Hello everybody! This post is the first one about Fortinet products. For a few months I have had the chance to work with a lot of Fortinet products, and I will begin to write some articles about this company.
Today, I will briefly explain how to break/configure the “lan” default hardware switch present on some low-end Fortigate models running FortiOS 5.4.x. This post uses a FortiWifi 60E. “Wifi” just means that it is a Fortigate with wireless capabilities.
When I powered on the 60E for the first time, it came with FortiOS 5.4.1 installed, and when you look under “Network” -> “Interfaces”, you will not see all physical ports but only a member named “Internal”, which is used within an interface named “lan”. You can check this using the CLI:
FWF60E-labo# show system switch-interface
From the CLI, if you edit the “lan” interface, you can only add or remove the member named “Internal”; you cannot configure it! By default, all physical ports are members of this “Internal” member.
Break / configure “internal” member
To be able to use the physical ports for various network configurations (DHCP server, DNS, VLAN sub-interfaces and so on), it is necessary to break the “internal” member.
Step 1 – Remove all reference to “lan” interface
From the GUI, you can see the number of current references to this interface. Be sure to remove them all! In principle, the following points count as references (this list is non-exhaustive).
- Policies that use the “lan” interface as incoming or outgoing interface
- The DHCP server enabled in the interface configuration
- The “lan” interface used in an address or virtual IP configuration
- The DNS server enabled for the “lan” interface
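Before moving on to Step 2, it is worth scanning a configuration backup for leftover references rather than trusting the GUI counter alone. The following Python script is an added example, not from the original post or from Fortinet; it parses a constructed FortiOS 5.4-style config snippet (the section and setting names are assumptions based on the reference types listed above) and reports every place the “lan” interface is still referenced.

```python
# Constructed sample of a FortiOS 5.4 config backup (not a real device export).
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set interface "lan"
    next
end
config firewall address
    edit "lan subnet"
        set associated-interface "lan"
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
    next
end
config system dns-server
    edit "lan"
    next
end
"""

# Settings whose value names an interface; the enclosing section is tracked separately.
INTERFACE_KEYS = {"srcintf", "dstintf", "interface", "associated-interface", "extintf"}

def find_interface_references(config_text, iface="lan"):
    """Return (section, setting, entry) tuples for every reference to `iface`."""
    refs, stack, entry = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])          # enter a section
        elif line == "end":
            stack.pop()                                  # leave it again
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            # "config system dns-server" keys its entries by interface name
            if stack and stack[-1] == "system dns-server" and entry == iface:
                refs.append((stack[-1], "edit", entry))
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] in INTERFACE_KEYS:
                values = [v.strip('"') for v in parts[2].split()]
                if iface in values:                      # multi-value srcintf/dstintf supported
                    refs.append((stack[-1], parts[1], entry))
    return refs
```

Run it against a real backup (`execute backup config` output) and delete the "lan" interface only once the returned list is empty.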
Step 2 – Change IP of “lan” interface
From the CLI or directly from the GUI, set the following IP configuration on the “lan” interface:
- Addressing mode : Manual
- IP/Network Mask : 0.0.0.0/0
Or by CLI using this command:
FWF60E-labo# config system interface
FWF60E-labo (interface)# edit lan
FWF60E-labo (lan)# set ip 0.0.0.0 0.0.0.0
FWF60E-labo (lan)# end
Step 3 – Delete the “lan” interface
Now you can delete the “lan” interface directly from the GUI or via the CLI:
FWF60E-labo# config system interface
FWF60E-labo (interface)# delete lan
FWF60E-labo (interface)# end
Step 4 – Delete “internal” member
Now, because the “internal” member is no longer used by the “lan” interface, we can remove it. In fact, it is a virtual switch which contains all physical members.
FWF60E-labo# config system virtual-switch
FWF60E-labo (virtual-switch)# delete internal
FWF60E-labo (virtual-switch)# end
After that, you should be able to see all physical members in the GUI under “Network” -> “Interfaces”, or directly via the CLI using the following command:
FWF60E-labo# show system interface
Note: “internal1” and “internal2” are not shown in this picture, but you will see them in your configuration. On some other models, the physical interfaces are named “port1”, “port2” and so on.
Step 5 – Configure the physical ports
Now you can configure each physical interface as you want 🙂