Hi all,
To support my problem description, please see attached diagram below, which is a simplified overview of my network.
I am entirely new to Fortinet firewalls. I've always worked with Cisco firewalls but recently the company has decided to move away from Cisco and switch to Fortinet devices.
I am setting up a FortiGate 70F on the latest firmware, 7.6.2. Out of the box, the FortiGate was configured with the WAN1, WAN2 and DMZ ports as "Physical Interfaces". Ports 1 through 5 were set up in VLAN Switch mode, with VLAN 0 configured on the default 192.168.1.0/24 network.
My office network is on VLAN 70, subnet 10.70.70.0/24.
I broke up the VLAN Switch and removed port 2 through 5 from it so that they would turn into physical interfaces again. Only port 1 is still in the VLAN Switch mode. See below:
Port 5 is currently my initial admin access port while I configure the firewall (that's why it's called "Initial"). Whenever I connect this interface to my access layer switch, I can access the firewall on its IP address. I configured a static route on the FortiGate to use 10.70.70.1 as the default gateway, which is my Cisco Firepower firewall.
Now, for some reason unbeknownst to me, the second I connect port 1 of the FortiGate to my access switch, both my laptop and the FortiGate lose their ARP entry for 10.70.70.1 and can therefore no longer connect to the internet. When I disconnect port 1, it takes a couple of minutes for the devices to re-learn the MAC address of the Cisco gateway, and then the internet connection is restored.
I am trying to understand the following:
If someone could help me understand the behavior that I'm seeing and difference between the 3 modes, that would be greatly appreciated!
You can refer to the article below for more details.
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/183531/virtual-vlan-switch
Hi @Martin5 ,
You can't leave Member as empty. If this Hardware switch interface (internal) is not in use, you may delete it directly.
Otherwise, you have to back up the configuration, edit it with a text editor, replace internal with internal4 (or the interface you want to use), delete the Hardware switch configuration, and reload the FGT configuration, which will force you to reboot the FGT.
Sorry, my bad. I just tested it on my FGT, yes, we can have members as empty.
So @Martin5 ,
What you can do:
config system virtual-switch
    edit internal
        config port
            delete internal4
        end
    next
end
You should be able to remove the internal4 out of the Hardware switch.
Thanks everyone! All my ports are now individual physical interfaces and my initial problem with the ARP entries has been resolved by removing the STP feature from a VLAN Switch mode port.
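A laptop-side way to confirm the symptom the original post describes (the ARP entry for 10.70.70.1 disappearing the moment port 1 is connected and coming back minutes later), as an added example that is not from this thread or from Fortinet: it parses Linux `ip -4 neigh` output, reports when the gateway entry is lost or restored and how long the outage lasted, and also flags a change of gateway MAC, which would point at a loop or ARP spoofing rather than a plain entry loss. The interface name eth0, the gateway MAC and the snapshot timeline are constructed for the example; the functions `gateway_arp_state`, `gateway_events` and `collect_live` are mine, not a Fortinet or Linux API.

```python
"""Laptop-side check for the ARP-loss symptom described in the thread.

Parses snapshots of `ip -4 neigh show` output (Linux) and reports when the
neighbour entry for the default gateway is lost, restored, or changes MAC.
The snapshots below are constructed; 10.70.70.1 is the gateway from the post.
"""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of `ip neigh` output, e.g.
#   10.70.70.1 dev eth0 lladdr 00:11:22:aa:bb:cc REACHABLE
#   10.70.70.1 dev eth0 FAILED          (no lladdr once resolution has failed)
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r".*?\s(?P<state>[A-Z]+)$"
)

# Kernel neighbour states in which the entry can still be used for forwarding.
HEALTHY = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


@dataclass
class GatewayState:
    present: bool          # an entry for the gateway IP exists at all
    mac: Optional[str]     # resolved MAC, None for INCOMPLETE/FAILED
    state: str             # kernel state, or "MISSING" if there is no entry


def gateway_arp_state(neigh_output: str, gateway_ip: str) -> GatewayState:
    """Return the neighbour-table state of gateway_ip from one snapshot."""
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("ip") == gateway_ip:
            mac = m.group("mac")
            return GatewayState(True, mac.lower() if mac else None, m.group("state"))
    return GatewayState(False, None, "MISSING")


def gateway_events(snapshots, gateway_ip: str):
    """Walk (timestamp, output) snapshots and emit lost / restored / mac_change events."""
    events = []
    was_up: Optional[bool] = None
    last_mac: Optional[str] = None
    lost_at = None
    for ts, out in snapshots:
        st = gateway_arp_state(out, gateway_ip)
        up = st.mac is not None and st.state in HEALTHY
        # A gateway MAC that changes is either a real topology change or ARP spoofing: flag it.
        if st.mac and last_mac and st.mac != last_mac:
            events.append(("mac_change", ts, f"{last_mac} -> {st.mac}"))
        if st.mac:
            last_mac = st.mac
        if was_up and not up:
            lost_at = ts
            events.append(("lost", ts, st.state))
        elif was_up is False and up:
            outage = f"outage {ts - lost_at:.0f}s" if lost_at is not None else "outage unknown"
            events.append(("restored", ts, outage))
        was_up = up
    return events


def collect_live(gateway_ip: str, interval: float = 2.0, count: int = 30):
    """Poll the local neighbour table with `ip -4 neigh show` (Linux only)."""
    snaps = []
    t0 = time.time()
    for _ in range(count):
        out = subprocess.run(["ip", "-4", "neigh", "show"],
                             capture_output=True, text=True, check=False).stdout
        snaps.append((time.time() - t0, out))
        time.sleep(interval)
    return snaps


GATEWAY = "10.70.70.1"
GW_MAC = "00:11:22:aa:bb:cc"   # constructed, not the poster's real gateway MAC

# Constructed timeline (seconds, `ip -4 neigh` output) mirroring the post:
# port 1 plugged in around t=10, unplugged around t=120, gateway relearned at t=180.
SAMPLE_SNAPSHOTS: List[Tuple[int, str]] = [
    (0,   f"{GATEWAY} dev eth0 lladdr {GW_MAC} REACHABLE\n"
          "10.70.70.50 dev eth0 lladdr 00:11:22:dd:ee:ff STALE"),
    (5,   f"{GATEWAY} dev eth0 lladdr {GW_MAC} STALE"),
    (10,  f"{GATEWAY} dev eth0 FAILED"),                          # resolution fails
    (20,  "10.70.70.50 dev eth0 lladdr 00:11:22:dd:ee:ff STALE"),  # gateway entry aged out
    (150, f"{GATEWAY} dev eth0 INCOMPLETE"),                      # kernel probing again
    (180, f"{GATEWAY} dev eth0 lladdr {GW_MAC} REACHABLE"),       # relearned
]

if __name__ == "__main__":
    for event in gateway_events(SAMPLE_SNAPSHOTS, GATEWAY):
        print(*event)
```

Run it on the laptop with `gateway_events(collect_live("10.70.70.1"), "10.70.70.1")` while plugging port 1 in and out; a "lost" followed by a "restored" with an outage of minutes reproduces the post, while any "mac_change" means the gateway address was learned from a different station and deserves a look at the switch MAC table before blaming interface modes.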
Copyright 2024 Fortinet, Inc. All Rights Reserved.