Stefanie_FTNT
Article Id 198654
Description
In FortiOS v5.4 the commands used to change the internal ports from switch mode to interface mode are different from those in v5.2.

Solution
In 5.2 the port configuration could be changed by using the following commands:

1) Command to change the FortiGate to switch mode:
config system global
   set internal-switch-mode switch
end

2) Command to change the FortiGate to interface mode:
config system global
   set internal-switch-mode interface
end

After this change the unit had to be rebooted, and instead of a combined "internal" switch the unit then showed the individual ports.

In 5.4 the "internal-switch-mode" command no longer exists; some of the configuration modules were removed and others were changed. If a unit that was already running in interface mode is upgraded to 5.4, its configuration is adapted during the upgrade and nothing further is needed.

However, after a factory reset, or on a brand new unit, the default is that all internal ports are members of the hardware switch.

In order to have separate ports instead of running them in a switch, the configuration changes can be made as follows for new or factory reset units. Perform the steps from the console, or through an interface that is not part of the switch (for example wan1): the "internal" or "lan" interface disappears as soon as its ports are taken out of the switch, and any management session running through it is lost at that point.

Step 1 - Remove all policies referencing "internal" or "lan". The example below uses "purge", which empties the whole policy table, not only the policies that reference the switch; on a unit that already carries other policies, delete the referencing entries individually with "delete <id>" instead. Either way, until new policies are created the FortiGate passes no traffic, because every policy table ends with an implicit deny.
FWF90D3Z13xxxxxx (policy) # show
config firewall policy
    edit 1
        set uuid 1dac0956-0e3f-51e7-9b91-b653bdf8af55
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

FWF90D3Z13xxxxxx (policy) # purge    ----{ Caution! This will remove all policies
This operation will clear all table!
Do you want to continue? (y/n)y

Step 2 (For WiFi units only) - Remove "internal" from software switch interface "lan".
FWF90D3Z13xxxxxx # config system switch-interface
FWF90D3Z13xxxxxx (switch-interface) # edit lan
FWF90D3Z13xxxxxx (lan) # show
config system switch-interface
    edit "lan"
        set vdom "root"
        set member "wifi" "internal"
    next
end
FWF90D3Z13xxxxxx (lan) # set member wifi
FWF90D3Z13xxxxxx (lan) # end

FWF90D3Z13xxxxxx (switch-interface) # show
config system switch-interface
    edit "lan"
        set vdom "root"
        set member "wifi"
    next
end

Step 3 - Remove all ports (or only individual ports) from the virtual switch.
FWF90D3Z13xxxxxx # config system virtual-switch
FWF90D3Z13xxxxxx (virtual-switch) # show
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
            edit "internal4"
            next
            edit "internal5"
            next
            edit "internal6"
            next
            edit "internal7"
            next
            edit "internal8"
            next
            edit "internal9"
            next
            edit "internal10"
            next
            edit "internal11"
            next
            edit "internal12"
            next
            edit "internal13"
            next
            edit "internal14"
            next
        end
    next
end

FWF90D3Z13xxxxxx (virtual-switch) # purge    ----{ Caution! This will remove all ports.
This operation will clear all table!
Do you want to continue? (y/n)y

If only some of the ports are to be removed from the switch, instead of "purge" enter the virtual switch, then the port table, and delete the ports one by one (the "edit internal" step is what moves the prompt from "(virtual-switch)" to "(internal)"):

FWF90D3Z13xxxxxx # config system virtual-switch
FWF90D3Z13xxxxxx (virtual-switch) # edit internal
FWF90D3Z13xxxxxx (internal) # config port
FWF90D3Z13xxxxxx (port) # delete internal1
FWF90D3Z13xxxxxx (port) # end
FWF90D3Z13xxxxxx (internal) # next
FWF90D3Z13xxxxxx (virtual-switch) # end

After removing the ports from the hardware switch, each port appears as its own interface under "config system interface" and carries no IP address and no policies, so the interface settings, routes and policies for each port still have to be configured before any traffic can pass through it.
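The following Python script is an added example for this article; it is not Fortinet's code and not part of the original procedure. It parses the text of "show" output for the firewall policy, switch-interface and virtual-switch tables, reports which policies really reference the switch interface, and emits a FortiOS CLI script that performs steps 1 to 3 while deleting only those policies rather than purging the whole table (the article's transcript purges everything). The embedded SAMPLE_CONFIG is constructed for the example and modelled on the transcript above (the UUID is a placeholder); the interface names "internal", "lan" and "wifi" are taken from the article, while the use of "unset member" for an emptied software switch is an assumption about the CLI, not something the article shows.

```python
"""Pre-check and CLI generator for taking FortiGate ports out of the v5.4
hardware switch. Added example for this article; not Fortinet's code.
SAMPLE_CONFIG is constructed (modelled on the article's transcript)."""
import shlex

SWITCH_INTERFACES = {"internal", "lan"}  # names the switch is known by in policies

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set uuid 1dac0956-0e3f-51e7-9b91-b653bdf8af55
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "wan2"
        set action accept
    next
end
config system switch-interface
    edit "lan"
        set vdom "root"
        set member "wifi" "internal"
    next
end
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS `show` output into nested dicts: `config A B` opens table
    "A B", `edit K` opens entry K, `set k v...` stores the value list, and
    `next`/`end` close the current level. '#' header lines are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def policies_referencing(cfg, interfaces=SWITCH_INTERFACES):
    """IDs of firewall policies whose srcintf or dstintf names the switch.
    Only these block the removal; every other policy can stay."""
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if interfaces & (set(pol.get("srcintf", [])) | set(pol.get("dstintf", []))):
            hits.append(pid)
    return hits


def switch_ports(cfg, switch="internal"):
    """Ports currently belonging to the named virtual switch."""
    return list(cfg.get("system virtual-switch", {}).get(switch, {}).get("port", {}))


def build_cli(cfg, ports=None, switch="internal", lan="lan"):
    """FortiOS CLI for steps 1-3, limited to the referencing policies and to
    `ports` (default: every port in the virtual switch)."""
    out = []
    hits = policies_referencing(cfg)
    if hits:  # step 1: delete only what references the switch, no purge
        out += ["config firewall policy"] + [f"    delete {p}" for p in hits] + ["end"]
    sw_if = cfg.get("system switch-interface", {}).get(lan, {})
    if switch in sw_if.get("member", []):  # step 2: WiFi units only
        rest = [m for m in sw_if["member"] if m != switch]
        # "unset member" for an emptied software switch is an assumption
        setting = ("set member " + " ".join(f'"{m}"' for m in rest)) if rest else "unset member"
        out += ["config system switch-interface", f'    edit "{lan}"',
                f"        {setting}", "    next", "end"]
    ports = switch_ports(cfg, switch) if ports is None else list(ports)
    if ports:  # step 3: all ports, or just the ones passed in
        out += ["config system virtual-switch", f'    edit "{switch}"', "        config port"]
        out += [f'            delete "{p}"' for p in ports]
        out += ["        end", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("policies referencing the switch:", policies_referencing(cfg))
    print(build_cli(cfg))
```

Feed it the output of "show firewall policy", "show system switch-interface" and "show system virtual-switch" from the unit (joined into one string) instead of SAMPLE_CONFIG, review the printed script, and paste it into the CLI from the console. Passing ports=["internal1"] generates the partial removal from Step 3 for a single port.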

Related Articles

Technical Note: Comparison of FortiGate Switch Mode configs between v5.2 and v5.4

Technical Note: How to disable Internal Switch on v5.4
