Fortigate Hardware Vs Software Switch


Hardware vs Software Switch

I have a FortiGate 100D running 5.0.2. I've just converted the default 'internal' interface switch to interface mode and now I would like to bridge only a few of the freed-up 16 ports together to make another interface just for FortiAPs. In the past, I've used software switches for other things, but I now see 'hardware switch' is an option when I go to create the new interface. I just want to confirm that a 'hardware switch' is what should be used for this.

Thanks for any insight.

I could only find info on the software switch in the docs - nothing about the hardware switch option.

A hardware switch is a virtual interface that groups different interfaces together, allowing a FortiGate to treat the group as a single interface. Many FortiGate models have a default hardware switch, called either lan or internal. The two types of switches also have differences in which commands and features are available, which vary depending on your FortiGate’s model. In most situations, using a hardware switch is preferred for better performance, with software switches used in cases where a feature is required that is unavailable for a hardware switch.

The entry is written for a 90D, but it will work the same for a 60D or 80D, even some C models.

By default the FortiGate is in "switch mode": you will only be able to see the "internal" switch, and you cannot add or remove interfaces from it. In this mode you can add more switches, but not remove the current ports. In the next few parts we will change the switch mode to interface mode, which lets us add and remove ports and switches.

Before doing anything to the firewall, make a backup. When we actually change the interface mode it will delete the IP address on the internal interface, so connect to a WAN or DMZ port and use the GUI, or make sure you are consoled into the firewall via the serial (console) port.

First we need to remove any reference to the "internal" switch itself. If you have a default config there will be only two: the internal-to-WAN policy and the DHCP server under the "internal" interface. You can see all references attached to the interface by navigating to System-Network-Interfaces and modifying the settings to show the Reference tab. Once those references show up, you can click on the number to navigate to the exact location of that reference. For example, let's say you added an address object a long time ago and bound it to the interface.


Bingo: it shows you exactly where.

After removing all the references by deleting them (yes, deleting, so make a backup!) you should see a 0 in the reference count. We can now change the interface mode in the CLI. You can do this either through a terminal such as PuTTY or through the GUI CLI console. Remember that changing the interface mode will delete the IP address on the internal interface, so do this via the console, or go to the GUI on the WAN or DMZ interface. The commands are:

    config system global
        set internal-switch-mode interface
    end

Then answer y to reboot the firewall; when it comes back it will be in interface mode. Once it is back up, log in via the GUI on either the WAN1, WAN2, or DMZ port. You should see something like this:

Now, on the same page (System-Network-Interfaces), click the "Create" button.


From here you can create your switch. Select the type as software or hardware switch, depending on your model. You can also add your ports, set the name of the interface, and set the IP. Once you press OK, you should see your new interface listed under System-Network-Interfaces, as seen below.

Recreate all of your policies to allow access to and from the new interface, and everything should work great. If you have any questions or I failed to explain anything, please let me know.
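The same procedure expressed as FortiOS CLI configuration, as an added example that is not from the original post: it switches the internal ports to interface mode, then builds a hardware switch for FortiAPs with an address, a DHCP scope, and one outbound policy. It assumes a 100D on 5.0.x whose built-in switch chip is named sw0, that port1 and port2 are free, that the hardware-switch keywords (set type hard-switch, config system virtual-switch) match your firmware, and that the 10.10.10.0/24 addressing is made up; if in doubt, create one switch in the GUI and compare with show system virtual-switch.

```fortios
# Added example, not the post's own config; sw0, port1/port2 and all addresses are assumed.
config system global
    set internal-switch-mode interface
end
# Interface for the new hardware switch; admin access limited to ping and CAPWAP (AP control)
config system interface
    edit "ap-switch"
        set vdom "root"
        set type hard-switch
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping capwap
    next
end
# Bind the freed-up ports to the switch
config system virtual-switch
    edit "ap-switch"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
# DHCP scope so the FortiAPs can address themselves
config system dhcp server
    edit 0
        set interface "ap-switch"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.10.10
                set end-ip 10.10.10.50
            next
        end
    next
end
# Policy recreated for the new interface: AP segment out to wan1 only
config firewall policy
    edit 0
        set srcintf "ap-switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```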