Escolar Documentos
Profissional Documentos
Cultura Documentos
de todos os tamanhos.
aplicativos que variam de agregação de desktop a data center, permitindo que Ofertas de produtos
as empresas façam convergir sua segurança e acesso à rede. FS-108E, 108E-POE, 108E-FPOE, 124E, 124E-POE,
124E-FPOE, 148E, 148E-POE, 124F, 124F-POE,
124F-FPOE, 148F, 148F-POE, 148F-FPOE, 224D- FPOE,
224E, 224E-POE, 248D, 248E-POE, 248E-FPOE, 424D,
424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE,
424E-FIBER, M426EFPOE, 424E, 424E 424E-FPOE,
448E, 448E-POE, 448E-FPOE, 524-D, 524D-FPOE, 548D,
Integração do Security Fabric
548D-FPOE
através do FortiLink
camada de acesso são ativadas e gerenciadas por meio de um § Ideal para ambientes de rede convergentes;
permitindo que o tráfego de voz, dados e sem
único console. A integração do FortiLink permite o gerenciamento
fio seja entregue em uma única rede
centralizado de políticas, incluindo acesso e controle baseados em
funções, tornando-o fácil de implementar e gerenciar. Este § Suporta implantações não FortiLink
por meio da interface de usuário integrada, API
controle e capacidade de gerenciamento tornam o FortiSwitch ou configuração de linha de comando
luzes
§ 8-48 portas GE, com capacidade PoE + § Portas 24-48 GE, com capacidade PoE + § Portas 24-48 GE, com capacidade PoE + § Portas 24-48 GE, com capacidade PoE +
§ Área de trabalho para armário de fiação § Chave típica do wiring closet § Maior armário de fiação ou requisitos § Maior armário de fiação ou requisitos
§ 2-4 portas de uplink GE SFP § 4 portas de uplink GE SFP de alto rendimento de alto rendimento
§ 4 portas de uplink 10GE SFP + § 4 portas de uplink SFP + 10 GE § 4x 10 GE SFP + e
2 portas de uplink QSFP de 40 GE
Desdobramento, desenvolvimento
FortiLink
Opção de gerenciamento de nuvem
FortiGate gerenciado. Tecido de segurança ativado.
Modelo de implantação mais comum.
FortiGate Cloud
Estar sozinho
Opção de gerenciamento de nuvem
Modelo de implantação padrão do setor. Comum
em ambientes não FortiGate.
FortiSwitch Cloud
2
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Características
Gestão e Configuração
Switches Gerenciados por FortiGate FortiLink Stacking (Auto 8 a 300 dependendo do modelo FortiGate (consulte o guia de administração) Sim
sim
Segurança e Visibilidade
Recursos UTM
Alta disponibilidade
Active-Active Split LAG de FortiGate para FortiSwitches para redundância avançada Sim (com FS-2xx, 4xx, 5xx)
FORTISWITCH MODEL SERIES 2XXD, 4XXD, 5XXD 1XXE / 1XXF 2XXE, 4XXE
Camada 2
IEEE 802.1w Protocolo de árvore de expansão rápida (RSTP) IEEE sim sim sim
802.1s Protocolo de árvore de expansão múltipla (MSTP) STP Root sim sim sim
Equilíbrio de tráfego Unicast / Multicast na porta de entroncamento (dst-ip, sim sim sim
Controle de fluxo e contrapressão IEEE 802.3x IEEE 802.3 sim sim sim
Ethernet IEEE 802.3ae 10 Gigabit Família 4xx e 5xx Sim N / A / Sim sim
Suporte para porta dividida (QSFP + breakout para 4x10G SFP + ou 4x1G Família FS-5xx N/D N/D
3
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Características
FORTISWITCH MODEL SERIES 2XXD, 4XXD, 5XXD 1XXE / 1XXF 2XXE, 4XXE
Camada 3 *
1K em 424E, 424E-POE,
64 em FS-2xx, Família 4xx; 16K
N/D 424E-FPOE, M426E-FPOE
na família FS-5xx
16K em 448E, 448E-POE,
448E-FPOE, 424E-Fibra
2K em 424E, 424E-POE,
1K em FS-2xx, Família 4xx; 24K
N/D 424E-FPOE, M426E-FPOE
na Família FS-5xx
16K em 448E, 448E-POE,
448E-FPOE, 424E-Fibra
Protocolos de roteamento dinâmico ** OSPFv2, RIPv2, VRRP; N/D OSPFv2, RIPv2, VRRP
Serviços
Segurança e Visibilidade
Autenticação de administrador via RFC 2865 RADIUS IEEE sim sim sim
substituto VLAN IEEE 802.1x acesso por MAC (MAB) IEEE sim sim sim
802.1x Atribuição dinâmica de VLAN Radius CoA (mudança sim sim sim
IEEE 802.1ab Link Layer Discovery Protocol (LLDP) IEEE 802.1ab sim sim sim
IEEE 802.1ae MAC Security (MAC Sec) Portas FS-5xxD 10G Não Não
Alta disponibilidade
Qualidade de serviço
Gestão
Gerenciamento de IPv4 e IPv6 Telnet sim sim sim
4
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Características
BFD MIB
RFC 5881: Detecção de encaminhamento bidirecional (BFD) para IPv4 e IPv6 (salto único) RFC 5882: Aplicação RFC 1850: OSPF versão 2 Management Information Base RFC 2233: O
genérica de detecção de encaminhamento bidirecional (BFD) BGP grupo de interfaces MIB usando SMIv2 RFC 2618: Radius-Auth-Client-MIB
RFC 1965: Confederações de Sistema Autônomo para BGP RFC 1997: RFC 2674: Definições de objetos gerenciados para pontes com classes de tráfego, filtragem multicast e extensões de LAN
RFC 2545: Uso de extensões multiprotocolo BGP-4 para roteamento interdomínio IPv6 RFC 2796: Reflexão de RFC 2787: Definições de objetos gerenciados para o protocolo de redundância do roteador virtual RFC 2819: Base de
rota BGP - uma alternativa para malha completa IBGP RFC 2842: Propaganda de capacidades com BGP-4 informações de gerenciamento de monitoramento de rede remota RFC 2932: IPv4 Multicast Routing MIB
RFC 2858: Extensões Multiprotocolo para BGP-4 RFC 4271: RFC 2934: MIB multicast independente de protocolo para IPv4
BGP-4 RFC 3289: Base de informações de gerenciamento para a arquitetura de serviços diferenciados RFC 3433: Base de
RFC 6286: Identificador BGP exclusivo de todo o sistema autônomo para BGP-4 RFC 6608: informações de gerenciamento de sensor de entidade
subcódigos para erro de máquina de estado finito BGP RFC 3621: Power Ethernet MIB RFC 6933:
RFC 6793: suporte BGP para espaço de número do sistema autônomo de quatro octetos (AS) RFC 7606: Entidade MIB (versão 4) OSPF
RFC 7705: Mecanismos de migração de sistema autônomo e seus efeitos no atributo BGP AS_PATH RFC 8212: comportamento de RFC 1765: OSPF Database Overflow RFC
propagação de rota de BGP externo padrão (EBGP) sem políticas RFC 8654: suporte de mensagem estendido para BGP 2328: OSPF versão 2
RFC 2131: Protocolo de configuração dinâmica de hosts RFC RFC 3101: A opção da área não tão atarracada do OSPF (NSSA) RFC 3137:
3046: opção de informações do agente de retransmissão DHCP anúncio do roteador stub do OSPF
RFC 7513: Solução de Melhoria de Validação de Endereço de Origem (SAVI) para DHCP IP / IPv4 RFC 3623: reinicialização otimizada do OSPF
RFC 3168: A adição de notificação explícita de congestionamento (ECN) ao IP RFC 5227: RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication RFC 6549:
RFC 5517: VLANs privadas da Cisco Systems: segurança escalonável em um ambiente de múltiplos clientes RFC 7039: RFC 6845: Transmissão híbrida OSPF e tipo de interface ponto a multiponto RFC 6860: ocultando
Estrutura de melhoria de validação de endereço de origem (SAVI) redes somente de trânsito no OSPF
Multicast IP RFC 7474: Extensão de segurança para OSPFv2 ao usar o gerenciamento manual de chaves RFC 7503:
RFC 2362: Protocolo Independent Multicast-Sparse Mode (PIM-SM): Especificação de protocolo RFC 2710: Multicast OSPF para IPv6
Listener Discovery (MLD) para IPv6 (MLDv1) RFC 8042: Rascunho de recomendação T.4 do CCITT
RFC 4541: Considerações sobre o protocolo de gerenciamento de grupo da Internet (IGMP) e interruptores de detecção de multicast RFC 8362: Extensibilidade do anúncio do estado do link OSPFv3 (LSA) OUTRO
RFC 4605: Internet Group Management Protocol (IGMP) / Multicast Listener Discovery (MLD) -Based Multicast Forwarding RFC 2030: SNTP
(“IGMP / MLD Proxying”) RFC 3176: sFlow da InMon Corporation: um método para monitorar o tráfego em redes comutadas e roteadas
RFC 2464: Transmissão de pacotes IPv6 em redes Ethernet: Transmissão de pacotes IPv6 em redes Ethernet RFC 3954: Cisco Systems NetFlow Services Export Versão 9
RFC 5101: Especificação do protocolo IP Flow Information Export (IPFIX) para a troca de informações de fluxo
RFC 2474: Definição do Campo de Serviços Diferenciados (Campo DS) nos Cabeçalhos e IPv6 (DSCP) RFC 2893: Mecanismos de
Transição para Hosts e Roteadores IPv6 RFC 5798: VRRPv3 (IPv4 e IPv6) RADIUS
RFC 4213: Mecanismos de transição básicos para hosts e roteadores IPv6 RFC 4291:
Arquitetura de endereçamento IP versão 6 RFC 2865: autenticação de administrador usando RADIUS RFC
RFC 4443: Internet Control Message Protocol (ICMPv6) para a especificação do protocolo da Internet versão 6 (IPv6) RFC 4861: descoberta 2866: contabilidade RADIUS
de vizinho para IP versão 6 (IPv6) RFC 5176: Extensões de autorização dinâmica para serviço de usuário de discagem com autenticação remota (RADIUS)
RFC 6724: Seleção de endereço padrão para protocolo da Internet versão 6 (IPv6) RFC 7113: IPv6 RFC 1058: Routing Information Protocol RFC 2080:
RFC 8200: Protocolo da Internet, Versão 6 (IPv6) Especificação RFC 8201: RFC 2082: Autenticação RIP-2 MD5 RFC
RFC 1195: Uso de OSI IS-IS para roteamento em TCP / IP e ambientes duplos RFC 5308:
RFC 1213: peças MIB II que se aplicam a unidades FortiSwitch 100 RFC 1354: RFC 2572: Processamento e envio de mensagens SNMP RFC 2573:
RFC 1493: Bridge MIB RFC RFC 2576: Coexistência entre versões SNMP
* modelo.
RFC e MIB suportados pelo sistema operacional FortiSwitch. Verifique a matriz de recursos no guia de administração para obter suporte específico para o
5
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 7x GE RJ45, 1x GE / POE-PD RJ45 e 2x 8x GE RJ45 e 2x GE SFP 8x GE RJ45 e 2x GE SFP
GE SFP
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
INSTANTÂNEO 32 MB 32 MB 32 MB
Dimensões
Altura x Profundidade x Largura 1,5 x 6,3 x 8,7 1,7 x 8,2 x 13 1,7 x 8,2 x 13
Largura (mm) Peso 2,2 lbs (1 kg) 4,3 lbs (1,95 kg) 4,5 lbs (2,04 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz / PoE-PSE (af) CA e 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Poder Redundante - - -
Consumo de energia * (médio / máximo) Dissipação de 5,54 W / 6,26 W 70,19 W / 71,10 W 135,19 W / 136,10 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
6
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 24x GE RJ45 e 4x GE SFP 0 24x GE RJ45 e 4x GE SFP 0 24x GE RJ45 e 4x GE SFP 0
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
INSTANTÂNEO 32 MB 32 MB 32 MB
Dimensões
Altura x Profundidade x Largura 1,7 x 8,2 x 13 1,7 x 12,2 x 17,3 44 x 1,7 x 12,2 x 17,3 44 x
Largura (mm) Peso 4,7 lbs (2,13 kg) 11,1 lbs (5,03 kg) 11,2 lbs (5,03 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Poder Redundante - - -
Consumo de energia * (médio / máximo) Dissipação de 15,83 W /17,79 W 54 202,78 W / 205,45 W 387,78 W / 390,45 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 124E-FPOE
7
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Especificações do sistema
INSTANTÂNEO 64 MB 64 MB
Dimensões
Largura (mm) Peso 8,6 lbs (3,9 kg) 11,5 lbs (5,2 kg)
Meio Ambiente
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
8
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
agregação de links 2 MB 2 MB 2 MB
INSTANTÂNEO 64 MB 64 MB 64 MB
Dimensões
Altura x Profundidade x Largura 1,73 x 9,06 x 12,99 44 x 1,73 x 10,24 x 12,99 44 x 1,73 x 10,24 x 12,99 44 x
Largura (mm) Peso 4,48 lbs (2,03 kg) 7,85 lbs (3,56 kg) 8,42 lbs (3,82 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50-60 Hz CA 100–240 V CA, 50-60 Hz CA 100–240 V CA, 50-60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 24,8 W / 26,3 W 235,9 W / 237,4 W 449,8 W / 451,3 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 124F-FPOE
9
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
agregação de links 2 MB 2 MB 2 MB
INSTANTÂNEO 64 MB 64 MB 64 MB
Dimensões
Altura x Profundidade x Largura 1,73 x 10,24 x 17,32 44 x 1,73 x 12,20 x 17,32 44 x 1,73 x 12,20 x 17,32 44 x
Largura (mm) Peso 7,63 lbs (3,46 kg) 10,32 lbs (4,68 kg) 10,32 lbs (4,68 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50-60 Hz CA 100–240 V CA, 50-60 Hz CA 100–240 V CA, 50-60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 55,8 W / 57 W 474,8 W / 476,3 W 893,5 W / 895,7 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 148F-FPOE
10
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Power over Ethernet (PoE) Orçamento de 24 (802.3af / 802.3at) N/D 12 (802.3af / 802.3at)
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas Até o número de portas Até o número de portas
Dimensões
Altura x Profundidade x Largura 1,73 x 12,2 x 17,5 44 x 1,73 x 9 x 12,99 44 x 1,73 x 9 x 12,99 44 x
Largura (mm) Peso 10,64 lbs (4,83 kg) 4,78 lbs (2,17 kg) 5,37 lbs (2,44 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 380 W / 397 W 17,2 W / 17,3 W 220,18 W / 223,57 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 224E-POE
11
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas Até o número de portas Até o número de portas
Dimensões
Altura x Profundidade x Largura 1,73 x 9,68 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x
Largura (mm) Peso 7,81 lbs (3,54 kg) 12,12 lbs (5,5 kg) 13,44 lbs (6,1 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 38,66 W / 39,19 W 134 457,46 W / 466,47 W 842 W / 855,02 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 248E-FPOE
12
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces Portas 24x GE RJ45 e 2x10 GE SFP + Portas 24x GE RJ45 e 2x10 GE SFP + Portas 24x GE RJ45 e 2x10 GE SFP +
Observação: as portas SFP + são compatíveis Observação: as portas SFP + são compatíveis Observação: as portas SFP + são compatíveis
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas Até o número de portas Até o número de portas
Dimensões
Altura x Profundidade x Largura 1,75 x 10,12 x 17,3 44 x 1,75 x 10,12 x 17,3 44 x 1,73 x 12,2 x 17,5 44 x
Largura (mm) Peso 7,14 lbs (3,24 kg) 8,42 lbs (3,82 kg) 10,64 lbs (4,83 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 17,3 W / 17,2 W 208 W / 210 W 397 W / 403 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 424D-FPOE
13
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 48x GE RJ45 e 4x10 GE SFP + portas 48x GE RJ45 e 4x10 GE SFP + portas 48x GE RJ45 e 4x10 GE SFP + portas
Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas Até o número de portas Até o número de portas
Dimensões
Altura x Profundidade x Largura 1,75 x 12,2 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x
Largura (mm) Peso 9,15 lbs (4,15 kg) 13,44 lbs (6,1 kg) 15,45 lbs (7,01 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 448D-FPOE
14
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
FORTISWITCH-424E-FIBER FORTISWITCH-M426E-FPOE
Especificações de Hardware
Total Network Interfaces 24x GE SFP e 4x 10GE SFP + portas Nota: As 16x GE RJ45, 8 portas 2,5 GE RJ45, 2x 5 GE RJ45 e 4x 10 GE SFP + portas Nota: as portas SFP +
com 1 GE SFP
Power over Ethernet (PoE) Orçamento de N/D 24 (16x 802.3af / at, 8x 802.3af / at / UPOE) 420 W
Especificações do sistema
agregação de links MB MB
Dimensões
Largura (mm) Peso 5,62 lbs (2,55 kg) 13,00 lbs (5,9 kg)
Meio Ambiente
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
15
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 24x GE RJ45 e 4x10 GE SFP + portas 24x GE RJ45 e 4x10 GE SFP + portas 24x GE RJ45 e 4x10 GE SFP + portas
Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas 2 Até o número de portas 2 Até o número de portas 2
agregação de links MB MB MB
Dimensões
Altura x Profundidade x Largura 1,75 x 10,23 x 17,3 44 x 1,75 x 16,14 x 17,3 44 x 1,75 x 16,14 x 17,3 44 x
Largura (mm) Peso 6,83 lbs (3,1 kg) 11,57 lbs (5,25 kg) 12,72 lbs (5,77 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 22,3 W / 23,6 W 281,3 W / 283,5 W 431,2 W / 433,7 W
Umidade 5–95% sem condensação 5–95% sem condensação 5–95% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 424E-FPOE
16
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 48x GE RJ45 e 4 portas 10GE SFP + 48x GE RJ45 e 4 portas 10GE SFP + 48x GE RJ45 e 4 portas 10GE SFP +
Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP Nota: as portas SFP + são compatíveis com 1 GE SFP
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos
Especificações do sistema
Buffers de pacotes de grupos de Até o número de portas 2 Até o número de portas 2 Até o número de portas 2
agregação de links MB MB MB
Dimensões
Altura x Profundidade x Largura 1,75 x 12,2 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x 1,73 x 16,1 x 17,3 44 x
Largura (mm) Peso 9,17 lbs (4,16 kg) 13,8 lbs (6,26 kg) 14,04 lbs (6,37 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA 100–240 V CA, 50/60 Hz CA
Consumo de energia * (médio / máximo) Dissipação de 46,5 W / 47,81 W 440,12 W / 442,234 W 921,4 W / 923,6 W
Umidade 10–90% sem condensação 10–90% sem condensação 10–90% sem condensação
Certificação e Conformidade
garantia
* em
O consumo
uso de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
FortiSwitch 448E-FPOE
17
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Especificações
Especificações de Hardware
Total Network Interfaces 24 portas GE / RJ45, 24 portas GE / RJ45, 48 portas GE / RJ45, 48 portas GE / RJ45,
Fator de forma 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Orçamento de N/D 24 (802.3af / at) N/D 48 (802.3af / at)
Tempo médio entre falhas > 10 anos > 10 anos > 10 anos > 10 anos
Especificações do sistema
Capacidade de comutação (Duplex) 288 Gbps 288 Gbps 336 Gbps 336 Gbps
Armazenamento de endereços MAC de 428 Mpps 428 Mpps 512 Mpps 512 Mpps
Buffers de pacotes de grupos de Até o número de portas 4 Até o número de portas 4 Até o número de portas 4 Até o número de portas 4
agregação de links MB MB MB MB
Dimensões
Altura x Profundidade x Largura 1,75 x 13,8 x 17,3 44 x 1,75 x 13,8 x 17,3 44 x 1,75 x 13,8 x 17,3 44 x 1,75 x 13,8 x 17,3 44 x
(polegadas) Altura x Profundidade x 350 x 439 350 x 439 350 x 439 350 x 439
Largura (mm) Peso 13,6 lbs (6,2 kg) 15,74 lbs (7,14 kg) 14,1 lbs (6,4 kg) 15,74 lbs (7,14 kg)
Meio Ambiente
Energia necessária 100–240 V CA, 50/60 Hz 150 W 100–240 V CA, 50/60 Hz 600 W 100–240 V CA, 50/60 Hz 150 W 100–240 V CA, 50/60 Hz 920 W
Poder Redundante FS-PSU-150 opcional * FS-PSU-600 opcional * FS-PSU-150 opcional * FS-PSU-900 opcional *
(apenas para backup de 150 W) (para 600 W para PoE adicional) (apenas para backup de 150 W) (para 900 W para PoE adicional)
Consumo de energia ** (média / máxima) Dissipação de 73 W / 75 W 570 W / 579 W (carga PoE total) 296 74 W / 77 W 925 W / 961 W (carga PoE total) 318
calor 247 BTU / h BTU / h (carga PoE total) 32–113 ° F 252 BTU / h BTU / h (carga PoE total) 32–113 ° F
Temperatura de armazenamento - 40–158 ° F (-40–70 ° C) - 40–158 ° F (-40–70 ° C) - 40–158 ° F (-40–70 ° C) - 40–158 ° F (-40–70 ° C)
Umidade 5–95% sem condensação 5–95% sem condensação 5–95% sem condensação 5–95% sem condensação
Direção do fluxo de ar de frente para trás de frente para trás de frente para trás de frente para trás
Certificação e Conformidade
garantia
*quente
FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE As unidades de fonte de alimentação podem ser trocadas a
* em
* O uso
consumo de energia dos modelos POE é semelhante ao modelo não POE se o POE não estiver
18
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Informações do pedido
FortiSwitch 108E FS-108E Interruptor compatível com controlador de switch FortiGate de camada 2 com 8 portas GE RJ45 + 2 SFP, linha AC e PSE com alimentação dupla. Fanless.
FortiSwitch 108E-POE FS-108E-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 8 portas GE RJ45 + 2 SFP,
FortiSwitch 108E-FPOE FS-108E-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 8 portas GE RJ45 + 2 SFP, 8
FortiSwitch 124E FS-124E Interruptor compatível com controlador de switch FortiGate de camada 2 com 24 GE RJ45 + 4 portas SFP. Fanless.
FortiSwitch 124E-POE FS-124E-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 24 GE RJ45 + 4 portas SFP, 12 portas PoE com limite máximo de 185 W. Switch
FortiSwitch 124E-F-POE FS-124E-FPOE PoE + compatível com o controlador de switch FortiGate de camada 2 com 24 portas GE RJ45 + 4 SFP, PoE de 24 portas com limite máximo de 370 W. Interruptor
FortiSwitch 148E FS-148E compatível com o controlador de switch FortiGate de camada 2 com 48 GE RJ45 + 4 portas SFP.
FortiSwitch 148E-POE FS-148E-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 48 GE RJ45 + 4 portas SFP, PoE de 24 portas com limite máximo de 370 W.
FortiSwitch 124F FS-124F Interruptor compatível com controlador de switch FortiGate de camada 2 com 24 GE RJ45 + 4 portas 10G SFP +.
FortiSwitch 124F-POE FS-124F-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 24 GE RJ45 + 4 portas 10G SFP +, 12 portas PoE com limite máximo de 185 W.
FortiSwitch 124F-FPOE FS-124F-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 24 GE RJ45 + 4 portas 10G SFP +, 24 portas PoE com limite máximo de 370 W.
FortiSwitch 148F FS-148F Interruptor compatível com controlador de switch FortiGate de camada 2 com 48 GE RJ45 + 4 portas 10G SFP +.
FortiSwitch 148F-POE FS-148F-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 48 GE RJ45 + 4 portas 10G SFP +, 24 portas PoE com limite máximo de 370 W.
FortiSwitch 148F-FPOE FS-148F-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2 com 48 GE RJ45 + 4 portas 10G SFP +, 48 portas PoE com limite máximo de 740 W.
FortiSwitch 224D-FPOE FS-224D-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 24 GE RJ45 + 4 portas SFP, PoE
FortiSwitch 224E FS-224E Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 24 GE RJ45 + 4 portas SFP. Fanless.
FortiSwitch 224E-POE FS-224E-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 24 GE RJ45 + 4 portas SFP, 12
FortiSwitch 248D FS-248D Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4 portas SFP.
FortiSwitch 248E-POE FS-248E-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4 portas SFP, PoE
FortiSwitch 248E-FPOE FS-248E-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4 portas SFP, 48
FortiSwitch 424D FS-424D Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 24 GE RJ45 + 2x 10 GE SFP + portas.
FortiSwitch 424D-POE FS-424D-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 24 GE RJ45 + 2x 10 GE SFP + portas, 24
FortiSwitch 424D-FPOE FS-424D-FPOE Switch PoE + compatível com o controlador de switch FortiGate Layer 2/3 com 24 GE RJ45 + 2x 10 GE SFP + portas, 24 portas
FortiSwitch 448D FS-448D Interruptor compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4x 10 GE SFP + portas.
FortiSwitch 448D-POE FS-448D-POE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4x 10 GE SFP + portas, 48
FortiSwitch 448D-FPOE FS-448D-FPOE Interruptor PoE + compatível com controlador de switch FortiGate de camada 2/3 com 48 GE RJ45 + 4x 10 GE SFP + portas, 48
FortiSwitch 424E-Fiber FS-424E-Fiber Interruptor compatível com o controlador de switch FortiGate de camada 2/3 com 24x GE SFP e 4x 10 GE SFP + Uplinks
FortiSwitch M426E-FPOE FS-M426E-FPOE Interruptor PoE + / UPoE compatível com o controlador de switch FortiGate de camada 2/3 com 16x GE RJ45, 8x 2,5 RJ45, 2x 5 GE RJ45 e 4x 10 GE
FortiSwitch 424E FS-424E Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 24 GE RJ45, 4x 10 GE SFP + portas.
FortiSwitch 424E-POE FS-424E-POE Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 24 GE RJ45, 4 portas 10 GE SFP +, 24
FortiSwitch 424E-FPOE FS-424E-FPOE Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 24 GE RJ45, 4 portas 10 GE SFP +, 24
FortiSwitch 448E FS-448E Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 48 GE RJ45, 4x 10 GE SFP + portas.
FS-448E-POE Interruptor compatível com controlador de switch FortiGate de camada 2/3 com 48 GE RJ45, 4 portas 10 GE SFP +, 48 portas PoE + com limite máximo de 421 W.
FortiSwitch 448E-POE
FS-448E-FPOE Interruptor compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45, 4 portas 10 GE SFP +, 48 portas PoE + com limite máximo de 772 W.
FortiSwitch 448E-FPOE
FortiSwitch 524D FS-524D Switch do controlador de switch FortiGate de camada 2/3 com portas 24 GE RJ45, 4x 10 GE SFP + e 2x 40 GE QSFP +.
FortiSwitch 524D-FPOE FS-524D-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 24 GE RJ45, 4x 10 GE SFP +, 2x 40 GE QSFP + portas, 24 portas
FortiSwitch 548D FS-548D Switch do controlador de switch FortiGate de camada 2/3 com portas 48 GE RJ45, 4x 10 GE SFP + e 2x 40 GE QSFP +.
FortiSwitch 548D-FPOE FS-548D-FPOE Switch PoE + compatível com o controlador de switch FortiGate de camada 2/3 com 48 GE RJ45, 4 portas 10 GE SFP + e 2x 40 GE QSFP + portas, 48
Licença de gerenciamento de nuvem FortiSwitch * FC-10-WMSC1-190-02-DD FortiSwitch Cloud Management License subscrição de 1 ano de contrato.
19
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro
Informações do pedido
Acessórios
Licença de recursos avançados FortiSwitch FS-SW-LIC-200 Licença SW para switches da série FS-200 para ativar recursos avançados. Licença SW
FS-SW-LIC-400 para switches da série FS-400 para ativar recursos avançados. Licença SW para
Fonte de alimentação CA redundante externa Fonte FRPS-740 Fonte de alimentação CA redundante para até 2 unidades: FS-224D-FPOE, FS-248D-FPOE, FS-424D-FPOE, FS-448D-POE e FS-424D-POE. Fonte de alimentação
* * Ao gerenciar um FortiSwitch com um FortiGate via FortiGate Cloud, nenhuma licença adicional é necessária.
Para obter detalhes sobre os módulos do transceptor, consulte o Folha de dados dos Transceptores Fortinet.
www.fortinet.com
Copyright © 2020 Fortinet, Inc. Todos os direitos reservados. Fortinet®, FortiGate®, FortiCare® e FortiGuard® e algumas outras marcas são marcas registradas da Fortinet, Inc., e outros nomes Fortinet aqui mencionados também podem ser marcas registradas e / ou de direito consuetudinário da Fortinet. Todos os outros nomes
de produtos ou empresas podem ser marcas comerciais de seus respectivos proprietários. O desempenho e outras métricas aqui contidas foram obtidos em testes de laboratório internos sob condições ideais, e o desempenho real e outros resultados podem variar. Variáveis de rede, diferentes ambientes de rede e outras
condições podem afetar os resultados de desempenho. Nada neste documento representa qualquer compromisso vinculativo da Fortinet, e a Fortinet se isenta de todas as garantias, expressas ou implícitas, exceto na medida em que a Fortinet celebra um contrato vinculativo por escrito, assinado pelo Conselho Geral da Fortinet,
com um comprador que garanta expressamente que o produto identificado terá um desempenho de acordo com certas métricas de desempenho expressamente identificadas e, nesse caso, apenas as métricas de desempenho específicas expressamente identificadas em tal contrato por escrito vinculativo serão vinculativas para
a Fortinet. Para maior clareza, qualquer garantia será limitada ao desempenho nas mesmas condições ideais dos testes de laboratório internos da Fortinet. A Fortinet se isenta totalmente de quaisquer acordos, representações e garantias de acordo com este instrumento, sejam expressas ou implícitas. A Fortinet reserva-se o
direito de alterar, modificar, transferir ou revisar esta publicação sem aviso prévio, e a versão mais atual da publicação será aplicável. A Fortinet se isenta totalmente de quaisquer acordos, representações e garantias de acordo com este instrumento, sejam expressas ou implícitas.
FST-PROD-DS-SW3 FS-SA-DAT-R40-202011
DATA SHEET
Highlights
Deployment
FortiLink
FortiGate Managed. Security Fabric Enabled. Cloud Management Option
Most common deployment model.
FortiGate Cloud
2
DATA SHEET | FortiSwitch™ Secure Access Family
Features
3
DATA SHEET | FortiSwitch™ Secure Access Family
Features
FORTISWITCH MODEL SERIES 2XXD, 4XXD, 5XXD 1XXE / 1XXF 2XXE, 4XXE
Layer 3*
Static Routing (Hardware-based) Yes N/A Yes
Routing Entries 64 on 2xxE
1K on 424E, 424E-POE,
64 on FS-2xx, 4xx Family;
N/A 424E-FPOE, M426E-FPOE
16K on FS-5xx Family
16K on 448E, 448E-POE,
448E-FPOE, 424E-Fiber
Host Entries 1K on 2xxE
2K on 424E, 424E-POE,
1K on FS-2xx, 4xx Family;
N/A 424E-FPOE, M426E-FPOE
24K on FS-5xx Family
16K on 448E, 448E-POE,
448E-FPOE, 424E-Fiber
Dynamic Routing Protocols** OSPFv2, RIPv2, VRRP; N/A OSPFv2, RIPv2, VRRP
BGP, ISIS on FS-5xx
Multicast Protocols** PIM-SSM on FS-5xx N/A N/A
ECMP FS-5xx Family N/A No
Spanning Tree Instances 32 instances max for
N/A N/A
FS-5xx from 6.2.0+
Bidirectional Forwarding Detection (BFD) Yes N/A Yes
DHCP Relay Yes N/A Yes
Services
IGMP Snooping Yes No Yes
Security and Visibility
Port Mirroring Yes Yes Yes
Admin Authentication Via RFC 2865 RADIUS Yes Yes Yes
IEEE 802.1x authentication Port-based Yes Yes Yes
IEEE 802.1x Authentication MAC-based Yes Yes Yes
IEEE 802.1x Guest and Fallback VLAN Yes Yes Yes
IEEE 802.1x MAC Access Bypass (MAB) Yes Yes Yes
IEEE 802.1x Dynamic VLAN Assignment Yes Yes Yes
Radius CoA (Change of Authority) Yes Yes Yes
Radius Accounting Yes Yes Yes
MAC-IP Binding 5xx only No No
sFlow Yes No Yes
ACL 1K entries on FS-5xx Family No 512 entries on 2xxE
512 on 2xx, 4xx Families 1K on 424E, 424E-POE,
424E-FPOE, M426E-FPOE
1.5K on 448E, 448E-POE,
448E-FPOE, 424E-Fiber
IEEE 802.1ab Link Layer Discovery Protocol (LLDP) Yes Yes Yes
IEEE 802.1ab LLDP-MED Yes Yes Yes
IEEE 802.1ae MAC Security (MAC Sec) FS-5xxD 10G ports No No
DHCP-Snooping Yes Yes Yes
Dynamic ARP Inspection Yes Yes Yes
Sticky MAC and MAC Limit Yes Yes Yes
High Availability
Multi-Chassis Link Aggregation (MCLAG) Yes N/A Yes
Quality of Service
IEEE 802.1p Based Priority Queuing Yes Yes Yes
IP TOS/DSCP Based Priority Queuing Yes Yes Yes
IEEE 1588 PTP (Transparent Clock) Yes No Yes
Management
IPv4 and IPv6 Management Yes Yes Yes
Telnet / SSH Yes Yes Yes
HTTP / HTTPS Yes Yes Yes
SNMP v1/v2c/v3 Yes Yes Yes
SNTP Yes Yes Yes
Standard CLI and Web GUI Interface Yes Yes Yes
Software download/upload: TFTP/FTP/GUI Yes Yes Yes
Managed from FortiGate Yes Yes Yes
Support for HTTP REST APIs for
Yes Yes Yes
Configuration and Monitoring
* Supported on 2xx, 4xx and 5xx. ** Requires ‘Advanced Features’ License.
4
DATA SHEET | FortiSwitch™ Secure Access Family
Features
* RFC and MIB supported by FortiSwitch Operating System. Check feature matrix in administration guide for model specific support.
