Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Rhill
New Contributor II

How to Convert a Software Switch to Hardware Switch on HA Cluster

Hello. 

 

We have an Active/passive cluster setup with 200F devices that interface with a redundant LAN network. During the setup there were issues with loops occurring that were blocked by STP in the LAN network. The cluster LAN interfaces on the firewalls function as a transit LAN with VLAN sub-interfaces below it for our network hosts.

The network loops were mitigated by removing redundant links into the firewalls and the LAN network settings on the Ubiquiti switching equipment. We are not currently experiencing loop issues. But we are now trying to figure out how to fix the problematic setup to remove the STP loops and allow a redundant network.

The root cause of the loops looks like software switches on the FortiGate LAN interfaces. Per this link (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Building-redundant-paths-to-switch-network...), they are identified as not participating in STP. And the software switches are also not monitored if a LAN interface fails.

My question: what is the best strategy for removing a software switch with VLAN sub-interfaces and replacing it with a hardware switch on the firewalls? If I do it in the GUI, it looks like a complete breakdown and rebuild of the configuration of the firewall.

We appreciate any input or guidance,

Robert

9 Replies
AEK
SuperUser
SuperUser

Hi Robert

I'd do as follows:

  1. Backup the config
  2. Edit the config file and change the SW switch to HW switch
  3. Restore the config

Don't forget to keep the original backup, just in case there is an issue and you want to roll-back.

Hope it helps.

AEK
Rhill
New Contributor II

Hello AEK,

 

Thank you very much for the quick response. That sounds like an easy change. We'll give it a go.

Rhill
New Contributor II

Update. I used Notepad++ to edit the file. I changed the interface from "switch" to "hard-switch". I then restored the config file. It worked functionally, but in the management interface, the VLAN switch and all VLAN sub-interfaces showed up as down. I rolled back without issue.

 

I was recommended to try this solution: ( https://community.fortinet.com/t5/FortiGate/Technical-Tips-FortiGate-Does-not-show-the-Hardware-swit...

 

It was to get the hardware switch to show up, but got this error and aborted:

 

This change will disable trunk on interfaces and remove VLAN from virtual switches.  If you don't want it to be changed, type "abort"

Toshi_Esumi

"VLAN switch" vs. "Hardware switch" has almost nothing to do with "Software switch". If you're NOT using a VLAN Switch-specific feature, a VLAN switch works the same way a hardware switch works. Disabling VLAN switch mode (to go back to the native hardware-switch mode) wouldn't help at all in getting rid of the software switch.

The software switch is configured under "config system switch-interface" in the config file. You should see the members under the interface name you configured.
To configure hardware switch (also VLAN switch), you need to configure "config system virtual-switch" instead like below.
 
config system virtual-switch
  edit <interface_name_you_want>
    set physical-switch "sw0"    <-- this depends on the model but likely sw0 would work
    config port
      edit "portX"     <-- these are the member ports currently in the softswitch
      next
      edit "portY"
      next
       .....
    end
  next
end

Then you can remove the software switch config under "config system switch-interface" (and under "config system interface" if you want to change the name, but in that case you need to configure the new interface).

Toshi

Rhill
New Contributor II

Hello Toshi,

 

Thank you very much for your response. Although the VLAN switch was working functionally as a hardware switch, my issue was with the VLAN switch causing problems with the GUI. In the web interface, all the interfaces were listed as down and the VLAN Switch was not accessible. Please see the screenshots below:

(screenshot: 1.png)

When clicking into the "Internal LAN" VLAN Switch:
(screenshot: 2-1.png)
So, if I understand your response, do I just need to make two changes rather than just one change?  
 
When I look through my config file, I see three switch entries:
 
1) software switch:
config system switch-interface
    edit "Internal LAN"
    (rest of switch-interface clipped)
2) physical switch:
config system physical-switch
    edit "sw0"
    (rest of physical-interface clipped)
(not used since there are no ports listed under it?)
 
3) Virtual switch:
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port4"
    (rest of virtual-interface clipped)
 
So, are you saying I need to make two changes:
 
1) Change switch type from switch to hard-switch
 
2) Then I need to move my software switch entry FROM under the config system switch-interface down TO under the config system virtual-switch entry to represent two hardware switches?
 
Thank you again for your input.
 
Rhill
New Contributor II

I believe it worked.  I have a 40F and mimicked the setup with a successful change.  And everything appears to be working as expected.

 

After I made the two changes along with removing the config system switch-interface section and modifying the switch-interface entry to match the config system virtual-switch format, I uploaded it to the firewall and rebooted.

 

It came back up. I could use the hard-switch port and the GUI shows ports as up when connected.

 

Thanks again for your guidance.

TE
New Contributor II

The 40F doesn't support VLAN switch mode/feature, while 60F and above models, including 200F, support VLAN switch mode, which adds a native VLAN & a dedicated trunk interface for those native VLANs, but not exactly in the same way a regular L2 switch would operate. But either way, the bottom line is the same "HARDWARE" switch, unlike the software switch.
Most people who use one of F-series models (except 40F) or newer that supports VLAN switch wouldn't change the default mode and use it with VLAN switch mode enabled, but use it as a hardware switch. You would never encounter/feel the difference.

Toshi

Rhill
New Contributor II

Thanks TE for the clarification. I thought it was just because virtual-switch-vlan was set to disable on the 40F.

 

As you mentioned, the switch types function the same.  Once the changes were set correctly, it took and is working fine.

 

One note for others as green as I am at editing the config file and following this thread, here is a lesson learned:

 

1) Have the firmware and TFTP server ready to recover in case the config file is not done correctly. My first attempt on a test box was misconfigured (a space or non-tabbed entry) preventing login/access. I had to reload the default matching firmware and then a new config file without the misconfiguration.

 

2) After the config file is uploaded and restarted, have a console window open to the boot process of the firewall.  A startup entry will notify you if there is a problem with the config file.
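
The three config sections Toshi describes (switch-interface, interface type, virtual-switch) and Rhill's lesson that one stray line in the edited file can leave the box unreachable after the restore can both be exercised offline before anything is uploaded. The script below is an added example, not code from this thread or from Fortinet: it rewrites a constructed sample config so that the software switch "Internal LAN" becomes a virtual-switch entry with the same member ports and a hard-switch interface type, then checks that every config/end and edit/next pair still balances. The sample config, its addresses and port names, and the physical switch name "sw0" are assumptions; as Toshi notes, the physical-switch name depends on the model, so check it in your own exported config.

```python
import re

# Constructed sample of an exported FortiGate config, cut down to the three
# sections the thread talks about (hypothetical names and addresses).
SAMPLE_CONFIG = """\
config system interface
    edit "Internal LAN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set type switch
    next
    edit "Internal LAN_v20"
        set vdom "root"
        set interface "Internal LAN"
        set vlanid 20
    next
end
config system switch-interface
    edit "Internal LAN"
        set vdom "root"
        set member "port3" "port4"
    next
end
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port5"
            next
        end
    next
end
"""


def find_span(lines, opener, lo=0, hi=None):
    # (start, close) of the first line equal to `opener` in lines[lo:hi] and the
    # end/next that closes it, honouring nested config/edit levels; None if absent.
    depth, start = 0, None
    for i in range(lo, len(lines) if hi is None else hi):
        s = lines[i].strip()
        if start is None:
            if s == opener:
                start, depth = i, 1
        elif s.startswith(("config ", "edit ")):
            depth += 1
        elif s in ("end", "next"):
            depth -= 1
            if depth == 0:
                return start, i
    return None


def check_balance(text):
    # Problems with config/end and edit/next pairing; run this before restoring,
    # since a single stray line can leave the box unreachable (see the thread).
    stack, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith(("config ", "edit ")):
            stack.append((s.split()[0], n))
        elif s in ("end", "next"):
            want = "config" if s == "end" else "edit"
            if stack and stack[-1][0] == want:
                stack.pop()
            else:
                problems.append(f"line {n}: unexpected '{s}'")
    problems += [f"line {n}: unterminated '{kind}'" for kind, n in stack]
    return problems


def convert_software_switch(text, name, physical_switch="sw0"):
    # Three edits, as in the thread: drop the switch-interface entry, set the
    # interface type to hard-switch, add a virtual-switch entry with the same ports.
    lines = text.splitlines()

    blk = find_span(lines, "config system switch-interface")
    if blk is None:
        raise ValueError("no 'config system switch-interface' block")
    ent = find_span(lines, f'edit "{name}"', blk[0], blk[1] + 1)
    if ent is None:
        raise ValueError(f"software switch {name!r} not found")
    members = []
    for line in lines[ent[0]:ent[1]]:
        if line.strip().startswith("set member "):
            members = re.findall(r'"([^"]+)"', line)
    del lines[ent[0]:ent[1] + 1]
    blk = find_span(lines, "config system switch-interface")
    if blk and blk[1] == blk[0] + 1:          # block is now empty: drop it
        del lines[blk[0]:blk[1] + 1]

    blk = find_span(lines, "config system interface")
    ent = blk and find_span(lines, f'edit "{name}"', blk[0], blk[1] + 1)
    if not ent:
        raise ValueError(f"interface {name!r} not found")
    for i in range(ent[0], ent[1]):
        if lines[i].strip() == "set type switch":
            lines[i] = lines[i].replace("set type switch", "set type hard-switch")

    entry = [f'    edit "{name}"', f'        set physical-switch "{physical_switch}"',
             "        config port"]
    for port in members:
        entry += [f'            edit "{port}"', "            next"]
    entry += ["        end", "    next"]
    blk = find_span(lines, "config system virtual-switch")
    if blk is None:
        lines += ["config system virtual-switch", *entry, "end"]
    else:
        lines[blk[1]:blk[1]] = entry            # insert before the block's "end"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    converted = convert_software_switch(SAMPLE_CONFIG, "Internal LAN")
    print(converted)
    print("balance problems:", check_balance(converted))
```

Run it against a real export by reading the backup into `convert_software_switch`, writing the result to a new file, and refusing to restore unless `check_balance` returns an empty list. Keep the untouched backup next to it, as AEK suggests, and have the console open during the reboot so a config-load complaint is visible.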

Toshi_Esumi

Sorry, I logged in with a different email address so "TE=Toshi_Esumi".
Yes, console access is crucial to see any config file issues while it boots up. And, if the boot partition "image+config" is messed up due to config file issues, you need to flush the boot partition and load up the image via a TFTP server to recover the partition.

Toshi 
