moving sub-interfaces to another physical port - effects on firewall policy

doncacciatoconsuting · ‎02-26-2024

When trying to move sub-interfaces from one physical port to another, my policy package in FMG throws errors... Seems like I have to manually update every policy. Is there a way to get the policy to track the changes and auto-correct itself ?

Thanks,

Don

Skytech1 · ‎02-26-2024

Hi Don,

When I've tried to do it locally on FG, I can't move the subinterface (vlan) from one physical port to another one, it prompts an error. Anyway if you've managed to do that and want to mantain the policies, I suggest you move the interface to a Zone, and apply the policies to the Zone, that way you won't have to modify policies

Regards,

doncacciatoconsuting · ‎02-26-2024

My thought was running these CLI scripts from FMG:

1) Policy Package - Replace vlan interface with "any". Must install the policy because all subsequent configs will fail.

2) Device Database - In the VLAN interface, unset the existing physical port, then set the new port.

3) Device Database - Add the vlan interface to a new zone.

4) Policy Package - Change the policies from 'any' to the new zone.

STEP 2 Fails with the following message, so I'm kinda stumped.

"VLAN ID, VLAN protocol, or physical interface cannot be changed once a VLAN has been created."

Skytech1 · ‎02-26-2024

Yeap...that's exactly what happens when trying to move the vlan to a different port...as far as I understand, there's no way to move the interface (even locally on the FortiGate), it has to be recreated in the other port

doncacciatoconsuting · ‎02-26-2024

Or you can brute force it by downloading the config, changing the physical port that it's tied to, then upload the config back. Requires a reboot.

moving sub-interfaces to another physical port - effects on firewall policy

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website