5
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 20 Gbps 20 Gbps 20 Gbps
Packets Per Second (Duplex) 30 Mpps 30 Mpps 30 Mpps
MAC Address Storage 8K 8K 8K
Network Latency 4µs 4µs 4µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 8 8 8
Packet Buffers 512 KB 512 KB 512 KB
DRAM 256 MB DDR3 256 MB DDR3 256 MB DDR3
FLASH 32 MB 32 MB 32 MB
Dimensions
Height x Depth x Width (inches) 1.5 x 6.3 x 8.7 1.7 x 8.2 x 13 1.7 x 8.2 x 13
Height x Depth x Width (mm) 38 x 160 x 220 44 x 209 x 330 44 x 209 x 330
Weight 2.2 lbs (1 kg) 4.3 lbs (1.95 kg) 4.5 lbs (2.04 kg)
Environment
Power Required 100–240V AC, 50/60 Hz / PoE-PSE(af) 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC & PoE-PD Built in AC Built in AC Built in
Redundant Power — — —
Power Consumption* (Average / Maximum) 5.54 W / 6.26 W 70.19 W / 71.10 W 135.19 W / 136.10 W
Heat Dissipation 18.9 BTU/h 17.7 BTU/h 17.7 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
6
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 56 Gbps 56 Gbps 56 Gbps
Packets Per Second (Duplex) 83 Mpps 83 Mpps 83 Mpps
MAC Address Storage 8K 8K 8K
Network Latency 4µs 4µs 4µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 8 8 8
Packet Buffers 512 KB 512 KB 512 KB
DRAM 256 MB DDR3 256 MB DDR3 256 MB DDR3
FLASH 32 MB 32 MB 32 MB
Dimensions
Height x Depth x Width (inches) 1.7 x 8.2 x 13 1.7 x 12.2 x 17.3 1.7 x 12.2 x 17.3
Height x Depth x Width (mm) 44 x 209 x 330 44 x 309 x 440 44 x 309 x 440
Weight 4.7 lbs (2.13 kg) 11.1 lbs (5.03 kg) 11.2 lbs (5.03 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC Built in AC Built in AC Built in
Redundant Power — — —
Power Consumption* (Average / Maximum) 15.83 W /17.79 W 202.78 W / 205.45 W 387.78 W / 390.45 W
Heat Dissipation 54 BTU/h 60.67 BTU/h 60.67 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
FortiSwitch 124E-FPOE
7
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 104 Gbps 104 Gbps
Packets Per Second (Duplex) 155 Mpps 155 Mpps
MAC Address Storage 16 K 16 K
Network Latency 3860 ns 3860 ns
VLANs Supported 4K 4K
Link Aggregation Group Size 8 8
Total Link Aggregation Groups 16 16
Packet Buffers 1.5 MB 1.5 MB
DRAM 256 MB DDR3 256 MB DDR3
FLASH 64 MB 64 MB
Dimensions
Height x Depth x Width (inches) 1.73 x 12.2 x 17.3 1.73 x 13.7 x 17.3
Height x Depth x Width (mm) 44 x 309 x 440 44 x 348 x 440
Weight 8.6 lbs (3.9 kg) 11.5 lbs (5.2 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC Built in AC Built in
Redundant Power No No
Power Consumption* (Average / Maximum) 19.804 W / 22.137 W 389.742 W /393.109 W
Heat Dissipation 67.574 BTU/h 78.82 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing
8
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 128 Gbps 128 Gbps 128 Gbps
Packets Per Second (Duplex) 190 Mpps 190 Mpps 190 Mpps
MAC Address Storage 32 K 32 K 32 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 128 128 128
Packet Buffers 2 MB 2 MB 2 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 64 MB 64 MB 64 MB
Dimensions
Height x Depth x Width (inches) 1.73 x 9.06 x 12.99 1.73 x 10.24 x 12.99 1.73 x 10.24 x 12.99
Height x Depth x Width (mm) 44 x 230 x 330 44 x 260 x 330 44 x 260 x 330
Weight 4.48 lbs (2.03 kg) 7.85 lbs (3.56 kg) 8.42 lbs (3.82 kg)
Environment
Power Required 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power No No No
Power Consumption* (Average / Maximum) 24.8 W / 26.3 W 235.9 W / 237.4 W 449.8 W / 451.3 W
Heat Dissipation 89.683 BTU/h 809.534 BTU/h 1538.933 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 124F-FPOE
9
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 176 Gbps 176 Gbps 176 Gbps
Packets Per Second (Duplex) 260 Mpps 260 Mpps 260 Mpps
MAC Address Storage 32 K 32 K 32 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 128 128 128
Packet Buffers 2 MB 2 MB 2 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 64 MB 64 MB 64 MB
Dimensions
Height x Depth x Width (inches) 1.73 x 10.24 x 17.32 1.73 x 12.20 x 17.32 1.73 x 12.20 x 17.32
Height x Depth x Width (mm) 44 x 260 x 440 44 x 310 x 440 44 x 310 x 440
Weight 7.63 lbs (3.46 kg) 10.32 lbs (4.68 kg) 10.32 lbs (4.68 kg)
Environment
Power Required 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power No No No
Power Consumption* (Average / Maximum) 55.8 W / 57 W 474.8 W / 476.3 W 893.5 W / 895.7 W
Heat Dissipation 194.37 BTU/h 195.73 BTU/h 198.46 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 148F-FPOE
10
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 56 Gbps 56 Gbps 56 Gbps
Packets Per Second (Duplex) 83 Mpps 83 Mpps 83 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 128 MB 128 MB 128 MB
Dimensions
Height x Depth x Width (inches) 1.73 x 12.2 x 17.5 1.73 x 9 x 12.99 1.73 x 9 x 12.99
Height x Depth x Width (mm) 44 x 310 x 440 44 x 230 x 330 44 x 230 x 330
Weight 10.64 lbs (4.83 kg) 4.78 lbs (2.17 kg) 5.37 lbs (2.44 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Optional FRPS-740 Redundant AC Optional FRPS-740
Power Consumption* (Average / Maximum) 380 W / 397 W 17.2 W / 17.3 W 220.18 W / 223.57 W
Heat Dissipation 85 BTU/h 59.095 BTU/h 74.29554 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 224E-POE
11
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 104 Gbps 104 Gbps 104 Gbps
Packets Per Second (Duplex) 155 Mpps 155 Mpps 155 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 128 MB 128 MB 128 MB
Dimensions
Height x Depth x Width (inches) 1.73 x 9.68 x 17.3 1.73 x 16.1 x 17.3 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) 44 x 246 x 440 44 x 410 x 440 44 x 410 x 440
Weight 7.81 lbs (3.54 kg) 12.12 lbs (5.5 kg) 13.44 lbs (6.1 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power — Optional FRPS-740 Optional FRPS-740
Power Consumption* (Average / Maximum) 38.66 W / 39.19 W 457.46 W / 466.47 W 842 W / 855.02 W
Heat Dissipation 134 BTU/h 177.14268 BTU/h 162.87865 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 248E-FPOE
12
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 88 Gbps 88 Gbps 88 Gbps
Packets Per Second (Duplex) 131 Mpps 131 Mpps 131 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 1 GB DDR3 1 GB DDR3 1 GB DDR3
FLASH 128 MB 128 MB 128 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 10.12 x 17.3 1.75 x 10.12 x 17.3 1.73 x 12.2 x 17.5
Height x Depth x Width (mm) 44 x 250 x 440 44 x 250 x 440 44 x 310 x 440
Weight 7.14 lbs (3.24 kg) 8.42 lbs (3.82 kg) 10.64 lbs (4.83 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Optional FRPS-740 Optional FRPS-740
Power Consumption* (Average / Maximum) 17.3 W / 17.2 W 208 W / 210 W 397 W / 403 W
Heat Dissipation 69 BTU/h 89 BTU/h 100 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 424D-FPOE
13
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 176 Gbps 176 Gbps 176 Gbps
Packets Per Second (Duplex) 262 Mpps 262 Mpps 262 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 1 GB DDR3 1 GB DDR3 1 GB DDR3
FLASH 128 MB 128 MB 128 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 12.2 x 17.3 1.73 x 16.1 x 17.3 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) 44 x 310 x 440 44 x 410 x 440 44 x 410 x 440
Weight 9.15 lbs (4.15 kg) 13.44 lbs (6.1 kg) 15.45 lbs (7.01 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Optional FRPS-740 Redundant AC
Power Consumption* (Average / Maximum) 38 W / 38 W 417 W / 419 W 790 W / 792 W
Heat Dissipation 147 BTU/h 177 BTU/h 193 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 448D-FPOE
14
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
FORTISWITCH-424E-FIBER FORTISWITCH-M426E-FPOE
Hardware Specifications
Total Network Interfaces 24x GE SFP and 4x 10GE SFP+ ports 16x GE RJ45, 8x 2.5 GE RJ45 ports, 2x 5 GE RJ45, and 4x 10 GE SFP+ ports
Note: SFP+ ports are compatlble Note: SFP+ ports are compatible
with 1 GE SFP with 1 GE SFP
Dedicated Management 10/100 Port 1 1
RJ-45 Serial Console Port 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports N/A 24 (16x 802.3af/at, 8x 802.3af/at/UPOE)
PoE Power Budget N/A 420 W
Mean Time Between Failures > 10 years > 10 years
System Specifications
Switching Capacity (Duplex) 128 Gbps 172 Gbps
Packets Per Second (Duplex) 204 Mpps 255 Mpps
MAC Address Storage 32 K 16 K
Network Latency < 1µs < 1µs
VLANs Supported 4K 4K
Link Aggregation Group Size 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports
Packet Buffers 4 MB 2 MB
DRAM 1 GB DDR4 1 GB DDR4
FLASH 256 MB 256 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 7.87 x 17.3 1.73 x 16.14 x 17.3
Height x Depth x Width (mm) 44 x 200 x 440 44 x 410 x 440
Weight 5.62 lbs (2.55 kg) 13.00 lbs (5.9 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in
Redundant Power Redundant AC Redundant AC
Power Consumption* (Average / Maximum) 36 W / 38 W 441 W / 442 W
Heat Dissipation 132.5 BTU/h 132.734 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 5–95% non-condensing 5–95% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
15
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 128 Gbps 128 Gbps 128 Gbps
Packets Per Second (Duplex) 204 Mpps 204 Mpps 204 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 2 MB 2 MB 2 MB
DRAM 1 GB DDR4 1 GB DDR4 1 GB DDR4
FLASH 256 MB 256 MB 256 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 10.23 x 17.3 1.75 x 16.14 x 17.3 1.75 x 16.14 x 17.3
Height x Depth x Width (mm) 44 x 260 x 440 44 x 410 x 440 44 x 410 x 440
Weight 6.83 lbs (3.1 kg) 11.57 lbs (5.25 kg) 12.72 lbs (5.77 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Redundant AC Redundant AC
Power Consumption* (Average / Maximum) 22.3 W / 23.6 W 281.3 W / 283.5 W 431.2 W / 433.7 W
Heat Dissipation 76.04 BTU/h 102.64 BTU/h 117.2 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–122°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -4–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 5–95% non-condensing 5–95% non-condensing 5–95% non-condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 424E-FPOE
16
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 176 Gbps 176 Gbps 176 Gbps
Packets Per Second (Duplex) 262 Mpps 262 Mpps 262 Mpps
MAC Address Storage 32 K 32 K 32 K
Network Latency <1µs <1µs <1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 2 MB 2 MB 2 MB
DRAM 1GB DDR4 1GB DDR4 1GB DDR4
FLASH 256 MB 256 MB 256 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 12.2 x 17.3 1.73 x 16.1 x 17.3 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) 44 x 310 x 440 44 x 410 x 440 44 x 410 x 440
Weight 9.17 lbs (4.16 kg) 13.8 lbs (6.26 kg) 14.04 lbs (6.37 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Redundant AC Redundant AC
Power Consumption* (Average / Maximum) 46.5 W / 47.81 W 440.12 W / 442.234 W 921.4 W / 923.6 W
Heat Dissipation 163.032 BTU/h 163.066 BTU/h 163.1 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non condensing 10–90% non condensing 10–90% non condensing
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
FortiSwitch 448E-FPOE
17
DATA SHEET | FortiSwitch™ Secure Access Family
Specifications
System Specifications
Switching Capacity (Duplex) 288 Gbps 288 Gbps 336 Gbps 336 Gbps
Packets Per Second (Duplex) 428 Mpps 428 Mpps 512 Mpps 512 Mpps
MAC Address Storage 96 K 96 K 96 K 96 K
Network Latency < 2µs < 2µs < 2µs < 2µs
VLANs Supported 4K 4K 4K 4K
Link Aggregation Group Size 24 24 48 48
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 4 MB 4 MB 4 MB 4 MB
DRAM 2 GB DDR3 2 GB DDR3 2 GB DDR3 2 GB DDR3
FLASH 128 MB 128 MB 128 MB 128 MB
Dimensions
Height x Depth x Width (inches) 1.75 x 13.8 x 17.3 1.75 x 13.8 x 17.3 1.75 x 13.8 x 17.3 1.75 x 13.8 x 17.3
Height x Depth x Width (mm) 44 x 350 x 439 44 x 350 x 439 44 x 350 x 439 44 x 350 x 439
Weight 13.6 lbs (6.2 kg) 15.74 lbs (7.14 kg) 14.1 lbs (6.4 kg) 15.74 lbs (7.14 kg)
Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply 150 W AC PSU* 600 W AC PSU* 150 W AC PSU* 920 W AC PSU*
Redundant Power Optional FS-PSU-150* Optional FS-PSU-600* Optional FS-PSU-150* Optional FS-PSU-900*
(for 150 W backup only) (for 600 W for additional PoE) (for 150 W backup only) (for 900 W for additional PoE)
Power Consumption** (Average / Maximum) 73 W / 75 W 570 W / 579 W (full PoE load) 74 W / 77 W 925 W / 961 W (full PoE load)
Heat Dissipation 247 BTU/h 296 BTU/h (full PoE loading) 252 BTU/h 318 BTU/h (full PoE loading)
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 5–95% non-condensing 5–95% non-condensing 5–95% non-condensing 5–95% non-condensing
Warranty
Fortinet Warranty Limited lifetime*** warranty on all models
*FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE Power Supply Units are Hot-Swappable
** POE models power consumption is similar to non-POE model if POE is not in use
*** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf
18
DATA SHEET | FortiSwitch™ Secure Access Family
Order Information
Product SKU Description
FortiSwitch 108E FS-108E Layer 2 FortiGate switch controller compatible switch with 8 GE RJ45 + 2 SFP ports, line AC and PSE dual powered. Fanless.
FortiSwitch 108E-POE FS-108E-POE Layer 2 FortiGate switch controller compatible PoE+ switch with 8 GE RJ45 + 2 SFP ports,
4 port PoE with maximum 65 W PoE limit. Fanless.
FortiSwitch 108E-FPOE FS-108E-FPOE Layer 2 FortiGate switch controller compatible PoE+ switch with 8 GE RJ45 + 2 SFP ports,
8 port PoE with maximum 130 W PoE limit. Fanless.
FortiSwitch 124E FS-124E Layer 2 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 124E-POE FS-124E-POE Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 12 port PoE with maximum 185 W limit.
FortiSwitch 124E-F-POE FS-124E-FPOE Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 148E FS-148E Layer 2 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 SFP ports.
FortiSwitch 148E-POE FS-148E-POE Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 124F FS-124F Layer 2 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 10G SFP+ ports.
FortiSwitch 124F-POE FS-124F-POE Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 10G SFP+ ports, 12 port PoE with maximum 185
W limit.
FortiSwitch 124F-FPOE FS-124F-FPOE Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 10G SFP+ ports, 24 port PoE with maximum 370
W limit.
FortiSwitch 148F FS-148F Layer 2 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 10G SFP+ ports.
FortiSwitch 148F-POE FS-148F-POE Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 10G SFP+ ports, 24 port PoE with maximum 370
W limit.
FortiSwitch 148F-FPOE FS-148F-FPOE Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 10G SFP+ ports, 48 port PoE with maximum 740
W limit.
FortiSwitch 224D-FPOE FS-224D-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports,
24 port PoE with maximum 370 W limit.
FortiSwitch 224E FS-224E Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 224E-POE FS-224E-POE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports,
12 port PoE with maximum 180 W limit.
FortiSwitch 248D FS-248D Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 SFP ports.
FortiSwitch 248E-POE FS-248E-POE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports,
24 port PoE with maximum 370 W limit.
FortiSwitch 248E-FPOE FS-248E-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports,
48 port PoE with maximum 740 W limit.
FortiSwitch 424D FS-424D Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45 + 2x 10 GE SFP+ ports.
FortiSwitch 424D-POE FS-424D-POE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 2x 10 GE SFP+ ports,
24 port PoE with maximum 185 W limit.
FortiSwitch 424D-FPOE FS-424D-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 2x 10 GE SFP+ ports,
24 port PoE with maximum 370 W limit.
FortiSwitch 448D FS-448D Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45 + 4x 10 GE SFP+ ports.
FortiSwitch 448D-POE FS-448D-POE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4x 10 GE SFP+ ports,
48 port PoE with maximum 370 W limit.
FortiSwitch 448D-FPOE FS-448D-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4x 10 GE SFP+ ports,
48 port PoE with maximum 740 W limit.
FortiSwitch 424E-Fiber FS-424E-Fiber Layer 2/3 FortiGate switch controller compatible switch with 24x GE SFP and 4x 10 GE SFP+ Uplinks
FortiSwitch M426E-FPOE FS-M426E-FPOE Layer 2/3 FortiGate switch controller compatible PoE+/UPoE switch with 16x GE RJ45, 8x 2.5 RJ45, 2x 5 GE RJ45 and
4x 10 GE SFP+, 24 port PoE+ with maximum 420 W limit.
FortiSwitch 424E FS-424E Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP + ports.
FortiSwitch 424E-POE FS-424E-POE Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP + ports,
24 port PoE+ with maximum 283.5 W limit.
FortiSwitch 424E-FPOE FS-424E-FPOE Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP + ports,
24 port PoE+ with maximum 433.7 W limit.
FortiSwitch 448E FS-448E Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP + ports.
FS-448E-POE Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP + ports, 48 port PoE+ with maximum 421 W
FortiSwitch 448E-POE
limit.
FS-448E-FPOE Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP + ports, 48 port PoE+ with maximum 772 W
FortiSwitch 448E-FPOE
limit.
FortiSwitch 524D FS-524D Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 524D-FPOE FS-524D-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45, 4x 10 GE SFP+, 2x 40 GE QSFP+ ports,
24 port PoE with maximum 400 W limit.
FortiSwitch 548D FS-548D Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 548D-FPOE FS-548D-FPOE Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports,
48 port PoE with maximum 750 W limit.
FortiSwitch Cloud Management License* FC-10-WMSC1-190-02-DD FortiSwitch Cloud Management License subscription 1 Year Contract.
19
DATA SHEET | FortiSwitch™ Secure Access Family
Order Information
Accessories
FortiSwitch Advanced Features License FS-SW-LIC-200 SW License for FS-200 Series Switches to activate Advanced Features.
FS-SW-LIC-400 SW License for FS-400 Series Switches to activate Advanced Features.
FS-SW-LIC-500 SW License for FS-500 Series Switches to activate Advanced Features.
External Redundant AC Power Supply FRPS-740 Redundant AC power supply for up to 2 units: FS-224D-FPOE, FS-248D-FPOE, FS-424D-FPOE, FS-448D-POE and FS-424D-POE.
Redundant AC Power Supply FS-PSU-150 AC power supply for FS-548D and FS-524D.
FS-PSU-600 AC power supply for FS-524D-FPOE.**
FS-PSU-900 AC power supply for FS-548D-FPOE.**
** When managing a FortiSwitch with a FortiGate via FortiGate Cloud, no additional license is necessary.
** Provides additional PoE capacity.
www.fortinet.com
Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results
may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to
the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event,
only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version
of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without
notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-SW3 FS-SA-DAT-R40-202011
FortiSwitch - Managed by FortiOS 6.4
Version 6.4.3
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
FEEDBACK
Email: techdoc@fortinet.com
Change log 7
Whatʼs new in FortiOS 6.4.3 8
Introduction 9
Supported models 9
Support of FortiLink features 10
Before you begin 12
Special notices 13
FortiSwitch management 14
Configuring FortiLink 14
1. Enable the switch controller on the FortiGate unit 14
2. Configuring the FortiLink interface 15
3. Auto-discovery of the FortiSwitch ports 18
Optional FortiLink configuration required before discovering and authorizing FortiSwitch
units 20
Migrating the configuration of standalone FortiSwitch units 20
VLAN interface templates for FortiSwitch units 20
Limiting the number of parallel processes for FortiSwitch configuration 23
Using the FortiSwitch serial number for automatic name resolution 24
Configuring access to management and internal interfaces 24
Enabling FortiLink VLAN optimization 25
Configuring the MAC sync interval 25
Discovering, authorizing, and deauthorizing FortiSwitch units 26
Adding preauthorized FortiSwitch units 26
Authorizing the FortiSwitch unit 26
Deauthorizing FortiSwitch units 26
Converting to FortiSwitch standalone mode 27
Optional FortiLink configuration 27
Changing the admin password on the FortiGate for all managed FortiSwitch units 27
Using automatic network detection and configuration 28
Determining the network topology 29
Single FortiGate managing a single FortiSwitch unit 29
Single FortiGate unit managing a stack of several FortiSwitch units 30
HA-mode FortiGate units managing a single FortiSwitch unit 31
HA-mode FortiGate units managing a stack of several FortiSwitch units 32
HA-mode FortiGate units managing a FortiSwitch two-tier topology 33
Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software
switch interface) 33
HA-mode FortiGate units using hardware-switch interfaces and STP 34
Standalone FortiGate unit with dual-homed FortiSwitch access 35
HA-mode FortiGate units with dual-homed FortiSwitch access 36
HA-mode FortiGate units in remote sites 37
FortiLink with an HA cluster of four FortiGate units 40
FortiLink over a point-to-point layer-2 network 42
The following list contains new managed FortiSwitch features added in FortiOS 6.4.3. Click on a link to navigate to that
section for further information.
l You can now configure the lldp-status and lldp-profile settings for a virtual switch port in a tenant
VDOM. See Configuring LLDP-MED settings on page 103.
l FortiLink and switch controller logs are now available in the FortiSwitch Events category in the Log & Report >
Events page.
l The Diagnostics and Tools form now includes a Logs button, which provides logs for that FortiSwitch unit. See
Diagnostics and tools on page 162.
l When the RADIUS server cannot be reached for 802.1x authentication, the device trying to authenticate is placed
into a RADIUS timeout VLAN after the authentication server timeout period expires. See Define an 802.1x security
policy on page 122.
l Flow control and ingress pause metering are now supported on managed FortiSwitch units. Pause metering allows
the FortiSwitch unit to apply flow control to ingress traffic when the queue is congested and to resume after the
queue is cleared. See Configuring flow control and ingress pause metering on page 158.
l You can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for
the communication between the FortiGate unit and the FortiSwitch unit. The FortiOS default of using the outbound
interface as the source IP address is still available. See FortiLink mode over a layer-3 network on page 43.
l Starting in FortiOS 6.4.3, IoT detection can be also managed per FortiLink interface. IoT detection is disabled by
default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so
that the FortiSwitch unit starts scanning for IoT devices. See Configuring IoT detection on page 102.
Introduction
This section provides information about how to set up and configure managed FortiSwitch units using the FortiGate unit
(termed “using FortiSwitch in FortiLink mode”).
NOTE: FortiLink is not supported in transparent mode.
The maximum number of supported FortiSwitch units depends on the FortiGate model:
Supported models
Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.
New models (NPI releases) might not support FortiLink. Contact Customer Service &
Support to check support for FortiLink.
The following table lists the FortiSwitch models supported by FortiLink features.
Active-Active MCLAG from FortiGate to FortiSwitch units for Not supported on FS-1xx Series
Advanced Redundancy
Ingress pause metering 200 series, 400D and 400E series, 500 series, FS-
1024D, FS-1048D, FS-1048E, and FS-3032D
Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this
manual:
l You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your
FortiSwitch model, and you have administrative access to the FortiSwitch GUI and CLI.
l You have installed a FortiGate unit on your network and have administrative access to the FortiGate GUI and CLI.
Special notices
FortiSwitch management
This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink
connection.
In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch
ports (depending on the model) support auto-discovery of the FortiLink ports.
You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group,
hardware switch, or software switch).
NOTE: FortiSwitch units, when used in FortiLink mode, support only the default administrative access HTTPS port
(443).
This section covers the following topics:
l Configuring FortiLink on page 14
l Optional FortiLink configuration required before discovering and authorizing FortiSwitch units on page 20
l Discovering, authorizing, and deauthorizing FortiSwitch units on page 26
l Optional FortiLink configuration on page 27
Configuring FortiLink
You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing
this section. Some settings are only possible when the FortiGate unit has not authorized any
switches.
Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the
FortiGate unit with the FortiGate GUI or CLI to enable the switch controller. Depending on the FortiGate model and
software release, this feature might be enabled by default.
The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support
the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet
recommends keeping the default type of the FortiLink; however, if a physcial interface or soft-switch interface type is
required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can
be deleted.
The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network
topology on page 29.
The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or
multiple ports (for a LAG).
As a general rule, FortiLink is supported on all ports that are not listed as HA ports.
This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.
You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the
CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration
steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).
The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.
NOTE: The FortiLink split interface is required before enabling MCLAG. See MCLAG peer groups on page 58.
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate
GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG)
with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can also configure FortiLink mode over a layer-3 network.
Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.
In the following steps, port 1 is configured as the FortiLink port.
1. If required, remove port 1 from the lan interface:
config system virtual-switch
edit lan
config port
delete port1
end
end
end
2. Configure port 1 as the FortiLink interface:
config system interface
edit port1
set auto-auth-extension-device enable
set fortilink enable
end
end
3. Configure an NTP server on port 1:
config system ntp
set server-mode enable
set interface port1
end
4. Authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end
5. The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.
LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is
supported on some FortiGate models.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch unit. Ensure that you configure auto-
discovery on the FortiSwitch ports (unless it is auto-discovery by default).
NOTE: Starting with FortiOS 6.2.2, you can use the default fortilink aggregate interface and then add ports. This
configuration is available for all FortiGate E series models, 100 and higher. For FortiGate models lower than 100, you
can use the default fortilink hardware switch or software switch interface and then add ports.
In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable
fortilink-split-interface.
3. Authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end
NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.
NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology on page 29.
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect
the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also
run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery
enabled.
The following table lists the default auto-discovery ports for each switch model.
NOTE: Any port can be used for FortiLink if it is manually configured.
FS-108D-POE port9–port10
FSR-112D-POE port5–port12
FS-224D-POE port21–port24
FS-224D-FPOE port21–port28
FS-248D-POE port47–port50
FS-424E-Fiber port1-port30
FS-426E-FPOE-MG port23-port30
FS-548D port39–port54
FS-1024D port1–port24
You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following
FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:
config switch interface
edit <port>
set auto-discovery-fortilink enable
end
After a FortiSwitch unit is discovered and in FortiLink mode, all ports are enabled for FortiLink. Connect another
FortiSwitch unit to any of the already discovered FortiSwitch ports, and the ISL is formed automatically, and the new
unit is discovered by the FortiGate unit.
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To
save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch
units to a combined FortiGate-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices
when they are discovered and managed by the FortiGate device.
For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN
interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
l root VDOM: The interface names are the same as the template names.
l other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For
example, if the template name is quarantined and the SNMP index is 29, the interface name is
quarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
config system interface
edit <fortilink interface>
set fortilink enable
set switch-controller-mgmt-vlan <integer>
next
end
The management VLAN can be a number from 1 to 4094. the default value is 4094.
vlanid <integer> The unique VLAN ID for the type of traffic the template is assigned to
(1-4094; the default is 4094)
ip <ip/netmask> The IP address and subnet mask of the switch VLAN interface. This
can only be configured when auto-ip is disabled.
auto-ip {enable | disable} When enabled, the switch-controller will pick an unused 24 bit subnet
from the switch-controller-reserved-network (configured in config
system global).
dhcp-server {enable | disable} When enabled, the switch-controller will create a DHCP server for the
switch VLAN interface
default-vlan <template> Default VLAN assigned to all switch ports upon discovery.
To configure the network subnet that is reserved for the switch controller:
Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have
DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically
created.
set color 6
set interface "fortilink"
set vlanid 4093
next
...
end
show system dhcp server
edit 2
set dns-service local
set ntp-service local
set default-gateway 169.254.1.1
set netmask 255.255.255.0
set interface "fortilink"
config ip-range
edit 1
set start-ip 169.254.1.2
set end-ip 169.254.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 3
set dns-service default
set default-gateway 169.254.11.1
set netmask 255.255.255.0
set interface "quarantine"
config ip-range
edit 1
set start-ip 169.254.11.2
set end-ip 169.254.11.254
next
end
set timezone-option default
next
...
end
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for
configuring FortiSwitch units:
config global
config switch-controller system
set parallel-process-override enable
set parallel-process <1-300>
end
end
By default, you can check that FortiSwitch unit is accessible from the FortiGate unit with the execute ping
<FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the
FortiSwitch IP address, use the following commands:
config switch-controller global
set sn-dns-resolution enable
end
Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the
FortiGate unit.
config system dns
set domain "fsw"
end
Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch
unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have
different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-
access security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end
For example:
config switch-controller security-policy local-access
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
config switch-controller managed-switch
edit S524DF4K15000024
set access-profile policy1
end
NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are
overridden by the default local-access security policy.
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
end
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL
ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the
FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.
Use the following commands to configure the global MAC synch interval.
The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the
default value is 60.
config switch-controller mac-sync-settings
set mac-sync-interval <30-600>
end
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the
following steps:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the
automatic authorization field of the interface.
To deauthorize a device:
end
end
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no
longer be managed by a FortiGate:
l execute switch-controller factory-reset <switch-id>—This command returns the FortiSwitch
to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-
discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example: execute switch-
controller factory-reset S1234567890
l execute switch-controller switch-action set-standalone <switch-id>—This command
returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from
automatically detecting and authorizing the FortiSwitch. For example: execute switch-controller set-
standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
set disable-discovery <switch-id>
end
For example:
config switch-controller global
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using
the following commands:
config switch-controller global
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end
Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all
FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
If you had already applied a profile with the override enabled and the password set and then decide to remove the
admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously
set password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICl, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuation policy"
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end
The FortiGate unit requires only one active FortiLink to manage all of the subtending FortiSwitch units (called stacking).
You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical
interfaces). Depending on the network topology, you can also configure a standby FortiLink.
NOTE: For any of the topologies:
l All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate unit manages each
FortiSwitch separately.
l The active FortiLink carries data as well as management traffic.
This section covers the following topics:
l Single FortiGate managing a single FortiSwitch unit on page 29
l Single FortiGate unit managing a stack of several FortiSwitch units on page 30
l HA-mode FortiGate units managing a single FortiSwitch unit on page 31
l HA-mode FortiGate units managing a stack of several FortiSwitch units on page 32
l HA-mode FortiGate units managing a FortiSwitch two-tier topology on page 33
l Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) on page
33
l HA-mode FortiGate units using hardware-switch interfaces and STP on page 34
l Standalone FortiGate unit with dual-homed FortiSwitch access on page 35
l HA-mode FortiGate units with dual-homed FortiSwitch access on page 36
l HA-mode FortiGate units in remote sites on page 37
l FortiLink with an HA cluster of four FortiGate units on page 40
l FortiLink over a point-to-point layer-2 network on page 42
l FortiLink mode over a layer-3 network on page 43
l Grouping FortiSwitch units on page 47
l Adding link aggregation groups (trunks) on page 54
On the FortiGate unit, the FortiLink interface is configured as a physical or aggregate interface. The 802.3ad aggregate
interface type provides a logical grouping of one or more physical interfaces.
NOTE:
l For the aggregate interface, you must disable the split interface on the FortiGate unit.
l When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or
later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining
FortiSwitch units connect in a ring using inter-switch links (that is, ISL).
Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you
create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
NOTE:
l When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or
later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
l Do not create loops or rings with the FortiGate unit in the path.
The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and
interface type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last
FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.
When using an aggregate interface for the active/standby FortiLink configuration, make sure the FortiLink split interface
is enabled (this forces one link to be active and the rest to be standby links, which avoids loops in the network). This
option can be disabled later if you enable an MCLAG. See Transitioning from a FortiLink split interface to a FortiLink
MCLAG on page 58.
NOTE:
l When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or
later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface
type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical
hardware-switch or software-switch interface on the FortiGate unit.
Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support
IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
NOTE:
l Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be
used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate
unit.
l Do not create loops or rings in this topology.
In most FortiLink topologies, MCLAG or LAG configurations are used for FortiSwitch redundancy. However, some
FortiGate models do not support the FortiLink aggregate interface, or some FortiSwitch models do not support MCLAG.
The following network topology uses a hardware-switch interface on each FortiGate unit. Each FortiSwitch unit is
connected to a single port of the hardware-switch interface of the FortiGate unit. The inter-switch link (ISL) between the
FortiSwitch units provides redundancy.
For this network topology to function, use the following commands on each FortiLink hardware-switch interface:
config system interface
edit <FortiLink_hardware_switch_interface>
set stp enable
end
NOTE:
l The FortiLink interface uses the Link Layer Discovery Protocol (LLDP) for neighbor detection.
l Spanning Tree Protocol (STP) and STP forwarding are both supported by the FortiLink hardware-switch interface.
l The software-switch interface is not supported.
This network topology provides high port density with two tiers of FortiSwitch units.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3 and FortiSwitch 4).
NOTE:
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes
active.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).
NOTE:
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive
HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of
limited physical connections between the two sites.
FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.
NOTE: Fortinet recommends using at least two links for ICL redundancy.
e. Under the config switch-controller managed-switch command, set the native VLAN of the
switch ports connected to the heartbeat ports using the VLAN created in step 2d.
In this example, you need to assign port1 of core-switch1 to vlan998 and connect port1 of the active FortiGate
unit to port1 of core-switch1. Then you need to assign port1 of core-switch2 to vlan999 and connect port2 of
the active FortiGate unit to port1 of core-switch2.
A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is
called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed.
All cluster units must also have the same hardware configuration (for example, the same number of hard disk) and be
running in the same operating mode (NAT mode or transparent mode).
In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This
heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts
like a collection of standalone FortiGate units.
On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces,
the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation
and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization
information among the cluster units over the heartbeat interface link. This communication and synchronization is called
the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.
NOTE: You can create an FGCP cluster of up to four FortiGate units.
The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also
manages the two HA modes; active-passive (failover HA) and active-active (load-balancing HA).
The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to
improve reliability: if two cluster units fail the third will continue to operate and so on. A cluster of three or four units in
active-active mode may improve performance because another cluster unit is available for security profile processing.
However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the
additional performance achieved by adding the third cluster unit might not be worth the cost.
There are no special requirements for clusters of more than two units. Here are a few recommendations though:
l The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other. So each
unitʼs matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for
heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so
communication can happen between all of the cluster units over the ha1 interface.
l Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting
each matching set of heartbeat interfaces to a different switch. This is not a requirement; however, and you can
connect both heartbeat interfaces of all cluster units to the same switch. However, if that switch fails the cluster will
stop forwarding traffic.
l For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of
heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
l Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two
units in a cluster.
l Virtual clustering can only be done with two FortiGate units.
l Fortinet recommends using at least two links for ICL redundancy.
The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build
1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:
Starting in FortiSwitchOS 6.4.0, you can run FortiLink mode over a point-to-point layer-2 network. To create this
topology, you form an inter-switch link (ISL) between two FortiSwitch units over a layer-2 device or non-FortiSwitch
device (such as a wireless bridge) and configure the tag protocol identifier (TPID) between the two FortiSwitch units.
NOTE:
l The set fortilink-p2p-tpid command is not supported on the FS-108E, FS-108E-POE, FS-108E-FPOE,
FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
l The set fortlink-p2p command is available in Fortilink mode and standalone mode. The set
fortilink-p2p-tpid command is available only in FortiLink mode.
2. Make certain that the FortiLink point-to-point TPID value is the same on each FortiSwitch unit. By default, it is
0x8100.
NOTE:
l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l NAT is not supported between the FortiSwitch unit and FortiGate unit.
This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not
directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.
There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
l In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
l Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network
Starting in FortOS 6.4.3, you can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the
source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the
outbound interface as the source IP address if you prefer.
In-band management
NOTE: You must enter these commands in the indicated order for this feature to work.
1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
2. Manually set the FortiSwitch unit to FortiLink mode:
3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to
find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-
code is 138.
4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch
unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3
network with the following commands:
The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.
NOTE:
l Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
l The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server
must be reachable from the FortiSwitch unit.
l If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically
forms a link aggregation group (LAG) trunk that contains all fortilink-l3-mode-enabled ports as a single
logical interface.
l If you have more than one port with fortilink-l3-mode enabled, all ports are automatically added to the __
FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP
mode.
l In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast
mode. The layer-3 discovery multicast mode is unsupported.
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches
then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches
(FortiSwitch 2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check
that each FortiSwitch unit can reach the FortiGate unit.
Out-of-band management
If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any
physical port because the mgmt port is directly connected to the layer-3 network.
You can use the internal interface for one FortiSwitch island to connect to the layer-3 network
and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network.
Do not mix the internal interface connection and mgmt interface connection within a single
FortiSwitch island.
