Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ' Interface Mode' not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-21-2007 01:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
' Interface Mode' not working
Hi,
On a Fortigate 200A you have several interfaces.
2 WAN, 2 DMZ and 1 4-port switch.
According to FortiGate_Administration_Guide_01-30004-0203-20070102.pdf on page 71,
It should be possible to put the switch into interface mode to be able to configure the interfaces of the 4-Port switch individually.
This isn’t working.
Below I’m posting what I did to troubleshoot the issue.
Please give feedback.
Fortigate-200A 3.00,build0413,070503
-- DEFAULT CONFIG (switch mode) --
FG200A3906503468 # sh system interface
config system interface
edit " internal"
set vdom " root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https
set type physical
next
edit " dmz1"
set vdom " root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https
set type physical
next
edit " dmz2"
set vdom " root"
set allowaccess ping
set type physical
next
edit " wan1"
set vdom " root"
set ip 192.168.100.99 255.255.255.0
set allowaccess ping https telnet
set type physical
next
edit " wan2"
set vdom " root"
set allowaccess ping
set type physical
next
end
-- PING FROM 192.168.1.5 to internal (192.168.1.99) --
C:\>ping 192.168.1.99
Pinging 192.168.1.99 with 32 bytes of data:
Reply from 192.168.1.99: bytes=32 time<1ms TTL=255
Reply from 192.168.1.99: bytes=32 time<1ms TTL=255
Reply from 192.168.1.99: bytes=32 time<1ms TTL=255
Reply from 192.168.1.99: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
-- MONITORING ‘INTERNAL (192.168.1.99) --
FG200A3906503468 # diag snif pa internal icmp
interfaces=[internal]
filters=[icmp]
1.034718 192.168.1.5 -> 192.168.1.99: icmp: echo request
1.034776 192.168.1.99 -> 192.168.1.5: icmp: echo reply
2.037005 192.168.1.5 -> 192.168.1.99: icmp: echo request
2.037064 192.168.1.99 -> 192.168.1.5: icmp: echo reply
3.039301 192.168.1.5 -> 192.168.1.99: icmp: echo request
3.039364 192.168.1.99 -> 192.168.1.5: icmp: echo reply
4.041571 192.168.1.5 -> 192.168.1.99: icmp: echo request
4.041632 192.168.1.99 -> 192.168.1.5: icmp: echo reply
-- CHANGIING TO INTERFACE MODE --
!!! DELETE DEFAULT FIREWALL POLICY BECAUSE SETTING IS IN USE !!!
‘System’ -> ‘Network’ -> ‘Switch Mode’
Change ‘Switch Mode’ into ‘Interface Mode’
-- RESULTING INTO A NEW INTERFACE CONFIGURATION: --
FG200A3906503468 # sh system interface
config system interface
edit " dmz1"
set vdom " root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https
set type physical
next
edit " dmz2"
set vdom " root"
set allowaccess ping
set type physical
next
edit " wan1"
set vdom " root"
set ip 192.168.100.99 255.255.255.0
set allowaccess ping https telnet
set type physical
next
edit " wan2"
set vdom " root"
set allowaccess ping
set type physical
next
edit " internal1"
set vdom " root"
set type physical
next
edit " internal2"
set vdom " root"
set type physical
next
edit " internal3"
set vdom " root"
set type physical
next
edit " internal4"
set vdom " root"
set type physical
next
end
-- GIVING INTERNAL 1 A VALID IP ADRESS --
FG200A3906503468 # sh system interface internal1
config system interface
edit " internal1"
set vdom " root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https telnet
set type physical
next
end
-- pinging from 192.168.1.5 to INTERNAL1 (192.168.1.99) --
Request timed out
Request timed out
Request timed out
Request timed out
-- MONITORING INTERNAL1 (192.168.1.99) --
FG200A3906503468 # dia snif pa internal1 icmp
interfaces=[internal1]
filters=[icmp]
pcap_open_live: ioctl: No such device for internal1 ????????????????????
