A whisper of a networker.

最近因專案需求，採購了兩台Firewall，原本屬意Juniper SSG-140

但同事Mike說Fortinet FG-110C 的性能價格比比較好

好吧，那就買兩台FG-110C

東西到貨接上Console，我就囧了...

PORT 1-8 是一個SWITCH interface

然後WAN1 & WAN2..

當時我並不知道SWITCH可以改成INTERFACE MODE

當下在想，哇.. 那我要接五個網段不就只能用VLAN Trunk..

而且那這樣我HA要怎麼接？

畢竟很久沒設FortiGate..，花了點時間才完成

結果今天Mike跟我說，Paul說Fortigate可以把switch mode改interface mode

哈，果然沒有用WebUI設定，就不會注意到可以改模式

結果設定一點... 出現 'Entry is used.' 這是啥？

什麼都還沒設耶..

用CLI設看看

FG100CXXXX # config system global

FG100CXXXX (global) #
FG100CXXXX (global) # set internal-switch-mode
hub          hub
interface    interface
switch       switch
 
FG100CXXXX (global) # set internal-switch-mode interface

FG100CXXXX (global) #
FG100CXXXX (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y

Interface switch is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23

嗯？ switch is in use?

想了一下，猜想是default policy的關係

用diag指令查查

FG100CXXXX # diagnose sys checkused system.interface.name switch
entry used by table firewall.policy:policyid '1'

Bingo!

FG100CXXXX # config firewall policy

FG100CXXXX (policy) # delete 1

FG100CXXXX (policy) # end

FG100CXXXX # diagnose sys checkused system.interface.name switch

沒有任何設定使用switch interface了

這時再下..

FG100CXXXX # config system global

FG100CXXXX (global) # set internal-switch-mode interface

FG100CXXXX (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y


FG100CXXXX #

The system is going down NOW !!

打完收工~