Other topologies
If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is
enabled on the FortiLink layer-3 trunk.
If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink
interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also
connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.
A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink
management interface.
You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to
different intermediary routers or switches is not supported.
Limitations
The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
l All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
l No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the
FortiSwitch unit.
l All FortiSwitch units within an FortiSwitch island must be connected to the same FortiGate unit.
l The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-
configured destination, such as syslog or 802.1x.
l Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
l If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island
can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one
physical link, you can group the links as a link aggregation group (LAG).
l Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
l If the network has a wide geographic distribution, some features, such as software downloads, might operate
slowly.
l After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can
include one or more FortiSwitch units and you can include different models in a group.
Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you
can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group
Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See Firmware
upgrade of stacked or tiered FortiSwitch units on page 49.
Stacking configuration
To set up stacking:
1. Configure the active FortiLink interface on the FortiGate unit.
2. (Optional) Configure the standby FortiLink interface.
3. Connect the FortiSwitch units together, based on your chosen topology.
Configure the FortiLink interface (as described in Configuring FortiLink on page 14).
When you configure the FortiLink interface, the stacking capability is enabled automatically.
Configure the standby FortiLink interface. Depending on your configuration, the standby FortiLink might connect to the
same FortiGate unit as the active FortiLink or to a different FortiGate unit.
If the FortiGate unit receives discovery requests from two FortiSwitch units, the link from one FortiSwitch unit will be
selected as active, and the link from other FortiSwitch unit will be selected as standby.
If the active FortiLink fails, the FortiGate unit converts the standby FortiLink to active.
Refer to the topology diagrams to see how to connect the FortiSwitch units.
Inter-switch links (ISLs) form automatically between the stacked switches.
The FortiGate unit will discover and authorize all of the FortiSwitch units that are connected. After this, the FortiGate
unit is ready to manage all of the authorized FortiSwitch units.
Disable stacking
To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the
FortiLink interface:
config system interface
edit port4
set fortilink-stacking disable
end
end
In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-
FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit
is running FOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.
1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:
FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.1 (176) Authorized/Up - 10.105.22.6 Thu Oct 24 10:47:27
2019 -
S108EP5918008265 v6.2.1 (176) Authorized/Up - 10.105.22.5 Thu Oct 24 10:47:20
2019 -
S224ENTF18001408 v6.2.1 (176) Authorized/Up - 10.105.22.2 Thu Oct 24 10:44:36
2019 -
S224ENTF18001432 v6.2.1 (176) Authorized/Up - 10.105.22.3 Thu Oct 24 10:44:49
2019 -
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync
error
Managed-Switches: 4 (UP: 4 DOWN: 0)
2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the
HTTPS image push instead of the CAPWAP image push. For example:
FGT81ETK19001274 # config switch-controller global
FGT81ETK19001274 (global) # set https-image-push enable
FGT81ETK19001274 (global) # end
3. Download the file for the FortiSwitchOS 6.2.2 GA build 194 in the FortiGate unit. For example:
FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-
build0194-FORTINET.out 10.105.16.15
File Syncing...
File Syncing...
File Syncing...
FGT81ETK19001274 #
FGT81ETK19001274 #
8. Reboot all switches (or reboot the switches by group). For example:
FGT81ETK19001274 # execute switch-controller switch-action restart delay all
Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...
STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync
error
Managed-Switches: 4 (UP: 0 DOWN: 4)
FGT81ETK19001274 #
10. Wait for a while before checking that all switches are online. For example:
FGT81ETK19001274 # execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408 S224EN-v6.2.2-build194,191018 (GA) (0/100/100) S224EN-v6.2-
build194 (Idle)
S224ENTF18001432 S224EN-v6.2.2-build194,191018 (GA) (0/100/100) S224EN-v6.2-
build194 (Idle)
S108EP5918008265 S108EP-v6.2.2-build194,191018 (GA) (0/100/100) S108EP-v6.2-
build194 (Idle)
S108EF5918003577 S108EF-v6.2.2-build194,191018 (GA) (0/100/100) S108EF-v6.2-
build194 (Idle)
STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME
NAME
S108EF5918003577 v6.2.2 (194) Authorized/Up - 10.105.22.6 Thu Oct 24 13:22:27
2019 -
S108EP5918008265 v6.2.2 (194) Authorized/Up - 10.105.22.5 Thu Oct 24 13:22:41
2019 -
S224ENTF18001408 v6.2.2 (194) Authorized/Up - 10.105.22.2 Thu Oct 24 13:20:11
2019 -
S224ENTF18001432 v6.2.2 (194) Authorized/Up - 10.105.22.3 Thu Oct 24 13:19:58
2019 -
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync
error
Managed-Switches: 4 (UP: 4 DOWN: 0)
FGT81ETK19001274 #
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end
on page 58.
l Make sure to select ports from switches that are part of the same MCLAG peer group.
7. Select OK.
If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.
NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same
MCLAG trunk name configured.
Log into each managed FortiSwitch to check the MCLAG configuration with the following command:
diagnose switch mclag
When an MCLAG is formed, the time on all FortiSwitch units is synchronized with an NTP server. To confirm that each
FortiSwitch in the MCLAG is using an NTP server, use the following command:
show system ntp
A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they
appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any
interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP).
This section covers the following topics:
l MCLAG requirements on page 58
l Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58
l MCLAG topologies on page 60
MCLAG requirements
l Both peer switches should be of the same hardware model and same software version. Mismatched configurations
might work but are unsupported.
l There is a maximum of two FortiSwitch models per MCLAG.
l The routing feature is not available within an MCLAG.
l When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the
local aggregate interface.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. By default, mclag-
igmpsnooping-aware is enabled in the FortiSwitchOS CLI.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port
connected to each FortiSwitch unit.
NOTE:
l Make sure that the split interface is enabled.
l This procedure also applies to a FortiGate unit in HA mode.
l More links can be added between the FortiGate unit and FortiSwitch unit.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
The following procedure uses zero-touch provisioning to change the configuration of the FortiSwitch units without losing
their management from the FortiGate unit. The MCLAG-ICL can also be enabled directly using console cables or
management ports.
1. Log into FortiSwitch 2 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp
auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the
ISL to an ICL. For example:
get switch lldp auto-isl-status
If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.
MCLAG topologies
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches
before creating a two-port LAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit.
This topology is supported when the FortiGate unit is in HA mode.
NOTE:
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
Step 1: Ensure the MCLAG ICL is already configured between FortiSwitch 1 and FortiSwitch 2.
To set up Server 1:
To set up Server 2:
If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.
NOTE:
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
l In this topology, you must use the auto-isl-port-group setting as described in the following configuration
example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the
inter-switch link (ISL) is formed.
l The inter-chassis link (ICL) and auto-isl-port-group settings must be done directly on the FortiSwitch unit.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l CLI commands in red are manually configured.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
next
edit "distribute-2"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port3" "port4"
next
end
3. Continue to configure FortiSwitch-2 for the tier-1 MCLAG:
a. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match
the name that is configured on the peer switch.
config switch auto-isl-port-group
edit "distribute-1"
set members "port1" "port2"
next
edit "distribute-2"
set members "port3" "port4"
end
b. After you complete the CLI commands in Steps 1 and 3a, the trunks are automatically formed:
config switch trunk
edit "D243Z14000288-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port21" "port22"
next
edit "FG100D3G15817032" // trunk name derived from FortiGate-2
set mclag enable
set members "port24" "port23"
next
edit "distribute-1"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port1" "port2"
next
edit "distribute-2"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port3" "port4"
next
end
4. Tier-2 MCLAGs. Enable the ICL between the MCLAG peer switches. For example, configure FortiSwitch-6 as
follows.
a. Change the tier-2 MCLAG peer switches to FortiLink mode and connect them to each other. Enable the ICL on
the ISL formed with the MCLAG peer switches.
config switch trunk
edit "8DN3X15000026-0" // trunk name derived from FortiSwitch-7 SN
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port43" "port44"
end
On FortiSwitch-7:
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port47" "port48"
next
end
If you disable the MCLAG ICL (with the set mclag-icl disable command), you
need to enable the fortilink-split-interface.
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.
NOTE: Fortinet recommends using at least two links for ICL redundancy.
1. Find the trunk between the two MCLAG switches. Enable mclag-icl on the MCLAG-ICL trunk. The default
name of the MCLAG-ICL trunk is the last 13 characters of the peer switch name plus “-0”.
2. Wire all switches in closet 1 by following the figure. Do not make the dotted-line connections for now. Wait for all
switches to be up in FortiLink mode.
3. Add two auto-isl-port-groups for the tier-3 MCLAG switches on both switch 3 and switch 4:
4. Enable the tier-2 MCLAG-ICL trunk on switch 4 using the FortiOS CLI of the switch console port.
5. Enable the tier-3 MCLAG-ICL trunks on switch 6 and switch 8.
NOTE: The trunk must be configured from the end of the daisy-chain switch.
6. Enable the tier-3 MCLAG-ICL trunks on switch 5 and switch 7.
7. Enable the tier-2 MCLAG-ICL trunk on switch 3.
8. Verify that all the FortiLinks are up and double-check that the MCLAG-ICL configuration on each MCLAG switch.
9. Connect switch 4 to switch 2.
10. Verify that the FortiLinks are up.
11. Connect switch 6 and switch 8 to switch 4.
12. Verify that the FortiLinks are up.
13. Use the diagnose switch mclag peer CLI command to verify that the tier-1, tier-2, and tier-3 MCLAG-
switches are formed correctly.
14. Check the traffic on switch 1 and switch 2 during the configuration.
15. Repeat steps 2 to 14 for closet 2.
16. All FortiLinks should be up.
HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a
stack in each IDF, connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface
that contains one active link and one standby link).
NOTE:
l Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with
FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
l When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or
later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to
create a similar topology.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
Configuring VLANs
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you
to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent
automatically within the VLAN. You must configure routing for traffic between VLANs.)
From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The
switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the
VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch
port.
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either
the Web GUI or CLI.
Color Choose a unique color for each VLAN, for ease of visual display.
config ip-range
set start-ip <IP address>
set end-ip <IP address>
end
set netmask <Network mask>
end
The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.
You can change which VLANs the set allowed-vlans command affects.
If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:
config switch-controller global
set vlan-all-mode defined
end
If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI
commands:
config switch-controller global
set vlan-all-mode all
end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.
You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
l Set the native VLAN and add more VLANs
l Edit the description of the port
l Enable or disable the port
l Set the access mode to network access control (NAC) or normal
l Enable or disable PoE for the port
l Enable or disable DHCP snooping (if supported by the port)
l Enable or disable whether a port is an edge port
l Enable or disable STP (if supported by the port)
l Enable or disable loop guard (if supported by the port)
l Enable or disable STP BPDU guard (if supported by the port)
l Enable or disable STP root guard (if supported by the port)
Use the following commands to set port speed and other base port settings:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set description <text>
set speed <speed>
set status {down | up}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set description "First port"
set speed auto
set status up
end
end
Configuring PoE
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set poe-status enable
end
end
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:
execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>
The following example displays the PoE status for port 6 on the specified switch:
IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
l Static entries—IP addresses that have been manually associated with MAC addresses.
l Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict
between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The
following FortiSwitch models support IP source guard:
l FSR-124D
l FS-224D-FPOE
l FS-248D
l FS-424D-POE
l FS-424D-FPOE
l FS-448D-POE
l FS-448D-FPOE
l FS-424D
l FS-448D
l FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
1. Enable IPv4 source guard in the FortiOS CLI.
2. Create static entries on the FortiSwitch unit by binding IPv4 addresses with MAC addresses.
3. Check the IPv4 source-guard entries on the FortiSwitch unit.
You must enable IPv4 source guard in the FortiOS CLI before you can configure it.
edit <FortiSwitch_serial_number
config ports
edit <port_name>
set ip-source-guard enable
next
end
end
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ports
edit port20
set ip-source-guard enable
next
end
end
After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4
addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 83.
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end
After you configure IPv4 source guard , you can check the entries.
Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are
added by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>
On some FortiSwitch models that provide QSFP (quad small form-factor pluggable) interfaces, you can install a
breakout cable to convert one interface into four interfaces. See the list of supported FortiSwitch models in the notes in
this section.
FortiLink mode supports the FortiSwitch split-port configuration:
l Configuring split ports on a previously discovered FortiSwitch unit on page 77
l Configuring split ports with a new FortiSwitch unit on page 78
l Configuring a split port on the FortiSwitch unit on page 78
Notes
l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l Split ports are not configured for pre-configured FortiSwitch units.
l Splitting ports is supported on the following FortiSwitch models:
o FS-3032D (ports 5 to 28 are splittable)
o FS-3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
o FS-524D and FS-524D-FPOE (ports 29 and 30 are splittable)
o FS-1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G. In the 6 x 40G
configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the FS-3032D, FS-3032E, and
the FS-1048E models have enough ports to encounter this limit.
1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 78.
2. Restart the FortiSwitch unit.
The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of configuration
on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y
To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port
edit "port1"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port2"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port3"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port4"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port5.1"
set speed 10000full
next
edit "port5.2"
set speed 10000full
next
edit "port5.3"
set speed 10000full
next
edit "port5.4"
set speed 10000full
next
end
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as
multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication,
security policies, routing, and VPN configurations.
FortiSwitch ports can now be shared between VDOMs.
Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:
l POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
l Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this
feature)
l QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
l Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the
GUI):
FG5H0E3917900081 (bbb) #
config system interface
edit "bbb-vlan99"
set vdom "bbb"
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 58
set switch-controller-dhcp-snooping enable
set interface "flink-lag" // this is the FortiLink interface in the root VDOM
set vlanid 99
next
end
2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.
end
3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM
yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM
administrator claim them before they are used.)
You can create your own export tags using the following CLI commands:
config switch-controller switch-interface-tag
edit <tag_name>
end
Use the following CLI command to list the contents of a specific VPP:
execute switch-controller virtual-port-pool show-by-pool <VPP_name>
Use the following CLI command to list all VPPs and their contents:
execute switch-controller virtual-port-pool show
You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or
allows all frames access to the port. By default, all frames have access to each FortiSwitch port.
Use the following CLI commands:
config switch-controller managed-switch <SN>
config ports
edit <port_name>
set discard-mode <none | all-tagged | all-untagged>
next
next
end
Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following
features:
l DHCP Snooping—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example,
typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To
prevent this, DHCP blocking filters messages on untrusted ports.
l Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network
topology.
l Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects.
Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its
subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP
rather than as a replacement for STP.
l STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard
is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes.
The BPDUs are not forwarded, and the network edge is enforced.
l STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When
enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root
guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause
your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured
device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By
enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce
the specified network topology.
STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set edge-port enable
end
end
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard
helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is
disabled on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120 minutes>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set loop-guard enabled
set loop-guard-timeout 10
end
end
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free
layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q
standard.
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree
Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP,
so it provides fast recovery from network faults and fast convergence times.
For example:
config switch-controller stp-instance
edit 1
config vlan-range vlan1 vlan2 vlan3
end
config switch-controller managed-switch
edit S524DF4K15000024
config stp-instance
edit 1
set priority 16384
next
end
next
end
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed
FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
Use the following commands to enable or disable STP on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-state {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end
For example:
FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-root-guard {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
l You must define the port as an edge port with the set edge-port enable command.
l You must enable STP on the switch interface with the set stp-state enabled command.
You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end
To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>
For example:
port1 enabled - 10 0 -
port2 disabled - - - -
port3 disabled - - - -
port4 disabled - - - -
port5 disabled - - - -
port6 disabled - - - -
port7 disabled - - - -
port8 disabled - - - -
port9 disabled - - - -
port10 disabled - - - -
port11 disabled - - - -
port12 disabled - - - -
port13 disabled - - - -
port14 disabled - - - -
port15 disabled - - - -
port16 disabled - - - -
port17 disabled - - - -
port18 disabled - - - -
port19 disabled - - - -
port20 disabled - - - -
port21 disabled - - - -
port22 disabled - - - -
port23 disabled - - - -
port25 disabled - - - -
port26 disabled - - - -
port27 disabled - - - -
port28 disabled - - - -
port29 disabled - - - -
port30 disabled - - - -
__FoRtI1LiNk0__ disabled - - - -
Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The
existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By
default, interoperation with RPVST+ is disabled.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region
duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+
domain.
In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within MSTP region.
l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.
In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
For example:
FGT-1 (testvdom) # config switch-controller managed-switch
FGT-1 (managed-switch) # edit FS3E32T419000006
FGT-1 (FS3E32T419000006) # config ports
FGT-1 (ports) # edit port5
FGT-1 (port5) # set rpvst-port enabled
FGT-1 (port5) # next
FGT-1 (ports) # end
For example:
diagnose switch-controller switch-info rpvst FS3E32T419000006 port5
You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are
flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming
packet with an unknown MAC address (to drop or forward the packet).
You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1
to 128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:
config switch vlan
edit <integer>
set switch-controller-learning-limit <limit>
end
end
For example:
config switch vlan
edit 100
set switch-controller-learning-limit 20
end
end
Use the following CLI commands to limit MAC address learning on a port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set learning-limit <limit>
next
end
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set learning-limit 50
next
end
end
end
You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after
300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value
ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.
config switch-controller global
set mac-aging-interval <10 to 1000000>
end
For example:
config switch-controller global
set mac-aging-interval 500
end
If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed
from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from
0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are
deleted.
config switch-controller global
set mac-retention-period <0 to 168>
end
For example:
config switch-controller global
set mac-retention-period 36
end
If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the
system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the
most recent 128 violations are displayed in the console.
Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses
are save:
config switch-controller global
set mac-violation-timer <0-1500>
set log-mac-limit-violations {enable | disable}
end
For example:
config switch-controller global
set mac-violation-timer 1000
set log-mac-limit-violations enable
end
To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following
commands:
l diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_
serial_number>
l diagnose switch-controller switch-info mac-limit-violations interface
<FortiSwitch_serial_number> <port_name>
l diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_
serial_number> <VLAN_ID>
For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:
diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5
To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
l execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_
number>
l execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_
number> <VLAN_ID>
l execute switch-controller mac-limit-violation reset interface <FortiSwitch_
serial_number> <port_name>
For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:
execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set sticky-mac {enable | disable}
next
end
You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following commands to save persistent MAC addresses for a specific interface or all interfaces:
execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number>
<port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>
Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_
serial_number>
execute switch-controller switch-action delete sticky-mac delete-unsaved interface
<FortiSwitch_serial_number> <port_name>
Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:
config switch-controller global
set mac-event-logging enable
end
Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a
LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of
traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed
switches, use the following FortiOS CLI commands:
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end
To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the
storm-control policy and then assigning the storm-control policy for the FortiSwitch port.
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end
For example:
config switch-controller storm-control-policy
edit stormpol1
set description "storm control policy for port 5"
set storm-control-mode override
set rate 1000
set unknown-unicast enable
set unknown-multicast enable
set broadcast enable
next
end
You need to configure global IGMP-snooping settings and then configure IGMP-snooping settings on a FortiSwitch unit.
Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer
value from 15 to 3600. The default value is 300.
Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.
config switch-controller igmp-snooping
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
end
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network
traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving
each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from
links that do not contain a multicast listener.
NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and
igmps-flood-traffic options are disabled by default.
Use the following commands to configure IGMP settings on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set igmps-flood-reports {enable | disable}
set igmps-flood-traffic {enable | disable}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set igmps-flood-reports enable
set igmps-flood-traffic enable
end
end
Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a
network to improve the time precision. There are two transparent-clock modes:
l End-to-end measures the path delay for the entire path
l Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:
1. Configure the global PTP settings.
By default, PTP is disabled.
For example:
config switch-controller ptp settings
set mode transparent-p2p
end
Device detection
Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by
the managed FortiSwitch unit.
To enable network-assisted device detection on a VDOM:
config switch-controller network-monitor-settings
set network-monitoring enable
end
You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in
the CLI, enter the following command:
diagnose user device list
FortiSwitch is able to parse LLDP messages from voice devices such as FortiFone, and pass this information to
FortiGate for device detection. You can use FortiSwitch NAC policies to assign a device to an LLDP profile, QoS policy,
and VLAN policy. When a detected device is matched to a NAC policy, the corresponding policy actions will be applied
on the switch port.
Example
In the following example, FortiFone is connected to port11 of FortiSwitch. A NAC policy is created to apply a VLAN
policy, LLDP policy, and QoS policy to Device Family FortiFone.
1. Configure a NAC policy on a switch port. See FortiSwitch network access control on page 109.
2. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
3. Create or edit an NAC policy.
4. Set the Category to Device.
5. Enable Device family, and enter name such as FortiFone.
6. Select Apply Port Specific Settings.
7. Enable LLDP profile, and select a voice profile from the dropdown.
8. Enable QoS policy, and select a voice policy from the dropdown.
9. Enable VLAN policy, and select a voice policy from the dropdown.
1. Assign the FortiFone to a VLAN policy, LLDP policy, and QoS Policy.
config user nac-policy
edit "FortiFone"
set family "FortiFone"
set switch-fortilink "fortilink"
set switch-port-policy "FortiFone"
next
end
config switch-controller port-policy
edit "FortiFone"
set fortilink "fortilink"
set lldp-profile "fortivoice.fortilink"
set qos-policy "voice-qos"
set vlan-policy "fortiFone"
next
end
config switch-controller vlan-policy
edit "fortiFone"
set fortilink "fortilink"
set vlan "voice"
next
end
config switch-controller lldp-profile
edit "fortivoice.fortilink"
set med-tlvs inventory-management network-policy location-identification
set auto-isl disable
config med-network-policy
edit "voice"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "voice-signaling"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "guest-voice"
next
edit "guest-voice-signaling"
next
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"
next
edit "video-signaling"
next
end
next
end
config switch-controller qos qos-policy
edit "voice-qos"
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
set queue-policy "voice-egress"
next
end
2. FortiSwitch receives an LLDP message from FortiFone after it is plugged into port11.
3. Run diagnose switch-controller switch-info to check the device information on FortiGate. The
FortiFone is identified.
# diagnose switch-controller switch-info lldp neighbors-detail S124EP5918000276 port11
Vdom: root
Managed Switch : S124EP5918000276 0
Capability codes:
R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device
W:WLAN Access Point, P:Repeater, S:Station, O:Other
_______________________________________________________________
Neighbor learned on port port11 by LLDP protocol
Last change 20 seconds ago
Last packet received 20 seconds ago
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 169.254.15.3
A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes
before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes
is 5. The range of values is 0 to 10,080 minutes. Set the iot-holdoff value to 0 to disable this setting.
If a MAC address entryʼs last-seen time is greater than the iot-mac-idle value, the MAC address entry is not
considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to
10,080 minutes.
Starting in FortiOS 6.4.3, IoT detection can be managed per FortiLink interface as well. IoT detection is disabled by
default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so that
the FortiSwitch unit starts scanning for IoT devices.
Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this
feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both
FortiOS and FortiSwitchOS for this feature to work.
Variable Description
802.3-tlvs {max-frame-size | power- Select whether to transmit the IEEE 802.3 maximum frame size TLV, the
negotiation} power-negotiation TLV for PoE, or both. Separate multiple options with a
space.
auto-isl-hello-timer <1-30> If you enabled auto-isl, you can set the number of seconds for the
automatic inter-switch LAG hello timer. The default value is 3 seconds.
auto-isl-port-group <0-9> If you enabled auto-isl, you can set the automatic inter-switch LAG port
group identifier.
auto-isl-receive-timeout <3-90> If you enabled auto-isl, you can set the number of seconds before the
automatic inter-switch LAG times out if no response is received. The
default value is 9 seconds.
config med-network-policy
{guest-voice | guest-voice-signaling | Select which Media Endpoint Discovery (MED) network policy type-length-
softphone-voice | streaming-video | value (TLV) category to edit.
video-conferencing | video-signaling |
voice | voice-signaling}
Variable Description
vlan-intf <string> If you enabled the status, you can enter the VLAN interface to advertise.
The maximum length is 15 characters.
priority <0-7> If you enabled the status, you can enter the advertised Layer-2 priority. Set
to 7 for the highest priority.
dscp <0-63> If you enabled the status, you can enter the advertised Differentiated
Services Code Point (DSCP) value to indicate the level of service requested
for the traffic.
config med-location-service
{address-civic | coordinates | elin- Select which Media Endpoint Discovery (MED) location type-length-value
number} (TLV) category to edit.
sys-location-id <string> If you enabled the status, you can enter the location service identifier. The
maximum length is 63 characters.
config-tlvs
<TLV_name> Enter the name of a custom TLV entry.
oui <hexadecimal_number> Ener the organizationally unique identifier (OUI), a 3-byte hexadecimal
number, for this TLV.
information-string <0-507> Enter the organizationally defined information string in hexadecimal bytes.
Variable Description
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the
packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1
to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095
seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link
comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this
variable to zero to disable fast start.
Variable Description
device-detection {enable | disable} Enable or disable whether LLDP neighbor devices are dynamically detected.
By default, this setting is disabled.
You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set switch-device-tag <string>
end
You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:
config switch-controller lldp-profile
edit <lldp-profle>
config med-network-policy
edit guest-voice
set status {disable | enable}
next
edit guest-voice-signaling
set status {disable | enable}
next
edit guest-voice-signaling
set status {disable | enable}
next
edit softphone-voice
set status {disable | enable}
next
edit streaming-video
set status {disable | enable}
next
edit video-conferencing
set status {disable | enable}
next
edit video-signaling
set status {disable | enable}
next
edit voice
set status {disable | enable}
next
edit voice-signaling
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Starting in FortiOS 6.4.3, you can also configure the lldp-status and lldp-profile settings of a virtual switch
port in a tenant VDOM. NOTE: The auto-isl setting in config switch-controller lldp-profile is
ignored, and the setting remains disabled for the tenantʼs ports.
Use the following commands to configure LLDP on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port2
set lldp-status tx-rx
set lldp-profile default
end
end
Use the following commands to configure LLDP on a virtual FortiSwitch port in a tenant VDOM:
config vdom
edit <VDOM_name>
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
next
end
end
end
For example:
config vdom
edit VDOM_1
config switch-controller managed-switch
edit "S424ENTF19000007"
config ports
edit port28
set lldp-status tx-rx
set lldp-profile lldpprofile1
next
end
end
end
FortiSwitch security
You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the
specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices
that match are assigned to a specific VLAN or have port-specific settings applied to them.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch
NAC settings on page 111.
1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN on page 109.
2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings on page 111.
3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy on page 113.
4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy on page 118.
When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there
are six VLAN templates:
l default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
l quarantine—This VLAN contains quarantined traffic.
l rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
l voice—This VLAN is dedicated for voice devices.
l video—This VLAN is dedicated for video devices.
l onboarding—This VLAN is for NAC onboarding devices.
You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding
NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN
or create a new NAC VLAN, use the following procedures.
1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
Color Choose a unique color for each VLAN, for ease of visual display.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually
configure the NAC settings or use the NAC wizard. See Using the NAC wizard on page 112.
The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all
managed FortiSwitch ports. Be default, the mode is local.
You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for
15 minutes. The range of values is 0 to 1 440 minutes. If you set the inactive-timer to 0, there is no limit to how long the
NAC devices can be inactive for.
When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default
onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.
When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.
When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the
DHCP process for that switch.
When a link goes down, the NAC devices are cleared from all switch ports by default.
The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do
not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.
1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select Configure NAC Settings.
3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is
onboarding.
4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is
configured on the port.
5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC
policies to.
7. Select Next.
8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the
default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN on page
109.
9. Select Submit.
In the FortiOS GUI, you can create three types of NAC policies:
l Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type,
operating system, and user.
l User—The NAC policy matches devices belonging to the specified user group.
l EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.
Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the
NAC policy. See Creating a port policy on page 117 and Creating a MAC policy on page 118.
NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the
FortiSwitch NAC settings on page 111.
A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies
port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating
system, and user for the devices to match.
By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You
can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.
8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the
hardware vendor to match.
9. If you want the device to match a device family, move the Device Family slider and enter the name of the device
family to match.
10. If you want the device to match a device type, move the Type slider and enter the device type to match.
11. If you want the device to match an operating system, move the Operating System slider and enter the operating
system to match.
12. If you want the device to match a user, move the User slider and enter the user name to match.
13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and
enter the VLAN identifier.
14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific
Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
15. Select OK to create the new NAC policy.
A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those
devices or applies port-level settings to those devices.
An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or
applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS)
tag created in FortiClient.
NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.
Before creating an EMS-tag policy on a managed FortiSwitch unit:
1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:
For example:
5. In FortiOS, check that the FortiGate unit and FortiClient are connected:
6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:
For example:
next
end
You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which
LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.
config switch-controller port-policy
edit <port_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set lldp-profile <LLDP_profile>
set qos-policy <QoS_policy>
set 802-1x <802.1x_policy>
set vlan-policy <VLAN_policy>
set bounce-port-link {enable | disable}
next
end
For example:
You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be
applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether
to discard untagged or tagged frames or to not discard any frames.
config switch-controller vlan-policy
edit <VLAN_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set allowed-vlans <lists_of_VLAN_names>
set untagged-vlans <lists_of_VLAN_names>
set allowed-vlans-all {enable | disable}
set discard-mode {none | all-untagged | all-tagged}
next
end
For example:
end
You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is
applied, select which traffic policy is used, and enable or disable packet count.
config switch-controller mac-policy
edit <MAC_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set traffic-policy <traffic_policy_name>
set count {enable | disable}
next
end
To show known NAC devices with a known location that match a NAC policy:
diagnose switch-controller nac-device known
To show pending NAC devices with an unknown location that match a NAC policy:
diagnose switch-controller nac-device pending
The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and
unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters
messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set dhcp-snooping {trusted | untrusted}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set dhcp-snooping trusted
end
end
DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have
valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By
default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the
following CLI commands to enable DAI and then enable DAI for a VLAN:
config system interface
edit vsw.test
set switch-controller-arp-inpsection {enable | disable}
end
Use the following CLI command to check DAI statistics for a FortiSwitch unit:
diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>
Use the following CLI command to delete DAI statistics for a specific VLAN:
diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_
serial_number>
To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected
to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The
supplicant and the authentication server communicate using the switch using the EAP protocol. The managed
FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the managed FortiSwitch unit.
NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication
from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.
The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each
supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond
to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the
user name and password for authentication.
You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful.
Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1x authentication, you can specify a
RADIUS timeout VLAN for users after the authentication server timeout period expires.
When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.
The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:
108 80
112 120
124/224/424/524/1024 240
148/248/448/548/1048 480
3032 320
To configure the 802.1x security policy for a virtual domain, use the following commands:
config switch-controller 802-1X-settings
set reauth-period <integer>
set max-reauth-attempt <integer>
set link-down-auth {*set-unauth | no-action}
end
Option Description
set link-down-auth If a link is down, this command determines the authentication state.
Choosing set-auth sets the interface to unauthenticated when a link is
down, and reauthentication is needed. Choosing no-auth means that the
interface does not need to be reauthenticated when a link is down.
set reauth-period This command sets how often reauthentication is needed. The range is 1-
1440 minutes. The default is 60 minutes. Setting the value to 0 minutes
disables reauthentication.
You can override the virtual domain settings for the 802.1x security policy.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The
maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to
unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface
does not need to be reauthenticated when a link is down.
7. Select OK.
For a description of the options, see Configure the 802.1x settings for a virtual domain.
Option Description
set security-mode You can restrict access with 802.1x port-based authentication or with
802.1x MAC-based authentication.
set user-group You can set a specific group name, Guest-group, or SSO_Guest_Users to
have access. This setting is mandatory.
set mac-auth-bypass You can enable or disable MAB on this interface.
set eap-passthrough You can enable or disable EAP pass-through mode on this interface.
set guest-vlan You can enable or disable guest VLANs on this interface to allow restricted
access for some users.
set guest-vlan-id "<guest- You can specify the name of the guest VLAN.
VLAN-name>"
set guest-auth-delay You can set the authentication delay for guest VLANs on this interface. The
range is 1-900 seconds.
set auth-fail-vlan You can enable or disablethe authentication fail VLAN on this interface to
allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id You can specify the name of the authentication fail VLAN
"<auth-fail-VLAN-name>"
set radius-timeout- You can enable or disable whether the session timeout for the RADIUS
overwrite server will overwrite the local timeout.
set policy-type 802.1X You can set the policy type to the 802.1x security policy.
set authserver-timeout-vlan Enable or disable the RADIUS timeout VLAN on this interface to allow
limited access for users when the RADIUS server times out before finishing
authentication.
By default, this option is disabled.
Option Description
set authserver-timeout- You can set how many seconds the RADIUS server has to authenticate
period users. The range of values is 3-15 seconds; the default time is 3 seconds.
This option is only visible when authserver-timeout-vlan is
enabled.
set authserver-timeout- The VLAN name that is used for users when the RADIUS server times out
vlanid "<RADIUS-timeout- before finishing authentication.
VLAN-name>" This option is only visible when authserver-timeout-vlan is
enabled.
You can apply a different 802.1x security policy to each FortiSwitch port.
To apply an 802.1x security policy to a managed FortiSwitch port, use the following commands:
config switch-controller managed-switch
edit <managed-switch>
config ports
edit <port>
set port-security-policy <802.1x-policy>
next
end
next
end
Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test
port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass.
Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the
users fail authentication.
To enable or disable monitor mode, use the following commands:
config switch-controller security-policy 802-1X
edit "<policy_name>"
set open-auth {enable | disable}
next
end
The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiGate RADIUS single sign-on:
l START—The FortiSwitch has been successfully authenticated, and the session has started.
l STOP—The FortiSwitch session has ended.
l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
l ON—FortiSwitch will send this message when the switch is turned on.
l OFF—FortiSwitch will send this message when the switch is shut down.
You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple
values.
Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed
FortiSwitch units:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set switch-controller-service-type {administrative | authenticate-only | callback-
administrative | callback-framed | callback-login | callback-nas-prompt | call-check
| framed | login | nas-prompt | outbound}
config accounting-server
edit <entry_ID>
set status {enable | disable}
set server <server_IP_address>
set secret <secret_key>
set port <port_number>
next
end
next
end
For increased security, each subnet interface that will be receiving CoA requests must be configured with the set
allowaccess radius-acct command.
Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS CoA messages:
l CoA messages to change session authorization attributes (such as data filters and the session-timeout setting )
during an active session.
l Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are
unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string
The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.
Unsupported Attribute 401 This error is a fatal error, which is sent if a request
contains an attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more
NAS-Identifier Attributes do not match the identity of
the NAS receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request
or Disconnect-Request message contains an attribute
with an unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified
in the CoA-Request or Disconnect-Request message
does not exist on the NAS.
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
config system interface
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
config user radius
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_IPv4>
end
Variable Description
allowaccess <access_types> Enter the types of management access permitted on this interface.
Valid types are as follows: http https ping snmp ssh telnet
radius-acct. Separate each type with a space. You must include
radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the messages
use port 3799.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 0 for FortiOS,
which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server.
There is no default.
server <server_name_IPv4> Enter the domain name or IPv4 address for the RADIUS server. There
is no default.
The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages
from the specified RADIUS server:
config switch-controller security-policy local-access
edit default
set internal-allowaccess ping https http ssh snmp telnet radius-acct
next
end
config user radius
edit "Radius-188-200"
set radius-coa enable
set radius-port 0
set secret ENC
+2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZf
OQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVU
MiPOU6fSrj
set server "10.105.188.200"
next
end
To control network access, you can configure 802.1x authentication from a FortiGate unit managing FortiSwitch units. A
supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the
network.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to
the RADIUS server.