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you done all the configuration in the CLI? or the GUI?
Log into the GUI and check that the interface names are internal1, internal2 etc.
Its just a thought, as the edit cli command sometimes seems to allow invalid interface names sometimes.
I presume you do have the network cable in the Internal1 port as well :)
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also;
I presume you noted the comments of the pre-requisites before changing the mode, the manual states;
Caution: Before you are able to switch between Switch Mode and Interface Mode all references to ‘internal’ interfaces must be removed. This includes references such as firewall policies, VDOM interface assignments, VLANS, and routing.
You might also want to delete the arp cache on the host/device you are pinging, as if the mac changes during this process, the pings would fail until the arp has been refereshed. (eg. if pinging an windows host, type the following to clear it out; arp -d 192.168.1.99)
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 05-21-2007 02:00 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply UkWizard,
1)I' ve done the configuration in the GUI.
in other words, changing from ' switch mode' to ' Interface Mode' was done in the GUI, as well as assigning the IP adres to internal1.
When I changed the mode, ' internal' became ' internal1' & ' internal2' etc...
It looked ok in the GUI aswell as in the CLI
2) yes, there is a network cable in internal1 =)
a machine is connected to it, with ' ping 192.168.1.99 -t' running
3) I' ve noticed the pre-requisites and deleted the default Firewall entry.
(All internal is allowed through all WAN1). This was indeed necessary to allow the switching. Otherwise it gives an error ' something something in use'
4) clearing the ARP cache on the device (192.168.1.5) didn' t help.
Something I already thougth of and tried before, btw :-)
I' ve just spoken to out contact person @Fortinet and he is thinking towards Hardware Revisions.
According to a document it should work on a FG200A290xxxxxxx
mine is a FG200A390xxxxxxx, a brand new one.
He' s investigating the issue as we speak.
Also, i' m running MR3.0
I can' t find any document that says this will work on MR4.0
Until I' m really really convinced I need to go to MR4.0, MR3.0 is staying on there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All i know is that you need ' Revision 2' , of that hardware, for this feature.
Not sure how to find the revision of the hardware, but check the label underneath in case it states it.
judging from the sniffing error you got, it definately looks like it cannot see the physical interfaces, doesnt it. so it could be the revision. Is the unit new?
From the CLI, if you list the interfaces, i presume it does see the internal ones?
Also try sniffing using " any" interfaces instead, should be;
diag sniff pa any icmp
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 05-21-2007 03:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to the Fortinet guy I have a ' revision2'
the manufacaturing date on the appliance states 2007.02
so it' s a brand new one.
The document the Fortinet guy spoke about, I reckon they are the release notes of some Firmware, stated that it' s supported on Revision2 appliance with serial numbers starting with FG200A290xxxxxxx.
Mine starts with FG200A390xxxxxxx.
This could perhaps mean it' s another revision.
And maybe, just maybe, this isn' t working because of that.
I' m trying MR4 this afternoon.
Just to make sure it' s not firmware related.
Not applicable
Created on 05-21-2007 05:06 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I received ' FGT_200A-v300-build0480-FORTINET.out' as a new firmware
and that solved the problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good stuff, worth noting.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,012 -
FortiClient
1,606 -
5.2
801 -
FortiManager
677 -
5.4
639 -
FortiAnalyzer
516 -
FortiSwitch
423 -
FortiAP
421 -
6.0
416 -
5.6
362 -
FortiClient EMS
362 -
FortiMail
300 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
187 -
SSL-VPN
174 -
FortiNAC
160 -
IPsec
154 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
93 -
SD-WAN
88 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
68 -
4.0MR3
64 -
FortiProxy
53 -
Firewall policy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
22 -
Virtual IP
20 -
Web profile
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
FortiMonitor
16 -
Traffic shaping
16 -
Application control
16 -
FortiDDoS
15 -
FortiPAM
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Traffic shaping policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Security profile
6 -
Port policy
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Application signature
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1468 | |
| 1007 | |
| 748 | |
| 443 | |
| 206 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.