lovejit
New Contributor

FortiGate Firewall: should the LAN port be an L2 Hardware Switch Interface or an L3 Physical Interface?

Hello Guys,

I have FortiGate 100D units installed on multiple sites, and everything is working. The only difference is that some firewalls have the LAN port (which goes to the internal network) as an L3 Physical Interface with a static IP, whereas other firewalls have it as an L2-type Hardware Switch interface.

Please explain how this makes a difference in networking, which is the industry standard, and why?

 

1 Solution
Nicholas_Doropoulos
Contributor

Hi,

It depends on the FortiGate's mode of operation. There are two modes:

NAT mode (aka Router mode), whereby the firewall acts as a layer 3 device that forwards packets. As such, the firewall's interfaces are assigned IP addresses. This is the default mode.

Transparent mode (aka Bridge mode) enables the firewall to act as a layer 2 device that can either block or forward frames. This mode is usually used for deployments where the user doesn't want to re-configure the IP addressing scheme of their network to implement the FortiGate.

I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

5 REPLIES 5
lovejit

I am already aware of these modes, and all our firewalls are configured in NAT mode, but still some firewalls have the LAN port configured as an L2 port and some as L3 ports.

Still confused?

Nicholas_Doropoulos

Have you configured any VDOMs on the FortiGate?

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
lovejit

No VDOMs.

Both firewalls work in exactly the same way. Only, on one firewall somebody chose Physical in the INTERFACE TYPE option while configuring the port, and on the other firewall somebody chose Hardware Switch in INTERFACE TYPE.
Nicholas_Doropoulos

Ok, I think I see what you mean now. Basically, if the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode. If the interface is a Hardware Switch, then your FortiGate is in Interface mode.

 

As far as your question about standards goes, in Switch mode, all the internal interfaces are part of the same subnet and treated as a single interface, called either lan or internal by default, depending on the FortiGate model. Switch mode is used when the network layout is basic, with most users being on the same subnet.

 

In Interface mode, the physical interfaces of the FortiGate unit are handled individually, with each interface having its own IP address. Interfaces can also be combined by configuring them as part of either hardware or software switches, which allow multiple interfaces to be treated as a single interface. This mode is ideal for complex networks that use different subnets to compartmentalize the network traffic.

 

If you need to change the mode your FortiGate unit is in, first make sure none of the physical ports that make up the lan or internal interface are referenced in the FortiGate configuration (for example, in a policy or DHCP server). If your FortiGate model has a Switch Controller, you may need to disable it before you can change the internal switch mode.

Go to System > Dashboard > Status and enter either of the following commands into the CLI Console:

Command to change the FortiGate to switch mode:

    config system global
        set internal-switch-mode switch
    end

Command to change the FortiGate to interface mode:

    config system global
        set internal-switch-mode interface
    end

I hope the above answers your question :)

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
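As an added illustration (not from the original post), here is what the answer's Interface mode buys you in practice: two LAN ports handled as separate L3 interfaces, with a firewall policy controlling traffic between them. In Switch mode the same hosts would sit in one subnet on the lan/internal hardware switch and their traffic would be switched at layer 2 without ever traversing a policy. Port names, subnets, aliases and the policy name are hypothetical values chosen for the example.

```fortios
# Added example, not from the original post. Assumes the unit is already in
# interface mode (set internal-switch-mode interface); port1/port2, the
# subnets, aliases and policy name are hypothetical values.
config system interface
    edit "port1"
        set alias "users"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "port2"
        set alias "servers"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
# Because the segments are separate L3 interfaces, only traffic matched by an
# explicit policy crosses between them; anything else hits the implicit deny.
config firewall policy
    edit 0
        set name "users-to-servers-https"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Before running the internal-switch-mode change from the answer, make sure neither port is still referenced by a policy or DHCP server, otherwise the mode switch is refused.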