To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:
end
You can create an 802.1x security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch
Security Policies and selecting Create New.
config switch-controller security-policy 802-1X
edit "802-1X-policy-default"
set security-mode 802.1X-mac-based
set user-group "dot1x-local"
set mac-auth-bypass enable
set eap-passthru enable
set guest-vlan enable
set guest-vlan-id "guest-VLAN"
set auth-fail-vlan enable
set auth-fail-vlan-id "auth-fail-VLAN"
set radius-timeout-overwrite disable
next
end
You can apply an 802.1x security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi &
Switch Controller > FortiSwitch Ports.
config switch-controller managed-switch
edit S548DN4K16000360
config ports
edit "port1"
set dhcp-snooping trusted
set dhcp-snoop-option82-trust enable
set port-security-policy "802-1X-policydefault"
next
end
l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
l RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT
is disabled in the firewall policy (set nat disable under the config firewall policy command), and
the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other
than 169.254.1.x.
l The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS),
Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
l Each RADIUS CoA server can support only one accounting manager in this release.
l RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
l Fortinet recommends a unique secret key for each accounting server.
l For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
l To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
l Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
l By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
l The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
l In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
l Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
l Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-
passthru) is enabled by default.
l For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
This example shows one of the key components in the concept of Security Fabric: FortiSwitches in FortiLink. In the
FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.
Sample topology
You can block intra-VLAN traffic by aggregating traffic using solely the FortiGate unit. This prevents direct client-to-
client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client
traffic reaches the FortiGate unit, the FortiGate unit can then determine whether to allow various levels of access to the
client by shifting the client's network VLAN as appropriate, if allowed by a firewall policy and proxy ARP is enabled.
Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified
VLAN. Use disable to allow normal traffic on the specified VLAN.
NOTE:
l IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
l Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch.
l When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure the proxy ARP
with the config system proxy-arp CLI command and configure a firewall policy. For example:
end
Quarantines
Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined
MAC addresses are isolated from the rest of the network and LAN.
You can use the FortiGate GUI or CLI to quarantine a MAC address.
NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP
address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.
In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.
1. Select the host to quarantine.
l Go to Security Fabric > Physical Topology , right-click on a host, and select Quarantine Host on FortiSwitch.
l Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
l Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on
FortiSwitch.
2. Select Accept to confirm that you want to quarantine the host.
NOTE: Previously, this feature used the config switch-controller quarantine CLI command.
There are two kinds of quarantines:
l Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting
in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
l Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting
in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).
By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware
version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was
disabled in the older configuration, it will be disabled after the upgrade.
You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are
only quarantined when the quarantine feature is enabled.
The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined
per quarantine entry.
Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use
and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much
network resources quarantined devices use.
Quarantine-by-redirect is the default. If you are upgrading to FortiOS 6.4.0 or higher and already have a quarantine-by
VLAN configuration, the quarantine mode does not change during the upgrade.
If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:
1. Disable quarantine.
2. Change the quarantine-mode to by-direct.
3. Remove the quarantine VLAN from the switch ports.
4. Enable quarantine.
Option Description
traffic-policy <traffic_policy_name> Optional. A name for the traffic policy that controls quarantined devices. If
you do add a traffic policy, you need to configure it with the config
switch-controller traffic-policy command.
firewall-groups <firewall_address_ Optional. By default, the firewall address group is
group> QuarantinedDevices. If you are using quarantine-by-redirect, you
must use the default firewall address group.
drop {enable | disable} Enable to drop quarantined device traffic. Disable to send quarantined
device traffic to the FortiGate unit.
For example:
config switch-controller global
set quarantine-mode by-redirect
end
Option Description
traffic-policy <traffic_policy_name> Enter a name for the traffic policy that controls quarantined devices.
guaranteed-bandwidth <0-524287000> Enter the guaranteed bandwidth in kbps. The maximum value is
524287000. The default value is 0.
guaranteed-burst <0-4294967295> Enter the guaranteed burst size in bytes. The maximum value is
4294967295. The default value is 0.
maximum-burst <0-4294967295> The maximum burst size is in bytes. The maximum value is 4294967295.
The default value is 0.
set cos-queue <0-7> Set the class of service for the VLAN traffic. Use the unset cos-queue
command to disable this setting.
For example:
config switch-controller traffic-policy
edit qtrafficp
set description "quarantined traffic policy"
set policer-status enable
set guaranteed-bandwidth 10000
set guaranteed-burst 10000
set maximum-burst 10000
unset cos-queue
end
When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this
problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device
was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is
released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By
default, the bounce-quarantined-link option is disabled.
To bounce the switch port where a quarantined device was last seen:
After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device
was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine
VLAN 4093 after 802.1x MAC-based authentication is enabled.
1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can
verify that quarantine-vlan is enabled with the following commands:
2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the
managed FortiSwitch unit. You can verify the settings for the port-security-mode and quarantine-vlan. For example:
next
end
next
end
4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the
managed FortiSwitch unit received the MAC-VLAN binding with the following command:
5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed
FortiSwitch port has the quarantined MAC address. For example:
Sessions info:
00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41
params:reAuth=1800
6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address
table with the following commands:
Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.
Use the following command to view the quarantine list of MAC addresses:
show user quarantine
For example:
show user quarantine
When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_
name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The
quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.
Use the following command to view the quarantine VLAN:
show system interface qtn.<FortiLink_port_name>
For example:
show system interface qtn.port7
Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all
connected FortiSwitch ports:
show switch-controller managed-switch
For example:
show switch-controller managed-switch
To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which
will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all
quarantined MAC addresses from quarantine.
Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations
on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are
automatically applied.
NOTE: The Security Rating feature is available only when VDOMs are disabled.
4. Under Failed, select + next to each item to see more details in the right pane.
5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.
Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.
The FortiSwitch unit supports the following QoS configuration capabilities:
l Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
l If you select weighted-random-early-detection for the drop-policy, you can enable explicit
congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a
trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the
default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the
switch assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to
trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch
will use the Dot1p value and mapping only if the packet contains no DSCP value.
2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress
queue values. For IP precedence, you have the following choices:
l network-control—Network control
l internetwork-control—Internetwork control
l critic-ecp—Critic and emergency call processing (ECP)
l flashoverride—Flash override
l flash—Flash
l immediate—Immediate
l priority—Priority
l routine—Routine
3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or
more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
o With strict scheduling, the queues are served in descending order (of queue number), so higher number
queues receive higher priority.
o In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each
queue before moving on to the next one.
o In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to
63.
4. Configure the overall policy that will be applied to the switch ports.
Explicit Congestion Notification (ECN) allows ECN enabled endpoints to notify each other when they are experiencing
congestion. It is supported on the following FortiSwitch models: FS-3032E, FS-3032D, FS-1048E, FS-1048D, FS-5xxD
series, and FS-4xxE series.
On the FortiGate unit that is managing the compatible FortiSwitch unit, ECN can be enabled for each class of service
(CoS) queue to enable packet marking to drop eligible packets. The command is only available when the dropping policy
is weighted random early detection. It is disabled by default.
You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog
server.
You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is
global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported
FortiSwitch logs.
To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.
Use the following CLI command syntax:
config switch-controller switch-log
set status {*enable | disable}
set severity {emergency | alert | critical | error | warning | notification | *information |
debug}
end
You can override the global log settings for a FortiSwitch unit, using the following commands:
config switch-controller managed-switch
edit <switch-id>
config switch-log
set local-override enable
At this point, you can configure the log settings that apply to this specific switch.
Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog
servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-
separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the
remote Syslog server.
Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron |
authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 |
local4 | local5 | local6 | *local7}
next
end
You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following
commands:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config remote-log
edit {edit syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp |
cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2
| local3 | local4 | local5 | local6 | *local7}
next
end
next
end
The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same
FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for
external analysis and capture.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-
2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.
In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The
switching functionality is enabled on the dst interface when mirroring.
NOTE: RSPAN is supported on FSR-112D-POE and on platforms 2xx and higher.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By
focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount
of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP
ping. If no IP address is specified, the traffic is not mirrored.
NOTE: ERSPAN is supported on platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-
mirroring method.
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config mirror
edit 2
set status active
set dst port1
set switching-packet enable
set src-ingress port2 port3
set src-egress port4 port5
next
end
next
For example:
config switch-controller traffic-sniffer
set mode rspan
config target-mac
edit 00:00:00:aa:bb:cc
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end
For example:
config switch-controller traffic-sniffer
set mode erspan-auto
set erspan-ip 10.254.254.254
config target-mac
edit 00:00:00:aa:bb:cc
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers
have read-only access to FortiSwitch system information through queries and can receive trap messages from the
managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting
the FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of
the FortiSwitch units to use different settings from the global settings, configure SNMP locally.
To configure SNMP for a specific FortiSwitch unit, configure the following settings:
1. Configure the SNMP system information.
2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.
Configuring sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact
performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch
implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined
intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on
network throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.
sFlow can monitor network traffic in two ways:
l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
l Counter samples—You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is
0.0.0.0, and the port number is 6343.
config switch-controller sflow
collector-ip <x.x.x.x>
collector-port <port_number>
end
For example:
config switch-controller sflow
collector-ip 1.2.3.4
collector-port 10
end
next
next
end
You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet
Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all
FortiSwitch units, or on all FortiSwitch ingress ports.
When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on
the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking
configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX
sampling.
Configure collector IP address
The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.
For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6
Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set flow-control {both | rx | tx | disable}
next
end
end
For example:
config switch-controller managed-switch
edit S424ENTF19000007
config ports
edit port29
set flow-control tx
set pause-meter 900
set pause-meter-resume 50%
next
end
end
Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your FortiGate.
Select Topology from the drop-down menu in the upper right corner to see which devices are connected.
When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the
FortiSwitch faceplate), and the link between the ports is a solid line.
If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit
the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit
might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware
versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is
compatible with the firmware running on the FortiGate unit.
From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit
from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
The following figure shows the display for a FortiSwitch 248E-FPOE:
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each
device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:
For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all
managed FortiSwitch units.
For example:
FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024
port8
Vdom: dmgmt-vdom
Vdom: roort
Vdom: root
S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
Vdom: vdom-1
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters
S524DF4K15000024 1,3,port6-7
NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting
the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered
during the time when the counters are reset might be discarded.
For example:
On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI
indicates Dedicated to FortiSwitch in the IP/Netmask field.
The Diagnostics and Tools form reports the general health of the FortiSwitch unit, displays details about the
FortiSwitch unit, and allows you to run diagnostic tests.
When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for
a specified number of minutes.
NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.
You can check the state of cables connected to a specific port. The following pair states are supported:
l Open
l Short
l Ok
l Open_Short
l Unknown
l Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
Data statistics
This example shows a FortiLink scenario where the FortiGate acts as the switch controller that collects the data
statistics of managed FortiSwitch ports. This is counted by each FortiSwitch and concentrated in the controller.
Sample topology
You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each
managed FortiSwitch unit.
Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>
You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware
version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.
Use the following command to stage a firmware image on all FortiSwitch units:
diagnose switch-controller switch-software stage all <image id>
Use the following command to upgrade the firmware image on one FortiSwitch unit:
Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
config switch-controller global
set https-image-push enable
end
From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model
using a single execute command. The command includes the name of a firmware image file and all of the managed
FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>
You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.
execute switch-controller switch-action restart delay all
After authorizing a FortiSwitch, administrators can register the FortiSwitch to FortiCloud directly from the FortiOS GUI.
1. Go to WiFi & Switch Controller > Managed FortiSwitch and ensure the Topology view is selected.
2. In the topology, right-click on an unregistered device and click Registration.
The registration information is submitted to FortiCare, and FortiOS attempts to collect the registration status
from FortiGuard. Since FortiGuard and FortiCare synchronize periodically, the registration status may not
update immediately (it may take up to a few hours).
c. Click Close.
4. After a while, go back to WiFi & Switch Controller > Managed FortiSwitch.
5. Right-click on the device and click Registration. The device is shown as Registered to the corresponding
FortiCloud account.
If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same
FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces.
The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.
NOTE:
l Both FortiSwitch units must be of the same model.
l The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
l If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL
trunk.
l After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want
different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
l If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch
to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the
FortiGate unit with the correct configuration.
config vdom
edit <VDOM_name>
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_
FortiSwitch_serial_number>
For example:
config vdom
edit vdom_new
If the failed FortiSwitch unit was not part of a VDOM, enter the following command:
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different
trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches.
You need a maintenance window for the change.
1. Shut down the FortiLink interface on the FortiGate unit.
a. On the FortiGate unit, execute the show system interface command. For example:
b. Write down the member port information. In this example, port45 and port48 are the member ports.
c. Shut down the member ports with the config system interface, edit <member-port#>, set
status down, and end commands. For example:
d. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For
example:
b. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch
mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For
example:
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1
c. Shut down the ICL member ports using the config switch physical-port, edit <member
port#>, set status down, next, and end commands. For example:
d. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete
<mclag-icl-trunk-name>, and end commands. For example:
e. Use the show switch trunk command to verify that the trunk is deleted.
f. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the
set auto-isl 0 command in the configuration. For example:
g. Use the show switch trunk command to check the trunk configuration.
h. Start the trunk member ports by using the config switch physical-port, edit <member port#>,
set status up, next, and end commands. For example:
Counters
received keepalive packets 5838
transmited keepalive packets 6279
received keepalive drop packets 27
receive keepalive miss 1
From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains
generic FortiSwitch commands.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.
Use the following syntax to create a custom script from the FortiGate unit:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch_command>"
end
For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the
custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch
unit:
execute switch-controller custom-command <cmd-name> <target-switch>
For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118
If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the
managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be
overwritten locally.
Use the following syntax to bind a custom script to a managed switch:
config switch-controller managed-switch
edit "<FortiSwitch_serial_number>"
config custom-command
edit <custom_script_entry>
set command-name "<name_of_custom_script>"
next
end
next
end
For example:
config switch-controller managed-switch
edit "S524DF4K15000024"
config custom-command
edit 1
set command-name "stp-age-10"
next
end
next
end
If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more
PoE-enabled ports and select Reset PoE from the context menu.
You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of
interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the
context menu.
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
FEEDBACK
Email: techdoc@fortinet.com
Change log 13
Introduction 14
Supported models 14
Whatʼs new in FortiSwitchOS 6.4.3 14
Feature matrix: FortiSwitchOS 6.4.3 17
Before you begin 24
How this guide is organized 24
Management ports 26
Models without a dedicated management port 26
Models with a dedicated management port 29
Remote access to the management port 31
Example configurations 32
Configuring administrator tasks 35
Setting the time and date 35
Configuring system banners 36
Configuring the temperature sensor 38
Upgrading the firmware 38
Verifying image integrity 40
Restore or upgrade the BIOS 40
Setting the boot partition 40
Backing up the system configuration 41
Remote authentication servers 41
RADIUS server 41
TACACS+ server 43
Configuring system administrators 44
Administrator profiles 45
Creating administrator profiles 45
Access control 46
Adding administrators 48
Monitoring administrators 49
Setting the default administrator password 49
Setting the password retries and lockout time 50
Setting the idle timeout 50
Configuring administrative logins 51
Using PKI 52
Configuring security checks 53
Syntax (for model FS-112D-POE) 53
Syntax (for all other FortiSwitch models) 54
Logging 55
Syslog server 56
Fault relay support 57
Using SSH and the Telnet client 57
Change log
Introduction
This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you
manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the
GUI) or the CLI.
If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed
by FortiOS 6.4.
This chapter covers the following topics:
l Supported models on page 14
l Whatʼs new in FortiSwitchOS 6.4.3 on page 14
l Feature matrix: FortiSwitchOS 6.4.3 on page 17
l Before you begin on page 24
l How this guide is organized on page 24
Supported models
This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series,
and F-series models.
l When a neighboring router has a graceful restart, the FortiSwitch unit now enters the helper (neighbor) mode and
keeps the restarting router in the forwarding path for OSPF routing.
l OSPF database overflow protection is now supported.
l IPv6 support has been expanded. You can now use IPv6 addresses with BGP routing, IS-IS routing, and RIP
routing. Multicast Listener Discovery (MLD) snooping, MLD proxy, and MLD querier are now supported for IPv6
multicast traffic.
l IPv4 and IPv6 static routes now support virtual routing and forwarding (VRF).
l You can now view events that violate the IP source-guard settings with the IP source-guard violation log.
l You can now specify system banner messages in the CLI that will appear when users log in using either the CLI or
the GUI.
l You can now configure the maximum burst size allowed by storm control per port or per switch.
l You can use the new diagnose certificate {all | ca | local | remote} commands to verify
your system certificates.
The following REST API changes were made in this release:
l You can now use the current release version in the FortiSwitch REST API requests (https://<switch_IP_
address>/api/v<x.x.x>/) to get the latest (v6.4.3) schema content in the response. You can still use
FortiSwitch REST API requests with https://<switch_IP_address>/api/v2/ to get the older v2 schema
in the response.
l The monitor/switch/log endpoint is now monitor/system/log.
l The new cmdb/router/ripng endpoint supports RIP routing for IPv6 traffic.
l The new cmdb/switch.mld-snooping/globals endpoint supports MLD snooping.
l The cmdb/router/route-map endpoint now supports RIP routing for IPv6 traffic and IS-IS routing for IPv6
traffic.
l The cmdb/router/isis endpoint now supports IS-IS routing for IPv6 traffic.
l The cmdb/router/bgp endpoint now supports BGP routing for IPv6 traffic.
l The cmdb/system/global endpoint now supports specifying system banner messages that will appear when
users log in using either the CLI or the GUI.
l The cmdb/switch/physical-port endpoint and the cmdb/switch/storm-control endpoint now
support configuring the maximum burst size allowed by storm control.
The following CLI changes were made in this release:
l Under the config router ospf command, the set default-information-route-map command has
been removed.
l Under the config router isis command, the set default-information-route-map command has
been removed.
l Under the config switch vlan command, set igmp-fast-leave is now set igmp-snooping-
fast-leave.
l Under the config switch vlan command, set igmp-proxy is now set igmp-snooping-proxy.
l Under the config switch vlan command, set querier-addr is now set igmp-snooping-
querier-addr.
l Under the config switch vlan command, config igmp-static-group is now config igmp-
snooping-static-group.
l Under the config switch interface command, set igmps-flood-reports is now set igmp-
snooping-flood-reports.
l Under the config switch interface command, set igmps-flood-traffic is now set mcast-
snooping-flood-traffic.
l The set flood-unknown-multicast command moved from under config switch igmp-snooping
globals to under config switch global.
l The get switch igmp-snooping interface command was replaced with get switch igmp-
snooping status.
l The diagnose debug application igmp_snooping command is now diagnose debug
application mcast-snooping.
l Under the config router bgp command, set aspath-filter-list-in is now set filter-list-
in.
l Under the config router bgp command, set aspath-filter-list-out is now set filter-list-
out.
l Under the config router bgp command, log-neighbor-changes is now set neighbour-changes.
Refer to Feature matrix: FortiSwitchOS 6.4.3 on page 17 for details about the features supported on each FortiSwitch
model.
The following table lists the FortiSwitch features in release 6.4.3 that are supported on each series of FortiSwitch
models. All features are available in release 6.4.3, unless otherwise stated.
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
IP conflict detection ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
and notification
FortiSwitch Cloud ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
configuration
Auto topology — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
802.1x MAC-based ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
security mode
User-based (802.1x) ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
VLAN assignment
802.1x ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
enhancements,
including MAB
MAB — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
reauthentication
disabled
open-auth mode ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
Support of RADIUS — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
CoA and disconnect
messages
EAP Pass-Through ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Network device — — ✓ — ✓ ✓ ✓ ✓ ✓
detection
IP-MAC binding ✓ — — — — — ✓ ✓ ✓
(IPv4)
sFlow (IPv4) ✓ ✓ ✓ — ✓ ✓ ✓ ✓ ✓
ACL (IPv4) ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓
Multistage ACL ✓ — — — — — ✓ ✓ ✓
(IPv4)
Multiple ingress ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
ACLs (IPv4)
DHCP snooping ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
DHCPv6 snooping ✓ — — — ✓ ✓ ✓ ✓ ✓
Allowed DHCP ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
server list
IP source guard ✓ — ✓ — ✓ ✓ — — —
(IPv4)
IP source-guard — — ✓ — ✓ ✓ — — —
violation log
Dynamic ARP ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓
inspection (IPv4)
Access VLANs — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
RMON group 1 — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
Reliable syslog — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Packet capture ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
Layer 2
LAG min-max- — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
bundle
IPv6 RA guard — — — — ✓ ✓ ✓ ✓ ✓
IGMP snooping ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
IGMP proxy ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
IGMP querier — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
MLD snooping — — — — — — ✓ ✓ ✓
MLD proxy — — — — — — ✓ ✓ ✓
MLD querier — — — — — — ✓ ✓ ✓
LLDP-MED — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
LLDP-MED: ELIN ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
support
Learning limit — — ✓ ✓ ✓ ✓ ✓ — —
violation log (See
Note 4.)
set mac-violation- — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
timer
Sticky MAC ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
MSTP instances — 0-15 0-15 0-15 0-15 0-15 0-32 0-32 0-32
Rapid PVST — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
interoperation
'forced-untagged' or — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
'force-tagged'
setting on switch
interfaces
Private VLANs ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
Multi-stage load — — — — — — — ✓ ✓
balancing
Priority-based flow — — — — — — ✓ ✓ ✓
control
Storm control ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Per-port storm ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
control
Global burst-size — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
control
MAC/IP/protocol- ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
based VLAN
assignment
Virtual wire ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
Loop guard ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Percentage rate ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
control
VLAN stacking — — ✓ — ✓ ✓ ✓ ✓ ✓
(QinQ)
VLAN mapping — — ✓ — ✓ ✓ ✓ ✓ ✓
SPAN ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
Flow control — ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Layer 3
Static routing ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
(IPv4/IPv6)
Hardware routing ✓ — ✓ — ✓ ✓ ✓ ✓ ✓
offload (IPv4/IPv6)
Software routing ✓ ✓ — ✓ — — — — —
only (IPv4/IPv6)
OSPF (IPv4/IPv6) ✓ — — — ✓ ✓ ✓ ✓ ✓
(See Note 3.)
OSPF database — — — — ✓ ✓ ✓ ✓ ✓
overflow protection
(IPv4)
OSPF graceful — — — — ✓ ✓ ✓ ✓ ✓
restart (helper mode
only) (IPv4)
VRRP (IPv4/IPv6) ✓ — — — ✓ ✓ ✓ ✓ ✓
(See Note 3.)
BGP (IPv4/IPv6) — — — — — — ✓ ✓ ✓
(See Note 3.)
IS-IS (IPv4/IPv6) — — — — ✓ ✓ ✓ ✓ ✓
(See Note 3.)
Hardware-based — — — — — — ✓ ✓ ✓
ECMP (IPv4)
VRF (IPv4/IPv6) — — — — — — — ✓ ✓
Static BFD ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
(IPv4/IPv6)
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
uRPF — — — — — — ✓ ✓ ✓
High Availability
MCLAG Partial — — — ✓ ✓ ✓ ✓ ✓
(multichassis link
aggregation)
STP supported in — — — — ✓ ✓ ✓ ✓ ✓
MCLAGs
IGMP snooping in ✓ — — — ✓ ✓ ✓ ✓ ✓
MCLAG
Quality of Service
802.1p support, ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓
including priority
queuing trunk and
WRED
QoS marking — — ✓ — ✓ ✓ ✓ ✓ ✓
(IPv4/IPv6)
Summary of ✓ — ✓ ✓ ✓ ✓ ✓ ✓ ✓
configured queue
mappings
Egress priority — — ✓ — ✓ ✓ ✓ ✓ ✓
tagging (IPv4/IPv6)
ECN (IPv4/IPv6) — — — — ✓ — ✓ ✓ ✓
Real-time egress — — — — — ✓ ✓ ✓ ✓
queue rates
Miscellaneous
PoE-pre-standard — ✓ ✓ FS-1xxE ✓ ✓ ✓ — —
detection (See Note POE
1.)
Feature GUI 112D- FSR- 1xxE, 4xxE 200 500 1024D, 3032D,
supported POE 124D 1xxF Series, Series 1048D, 3032E
400 1048E
Series
Control of — ✓ ✓ — ✓ ✓ ✓ ✓ ✓
temperature alerts
TDR (time-domain ✓ — ✓ ✓ ✓ ✓ ✓ — —
reflectometer)/cable
diagnostics support
Cut-through — — — — — — — ✓ ✓
switching
Energy-efficient ✓ ✓ ✓ ✓ ✓ ✓ ✓ — —
Ethernet
Notes
1. PoE features are applicable only to the model numbers with a POE or FPOE suffix.
2. 24-port LAG is applicable to 524D, 524-FPOE, 1024D, and 3032D models. 48-port LAG is applicable to 548D, 548-
FPOE, and 1048D models.
3. To use the dynamic layer-3 protocols, you must have an advanced features license.
4. The per-VLAN MAC learning limit and per-trunk MAC learning limit are not supported on the 448D/448D-
POE/448D-FPOE/248E-POE/248E-FPOE/248D series.
5. Supported only in 100G mode (clause 91).
6. On the 3032E, you can split one port at the full base speed, split one port into four sub-ports of 25 Gbps each
(100G QSFP only), or split one port into four sub-ports of 10 Gbps each (40G or 100G QSFP).
7. Supported on 5xxD 10G ports.
Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial configuration of
the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have administrative access to
the FortiSwitch unit’s GUI and CLI.
Management ports
This chapter describes how to configure management ports on the FortiSwitch unit.
The following topics are covered:
l Models without a dedicated management port on page 26
l Models with a dedicated management port on page 29
l Remote access to the management port on page 31
l Example configurations on page 32
For FortiSwitch models without a dedicated management port, configure the internal interface as the management
port.
NOTE: For FortiSwitch models without a dedicated management port, the internal interface has a default VLAN ID of 1.
end
next
edit <vlan name>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
set interface internal
set vlanid <VLAN id>
set secondary-IP enable
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
end
end
For FortiSwitch models with a dedicated management port, configure the IP address and allowed access types for the
management port.
NOTE: For FortiSwitch models with a dedicated management port, the internal interface has a default VLAN identifier
of 4094.
1. Go to System > Network > Interface > Physical, select Edit for the mgmt interface.
next
edit internal
set type physical
end
end
To provide remote access to the management port, configure a static route. Set the gateway address to the IP address
of the router.
Example configurations
In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch unit has a
default VLAN across all physical ports and its internal port.
Syntax
In this example, an out-of-band management interface is used as the dedicated management port. You can configure
the management port for local or remote access.
Router
(192.168.0.10)
Remote
Access
You can use the default “admin” account to configure administrator accounts, adjust system settings, upgrade firmware,
create backup files, and configure security features.
This chapter covers the following topics:
l Setting the time and date on page 35
l Configuring system banners on page 36
l Configuring the temperature sensor on page 38
l Setting the boot partition on page 40
l Upgrading the firmware on page 38
l Backing up the system configuration on page 41
l Remote authentication servers on page 41
l Configuring system administrators on page 44
l Configuring administrative logins on page 51
l Using PKI on page 52
l Configuring security checks on page 53
l Logging on page 55
l Fault relay support on page 57
l Using SSH and the Telnet client on page 57
For effective scheduling and logging, the system date and time must be accurate. You can either manually set the
system date and time or configure the system to automatically keep its time correct by synchronizing with a Network
Time Protocol (NTP) server.
NOTE: Some FortiSwitch models do not have a battery-backup real-time clock. For FortiSwitch models without a real-
time clock, the time is reset when the switch is rebooted. These models must be connected to an NTP server if you want
to maintain the correct system date and time.
The Network Time Protocol enables you to keep the system time synchronized with other network systems. This will
also ensure that logs and other time-sensitive settings are correct.
When the system time is synchronized, polling occurs every 2 minutes. When the system time is not synchronized but
the NTP server can be reached, polling is attempted every 2 seconds to synchronize quickly. If the NTP server cannot be
reached, polling occurs up to every 64 seconds. If DNS cannot resolve the host name, polling occurs up to every 60
seconds.
Starting in FortiSwitchOS 6.4.0, the default Sync Interval is 10 minutes. The polling interval is one-fifth of the configured
Sync Interval.
If you use an NTP server, you can identify the IPv4 or IPv6 address for this self-originating traffic with the set
source-ip or set source-ip6 command. For example, you can set the source IPv4 address of NTP to be on the
DMZ1 port with an IP of 192.168.4.5:
config system ntp
set authentication enable
set ntpsyn enable
set syncinterval 5
set source-ip 192.168.4.5
end
You can specify system banner messages in the CLI that will appear when users log in using either the CLI or the GUI.
You can enter up to 2,048 characters for each system banner. Currently, only text is supported. By default, no system
banners are displayed.
The GUI displays the pre-login banner before you enter your user name or password:
The GUI displays the post-login banner after you enter your user name and password and select Log In:
For example:
S548DF5018000776 # config system global
S548DF5018000776 (global) # set pre-login-banner "All systems will be unavailable,
> starting at midnight. Please exit all applications by then."
S548DF5018000776 (global) # set post-login-banner "Remember to exit before midnight."
S548DF5018000776 (global) # end
NOTE: For multi-line messages, just press the Return key between lines.
If your FortiSwitch unit has a temperature sensor, you can set a warning and an alarm for when the system temperature
reaches specified temperatures. When these thresholds are exceeded, a log message and SNMP trap are generated.
The warning threshold must be lower than the alarm threshold.
Use the following commands to set warning and alarm thresholds:
config system snmp sysinfo
set status enable
set trap-temp-warning-threshold <temperature in degrees Celsius>
set trap-temp-alarm-threshold <temperature in degrees Celsius>
end
By default, the FortiSwitch unit generates an alert (in the form of an SNMP trap and a SYSLOG entry) every 30 minutes
when the temperature sensor exceeds its set threshold. You can change this interval with the following commands:
config system global
set alertd-relog enable
set alert-interval <1-1440 minutes>
end
You can upgrade the firmware from the dashboard or from the system configuration page.
1. Go to System > Dashboard.
2. Next to the Firmware Version field, select Update.
3. Select Apply.
You can download a firmware image from an FTP server, from a FortiManager unit, or from a TFTP server. The
FortiSwitch unit reboots and then loads the new firmware.
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
[<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
The following example shows how to upload a configuration file from a TFTP server to the FortiSwitch unit and restart
the FortiSwitch unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
You can also load a firmware image from an FTP or TFTP server without restarting the FortiSwitch unit:
execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>
To verify the integrity of the images in the primary and secondary (if applicable) flash partitions, use the following
commands:
execute verify image primary
execute verify image secondary
If the image is corrupted or missing, the command fails with a return code of -1.
For example:
execute verify image primary
You can restore or upgrade the basic input/output system (BIOS) if needed. After a BIOS upgrade, passwords for all
FortiSwitch local users must be reconfigured using the config user local setting.
CAUTION: Only restore or upgrade the BIOS if Customer Support recommends it.
To upgrade or restore the BIOS from the CLI:
execute restore bios tftp <filename_str> <server_ipv4[:port_int]>
For example:
execute restore bios tftp PPC/FS-3032D/04000009/FS3D323Z14000004.bin 10.105.2.201
The example downloads the BIOS file from the TFTP server at the specified IPv4 address.
NOTE: If the BIOS upgrade fails, do not restart the FortiSwitch unit. Instead, try the CLI command again. If repeating
the CLI command does not work, the FortiSwitch unit might require a return merchandise authorization (RMA).
You can specify the flash partition for the next reboot. The system can use the boot image from either the primary or the
secondary flash partition:
execute set-next-reboot <primary | secondary>
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.
If your FortiSwitch model has dual flash memory, you can use the primary and backup partitions for image rotation. By
default, this feature is enabled.
config system global
set image-rotation <enable | disable>
end
1. Go to System > Dashboard.
2. Next to the System Configuration field, select Backup.
You can enter a password to encrypt the backup file. Passwords can be up to 15 characters in length.
If you are using remote authentication for administrators or users, you need to configure one of the following:
l RADIUS server
l TACACS+ server
RADIUS server
The information you need to configure the system to use a RADIUS server includes:
l the RADIUS server’s domain name or IP address
l the RADIUS server’s shared secret key
The default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. You can configure the FortiSwitch
unit to use port 1645:
config system global
set radius-port 1645
end
Field Description
Name Enter a name to identify the RADIUS server on the FortiSwitch unit.
Primary Server Address Enter the domain name (such as fgt.example.com) or the IP address of the
RADIUS server.
Primary Server Secret Enter the server secret key, such as radiusSecret. This key can be a
maximum of 16 characters long.
This value must match the secret on the RADIUS primary server.
Secondary Server Optionally enter the domain name (such as fgt.example.com) or the IP
Name/IP address of the secondary RADIUS server.
Field Description
Secondary Server Secret Optionally, enter the secondary server secret key, such as radiusSecret2.
This key can be a maximum of 16 characters long.
This value must match the secret on the RADIUS secondary server.
Authentication Scheme If you know the RADIUS server uses a specific authentication protocol,
select Specify Authentication Protocol and select the protocol from the list.
Otherwise, select Use Default Authentication Scheme. The default
authentication scheme will usually work.
NAS IP/Called Station ID Enter the IP address to be used as an attribute in RADIUS access requests.
The NAS IP address is a RADIUS setting or IP address of the FortiSwitch
interface used to talk to the RADIUS server, if not configured.
The Called Station ID is the same value as the NAS IP address but in text
format.
Include in every User When this option is enabled, this RADIUS server is automatically included in
Group all user groups. This option is useful if all users will be authenticating with
the remote RADIUS server.
To configure the FortiSwitch unit for RADIUS authentication, see 802.1x authentication on page 289.
TACACS+ server
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other networked computing devices using one or more centralized servers. TACACS+ allows a client to accept a user
name and password and send a query to a TACACS+ authentication server. The server host determines whether to
accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies and supports both IP and AppleTalk protocols. TACACS+ uses TCP port
49, which is seen as more reliable than RADIUS’s UDP protocol.
Field Description
Authentication Type Select the authentication type to use for the TACACS+ server.
Auto tries PAP, MSCHAP, and CHAP (in that order).
To configure the FortiSwitch unit for TACACS+ authentication, see TACACS on page 319.
In addition to the default “admin” account, you might want to set up other administrators with different levels of system
access.
This section covers the following topics:
l Administrator profiles on page 45
l Creating administrator profiles on page 45
l Access control on page 46
l Adding administrators on page 48
l Monitoring administrators on page 49
l Setting the default administrator password on page 49
l Setting the password retries and lockout time on page 50
l Setting the idle timeout on page 50
Administrator profiles
Administer profiles define what the administrator user can do when logged into the FortiSwitch unit. When you set up an
administrator user account, you also assign an administrator profile, which dictates what the administrator user will see.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow them to view and
configure as much, or as little, as required.
The super_admin administrator is the administrative account that the primary administrator should have to log into the
FortiSwitch unit. The profile cannot be deleted or modified to ensure there is always a method to administer the
FortiSwitch unit. This user profile has access to all components of the system, including the ability to add and remove
other system administrators. For some administrative functions, such as backing up and restoring the configuration
using SCP, super_admin access is required.
To configure administrator profiles, go to System > Admin > Profiles. You can only assign one profile to each
administrator user.
On the Add Profile page, you define the components of the FortiSwitch unit that will be available to view and/or edit.
For example, if you configure a profile so that the administrator can only access System Configuration, this admin will
not be able to change Network settings. For more detail about what is covered by each access control, see Access
control on page 46.
Access control
Adding administrators
Only the default “admin” account can create a new administrator account. If required, you can add an additional account
with read-write access control to add new administrator accounts.
If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will
show only the administrators for the current virtual domain.
When adding administrators, you are setting up the administrator’s user account. An administrator account comprises
an administrator’s basic settings as well as their access profile. The access profile is a definition of what the
administrator is capable of viewing and editing.
Follow one of these procedures to add an administrator.
Monitoring administrators
You can find out which administrators are logged in by looking at the System Information section of the Dashboard.
