Fortigate: changing switch to interface mode in 5.4+

September 17, 2017

Fortigate: changing switch to interface mode in 5.4+

Fortinet, the makers of Fortigate firewalls, keep changing around how to convert the internal Ethernet ports from switch mode, where all the ports are members of a single interface, to interface mode, where each port is its own interface.

This weekend I spent hours tracking down how to do this on a Fortigate 60E that shipped with 5.4.3, because the procedure changed - again - and even Fortigate support was too busy to help me (!!).

But I figured it out and am writing this for Google.

A hat tip to Cyrill Gremaud whose helpful instructions allowed me to sort it out; his notes didn't exactly apply to this version of firmware, but it was close enough. Thank you, Cyrill.

The general approach has always been to remove all references to the "internal" interface, which makes it available for the shuffling required.

For an out-of-the-box unit, there are only two references, the internal DHCP server plus a firewall rule allowing traffic, and they have to be removed. If you have already configured additional references to the "internal" interface, they have to go too, and it's probably easiest to remove them from the GUI.

On the 60E models, there's no USB management port that I've been used to, so there's no friendly web-type interface via the FortiExplorer app, so as far as I know we have to do this strictly on the CLI via the serial port. This is new to me so maybe I'm missing something easy, but since we're removing the IP address from the internal interface, we can't use network methods to connect.

config system dhcp server
  delete 1
  end

config firewall policy
  delete 1
  end

# Note: some guides say set the IP to 0.0.0.0 but this works too.
# You do have to remove the "lan" role.
config system interface
  edit "internal"
    unset ip
    unset role
    end

# deleting the internal switch does the heavy lifting here
config system virtual-switch
  delete internal
  end

# or whatever parameters you want for network access
config system interface
  edit "internal1"
    set ip 192.168.1.99/24
    set role lan
    set allowaccess ping http https
    end

Now you can connect via the usual network methods and continue your configuration. Unlike previous methods that used "set internal-switch-mode interface", this does not seem to require a reboot to take effect.

This procedure has been tested in September 2017 on Fortigate 60E with 5.4.3 and 5.4.5 firmware.

Posted at 07:27 AM in Tech Tips | Permalink

Comments

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

I had a backup. Really.

September 17, 2017