Choosing your FortiGate’s switch mode

This section contains information to help you determine which internal switch mode your FortiGate should use, a decision that should be made before the FortiGate is installed.

What is the internal switch mode?

The internal switch mode determines how the FortiGate’s physical ports are managed by the FortiGate. The two main modes are Switch mode and Interface mode.

Internal switch mode was removed in FortiOS 5.4.

What are Switch mode and Interface mode and why are they used?

In Switch mode, all the internal interfaces are part of the same subnet and treated as a single interface, called either lan or internal by default, depending on the FortiGate model. Switch mode is used when the network layout is basic, with most users being on the same subnet.

In Interface mode, the physical interfaces of the FortiGate unit are handled individually, with each interface having its own IP address. Interfaces can also be combined by configuring them as part of either hardware or software switches, which allow multiple interfaces to be treated as a single interface. This mode is ideal for complex networks that use different subnets to compartmentalize the network traffic.

Which mode is your FortiGate in by default?

The default mode that a FortiGate starts in varies depending on the model. To determine which mode your FortiGate unit is in, go to System > Network > Interfaces. Locate the lan or internal interface. If the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode. If the interface is a Hardware Switch, then your FortiGate is in Interface mode.

How do you change the mode?

If you need to change the mode your FortiGate unit is in, first make sure none of the physical ports that make up the lan or internal interface are referenced in the FortiGate configuration (for example, in a policy or DHCP server). If your FortiGate model has a Switch Controller, you may need to disable it before you can change the internal switch mode.

Go to System > Dashboard > Status and enter either of the following commands into the CLI Console:

  1. Command to change the FortiGate to switch mode:
    config system global
         set internal-switch-mode switch
    end
  2. Command to change the FortiGate to interface mode:
    config system global
         set internal-switch-mode interface
    end
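
A pre-change check for the reference requirement described above, as an added example that is not part of the original recipe or any Fortinet tooling: it walks a saved configuration and lists every entry (policy, DHCP server, and so on) whose settings name the lan or internal interface. The sample configuration is constructed, and the function name find_references and the assumption that interface names appear as double-quoted values are this example's own.

```python
import re

# Constructed sample in the style of a FortiOS configuration backup (not a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "dmz"
        set dstintf "wan1"
    next
end
"""

def find_references(config_text, names=("lan", "internal")):
    """Return (section, entry, setting) for each 'set' line naming one of the interfaces."""
    hits = []
    stack = []  # one [section, current entry] pair per nested 'config' block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[len("config "):], None])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack:
            stack[-1][1] = line[len("edit "):].strip('"')
        elif line == "next" and stack:
            stack[-1][1] = None
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            # Assumption: interface names appear as double-quoted values.
            if set(re.findall(r'"([^"]*)"', value)) & set(names):
                hits.append((stack[-1][0], stack[-1][1], key))
    return hits

if __name__ == "__main__":
    for section, entry, key in find_references(SAMPLE_CONFIG):
        print(f"{section} / edit {entry}: {key}")
```

An empty result means nothing in the saved configuration names the interface; pass the individual port names in `names` to check those as well.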
Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Leave a comment:

  • packetguy

    The sentence:

    “If the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode. If the interface is a Hardware Switch, then your FortiGate is in Interface mode.”

    seems backwards. Why would the interface say “hardware switch” if it were not in switch mode? Please correct this, or provide an explanation for this confusing terminology.

    • Victoria Martin

      Hardware switches are only available using a FortiGate in Interface mode. The main difference with the lan/internal interface is that in Switch Mode you cannot add or remove ports from the interface, while in Interface Mode you can.

      When a FortiGate is in Switch mode, every single one of its physical ports is part of a single virtual interface, and so the FortiGate could be considered to be one single “switch,” which is why this mode is called Switch mode.

      When a FortiGate is in Interface mode, every interface can be managed separately. However, they can also be put together into a single virtual interface, which is typically going to be a “hardware switch,” in which the underlying switch chip/driver handles all of the switching directly (there are also software switches, where switching is handled by the FortiOS software).

      There is more information about the internal switch mode in the Getting Started guide for FortiOS 5.2:

  • Toshi Esumi

    Is there any performance difference between “switch mode” and “hardware-switch” in a virtual-switch interface in “interface mode”? If no difference, I don’t see any benefit of using “switch mode”.

    • Victoria Martin

      Hi Toshi,

      I do not believe there is any performance difference.

      • Toshi Esumi

        I got the same answer from TAC, saying both are using the same mechanism and there shouldn’t be any difference in performance. But the only benefit of using switch mode I have found so far is when you need to configure VRRP on the “internal” interface. VRRP is allowed only on “physical” interfaces or VLAN interfaces, not on the “hardware-switch” type of “internal” virtual interface in interface mode. But it would rarely be needed and many alternatives are available with interface mode. So I wouldn’t try going back to switch mode any more.

        Besides, changing the mode is not as easy as you described. I needed to take “DHCP” out, the default policy out, then even needed to disable switch-controller in global. Only after that, it took “set internal-switch-mode switch” with v5.2.x.

        • Victoria Martin

          Thank you for letting me know about the difficulties you had switching modes. I’ve made some changes to the instructions based on your comments.

        • bdickie

          Thanks for the note about switch mode and VRRP. I’ll make sure to add this info to the VRRP chapter of the HA guide.

  • Seb Gagné

    Hey Victoria,

    Thanks for this article. I am currently using my FortiGate in Interface mode. I still kept 8 interfaces for my LAN interface and all the rest are separated into single ones.

    I wanted to know if I could regroup another set of interfaces with another subnet.


    1-8 =
    9-12 =

    I currently have port 9 configured with a different subnet for test purposes and some users use this as well. I wanted to add more ports to that subnet but can’t seem to find a way. Do you know if grouping two sets of interfaces together is possible?



    • Seb Gagné

      Never mind, found it 🙂

  • Erkan Büyükbayraktaroğlu

    Hello there;

    We use the FortiGate 200D. Fortinet want to collect on our internal network switch. Do you think I should use hardware switch? software switch? Which is better?

    • Victoria Martin


      In most cases, a hardware switch is preferred.

      • Erkan Büyükbayraktaroğlu

        Thank you so much. I will do as you say configurations.

  • abdo

    I configured HA active-active (a cluster of 2 FortiGate 100D) but my problem is: when the lan interface of the master unit is unplugged, the slave does not work. Can you help me? I work with a hardware switch (interface mode).