The Current Administrator row shows the administrators logged in and the total logged in. Selecting Details displays
the information for each administrator: where they are logging in from and how and when they logged in.
By default, your system has an administrator account set up with the user name admin and no password. On your first
login to the GUI or CLI of a new FortiSwitch unit, you must create a password. You are also forced to create a password
after resetting the FortiSwitch configuration to the factory default settings with the execute factory reset or
execute factoryresetfull command.
1. From the admin menu in the page banner, select Change Password.
2. Enter the new password in the Password and Confirm Password fields. Passwords can be up to 64 characters in
length.
3. Select Change.
By default, the system includes a set number of three password retries, allowing the administrator a maximum of three
attempts to log into their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts can be set to an alternate value, as well as the default wait time before the administrator can
try to enter a password again. You can also change this value to make it more difficult to hack. Both settings are must be
configured with the CLI
For example, to set the lockout threshold to one attempt and the duration before the administrator can try again to log in
to five minutes, enter these commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone
from using the GUI if the management PC is left unattended.
o Display language
4. Select Apply.
You can configure the RADIUS server to set the access profile. This process uses RADIUS vendor-specific attributes
(VSAs) passed to the FortiSwitch unit for authorization. The RADIUS access profile override is mainly used for
administrative logins.
4. In the Administrator field, enter a name for the RADIUS system administrator.
5. Select the user group.
6. Select Wildcard.
7. Select Accprofile Override.
8. Select Add.
The following code creates a RADIUS-system admin group with accprofile-override enabled:
config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile no_access
set wildcard enable
Ensure that the RADIUS server is configured to send the appropriate VSA.
To send an appropriate group membership and access profile, set VSA 1 and VSA 6, as in the following code:
VENDOR fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 <admin profile>
ATTRIBUTE Fortinet-Access-Profile 6 <access profile>
The value of VSA 1 must match the remote group, and VSA 6 must match a valid access profile.
Using PKI
You can use Public Key Infrastructure (PKI) to require administrators to provide a valid certificate when logging in with
HTTPS.
Use the following steps to configure PKI:
1. Configure a peer user.
2. Add the peer user to a user group.
3. Configure the administrator account.
4. Configure the global settings.
For example:
config user peer
edit pki_peer_1
set ca Fortinet_CA
next
end
For example:
For example:
config system admin
edit pki_admin_1
set peer-auth enable
set peer-group pki_group_1
next
end
You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if the system detects the
specified condition. Use the appropriate syntax for your FortiSwitch model:
l Syntax (for model FS-112D-POE) on page 53
l Syntax (for all other FortiSwitch models) on page 54
tcp-syn-data TCP SYN packet contains additional data (possible DoS attack). disable
tcp-udp-port-zero TCP or UDP packet has source or destination port set to zero. disable
tcp_flag_FUP TCP packet with FIN, URG and PSH flag set. disable
tcp_flag_SF TCP packet with SYN and FIN flag set. disable
tcp_flag_SR TCP packet with SYN and RST flag set. disable
tcp_arp_mac_mismatch ARP packet with MAC source address mismatch between the layer- 2 disable
header and the ARP packet payload.
tcp-port-eq TCP packet with source and destination TCP port equal. disable
tcp-flag-FUP TCP packet with FIN, URG, and PSH flags set, and sequence disable
number is zero.
tcp-flag-SF TCP packet with SYN and FIN flag set. disable
udp-port-eq IP packet with source and destination UDP port equal. disable
Logging
FortiSwitchOS provides a robust logging environment that enables you to monitor, store, and report traffic information
and FortiSwitch events, including attempted log ins and hardware status. Depending on your requirements, you can log
to a number of different hosts.
4. From the User dropdown list, select which user or process generated the log entry.
5. From the User Interface dropdown list, select the IP network service that applies to the log entry.
6. From the Action dropdown list, select the event to view.
7. From the Status dropdown list, select the event result to view.
Syslog server
Sysog is an industry standard for collecting log messages for off-site storage. You can send logs to a single syslog
server. The syslog server can be configured in the GUI or CLI. Reliable syslog (RFC 6587) can be configured only in the
CLI.
end
For example, to set the source IP address of a syslog server to have an IP address of 192.168.4.5:
config log syslogd setting
set status enable
set source-ip 192.168.4.5
end
For example:
config log syslogd setting
set status enable
set source-ip 192.168.4.5
set mode reliable
set port 6514 // This is the default port used for reliable syslog.
set enc-algorithm high-medium
set certificate "155-sub-client"
end
Fault relays are normally closed relays. When the FSR-112D-POE loses power, the relay contact is in a closed state,
and the alarm circuit is triggered.
Starting in FortiSwitchOS 6.2.0, you can use both IPv4 and IPv6 addresses with SSH and Telnet. If the IPv6 address is a
link-local address, you must specify an output interface using %. For example:
execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute ssh admin@172.20.120.122
execute ssh 1002::21
execute ssh 12.345.6.78
execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute telnet 1002::21
execute telnet 12.345.6.78
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have
read-only access to FortiSwitch system information through queries and can receive trap messages from the FortiSwitch
unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting
the FortiSwitch MIB File download link.
This chapter covers the following topics:
l SNMP access on page 58
l SNMP agent on page 59
l SNMP community on page 59
SNMP access
Ensure that the management VLAN has SNMP added to the access-profiles.
NOTE: Re-enter the existing allowed access types and add snmp to the list.
SNMP agent
SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community,
devices can communicate by sending and receiving traps and other information. One device can belong to multiple
communities, such as one administrator terminal monitoring both a FortiGate SNMP and a FortiSwitch SNMP
community.
Add SNMP communities to your FortiSwitch unit so that SNMP managers can connect to view system information and
receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and
traps. Each community can be configured to monitor the FortiSwitch unit for a different set of events. You can also add
the IP addresses of up to eight SNMP managers for each community.
6. Select V1, V2C, or both and enter the local and remote port numbers that the FortiSwitch unit uses to send SNMP
v1 and SNMP v2c traps to the SNMP managers in this community.
7. Select which events to report.
8. Select Add.
l Manually Save—You must manually save configuration changes from the Backup link on the System >
Dashboard.
l Manually Save and Revert Upon Timeout—You must manually save configuration changes. The system
reverts to the saved configuration after a timeout. You can set the timeout using the CLI:
config system global
set cfg-revert-timeout <integer>
3. If you select Revision Backup on Logout, the FortiSwitch unit creates a configuration file each time a user logs out.
4. If you select Revision Backup on Upgrade, the FortiSwitch unit creates a configuration file before starting a
system upgrade.
5. Select Update.
SSL configuration
You can set strong cryptography and select which certificates are used by the FortiSwitch unit.
has been signed by a public CA. This is the default certificate for 802.1x authentication.
l Fortinet_Factory —This certificate is embedded in the hardware at the factory and is unique to this unit. It has
has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other
unit could use this same certificate to spoof the identity of this unit.
4. Select one of the 802.1x certificate authority (CA) options:
l Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
l Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
l Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
l Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
lFortinet_CA2—Select this CA if you want to use the factory-installed certificate.
5. Select one of the GUI HTTPS certificate options:
l Entrust_802.1x —This certificate is embedded in the firmware and is the same on every unit (not unique). It
has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other
unit could use this same certificate to spoof the identity of this unit.
6. Select Update.
Use the following command to display the list of configuration file revisions:
execute revision list config
The FortiSwitch unit assigns a numerical ID to each configuration file. To display a particular configuration file contents,
use the following command and specify the ID of the configuration file:
execute revision show config id <ID number>
The following example displays the configuration file contents for revision ID 62:
#config-version=FS1D24-3.04-FW-build171-160201:opmode=0:vdom=0:user=admin
#conf_file_ver=1784779075679102577
#buildno=0171
#global_vdom=1
config system global
set admin-concurrent enable
...
(output truncated)
IP conflict detection
IP conflicts can occur when two systems on the same network are using the same IP address. The FortiSwitch unit
monitors the network for conflicts and raises a system log message and an SNMP trap when it detects a conflict.
The IP conflict detection feature provides two methods to detect a conflict. The first method relies on a remote device to
send a broadcast ARP (Address Resolution Protocol) packet claiming ownership of a particular IP address. If the IP
address in the source field of that ARP packet matches any of the system interfaces associated with the receiving
FortiSwitch system, the system logs a message and raises an SNMP trap.
For the second method, the FortiSwitch unit actively broadcasts gratuitous ARP packets when any of the following
events occurs:
l System boot-up
l Interface status changes from down to up
l IP address change
If a system is using the same IP address, the FortiSwitch unit receives a reply to the gratuitous ARP. If it receives a
reply, the system logs a message.
If the system detects an IP conflict, the system generates the following log message:
IP Conflict: conflict detected on system interface mgmt for IP address 10.10.10.1
A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols
such as STP. If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents
unwanted access to the physical ports.
The port flap guard detects how many times a port changes status during a specified number of seconds, and the
system shuts down the port if necessary. You can manually reset the port and restore it to the active state.
When the flap guard is triggered, the status for the port is shown as “triggered” in the output of the diagnose
flapguard status command. By default, rebooting the switch resets the state of the flap guard and removes the
“triggered” state. You can change the setting so that the triggered state remains after a switch is rebooting until the port
is reset. See Resetting a port on page 66.
The port flap guard is configured and enabled on each port. The default setting is disabled.
The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30
with a default setting of 5.
The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a
default setting of 30 seconds.
The flap timeout (CLI only) is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The
default setting of 0 means that there is no timeout.
NOTE:
l If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch
has fully booted up and calculated that the timeout has occurred.
l The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state
until the switch has fully booted up—at which point the trigger is cleared:
o FS-1xxE
o FS-2xxD/E
o FS-4xxD
o FS-4xxE
For example:
config switch physical-port
edit port10
set flapguard enabled
set flap-rate 15
set flap-duration 100
set flap-timeout 30
end
Resetting a port
After the flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the
port and restore it to service.
3. Select Reset.
For example:
execute flapguard reset port15
Use the following command to check if the flap guard is enabled on a specific port:
show switch physical-port <port_name>
For example:
show switch physical-port port10
Use the following command to display the port flap guard information for all ports:
diagnose flapguard status
Link monitor
You can monitor the link to a server. The FortiSwitch unit sends periodic ping messages to test that the server is
available. In the CLI, you can use both IPv4 and IPv6 addresses.
Variable Description
addr-mode {ipv4 | Select whether to use IPv4 or IPv6 addresses. The default is IPv4 addresses.
ipv6}
protocol {arp Protocols used to detect the server. Select ARP or ping.
| ping}
gateway-ip Gateway IPv4 address used to PING the server. This option is available only when
<IPv4 address> addr-mode is set to ipv4.
gateway-ip6 <IPv6 Gateway IPv6 address used to PING the server. This option is available only when
address> addr-mode is set to ipv6.
source-ip Source IPv4 address used in packet to the server. This option is available only when
<IPv4 address> addr-mode is set to ipv4.
source-ip6 <IPv6 Source IPv6 address used in packet to the server. This option is available only when
address> addr-mode is set to ipv6.
interval <integer> Detection interval in seconds. The range is 1-3600.
failtime <integer> Number of retry attempts before bringing the server down. The range is 1-10.
recoverytime Number of retry attempts before bringing the server up. The range is 1-10.
<integer>
status {enable | Enable or disable link monitor administrative status. The default is enabled.
disable}
Unicast hashing
You can configure the trunk hashing algorithm for unicast packets to use the source port:
config switch global
set trunk-hash-unicast-src-port {enable | disable}
end
By default, all FortiSwitch models use the store-and-forward technique to forward packets. This technique waits until the
entire packet is received, verifies the content, and then forwards the packet.
The FS-1024D, FS-1048D, and FS-3032D models also have a cut-through switching mode to reduce latency. This
technique forwards the packet as soon as the switch receives it.
NOTE: For the FS-3032D model, the cut-through switching mode is not supported on split ports.
To change the switching mode for the main buffer for these three models, use the following commands:
config switch global
set packet-buffer-mode {store-forward | cut-through}
end
NOTE: Changing the switching mode might stop traffic on all ports during the change.
NOTE: These commands apply only to the 200 Series and 400 Series.
If you want to use layer-3 interfaces and IGMP snooping on certain FortiSwitch models, you must enable the forwarding
of reserved multicast packets and IPv6 neighbor-discovery packets to the CPU. These features are enabled by default.
config switch global
set reserved-mcast-to-cpu {enable | disable}
set neighbor-discovery-to-cpu {enable | disable}
end
By default, ARP entries in the cache are removed after 300 seconds. Use the following commands to change the default
ARP timeout value:
config system global
set arp-timeout <seconds>
end
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).
PoE is only available on models with the POE suffix in the model number (for example, FS-108E-POE).
Creating a schedule
Use schedules to control when policies are enforced. For example, you can use a schedule to control when an access
control list policy is enforced.
NOTE: If the status of an ACL policy is inactive, the schedule is ignored.
You can create a one-time schedule, a recurring schedule, or a group schedule:
l Use a one-time schedule when you want a policy enforced for a specified period.
l Use a recurring schedule when you want a policy enforced for specified hours and days every week.
l Use a group schedule to combine one-time schedules and recurring schedules.
For example:
config system schedule onetime
edit schedule1
set start 07:00 2019/03/22
set end 07:00 2019/03/29
end
For example:
config system schedule recurring
edit schedule2
set day monday wednesday friday
set start 07:00
set end 08:00
end
For example:
config system schedule group
edit group1
set member schedule1 schedule2
end
Overlapping subnets
You can use the set allow-subnet-inteface command to allow two interfaces to include the same IP address
in the same subnet. The command applies only between the mgmt interface and an internal interface.
NOTE: Different interfaces cannot have overlapping IP addresses or subnets. The same IP address can be used on
different switches.
For example:
config system global
set admintimeout 480
set allow-subnet-overlap enable
set auto-isl enable
end
config system interface
edit "mgmt"
set ip 172.16.86.112 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set type physical
set alias "test"
set snmp-index 27
next
edit "internal"
set ip 10.0.1.112 255.255.255.0
set allowaccess ping
set type physical
set alias "testing-2"
set snmp-index 26
next
end
Use Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to
improve the time precision. There are two transparent-clock modes:
l End-to-end measures the path delay for the entire path
l Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:
1. Configure the global PTP settings.
By default, PTP is disabled.
2. Enable the PTP policy.
By default, the PTP policy is disabled.
3. Apply the PTP policy to a port.
next
end
For example:
config switch ptp settings
set mode transparent-e2e
end
Use the auto topology feature to automatically form an inter-switch link (ISL) between two switches. You need to enable
the feature and specify the mgmt-vlan. The mgmt-vlan is the VLAN to use for the native VLAN on ISL ports and the
native VLAN on the internal switch interface.
NOTE: Do not use the same VLAN for the mgmt-vlan and an existing switch virtual interface (SVI).
config switch auto-network
set mgmt-vlan <1-4094>
set status {enable | disable}
end
For example:
config switch auto-network
set mgmt-vlan 101
set status enable
end
The following sections describe the configuration settings that are associated with FortiSwitch physical ports:
l Configuring general port settings on page 75
l Configuring flow control, priority-based flow control, and ingress pause metering on page 77
l Auto-module speed detection on page 78
l Setting port speed (autonegotiation) on page 78
l Configuring power over Ethernet on a port on page 79
l Energy-efficient Ethernet on page 81
l Diagnostic monitoring interface module status on page 83
l Configuring split ports on page 84
l Configuring QSFP low-power mode on page 87
l Configuring physical port loopbacks on page 87
To clear the statistics on all ports, select Select All and then select Reset Stats.
To clear the statistics on some of the ports, select the ports and then select Reset Stats.
For example:
diagnose switch physical-ports port-stats list 1,3,4-6
To clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports:
diagnose switch physical-ports set-counter-zero [<list_of_ports>]
To restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports:
diagnose switch physical-ports set-counter-revert [<list_of_ports>]
Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.
config switch physical-port
edit <port_name>
set flow-control {both | rx | tx | disable}
end
When priority-based flow control is disabled, 802.3 flow control can be used.
NOTE: Priority-based flow control does not support half-duplex speed. When FortiSwitch ports are set to autonegotiate
the port speed (the default), priority-based flow control is available if the FortiSwitch model supports it. Lossless buffer
management and traffic class mapping are not supported.
If you enable flow control to transmit pause control frames (with the set flow-control tx command), you can
also use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops
the traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when
the port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering
rate in kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config switch physical-port
edit <port_name>
set flow-control tx
set pause-meter-rate <64–2147483647; set to 0 to disable>
set pause-resume {25% | 50% | 75%}
next
end
For example:
config switch physical-port
edit port29
set flow-control tx
set pause-meter-rate 900
set pause-resume 50%
next
end
When you enable auto-module speed detection, the system reads information from the module and sets the port speed
to the maximum speed that is advertised by the module. If the system encounters a problem when reading from the
module, it sets the default speed (default value is platform specific).
When auto-module sets the speed, the system creates a log entry noting this speed.
NOTE: Auto-speed detection is supported on 1/10G ports, but not on higher speed ports (such as 40G).
By default, all of the FortiSwitch user ports are set to autonegotiate the port speed. You can also manually set the port
speed. The port speeds available differ, depending on the port and switch.
The Fortinet data center switches support LLDP (transmission and reception). The link layer discovery protocol (LLDP) is
a vendor-neutral layer-2 protocol that enables devices on a layer-2 segment to discover information about each other.
For details, refer to LLDP-MED on page 126.
You can enable PoE, configure dynamic guard band, and set the priority power allocation for a specific port.
The dynamic guard band is set automatically to the expected power of a port before turning on the port. So, when a PoE
device is plugged in, the dynamic guard band is set to the maximum power of the device type based on the AF or AT
mode. The AF mode DGB is 15.4 W, and the AT mode DGB is 36 W. When the FortiSwitch unit is fully loaded, the
dynamic guard band prevents a new PoE device from turning on.
When power to PoE ports is allocated by priority, lower numbered ports have higher priority so that port 1 has the
highest priority. When more power is needed than is available, higher numbered ports are disabled first.
When power to PoE ports is allocated by first-come, first-served (FCFS), connected PoE devices receive power, but new
devices do not receive power if there is not enough power.
If both priority power allocation and FCFS power allocation are selected, the physical port setting takes precedence over
the global setting.
PoE pre-standard detection is a global setting for the following FortiSwitch models:
FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE,
FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE.
For the other FortiSwitch PoE models, PoE pre-standard detection is set on each
port.
Go to Switch > Port > Physical. The Power column displays the power capacity for each PoE port.
Go to Switch > Port > Physical to see information about each PoE port. Hover over the traffic column to get specific
values.
Energy-efficient Ethernet
When no data is being transferred through a port, energy-efficient Ethernet (EEE) puts the data link in sleep mode to
reduce the power consumption of the FortiSwitch unit. When data flows through the port, the port resumes using the
normal amount of power. EEE works over standard twisted-pair copper cables and supports 10 Mbps, 100 Mbps, 1 Gps,
and 10 Ge. EEE does not reduce bandwidth or throughput.
If you are using the CLI, you can also specify the number of microseconds that circuits are turned off to save power and
the number of microseconds during which no data is transmitted while the circuits that were turned off are being
restarted.
In addition, you can use the LLDP 802.3 TLV to advertise the EEE configuration.
NOTE: EEE is not supported on SFP and QSFP modules.
To check which ports have EEE enabled, go to Switch > Port > Physical. A green arrow in the EEE column indicates
that EEE is enabled for that port. A red arrow in the EEE column indicates that EEE is disabled for that port.
NOTE: When you change the eee-tx-wake-time value, the port resets, and the connection is lost briefly.
config switch physical-port
edit <port_name>
set energy-efficient-ethernet {enable | disable}
set eee-tx-idle-time <0-2560>
set eee-tx-wake-time <0-2560>
end
With diagnostic monitoring interface (DMI), you can view the following information
l Module details (detail)
l Eeprom contents (eeprom)
l Module limits (limit)
l Module status (status)
l Summary information of all a port’s modules (summary)
Use the following commands to enable or disable DMI status for the port. If you set the status to global, the port
setting will match the global setting:
config switch physical-port
edit <interface>
set dmi-status {disable | enable | global}
end
Use the get switch modules detail/status command to display DMI information:
FS108E3W14000720 # get switch modules detail port10
____________________________________________________________
Port(port10)
identifier SFP/SFP+
connector Unk (0x00)
transceiver 1000-Base-T
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable 100 meter
SFP Specific
length_smf_100m N/A
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007
The following is an example of the output for the switch modules status command:
FS108E3W14000720 # get switch modules status port9
____________________________________________________________
Port(port9)
alarm_flags 0x0040
warning_flags 0x0040
temperature 18.792969 C
voltage 3.315100 volts
laser_bias 0.750800 mAmps
tx_power -2.502637 dBm
rx_power -40.000000 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x000C ( RX_LOSS TX_POWER_LEVEL1 )
On FortiSwitch models that provide 40G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout
cable to convert one 40G interface into four 10G interfaces.
Notes
o 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port-name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty-two 100G/25G/10G/1G ports.
o 524D, 524D-FPOE (ports 29 and 30 are splittable)
o 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or 2 x
50G. Only two of the available ports can be split.)
o 1048E (In the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All
four ports can be split, but ports 47 and 48 are disabled.)
o 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G or 4 x 1G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D, the 3032E, and the
1048E models have enough ports to encounter this limit.
l Starting in FortiOS 6.2.0, splitting ports is supported in FortiLink mode (that is, the FortiSwitch unit managed by a
FortiGate unit).
l Starting in FortiSwitchOS 6.4.0, FC-FEC (cl74) is enabled as the default setting for ports that have been split to
4x25G. Use the following commands to change the setting:
end
In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25
Gbps each.
config switch phy-mode
set port-configuration 4x4x25G
set port49-phy-mode 4x25G
set port50-phy-mode 4x25G
set port51-phy-mode 4x25G
set port52-phy-mode 4x25G
end
The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of configuration
on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y
To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port
edit "port1"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port2"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port3"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port4"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port5.1"
set speed 10000full
next
edit "port5.2"
set speed 10000full
next
edit "port5.3"
set speed 10000full
next
edit "port5.4"
set speed 10000full
next
end
On FortiSwitch models with QSFP (quad small form-factor pluggable) ports, you can enable or disable the low-power
mode with the following CLI commands:
config switch physical-port
edit <port_name>
set qsfp-low-power-mode {enabled | disabled}
end
For example:
config switch physical-port
edit port12
set qsfp-low-power-mode disabled
end
You can use the CLI to loop a physical port back on itself, either locally or remotely:
l The local loopback is a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-
address loopback is used instead.
l The remote loopback is a physical-layer lineside loopback.
By default this feature is disabled.
Layer-2 interfaces
Switched interfaces
Default configuration will suffice for regular switch ports. By default, VLAN is set to 1, STP is enabled, and all other
optional capabilities are disabled.
You can configure optional capabilities such as Spanning Tree Protocol, sFlow , 802.1x authentication, and Private
VLANs. These capabilities are covered in subsequent sections of this document.
You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted
when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet
with an unknown MAC address (to drop or forward the packet).
You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the
learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning
to the system log.
NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.
By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1000,000 seconds.
Set the value to zero to not delete learned MAC addresses.
Use the following command to change this value:
config switch global
set mac-aging-interval 200
end
By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events
are logged:
l When a dynamic MAC address is learned
l When a dynamic MAC address is moved
l When a dynamic MAC address is deleted
NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a
short period of time, some events might not be logged.
If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.
To enable or disable the learning-limit violation log, use the following commands. By default, the learning-limit violation
log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more
violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are
displayed in the console.
NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.
config switch global
set log-mac-limit-violations {enable | disable}
end
To view the content of the learning-limit violation log, use one of the following commands:
l get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit
on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was
exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
l get switch mac-limit-violations interface <interface_name>—to see the first MAC address
that exceeded the learning limit on a specific interface
l get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded
the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.
To reset the learning-limit violation log, use one of the following commands:
l execute mac-limit-violation reset all—to clear all learning-limit violation logs
l execute mac-limit-violation reset interface <interface_name>—to clear the learning-limit
violation log for a specific interface
l execute mac-limit-violation reset vlan <VLAN_ID>—to clear the learning-limit violation log for a
specific VLAN
You can also specify how often the learning-limit violation log is reset, use the following commands:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer <0-1500>
end
For example:
config switch global
set log-mac-limit-violations enable
set mac-violation-timer 60
end
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
NOTE:
l You cannot use persistent MAC addresses with 802.1x authentication.
l If you move a device within your network that has a sticky MAC address entry on the switch, remove the sticky MAC
address entry from the interface. If you move the device and do not clear the sticky MAC address from the original
port it was learned on, the new port will not learn the MAC address of the device.
To delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:
1. Go to Switch > Monitor > Forwarding Table.
2. In the Unsaved sticky MACs on field, select an interface or select All.
3. Select Delete.
Use the following command to configure the persistence of MAC addresses on an interface:
config switch interface
edit <port>
set sticky-mac <enable | disable>
next
end
You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following command to save persistent MAC addresses for a specific interface or all interfaces:
execute sticky-mac save {all | interface <interface_name>}
Use the following command to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute sticky-mac delete-unsaved {all | interface <interface_name>}
For example:
config switch static-mac
edit 1
set description "first static MAC address"
set interface port10
set mac d6:dd:25:be:2c:43
set type static
set vlan-id 10
end
Loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Loop guard helps to
prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops.
The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. Each port that has
loop guard enabled will periodically broadcast loop guard data packets (LGDP) packets to its network. If a broadcast
packet is subsequently received by the sending port, a loop exists downstream.
You can also have the port check for a high rate of MAC address moves per second, which indicates a physical loop only
when the rate exceeds the threshold for 6 consecutive seconds.
NOTE: If a port detects a loop, the system takes the port out of service to protect the overall network. The port returns
to service after a configured timeout duration. If the timeout value is zero, you must manually reset the port.
By default, loop guard is disabled on all ports. When loop guard is enabled, the default loop-guard-timeout is 45
minutes, and the default loop-guard-mac-move-threshold is 0, which means that the traditional loop guard is
used instead of the MAC-move loop guard.
1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select one or more interfaces to update and then select Edit.
If you selected more than one port, the port names are displayed in the name field, separated by commas.
3. Select Enable Loop Guard.
4. Select OK to save your changes.
When loop guard takes a port out of service, the system creates the following log messages:
Loop Guard: loop detected on <port_name>. Shutting down <port_name>
Go to Switch > Interface > Physical and check the Loop Guard column.
FortiSwitch ports process tagged and untagged Ethernet frames. Untagged frames do not carry any VLAN information.
Tagged frames include an additional header (the 802.1Q header) after the Source MAC address. This header includes a
VLAN ID. This allows the VLAN value to be transmitted between switches.
The FortiSwitch unit provides port parameters to configure and manage VLAN tagging.
This chapter covers the following topics:
l Native VLAN on page 95
l Allowed VLAN list on page 95
l Untagged VLAN list on page 96
l Packet processing on page 96
l Configuring VLANs on page 97
l Example 1 on page 97
l Example 2 on page 98
l VLAN stacking (QinQ) on page 99
Native VLAN
You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming packets.
Outgoing packets for the native VLAN are sent as untagged frames.
The native VLAN is assigned to any untagged packet arriving at an ingress port.
At an egress port, if the packet tag matches the native VLAN, the packet is sent out without the VLAN header.
Allowed VLAN list
The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive packets.
For a tagged packet arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native
VLAN.
At an egress port, the packet tag must match the native VLAN or a VLAN on the allowed VLAN list.
Untagged VLAN list
The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit packets without the
VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.
The untagged VLAN list applies only to egress traffic on a port.
Packet processing
Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are
assigned the native VLAN, which is implicitly allowed). At this point, all packets are now tagged with a valid VLAN.
The packet is sent to each egress port that can send the packet (because the packet tag value matches the native
VLAN or an Allowed VLAN on the port).
Ingress port
Untagged packet
l packet is tagged with the native VLAN and allowed to proceed
l the Allowed VLAN list is ignored
Tagged packet
l tag VLAN value must match an Allowed VLAN or the native VLAN
l packet retains the VLAN tag and is allowed to proceed
To control what types of frames are accepted by the port, use the following commands:
config switch interface
edit <interface>
set discard-mode <all-tagged | all-untagged | none>
end
Variable Description
all-tagged Tagged frames are discarded, and untagged frames can enter the switch.
all-untagged Untagged frames are discarded, and tagged frames can enter the switch.
none By default, all frames can enter the switch, and no frames are discarded.
Egress port
If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent
out.
Otherwise, the packet is dropped.
Configuring VLANs
Example 1
Purple flow
An untagged packet arriving at Port3 is assigned VLAN 100 (the native VLAN) and flows to all egress ports that will send
VLAN 100 (Port1 and Port4).
A tagged packet (VLAN 100) arriving at Port4 is allowed (VLAN 100 is allowed). The packet is sent out from Port1 and
Port3. On Port3, VLAN 100 is the native VLAN, so the packet is sent without a VLAN tag.
Blue flow
An untagged packet arriving at Port 4 is assigned VLAN 300 (the native VLAN). Then it flows out all ports that will send
Vlan300 (Port 3).
A tagged packet (VLAN 300) arriving at Port3 is allowed. The packet is sent to egress from Port4. VLAN 300 is the native
VLAN on Port4, so the packet is sent without a VLAN tag.
Example 2
Green flow
Between Port1 and Port2, packets are assigned to VLAN 1 at ingress, and then the tag is removed at egress.
Blue flow
Incoming on Port 3, a tagged packet with VLAN value 100 is allowed, because 100 is the Port 3 native VLAN (the
hardware VLAN table accepts a tagged or untagged match to a valid VLAN).
The packet will be sent on port1 and port4 (with packet tag 100).
VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field
specifies where the VLAN header is placed in the Ethernet frame.
Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four
VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or
changed.
NOTE: The following FortiSwitch models support VLAN stacking:
124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-
POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, 3032E
NOTE: The following features are not supported with VLAN stacking:
l DHCP relay
l DHCP snooping
l IGMP snooping
l IP source guard
l PVLAN
l STP
NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-
vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).
vlan-tpid <default | string> Select which VLAN TPID profile to use. The default default
VLAN TPID profile has a value of 0x8100 and cannot be
deleted or changed.
This setting is only for service-provider VLANs (S-
VLANs).
NOTE: If you are not using the default VLAN TPID
profile, you must have already defined the VLAN TPID
profile with the config switch vlan-tpid
command.
config qnq
status {enable | *disable} Enable or disable VLAN stacking (QinQ) mode. disable
add-inner <1-4095> If the QinQ mode is enabled, add the inner tag for No default
untagged packets upon ingress.
edge-type customer If the QinQ mode is enabled, the edge type is set to customer
customer.
priority {follow-c-tag | *follow- If the QinQ mode is enabled, select whether to follow follow-s-tag
s-tag} the priority of the S-tag (service tag) or C-tag (customer
tag).
NOTE: This command is not available on the 224D-
FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D,
448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE
and 248E-FPOE models.
remove-inner {enable | If the QinQ mode is enabled, enable or disable whether disable
*disable} the inner tag is removed upon egress.
s-tag-priority <0-7> If packets follow the priority of the S-tag (service tag), 0
enter the priority value. This option is available only
when the priority is set to follow-s-tag.
NOTE: This command is not available on the 224D-
FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D,
448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE
and 248E-FPOE models.
vlan-tpid <default | string> Select which VLAN TPID profile to use. The default default
VLAN TPID profile has a value of 0x8100 and cannot be
deleted or changed.
This setting is only for service-provider VLANs (S-
VLANs).
NOTE: If you are not using the default VLAN TPID
profile, you must have already defined the VLAN TPID
profile with the config switch vlan-tpid
command.
config vlan-mapping
match-s-vlan <1-4094> If the direction is set to egress, enter the service (outer) 0
VLAN to match.
action {add | delete | replace} Select what happens when the packet is matched: No default
- add—When the packet is matched, add the service
VLAN. You cannot set the action to add for the egress
direction.
- delete—When the packet is matched, delete the
service VLAN. You cannot set the action to delete
for the ingress direction.
- replace—When the packet is matched, replace the
customer VLAN or service VLAN.
This option is only available after you set a value for
match-c-vlan or match-s-vlan.
new-s-vlan <1-4094> Set the new service (outer) VLAN. No default
<VLAN_TPID_profile_name> Enter a name for the VLAN TPID profile name. No default
ether-type <0x0001-0xfffe> Enter a hexadecimal value for the EtherType field. 0x8100
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable).
MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain
switches that are running MSTP, STP, or RSTP.
MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.
Regions
A region is a set of interconnected switches that have the same multiple spanning tree (MST) configuration (region
name, MST revision number, and VLAN-to-instance mapping). A network can have any number of regions. Regions are
independent of each other because the VLAN-to-instance mapping is different in each region.
The FortiSwitch unit supports 15 MST instances in a region. Multiple VLANs can be mapped to each MST instance.
Each switch in the region must have the identical mapping of VLANs to instances.
The MST region acts like a single bridge to adjacent MST regions and to non-MST STPs.
IST
Instance 0 is a special instance, called the internal spanning-tree instance (IST). IST is a spanning tree that connects all
of the MST switches in a region. All VLANs are assigned to the IST.
IST is the only instance that exchanges bridge protocol data units (BPDUs). The MSTP BPDU contains information for
each MSTP instance (captured in an M-record). The M-records are added to the end of a regular RSTP BPDU. This
allows MSTP region to inter-operate with an RSTP switch.
CST
The common spanning tree (CST) interconnects the MST regions and all instances of STP or RSTP that are running in
the network.
MST does not use the BPDU message age within a region. The message-age and maximum-age fields in the BPDU are
propagated unchanged within the region.
Within the region, a hop-count mechanism is used to age out the BPDU. The IST root sends out BPDUs with the hop
count set to the maximum number of hops. The hop count is decremented each time the BPDU is forwarded. If the hop
count reaches zero, the switch discards the BPDU and ages out the information on the receiving port.
STP port roles
STP assigns a port role to each switch port. The role is based on configuration, topology, relative position of the port in
the topology, and other considerations. Based on the port role, the port either sends or receives STP BPDUs and
forwards or blocks the data traffic. Here is a brief summary of each STP port role:
l Designated—One designated port is elected per link (segment). The designated port is the port closest to the root
bridge. This port sends BPDUs on the link (segment) and forwards traffic towards the root bridge. In an STP
converged network, each designated port is in the STP forwarding state.
l Root—The bridge can have only one root port. The root port is the port that leads to the root bridge. In an STP
converged network, the root port is in the STP forwarding state.
l Alternate—Alternate ports lead to the root bridge but are not root ports. The alternate ports maintain the STP
blocking state.
l Backup—This is a special case when two or more ports of the same switch are connected together (either directly
or through shared media). In this case, one port is designated, and the remaining ports are backup (in the STP
blocking state).
STP loop protection
The STP loop-protection feature provides additional protection against layer-2 forwarding loops (STP loops). An STP
loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state.
A port remains in blocking state only if it continues to receive BPDU messages. If it stops receiving BPDUs (for example,
due to unidirectional link failure), the blocking port (alternate or backup port) becomes designated and transitions to a
forwarding state. In a redundant topology, this situation may create a loop.
If the loop-protection feature is enabled on a port, that port is forced to remain in blocking state, even if the port stops
receiving BPDU messages. It will not transition to forwarding state and does not forward any user traffic.
The loop-protection feature is enabled on a per-port basis. Fortinet recommends that you enable loop protection on all
nondesignated ports (all root, alternate, and backup ports).
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.
MSTP configuration
Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers
are common to all instances because only the IST sends out BPDUs.
Settings Guidelines
Flood BPDU Packets Select this checkbox if you want the STP packets arriving at any port to
pass through the switch without being processed. If you do not select this
checkbox,STP packets arriving at any port are blocked.
This option is only available when MSTP is disabled.
