mylesagray / blog-comments

Comments for Blah, Cloud. Hugo blog

Changing Fortigate from Switch mode to Interface mode | Blah, Cloud #12

Open mylesagray opened 2 years ago

mylesagray commented 2 years ago

Written on 02/11/2014 11:53:56

URL: https://blah.cloud/infrastructure/changing-fortigate-switch-mode-interface-mode/

mylesagray commented 2 years ago

Comment written by André on 07/24/2014 06:58:19

Thanks a lot for this "hint" ;-)
If you don't want to disable the DHCP service and/or delete the related policies, then initiate a "full-config" backup, open the backup file with a text editor, edit the corresponding line, save it and restore it.

mylesagray commented 2 years ago

Comment written by Julio Ruan on 10/18/2014 17:51:34

I just tried to do this procedure on my FortiWiFi 30D and it doesn't work... Can you guys help me? Please...

This is the error

```
Interface lan is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23

FWF30Dxxxxxxxxxx # config firewall policy

FWF30Dxxxxxxxxxx (policy) # show
config firewall policy
end

FWF30Dxxxxxxxxxx # config sys dhcp server
FWF30Dxxxxxxxxxx (server) # show
FWF30Dxxxxxxxxxx (server) #
```

mylesagray commented 2 years ago

Comment written by Victor on 11/11/2014 10:42:07

Julio, on the 30D, also remove the lan from the internal interface members if you still have issues, then also ensure the lan ports are plugged into any devices.

mylesagray commented 2 years ago

Comment written by Jan on 11/26/2014 09:09:46

Julio, I had the same problem you had on a FortiWiFi 40C without physical access and solved it by putting the interface administratively down and removing a static (default) route from it. Not sure which of the two did the trick, but then it worked.

mylesagray commented 2 years ago

Comment written by JaroS on 12/02/2014 12:52:53

Hello Gents,

I would like to put the ports into interface mode, but I must be missing something, as I am not able to do it. I do not have any policy related to the "lan" interface, nor any DHCP. If I check the mode in "system global", I can see it is set to interface, but I still see only the "lan" interface. I am trying to set this up on a Forti 100D.

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/02/2014 14:40:27

Hi Jaro,

I have a 100D at the moment, can you paste the output of what you're seeing from the relevant sections?

Myles

mylesagray commented 2 years ago

Comment written by JaroS on 12/02/2014 15:32:03

Hi Myles,

Thanks for getting back to me so swiftly. Please see following output:

```
CENSORED_HOSTNAME # show system dhcp server

CENSORED_HOSTNAME #
-------
CENSORED_HOSTNAME #
CENSORED_HOSTNAME # show firewall policy
config firewall policy
end
CENSORED_HOSTNAME #
-------
CENSORED_HOSTNAME # show system global
config system global
set fgd-alert-subscription advisory latest-threat
set hostname "CENSORED_HOSTNAME"
set internal-switch-mode interface
set optimize antivirus
set pre-login-banner enable
set timezone 04
end
CENSORED_HOSTNAME #
-------
CENSORED_HOSTNAME # show system interface
config system interface
edit "wan1"
set vdom "root"
set ip x.x.x.x x.x.x.x
set allowaccess ping https ssh
set type physical
set alias "Outside"
set snmp-index 2
next
edit "dmz"
set vdom "root"
set allowaccess ping https fgfm capwap
set status down
set type physical
set snmp-index 4
next
edit "modem"
set vdom "root"
set mode pppoe
set type physical
set snmp-index 5
set defaultgw enable
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "sslvpn tunnel interface"
set snmp-index 7
next
edit "mesh.root"
set vdom "root"
set status down
set type vap-switch
set snmp-index 8
next
edit "wan2"
set vdom "root"
set allowaccess ping fgfm
set type physical
set snmp-index 3
next
edit "mgmt"
set vdom "root"
set allowaccess ping https fgfm
set status down
set type physical
set dedicated-to management
set snmp-index 6
next
edit "ha1"
set vdom "root"
set type physical
set snmp-index 10
next
edit "ha2"
set vdom "root"
set type physical
set snmp-index 11
next
edit "lan"
set vdom "root"
set type hard-switch
set snmp-index 1
next
end

CENSORED_HOSTNAME #
```

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/02/2014 16:10:53

Jaro - have you rebooted the box, as this state will exist until the reboot?

mylesagray commented 2 years ago

Comment written by JaroS on 12/02/2014 16:14:15

@Myles,

Yes, I rebooted it several times, without luck. I still see only the "lan" interface instead of the many "internalX" ones. I am running the box on the 5.0.9 OS.

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/02/2014 19:02:02

Jaro – Looking at that IF, it is a hardware switch; go to the UI and delete the LAN interface (I assume you're connected via MGMT), then your IFs should show up separately.

mylesagray commented 2 years ago

Comment written by JaroS on 12/03/2014 10:51:19

Myles - I am connected via OOB; basically I am remotely consoled to the device. I tried to delete the "lan" interface from the CLI; still no luck:

```
Switch interfaces can only be deleted from the switch interface table.
command_cli_delete:5408 delete table entry lan unset oper error ret=-160
Command fail. Return code -160
```

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/03/2014 11:02:25

Jaro - Can you show me the output of `show system virtual-switch` please?

Also run: `diagnose sys checkused sys.interface.name lan`
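Added example, not code from the original post, from anyone in this thread, or from Fortinet: an offline stand-in for the `diagnose sys checkused sys.interface.name lan` check above and for André's earlier suggestion of editing a full-config backup. The script parses the `config` / `edit` / `set` / `next` / `end` nesting of a FortiOS backup and lists every object that still references a given interface (DHCP server, firewall policy, static route, the `system virtual-switch` entry), which is what makes `set internal-switch-mode interface` fail with "Interface lan is in use" (return code -23). The embedded configuration is constructed for the example and the function names are my own.

```python
"""Offline stand-in for `diagnose sys checkused sys.interface.name <iface>`.

Added example, not code from the original post or from Fortinet.  Parses a
FortiOS full-config backup (the config / edit / set / next / end nesting
seen in the thread) and lists the objects still referencing an interface,
i.e. what has to go before `set internal-switch-mode interface` stops
failing with "Interface lan is in use" (return code -23).
"""
import shlex

# Constructed sample backup (not a real device): a trimmed FortiOS config that
# still has a DHCP server, a firewall policy and a hardware-switch entry on "lan".
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-example"
    set internal-switch-mode switch
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set type physical
    next
    edit "lan"
        set vdom "root"
        set type hard-switch
    next
end
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
config system dhcp server
    edit 1
        set interface "lan"
        set default-gateway 192.168.1.99
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
"""


def parse_fortios(text):
    """Flatten a FortiOS config into (path, attrs) pairs.

    path is a tuple such as ("firewall policy", "1"); attrs maps each `set`
    key to its list of values (a FortiOS `set` may carry several values).
    `edit` entries are always recorded; bare `config` blocks such as
    `system global` only when they set something.
    """
    objects = []
    path, attrs, is_edit = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the "quoted value" syntax
        except ValueError:
            tokens = line.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))
            attrs.append({})
            is_edit.append(False)
        elif kw == "edit":
            path.append(args[0] if args else "")
            attrs.append({})
            is_edit.append(True)
        elif kw == "set" and args:
            attrs[-1][args[0]] = args[1:]
        elif kw == "unset" and args:
            attrs[-1].pop(args[0], None)
        elif kw in ("next", "end") and path:
            if is_edit[-1] or attrs[-1]:
                objects.append((tuple(path), attrs[-1]))
            path.pop()
            attrs.pop()
            is_edit.pop()
    return objects


def references_to(objects, iface):
    """Objects that name `iface` either as a set value or as their own edit key.

    The interface's own `config system interface` entry is excluded: that is
    the thing being changed, not a reference to it.  The virtual-switch entry
    named after the interface (JaroS's case) is deliberately kept.
    """
    hits = []
    for path, attrs in objects:
        if path == ("system interface", iface):
            continue
        named_after_it = len(path) > 1 and path[-1] == iface
        set_to_it = any(iface in values for values in attrs.values())
        if named_after_it or set_to_it:
            hits.append(path)
    return hits


def switch_mode(objects):
    """Return the configured internal-switch-mode, or None if it is not set."""
    for path, attrs in objects:
        if path == ("system global",) and "internal-switch-mode" in attrs:
            return attrs["internal-switch-mode"][0]
    return None


def report(text, iface="lan"):
    """Human-readable list of blockers, one line per object."""
    objects = parse_fortios(text)
    lines = ["internal-switch-mode: %s" % switch_mode(objects)]
    for path in references_to(objects, iface):
        lines.append("in use by: %s" % " / ".join(path))
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(report(text, sys.argv[2] if len(sys.argv) > 2 else "lan")))
```

Run it against a backup taken before the change (`python fortios_inuse.py backup.conf lan`) and delete or edit each listed object, then reboot as the thread notes; an empty "in use by" list is the condition under which the mode change is accepted.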

mylesagray commented 2 years ago

Comment written by JaroS on 12/03/2014 11:14:34

@Myles

Thank you very much for your enlightenment :) I went to "conf system virtual-switch" and deleted "lan" from there, and I now see port1-16.

It looks like this might have changed in the 5.0.9 code, as I tried to factory-reset the box before and it came by default in "interface" mode.

Once again, thank you very much for your time and help in resolving this tricky thing :)

Wish you all the best.

Jaro

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/03/2014 11:15:31

Jaro - Excellent news, glad I could be of service! :)

mylesagray commented 2 years ago

Comment written by anjanesh babu on 08/17/2015 14:27:49

Thanks for posting this online. Removal of DHCP via the CLI worked for me.

mylesagray commented 2 years ago

Comment written by Elmer Santos on 08/26/2016 06:25:08

Can anyone help me? I accidentally clicked administrative down on the internal ports and now I can't log in to the GUI in a browser or to the CLI. Now all ports are disabled. How can I enable the ports again?

mylesagray commented 2 years ago

Comment written by Myles Gray on 08/26/2016 07:11:57

Plug in a console cable or USB and use FortiExplorer

mylesagray commented 2 years ago

Comment written by hilbert on 09/01/2016 21:30:06

In the case of the FGT WiFi, enter the GUI and, in the menu System, Network, Interface, edit internal and disassociate lan, and then delete the lan.

And ready.