The FGT-60D has a WAN1, WAN2, DMZ, and internal ports 1-7, all 10 of which are GigabitEthernet. Ports 1-7 form an internal switch, which by default appears as only one interface in the GUI - "internal". I want to separate the internal switch ports into different VLANs but I cannot find any way to do it. I can view each physical [eth] port individually in the CLI using "get hardware nic" and it lists dmz, wan1, wan2, internal, and eth4-eth11. Strangely, when I enter "get hardware nic internal", it shows as up, but if I enter "get hardware nic eth[4-11]" they all show as down. I am connected to port7, which I expected would be mapped to eth11. It doesn't make sense to me. There seems to be no way to access these physical ports through the "config" command, only the "get" command.
1. How can I access and configure each individual eth port?
2. I have created VLAN sub-interfaces attached to the "internal" interface, but how do I tell the FGT-60D which physical gig ports to trunk? i.e. how does the FGT know to trunk all VLANs on, say, physical Gig port 1 (if connected to another switch port that is trunked)?
Thanks, I found the answer here:
Technical-Tip-Switch-mode-vs-interface-mode (189832)
This command is available on my device:
config system global
set internal-switch-mode interface
end
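An added example, not part of the original posts or of Fortinet's documentation: the mode change above followed by VLAN sub-interfaces bound to one physical port, so that port carries the 802.1Q tags toward a trunked switch port. The object ids (`1`), the port name `internal1`, the VLAN names, VLAN IDs and addresses are assumptions for illustration; check the ids and port names on your own unit first.

```fortios
# Constructed example. Lines starting with # are notes for the reader.

# 1. The mode change is refused while anything still references "internal".
#    Remove those references first (ids below assume factory defaults).
config firewall policy
    delete 1
end
config system dhcp server
    delete 1
end

# 2. Split the internal switch into individual interfaces
#    (the command from the post above).
config system global
    set internal-switch-mode interface
end

# 3. Create VLAN sub-interfaces on the physical port that faces the
#    trunked switch port. Frames leave internal1 tagged with the vlanid.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set interface "internal1"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20-servers"
        set vdom "root"
        set interface "internal1"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end
```

Traffic between the two VLANs is then denied until a firewall policy between `vlan10-users` and `vlan20-servers` explicitly allows it, which is what makes the split useful for segmentation.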
Hello @forchip ,
It seems like you're referring to a situation where physical interfaces are grouped under a single hardware switch on certain models. In this case, you have the flexibility to remove specific physical interfaces from this hardware switch if needed. Once removed, you can proceed with the configurations you require for those interfaces.
Regarding hardware switches: You can collect all interfaces under one hardware switch and delete any interfaces from it. Refer to this link for more details:
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/100999/hardware-switch
For creating a VLAN interface and associating it with an interface, it's advisable to first create an aggregate interface for redundancy and improved bandwidth. After that, you can create a VLAN interface using the aggregate interface. Here are some links for reference:
BR.
If my answer provided a solution for you, please mark the reply as solved so that others can get it easily while searching for similar scenarios.
Copyright 2025 Fortinet, Inc. All Rights Reserved.