Name Region name. All switches in the MST region must have the identical
name.
Revision The MSTP revision number. All switches in the region must have the
same revision number.
The range of values is 0 to 65535.
The default value is 0.
Hello Time (Seconds) Hello time is how often (in seconds) that the switch sends out a BPDU.
The range of values is 1 to 10.
The default value is 2.
Forward Time (Seconds) Forward time is how long (in seconds) a port will spend in the listening-
and-learning state before transitioning to forwarding state.
The range of values is 4 to 30.
The default value is 15.
Max Age (Seconds) The maximum age before the switch considers the received
BPDU information on a port to be expired. Max-age is used when
interworking with switches outside the region.
The range of values is 6 to 40.
The default value is 20.
Settings Guidelines
Max Hops Maximum hops is used inside the MST region. Hop count is
decremented each time the BPDU is forwarded. If max-hops reaches
zero, the switch discards the BPDU and ages out the information on the
receiving port.
The range ange of values is 1 to 40.
The default value is 20.
Configuring an MST instance
The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port
parameters for each instance.
2. Select Add Instance to create a new MST instance or select an existing instance and then select Edit.
Settings Guidelines
ID Instance identifier. The range is 0-32 for 5xx models and higher. For all
other models, the range is 0 - 15.
Priority Priority is a component of bridge ID. The switch with the lowest bridge ID
becomes the root switch for this MST instance.
Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,
32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
The default value is 32768.
VLAN Range The VLANs that map to this MST instance. You can specify individual
VLAN numbers or a range of numbers.
NOTE: Do not assign any VLAN to more than one MST instance.
Each VLAN number is in the range 1-4094.
Port Configuration
Name Port that will participate in this MST instance.
Cost The switch uses port cost to select designated ports. Port cost is added
to the received BPDU root cost in any BPDU sent on this port.
A lower value is preferred. The range of values is 1 to 200,000,000.
The default value depends on the interface speed:
- 10 Gigabit Ethernet: 2,000
- Gigabit Ethernet: 20,000
- Fast Ethernet: 200,000
- Ethernet: 2,000,000
Priority The switch uses port priority to choose among ports of the same cost.
The port with the lowest priority is put into forwarding state. The valid
values are: 0, 32, 64, 96, 128, 160, 192, and 224.
The default value is 128.
Example:
config switch stp instance
edit "1"
set priority 8192
config stp-port
edit "port18"
set cost 0
set priority 128
next
edit "port19"
set cost 0
set priority 128
next
end
set vlan-range 5 7 11-20
end
You can use the edge-port setting when a device connected to a FortiSwitch port is not an STP bridge. When this setting
is enabled, the FortiSwitch port immediately moves to a forwarding state rather than passing through listening and
learning states.
By default, STP (and edge port) is enabled on all ports.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.
You can set how long the port will go down for when a BPDU is received for a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have manually reset the port.
To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.
For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:
config switch stp settings
set status enable
end
config switch interface
edit port30
set stp-state enabled
set edge-port enabled
set stp-bpdu-guard enabled
set stp-bpdu-guard-timeout 60
next
end
If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following
command to reset the port:
execute bpdu-guard reset <port_name>
To check if BPDU guard has been triggered and on which ports, use the following command:
diagnose bpdu-guard display status
Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ __________________
port1 disabled - - - -
port2 disabled - - - -
port3 disabled - - - -
port4 disabled - - - -
port5 disabled - - - -
port6 disabled - - - -
port7 disabled - - - -
port8 disabled - - - -
port9 disabled - - - -
port10 disabled - - - -
port11 disabled - - - -
port12 disabled - - - -
port13 disabled - - - -
port14 disabled - - - -
port15 disabled - - - -
port16 disabled - - - -
port17 disabled - - - -
port18 disabled - - - -
port19 disabled - - - -
port20 disabled - - - -
port21 disabled - - - -
port22 disabled - - - -
port23 disabled - - - -
port25 disabled - - - -
port26 disabled - - - -
port27 disabled - - - -
port28 disabled - - - -
port29 disabled - - - -
port30 enabled - 60 0 -
__FoRtI1LiNk0__ disabled - - - -
You can also check BPDU guard by going to the Monitor > BPDU Guard page.
A boundary port on an MST switch is a port that receives an STP (version 0) BPDU, an RSTP (version 2) BPDU, or a
BPDU from a different MST region.
If the port receives a version 0 BPDU, it will only send version 0 BPDUs on that port. Otherwise, it will send version 3
(MST) BPDUs because the RSTP switch will read this as an RSTP BPDU.
Use the following commands to display information about the MSTP instances in the network:
diagnose stp instance list
diagnose stp vlan list
diagnose stp mst-config list
Starting in FortiSwitchOS 6.2.2, FortiSwitch units can now interoperate with a network that is running RPVST+. The
existing networkʼs configuration can be maintained while adding FortiSwitch units as an extended region.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region
duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+
domain.
In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within MSTP region.
l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.
In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
Use one of the following commands to check your configuration and to diagnose any problems.
l diagnose stp instance list
If either rule is violated, the RPVST port is flagged with “IC” in the command output, and the port is in the Discard
state.
If the VLANs used by the RPVST+ domain are not all within the VLAN range configured on the RPVST port, an “MV”
flag is displayed in the command output. NOTE: Only the ports in instance 0 show this flag.
This command shows the status of one port or all ports. If any of the ports is in the “IC” state, the command output
gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.
This command clears all flags and timers on the RPVST+ port.
This chapter provides information on how to configure a link aggregation group (LAG). For LAG control, the FortiSwitch
unit supports the industry-standard Link Aggregation Control Protocol (LACP). The FortiSwitch unit supports LACP in
active and passive modes. In active mode, you can optionally specify the minimum and maximum number of active
members in a trunk group.
You can also use the CLI to specify how an aggregator groups ports when the trunk is in LACP mode. Ports can be
grouped into the aggregator with the largest bandwidth or the aggregator with the most ports.
The FortiSwitch unit supports flap-guard protection for switch ports in a LAG.
This chapter covers the following topics:
l Configuring the trunk and LAG ports on page 116
l Checking the trunk configuration on page 118
set port-selection-criteria
{src-ip | src-mac | dst-ip |dst-mac | src-dst-ip |src-dst-mac}
end
end
Example configuration
Trunk/LAG ports
1. Configure the trunk 1 interface and assign member ports as a LAG group:
2. Configure the switch ports to have native VLAN assignments and allow those VLANs on the port that will be the
uplink port:
3. Configure the trunk 2 interface and assign member ports as a LAG group:
Go to Switch > Port > Trunk or Switch > Monitor > Trunks.
MCLAG
A link aggregation group (LAG) provides link-level redundancy. A multichassis LAG (MCLAG) provides node-level
redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either
switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the
delays associated with the Spanning Tree Protocol (STP).
This chapter covers the following topics:
l Notes on page 119
l Example configuration on page 120
l Detecting a split-brain state on page 121
l Viewing the configured trunk on page 121
l Configuring an MCLAG with IGMP snooping
Notes
l When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the
local aggregate interface.
l Fortinet recommends that both peer switches be of the same hardware model and same software version.
Mismatched configurations might work but are unsupported.
l There is a maximum of two FortiSwitch models per MCLAG.
l The routing feature is not available within a MCLAG.
l Starting in FortiSwitchOS 3.6.4, by default, the MCLAG can use the STP.
l To use static MAC addresses within a MCLAG, you need to configure MAC addresses on both switches that form
the LAG.
l When you run an MCLAG, Fortinet recommends but does not require that peers use the same hardware and
software versions. Some hosts might not be dual-home supported when MCLAG peers have different hardware;
administrators need to size the layer-2 network to the MCLAG peer with the lowest capacity.
Example configuration
When the split-brain state occurs, one of switches in the MCLAG goes dormant. Any devices connected to the dormant
switch will lose network connectivity. The switch that goes dormant is the switch with the lowest numerical MAC address
between the two peers.
Starting in FortiSwitchOS 6.2.2, you can use the CLI to detect when an MCLAG is in a split-brain state when the
MCLAG ICL trunk is down. When the LACP is up again, the MCLAG trunk is reestablished. You can use this command
in both one-tier and two-tier MCLAG topologies.
By default, split-brain detection is disabled. To enable the detection of the split-brain state:
config switch global
set mclag-split-brain-detect enable
end
NOTE:
l Enabling split-brain detection can cause some traffic loss while the LACP is renegotiated.
l You can configure only one mclag-split-brain-detect at a time on a tier one or tier two of a two-tier MCLAG
topology.
l Only one failure in a system is supported.
For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware
enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-
reports enable command on each MCLAG core FortiSwitch unit. For example:
config switch global
set mac-aging-interval 600
set mclag-igmpsnooping-aware enable
config port-security
set max-reauth-attempt 3
end
end
config switch interface
edit "D483Z15000094-0"
set native-vlan 4094
set allowed-vlans 1-4094
set dhcp-snooping trusted
set stp-state disabled
set edge-port disabled
set igmp-snooping-flood-reports enable
set snmp-index 58
next
end
You can use a FortiSwitch unit to configure multi-stage load balancing on a set of FortiGate units. This capability allows
you to scale security processing while maintaining a simple basic architecture. This configuration is commonly referred
to a “firewall sandwich.”
Because the FortiGate unit provides session-aware analysis, the load distribution algorithm must be symmetric (traffic
for a given session, in both directions, must all traverse the same FortiGate unit).
For larger scale deployment, the topology uses multiple layers of load distribution to allow for far larger numbers of
FortiGate devices.
The hash at the first and second stages must be symmetric. The two stages must provide different hashing results.
This chapter covers the following topics:
l Configuring the trunk ports on page 124
l Heartbeats on page 124
Use the following commands to configure the trunk members and set the port-selection criteria:
config switch trunk
edit <trunk name>
set description <description_string>
set members <ports>
set mode {fortinet-trunk | lacp-active | lacp-passive | static}
set port-selection-criteria src-dst-ip-xor16
end
end
Heartbeats
When in Fortinet-trunk mode, Heartbeat capability is enabled. Heartbeat messages monitor the status of FortiGate
units. If one is unavailable, the FortiSwitch unit stops sending traffic to that FortiGate unit until the FortiGate unit
becomes available.
If you enable hb-verify, each received heartbeat frame will be validated to match the signature (transmit-port plus
switch serial number) and the following configured heartbeat parameters:
l hb-in-vlan
l hb-src-ip
l hb-dst-ip
l hb-src-upd-port
l hb-dst-udp-port
The destination MAC address of the heartbeat frame is set by default to 02:80:c2:00:00:02. You can change the value
to any MAC address that is not a broadcast or multicast MAC address.
Configuring heartbeats
Configure the heartbeat fields using trunk configuration commands, as shown in this section. By default, all of the
configurable values are set to zero, and hb-verify is disabled.
Set the mode to forti-hb and set the heartbeat loss limit to a value between 3 and 32.
The heartbeat will transmit at 1-second intervals on any link in the trunk that is up. This value is not configurable.
The heartbeat frame has configurable parameters for the layer-3 source and destination addresses and the layer-4
UDP ports. You must also specify the transmit and receive VLANs.
config switch trunk
edit hb-trunk
set mode fortinet-trunk
set members <port> [<port>] ... [<port>]
set hb-loss-limit <3-32>
set hb-out-vlan <int>
set hb-in-vlan <int>
set hb-src-ip <x.x.x.x>
set hb-dst-ip <x.x.x.x>
Example
LLDP-MED
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Fortinet data center switches support LLDP-MED (Media Endpoint Discovery), which is an enhancement of LLDP that
provides the following facilities:
l Auto-discovery of LAN policies (such as VLAN, layer-2 priority, and differentiated services settings), to enable plug-
and-play networking.
l Device location discovery to allow the creation of location databases and Enhanced 911 services for Voice over
Internet Protocol (VoIP).
l Extended and automated power management for power over Ethernet (PoE) endpoints.
l Inventory management, allowing network administrators to track their network devices, and determine their
characteristics (manufacturer, software and hardware versions, serial or asset number).
The switch will multicast LLDP packets to advertise its identity and capabilities. The switch receives the equivalent
information from adjacent layer-2 peers.
Starting in FortiSwitch 6.2.0, you can use the CLI to configure the location table used by LLDP-MED for enhanced 911
emergency calls.
This chapter covers the following topics:
l Configuration notes on page 126
l LLDP global settings on page 127
l Configuring LLDP profiles on page 131
l Configuring an LLDP profile for the port on page 134
l Enabling LLDP on a port on page 135
l Checking the LLDP configuration on page 135
l Configuration deployment example on page 136
l Checking LLDP details on page 138
l LLDP OIDs on page 138
Configuration notes
NOTE: When 802.1x and LLDP turn on at the same port, switching between LLDP profiles requires a manual reset of all
authentication sessions.
Fortinet recommends LLDP-MED-capable phones.
The FortiSwitch unit functions as a Network Connectivity device (that is, NIC, switch, router, and gateway), and will only
support sending TLVs intended for Network Connectivity devices.
LLDP supports up to 16 neighbors per physical port.
The FortiSwitch unit accepts and parses packets using the CDP (Cisco Discovery Protocol) and count CDP neighbors
towards the neighbor limit on a physical port. If neighbors exist, the FortiSwitch unit transmits CDP packets in addition
to LLDP.
With release 3.5.1, CDP is independently controllable through cdp-status on the physical port. The FortiSwitch unit no
longer requires a neighbor to trigger it to transmit CDP; it will transmit provided cdp-status is configured as tx-only or tx-
rx. The default configuration for CDP-status is disabled. It still uses values pulled from the lldp-profile to configure its
contents.
LLDP must be globally enabled in switch.lldp.settings for CDP to be transmitted or received:
NOTE: If a port is added into a virtual-wire (connects two ends of a controlled system using a radio frequency [RF]
medium), the FortiSwitch unit will disable the transmission and receipt of LLDP and CDP packets and remove all
neighbors from the port. This virtual-wire state is noted in the get switch lldp neighbor-summary command
output.
If the combination of configured TLVs exceeds the maximum frame size on a port, that frame cannot be sent.
Variable Description
tx-hold Number of tx-intervals before the local LLDP data expires (that is, the
packet TTL (in seconds) is tx-hold times tx-interval). The
range for tx-hold is 1 to 16, and the default value is 4.
Variable Description
fast-start-interval How often the FortiSwitch unit transmits the first four LLDP packets
when a link comes up. The range is 2 to 5 seconds, and the default is 2
seconds.
Set this variable to zero to disable fast start.
To help identify the unit, LLDP uses the asset tag, which can be at most 32 characters. It will be added to the LLDP-
MED inventory TLV (when that TLV is enabled):
config system global
set asset-tag <string>
end
Because mobile phones have no fixed addresses associated with them, calls to 911 need the location information
provided in emergency location identifier numbers (ELINs). You need to first configure the location table used by LLDP-
MED for enhanced 911 emergency calls and then configure the LLDP profile to use the location table.
j. In the County field, enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or
district (India).
k. In the Direction field, enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.
l. In the Floor field, enter the floor number, for example, 4.
m. In the Landmark field, enter the nickname, landmark, or vanity address, for example, UC Berkeley.
n. In the Language field, enter the ISO 639 language code used for the address information.
o. In the Name field, enter the person or organization associated with the address, for example, Fortinet or
Textures Beauty Salon.
p. In the Number field, enter the street address, for example, 1560.
q. In the Number Suffix field, enter any modifier to the street address. For example, if the full street address is
1560A, enter 1560 for the number and A for the number suffix.
r. In the Place Type field, enter the type of place, for example, home, office, or street.
s. In the Post Office Box field, enter the post office box, for example, P.O. Box 1543. When the post-office-
box value is set, the street address components are replaced with this value.
t. In the Postal Community field, enter the postal community name, for example, Alviso. When the postal
community name is set, the civic community name is replaced by this value.
u. In the Primary Road field, enter the primary road or street name for the address.
v. In the Road Section field, enter the specific section or stretch of a primary road. This field is used when the
same street number appears more than once on the primary road.
w. In the Room field, enter the room number, for example, 7A.
x. In the Script field, enter the script used to present the address information, for example, Latn.
y. In the Seat field, enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a
trade show.
z. In the Street field, enter the street (Canada, Germany, Korea, and United States).
aa. In the Street Name Post Mod field, enter an optional part of the street name that appears after the actual
street name. If the full street name is East End Avenue Extended, enter Extended.
ab. In the Street Name Pre Mod field, enter an optional part of the street name that appears before the actual
street name. If the full street name is Old North First Street, enter Old.
ac. In the Street Suffix field, enter the type of street, for example, Ave or Place. Valid values are listed in the
United States Postal Service Publication 28 [18], Appendix C.
ad. In the Sub Branch Road field, enter the name of a street that branches off of a branch road. This value is used
when the primary road, branch road, and subbranch road names are needed to identify the correct street.
ae. In the Trailing Str Suffix field, enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.
af. In the Unit field, enter the unit (apartment or suite), for example, Apt 27.
ag. In the ZIP field, enter the postal or zip code for the address, for example, 94089-1345.
6. Enter the GPS coordinates.
a. Required. In the Altitude field, enter the vertical height of a location in feet or meters. The format is +/-
floating-point number, for example, 117.47.
b. Select Feet or Meters for the unit of measurement for the altitude.
c. For the Datum drop-down list, select which map is used for the location: WGS84, NAD83, or NAD83/MLLW .
d. Required. In the Latitude field, enter the latitude. The format is floating point starting with +/- or ending with
N/S, for example, +/-16.67 or 16.67N.
e. Required. In the Longitude field, enter the longitude. The format is floating point starting with +/- or ending
with E/W, for example, +/-26.789 or 26.789E.
7. Select Add.
For example:
config system location
edit Fortinet
config address-civic
set country "US"
set language "English"
LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of
configuration for LLDP settings that are likely to be the same for multiple ports.
Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted.
The default-auto-isl profile always has auto-isl enabled and rejects any configurations that attempt to disable it.
LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include network-
policy and the desired network policy to enabled. The VLAN values on the policy are cross-checked against the
VLAN native and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check
determines if the policy Type Length Value (TLV) should be sent (VLAN must be native or allowed) and if the TLV should
mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically
updated when either a switch interface changes VLAN configuration or a physical port is added to, or removed from, a
trunk.
The FortiSwitch unit supports the following LLDP-MED TLVs:
l Inventory Management TLVs
l Location Identification TLVs
l Network Policy TLV
l Power Management TLVs
Refer to the Configuration deployment example on page 136.
Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs
defined in various specifications by using their OUI and subtype and ensuring that the data is formatted correctly. You
could also define a purely arbitrary custom TLV for some other vendor or for their company.
The “name” value for each custom TLV is neither used by nor has an effect on LLDP; it simply differentiates between
custom TLV entries:
config custom-tlvs
edit <TLVname_str>
set information-string <hex-bytes>
set oui <hex-bytes>
set subtype <integer>
next
The OUI value for each TLV must be set to three bytes. If just one of those bytes is nonzero it is accepted; any value
other than "000" is valid. The subtype is optional and ranges from 0 (default) to 255. The information string can be 0 to
507 bytes, in hexadecimal notation.
The FortiSwitch unit does not check for conflicts either between custom TLV values or with standardized TLVs. That is,
other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype (or data) values
entered in the CLI for conflicts with other Custom TLVs or with the OUI and subtypes of TLVs defined by the 802.1,
802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also allows a large
degree of flexibility were you to substitute a standard TLV that is not supported yet.
802.1 TLVs
The only 802.1 TLV that can be enabled or disabled is Port VLAN ID. This TLV sends the native VLAN of the port. This
value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is
added to, or removed from, a trunk.
By default, no 802.1 TLVs are enabled.
802.3 TLVs
Auto-ISL
The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the
switch lldp-profile command. All behavior and default values are unchanged.
You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile.
The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch
interface configuration.
This feature has the following requirements:
l The port cannot belong to a trunk or virtual wire.
l The port must have lldp-status set to rx-only, tx-only, or tx-rx.
l The port must have private-vlan set to disabled.
l LLDP must be enabled under the config switch lldp settings command.
l The set med-tlvs network-policy option must be set under the config switch lldp profile
configuration.
l The assign-vlan option must be enabled in the med-network-policy configuration under the config
switch lldp profile configuration.
l The VLAN assigned in the LLDP profile must be a valid VLAN.
Note:
l If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans
configuration in the config switch interface command, the VLAN is added as untagged.
l If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
l The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the
switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another
configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP
network policy TLVs being sent will reflect the actual state of the interface, not the configured value.
config med-network-policy
edit <policy_type_name>
set status enable
set assign-vlan enable
set dscp <0-63>
set priority <0-7>
set vlan <0-4094>
next
For example:
config med-network-policy
edit default
set status enable
set assign-vlan enable
set vlan 15
set dscp 30
set priority 3
next
Configure an LLDP profile for the port. By default, the port uses the default LLDP profile.
next
config med-network-policy
edit <policy_type_name>
set status {enable | disable}
set assign-vlan {enable | disable}
set dscp <0-63>
set priority <0-7>
set vlan <0-4094>
next
end
To enable LLDP MED on a port, set the LLDP status to receive-only, transmit-only, or receive and transmit. The default
value is TX/RX.
fast-start-interval : 2
management-interface: internal
Use the following commands to display the LLDP information about LLDP status or the layer-2 peers for this
FortiSwitch unit:
get switch lldp (auto-isl-status | neighbors-detail | neighbors-summary | profile | settings |
stats)
To configure LLDP:
1. Configure LLDP global configuration settings using the config switch lldp settings command.
2. Create LLDP profiles using the config switch lldp profile command to configure Type Length Values
(TLVs) and other per-port settings.
3. Assign LLDP profiles to physical ports.
4. Apply VLAN to interface. (NOTE: LLDP profile values that are tied to VLANs will only be sent if the VLAN is
assigned on the switch interface.)
a. Configure the profile.
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"
set dscp 40
set priority 3
set status enable
set vlan 400
next
edit "video-signalling"
next
end
set med-tlvs inventory-management network-policy
next
end
c. Connect a phone with LLDP-MED capability to the interface. NOTE: Make certain the LLDP, Learning, and
DHCP features are enabled.
d. Verify.
LLDP OIDs
Starting in FortiSwitchOS 6.2.2, the following object identifiers (OIDs) are supported by the LLDP management
information base (MIB) file:
l .1.0.8802.1.1.2.1.1 (lldpConfiguration)
o lldpMessageTxInterval
o lldpMessageTxHoldMultiplier
o lldpReinitDelay
o lldpTxDelay
o lldpNotificationInterval
l .1.0.8802.1.1.2.1.4.1 (lldpRemoteSystemsData.lldpRemTable)
o lldpRemChassisIdSubtype
o lldpRemChassisId
o lldpRemPortSubtype
o lldpRemPortId
l lldpRemPortDesc
l lldpRemSysName
l lldpRemSysDesc
l lldpRemSysCapSupported
l lldpRemSysCapEnabled
l .1.0.8802.1.1.2.1.4.2 (lldpRemoteSystemsData.lldpRemManAddrTable)
o lldpRemManAddrIfSubtype
o lldpRemManAddrIfId
o lldpRemManAddrOID
MAC/IP/protocol-based VLANs
The FortiSwitch unit assigns VLANs to packets based on the incoming port or the VLAN tag in the packet. The
MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet
(MAC address, IP address, or layer-2 protocol).
This chapter covers the following topics:
l Overview on page 140
l Configuring MAC/IP/protocol-based VLANs on page 141
l Checking the configuration on page 143
Overview
When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that
VLAN value to include the VLAN tag. Use the set untagged-vlans <vlan> configuration command to remove
the VLAN tag from egress packets. For an example of the command, see the Example configuration on page 142.
The MAC/IP/protocol-based VLAN feature assigns the VLAN based on MAC address, IP address, or layer-2 protocol.
MAC based
In MAC-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating
MAC address.
IP based
In IP-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating IP
address or IP subnet. IPv4 is supported with prefix masks from 1 to 32. IPv6 is also supported, depending on hardware
availability, with prefix lengths from 1 to 64.
Protocol based
In protocol-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the Ethernet
protocol value and the frame type (ethernet2, 802.3d/SNAP, LLC).
NOTE: There are hardware limits regarding how many MAC/IP/protocol-based VLANs that you can configure. If you try
to add entries beyond the limit, the CLI will reject the configuration:
l Editing an existing VLAN—when you enter next or end on the config member-by command
l Adding a new VLAN— when you enter next or end on the edit vlan command
l When VLANS are defined by config member-by-ipv4 or config member-by-ipv6 on some FortiSwitch
platforms (2xx and higher), matching ARP traffic is included in the assigned VLANs. For example, if the ARP target
IP address or the ARP sender IP address match the member-by-ipv4 or member-by-ipv6 IP address, those ARP
packets are included in the assigned VLANs.
Example configuration
The following example shows a CLI configuration for MAC-based VLAN where a VOIP phone and a PC share the same
switch port.
In this example, a unique VLAN is assigned to the voice traffic, and the PC traffic is on the default VLAN for the port.
1. The FortiSwitch Port 10 is connected to PC2 (a VOIP phone), with MAC address 00:21:cc:d2:76:72.
2. The phone also sends traffic from PC3 (MAC= 00:21:cc:d2:76:80).
3. Assign the PC3 traffic to the default VLAN (1) on port 10.
4. Assign the voice traffic to VLAN 100.
Mirroring
Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and
analyzed. All FortiSwitch models support switched port analyzer (SPAN) mode, which mirrors traffic to the specified
destination interface without encapsulation.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-
2 domains. You can have multiple RSPAN sessions but only one ERSPAN session. In RSPAN mode, traffic is
encapsulated in a VLAN. In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation
(GRE) headers.
NOTE:
l Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and
might prevent critical protocols from operating on ports being used as mirror sources.
l When there are multiple mirror sessions in the FS-108D-POE, FS-224D-POE, and FSR-112D-POE models, some
traffic might not be mirrored to the destination ports.
l Some destination ports are not listed because those models (FSR-112D-POE, FS-108E, FS-124E, FS-108E-POE,
FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE) do not support mirroring to the
software interface.
l You cannot select a destination interface for the ERSPAN auto mirror.
l In cases where the mirrored traffic is not unicast, or is flooded unicast, and the mirrored and non-mirrored packets
both leave the mirror “dst” port, the mirror-qos value is overridden by the QoS value of the non-mirrored packet.
l You can use the following commands to specify the quality of service (QoS) priority for mirrored packets on the
FortiSwitch unit doing the mirroring:
112D- 108E, 124D, 248D, 424D, 448D, 424E, 424E- 524D, 1024D,
POE 108E- 224D- 248E- 424D- 448D- 424E- Fiber, 524D- 1048D,
FPO FPOE, FPOE, FPOE, FPOE, POE, 448E, FPOE, 3032D,
E, 224E, 248E- 424D- 448D- 424E- 448E- 548D, 3032E
108E- 224E- POE POE POE FPOE, POE, 548D-
POE, POE M426- 448E- FPOE,
124E, FPOE FPOE 1048E
124E-
FPO
E,
124E-
POE
“dst” Ports Ports Port or Port or Port or Port or Port or Port or Port or Port or
values only only trunk (no trunk (no trunk (no trunk (no trunk (no trunk (no trunk (no trunk (no
(can (can trunk trunk trunk trunk trunk trunk trunk trunk
be in be in member member member member member member member member
trunk) trunk) s) s) s) s) s) s) s) s)
Max. — — 32 32 32 32 32 32 32 32
sessions
(active or
inactive)
Max. 7 4 6 6 6 6 8 8 8 4
active
sessions
Max. 6 4 1 1 1 1 1 1 4 4
sessions
with src-
egress
Max. 6 4 1 1 1 1 1 4 4 4
sessions
with src-
ingress
112D- 108E, 124D, 248D, 424D, 448D, 424E, 424E- 524D, 1024D,
POE 108E- 224D- 248E- 424D- 448D- 424E- Fiber, 524D- 1048D,
FPO FPOE, FPOE, FPOE, FPOE, POE, 448E, FPOE, 3032D,
E, 224E, 248E- 424D- 448D- 424E- 448E- 548D, 3032E
108E- 224E- POE POE POE FPOE, POE, 548D-
POE, POE M426- 448E- FPOE,
124E, FPOE FPOE 1048E
124E-
FPO
E,
124E-
POE
VLAN N/A N/A Yes No Yes No Yes Yes Yes Yes
CFI and
priority
can be
configur
ed in
RSPAN
SPAN Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
support
RSPAN RSPA No Yes Yes Yes Yes Yes Yes Yes Yes
and N
ERSPAN
support
NOTE: You can use virtual wire ports as ingress and egress mirror sources. Egress mirroring of virtual wire ports will
have an additional VLAN header on all mirrored traffic.
For example:
config switch mirror
edit "m1"
set mode SPAN
set dst "port5"
set src-egress "port2"
set src-ingress "port3" "port4"
set switching-packet enable
set status active
end
With some FortiSwitch models, you can configure multiple mirror destination ports with the following guidelines and
restrictions:
l Always set the destination port before setting the src-ingress or src-egress ports.
l Any port configured as a src-ingress or src-egress port in one mirror cannot be configured as a destination port in
another mirror.
l The total number of active sessions depends on your configuration.
l For switch models 124D, 124D-POE, 224D-FPOE, 248D, 248D-POE, 248D-FPOE, 224E, 224E-POE, 248E-POE,
248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, and 448D-FPOE:
o For access control lists, you can use a mirror destination that does not have src-ingress or src-egress
configured or a mirror destination that has src-ingress or src-egress configured.
l For switch models 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E:
o For access control lists, you can use a mirror destination that does not have src-ingress or src-egress
configured or a mirror destination that has src-ingress or src-egress configured.
l For switch model FSR-112D-POE:
o You can configure up to seven mirrors, each with a different destination port.
o Multiple ingress or egress ports can be mirrored to the same destination port.
o An ingress or egress port cannot be mirrored to more than one destination port.
These restrictions apply to active mirrors. If you try to activate an invalid mirror configuration, the system will display the
Hardware active mirror session limit reached. Please deactivate or delete another
active session to make room. error message.
The following example configuration is valid for FortiSwitch-3032D. This configuration includes three ingress ports, one
egress port, and four destination ports. The port3 ingress and egress ports are mirrored to multiple destinations.
config switch mirror
edit "m1"
set mode SPAN
set dst "port16"
set status active
set src-ingress "port3" "port5" "port7"
next
edit "m2"
set mode SPAN
set dst "port22"
set status active
set src-ingress "port3" "port5"
next
edit "m3"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port3"
next
edit "m4"
set mode SPAN
set dst "port2"
set status active
set src-egress "port3"
end
The following example configuration includes three ingress ports, three egress ports and four destination ports. Each
ingress and egress port is mirrored to only one destination port.
config switch mirror
edit "m1"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port2" "port7"
next
edit "m2"
set mode SPAN
set dst "port5"
set status active
set src-ingress "port2"
next
edit "m3"
set mode SPAN
set dst "port3"
set status active
set src-ingress "port6"
next
edit "m4"
set mode SPAN
set dst "port4"
set status active
set src-egress "port6" "port8"
end
NOTE: RSPAN traffic crossing a switch on a VLAN configured with “RSPAN-VLAN” enabled will appear as unknown
unicast, multicast, or broadcast traffic. This traffic is not exempt from storm control and might be rate limited as a result.
To avoid this issue, you can dedicate a port or ports to RSPAN and then disable storm control on those ports. Non-
RSPAN VLANs can be used on those ports as well, but they will not be protected by storm control.
For an ERSPAN auto mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN
encapsulation. The header contents are automatically configured; you only need to specify the ERSPAN collector
address.
For an ERSPAN manual mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN
encapsulation. You need to manually configure the header contents with layer-2 and layer-3 addresses.
20. In the Source MAC Address field, enter the source MAC address in the ERSPAN Ethernet header.
This field is available only if Add ERSPAN Headers is selected.
21. In the Destination MAC Address field, enter the MAC address of the next-hop or gateway on the path to the
ERSPAN collector IP address.
This field is available only if Add ERSPAN Headers is selected.
22. Select Create to create the mirror.
You can use access control lists (ACLs) to configure policies for three different stages in the pipeline:
l Ingress stage for incoming traffic
l Prelookup stage for processing traffic
l Egress stage for outgoing traffic
This chapter covers the following topics:
l ACL policy attributes on page 153
l Configuring an ACL policy on page 154
l Configuration examples on page 161
NOTES
l Before FortiSwitchOS 6.0.0, you used the config switch acl policy command to configure ACL policies
only for the ingress stage. In FortiSwitchOS 6.0.0 and later, the config switch acl command has changed to
specify which stage is being configured. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress
ACLs.
l The FS-1024D and FS-524D-FPOE models do not support all action options on the ingress policy.
l There are some limitations for ACL configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-
124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
o The layer-4 port range is limited and might not be available in FortiSwitchOS 6.4.0.
o For the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-124E, FS-124E-FPOE, and FS-124E-POE models, 256
counters are supported for the ingress stage.
o For the FS-448E, FS-448E-FPOE, and FS-448E-POE models, 504 counters are supported only for the
prelookup stage.
o If a classifier was created with only layer-2 fields, layer-3 fields cannot be added later. If a classifier was
created with only layer-3 fields, layer-2 fields cannot be added later.
o You cannot use both drop and redirect actions in the same ACL policy.
l The set redirect command works differently for the following switch models:
o For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and
FS-148E-POE models, the egress VLAN membership is not necessary.
o For the FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models, the
egress VLAN membership is necessary.
ACL policy attributes
l Classifier. The classifier identifies the packets that the policy will act on. Each packet can be classified based on
one or more criteria. Criteria include source and destination MAC address, VLAN id, source and destination
IP address, or service (layer 4 protocol id and port number).
l Marking involves setting bits in the packet header to indicate the priority of this packet.
l Actions. If a packet matches the classifier criteria for a given ACL, the following types of action may be applied to
the packet:
o allow or block the packet, redirect the packet, mirror the packet
You can configure ACL policies for each stage: ingress, egress, and prelookup.
NOTE: The order of the classifiers provided during group creation (or during an ACL update in a group when new
classifiers are added ) matter. Hardware resources are allocated as best fit at the time of creation, which can cause
some fragmentation and segmentation of hardware resources because not all classifiers are available at all times.
Because the availability of classifiers is order dependent, some allocations succeed or fail at different times. Rebooting
the switch or running the execute acl key-compaction <acl-stage><group-id> command can help
reduce the classifier resource fragmentation.
Optionally, you can create or customize a service. When you create an ACL policy (ingress, egress, or prelookup), you
select the service to use with the set service <service_ID> command under config classifier.
The FortiSwitch unit provides a set of pre-configured services that you can use. Use the following command to list the
services:
show switch acl service custom
Creating a policer
Optionally, you can create a policer if you are defining ACLs to police different types of traffic. When you create an ACL
policy (ingress or egress), you select the policer to use with the set policer <policer> command under config
action.
Each policy is assigned a unique policy ID that is automatically assigned. To view it, use the get switch acl
{egress | ingress | prelookup} command.
Viewing counters
NOTE: On the 4xxE platforms, the ACL byte counters for the prelookup stage are not available (they will always show
as 0 on the CLI). The packet counters are available.
You can use the GUI and CLI to view the counters associated with the ingress, egress, and prelookup policies.
For example:
S524DF4K15000024 # get switch acl counters ingress
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
Clearing counters
You can use the GUI or CLI to clear the counters associated with all policies or the counters associated with just ingress,
egress, or prelookup policies.
Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress,
prelookup, or all policies for a particular group:
Configuration examples
Example 1
In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed
to all other destinations:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status active
end
Example 2
In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses
port 445:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface-all disable
set ingress-interface "port1"
set status active
config action
set count enable
set mirror mirror-1
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end
Example 3
The FortiSwitch unit can map different flows (for example, based on source and destination IP addresses) to specific
outgoing ports.
