Martin5
New Contributor

Losing ARP entry of default gateway when connecting Fortigate VLAN switch port to LAN

Hi all,

 

To support my problem description, please see attached diagram below, which is a simplified overview of my network.

[Attached diagram: LabNetwork.png]

 

I am entirely new to Fortinet firewalls. I've always worked with Cisco firewalls but recently the company has decided to move away from Cisco and switch to Fortinet devices.

 

I am setting up a FortiGate 70F on the latest firmware 7.6.2. By default out of the box the Fortinet was configured with WAN1, WAN2 and DMZ ports configured as "Physical Interfaces". Ports 1 through 5 were set up in VLAN Switch Mode, with VLAN 0 configured on the default 192.168.1.0/24 network.

My office network is on VLAN 70, subnet 10.70.70.0/24.

I broke up the VLAN Switch and removed ports 2 through 5 from it so that they would turn into physical interfaces again. Only port 1 is still in the VLAN Switch mode. See below:

 

[Attached screenshot: Fortigateconfig.png]

 

Port 5 is currently my initial admin access port while I configure the firewall (that's why it's called "Initial"). Whenever I connect this interface to my access layer switch, I can access the firewall on its IP address. I configured a static route on the Fortigate to use 10.70.70.1 as the default gateway, which is my Cisco Firepower firewall.

 

Now for some reason unbeknownst to me, the second I connect port 1 of the Fortigate to my access switch, both my laptop and the Fortigate lose their ARP entry for 10.70.70.1 and can therefore no longer connect to the internet. When I disconnect port 1, it takes a couple of minutes for the devices to re-learn the MAC address of the Cisco gateway, and then the internet connection is restored.

 

I am trying to understand the following:

  1. Why do I lose my ARP entry for the gateway on all of my devices connected to the same switch when I connect a VLAN Switch type Fortigate port to my network?
  2. What exactly is this VLAN Switch inside the Fortigate? I can set up ports as "Hardware Switch" and configure subinterfaces on their own SVI VLANs. I don't understand the difference between Hardware Switch, Software Switch and VLAN Switch ports. I tried looking this up in the Fortinet documentation but it's still not clear enough to me.

If someone could help me understand the behavior that I'm seeing and difference between the 3 modes, that would be greatly appreciated!
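The symptom described above (the gateway's ARP entry disappearing from the laptop and then coming back minutes later) is easiest to pin down by sampling the host's neighbour table on a timer and logging the transitions. The following is an added example, not code from the thread or from Fortinet: a small Python monitor that parses Linux `ip neigh show` output, reports when the gateway entry is lost or recovered, and also flags a change of the gateway's MAC address, which goes beyond the post's own case but is useful when a topology change makes a different device answer for the gateway. The gateway address 10.70.70.1 comes from the post; the interface name `eth0`, the MAC addresses and the snapshots are constructed sample data.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of `ip neigh show` output on Linux. The lladdr field is absent when
# the kernel has no MAC for the entry (states such as FAILED or INCOMPLETE).
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$"
)

# Neighbour states in which the kernel still holds a usable MAC for the peer.
HEALTHY_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


@dataclass(frozen=True)
class NeighEntry:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def parse_neigh(output: str) -> Dict[str, NeighEntry]:
    """Parse `ip neigh show` output into a dict keyed by IP address."""
    entries: Dict[str, NeighEntry] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if not m:
            continue  # skip unrecognised lines instead of aborting the monitor
        entries[m["ip"]] = NeighEntry(m["ip"], m["dev"], m["mac"], m["state"])
    return entries


def gateway_status(output: str, gateway: str) -> Tuple[str, Optional[str]]:
    """Return (state, mac) for the gateway, or ('MISSING', None) if absent."""
    entry = parse_neigh(output).get(gateway)
    if entry is None:
        return ("MISSING", None)
    return (entry.state, entry.mac)


def detect_changes(samples: List[str], gateway: str) -> List[str]:
    """Compare consecutive snapshots and report loss, recovery and MAC changes."""
    events: List[str] = []
    prev_state: Optional[str] = None
    prev_mac: Optional[str] = None
    for i, snapshot in enumerate(samples):
        state, mac = gateway_status(snapshot, gateway)
        healthy = state in HEALTHY_STATES and mac is not None
        prev_healthy = prev_state in HEALTHY_STATES and prev_mac is not None
        if prev_state is not None:  # nothing to compare on the first sample
            if prev_healthy and not healthy:
                events.append(f"sample {i}: gateway {gateway} lost ({state})")
            elif not prev_healthy and healthy:
                events.append(f"sample {i}: gateway {gateway} recovered ({mac})")
            elif healthy and prev_healthy and mac != prev_mac:
                events.append(f"sample {i}: gateway MAC changed {prev_mac} -> {mac}")
        prev_state, prev_mac = state, mac
    return events


def live_snapshot() -> str:
    """Take one real snapshot from the local host (Linux with iproute2)."""
    return subprocess.check_output(["ip", "neigh", "show"], text=True)


# Constructed snapshots mimicking what the laptop would show while the
# Fortigate's port 1 is plugged in and then unplugged again.
SAMPLE_SNAPSHOTS = [
    "10.70.70.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE\n"
    "10.70.70.50 dev eth0 lladdr 00:00:5e:00:53:32 STALE\n",
    "10.70.70.1 dev eth0 lladdr 00:00:5e:00:53:01 STALE\n",
    "10.70.70.1 dev eth0  FAILED\n",
    "10.70.70.50 dev eth0 lladdr 00:00:5e:00:53:32 STALE\n",
    "10.70.70.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE\n",
]

if __name__ == "__main__":
    for event in detect_changes(SAMPLE_SNAPSHOTS, "10.70.70.1"):
        print(event)
```

To use it on a real host, collect `live_snapshot()` every few seconds into a list while plugging and unplugging the port under test, then run `detect_changes` over the list; the timestamps of the "lost" and "recovered" events line up directly with the cable changes and with any STP topology-change notifications the switch logs.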

3 Solutions
dingjerry_FTNT

Hi @Martin5 ,

 

You can't leave Member as empty.  If this Hardware switch interface (internal) is not in use, you may delete it directly.

 

Otherwise, you have to back up the configuration, edit it using a text file editor, replace internal with internal4 or the interface you want to use, and delete the Hardware switch configuration.  Reload the FGT configuration which will force you to reboot the FGT.

Regards,

Jerry


dingjerry_FTNT

Sorry, my bad.  I just tested it on my FGT, yes, we can have members as empty.

 

So @Martin5 ,

 

What you can do:

 

config system virtual-switch
    edit internal
        config port
            delete internal4
        end
    next
end

 

You should be able to remove the internal4 out of the Hardware switch.

Regards,

Jerry


10 Replies
Martin5
New Contributor

Thanks everyone! All my ports are now individual physical interfaces and my initial problem with the ARP entries has been resolved by removing the STP feature from a VLAN Switch mode port.
