btp
Contributor

Change of VLAN ID

All,

I find it quite unbelievable that you can't change the VLAN ID of an interface once it has been created. This must be the only network equipment we own that does not allow this. And we have a lot.

 

So - this I do want.

 

/BT

-- Bjørn Tore

neonbit
Valued Contributor

Back up the config, edit the interface's VLAN ID and restore the config. It will require a reboot of the firewall.

btp

Yes - I know how to change the VLAN ID. But that it requires either rewriting the config with policies, routes etc., or a reboot - it seems so last century.

-- Bjørn Tore

Carl_Wallmark
Valued Contributor

I couldn't agree more!

I have talked to guys at events and asked why this is impossible, but they cannot come up with a good answer.

Probably the only vendor that doesn't allow this except for recreating everything or changing the config file and doing a reboot.

I wonder how this is working in a big datacenter where they change VLAN IDs all the time, "sorry but we need to reboot the firewall 10 times a day because we need to change VLAN ID......"

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

MikePruett

There are a few interface settings and behaviors that do this

Mike Pruett Fortinet GURU | Fortinet Training Videos
Carl_Wallmark

An Enterprise firewall in my world is a device that does not need a reboot for any configuration change, uptime should be 100% - that's an enterprise firewall.

emnoc
Esteemed Contributor III

Then make an NFR to Fortinet. I do not see this as a big issue; in most enterprises they design things and don't need to change the VLAN ID that often.

PCNSE 

NSE 

StrongSwan  

Carl_Wallmark
Valued Contributor

Believe me, I have.

 

And even if it's not that often, as you say, you shouldn't have to reboot and re-import a config to change the VLAN ID (or create the new VLAN and then create every rule again).

Cisco can do it, Juniper can do it, so why not Fortinet?

schwit
New Contributor

It boggles the mind that Fortinet still hasn't fixed this.

JianWu

This feature is added in 7.0+

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/885870/interface-migration-wizard

 

Before it is available, it does require some effort.

One way to do it is to create a new VLAN interface and replace all the references the old one is associated with (such as firewall policies).

In the GUI/Network interfaces, on the far right, you should see a # associated with the old VLAN interface object. Click it and you will see where it is used/referenced.

Hope this helps.

Jian Wu
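
The reference hunt described in the post above can also be done offline against a configuration backup before the old VLAN interface is replaced. This is an added example, not part of the original thread and not Fortinet tooling; it assumes the usual FortiOS backup layout of `config`/`edit`/`set`/`next`/`end` blocks, and the sample config and the function name `find_references` are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS backup syntax (not taken from the thread).
SAMPLE_CONFIG = """\
config system interface
    edit "vlan10"
        set interface "port1"
        set vlanid 10
    next
end
config firewall policy
    edit 1
        set srcintf "vlan10"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "port2"
        set dstintf "vlan10" "wan1"
    next
end
config router static
    edit 1
        set device "vlan10"
    next
end
"""

def find_references(config_text, ifname):
    """List (section, entry, option) for each 'set' line whose values include ifname."""
    refs, stack = [], []  # stack holds the open config/edit blocks, outermost first
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # start/end of a multi-line quoted value such as a certificate
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append((keyword, " ".join(args)))
        elif keyword in ("next", "end") and stack:
            stack.pop()
        elif keyword == "set" and ifname in args[1:]:
            section = " > ".join(v for k, v in stack if k == "config")
            entry = next((v for k, v in reversed(stack) if k == "edit"), None)
            refs.append((section, entry, args[0]))
    return refs

if __name__ == "__main__":
    for ref in find_references(SAMPLE_CONFIG, "vlan10"):
        print(ref)
```

Every tuple returned is a place that must point at the new interface before the old one can be deleted; an empty list means nothing in the backup still depends on it.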