- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to Migrate VLANs to Virtual Switch on FortiGat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Migrate VLANs to Virtual Switch on FortiGate Without Losing Configurations?
I'm working with a FortiGate 100F and attempting to migrate 10 VLANs from port5 to a newly created virtual switch. My goal is to preserve all existing configurations, including policies and routing tied to these VLANs, during the migration. I've tried editing the backup configuration file to replace port5 with the virtual switch's name and re-upload it, but after doing so, all my VLANs vanished from the configuration. I ensured that syntax and references were correctly maintained in the edit.
Has anyone successfully completed a similar migration, or can provide insights on how to retain VLAN configurations when moving to a virtual switch? Are there specific steps or considerations in the FortiGate setup to prevent the loss of VLAN configurations during such a process?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your prompt reply and valuable insights. I appreciate your suggestions on using CLI scripts and minimizing firewall policy adjustments during the migration process. Your mention of using a wizard for interface-to-zone migration was particularly intriguing.
Regarding the suggestion to call Professional Services (PS), while I understand the importance of expert guidance in critical environments, I'm optimistic about handling the migration internally. As a member of Professional Services myself, I'm confident in our team's abilities to manage the migration effectively. Nevertheless, I'll keep PS support in mind for any unforeseen challenges.
After further exploration, I stumbled upon an article discussing the migration of VLANs to other interfaces using FortiGate devices. It offers detailed steps and insights that align closely with our migration objectives. I found it helpful and thought it might complement our migration strategy. You can find the article here: Technical Tip: Transfer/Migrate VLAN to another interface.
URL: - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Transfer-Migrate-VLAN-to-another-interface...
I'm pleased to share that implementing the solution outlined in the article took no more than 10 minutes, and our network is functioning flawlessly. It's reassuring to see such efficient results, and I'm confident in the decisions we've made for our migration strategy.
Thank you once again for your assistance. Your input has been invaluable in shaping our migration approach.
Best regards
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hassan
In such situation one of the good methods is to use zones. I'd proceed as follows:
- Make a full backup of your FG config
- Create a zone for each VLAN
- Migrate VLANs to Zones (interface migration wizard)
- Create the new interface VLANs
- Add each new interface VLAN to the right existing zone (you will have 2 VLAN interfaces by zone, one old and one new)
- Propagate the VLANs from the switch to FG's new port(s)
- Migrate the interface IP addresses from the old VLAN interfaces to the new VLAN interfaces
- Test if everything is ok
- Once all is fine delete the old VLAN interfaces
- Rollback from backup config in case of major issue
Do it in maintenance window.
Downtime approximately 10 mn.
Test it first on a test system if possible
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the detailed recommendations on migrating VLANs to zones and adjusting network configurations. I understand the proposed approach and its benefits for managing network policies and simplifying configurations. However, I'm facing a significant challenge due to the scale of our network, which includes over 112 switches and more than 1015 firewall policies, alongside numerous policy routes.
Given the complexity and breadth of our network infrastructure, a major concern is the practicality of implementing these changes without causing extensive downtime or operational disruption. The initial estimate of approximately 10 minutes of downtime seems optimistic in our context. Redefining policies and reconfiguring all switches in this timeframe isn't feasible, considering the need for careful planning, phased implementation, and rigorous testing to ensure network integrity and performance.
Implementing changes on such a scale likely requires a more gradual transition plan, potentially leveraging automation tools to manage repetitive tasks and minimize human error. However, even with automation, the scope of changes—especially updating switch configurations and firewall policies—presents a considerable workload.
I'm seeking further guidance on managing this transition more effectively under these constraints. Are there alternative strategies that might accommodate the large scale of our network, while minimizing downtime and disruption? Additionally, would engaging with professional services for planning and execution support be advisable in this scenario?
I appreciate any insights or suggestions you can offer, including experiences from similar large-scale migrations or best practices for managing complex network transitions.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome Hassan
I'll try to ask with short answers some of your questions but probably not all of them, hoping that it will help.
- For large scale a good solution to speed up the migration and minimize time is to prepare and use CLI scripts for switch & FG
- No need to change any firewall policy. The only thing changed in policies is to change interfaces by zones, and this is done automatically and quickly by wizard (almost no traffic interruption)
- Sometimes when your environment is very critical and you can't handle such migration then yes you should call PS
- Full backup (switch & FG) is your best guarantee. Prepare a plan and rollback plan in a realistic maintenance window. Stop everything and execute rollback if maintenance window reaches its end
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your prompt reply and valuable insights. I appreciate your suggestions on using CLI scripts and minimizing firewall policy adjustments during the migration process. Your mention of using a wizard for interface-to-zone migration was particularly intriguing.
Regarding the suggestion to call Professional Services (PS), while I understand the importance of expert guidance in critical environments, I'm optimistic about handling the migration internally. As a member of Professional Services myself, I'm confident in our team's abilities to manage the migration effectively. Nevertheless, I'll keep PS support in mind for any unforeseen challenges.
After further exploration, I stumbled upon an article discussing the migration of VLANs to other interfaces using FortiGate devices. It offers detailed steps and insights that align closely with our migration objectives. I found it helpful and thought it might complement our migration strategy. You can find the article here: Technical Tip: Transfer/Migrate VLAN to another interface.
URL: - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Transfer-Migrate-VLAN-to-another-interface...
I'm pleased to share that implementing the solution outlined in the article took no more than 10 minutes, and our network is functioning flawlessly. It's reassuring to see such efficient results, and I'm confident in the decisions we've made for our migration strategy.
Thank you once again for your assistance. Your input has been invaluable in shaping our migration approach.
Best regards
Related Posts
- Possible memory issues with 7.2.8 38 Views
- Blockin Whatsapp Videocall only 35 Views
- Linux forticlient-cli with enable_local_lan 46 Views
- Can the log report be automated? 42 Views
- adding foritgate into fortimanager 52 Views
Labels
-
FortiGate
6,556 -
FortiClient
1,307 -
5.2
801 -
5.4
639 -
FortiManager
565 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.