In the following example, flows are redirected (based on destination IP) to different outgoing ports, connected to
separate FortiDDOS appliances. This allows you to apply different FortiDDOS service profiles to different types of
traffic:
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
config action
set count enable
set redirect "port3“
# use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror13"
set ingress-interface "port1"
set status active
next
edit 2
config action # apply policy to port 3 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror31"
set ingress-interface-all disable
set ingress-interface "port3"
set status inactive
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 4
edit 3
config action
set count enable
set redirect "port4“
# use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror14"
set ingress-interface "port1"
set status active
next
edit 4
config action # apply policy to port 4 ingress and send to port 1
set count enable
Example 4
In the following example, a recurring schedule is created and then used to control when the ACL policy is active:
config system schedule recurring
edit schedule2
set day monday tuesday wednesday thursday friday saturday sunday
set start 07:00
set end 17:00
end
config switch acl ingress
edit 1
config action
set remark-cos 1
set remark-dscp 23
end
config classifier
set src-mac 00:21:cc:d2:76:72
set dst-mac d6:dd:25:be:2c:43
end
set ingress-interface-all enable
set schedule schedule2
set status active
next
end
Storm control
Storm control protects a LAN from disruption by traffic storms, which stem from mistakes in network configuration or
denial-of-service attacks. A traffic storm, which can consist of broadcast, multicast, or unicast traffic, creates excessive
traffic on the LAN and degrades network performance.
By default, storm control is disabled on a FortiSwitch unit. When enabled, it measures the data rate (in packets-per-
second) for unknown unicast, unknown multicast, and broadcast traffic. You can enable and disable storm control for
each of these traffic types individually. If the traffic rate for any of the types exceeds the configured threshold, the
FortiSwitch unit drops the excess traffic.
By default, storm control configuration is global. Starting in FortiSwitchOS 6.2.0, you can configure storm control on a
port level.
Starting in FortSwitchOS 6.4.3, you can configure the maximum burst size allowed by storm control. Using the CLI, you
can select the burst-size level from 0 to 4 with the highest number for the highest maximum burst size allowed. The
maximum number of packets or bytes allowed for each burst-size level depends on the switch model.
NOTE: The burst-size level cannot be controlled on a port level for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-
124E, FS-124E-POE, and FS-124E-FPOE models.
This chapter covers the following topics:
l Configuring system-wide storm control on page 164
l Configuring port-level storm control on page 165
l Displaying the storm-control configuration on page 165
If you set the rate to zero, the system drops all packets (for the enabled traffic types).
DHCP snooping
The DHCP-snooping feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and
unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP snooping filters
messages on untrusted ports by performing the following activities:
l Validating DHCP messages received from untrusted sources and filtering out invalid messages. For example, a
request to decline an DHCP offer or release a lease is ignored if the request is from a different interface than the
one that created the entry.
l Building and maintaining a DHCP snooping binding database, which contains information about untrusted hosts
with leased IP addresses.
Other security features like dynamic ARP inspection (DAI), a security feature that rejects invalid and malicious ARP
packets, also use information stored in the DHCP-snooping binding database.
In the FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You
indicate that a source is trusted by configuring the trust state of its connecting interface.
For additional security, you can specify in the CLI which DHCP servers that DHCP snooping will include in the allowed
server list.
This chapter covers the following topics:
l Configuring DHCP snooping on page 166
l Checking the DHCP-snooping configuration on page 170
l Removing an entry from the DHCP-snooping binding database on page 171
Configuring DHCP snooping
DHCP snooping is enabled per VLAN and, by default, DHCP snooping is disabled.
Configuring DHCP snooping consists of the following steps:
1. Set the system-wide DHCP-snooping options.
2. Configure the VLAN settings.
3. Configure the interface settings.
Before you use DHCP snooping, you need to enable the trusted DHCP server list.
For example:
config system global
set dhcp-server-access-list enable
end
You can include option-82 data in the DHCP request. (DHCP option 82 provides additional security by enabling a
controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.) You can select a fixed
format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields.
The following is the fixed format for the option-82 Circuit ID field
Circuit-ID: vlan-mod-port
vlan - [ 2 bytes ]
mod - [ (1 Byte) -> Snoop - 1 , Relay - 0 ]
port - [ 1 byte ]
The following is the fixed format for the option-82 Remote ID field:
Remote-ID: mac [ 6 byte ]
If you want to select which values appear in the Circuit ID and Remote ID fields:
l For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.
l For the Remote ID field, you can include the host name, IP address, and MAC address.
NOTE: If you enable dhcp-snooping-verify-mac, the system will verify that the source MAC address in the
DHCP request from an untrusted port matches the client hardware address.
NOTE: If you enable dhcp-snooping-option82, the system inserts option-82 data into the DHCP messages for
this VLAN.
For example, to configure IPv4 DHCP snooping:
config switch vlan
edit 10
set dhcp-snooping enable
config dhcp-server-access-list
edit "list1"
set server-ip 100.1.0.2
next
end
next
end
end
next
end
After you enable DHCP snooping on a VLAN, all interfaces are in an untrusted state by default, and DHCP snooping is
disabled on all untrusted interfaces. You must explicitly configure the trusted interfaces and enable DHCP snooping for
each interface.
In addition, you can set a limit for how many IP addresses are in the DHCP snooping binding database for each
interface by enabling the dhcp-snoop-learning-limit-check and setting the learning-limit. By default,
dhcp-snoop-learning-limit-check is disabled, and the number of entries for an untrusted ports is 5. You can
set the number of entries to 0. The maximum number of entries depends on which FortiSwitch unit you are using. For
example:
S548DN4K16000313 # show switch vlan 1
config switch vlan
edit 1
set learning-limit 100
set dhcp-snooping enable
next
end
NOTE: If the FortiSwitch unit has already learned more IP addresses than the dhcp-snoop-learning-limit
before the limit is set, the configuration is rejected because the FortiSwitch unit cannot select which IP addresses
should be kept. If the FortiSwitch unit has learned fewer IP address or the same number of IP addresses as the dhcp-
snoop-learning-limit before the limit is set, the configuration is accepted.
NOTE: The per-VLAN learning limit is not supported on dual-chip platforms (448 series).
1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select an interface.
3. Select Edit.
4. Select a Trusted or Untrusted interface for DHCP snooping.
5. If you want to accept DHCP messages with option-82 data from an untrusted interface, select the Option-82 Trust
check box.
6. Select OK.
For example:
config switch interface
edit "port5"
set native-vlan 10
set dhcp-snooping untrusted
set dhcp-snoop-learning-limit-check enable
set learning-limit 7
set dhcp-snoop-option82-trust enable
set snmp-index 5
next
end
Set dhcp-snooping to reflect the trust state of the interface. Where DHCP servers are located, you must configure
interfaces as trusted.
If you enable dhcp-snoop-option82-trust, the system accepts DHCP messages with option-82 data from an
untrusted interface.
Use the following command to view the detailed status of IPv4 and IPv6 DHCP-snooping VLANs and ports:
get switch dhcp-snooping database-summary
An entry in the DHCP snooping binding database that contains an * after the IP address indicates a temporary or
incomplete entry. For example:
08:00:27:13:16:51 2000 100.0.0.159* 10 4 port4
The DHCP server has not acknowledged this entry yet. If the DHCP server does not acknowledge the entry within 10
seconds, the entry is removed from the database. If the DHCP server does acknowledge the entry within 10 seconds,
the entry will be considered “complete” (that is, no * after the IP address), and a proper expiration time is assigned to it.
To view the details of the IPv4 and IPv6 DHCP-snooping client and server databases:
If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list
column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not
configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.
You can remove an IP address from the DHCP-snooping binding database by specifying the associated VLAN ID and
MAC address:
execute dhcp-snooping expire-client <1-4095> <xx:xx:xx:xx:xx:xx>
For example:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01
IP source guard
IP source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IP source guard allows traffic from the following sources:
l Static entries—IP addresses that have been manually associated with MAC addresses.
l Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IP source guard is disabled. You must enable it on each port that you want protected. If you enable IP source
guard and then disable it, all static and dynamic entries are removed for that interface.
There is a maximum of 2,048 IP source guard entries. When there is a conflict between static entries and dynamic
entries, static entries take precedence over dynamic entries.
The following FortiSwitch models support IP source guard:
FSR-124D, FS-224D-FPOE, FS-248D, FS-2xxE, FS-424D, FS-424D-POE, FS-424D-FPOE, FS-448D, FS-448D-POE,
and FS-448D-FPOE
NOTE: IP source guard does not work with VLAN translation.
You must enable IP source guard before you can configure it.
For example:
config switch interface
edit port6
set ip-source-guard enable
end
After you enable IP source guard, you can configure static entries by binding IPv4 addresses with MAC addresses. For
IP source-guard dynamic entries, you need to configure DHCP snooping. See DHCP snooping on page 166.
For example:
config switch ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20
set mac 00:21:cc:d2:76:72
next
end
next
end
After you configure IP source guard, you can check the database entries. Static entries are manually added by the
config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.
If you want to see events that violate the IP source-guard settings, enable the IP source-guard violation log.
The IP source-guard violation log contains a maximum of 128 entries with a maximum of 5 entries per port, even if more
violations have occurred. The maximum values cannot be changed.
Dynamic ARP Inspection (DAI) prevents man-in-the-middle attacks and IP address spoofing by checking that packets
from untrusted ports have valid IP-MAC-address binding. To use DAI, you must first enable the DHCP snooping feature
and then enable DAI for each VLAN. See DHCP snooping on page 166.
This chapter covers the following topics:
l Configuring DAI on page 175
l Checking ARP packets on page 176
Configuring DAI
Use the following command to see how many ARP packets have been dropped or forwarded:
#diagnose switch arp-inspection status
IGMP snooping
The FortiSwitch unit uses the information passed in IGMP messages to optimize the forwarding of IPv4 multicast traffic.
IGMP snooping allows the FortiSwitch unit to passively listen to the Internet Group Management Protocol (IGMP)
network traffic between hosts and routers. The switch uses this information to determine which ports are interested in
receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the LAN by pruning
multicast traffic from links that do not contain a multicast listener.
Essentially, IGMP snooping is a layer-2 optimization for the layer-3 IGMP.
The current version of IGMP is version 3, and the FortiSwitch unit is also compatible with IGMPv1 and IGMPv2.
Starting in FortiSwitchOS 6.4.3, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier
version 2 is configured, the FortiSwitch unit will send IGMP queries version 2 when no external querier is present. When
the IGMP querier version 3 is configured, the FortiSwitch unit will send IGMP queries version 3 when no external querier
is present. The default IGMP querier version is 2.
Here is the basic IGMP snooping operation:
1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
2. The FortiSwitch unit creates an entry in the layer-2 forwarding table (or adds the hostʼs port to an existing entry).
The switch creates one table entry per VLAN per multicast group.
3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request
IGMP reports. The FortiSwitch unit uses the IGMP reports to update the layer-2 forwarding table.
NOTE: If you want to use IGMP snooping with an MCLAG, see Configuring an MCLAG with IGMP snooping on page
121.
This chapter covers the following topics:
l Notes on page 177
l Configuring IGMP snooping on page 179
l Configuring the IGMP querier on page 183
l Configuring mRouter ports on page 184
Notes
l To make well-known multicast packets, such as mDNS, flood to all ports when IGMP snooping is enabled on FSR-
112D-POE, you need to make the following configuration change.
If IPv6 multicast and/or non-IP multicast is expected to be forwarded to any ports other than querier ports, the
mcast-snooping-flood-traffic setting can be enabled on the required ports.
l Starting with FortiSwitchOS 6.4.0, when an inter-switch link (ISL) is formed automatically, the igmp-snooping-
flood-reports and mcast-snooping-flood-traffic options are disabled by default.
l Proxy reporting is not supported for IGMPv3.
l Explicit host tracking is not supported.
l Immediate leave for IGMPv3 is not supported.
l IGMP snooping and MLD snooping share the same lookup table. Starting with FortiSwitchOS 6.2.2, the following
snooping table limits apply:
112D 895
200 1022
400 1022
500 1022
3032 1022
NOTE: Until FortiSwitchOS 3.5.1, the table limits were hardware only. The software limit for all platforms was 8192.
Configuring IGMP snooping
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300
seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled,
and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-
multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
For example:
config switch igmp-snooping globals
set aging-time 500
end
Optional. You can flood IGMP reports and flood multicast traffic on a specified switch interface. By default, these
options are disabled.
1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select an interface.
3. Select Edit.
4. In the IGMP Snooping area, select Flood Reports, Flood Traffic, or both if needed.
5. Select OK.
For example:
config switch interface
edit port10
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port2
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port4
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port6
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port8
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
end
Use the following command to clear the learned/configured multicast group from an interface:
execute clear switch igmp-snooping
Enable IGMP snooping on a specified VLAN and configure IGMP static groups. By default, IGMP snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has IGMP snooping enabled. You can
specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static
group. There are two restrictions for IGMP static groups:
l The range of multicast addresses (mcast-addr) from 224.0.0.1 to 224.0.0.255 cannot be used.
l The VLAN must already be assigned as the native VLAN for a switch interface and be included in the range of
allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be
used for IGMP static groups.
Starting in FortiSwitchOS 6.2.0, you can also use the CLI to enable IGMP proxy, which allows the VLAN to send IGMP
reports. After you enable igmp-snooping-proxy on a VLAN, it will start suppressing reports and leave messages.
For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the
FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the
multicast group. The FortiSwitch unit will also reply to generic queries and will send IGMP reports to the upstream
interface.
For example, to configure two static groups for the same VLAN:
config switch vlan
edit 30
set igmp-snooping enable
config igmp-snooping-static-group
edit g239-1-1-1
set mcast-addr 239.1.1.1
set members port2 port5 port28
next
edit g239-2-2-2
set mcast-addr 239.2.2.2
set members port5 port10 trunk-1
next
end
next
end
Use the following CLI command to see the learned multicast groups:
FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---
VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________
11 g239-1 239:1:1:1 port6 trunk-2
11 g239-11 239:2:2:11 port26 port48 trunk-2
40 g239-1 239:1:1:1 port5 port25 trunk-2
40 g239-2 239:2:2:2 port25 port26
To use the IGMP querier, you need to configure how often IGMP queries are sent and enable the IGMP querier for a
specific VLAN. Optionally, you can specify the address for the IGMP querier.
Use the following commands to specify how many seconds are between IGMP queries. The default is 120 seconds.
config switch igmp-snooping globals
set query-interval <10-1200>
end
For example:
config switch igmp-snooping globals
set aging-time 150
set query-interval 200
end
Use the following commands to enable the IGMP querier for a specific VLAN and specify the address that IGMP reports
are sent to:
config switch vlan
edit 100
set igmp-snooping {enable | disable}
set igmp-snooping-querier {enable | disable}
set igmp-snooping-querier-addr <IPv4_address>
set igmp-snooping-querier-version {2 | 3}
next
end
For example:
config switch vlan
edit 100
set igmp-snooping enable
set igmp-snooping-querier enable
set igmp-snooping-querier-addr 1.2.3.4
set igmp-snooping-querier-version 3
next
end
MLD snooping
The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the
forwarding of IPv6 multicast traffic.
MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast
routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The
FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not
contain a multicast listener.
FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD
proxy and MLD querier.
Here is the basic MLD-snooping operation:
1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
2. The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request
MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.
This chapter covers the following topics:
l Notes on page 186
l Configuring MLD snooping on page 186
l Configuring the MLD querier on page 189
Notes
l Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of
unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the
mRouter ports need to be relearned.
l The MLD-snooping entries are added based on multicast group IP addresses.
l IGMP snooping and MLD snooping share the same lookup table. The following snooping table limits apply:
112D 895
400 1022
500 1022
3032 1022
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300
seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled,
and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-
multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
For example:
config switch mld-snooping globals
Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options
are disabled.
For example:
config switch interface
edit port10
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port2
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port4
set native-vlan 30
set mld-snooping-flood-reportsenable
set mcast-snooping-flood-traffic enable
next
edit port6
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port8
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
end
Use the following command to clear the learned/configured multicast group from an interface:
execute clear switch mld-snooping
Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can
specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static
group. There are two restrictions for MLD static groups:
l The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
l The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of
allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be
used for MLD static groups.
You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-
proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is
sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave
message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit
will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-
leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.
For example:
config switch vlan
edit 30
set mld-snooping enable
config mld-snooping-static-group
edit g239-1-1-1
set mcast-addr FF3E::1
set members port2 port5 port28
next
end
next
end
To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a
specific VLAN. Optionally, you can specify the address for the MLD querier.
Use the following commands to specify how many seconds are between MLD queries. The default is 125 seconds.
config switch mld-snooping globals
set query-interval <10-1200>
end
For example:
config switch mld-snooping globals
set aging-time 150
set query-interval 200
end
Use the following commands to enable the MLD querier for a specific VLAN and specify the address that MLD reports
are sent to:
config switch vlan
edit 100
set mld-snooping {enable | disable}
set mld-snooping-querier {enable | disable}
set mld-snooping-querier-addr <IPv6_address>
next
end
For example:
config switch vlan
edit 100
set mld-snooping enable
set mld-snooping-querier enable
set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5
next
end
IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent
the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-
guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match
the criteria in the policy, they are dropped.
The IPv6 RA-guard policy checks for the following criteria in each RA message:
l Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
l Whether the hop number is equal or more than the minimum hop limit
l Whether the hop number is equal or less than the maximum hop limit
l Whether the default router preference is set to high, medium, or low
l Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config
router access-list6 command)
l Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config
router prefix-list6 command)
l Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a
router, the other criteria in the policy are checked.
IPv6 RA guard is supported on 2xx models and higher.
Create an IPv6 access list if you want to specify which source IPv6 address are allowed in RA messages. When no rule
in the IPv6 access list is matched, the RA messages are dropped.
end
end
For example:
config router access-list6
edit accesslist1
set comments "IPv6 access list"
config rule
edit 1
set action permit
set prefix6 fe80::a5b:eff:fef1:95e5
set exact-match disable
next
end
end
Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages.
When no rule in the IPv6 prefix list is matched, the RA messages are dropped.
For example:
config router prefix-list6
edit prefixlist1
set comments "IPv6 prefix list"
config rule
edit 1
set action permit
set prefix6 any
set ge 50
set le 50
next
end
end
In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are
forwarded.
For example:
config switch raguard-policy
edit RApolicy1
set device-role router
set managed-flag On
set other-flag On
set max-hop-limit 100
set min-hop-limit 5
set max-router-preference medium
set match-src-addr accesslist1
set match-prefix prefixlist1
next
end
After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You
can create and apply different policies to different VLANs.
For example:
Use the following command to list the available IPv6 RA-guard policies:
get switch raguard-policy
For example:
S524DF4K15000024 # get switch raguard-policy
== [ RApolicy1 ]
name: RApolicy1
Private VLANs
A private VLAN (PVLAN) divides the original VLAN (termed the primary VLAN) into sub-VLANs (secondary VLANs), while
retaining the existing IP subnet and layer-3 configuration. Unlike a regular VLAN, which is a single broadcast domain, a
PVLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
After a PVLAN VLAN is configured, the primary VLAN forwards frames downstream to all secondary VLANs.
There are two main types of secondary VLANs:
l Isolated: Any switch ports associated with an isolated VLAN can reach the primary VLAN, but not any other
secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. Only one
isolated VLAN is allowed in one PVLAN domain.
l Community: Any switch ports associated with a common community VLAN can communicate with each other and
with the primary VLAN but not with any other secondary VLAN. You might have multiple distinct community VLANs
within one PVLAN domain.
There are mainly two types of ports in a PVLAN: promiscuous (P-Port) and host.
l Promiscuous Port (P-Port): The switch port connects to a router, firewall, or other common gateway device. This
port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a
type of a port that is allowed to send and receive frames from any other port on the VLAN.
l Host Ports further divides into two types – isolated port (I-Port) and community port (C-port).
l Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only
with P-Ports.
l Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port
communicates with P-Ports and ports on the same community VLAN.
This chapter covers the following topics:
l Creating and enabling a PVLAN on page 194
l Configuring the PVLAN ports on page 195
l Private VLAN example on page 195
1. Enable a PVLAN:
next
edit "port21"
set private-vlan sub-vlan
set primary-vlan 1000
set sub-vlan 101
end
end
Quality of service
Quality of service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
QoS involves the following elements:
l Classification is the process of determining the priority of a packet. This can be as simple as trusting the QoS
markings in the packet header when it is received and so accept the packet. Alternatively, it can hinge on criteria
(such as incoming port, VLAN, or service) that are defined by the network administrator.
l Marking involves setting bits in the packet header to indicate the priority of this packet.
l Queuing involves defining priority queues to ensure that packets marked as high priority take precedence over
those marked as lower priority. If network congestion becomes so severe that packet drops are inevitable, the
queuing process will also select the packets to drop.
The FortiSwitch unit supports the following QoS configuration capabilities:
l Mapping the IEEE 802.1p and layer-3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
NOTE: There are some differences in QoS configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l You can configure only one dot1p-map per switch.
l You can configure only one ip-dscp-map per switch.
l You cannot set min-rate, min-rate-percent, drop-policy, or wred-slope under the config
switch qos qos-policy command.
l Under the config switch qos qos-policy command, the switch rounds the max-rate value to the
nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.
l You cannot configure priority tagging on outgoing frames (egress-pri-tagging) under the config switch
qos dot1p-map command.
l You can configure only one QoS drop policy per switch. You can configure the QoS drop policy under the config
switch global command. You can specify random early detection (RED) with the set qos-drop-policy
random-early-detection command.
l You can set the QoS RED/WRED drop probability (qos-red-probability) under the config switch
global command. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE
models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
l Adaptive or active RED (ARED) and robust RED (RRED) are not supported.
This chapter covers the following topics:
l Classification on page 198
l Marking on page 198
l Queuing on page 199
l Determining the egress queue on page 199
l Configuring FortiSwitch QoS on page 200
l Checking the QoS statistics on page 206
l Clearing and restoring QoS statistics on page 207
Classification
The IEEE 802.1p standard defines a class of service (CoS) value (ranging from 0-7) that is included in the Ethernet
frame. The Internet Protocol defines the layer-3 QoS values that are carried in the IP packet (Differentiated Services,
IP Precedence). The FortiSwitch unit provides configurable mappings from CoS or IP-DSCP values to egress queue
values.
Fortinet recommends that you do not enable trust for both Dot1p and DSCP at the same time on the same interface. If
you do want to trust both Dot1p and IP-DSCP, the switch uses the latter value (DSCP) to determine the queue. The
switch will use the Dot1p value and mapping only if the packet contains no DSCP value. For details, refer to
Determining the egress queue on page 199.
Marking
Queuing
Queuing determines how queued packets on an egress port are served. Each egress port supports eight queues, and
three scheduling modes are available:
l Strict Scheduling: The queues are served in descending order (of queue number), so higher number queues
receive higher priority. Queue7 has the highest priority, and queue0 has the lowest priority. The purpose of the
strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface
experiences congestion, the lower priority traffic could be starved.
l Simple Round Robin (RR): In round robin mode, the scheduler visits each backlogged queue, servicing a single
packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair
access to the egress port bandwidth.
l Weighted Round Robin (WRR): Each of the eight egress queues is assigned a weight value ranging from 0 to
63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth,
such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.
A drop policy determines what happens when a queue is full or exceeds a minimum threshold. Depending on your
switch model, you can select from one of two drop policies:
l The tail-drop drop policy is the default and is available on all platforms. When a queue is full, additional incoming
packets are dropped until there is space available in the queue.
l The random early detection (RED) drop policy is available on 124D, 2xx, and 4xxD models. When the queue
size exceeds the minimum threshold, packets are dropped at a constant rate until the queue is full. Using the RED
drop policy helps improve the throughput during network congestion.
l The weighted random early detection (WRED) drop policy is an advanced version of RED and is available on
4xxE, 5xx, 1xxx, and 3xxx models. When the queue size exceeds the threshold, the WRED slope controls the rate
at which packets are dropped until the queue is full. The drop rate increases when the queue buffer usage
increases. If you select weighted-random-early-detection in the CLI, you can enable explicit congestion
notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To determine the egress queue value for the packet, the FortiSwitch unit uses the configured trust values (and
mappings) on the port and the QoS/CoS fields in the packet.
If the port is set to trust DSCP, the switch uses this value to find the queue assignment in the DSCP map for the port.
If the port is set to trust Dot1p and not to trust DSCP, the switch uses the packet’s CoS value to look up the queue
assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.
If the port is set to trust DSCP, the switch uses the packet’s DSCP value to look up the queue assignment in the DSCP
map for the port.
If the port is set to trust Dot1p but not to trust DSCP, the switch uses the default CoS value of the port to look up the
queue assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.
FortiSwitch uses “queue-7” for network control and critical management traffic. To
avoid affecting critical network control and management traffic, do not
oversubscribe queue-7 or avoid using queue-7 for data traffic when configuring QoS.
Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to
queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets
on a trusted interface) and the egress queue values.
If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is
disabled by default.
NOTE: “Priority tagging” refers to adding a VLAN tag to untagged traffic with with VLAN 0 and a valid priority value. If
the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.
config switch qos dot1p-map
edit <dot1p map name>
set description <text>
set [priority-0|priority-1|priority-2|....priority-7] <queue number>
set egress-pri-tagging {disable | enable}
next
end
For example:
config switch qos dot1p-map
edit "test1"
set priority-0 queue-2
set priority-1 queue-0
set priority-2 queue-1
set priority-3 queue-3
set priority-4 queue-4
set priority-5 queue-5
set priority-6 queue-6
set priority-7 queue-7
set egress-pri-tagging enable
next
end
Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to
queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:
config switch interface
edit port1
set default-cos <0-7>
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
Configure a DSCP map
A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.
In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and
configure one or more CoS queues.
NOTE: The egress-drop-mode command is available only for the 1024/1048/3032/5xx series.
When there are too many packets going through the same egress port, you can choose whether packets are dropped on
ingress or egress.
Use the following commands to set the drop mode:
config switch physical-port
edit <port>
set egress-drop-mode <disabled | enabled>
end
Variable Description
NOTE: Because too many packets are going through the same egress port, you might want to use the pause frame for
flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface
and disable egress-drop-mode on the egress interface.
You can configure the following QoS settings on a switch port or a trunk:
l trust dot1p values on ingress traffic and the dot1p map to use
l trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp
values but not both.)
l an egress policy for the interface
l a default CoS value (for packets with no CoS value)
If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.
If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-
robin).
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
Configuring QoS on trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP
map and an egress policy).
When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to
the default QoS configuration when it is removed from the trunk interface.
When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each
port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also
configure the action to set the CoS marking value, DSCP marking value, or both.
config switch acl ingress
edit <policy-id>
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set remark-cos <0-7>
set remark-dscp <0-63>
end
For example:
config switch acl ingress
edit 1
config classifier
set src-mac 11:22:33:44:55:66
set cos 2
set dscp 10
end
config action
set count enable
set remark-cos 4
set remark-dscp 20
end
set ingress-interface port2
set status active
end
To check the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats list
To check the statistics for the QoS queues for specific ports:
diagnose switch physical-ports qos-stats list <list_of_ports>
To view the real-time egress QoS queue rates for all ports:
diagnose switch physical-ports qos-rates list
The diagnose switch physical-ports qos-stats clear command is supported only for the 1xxxD,
3xxxD, and 5xxD FortiSwitch models. The diagnose switch physical-ports qos-stats clear command
is not available for the 4xxD, 4xxD-POE, 4xxD-FPOE, 2xxD, 2xxD-POE, or 2xxD-FPOE FortiSwitch models.
To clear the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats clear
To clear the statistics for the QoS queues for specified ports:
diagnose switch physical-ports qos-stats clear <list_of_ports>
To reset the QoS counters to zero (applies to all applications except SNMP) for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]
To restore the QoS counters to the hardware values for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]
For example:
diagnose switch physical-ports qos-stats clear 1,3,4-6
diagnose switch physical-ports qos-stats set-qos-counter-zero 2,4,7-9
diagnose switch physical-ports qos-stats set-qos-counter-revert 1,3-5,7
sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact
performance and throughput. With sFlow you can export truncated packets and interface counters. The FortiSwitch unit
implements sFlow version 5 and supports trunks and VLANs.
This chapter covers the following topics:
l About sFlow on page 208
l Configuring sFlow on page 208
l Checking the sFlow configuration on page 210
About sFlow
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined
intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on
network throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors.
Configuring sFlow
1. Go to Switch > Interface > Physical or Switch > Interface > Physical.
2. Select one or more ports or a trunk to update and then select Edit.
3. In the sFlow area, select Polling Interval.
4. In the Interval (Seconds) field, enter the number of seconds to use for the polling interval.
5. Select OK to save the changes.
For example:
config switch interface
edit "port20"
set packet-sampler enabled
set packet-sample-rate 4
set sflow-counter-interval 3
set snmp-index 58
next
end
NOTE: Ensure that you can use the exec command ping collector_ip_address to ping the collector from the
FortiSwitch unit. Then, use the built-in sniffer to trace sFlow packets (diag sniff packet <vlan_interface_
name> "udp port 6343").
Feature licensing
About licenses
Each feature license is tied to the serial number of the FortiSwitch unit. Therefore, a feature license is valid on one
system.
Configuring licenses
Adding a license
NOTE: Adding license keys causes the system to log you out.
Removing a license
Layer-3 interfaces
Fortinet data center switches support loopback interfaces and switch virtual interfaces (SVIs), both of which are
described in this chapter.
This chapter covers the following topics:
l Loopback interfaces on page 213
l Switch virtual interfaces on page 214
l Layer-3 routing in hardware on page 215
l Equal cost multi-path (ECMP) routing on page 216
l Bidirectional forwarding detection on page 218
l Unicast reverse-path forwarding (uRPF) on page 219
l IP-MAC binding on page 220
l Virtual routing and forwarding on page 221
Loopback interfaces
A loopback interface is a special virtual interface created in software that is not associated with any hardware interface.
Dynamic routing protocols typically use a loopback interface as a reliable IP interface for routing updates. You can
assign the loopback IP address to the router rather than the IP address of a specific hardware interface. Services (such
as Telnet) can access the router using the loopback IP address, which remains available independent of hardware
interfaces status.
No limit exists on the number of loopback interfaces you can create.
A loopback interface does not have an internal VLAN ID or a MAC addresses and always uses a /32 network mask.
Switch virtual interfaces
A switch virtual interface (or SVI) is a logical interface that is associated with a VLAN and supports routing and switching
protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two
different VLANs connected to a switch (no need to connect through a layer-3 router).
Example SVI configuration
2. Create L3 system interfaces that correspond to Port 1 (VLAN 4000) and Port 2 (VLAN 2):
In FortiSwitchOS 3.3.0 and later, some FortiSwitch models support hardware-based layer-3 forwarding.
For FortiSwitch models that support Equal Cost Multi-Path (ECMP) (see Feature matrix: FortiSwitchOS 6.4.3 on page
17), forwarding for all ECMP routes is performed in hardware.
For switch models that support hardware-based layer-3 forwarding but do not support ECMP, only one route to each
destination will be hardware-forwarded. If you configure multiple routes to the same destination, you can configure a
priority value for each route. Only the route with highest priority will be forwarded by the hardware. If no priority values
are assigned to the routes, the most recently configured route is forwarded by the hardware.
Router activity
ECMP is a forwarding mechanism that enables load-sharing of traffic to multiple paths of equal cost. An ECMP set is
formed when the routing table contains multiple next-hop address for the same destination with equal cost. Routes of
equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a
hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the
following fields in the packet to be routed:
l Source IP
l Destination IP
l Input port
Configuring ECMP
When you configure a static route with a gateway, the gateway must be in the same IP subnet as the device. Also, the
destination subnet cannot match any of device IP subnets in the switch.
When you configure a static route without a gateway, the destination subnet must be in the same IP subnet as the
device.
Example ECMP configuration
In this configuration, ports 2 and 6 are routed ports. Interfaces I-RED and I-GREEN are routed VLAN interfaces. The
remaining ports in the switch are normal layer-2 ports.
1. Configure native VLANs for ports 2, 6, and 9. Also configure the “internal” interface to allow native VLANs for ports
2, 6, and 9:
3. Configure static routes. This code configures multiple next-hop gateways for the same network:
next
edit 3
set device "i-green"
set dst 8.8.8.0/24
set gateway 172.168.13.2
set status enable
next
Viewing ECMP configuration
FortiSwitchOS v3.4.2 and later supports static bidirectional forwarding detection (BFD), a point-to-point protocol to
detect faults in the datapath between the endpoints of an IETF-defined tunnel (such as IP, IP-in-IP, GRE, and
MPLS LSP/PW).
BFD defines demand mode and asynchronous mode operation. The FortiSwitch unit supports asynchronous mode. In
this mode, the systems periodically send BFD control packets to one another, and if a number of those packets in a row
are not received by the other system, the session is declared to be down.
BFD packets are transported using UDP/IP encapsulation and BFD control packets are identified using well-known UDP
destination port 3784 (NOTE: BFD echo packets are identified using 3785).
BFD packets are not visible to the intermediate nodes and are generated and processed by the tunnel end systems only.
Configuring BFD
Desired min TX interval: This is the minimum interval that the local system would like to use between
l
transmission of BFD control packets. Value range is 200 ms – 30,000 ms. Default value is 250.
l Required min RX interval: This is the minimum interval that the local system can support between receipt of
BFD control packets. If you set this value to zero, the remote system will not transmit BFD control packets.
The value range is 200 ms – 30000 ms. The default value is 250.
l Detect multi: This is the detection time multiplier. The negotiated transmit interval multiplied by this value is
the Detection Time for the receiving system. The value range is 1 – 20. The default is 3.
2. Enable BFD in the static router configuration.
RPF, also called anti-spoofing, prevents an IP packet from being forwarded if its source IP address does not belong to a
locally attached subnet (local interface) or is not part of the routing between the FortiSwitch unit and another source
(such as a static route, RIP, OSPF, or BGP).
In unicast RPF, the router not only looks up the destination information but it also looks up the source information to
ensure that it exists. If no source is found, that packet is dropped because the router assumes it is an error or an attack
on the network.
There are two uRPF modes:
l Strict—The packet must be received on the same interface that the router uses to forward the return packet. In this
mode, asymmetric routing paths in the network might cause legitimate traffic to be dropped.
l Loose—The routing table must include the source IP address of the packet. If you disable the src-check-
allow-default option, the packet is dropped if the source IP address is not found in the routing table. If you
enable the src-check-allow-default option, the packet is allowed even if the source IP address is not found
in the routing table, but the default route is found in the routing table.
Configuring uRPF
By default, uRPF is disabled. You must enable it on each interface that you want protected.
IP-MAC binding
Configuring IP-MAC binding
Notes
You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.
Use the following steps to configure VRF:
1. Create a VRF instance.
2. Assign the VRF instance to a switch virtual interface (SVI).
3. Assign theVRF instance to an IPv4 or IPv6 static route.
4. Check the VRF configuration.
For example:
config router vrf
edit vrfv4
set vrfid 1
next
edit vrfv6
set vrfid 2
next
end
You assign the VRF instance to an SVI when you create the SVI. After the SVI is created, the VRF instance cannot be
changed or unset.
You can assign the same VRF instance to more than one SVI. The VRF instance cannot be assigned to an internal SVI.
config system interface
edit <interface_name>
set vrf <string>
end
For example:
config system interface
edit v40
set vlanid 40
set vrf vrfv4
next
edit v50
set vlanid 50
set vrf vrfv4
next
end
You assign the VRF instance to an IPv4 or IPv6 static route when you create the static route. After the static route is
created, the VRF instance cannot be changed or unset.
You can assign the same VRF instance to more than one static route.
config router static
edit <seq-num>
set vrf <string>
end
For example:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set status enable
set vrf vrfv4
end
A DHCP server provides an address, from a defined address range, to a client on the network that requests it.
