Break “internal” default member on FortiOS 5.4.x on low-end models

Hello everybody! This post is the first one about Fortinet products. For a few months I have had the chance to work with a lot of Fortinet products, and I will begin to write some articles about this company.

Today, I will briefly explain how to break/configure the “lan” default hardware switch present on some low-end Fortigate models running FortiOS 5.4.x. This post uses a FortiWifi 60E. “Wifi” just means that it is a Fortigate with wireless capabilities.

Initial power-up

When I powered on the 60E for the first time, it came with FortiOS 5.4.1 installed. When you look under “Network” -> “Interfaces”, you will not see all physical ports but only a member named “Internal”, which is used within an interface named “lan”. You can check this from the CLI:

From the CLI, if you edit the “lan” interface, you can only add or remove the member named “Internal”, but you cannot configure it! By default, all physical ports are members of this “Internal” member.

Break / configure “internal” member

To be able to use physical ports to handle various network configurations like DHCP server, DNS, VLAN sub-interfaces and so on, it is necessary to break the “internal” member.

Step 1 – Remove all reference to “lan” interface

From the GUI, you can see the number of current references to this interface. Be sure to remove them all! In principle, the following points can count as a reference (this list is non-exhaustive):

  • Policies that use the “lan” interface as incoming or outgoing interface
  • A DHCP server enabled in the interface configuration
  • The “lan” interface used in an address or virtual IP configuration
  • A DNS server enabled for the “lan” interface

Step 2 – Change IP of “lan” interface

From the CLI or directly from the GUI, set the following IP configuration on the “lan” interface:

  • Addressing mode : Manual
  • IP/Network Mask : 0.0.0.0/0

(Screenshot: setting the “lan” interface address in the GUI)

Or from the CLI using this command:

Step 3 – Delete the “lan” interface

Now, you can delete the “lan” interface directly from the GUI or from the CLI.

Step 4 – Delete “internal” member

Now, because the “internal” member is no longer used by the “lan” interface, we can remove it. In fact, it is a virtual switch which contains all physical members.

After that, you should be able to see all physical members in the GUI under “Network” -> “Interfaces”, or directly from the CLI using the following command:

(Screenshot: physical interfaces listed from the CLI)

Note: “internal1” and “internal2” are not shown in this picture, but you should see them in your configuration. On some other models, the physical interfaces are named “port1”, “port2” and so on.

Step 5 – Configure the physical ports

Now, you can configure each physical interface as you want 🙂

(Screenshot: example configuration of the physical interfaces)
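The CLI form of steps 1 to 5, as an added example that is not taken from the post's own screenshots: the `diagnose sys checkused` reference check and the `system virtual-switch` table name are assumptions about the 60E's FortiOS 5.4 CLI, and `internal1` with the 192.168.10.0/24 address are example values.

```fortios
# Step 1: list what still references "lan" before deleting it
# (assumed command; FortiOS refuses to delete an interface that is still in use)
diagnose sys checkused system.interface.name lan

# Step 2: clear the address on "lan" (manual mode, 0.0.0.0/0)
config system interface
    edit lan
        set mode static
        set ip 0.0.0.0 0.0.0.0
    next
end

# Step 3: delete the "lan" interface
config system interface
    delete lan
end

# Step 4: delete the "internal" virtual switch (assumed table name)
config system virtual-switch
    delete internal
end

# Check: the physical ports should now be listed individually
get system interface physical

# Step 5: configure one freed port (example values)
# Every freed port is now a separate L3 interface with no policies,
# so keep the management access on each one to the minimum you need.
config system interface
    edit internal1
        set mode static
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
```

Repeat the step 5 block for each port you want to use; any port left with no address and no `allowaccess` stays down and unreachable.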
