FortiGate - switch from NAT to transparent mode error fix
When trying to switch a FortiGate from NAT mode to Transparent mode, we get an error about the FortiLink interface being in use. The official docs just say to remove FortiLink from all settings that use it, but not how. This article shows where and how.
The error:
config sys settings
set opmode transparent
set manageip 10.13.13.13/24
Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans. Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610
The first thing is to look for fortilink in the config:
# show | grep -i fortilink -f
config system interface
edit "fortilink" <---
set vdom "root"
set fortilink enable <---
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 9
next
end
config system ntp
set ntpsync enable
set server-mode enable
set interface "fortilink" <---
end
config system dhcp server
edit 1
set ntp-service local
set default-gateway 10.255.1.1
set netmask 255.255.255.0
set interface "fortilink" <---
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
end
config switch-controller storm-control-policy
edit "auto-config"
set description "storm control policy for fortilink-isl-icl port" <---
set storm-control-mode disabled
next
end
All in all, 4 places: NTP, the switch-controller storm-control policy, the interface itself under config sys interface, and the DHCP server.
The cmdb refcnt command shows 3 references (it misses the switch-controller policy):
# diagnose sys cmdb refcnt show system.interface.name fortilink
entry used by table system.dhcp.server:id '1'
entry used by child table interface:interface-name 'fortilink' of complex system.ntp:interface.interface-name
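The difference between what grep finds (4 hits) and what cmdb refcnt reports (3) is the difference between a setting whose value is the interface name and a string that merely contains it. The script below is an added example, not part of the original post and not a Fortinet tool: it parses a FortiOS config dump (the sample is constructed from the show output above, with FortiOS's usual indentation) and classifies every hit as the interface's own definition, a configured attribute reference, or a free-text mention. The function and variable names are my own. The walkthrough below never touches the storm-control description and the mode change still succeeds once the interface is gone, which is why that one is reported as non-blocking.

```python
"""Classify every place a FortiOS config dump refers to a given interface.

Added example, not from the original post. Hit kinds:
  definition - the interface's own `config system interface` entry
  attribute  - a setting whose value is the interface name (what
               `diagnose sys cmdb refcnt` reports)
  mention    - the name only appears inside a longer string, e.g. a
               description (grep matches it, cmdb refcnt does not)
"""
import shlex

# Constructed sample: the relevant parts of the `show | grep -i fortilink -f`
# output quoted in the post.
SAMPLE_CONFIG = """\
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set type aggregate
    next
end
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end
config system dhcp server
    edit 1
        set default-gateway 10.255.1.1
        set interface "fortilink"
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port"
        set storm-control-mode disabled
    next
end
"""


def parse_fortios(text):
    """Walk a FortiOS config dump.

    Yields ("edit", path) when an entry opens and ("set", path, key, values)
    for each setting. `path` is a tuple of (table, entry-id) pairs from the
    outermost `config` block inwards; entry-id is None outside an `edit`.
    Nested `config` blocks inside an `edit` are handled by the stack.
    """
    tables, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            tables.append(line[len("config "):].strip())
            entries.append(None)
        elif line.startswith("edit ") and tables:
            entries[-1] = shlex.split(line[len("edit "):])[0]
            yield "edit", tuple(zip(tables, entries))
        elif line == "next" and entries:
            entries[-1] = None
        elif line == "end" and tables:
            tables.pop()
            entries.pop()
        elif line.startswith("set ") and tables:
            tokens = shlex.split(line[len("set "):])
            yield "set", tuple(zip(tables, entries)), tokens[0], tokens[1:]


def _location(path):
    """Render a path as 'system dhcp server [1]' style text."""
    return " / ".join(t if e is None else f"{t} [{e}]" for t, e in path)


def find_references(text, name):
    """Return a list of {"kind", "location", "setting"} dicts for `name`."""
    refs = []
    for event in parse_fortios(text):
        if event[0] == "edit":
            path = event[1]
            if path[-1] == ("system interface", name):
                refs.append({"kind": "definition", "location": _location(path), "setting": None})
            continue
        _, path, key, values = event
        if name in values:                      # exact value match
            kind = "attribute"
        elif any(name.lower() in v.lower() for v in values):   # substring only
            kind = "mention"
        else:
            continue
        refs.append({"kind": kind, "location": _location(path), "setting": key})
    return refs


def blocking_references(refs):
    """The definition and configured references need clearing; a free-text
    mention (e.g. a description) can stay."""
    return [r for r in refs if r["kind"] in ("definition", "attribute")]


if __name__ == "__main__":
    found = find_references(SAMPLE_CONFIG, "fortilink")
    for r in found:
        extra = f'  (set {r["setting"]})' if r["setting"] else ""
        print(f'{r["kind"]:10} {r["location"]}{extra}')
    print(f"{len(blocking_references(found))} of {len(found)} hits need clearing")
```

Run against a full `show full-configuration` dump (paste it into SAMPLE_CONFIG or read it from a file) before changing opmode; the blocking list is the set of places to clean up, and anything cmdb refcnt reports but this script does not is worth a look at the parser.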
Let's see if clearing the 3 references above is enough:
Deleting DHCP server instance "1":
# config sys dhcp server
(server) # del 1
(server) # end
Disabling the NTP server, which lists the fortilink interface (or you can switch it to any other available interface):
# config sys ntp
FortiGate(ntp) # show
config system ntp
set ntpsync enable
set server-mode enable
set interface "fortilink"
end
(ntp) # set server-mode disable
(ntp) # end
Bringing the fortilink interface down to see if that is enough:
# config sys int
(interface) # edit fortilink
(fortilink) # set stat down
(fortilink) # end
Checking again whether any references are left:
FortiGate # diagnose sys cmdb refcnt show system.interface.name fortilink
FortiGate #
The output is empty, so we are clear to engage:
Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans. Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610
Nope, no joy, so it seems we have to delete the fortilink interface altogether (at least on a VM FortiGate):
# config sys int
(interface) # del fortilink
(interface) # end
# config sys settings
(settings) # set opmode transparent
(settings) # set manageip 10.13.13.13/24
(settings) # end
Changing to TP mode
Done.
BTW, to switch back to NAT mode you will HAVE to specify the device and interface IP for the default gateway (or just run exe factoryreset to wipe all config; the unit will reboot into NAT mode):
config sys settings
set opmode nat
set device port1
set ip 10.13.13.1/24
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.