When trying to switch a FortiGate from NAT mode to Transparent mode, we get an error about the FortiLink interface being in use. The official docs just say to remove FortiLink from all settings that use it, but not where those settings are. This article shows where and how.
The error:
config sys settings
    set opmode transparent
    set manageip 10.13.13.13/24
Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans.
Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610
First thing is to look for fortilink in the config:
# show | grep -i fortilink -f
config system interface
    edit "fortilink"                                    <---
        set vdom "root"
        set fortilink enable                            <---
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 9
    next
end
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"                           <---
end
config system dhcp server
    edit 1
        set ntp-service local
        set default-gateway 10.255.1.1
        set netmask 255.255.255.0
        set interface "fortilink"                       <---
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port"   <---
        set storm-control-mode disabled
    next
end
All in all, 4 places: NTP, switch-controller storm-control policy, the interface itself under config sys interface, and the DHCP server.
The cmdb refcnt command shows 3 references (it misses the switch-controller policy):
# diagnose sys cmdb refcnt show system.interface.name fortilink
entry used by table system.dhcp.server:id '1'
entry used by child table interface:interface-name 'fortilink' of complex system.ntp:interface.interface-name
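Because `diagnose sys cmdb refcnt` only counts formal object references while `show | grep` also catches free-text mentions such as the storm-control policy description, a small walker over saved `show` output is handy for finding every place to clean up before the opmode change. This is an added example, not code from the post or from Fortinet; the sample config is constructed from the snippets above, and the `find_references` / `referencing_tables` names are my own.

```python
import shlex

# Constructed sample mirroring the four references found in the post.
SAMPLE_CONFIG = """
config system interface
    edit "fortilink"
        set fortilink enable
    next
end
config system ntp
    set interface "fortilink"
end
config system dhcp server
    edit 1
        set interface "fortilink"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port"
    next
end
"""

def find_references(config_text, name):
    """Walk config/edit/next/end nesting and return (path, line) for the
    edit of `name` itself and every `set` whose values mention it."""
    stack, hits, needle = [], [], name.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)             # keeps quoted values as one token
        kw = words[0]
        if kw == "config":
            stack.append(" ".join(words[1:]))
        elif kw == "edit":
            stack.append(words[1])
            if words[1].lower() == needle:    # the object itself
                hits.append((" / ".join(stack), line))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set" and any(needle in v.lower() for v in words[2:]):
            hits.append((" / ".join(stack), line))   # value or free-text mention
    return hits

def referencing_tables(config_text, name):
    """Distinct top-level tables to clear before the opmode change."""
    return sorted({p.split(" / ")[0] for p, _ in find_references(config_text, name)})
```

Feed it the full `show` output rather than the grep'd one and it reports the same four tables, and nothing for an interface that is not referenced anywhere.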
Let's see if deleting 3 of the above will be enough.
Deleting DHCP server instance "1":
# config sys dhcp server
(server) # del 1
(server) # end
Disabling the NTP server that lists the fortilink interface (or you can switch the interface to any other available one):
# config sys ntp
FortiGate (ntp) # show
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end
(ntp) # set server-mode disable
(ntp) # end
Disable the FortiLink interface to see if that is enough:
# config sys int
(interface) # edit fortilink
(fortilink) # set stat down
(fortilink) # end
Checking again whether there are any references left:
FortiGate # diagnose sys cmdb refcnt show system.interface.name fortilink
FortiGate #
Output is empty, so we are clear to engage:
Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans.
Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610
Nope, no joy, so it seems we have to delete the FortiLink interface altogether (at least on a VM FortiGate):
# config sys int
(interface) # del fortilink
(interface) # end
# config sys settings
(settings) # set opmode transparent
(settings) # set manageip 10.13.13.13/24
(settings) # end
Changing to TP mode
Done.
BTW, to switch back to NAT mode you will HAVE to specify the device and the interface IP for the default gateway (or just run exe factoryreset to wipe all config, and it will reboot into NAT mode):
config sys settings
    set opmode nat
    set device port1
    set ip 10.13.13.1/24