Support Forum
antoniocerasuolo
New Contributor III

FortiWiFi 40F / how to delete a port from the hardware switch LAN to set it up as a solo software switch LAN

Hi,

my LAN hardware switch interface has 3 ports: lan1, lan2, lan3 -> lan

these 3 ports are part of the main "internal lan"

how do I take lan1 out of the lan hardware switch and create a second hardware switch, let's say lan_2, containing only the port lan1?

in this fashion I would then add lan_2 to a new internal interface, let's say internal_2?

how can all of this be done? it seems impossible to find where to take lan1 out of the hardware switch.

any help would be appreciated.

ciao,

Antonio

antoniocerasuolo
New Contributor III

here are a couple of logs from the file:

maybe it's legitimate blocking but it seems to be too much..

date=2025-01-31 time=17:29:09 id=7466117546744217622 itime="2025-01-31 17:29:14" euid=3 epid=1029 dsteuid=3 dstepid=101 logflag=67 logver=702101706 type="traffic" subtype="forward" level="notice" action="accept" utmaction="block" policyid=2 sessionid=592454 srcip=10.8.8.13 dstip=96.45.46.46 transip=192.168.1.245 srcport=56985 dstport=53 transport=56985 trandisp="snat" duration=180 proto=17 sentbyte=75 rcvdbyte=103 sentpkt=1 rcvdpkt=1 logid=0000000013 srcname="ROG_ANTONIO" dstname="dns2.fortiguard.net" service="DNS" app="DNS" appcat="Network.Service" srcintfrole="lan" dstintfrole="wan" srcserver=0 appid=16195 apprisk="elevated" policytype="policy" channel=40 shapingpolicyid=2 eventtime=1738340948927865830 shaperdropsentbyte=0 shaperdroprcvdbyte=0 countdns=1 srcuuid="1b02621a-95ee-51ef-5f4f-3e53698fcedb" dstuuid="1b02621a-95ee-51ef-5f4f-3e53698fcedb" poluuid="1d894a6c-95ee-51ef-5b0b-7ba14d488b60" srcmac="f4:c8:8a:6c:fd:59" mastersrcmac="f4:c8:8a:6c:fd:59" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="United States" srcssid="guest_wifi_fortinet" srcintf="guestwifi" dstintf="wan" applist="default" radioband="802.11ac,n-only" policyname="guest_wifi_policy" ap="FWF40F-WIFI0" apsn="FWF40FTK23006541" shapersentname="medium-priority" shaperrcvdname="medium-priority" hostname="d1zf2p7ylo2ros.cloudfront.net" catdesc="Phishing" tz="+0100" srccity="Reserved" signal=-62 snr=50 shapingpolicyname="dialy_traffic" srcgeoid=1000000000 dstgeoid=6252001 devid="FWF40FTK23006541" vd="root" utmref="BAQACAAIAAABvHAAAAaP5nGej-ZxnbxkAAAGj-Zxno_mcZw==" dtime="2025-01-31 17:29:09" itime_t=1738340954 devname="FWF40FTK23006541" srcuuid_name=all dstuuid_name=all
date=2025-01-31 time=17:29:08 id=7466117546744217620 itime="2025-01-31 17:29:14" euid=3 epid=1029 dsteuid=3 dstepid=101 logflag=67 logver=702101706 type="traffic" subtype="forward" level="notice" action="accept" utmaction="block" policyid=2 sessionid=592451 srcip=10.8.8.13 dstip=96.45.46.46 transip=192.168.1.245 srcport=61957 dstport=53 transport=61957 trandisp="snat" duration=180 proto=17 sentbyte=75 rcvdbyte=91 sentpkt=1 rcvdpkt=1 logid=0000000013 srcname="ROG_ANTONIO" dstname="dns2.fortiguard.net" service="DNS" app="DNS" appcat="Network.Service" srcintfrole="lan" dstintfrole="wan" srcserver=0 appid=16195 apprisk="elevated" policytype="policy" channel=40 shapingpolicyid=2 eventtime=1738340948917871790 shaperdropsentbyte=0 shaperdroprcvdbyte=0 countdns=1 srcuuid="1b02621a-95ee-51ef-5f4f-3e53698fcedb" dstuuid="1b02621a-95ee-51ef-5f4f-3e53698fcedb" poluuid="1d894a6c-95ee-51ef-5b0b-7ba14d488b60" srcmac="f4:c8:8a:6c:fd:59" mastersrcmac="f4:c8:8a:6c:fd:59" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="United States" srcssid="guest_wifi_fortinet" srcintf="guestwifi" dstintf="wan" applist="default" radioband="802.11ac,n-only" policyname="guest_wifi_policy" ap="FWF40F-WIFI0" apsn="FWF40FTK23006541" shapersentname="medium-priority" shaperrcvdname="medium-priority" hostname="d1zf2p7ylo2ros.cloudfront.net" catdesc="Phishing" tz="+0100" srccity="Reserved" signal=-62 snr=50 shapingpolicyname="dialy_traffic" srcgeoid=1000000000 dstgeoid=6252001 devid="FWF40FTK23006541" vd="root" utmref="BAQACAAIAAABvFgAAAaP5nGej-ZxnbxQAAAGj-Zxno_mcZw==" dtime="2025-01-31 17:29:08" itime_t=1738340954 devname="FWF40FTK23006541" srcuuid_name=all dstuuid_name=all
dingjerry_FTNT

Hi @antoniocerasuolo ,

Both logs are for the following info:

type="traffic" subtype="forward" level="notice" action="accept" utmaction="block" policyid=2 , policyname="guest_wifi_policy", dstname="dns2.fortiguard.net"

Apparently, you have only one firewall policy for Guest WiFi traffic and you applied a lot of UTM, including Application List, Traffic Shapers, and so on. And one of the UTM blocked this DNS traffic to "dns2.fortiguard.net".

So, question:

Do you really need to apply UTM for DNS traffic from the Guest WiFi traffic?

If no, you may create a new firewall policy above policy #2 to allow DNS traffic from Guest WiFi without any UTM applied.

Regards,

Jerry
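The reply above reads two fields (action="accept" together with utmaction="block") off two log records by hand. The parser below, an added example that is not part of the thread or of any Fortinet tool, does the same over a whole log export: it splits the FortiGate key=value format (quoted values may contain spaces, unquoted ones may not), keeps only the sessions a UTM profile blocked, and counts them per policy, service and destination. Alongside dstname (the resolver) it also surfaces the hostname and catdesc fields present in the quoted records, since those say what the UTM engine actually evaluated. The sample records are constructed: two are trimmed-down versions of the lines quoted in the thread, the third is an invented allowed HTTPS session.

```python
"""Parse FortiGate key=value traffic-log lines and pull out the sessions a UTM
profile blocked, so the "is it too much blocking?" question can be answered
from the log export rather than from two records read by eye."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records (added example): the first two are trimmed-down
# versions of the records quoted in the thread, the third is an invented
# HTTPS session that UTM allowed, so the filter has something to ignore.
SAMPLE_LOGS = [
    'date=2025-01-31 time=17:29:09 itime="2025-01-31 17:29:14" type="traffic" '
    'subtype="forward" level="notice" action="accept" utmaction="block" policyid=2 '
    'srcip=10.8.8.13 dstip=96.45.46.46 dstport=53 proto=17 service="DNS" '
    'dstname="dns2.fortiguard.net" srcintf="guestwifi" dstintf="wan" '
    'policyname="guest_wifi_policy" hostname="d1zf2p7ylo2ros.cloudfront.net" '
    'catdesc="Phishing" srcuuid_name=all',
    'date=2025-01-31 time=17:29:08 itime="2025-01-31 17:29:14" type="traffic" '
    'subtype="forward" level="notice" action="accept" utmaction="block" policyid=2 '
    'srcip=10.8.8.13 dstip=96.45.46.46 dstport=53 proto=17 service="DNS" '
    'dstname="dns2.fortiguard.net" srcintf="guestwifi" dstintf="wan" '
    'policyname="guest_wifi_policy" hostname="d1zf2p7ylo2ros.cloudfront.net" '
    'catdesc="Phishing" srcuuid_name=all',
    'date=2025-01-31 time=17:30:01 type="traffic" subtype="forward" level="notice" '
    'action="accept" utmaction="allow" policyid=2 srcip=10.8.8.13 dstip=203.0.113.10 '
    'dstport=443 proto=6 service="HTTPS" dstname="example.invalid" srcintf="guestwifi" '
    'dstintf="wan" policyname="guest_wifi_policy"',
]

# key=value pairs: a value is either a double-quoted string (which may contain
# spaces, e.g. itime="2025-01-31 17:29:14") or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Return one record as a dict, with the surrounding quotes stripped."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_utm_block(fields: Dict[str, str]) -> bool:
    """The policy accepted the session (action=accept) but a UTM profile then
    blocked it (utmaction=block); that combination is what the thread is about."""
    return fields.get("action") == "accept" and fields.get("utmaction") == "block"


def utm_blocked_sessions(lines: List[str]) -> List[Dict[str, str]]:
    """Reduce each blocked record to the fields needed to judge the block:
    which policy, which service and destination, and what the UTM engine saw."""
    keep = ("policyid", "policyname", "service", "dstname", "hostname", "catdesc")
    blocked = []
    for line in lines:
        fields = parse_fortigate_line(line)
        if is_utm_block(fields):
            blocked.append({k: fields.get(k, "") for k in keep})
    return blocked


def block_counts(lines: List[str]) -> Counter:
    """Count UTM blocks per (policyid, service, dstname); a large count for one
    policy and service is the signal to consider a separate policy for it."""
    return Counter(
        (int(b["policyid"]), b["service"], b["dstname"])
        for b in utm_blocked_sessions(lines)
    )


if __name__ == "__main__":
    for (pid, svc, dst), n in block_counts(SAMPLE_LOGS).items():
        print(f"policy {pid}: {n} UTM block(s) of {svc} to {dst}")
```

Run it against a real export by reading the file into a list of lines in place of SAMPLE_LOGS; records without a utmaction field (plain traffic with no UTM involved) simply fall through the filter.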
antoniocerasuolo

hi,

here is the policy I created, I just used the service DNS. Should I have done something else to actually get the FortiGuard DNS?

Immagine3.png

funkylicious

it should work just like that.

if you want to restrict it further you can specify the destination to certain IPs only or to an ISDB, https://docs.fortinet.com/document/fortigate-cnf/latest/2023-new-features/563017/use-isdb-objects-in... like Fortinet-FortiGuard

"jack of all trades, master of none"
dingjerry_FTNT

Hi @antoniocerasuolo ,

Make sure that the new policy #18 is above the existing policy #2.

Regards,

Jerry
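Why the position matters: a FortiGate evaluates the policy table top-down and applies the first policy whose interfaces, addresses and services match, so a DNS-only policy placed below the catch-all guest policy is never reached. The model below is an added example, not Fortinet code; the policy names, the UTM profile labels and the session objects are constructed stand-ins for the thread's policy #2 and policy #18.

```python
"""First-match policy lookup: a model of why the DNS-allow policy has to sit
above policy #2 to take effect.  The table is walked from the top and the first
policy whose interfaces and services match wins; later rows are not consulted."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    services: Set[str]                       # {"ALL"} matches every service
    utm_profiles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Session:
    srcintf: str
    dstintf: str
    service: str


def first_match(policies: List[Policy], session: Session) -> Optional[Policy]:
    """Top-down, first match wins, exactly like the policy table order."""
    for policy in policies:
        if (policy.srcintf == session.srcintf
                and policy.dstintf == session.dstintf
                and ("ALL" in policy.services or session.service in policy.services)):
            return policy
    return None   # nothing matched: implicit deny


def move_before(policies: List[Policy], policyid: int, before_id: int) -> List[Policy]:
    """Return a new ordering with `policyid` placed directly above `before_id`,
    the effect of dragging the row up in the GUI."""
    moving = next(p for p in policies if p.policyid == policyid)
    rest = [p for p in policies if p.policyid != policyid]
    idx = next(i for i, p in enumerate(rest) if p.policyid == before_id)
    return rest[:idx] + [moving] + rest[idx:]


def matched_policy_id(policies: List[Policy], session: Session) -> Optional[int]:
    hit = first_match(policies, session)
    return hit.policyid if hit else None


# Constructed policies (added example): the profile names are illustrative
# stand-ins for the UTM the thread mentions, not the poster's configuration.
GUEST_WIFI_POLICY = Policy(2, "guest_wifi_policy", "guestwifi", "wan", {"ALL"},
                           {"application-list", "dlp-sensor"})
DNS_ALLOW_POLICY = Policy(18, "guest_dns_no_utm", "guestwifi", "wan", {"DNS"})
DNS_SESSION = Session("guestwifi", "wan", "DNS")
HTTPS_SESSION = Session("guestwifi", "wan", "HTTPS")


if __name__ == "__main__":
    below = [GUEST_WIFI_POLICY, DNS_ALLOW_POLICY]     # new policy created at the bottom
    above = move_before(below, 18, 2)                 # moved above policy #2
    print("DNS with #18 below #2 hits policy", matched_policy_id(below, DNS_SESSION))
    print("DNS with #18 above #2 hits policy", matched_policy_id(above, DNS_SESSION))
    print("HTTPS still hits policy", matched_policy_id(above, HTTPS_SESSION))
```

With #18 at the bottom the DNS session lands on policy #2 and its UTM profiles; after the move it lands on #18 with no UTM, while everything else from the guest SSID still falls through to #2. The CLI equivalent of the drag is `move 18 before 2` inside `config firewall policy`.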
antoniocerasuolo
New Contributor III

seems that the blocking is happening because policy 2 is a proxy-based policy, which I need if I want Data Leak Prevention to work

funkylicious

try moving the newly created rule that allows DNS above this rule.

"jack of all trades, master of none"
antoniocerasuolo

Hi,

ok I created the rule as you suggested with ISDB, is this ok? take a look

Immagine5.png

dingjerry_FTNT

Hi @antoniocerasuolo ,

You may add objects with Fortinet & DNS in the names.

Regards,

Jerry
funkylicious

yes, this would do. now just move this rule above the one that blocks.

"jack of all trades, master of none"