Blah, Cloud.

Adventures in architectures


Changing Fortigate from Switch mode to Interface mode

11/02/2014 by Myles Gray 18 Comments

Fortigate units (the larger models at least) ship in what is called “switch mode”: a number of physical interfaces are grouped together and made to act as a single switch, DHCP is served over that switch interface, and so on.

Most companies don’t want to use this; instead, if we need more throughput for a given zone, we create an 802.3ad link aggregate out of two or more of the interfaces.

Disabling switch mode isn’t as straightforward as entering the one command. There are two factors you need to consider:

  1. Are you serving DHCP over this switch interface?
  2. Have you got any policies relating to this interface?

If the answer is “yes” to either of these, you need to do the following first, or you will see one of “Interface switch is in use”, “Interface internal is in use” or “Entry is used” later on:

Delete the DHCP server relating to the switch interface (either in the GUI, as in the screenshot below):

[Screenshot: Disable DHCP Server]

Or you can do it in the CLI:

fw-a # config sys dhcp server
fw-a (server) # show <look at list and find the entry number relating to your interface>
fw-a (server) # delete [entry number here]
fw-a (server) # end

Next you need to delete all policies relating to the interface. In the GUI this is done via Policy -> Policy -> Policy, deleting every policy whose source or destination is that interface. Again, it can be done with the CLI:

fw-a # config firewall policy
fw-a (policy) # show <look at list and find the entry number(s) relating to your interface>
fw-a (policy) # delete [entry number here]
fw-a (policy) # end

Once all the objects related to the switch mode interface are deleted, we can change the global mode from switch to interface via the CLI:

fw-a # config sys global
fw-a (global) # set internal-switch-mode interface
fw-a (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y

The box will reboot and you’ll have a host of new interfaces to use as you like.

N.B: Some boxes are awkward and will require you to delete the virtual hardware/software switch that switch mode created. If you still can’t see the individual interfaces after the reboot, run the following commands:

config system virtual-switch
delete {interface name e.g. lan, internal}
end

If you are still having difficulty, you can run the following to find any remaining entries that reference the interface:

diagnose sys checkused sys.interface.name {interface name e.g. lan, internal}

This command will output any entries that relate to this object and might stop it from being removed.
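As an added example (not from the original post), the following Python pre-check parses a FortiOS configuration backup in the config/edit/set/next/end layout seen in the CLI output in the comments and lists every object that still references the switch interface, which is the offline equivalent of the checkused diagnostic above. The sample configuration, including the virtual-switch entry, is constructed for illustration.

```python
import shlex

# Constructed sample of a FortiOS config backup (not taken from the page), laid
# out in the config/edit/set/next/end form that FortiOS "show" output uses.
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config system virtual-switch
    edit "internal"
        config port
            edit "internal1"
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "dmz"
    next
end
"""

def find_interface_refs(config_text, ifname):
    """(path, line) for each 'set' naming ifname, plus its virtual-switch entry."""
    stack, refs = [], []            # stack = enclosing tables / edit entries
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)   # shlex strips the quotes FortiOS emits
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit":
            stack.append("edit " + tokens[1])
            if tokens[1] == ifname and stack[-2] == "system virtual-switch":
                refs.append(("/".join(stack), raw.strip()))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set" and ifname in tokens[2:]:
            refs.append(("/".join(stack), raw.strip()))
    return refs

def blocking_tables(config_text, ifname):
    """Top-level tables still referencing ifname; empty means nothing blocks the change."""
    return sorted({p.split("/")[0] for p, _ in find_interface_refs(config_text, ifname)})
```

Run it over `show full-configuration` output saved from the box, with the switch interface name (`internal` or `lan`) as the second argument, and delete whatever it lists before changing the mode.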

Why not follow @mylesagray on Twitter for more like this!

Filed Under: Infrastructure Tagged With: fortigate, networking

About Myles Gray

Hi! I'm Myles, and I'm a Dev Advocate at VMware. Focused primarily on content generation, product enablement and feedback from customers and field to engineering.

Comments

  1. André says

    24/07/2014 at 06:58

    Thanks a lot for this “hint” ;-)
    If you don’t want to disable the DHCP service and/or delete related policies, then initiate a “full-config” backup, open the backup file with a text editor, edit the corresponding line, save it and restore it.

    Reply
  2. Julio Ruan says

    18/10/2014 at 17:51

    I just tried to do this procedure on my fortiwifi 30D and it doesn’t work… Can you guys help me?? Pls…

    This is the error

    Interface lan is in use
    attribute set operator error, -23, discard the setting
    Command fail. Return code -23

    FWF30Dxxxxxxxxxx # config firewall policy

    FWF30Dxxxxxxxxxx (policy) # show
    config firewall policy
    end

    FWF30Dxxxxxxxxxx # config sys dhcp server
    FWF30Dxxxxxxxxxx (server) # show
    FWF30Dxxxxxxxxxx (server) #

    Reply
  3. Victor says

    11/11/2014 at 10:42

    Julio, on the 30D. also remove the lan from the internal interface members if you still have issues, then also ensure the lan ports are plugged to any devices.

    Reply
  4. Jan says

    26/11/2014 at 09:09

    Julio, I had the same problem you had on a fortiwifi 40C without physical access and solved it by putting the interface administratively down and removing a static (default) route from it. Not sure which of both did the trick, but then it worked.

    Reply
  5. JaroS says

    02/12/2014 at 12:52

    Hello Gents,

    I would like to put ports into the interface mode, but I must be missing something as I am not able to do it. I do not have any policy related to the “lan” interface, nor DHCP. If I check the mode in “system global”, I can see it is set to interface, but I still see only the “lan” interface. I am trying to set this up on a Forti 100D.

    Reply
    • Myles Gray says

      02/12/2014 at 14:40

      Hi Jaro,

      I have a 100D at the moment, can you paste the output of what you’re seeing from the relevant sections?

      Myles

      Reply
      • JaroS says

        02/12/2014 at 15:32

        Hi Myles,

        Thanks for getting back to me so swiftly. Please see following output:

        CENSORED_HOSTNAME # show system dhcp server

        CENSORED_HOSTNAME #
        ——-
        CENSORED_HOSTNAME #
        CENSORED_HOSTNAME # show firewall policy
        config firewall policy
        end
        CENSORED_HOSTNAME #
        ——-
        CENSORED_HOSTNAME # show system global
        config system global
        set fgd-alert-subscription advisory latest-threat
        set hostname “CENSORED_HOSTNAME”
        set internal-switch-mode interface
        set optimize antivirus
        set pre-login-banner enable
        set timezone 04
        end
        CENSORED_HOSTNAME #
        ——-
        CENSORED_HOSTNAME # show system interface
        config system interface
        edit “wan1”
        set vdom “root”
        set ip x.x.x.x x.x.x.x
        set allowaccess ping https ssh
        set type physical
        set alias “Outside”
        set snmp-index 2
        next
        edit “dmz”
        set vdom “root”
        set allowaccess ping https fgfm capwap
        set status down
        set type physical
        set snmp-index 4
        next
        edit “modem”
        set vdom “root”
        set mode pppoe
        set type physical
        set snmp-index 5
        set defaultgw enable
        next
        edit “ssl.root”
        set vdom “root”
        set type tunnel
        set alias “sslvpn tunnel interface”
        set snmp-index 7
        next
        edit “mesh.root”
        set vdom “root”
        set status down
        set type vap-switch
        set snmp-index 8
        next
        edit “wan2”
        set vdom “root”
        set allowaccess ping fgfm
        set type physical
        set snmp-index 3
        next
        edit “mgmt”
        set vdom “root”
        set allowaccess ping https fgfm
        set status down
        set type physical
        set dedicated-to management
        set snmp-index 6
        next
        edit “ha1”
        set vdom “root”
        set type physical
        set snmp-index 10
        next
        edit “ha2”
        set vdom “root”
        set type physical
        set snmp-index 11
        next
        edit “lan”
        set vdom “root”
        set type hard-switch
        set snmp-index 1
        next
        end

        CENSORED_HOSTNAME #

        Reply
        • Myles Gray says

          02/12/2014 at 16:10

          Jaro – have you rebooted the box as this state will exist until the reboot?

          Reply
          • JaroS says

            02/12/2014 at 16:14

            @Myles,

            Yes, I rebooted it several times. Without luck. I still see only the “lan” interface instead of many “internalX” ones. I am running the box on the 5.0.9 OS.

            Reply
            • Myles Gray says

              02/12/2014 at 19:02

              Jaro – Looking at that IF it is a hardware switch, go to the UI and delete the LAN interface (I assume you’re connected via MGMT), then your IFs should show up separately.

              Reply
  6. JaroS says

    03/12/2014 at 10:51

    Myles – I am connected via OOB; basically I am remotely consoled to the device. I tried to delete “lan” interface from the CLI; still no luck:

    “Switch interfaces can only be deleted from the switch interface table.
    command_cli_delete:5408 delete table entry lan unset oper error ret=-160
    Command fail. Return code -160”

    Reply
    • Myles Gray says

      03/12/2014 at 11:02

      Jaro – Can you show me the output of `show system virtual-switch` please?

      Also run: `diagnose sys checkused sys.interface.name lan`

      Reply
  7. JaroS says

    03/12/2014 at 11:14

    @Myles

    Thank you very much for your enlightenment :) I went to the “conf system virtual-switch” and deleted “lan” from there and I now see port1-16.

    It looks like this might have changed in the 5.0.9 code as I tried to factory-reset the box before and it came by default in the “interface” mode.

    Once again, thank you very much for your time and help in resolving this tricky thing :)

    Wish you all the best.

    Jaro

    Reply
    • Myles Gray says

      03/12/2014 at 11:15

      Jaro – Excellent news, glad I could be of service! :)

      Reply
  8. anjanesh babu says

    17/08/2015 at 14:27

    Thanks for posting this online. Removal of DHCP via CLI worked for me

    Reply
  9. Elmer Santos says

    26/08/2016 at 06:25

    Can anyone help me? I accidentally clicked administrative down on the internal ports and now I can’t log in to the GUI in the browser or to the CLI. Now all ports are disabled. How can I enable the ports again?

    Reply
    • Myles Gray says

      26/08/2016 at 07:11

      Plug in a console cable or USB and use FortiExplorer

      Reply
  10. hilbert says

    01/09/2016 at 21:30

    In the case of the FGT WiFi: enter the GUI and in the menu System, Network and Interface edit internal and disassociate lan, then delete the lan.

    And ready.

    Reply
