FortiGate units (the big ones at least) come configured in what is called “switch mode”, meaning the box groups a number of physical interfaces together and makes them act as a single switch, serves DHCP over that switch interface, and so on.
Most companies don’t want this; if we want to increase throughput for a given zone we’d instead create an 802.3ad aggregate link out of two or more of the individual interfaces, which the built-in switch gets in the way of.
Disabling switch mode isn’t as straightforward as putting in the one command; there are two things you need to check first:
- Are you serving DHCP over this switch interface?
- Have you got any firewall policies referencing this interface?
If the answer is “yes” to either, you need to remove those objects first, or when you try to change the mode you will see one of “Interface switch is in use”, “Interface internal is in use” or “Entry is used”:
Delete the DHCP server relating to the switch interface, either in the GUI (as below):
Or in the CLI:
fw-a # config sys dhcp server
fw-a (server) # show          <- find the entry number(s) whose "set interface" is your switch interface
fw-a (server) # delete [entry number here]
fw-a (server) # end
Next you need to delete all policies relating to the interface. This can be done in the GUI via Policy -> Policy -> Policy by deleting every policy whose source or destination interface is the switch interface. Again, it can be done with the CLI:
fw-a # config firewall policy
fw-a (policy) # show          <- find the policy ID(s) whose "set srcintf" or "set dstintf" is your switch interface
fw-a (policy) # delete [policy ID here]
fw-a (policy) # end
Once all the objects related to the switch-mode interface are deleted, we can change the global mode from switch to interface via the CLI:
fw-a # config sys global
fw-a (global) # set internal-switch-mode interface
fw-a (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
The box will reboot and you’ll have a host of new interfaces (internal1, internal2, … or port1, port2, …, depending on the model) to use as you like.
N.B.: Some boxes are awkward and will also require you to delete the virtual hardware/software switch that was created. If you still can’t see the individual interfaces after the reboot, run the following:
fw-a # config system virtual-switch
fw-a (virtual-switch) # delete [switch name here, e.g. lan or internal]
fw-a (virtual-switch) # end
If you are still having difficulty, run the following to find any remaining entries that reference the interface:
diagnose sys checkused sys.interface.name [interface name here, e.g. lan or internal]
This command outputs every object that references the interface and might be stopping it from being removed.
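The same checks (DHCP server, firewall policies, virtual switch, and whatever else `diagnose sys checkused` would turn up) can be run offline against a full-config backup before you touch the box. The Python script below is an added example, not code from this post or from Fortinet: it parses the plain-text FortiOS config format (config / edit / set / next / end), lists every object that still references the switch interface, and prints the CLI deletes described above in the order the post performs them, flagging anything the post does not cover (a static route bound to the interface, for instance) for manual review. The embedded sample backup is constructed for illustration, and function names such as `find_interface_references` are this example’s own.

```python
"""Pre-flight check for `set internal-switch-mode interface`: scan a FortiOS
full-config backup for every object that still references the switch
interface and emit the CLI deletes the post walks through.  Added example,
not code from the post or from Fortinet; it assumes only the plain-text
config format (config / edit / set / next / end).  The sample is constructed."""
import re
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
config system global
    set internal-switch-mode switch
end
config system virtual-switch
    edit "lan"
        config port
            edit "port1"
            next
        end
    next
end
config system interface
    edit "lan"
        set type hard-switch
    next
end
config system dhcp server
    edit 1
        set interface "lan"
    next
end
config router static
    edit 1
        set device "wan1"
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz"
    next
end
"""

_SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")
# Tables the post deletes from, in the order it does so; anything else needs a human.
_DELETE_ORDER = {"system dhcp server": 0, "firewall policy": 1, "system virtual-switch": 2}


def _values(value: str) -> List[str]:
    """Tokens of a `set` value with the quotes FortiOS puts around names removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def find_interface_references(config_text: str, iface: str) -> List[Tuple[str, str]]:
    """(object path, line) for every object, other than the interface's own
    `config system interface` entry, that refers to `iface`."""
    refs: List[Tuple[str, str]] = []
    stack: List[str] = []  # e.g. ["firewall policy", "1"]; `next` and `end` each pop one level
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            stack.append(name)
            # a hardware/software switch named after the interface is itself a blocker
            if stack[:-1] == ["system virtual-switch"] and name == iface:
                refs.append(("/".join(stack), line))
        elif line in ("next", "end"):
            stack.pop()  # assumes a well-formed backup
        elif (m := _SET_RE.match(line)) and stack[:2] != ["system interface", iface]:
            if iface in _values(m.group(2)):
                refs.append(("/".join(stack), line))
    return refs


def switch_mode(config_text: str) -> Optional[str]:
    """Value of `set internal-switch-mode` in the backup, or None if the line is absent."""
    m = re.search(r"^\s*set internal-switch-mode (\S+)", config_text, re.M)
    return m.group(1) if m else None


def deletion_commands(refs: List[Tuple[str, str]]) -> List[str]:
    """CLI deletes for the references the post covers; the rest are flagged for review."""
    cmds: List[str] = []
    done = set()
    for path, line in sorted(refs, key=lambda r: _DELETE_ORDER.get(r[0].split("/")[0], 9)):
        table, _, entry = path.partition("/")
        if table in _DELETE_ORDER and entry and "/" not in entry:
            if path not in done:  # one delete per object even if it references iface twice
                done.add(path)
                cmds += [f"config {table}", f"    delete {entry}", "end"]
        else:
            cmds.append(f"# review manually: {path}: {line}")
    return cmds


if __name__ == "__main__":
    print("internal-switch-mode:", switch_mode(SAMPLE_CONFIG) or "not set")
    found = find_interface_references(SAMPLE_CONFIG, "lan")
    print("\n".join([f"{p}: {l}" for p, l in found] + deletion_commands(found)))
```

Point it at a real backup by reading the file into `find_interface_references` in place of `SAMPLE_CONFIG`; on the sample it reports the virtual switch, DHCP server 1 and policy 1 for `lan`, and for `wan1` it would print deletes for both policies but flag the static route, which is the kind of leftover the comment below about a default route describes.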
Why not follow @mylesagray on Twitter for more like this!
Thanks a lot for this “hint” ;-)
If you don’t want to disable the DHCP service and/or delete related policies, then initiate a “full-config” backup, open the backup file with a text editor, edit the corresponding line, save it and restore it.
I just tried to do this procedure on my FortiWiFi 30D and it doesn’t work… Can you guys help me? Please…
This is the error:
Interface lan is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23
FWF30Dxxxxxxxxxx # config firewall policy
FWF30Dxxxxxxxxxx (policy) # show
config firewall policy
end
FWF30Dxxxxxxxxxx # config sys dhcp server
FWF30Dxxxxxxxxxx (server) # show
FWF30Dxxxxxxxxxx (server) #
Julio, on the 30D, also remove the lan from the internal interface members if you still have issues; then also ensure the lan ports are plugged into any devices.
Julio, I had the same problem you had on a FortiWiFi 40C without physical access and solved it by putting the interface administratively down and removing a static (default) route from it. Not sure which of the two did the trick, but then it worked.
Hello gents,
I would like to put the ports into interface mode, but I must be missing something as I am not able to do it. I do not have any policy related to the “lan” interface, nor any DHCP. If I check the mode in “system global”, I can see it is set to interface, but I still see only the “lan” interface. I am trying to set this up on a Forti 100D.
Hi Jaro,
I have a 100D at the moment, can you paste the output of what you’re seeing from the relevant sections?
Myles
Hi Myles,
Thanks for getting back to me so swiftly. Please see following output:
CENSORED_HOSTNAME # show system dhcp server
CENSORED_HOSTNAME #
——-
CENSORED_HOSTNAME #
CENSORED_HOSTNAME # show firewall policy
config firewall policy
end
CENSORED_HOSTNAME #
——-
CENSORED_HOSTNAME # show system global
config system global
set fgd-alert-subscription advisory latest-threat
set hostname “CENSORED_HOSTNAME”
set internal-switch-mode interface
set optimize antivirus
set pre-login-banner enable
set timezone 04
end
CENSORED_HOSTNAME #
——-
CENSORED_HOSTNAME # show system interface
config system interface
edit “wan1”
set vdom “root”
set ip x.x.x.x x.x.x.x
set allowaccess ping https ssh
set type physical
set alias “Outside”
set snmp-index 2
next
edit “dmz”
set vdom “root”
set allowaccess ping https fgfm capwap
set status down
set type physical
set snmp-index 4
next
edit “modem”
set vdom “root”
set mode pppoe
set type physical
set snmp-index 5
set defaultgw enable
next
edit “ssl.root”
set vdom “root”
set type tunnel
set alias “sslvpn tunnel interface”
set snmp-index 7
next
edit “mesh.root”
set vdom “root”
set status down
set type vap-switch
set snmp-index 8
next
edit “wan2”
set vdom “root”
set allowaccess ping fgfm
set type physical
set snmp-index 3
next
edit “mgmt”
set vdom “root”
set allowaccess ping https fgfm
set status down
set type physical
set dedicated-to management
set snmp-index 6
next
edit “ha1”
set vdom “root”
set type physical
set snmp-index 10
next
edit “ha2”
set vdom “root”
set type physical
set snmp-index 11
next
edit “lan”
set vdom “root”
set type hard-switch
set snmp-index 1
next
end
CENSORED_HOSTNAME #
Jaro – have you rebooted the box as this state will exist until the reboot?
@Myles,
Yes, I rebooted it several times, without luck. I still see only the “lan” interface instead of many “internalX” ones. I am running the box on the 5.0.9 OS.
Jaro – Looking at that interface, it is a hardware switch; go to the UI and delete the LAN interface (I assume you’re connected via MGMT), then your interfaces should show up separately.
Myles – I am connected via OOB; basically I am remotely consoled to the device. I tried to delete the “lan” interface from the CLI; still no luck:
“Switch interfaces can only be deleted from the switch interface table.
command_cli_delete:5408 delete table entry lan unset oper error ret=-160
Command fail. Return code -160”
Jaro – Can you show me the output of `show system virtual-switch` please?
Also run: `diagnose sys checkused sys.interface.name lan`
@Myles
Thank you very much for your enlightenment :) I went to “conf system virtual-switch” and deleted “lan” from there, and I now see port1-16.
It looks like this might have changed in the 5.0.9 code, as I tried to factory-reset the box before and it came up by default in “interface” mode.
Once again, thank you very much for your time and help in resolving this tricky thing :)
Wish you all the best.
Jaro
Jaro – Excellent news, glad I could be of service! :)
Thanks for posting this online. Removal of DHCP via CLI worked for me
Can anyone help me? I accidentally clicked administrative down on the internal ports and now I can’t log in to the GUI in a browser or to the CLI. Now all ports are disabled. How can I enable the ports again?
Plug in a console cable, or USB and use FortiExplorer.
In the case of the FGT WiFi: enter the GUI and, in the menu System, Network and Interface, edit internal, disassociate lan and then delete the lan,
and you’re ready.