Hi all,
To support my problem description, please see attached diagram below, which is a simplified overview of my network.
I am entirely new to Fortinet firewalls. I've always worked with Cisco firewalls but recently the company has decided to move away from Cisco and switch to Fortinet devices.
I am setting up a FortiGate 70F on the latest firmware 7.6.2. By default out of the box the Fortinet was configured with WAN1, WAN2 and DMZ ports configured as "Physical Interfaces". Port 1 through 5 were setup in VLAN Switch Mode, with VLAN 0 configured on the default 192.168.1.0/24 network.
My office network is on VLAN 70, subnet 10.70.70.0/24.
I broke up the VLAN Switch and removed port 2 through 5 from it so that they would turn into physical interfaces again. Only port 1 is still in the VLAN Switch mode. See below:
Port 5 is currently my initial admin access port while I configure the firewall (that's why its called "Initial"). Whenever I connect this interface to my access layer switch, I can access the firewall on its IP address. I configured a static route on the Fortigate to use 10.70.70.1 as the default gateway, which is my Cisco Firepower firewall.
Now for some to me unbeknownst reason, the second I connect port 1 of the Fortigate to my access switch, both my laptop and the Fortigate lose their ARP entry to 10.70.70.1 and can therefore no longer connect to the internet. When I disconnect port 1, it takes a couple of minutes for the devices to re-learn the MAC address of the Cisco gateway and then internet connection is restored.
I am trying to understand the following:
- Why do I lose my ARP entry to the gateway on all of my devices connected to the same switch when I connect a VLAN Switch type fortigate port to my network?
- What exactly is this VLAN Switch inside the Fortigate? I can setup ports as "Hardware Switch" and configure subinterfaces on their own SVI VLANs. I don't understand the difference between Hardware Switch, Software Switch and VLAN Switch ports. I tried looking this up in the Fortinet documentation but it's still not clear enough to me.
If someone could help me understand the behavior that I'm seeing and difference between the 3 modes, that would be greatly appreciated!
3 Solutions
I think I figured out the ARP problem. After connecting port 1 to my LAN switch again, I lost my ARP MAC entry to the gateway. When running Wireshark to see what is happning, I see a whole bunch of STP messages from the Fortinet.
As soon as I disabled STP on the Fortinet VLAN switch, after a minute or so my internet connection came back.
Our office is fairly small and we did not custom configure STP on our switches, so all of them are still on the default 32768 priority. I am guessing that the Fortinet has a lower MAC address and became the root bridge. But please correct me if I'm wrong.
Thanks.
How do I delete all interfaces from a switch in the fortigate? I want to use all interfaces as regular standard layer 3 ports. Through the GUI it won't let me delete all interfaces. It wants me to have at least 1 port assigned to the switch.
How do I get Internal4 out of the switch as well?
