Choosing your FortiGate’s switch mode


This section contains information to help you determine which internal switch mode your FortiGate should use, a decision that should be made before the FortiGate is installed.

What is the internal switch mode?

The internal switch mode determines how the FortiGate manages its physical ports. The two main modes are Switch mode and Interface mode.

Internal switch mode was removed in FortiOS 5.4.

What are Switch mode and Interface mode and why are they used?

In Switch mode, all the internal interfaces are part of the same subnet and treated as a single interface, called either lan or internal by default, depending on the FortiGate model. Switch mode is used when the network layout is basic, with most users being on the same subnet.

In Interface mode, the physical interfaces of the FortiGate unit are handled individually, with each interface having its own IP address. Interfaces can also be combined by configuring them as part of either hardware or software switches, which allow multiple interfaces to be treated as a single interface. This mode is ideal for complex networks that use different subnets to compartmentalize the network traffic.

Which mode is your FortiGate in by default?

The default mode that a FortiGate starts in varies depending on the model. To determine which mode your FortiGate unit is in, go to System > Network > Interfaces and locate the lan or internal interface. If the interface is listed as a Physical Interface in the Type column, your FortiGate is in Switch mode. If the interface is listed as a Hardware Switch, your FortiGate is in Interface mode.

How do you change the mode?

If you need to change the mode your FortiGate unit is in, first make sure none of the physical ports that make up the lan or internal interface are referenced anywhere in the FortiGate configuration (for example, in a firewall policy or a DHCP server); the mode change is rejected while such references exist. If your FortiGate model has a Switch Controller, you may also need to disable it before you can change the internal switch mode.

Go to System > Dashboard > Status and enter one of the following commands into the CLI Console:

  1. Command to change the FortiGate to switch mode:
     config system global
         set internal-switch-mode switch
     exit
  2. Command to change the FortiGate to interface mode:
     config system global
         set internal-switch-mode interface
     exit
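The pre-change check above (is the lan/internal interface still referenced by a policy or DHCP server, and which mode is the unit in) can be done offline against a configuration backup rather than by clicking through the GUI. The following Python script is an added example, not Cookbook or Fortinet code: it parses FortiOS-style `config`/`edit`/`set`/`next`/`end` text, applies the Physical Interface = Switch mode, Hardware Switch = Interface mode rule from this article, and lists every firewall policy or DHCP server that references the switch interface or one of its member ports. The sample configuration is constructed, and the attribute names it relies on (`type hard-switch`/`physical` under `config system interface`, member ports under `config system virtual-switch`, `srcintf`/`dstintf`/`interface`) are assumptions about the dump format, not values taken from this page.

```python
"""Pre-flight check before changing a FortiGate's internal switch mode.

Added example (not Fortinet code). Parses a FortiOS-style configuration dump
and reports the mode implied by the lan/internal interface type, plus every
firewall policy or DHCP server that still references that interface or one of
its hardware-switch member ports; those must go before the mode can change.
"""
import shlex
from typing import Dict, List, Tuple

# One parsed 'edit' block: (path of enclosing config/edit names, edit key, attributes).
Entry = Tuple[Tuple[str, ...], str, Dict[str, List[str]]]

# Constructed sample (not from a real device): a unit in Interface mode whose
# "lan" hardware switch is still referenced by two policies and a DHCP server.
SAMPLE_CONFIG = """\
config system interface
    edit "lan"
        set ip 192.168.1.99 255.255.255.0
        set type hard-switch
    next
    edit "wan1"
        set type physical
    next
    edit "lan1"
        set type physical
    next
    edit "lan2"
        set type physical
    next
end
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "lan1"
            next
            edit "lan2"
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "lan2"
        set dstintf "wan1"
    next
end
config system dhcp server
    edit 1
        set interface "lan"
    next
end
"""


def parse_fortios(text: str) -> List[Entry]:
    """Flatten config/edit/set/next/end blocks into a list of entries.

    Nested tables (e.g. 'config port' inside an edit) keep the full path, so a
    virtual-switch member can be told apart from a top-level interface.
    """
    entries: List[Entry] = []
    path: List[str] = []                          # open config names and edit keys
    open_attrs: List[Dict[str, List[str]]] = []   # attribute dict of each open edit
    for raw in text.splitlines():
        tokens = shlex.split(raw)                 # honours the quoted names
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            path.append(" ".join(tokens[1:]))
        elif keyword == "edit":
            attrs: Dict[str, List[str]] = {}
            entries.append((tuple(path), tokens[1], attrs))
            path.append(tokens[1])
            open_attrs.append(attrs)
        elif keyword == "set" and open_attrs:
            open_attrs[-1][tokens[1]] = tokens[2:]
        elif keyword == "next":
            path.pop()
            open_attrs.pop()
        elif keyword == "end":
            path.pop()
    return entries


def switch_mode(entries: List[Entry]) -> str:
    """Article's rule: Physical Interface -> Switch mode, Hardware Switch -> Interface mode."""
    for path, name, attrs in entries:
        if path == ("system interface",) and name in ("lan", "internal"):
            iftype = attrs.get("type", ["unknown"])[0]
            return {"physical": "Switch mode", "hard-switch": "Interface mode"}.get(
                iftype, f"undetermined (type {iftype})")
    return "undetermined (no lan/internal interface)"


def member_ports(entries: List[Entry], switch_name: str) -> List[str]:
    """Physical ports grouped under a hardware switch (config system virtual-switch)."""
    return [name for path, name, _ in entries
            if path == ("system virtual-switch", switch_name, "port")]


# Tables and attributes that hold interface references. The article names
# policies and DHCP servers; other tables can be added the same way.
REFERENCE_KEYS = {
    "firewall policy": ("srcintf", "dstintf"),
    "system dhcp server": ("interface",),
}


def blocking_references(entries: List[Entry], switch_name: str):
    """Objects still referencing the switch interface or its member ports.

    Each hit is (table, edit key, attribute, referenced names).
    """
    names = {switch_name, *member_ports(entries, switch_name)}
    hits = []
    for path, key, attrs in entries:
        if len(path) != 1:          # only top-level table entries carry these keys
            continue
        for attr in REFERENCE_KEYS.get(path[0], ()):
            refs = sorted(set(attrs.get(attr, [])) & names)
            if refs:
                hits.append((path[0], key, attr, refs))
    return hits


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    print("Current mode:", switch_mode(parsed))
    for table, key, attr, refs in blocking_references(parsed, "lan"):
        print(f"Remove before changing mode: {table} {key} ({attr} -> {', '.join(refs)})")
```

Run against a real backup, the script reports "Interface mode" for a unit whose lan/internal interface is a hardware switch and lists each object to clear first; in the sample, policy 1 and the DHCP server reference "lan" directly, while policy 2 references the member port "lan2", which the article says also blocks the change. The switch-controller state mentioned above is not in a `config system interface` block, so it is not checked here.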
Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Juan Ruiz

    Hi, when using switch mode, is it possible to use some ports as trunk (default) and some of the switch ports in “access mode” (no 802.1q tag) for any other VLAN besides VLAN 1? Thanks.

  • Justin Loebel

    If the FortiGate is in Interface mode, does that prevent Internal from being added to a software switch? We used to put our internal network on a software switch under 5.2, but under 5.4 the internal interface is never listed as an available interface.

    • Victoria Martin

      Hi Justin,

      In 5.4, Internal Switch Mode was removed, so that is not the cause. In order to add an interface to a Software Switch, that interface cannot be referenced by the existing configuration. The interface must also have its IP address set to 0.0.0.0/0.0.0.0.

      I hope that helps!

      • Justin Loebel

        Thanks for the quick reply!

      • Justin Loebel

        I removed all references I could find for the internal interface, which was just one policy (internal to wan1) and the DHCP server. When I try to set member internal for the new switch, I receive “entry not found in datasource”.

  • ecil npr

    Hi, can anyone tell me how to add my router to a LAN port of a FortiGate 100E model, and what steps I should follow so that my router comes onto the FortiGate network and works fine?

  • Andrey

    “Internal switch mode was removed in FortiOS 5.4.”…”If the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode”
    So right now I am looking at a FortiGate 5.4 and I see interfaces listed as “Physical Interface”... which mode is that??

    You guys should really stop “inventing the wheel” with your own confusing terms... why don’t you just use whatever the rest of the world is using, for example “layer 2 interface”, “layer 3 interface”, etc.

    • Victoria Martin

      While the internal switch mode was removed, the term physical interface is still used in FortiOS 5.4.

  • Alians Mars

    Hi, I have a FortiGate 100D firewall and I want to assign different subnet IPs, like 192.168.100.1 on LAN port1 and 172.16.200.1 on LAN port2. I tried, but from the GUI I can’t. Can you please help me with how I can do it?

    • Victoria Martin

      Hello Alians,

      The 100D typically has a LAN hardware switch configured by default. In order to assign different IPs to internal ports, you will first have to remove them from the hardware switch, so they can be configured independently.

      • raymundo cruz

        Hi Victoria, same thing here! I tried different subnets per port, but upon checking there’s no internet traffic on the said port. Do you have a step-by-step procedure on how to do this setup? Thanks

  • abdo

    Hello,
    I configured HA active-active (a cluster of 2 FortiGate 100D), but my problem is: when the lan interface of the master unit is unplugged, the slave does not work. Can you help me? I work with a hardware switch (interface mode).

  • Erkan Büyükbayraktaroğlu

    Hello there;

    We use the FortiGate 200D. Fortinet wants to collect on our internal network switch. Do you think I should use a hardware switch or a software switch? Which is better?

    • Victoria Martin

      Hello,

      In most cases, a hardware switch is preferred.

      • Erkan Büyükbayraktaroğlu

        Thank you so much. I will do the configuration as you say.

  • Seb Gagné

    Hey Victoria,

    Thanks for this article. I am currently using my FortiGate in Interface mode. I still kept 8 interfaces for my LAN interface, and all the rest are separated into single ones.

    I wanted to know if I could regroup another set of interface with another subnet.

    example:

    1-8 = 192.168.51.0/24
    9-12 = 192.168.1.0/24

    I currently have port 9 configured with a different subnet for test purposes, and some users use this as well. I wanted to add more ports to that subnet but can’t seem to find a way. Do you know if grouping two sets of interfaces together is possible?

    Thanks!

    Seb

    • Seb Gagné

      Never mind, found it 🙂

  • Toshi Esumi

    Is there any performance difference between “switch mode” and “hardware-switch” in a virtual-switch interface in “interface mode”? If no difference, I don’t see any benefit of using “switch mode”.

    • Victoria Martin

      Hi Toshi,

      I do not believe there is any performance difference.

      • Toshi Esumi

        I got the same answer from TAC, saying both are using the same mechanism and there shouldn’t be any difference in performance. But so far I found only one benefit of using switch mode: in case you need to configure VRRP on the “internal” interface. VRRP is allowed only on “physical” interfaces or VLAN interfaces, not on the “hardware-switch” type “internal” virtual interface in interface mode. But it would be rarely needed, and many alternatives are available with interface mode. So I wouldn’t try going back to switch mode any more.

        Besides, changing the mode is not as easy as you described. I needed to take “DHCP” out and the default policy out, then even needed to disable switch-controller in global. Only after that did it take “set internal-switch-mode switch” with v5.2.x.

        • Victoria Martin

          Thank you for letting me know about the difficulties you had switching modes. I’ve made some changes to the instructions based on your comments.

        • bdickie

          Thanks for the note about switch mode and VRRP. I’ll make sure to add this info to the VRRP chapter of the HA guide.

  • packetguy

    The sentence:

    “If the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode. If the interface is a Hardware Switch, then your FortiGate is in Interface mode.”

    seems backwards. Why would the interface say “hardware switch” if it were not in switch mode? Please correct this, or provide an explanation for this confusing terminology.

    • Victoria Martin

      Hardware switches are only available using a FortiGate in Interface mode. The main difference with the lan/internal interface is that in Switch Mode you cannot add or remove ports from the interface, while in Interface Mode you can.

      When a FortiGate is in Switch mode, every single one of its physical ports is part of a single virtual interface, and so the FortiGate could be considered to be one single “switch,” which is why this mode is called Switch mode.

      When a FortiGate is in Interface mode, every interface can be managed separately. However, they can also be put together into a single virtual interface, which is typically going to be a “hardware switch,” in which the underlying switch chip/driver handles all of the switching directly (there are also software switches, where switching is handled by the FortiOS software).

      There is more information about the internal switch mode in the Getting Started guide for FortiOS 5.2: http://docs.fortinet.com/uploaded/files/1987/fortigate-getting-started-52.pdf