Change Switch Mode to Interface Mode in Fortigate FortiOS 5

Recently I upgraded one of the new Fortigate 80C units to FortiOS 5.0 and could not see the option to change switch mode to interface mode. I finally did it from the CLI, and here is how to change switch mode to interface mode in Fortigate FortiOS 5. In earlier FortiOS versions, like 4.0 and 3.0, this option is usually available in the web interface under the network port settings. But I couldn’t see it in FortiOS 5.0.

Fortigate is one of the best hardware devices, which can do a lot of things in firewalling, network security, internet proxy, VPN and more. You can find more information about their products, features and technical details on the official site.

I’m not sure whether I missed the correct place for the option to change switch mode to interface mode in the FortiOS 5 web interface; anyhow, here is the way to do it in the CLI (Command Line Interface).

Basically, 3 steps are involved in this process.

1) Complete the prerequisites to change the mode

2) Change the mode from Switch mode to interface mode

3) Configure the network and allow access to a particular network port.

 

1) Prerequisites to change the mode

You must disable the DHCP service on the Fortigate device and remove any policies related to the internal interface.

Below is the Fortigate 80C in switch mode. All interfaces are combined together as a single ‘internal’ interface. In this case, we can’t have different settings (IPs, policies etc.) for each port on the device.

[Screenshot: switch mode]

a) To remove DHCP, click on ‘internal’ and press Edit. Deselect the DHCP server check box as shown below.

[Screenshot: disable DHCP]

b) Remove any policies which are related to the ‘internal’ port; normally you will find only one policy.

[Screenshot: remove the policy]

Now we are ready to change the mode.

2) Changing from Switch mode to interface mode.

As said earlier, we should use the CLI to complete this task. Use a serial cable and any telnet client software for this purpose. If you would like to use the built-in telnet client of Windows 8 or 8.1, check this guide.

Log in with the default credentials: the username is admin and there is no password.

Type the following command:

config system global 
  set internal-switch-mode interface 
end

[Screenshot: cli]

Once the device has rebooted, it will not have any network settings. Therefore, we must configure an IP address and the allowed access (http or https) on a particular network port, so that it can be reached later through a network cable and an internet browser.

 

3) Configure the network and allow access to a network port

Earlier we changed the switch mode to interface mode. Now the device has a number of individual network ports, each of which can have its own settings and policies. After changing the mode, these ports will not have any settings, not even a default IP address. Use the same CLI to configure an IP address and allow http or https access on a particular network port so that it can be accessed via the network.


To configure the access (the example below shows how to allow https and http access on a particular port):

config system interface
edit <interface_name>
set allowaccess http https
end
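
An added example (not part of the original post): a small Python audit that reads a saved FortiOS configuration and lists the interfaces whose allowaccess still includes a cleartext management protocol, such as the http enabled above. The sample configuration, port names and addresses are constructed for illustration.

```python
CLEARTEXT = {"http", "telnet"}  # management protocols sent unencrypted

# Constructed sample of a saved config after the mode change; the port
# names and addresses are assumptions, not taken from the page.
SAMPLE = '''\
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess http https
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal2"
        set allowaccess ping https ssh
    next
end
'''

def audit_allowaccess(config_text):
    """Return {interface: [cleartext protocols]} for every entry under
    'config system interface' whose allowaccess lists http or telnet."""
    findings, depth, in_section, current = {}, 0, False, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":          # opens a (possibly nested) block
            depth += 1
            if depth == 1:
                in_section = words[1:] == ["system", "interface"]
        elif words[0] == "end":           # closes the innermost block
            depth -= 1
            if depth == 0:
                in_section = False
        elif in_section and depth == 1 and words[0] == "edit":
            current = words[1].strip('"')
        elif in_section and depth == 1 and words[:2] == ["set", "allowaccess"]:
            weak = CLEARTEXT.intersection(words[2:])
            if weak:
                findings[current] = sorted(weak)
    return findings

if __name__ == "__main__":
    print(audit_allowaccess(SAMPLE))
```

Any interface the audit reports can be switched to https only by repeating the set allowaccess command without http.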

 

With the above three steps you should be able to change your Fortigate device from switch mode to interface mode in FortiOS 5 with the CLI. This will enable you to have separate settings and configurations for every network port.



Description
How to change from switch mode to interface mode.
Components
  • FortiGate-200A (rev2 and up)
  • FortiGate-200B
  • FortiGate-100A (rev2 and up)
  • FortiGate-110C
  • FortiGate-80C - FortiGate Voice-80C
  • FortiGate-60B
  • FortiGate-60C
  • FortiWifi-60B
Steps or Commands

Issue

The models listed above allow you to change the Internal interface from 1 interface (called switch mode) to multiple(*) separate interfaces (called interface mode).

When changing between modes, the name of the internal interface can cause an error that prevents the change from happening.

(*) The number of separate interfaces available when changing to interface mode depends on the FortiGate model. For example, the FortiGate-200A will provide 4 separate interfaces, the FortiGate-60B / FortiWifi-60B / FortiGate-80C provide 6 separate interfaces, and the FortiGate Voice-80C / FortiGate-110C provide 8 separate interfaces.

Solution

The rename command used in this solution is only applicable up to and including FortiOS v4.0 MR1. 

Change the name of the internal interface using the CLI before changing the mode. This will avoid the error, and allow the change to happen properly.

Before changing the mode from switch to interface:

config system interface
   rename internal to internal3 
end


Before changing the mode from interface to switch:

config system interface
   rename internal3 to internal
end

Please also check the related article "Troubleshooting Tip : Error message 'Interface switch is in use' or 'Interface internal is in use' or 'Entry is used' when changing internal-switch-mode"

Related Articles
Use the command diagnose sys checkused to check which item is using the switch ports.
e.g.: diagnose sys checkused system.interface.name internal

We are looking at all dependencies for the interface called "internal".

