yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

You can’t set duplex/speed settings of the Fortigate interfaces?

You can’t set duplex/speed settings of the Fortigate interfaces.
Important FIX: depends on which interface you are trying to set! [ Thanks to Chen for pointing out ]
Upon careful reexamination it turns out that you can’t set duplex/speed settings of the 4-port switch interfaces only, i.e. the Internal interface of Fortigate 60, 60M, 100A, 200A, and FortiWiFi-60, and also the LAN interface of the 500A.
Tried on FG100A FortiOS v4.0,build0178,090820 (MR1)

FG100 (dmz2) # set speed
100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex
auto auto adjust speed

Working most of the time with Cisco gear, I (like others) am used to being able to set duplex/speed parameters on the physical interfaces to my liking.
This comes as a necessity when connecting Cisco to various equipment of differing quality. So it was a surprise to me when I encountered a strange layer 1/layer 2 connectivity problem between a Fortigate 200A and a Cisco, and tried to manually set duplex full/speed 100 on the Fortigate, just to find out that it is impossible to do so on the Fortigate.
It was possible back in the days of FortiOS 2.80 (and early 3.0 – I guess up until MR5):

# conf sys int
(interface)# edit internal
(internal)# set speed

100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex

But then Fortinet dropped this option and the only (not direct) explanation found on their site is this memo:
“Locked-down port policies (forcing speed, duplex, and link capabilities with auto-negotiation disabled) are outdated. Legacy and historical reasons for forced setup with auto-negotiation disabled date back many years when the technology was new…”

Now we can see the negotiated status of the links (this command also shows errors/collisions/MTU on the interface):

FG100 # diagnose hardware deviceinfo nic internal
Description VIA VT6102 Rhine-II
Part_Number N/A
Driver_Name via-rhine
Driver_Version 1.1.17
PCI_Vendor 0x1106
PCI_Device_ID 0x3065
PCI_Subsystem_Vendor 0x3065
PCI_Subsystem_ID 0x1106
PCI_Revision_ID 0x74
PCI_Address 0:12.0
PCI_Bus_Type
Memory 0x0000f400
IRQ 11
System_Device_Name internal
Current_HWaddr 00:09:0f:30:32:11 # In an HA setup the primary member would have a different, virtual MAC address; for more see FortiOS v3.0 HA Cluster virtual MAC addresses
Permanent_HWaddr 00:09:0f:30:32:11
Link up
Speed 100
Duplex forced full
FlowControl off
State up(0x00001103)
MTU_Size 1392
Rx_Packets 89944267
Tx_Packets 73437299
Rx_Bytes 370540924
Tx_Bytes 428118992
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 8810
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors -0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0
Tx_Single_Collision_Frames 0
Tx_Multiple_Collision_Frames 0
Rx_Frame_Too_Longs 0
Rx_Symbol_Errors 0
Rx_Control_Unknown_Opcodes 0
Rx_Pause_Frames 0
Tx_Pause_Frames 0
Scatter_Gather OFF
poll_intr_switch 0
rx_tasklet_pkts 92505560
xmit queue 0
recv queue -64
phy_id= 1/1
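
An added example (not from the original post or from Fortinet): a small Python parser for the `diagnose hardware deviceinfo nic` output above that flags a half-duplex link and any non-zero error, drop or collision counter. The sample text is constructed in the same layout, and the names `parse_nic` and `link_findings` are made up for this illustration.

```python
import re

# Constructed sample in the layout of the output above (values changed to
# show a link that ended up at half duplex); not taken from a real device.
SAMPLE = """\
System_Device_Name internal
Link up
Speed 100
Duplex half
Rx_Errors 12
Collisions 431
Rx_Over_Errors -0
Rx_CRC_Errors 12
Tx_Single_Collision_Frames 0
recv queue -64
phy_id= 1/1
"""

# Counters that should stay at zero on a healthy link.
COUNTER = re.compile(r"(_Errors|_Dropped|_Collision_Frames)$|^Collisions$")

def parse_nic(text):
    """Return {field: value}; the first token of a line is the field name."""
    fields = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing annotations
        if line:
            parts = line.split(None, 1)
            fields[parts[0].rstrip("=")] = parts[1] if len(parts) > 1 else ""
    return fields

def link_findings(fields):
    """List the signs of a speed/duplex problem found in parsed output."""
    findings = []
    if fields.get("Link") != "up":
        findings.append("link is not up")
    if "half" in fields.get("Duplex", ""):
        findings.append("half duplex in use")
    for key, value in fields.items():
        # int() also normalises the "-0" that some counters print
        if COUNTER.search(key) and re.fullmatch(r"-?\d+", value) and int(value):
            findings.append(f"{key}={int(value)}")
    return findings

if __name__ == "__main__":
    for finding in link_findings(parse_nic(SAMPLE)):
        print(finding)
```

Run against the real output shown above, `link_findings` returns an empty list: the link is up, duplex is `forced full`, and every error counter is zero.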



9 Comments

  1. Thank you, thank you! Your post reminded me of a setting I had put on my wan1 interface which was causing serious link speed degradation. Once I set my wan1 interface back to auto everything was back in tip-top shape. You have no idea how long I banged my head against the wall on this one.

  2. How do I set the wan1 port to auto? I tried everything I could think of. I must be missing something

  3. Can I find some virtual environment for learning FortiOS?

  4. Yuri

    May 10, 2011 at 7:17 am

    Hi Crysty,
    there is a demo Fortigate machine freely available over the internet:
    http://yurisk.info/2010/02/03/fortigate-firewall-demo-free-access-also-fortimanager-and-fortianalyzer/
    But there you are not full admin, so it is good for getting to know GUI management only.
    There is also an ESXi image of FortiOS meant to be used as a virtual appliance. While it is not easy, it is possible to find such an image, but it requires a special license you can get only from Fortinet to make it run. So you need to work for some partner of Fortinet to get one.

  5. Hi
    Can anyone help me with how to change the WAN mode? Now it's showing Half Duplex only. The ISP is telling us that we need to disable auto negotiation, but I didn't find any option related thin Firewall. I’m using Fortigate 60B.

    Regards
    Amjith

  6. you can set your speed to auto: config system interface -> edit wan1 -> set speed auto -> end

  7. 100full 100M full-duplex
    100half 100M half-duplex
    10full 10M full-duplex
    10half 10M half-duplex
    auto auto adjust speed

    If you want half duplex only then: config system interface -> edit wan1 -> set speed 100half -> end

  8. The ‘internal’ hardware switch is configured elsewhere:
    config system global
    set internal-switch-speed
    end
    with the same options as for other interfaces.
    The Fortinet KB article cited above by Corey contains the regular command, the command for the internal switch and the diagnostics commands. kb.fortinet.com is all you need 🙂


© 2016 yurisk.info
