Recently, for a project, we purchased two firewalls. I originally had my eye on the Juniper SSG-140,
but my colleague Mike said the Fortinet FG-110C had a better price/performance ratio.
Fine, so we bought two FG-110Cs.
When the units arrived and I connected to the console, I was stumped...
Ports 1-8 form a single SWITCH interface,
plus WAN1 & WAN2..
At the time I didn't know the SWITCH could be changed to INTERFACE MODE.
I was thinking, wow.. so to connect five network segments I'd have no choice but a VLAN trunk..
And then how would I cable HA?
It had been a long time since I'd configured a FortiGate.., so it took a while to get it done.
Then today Mike told me that Paul said the FortiGate's switch mode can be changed to interface mode.
Ha, sure enough, if you don't configure through the WebUI you never notice that the mode can be changed.
So I went to set it... and got 'Entry is used.' What is that?
Nothing has even been configured yet..
Let's try it from the CLI.
FG100CXXXX # config system global
FG100CXXXX (global) #
FG100CXXXX (global) # set internal-switch-mode
hub hub
interface interface
switch switch
FG100CXXXX (global) # set internal-switch-mode interface
FG100CXXXX (global) #
FG100CXXXX (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y
Interface switch is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23
Hmm? switch is in use?
After thinking about it, I guessed it was because of the default policy.
Check with a diag command.
FG100CXXXX # diagnose sys checkused system.interface.name switch
entry used by table firewall.policy:policyid '1'
Bingo!
FG100CXXXX # config firewall policy
FG100CXXXX (policy) # delete 1
FG100CXXXX (policy) # end
FG100CXXXX # diagnose sys checkused system.interface.name switch
Now nothing references the switch interface.
Run the mode change again..
FG100CXXXX # config system global
FG100CXXXX (global) # set internal-switch-mode interface
FG100CXXXX (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y
FG100CXXXX #
The system is going down NOW !!
Done!
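As an added example (not from the original post), here is a small Python pre-flight helper that parses the output of `diagnose sys checkused system.interface.name switch` shown above and turns each reference into the `config ... / delete ... / end` block needed to release it before `set internal-switch-mode interface` (which reboots the unit). The sample output is constructed; the `firewall.policy` lines mirror the post, while the `system.dhcp.server` table name and the table-to-CLI-path mapping for tables other than `firewall.policy` are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of "diagnose sys checkused system.interface.name switch".
# The first line is the format seen in the post; the DHCP line is an assumed extra reference.
SAMPLE_CHECKUSED = """\
entry used by table firewall.policy:policyid '1'
entry used by table firewall.policy:policyid '7'
entry used by table system.dhcp.server:id '2'
"""

# One "entry used by table <table>:<key> '<value>'" line per referencing object.
LINE_RE = re.compile(
    r"entry used by table (?P<table>[\w.]+):(?P<key>\w+) '(?P<value>[^']*)'"
)


def parse_checkused(output: str) -> List[Tuple[str, str, str]]:
    """Return (table, key, value) for every referencing entry, in order."""
    refs = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            refs.append((m.group("table"), m.group("key"), m.group("value")))
    return refs


def release_commands(refs: List[Tuple[str, str, str]]) -> List[str]:
    """Emit the CLI blocks that remove each reference, grouped per table.

    The post deletes the referencing policy; for other tables an admin may
    prefer to re-point the object instead of deleting it. Mapping a table
    name to a CLI path by replacing '.' with ' ' matches 'firewall.policy'
    -> 'config firewall policy' and is assumed to hold for the others.
    """
    by_table: Dict[str, List[str]] = {}
    for table, _key, value in refs:
        by_table.setdefault(table, []).append(value)
    cmds = []
    for table, ids in by_table.items():
        cmds.append("config " + table.replace(".", " "))
        cmds.extend(f"    delete {i}" for i in ids)
        cmds.append("end")
    return cmds


def ready_to_switch(output: str) -> bool:
    """True only when checkused reports no remaining references."""
    return not parse_checkused(output)


if __name__ == "__main__":
    print("\n".join(release_commands(parse_checkused(SAMPLE_CHECKUSED))))
```

Re-run `diagnose sys checkused` after applying the generated blocks and proceed with the mode change only when it prints nothing.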