You can configure one or more DHCP servers on any FortiSwitch interface. A DHCP server dynamically assigns IP
addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP
addresses using DHCP.
You can configure a FortiSwitch interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to
an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have the appropriate
routing so that its response packets to the DHCP clients arrive at the unit.
NOTE:
l DHCP snooping and the DHCP server can be enabled at the same time.
l The DHCP server and DHCP relay cannot be enabled at the same time.
This chapter covers the following topics:
l Configuring a DHCP server on page 224
l Detailed operation of a DHCP relay on page 230
l Configuring a DHCP relay on page 230
NOTE: The 4xx, 5xx, 1xxx, and 3xxx models support configuring DHCP servers. The following table lists the maximum
number of clients for the supported FortiSwitch models:
4xx 15,000
5xx 20,000
7. In the Interface drop-down list, select an interface. The DHCP server assigns IP configurations to clients connected
to this interface.
8. Required. In the Lease Time field, enter the lease time in seconds. The lease time determines the length of time
an IP address remains assigned to a client.
9. Required. In the Conflicted IP Timeout field, enter the number of seconds before a conflicted IP address is
removed from the DHCP range and is available to be reused.
10. In the Default Gateway field, enter the IP address of the default gateway that the DHCP server assigns to DHCP
clients.
11. In the Domain field, enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.
12. In the Next Server field, enter the IPv4 address of a server (for example, a TFTP sever) that DHCP clients can
download a boot file from.
13. In the Filename field, enter the name of the boot file on the TFTP server.
14. In the DNS Service Type drop-down list, select how DNS servers are assigned to DHCP clients.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured DNS servers.
o Select Local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address.
o Select Specify to enter IPv4 addresses for up to three DNS servers.
15. In the Controller 1, Controller 2, and Controller 3 fields, enter the IPv4 addresses for the WiFi access controllers.
16. In the NTP Service Type drop-down list, select how Network Time Protocol (NTP) servers are assigned to DHCP
clients.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured NTP servers.
o Select Local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address.
o Select Specify to enter the IPv4 address for up to three NTP servers.
17. In the WINS Server section, enter the IPv4 addresses for the Windows Internet Name Service (WINS) servers.
18. In the Timezone Mode drop-down list, select how the DHCP server sets the clientʼs time zone.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured time zone.
o Select Disable for the DHCP server to not set the clientʼs time zone.
o Select Specify to choose which time zone is assigned to DHCP clients.
19. In the VCI area, select the Enable checkbox to enter the vendor class identifier (VCI) to match. When enabled, only
DHCP requests with a matching VCI are served.
20. In the IP Ranges section, you can configure the IP address range.
a. In the ID field, enter a unique number to identify the entry or use the default value.
b. Required. In the Start IP field, enter the start of the DHCP IP address range.
c. Required. In the End IP field, enter the end of the DHCP IP address range.
d. To add another IP address range, select Add IP Range.
21. In the Exclusion Ranges section, you can block a range of addresses that will not be included in the available
addresses for the connecting users.
a. Select Add Exclusion Range.
b. In the ID field, enter a number to identify the entry or use the default value.
c. In the Start IP field, enter the start of the IP address range that will not be assigned to clients.
d. In the End IP field, enter the end of the IP address range that will not be assigned to clients.
e. To add another exclusion range, select Add Exclusion Range.
22. In the Reserved Addresses section, you can reserve IP addresses for the DHCP server to use to assign IP
addresses to specific MAC addresses.
a. Select Add IP.
b. In the ID field, enter a number to identify the entry or use the default value.
c. In the Type drop-down list, select whether to match the IP address with the MAC address or DHCP option 82.
d. In the Action drop-down list, select how the DHCP server configures the client with the reserved MAC address.
Select Reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.
Select Assign for the DHCP server to configure the client with this MAC address like any other client. Select
Block to prevent the DHCP server from assigning IP settings to the client with this MAC address.
e. In the Description field, enter a description of this entry.
f. In the IP field, enter the IPv4 address to be reserved for the MAC address. This value is required when the
action is Reserved and the type is MAC .
g. In the MAC field, enter the MAC address of the client that will get the reserved IP address. This value is
required when the type is MAC and the action is Assign or Block.
h. In the Circuit Type drop-down list, select whether the format of the Circuit ID is hexadecimal or string. This
option is only available when the type is Option-82.
i. In the Circuit ID field, enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address.
The Circuit ID format is controlled by the Circuit Type setting. This value is required when the type is Option-
82.
j. In the Remote Type drop-down list, select whether the format of the Remote ID is hexadecimal or string. This
option is only available when the type is Option-82.
k. In the Remote ID field, enter the DHCP option-82 Remote ID of the client that will get the reserved IP address.
This value is required when the type is Option-82.
l. To add another reserved address, select Add IP.
23. In the Options section, you can add up to 30 DHCP custom options.
a. Select Add Option.
b. In the ID field, enter a number to identify the entry or use the default value.
c. In the Type drop-down list, select the format of the DHCP option: fully qualified domain name (FQDN),
hexadecimal, IP address, or string.
d. In the Code field, select the DHCP option code. The range is 0-255.
e. In the Value field, enter the DHCP option value. This value is required when the type is set to FQDN, Hex, or
String.
f. In the IP field, enter the IP address. This value is required when the type is set to IP.
g. To add another DHCP custom option, select Add Option.
24. Select Add to save the new DHCP server.
For example:
config system dhcp server
edit 1
set default-gateway 50.50.50.2
set domain "FortiswitchTest.com"
set filename "text1.conf"
set interface "svi10"
config ip-range
edit 1
set end-ip 50.50.0.10
set start-ip 50.50.0.5
next
end
set lease-time 360
set netmask 255.255.0.0
set next-server 60.60.60.2
config options
edit 1
set value "dddd"
next
end
set tftp-server "1.2.3.4"
set timezone-option specify
set wifi-ac1 5.5.5.1
set wifi-ac2 5.5.5.2
set wifi-ac3 5.5.5.3
set wins-server1 6.6.6.1
set wins-server2 6.6.6.2
set dns-server1 7.7.7.1
set dns-server2 7.7.7.2
set dns-server3 7.7.7.3
set ntp-server1 8.8.8.1
set ntp-server2 8.8.8.2
set ntp-server3 8.8.8.3
next
end
By default, the FortiSwitch unit assigns an address range based on the address of the interface for the complete scope
of the address. For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to
172.20.120.254.
If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in
the available addresses for the connecting users.
If you want the DHCP server to assign IP addresses to specific MAC addresses, you need to reserve the IP addresses.
To reserve IP addresses:
The DHCP server maintains a table for the potential options. The FortiSwitch DHCP server supports up to a maximum
of 30 custom options.
The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the
address is released for allocation to the next client that requests an IP address. Use one of the following commands to
check the DHCP leases:
execute dhcp lease-list
execute dhcp lease-list <interface>
If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer
lease times when some leases are no longer necessary, for example, with corporate visitors. Use one of the following
commands to break the DHCP leases:
execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
Configuring a DHCP relay
OSPF routing
NOTE: You must have an advanced features license to use OSPF routing.
Open shortest path first (OSPF) is a link-state interior routing protocol that is widely used in large enterprise
organizations. OSPF provides routing within a single autonomous system (AS). This differs from BGP, which provides
routing between autonomous systems.
An OSPF AS can contain only one area, or it can consist of a group of areas connected to a backbone area. A router
connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is
located between an OSPF autonomous system and a non-OSPF network. Routing information is contained in a link-
state database. Routing information is communicated between routers using link-state advertisements (LSAs).
The main benefit of OSPF is that it detects link failures in the network quickly and converges network traffic successfully
within seconds without any network loops. Also, OSPF has features to control which routes are propagated to contain
the size of the routing tables.
You can enable bidirectional forwarding detection (BFD) with OSPF. BFD is used to quickly locate hardware failures in
the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is
declared to be down. BFD then communicates this information to OSPF, and the routing information is updated.
NOTE: OSPF MIBs are not supported in this release.
For additional information about OSPF routing, see the OSPF section of the FortiOS Administration Guide.
This chapter covers the following topics:
l How OSPF works on page 232
l Configuring OSPF on page 234
How OSPF works
Areas
An OSPF implementation consists of one or more areas. An area consists of a group of contiguous networks. If you
configure more than one area, Area Zero is always the backbone area. An ABR links one or more areas to the OSPF
backbone area.
The FortiSwitch unit supports different types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A
stub area is an interface without a default route configured. NSSA is a type of stub area that can import AS external
routes and send them to the backbone but cannot receive AS external routes from the backbone or other areas. All other
areas are considered regular areas.
Adjacencies
When an OSPF router boots up, it sends OSPF Hello packets to find neighbors on the same network. Neighbors
exchange information, and the link-state databases of both neighbors are synchronized. At this point, these neighbors
are said to be adjacent.
For two OSPF routers to become neighbors, the following conditions must be met:
l The subnet number and subnet mask for the interface must match in both routers.
l The Hello interval and Dead interval values must match.
l The routers must have the same OSPF area ID.
l If authentication is used, they must pass authentication checks.
In OSPF, routing protocol packets are only passed between adjacent routers.
Route summarization
Using route summarization reduces the number of LSAs being sent between routers. OSPF offers two types of route
summarization:
l Between areas through an ABR. This method summarizes routes in the area configuration.
config area
edit <area_IPv4_address>
config range
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
next
end
l Between an OSPF AS and a non-OSPF network through an ASBR. This method summarizes external routes when
you redistribute them.
config summary-address
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
Starting in FortiSwitchOS 6.4.3, the FortiSwitch unit enters the helper (neighbor) mode when a neighboring router sends
a grace LSA before it restarts. The FortiSwitch unit keeps the restarting router in the forwarding path for OSPF routing,
as long as there are no network topology changes. After the restarting router completes its graceful restart, the
FortiSwitch unit exits the helper mode.
This feature is always enabled.
When the OSPF link-state database is large, some routers do not have enough resources to store the complete link-
state database. To prevent database overflow, you can limit the number of AS-external-LSAs in the link-state database.
When the maximum number of AS-external-LSAs is reached, the router deletes all AS-external-LSAs that it originated
and stops originating AS-external-LSAs for the specified number of seconds.
By default, this feature is disabled.
Use the following commands to configure database overflow protection:
config router ospf
Configuring OSPF
1. Create a switch virtual interface. See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > OSPF > Settings.
a. Enter a unique 32-bit number in dotted decimal format for the router identifier. NOTE: Without a router
identifier, OSPF routing will not work.
b. If you are going to advertise default routes within OSPF, configure the default route option and enter the
routing metric (cost) for other routing protocols.
c. If you want to redistribute non-OSPF routes, select Enabled under Connected, Static, RIP, BGP, or ISIS and
then enter the routing metric in the Metric field.
d. Select Update.
3. Got to Router > Config > OSPF > Areas and select Add OSPF Area.
a. Enter the area IP address.
b. Select if the area is a stub area, NSSA, or a regular area.
c. Select Add.
4. Go to Router > Config > OSPF > Networks and select Add Network.
a. Enter the network identifier.
b. Enter the IP address and netmask, separated with a space. Use an IP address that includes the switch virtual
interface.
c. Select the area that you created.
d. Select Add.
5. Go to Router > Config > OSPF > Interfaces and select Configure OSPF Interface.
a. Select the same type of authentication that you selected for the area.
b. If you want static bidirectional forwarding detection, select Enable or Global.
c. Enter the maximum transmission unit.
d. Enter the cost.
e. Enter the number of seconds between Hello packets being sent.
f. Enter the number of seconds that a Hello packet is not received before the OSPF router decides that a
neighbor has failed.
g. Select Add.
Configuring OSPF using IPv4 on the FortiSwitch unit includes the following major steps:
1. Enter the OSPF configuration mode.
2. Set the router identifier. Each router must have a unique 32-bit number. NOTE: Without a router identifier, OSPF
routing will not work.
Each router within an area must have a unique 32-bit number. The router identifier is written in dotted decimal format,
but it is not an IPv4 address. NOTE: Without a router identifier, OSPF routing will not work.
set router-id <router-id>
For example:
# config router ospf
(ospf) # set router-id 1.1.1.2
3. Create an area
You must create at least one area. The area number is written in dotted decimal format (for example, configure area
100 as 0.0.0.100).
config area
edit <area number>
set shortcut (default | disable | enable)
set type {nssa | regular | stub}
end
For example:
(ospf) # config area
(area) # edit 0.0.0.4
(0.0.0.4) # set type nssa
Use this subcommand to identify the OSPF-enabled interfaces. The prefix length in the interface must be equal or
larger than the prefix length in the network statement.
config network
edit <network number>
set area <area>
set prefix <network prefix> <mask>
For example:
(ospf) # config network
(network) # edit 1
(1) # set area 0.0.0.4
(1) # set prefix 10.1.1.0 255.255.255.0
Configure interface-related OSPF settings. Enter a descriptive name for the OSPF interface name.
config interface
edit <OSPF_interface_name>
set priority <1-255>
For example:
(ospf) # config interface
(ospf-interface) # edit oi1
(oi1) # set priority 255
For example:
(ospf) # config redistribute connected
(connected) # set status enable
(connected) # end
The get router info ospf command has options to display different aspects of the OSPF configuration and
status. For example:
get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_
address>}
get router info ospf database {brief | self-originate | router | network | summary | asbr-
summary| external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}
Example configuration
The following example shows a very simple OSPF network with one area. FortiSwitch 1 has one OSPF interface to
FortiSwitch 2:
Switch 1
next
edit "port4"
set native-vlan 40
next
end
Switch 2
Switch 1
config area
edit 0.0.0.0
next
end
config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end
config interface
edit "1"
set cost 100
set interface "vlan10"
set priority 100
next
end
end
Switch 2
config area
edit 0.0.0.0
next
end
config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end
config interface
edit "1"
set cost 100
set interface "vlan10"
set priority 100
next
end
end
RIP routing
NOTE: You must have an advanced features license to use RIP routing.
The Routing Information Protocol (RIP) is a distance-vector routing protocol that works best in small networks that have
no more than 15 hops. Each router maintains a routing table by sending out its routing updates and by asking neighbors
for their routes. RIP is relatively simple to configure on FortiSwitch units but slow to respond to network outages. RIP
routing is better than static routing but less scalable than open shortest path first (OSPF) routing.
The FortiSwitch unit supports RIP version 1 and RIP version 2:
l RIP version 1 uses classful addressing and broadcasting to send out updates to router neighbors. It does not
support different sized subnets or classless inter-domain routing (CIDR) addressing.
l RIP version 2 supports classless routing and subnets of various sizes. Router authentication supports MD5 and
authentication keys. Version 2 uses multicasting to reduce network traffic.
RIP uses three timers:
l The update timer determines the interval between routing updates. The default setting is 30 seconds.
l The timeout timer is the maximum time that a route is considered reachable while no updates are received for the
route. The default setting is 180 seconds. The timeout timer setting should be at least three times longer than the
update timer setting.
l The garbage timer is the is the how long that the FortiSwitch unit advertises a route as being unreachable before
deleting the route from the routing table. The default setting is 120 seconds.
You can enable bidirectional forwarding detection (BFD) with RIP. BFD is used to quickly locate hardware failures in the
network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is
declared to be down. BFD then communicates this information to RIP, and the routing information is updated.
When you configure RIP routing, you can choose the strategy the access list uses to permit or deny IP addresses:
l Prefix—Specify the IP address and bit mask to allow or block.
l Wildcard—Specify the Cisco-style filter to allow or block.
For additional information about RIP routing, see the RIP section of the FortiOS Administration Guide.
This chapter covers the following topics:
l Terminology on page 240
l Configuring RIP routing on page 241
Terminology
Access list: A list of IP addresses and the action to take for each one. Access lists provide basic route and network
filtering.
Active RIP interface: Each RIP router sends and receives updates by actively communicating with its neighbors.
Keychain: A list of one or more authentication keys including its lifetime, which is how long each key is valid.
Metric: RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is
connected directly to the FortiSwitch unit. A hop count of 16 represents a network that cannot be reached.
Passive RIP interface: The RIP router listens to updates from other routers but does not send out updates. A passive
RIP interface reduces network traffic.
Prefix list: A more powerful prefix-based filtering mechanism. A prefix is an IP address and netmask.
Split horizon: A way to avoid routing loops.
NOTE: You must create a keychain first before you can use the MD5 authentication mode with RIP version 2.
1. Create a switch virtual interface (SVI). See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > RIP > Settings.
a. Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
b. If you want to use BFD, select Bidirectional Forwarding Detection.
c. If you want to use a default route, select Default Information Originate.
d. If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and
Garbage fields.
e. If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
l If you select Enable under Connected, enter the routing metric to use.
If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use
l
the default routing metric and then enter the routing metric to use.
f. Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
3. Go to Router > Config > Access Lists and select Add Access List.
c. Select the access list that you added in the previous step.
d. Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or
1.2.3.4 248.0.0.0.
e. Select Add.
5. Go to Router > Config > RIP > Networks and select Add Network.
a. If you want to change the RIP version used to send and receive routing updates, select from the Send Version
and Receive Version drop-down menus.
b. If you do not want to send RIP updates from this interface, select Passive Interface.
c. If you want to use authentication, select Text or MD5.
d. Select Add.
1. Create a switch virtual interface (SVI). See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > RIP > Settings.
a. Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
b. If you want to use BFD, select Bidirectional Forwarding Detection.
c. If you want to use a default route, select Default Information Originate.
d. If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and
Garbage fields.
e. If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
l If you select Enable under Connected, enter the routing metric to use.
If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use
l
the default routing metric and then enter the routing metric to use.
f. Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
3. Go to Router > Config > Access Lists and select Add Access List.
d. Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or
1.2.3.4 248.0.0.0.
e. Select Add.
5. Go to Router > Config > RIP > Networks and select Add Network.
a. If you want to change the RIP version used to send and receive routing updates, select from the Send Version
and Receive Version drop-down menus.
b. If you do not want to send RIP updates from this interface, select Passive Interface.
c. If you want to use authentication, select Text or MD5.
d. Select Add.
end
end
config offset-list
edit <offset-list_name>
set access-list6 <access-list_name>
set direction {in | out}
set interface {in | out}
set offset <1-16>
set status {disable | enable}
end
config aggregate-address
edit <aggregate-address_entry_ID>
set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
end
config interface
edit <interface_name>
set passive {disable | enable}
set split-horizon-statsus {disable | enable}
set split-horizon {poisoned |regular}
end
end
end
The get router info rip and get router info6 rip commands have options to display different aspects
of the RIP configuration and status. For example, there are options to display the RIP general information and the RIP
database:
get router info rip status
get router info6 rip status
get router info rip database
get router info6 rip database
Example configuration
Switch 1: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 180.1.1.0/24
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
set ip 128.8.2.1/16
set allowaccess ping https http ssh snmp telnet
set vlanid 70
next
end
Switch 2: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 128.8.0.0/16
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
VRRP
Configuring VRRP
l Enter the priority. If the highest priority value of 255 is entered, the virtual router becomes the master router.
l Select Preempt if you want the router to preempt the master virtual router if the priority changes.
l Enter the source virtual IP address that will be shared across the VRRP group.
l Enter one or two IP addresses that the master router must track. The maximum number of IP addresses is
two. If these IP addresses cannot be reached by the master router, the priority of the master router changes to
0.
l Select Add VRRP to add each additional virtual router.
4. After filling in the fields for the virtual routers, select Update.
NOTE: You can also configure VRRP using IPv6 with the config ipv6 and config vrrrp6 commands under the
config system interface command.
Go to Router > Config > Interface to see which interfaces have VRRP configured.
Go to Router > Monitor > VRRP to see the interface, source virtual IP address that is shared across the VRRP group,
MAC address for the interface, and virtual router identifier for each VRRP configuration, as shown in the following
figure.
BGP routing
NOTE: You must have an advanced features license to use BGP routing.
Border Gateway Protocol (BGP) contains two distinct subsets: internal BGP (iBGP) and external BGP (eBGP). iBGP is
intended for use within your own networks. eBGP is used to connect many different networks together and is the main
routing protocol for the Internet backbone. FortiSwitch units support iBGP, and eBGP only for communities.
BGP was first used in 1989. The current version, BGP-4, was released in 1995 and is defined in RFC 1771. That RFC
has since been replaced by RFC 4271. The main benefits of BGP-4 are classless inter-domain routing and aggregate
routes. BGP is the only routing protocol to use TCP for a transport protocol. Other routing protocols use UDP.
BGP makes routing decisions based on path, network policies, and rulesets instead of the hop-count metric as RIP
does, or cost-factor metrics as OSPF does.
BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545.
BGP is the routing protocol used on the Internet. It was designed to replace the old Exterior Gateway Protocol (EGP)
which had been around since 1982, and was very limited. BGP enabled more networks to take part in the Internet
backbone to effectively decentralize it and make the Internet more robust, and less dependent on a single ISP or
backbone network.
In a BGP network, there are some terms that need to be explained before going ahead. Some parts of BGP are not
explained here because they are common to other dynamic routing protocols. When determining your network topology,
note that the number of available or supported routes is not set by the configuration but depends on the available
memory on the FortiSwitch units.
FortiSwitch units support IPv6 over BGP using the same config router bgp CLI command as IPv4 but different
subcommands.
The main CLI keywords have IPv6 equivalents that are identified by the “6” on the end of the keyword, such as config
network6 or set allowas-in6. For more information about IPv6 BGP keywords, see the FortiSwitchOS CLI
Reference.
Dynamic routing has a number of different roles that routers can fill. BGP has a number of custom roles that routers can
fill. These include speaker routers, peer routers or neighbors, and route reflectors.
Speaker routers
Any router that is configured for BGP is considered a BGP speaker. This means that a speaker router advertises BGP
routes to its peers.
Any routers on the network that are not speaker routers are not treated as BGP routers.
In a BGP network, all neighboring BGP routers or peer routers are routers that are connected to a FortiSwitch unit. A
FortiSwitch unit learns about all other routers through these peers.
You need to manually configure BGP peers on a FortiSwitch unit as neighbors. Otherwise, these routers are not seen as
peers but simply as other routers on the network that do not support BGP. Optionally, you can use MD5 authentication
to password-protect BGP sessions with those neighbors (see RFC 2385).
You can configure up to 1000 BGP neighbors on a FortiSwitch unit. You can clear all or some BGP neighbor connections
(sessions), using the execute router clear bgp CLI command.
For example, if you have 10 routes in the BGP routing table and you want to clear the specific route to IP address
10.10.10.1, enter the following CLI command:
execute router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the following CLI command:
execute router clear bgp as 650001
To remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI command:
execute router clear bgp dampening 10.10.0.0/16
In the following diagram, Router A is directly connected to five other routers in a network that contains 12 routers. These
routers (the ones in the blue circle) are Router A’s peers or neighbors.
As a minimum, when configuring BGP neighbors, you must enter their IP address and the AS number (remote-as). This
is all of the information the GUI allows you to enter for a neighbor.
Route reflectors
Route reflectors (RR) in BGP concentrate route updates so other routers only need to talk to the RRs to get all of the
updates. This results in smaller routing tables, fewer connections between routers, faster responses to network topology
changes, and less administration bandwidth. BGP RRs are defined in RFC 1966.
In a BGP RR configuration, the AS is divided into different clusters that each include client and reflector routers. The
client routers supply the reflector routers with the client’s route updates. The reflectors pass this information along to
other RRs and border routers. Only the reflectors need to be configured, not the clients, because the clients find the
closest reflector and communicate with it automatically. The reflectors communicate with each other as peers. A
FortiSwitch unit can be configured as either reflectors or clients.
Because RRs are processing more than the client routers, the reflectors should have more resources to handle the extra
workload.
Smaller networks running BGP typically do not require RRs. However, RRs are a useful feature for large companies,
where their AS may include 100 routers or more. For example, a full mesh 20 router configuration within an AS, there
would have to be 190 unique BGP sessions just for routing updates within the AS. The number of sessions jumps to 435
sessions for just 30 routers, or 4950 sessions for 100 routers. Based on these numbers, updating this many sessions will
quickly consume the limited bandwidth and processing resources of the routers involved.
The following diagram illustrates how RRs can improve the situation when only six routers are involved. The AS without
RRs requires 15 sessions between the routers. In the AS with RRs, the two RRs receive route updates from the reflector
clients (unlabeled routers in the diagram) in their cluster, as well as other RRs, and pass them on to the border router.
The RR configuration requires only six sessions. This example shows a reduction of 60% for the number of required
sessions.
Confederations
Confederations were introduced to reduce the number of BGP advertisements on a segment of the network and reduce
the size of the routing tables. Confederations essentially break up an AS into smaller units. Confederations are defined
in RFC 3065 and RFC 1965.
Within a confederation, all routers communicate with each other in a full mesh arrangement. Communications between
confederations is more like inter-AS communications because many of the attributes are changed as they would be for
BGP communications leaving the AS, or eBGP.
Confederations are useful when merging ASs. Each AS being merged can easily become a confederation, which
requires few changes. Any additional permanent changes can then be implemented over time, as required. The
diagram below shows the group of ASs before merging and the corresponding confederations afterward, as part of the
single AS with the addition of a new border router. It should be noted that after merging, if the border router becomes a
route reflector, then each confederation only needs to communicate with one other router instead of five others.
Confederations and RRs perform similar functions: they both sub-divide large ASs for more efficient operation. They
differ in that route reflector clusters can include routers that are not members of a cluster, whereas routers in a
confederation must belong to that confederation. Also, confederations place their confederation numbers in the AS_
PATH attribute, making it easier to trace.
NOTE: While confederations essentially create sub-ASs, all the confederations within an AS appear as a single AS to
external ASs.
Confederation related BGP commands include the following:
config router bgp
set confederation-identifier <peerid_integer>
end
Network Layer Reachability Information (NLRI) is unique to BGP-4. It is sent as part of the update messages sent
between BGP routers and contains information necessary to supernet, or aggregate route, information. The NLRI
includes the length and prefix that, when combined, are the address of the aggregated routes referred to.
There is only one NLRI entry per BGP update message.
BGP attributes
Each route in a BGP network has a set of attributes associated with it. These attributes define the route and are
modified, as required, along the route.
BGP can work well with mostly default settings, but if you're going to change settings you need to understand the roles
of each attribute and how they affect those settings.
The BGP attributes include the ones listed in the following table.
Attribute Description
AS_PATH A list of ASs a route has passed through. For more information, see AS_PATH on
page 262.
MULTI_EXIT_DESC (MED) Which router to use to exit an AS with more than one external connection. For
more information, see MULTI_EXIT_DESC on page 262.
COMMUNITY Used to apply attributes to a group of routes. For more information, see
COMMUNITY on page 263.
NEXT_HOP Where the IP packets should be forwarded to, like a gateway in static routing. For
more information, see NEXT_HOP on page 263.
ATOMIC_AGGREGATE Used when routes have been summarized to tell downstream routers not to de-
aggregate the route. For more information, see ATOMIC_AGGREGATE on page
263.
ORIGIN Used to determine if the route is from the local AS or not. For more information,
see ORIGIN on page 264.
LOCAL_PREF Used only within an AS to select the best route to a location (like MED).
Inbound policies on FortiSwitch units can change the NEXT-HOP, LOCAL-PREF, MED, and AS-PATH attributes of an
internal BGP (iBGP) route for its local route selection purposes. However, outbound policies on the device cannot affect
these attributes.
AS_PATH
AS_PATH is the BGP attribute that keeps track of each AS that a route advertisement has passed through. AS_PATH is
used by confederations and by exterior BGP (EBGP) to help prevent routing loops. A router knows there is a loop if it
receives an AS_PATH with that router's AS in it. The diagram shows the route between Router A and Router B. The AS_
PATH from A to B would read 701,702,703 for each AS that the route passes through.
As of the beginning of 2010, the industry upgraded from 2-byte to 4-byte AS_PATHs. This upgrade was due to the
imminent exhaustion of 2-byte AS_PATH numbers. FortiOS supports 4-byte AS_PATHs in its BGP implementation.
MULTI_EXIT_DESC
BGP AS systems can have one or more routers that connect them to other ASs. For ASs with more than one connecting
router, the Multi-Exit Discriminator (MED) lists which router is best to use when leaving the AS. The MED is based on
attributes, such as delay. It is a recommendation only, as some networks may have different priorities.
BGP updates advertise the best path to a destination network. When a FortiSwitch unit receives a BGP update, the
FortiSwitch unit examines the MED attribute of potential routes to determine the best path to a destination network
before recording the path in the local FortiSwitch routing table.
FortiSwitch units have the option to treat any routes without an MED attribute as the worst possible routing choice. This
can be useful because a lack of MED information is a lack of routing information, which can be suspicious as a possible
hacking attempt or an attack on the network. At best, it signifies an unreliable route to select.
The BGP commands related to MED include the following:
config router bgp
set always-compare-med {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
COMMUNITY
A community is a group of routes that have the same routing policies applied to them. This saves time and resources. A
community is defined by the COMMUNITY attribute of a BGP route.
A FortiSwitch unit can set the COMMUNITY attribute of a route to assign the route to predefined paths (see RFC 1997).
The FortiSwitch unit can examine the COMMUNITY attribute of learned routes to perform local filtering and/or
redistribution.
The BGP commands related to COMMUNITY include the following:
config router bgp
set send-community {both | disable | extended | standard}
set send-community6 {both | disable | extended | standard}
end
NEXT_HOP
The NEXT_HOP attribute says what IP address the packets should be forwarded to next. Each time the route is
advertised, this value is updated. The NEXT_HOP attribute is much like a gateway in static routing.
FortiSwitch units allow you to change the advertising of the FortiSwitch unit’s IP address (instead of the neighbor’s IP
address) in the NEXT_HOP information that is sent to IBGP peers. This is changed with the config neighbor, set
next-hop-self command.
The BGP commands related to NEXT_HOP include the following:
config router bgp
config neighbor
edit "<IPv4_IPv6_address>"
set attribute-unchanged [as-path] [med] [next-hop]
set attribute-unchanged6 {as-path | MED | next-hop}
set next-hop-self {enable | disable}
set next-hop-self6 {disable | enable}
next
end
end
ATOMIC_AGGREGATE
The ATOMIC_AGGREGATE attribute is used when routes have been summarized. It indicates which AS and which
router summarize the routes. It also tells downstream routers not to de-aggregate the route. Summarized routes are
routes with similar information that have been combined, or aggregated, into one route that is easier to send in updates
for. When it reaches its destination, the summarized routes are split back up into the individual routes.
The FortiSwitch unit does not specifically set this attribute in the BGP router command, but it is used in the route map
command.
The CLI commands related to ATOMIC_AGGREGATE include the following:
config router route-map
edit <route_map_name>
set protocol bgp
config rule
edit <route_map_rule_id>
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-atomic-aggregate {enable | disable}
end
end
end
ORIGIN
The ORIGIN attribute records where the route came from. The options can be IBGP, EBGP, or incomplete. This
information is important because internal routes (IBGP) are, by default, higher priority than external routes (EBGP).
However, incomplete ORIGINs are the lowest priority of the three.
The CLI commands related to ORIGIN include the following:
config router route-map
edit <route_map_name>
set protocol bgp
config rule
edit <route_map_rule_id>
set match-origin {egp | igp | incomplete | none}
end
end
end
BGP is a link-state routing protocol and keeps link-state information about the status of each network link it has
connected. A BGP router receives information from its peer routers that have been defined as neighbors. BGP routers
listen for updates from these configured neighboring routers on TCP port 179.
A BGP router is a finite state machine with six various states for each connection. As two BGP routers discover each
other and establish a connection, they go from the idle state and through the various states until they reach the
established state. An error can cause the connection to drop and the state of the router to reset to either active or idle.
These errors can be caused by TCP port 179 not being open, a random TCP port above port 1023 not being open, the
peer address being incorrect, or the AS number being incorrect.
When BGP routers start a connection, they negotiate which (if any) optional features will be used, such as multiprotocol
extensions, that can include IPv6 and VPNs.
When you read about BGP, you often see EBGP or IBGP mentioned. These are both BGP routing, but BGP used in
different roles. Exterior BGP (EBGP) involves packets crossing multiple autonomous systems (ASs) and interior BGP
(IBGP) involves packets that stay within a single AS. For example, the AS_PATH attribute is only useful for EBGP where
routes pass through multiple ASs.
These two modes are important because some features of BGP are used only for one of EBGP or IBGP. For example,
confederations are used in EBGP and RRs are used only in IBGP. Also, routes learned from IBGP have priority over
routes learned from EBGP.
FortiSwitch units have some commands that are specific to EBGP, including the following:
l automatically resetting the session information to external peers if the connection goes down: set fast-
external-failover {enable | disable}
l setting an administrative distance for all routes learned from external peers (you must also configure local and
internal distances if this is set): set distance-external <distance_integer>
l enforcing EBGP multihops and their TTL (number of hops): set ebgp-enforce-multihop {enable |
disable} and set ebgp-multihop-ttl <seconds_integer>
Firstly, recall that the number of available or supported routes is not set by the configuration but depends on the
available memory on the FortiSwitch unit. All learned routes and their attributes come into the BGP router in raw form.
Before routes are installed in the routing table or are advertised to other routers, three levels of decisions must be made.
The three phases of BGP best path determination do not change. However, some manufacturers have added more
information to the process, such as Cisco’s WEIGHT attribute, to allow an administrator to force one route’s selection
over another.
There is one Adj-RIB-IN and Adj-RIB-OUT for each configured neighbor. They are updated when the FortiSwitch unit
receives BGP updates or when the FortiSwitch unit sends out BGP updates.
Decision phase 1
At this phase, the decision is to calculate how preferred each route and its NRLI are the Adjacent Routing Information
Base Incoming (Adj-RIBs-In) compared to the other routes. For internal routes (IBGP), policy information or LOCAL_
PREF is used. For external peer learned routes, it is based strictly on policy. These rules set up a list of which routes are
most preferred going into Phase 2.
Decision phase 2
Phase 2 involves installing the best route to each destination into the local Routing Information Base (Loc-RIB).
Effectively, the Loc-RIB is the primary routing table. Each route from Phase 1 has their NEXT_HOP checked to ensure
the destination is reachable. If it is reachable, the AS_PATH is checked for loops. After that, routes are installed based
on the following decision process:
l If there is only one route to a location, it is installed.
l If there are multiple routes to the same location, use the most preferred route from Level 1.
l If there is a tie, break the tie based on the following, in descending order of importance: shortest AS_PATH,
smallest ORIGIN number, smallest MED, EBGP over IBGP, smallest metric or cost for reaching the NEXT_HOP,
BGP identifier, and lowest IP address.
Note that the new routes that are installed into the Loc-RIB are in addition to any existing routes in the table. Once
Phase 2 is completed, the Loc-RIB will consist of the best of both the new and older routes.
Decision phase 3
Phase 3 is route distribution or dissemination. This is the process of deciding which routes the router will advertise. If
there is any route aggregation or summarizing, it happens here. Also, any route filtering from route maps happens here.
Once Phase 3 is complete, an update can be sent out to update the neighbor of new routes.
BGP-4 allows classless routing, which uses netmasks as well as IP addresses. This classless routing allows the
configuration of aggregate routes by stating the address bits the aggregated addresses have in common.
The ATOMIC_AGGREGATE attribute informs routers that the route has been aggregated and should not be de-
aggregated. An associated AGGREGATOR attribute include the information about the router that did the aggregating
including its AS.
The BGP commands associated with aggregate routes and addresses are the following:
config router bgp
config aggregate-address
edit <aggr_addr_id>
set as-set {enable | disable}
set prefix <address_ipv4mask>
set summary-only {enable | disable}
end
end
config aggregate-address6
edit <aggr_addr_id>
set as-set {enable | disable}
set prefix6 <address_ipv6mask>
set summary-only {enable | disable}
end
end
Troubleshooting BGP
There are some features in BGP that are used to deal with problems that may arise. Typically, the problems with a BGP
network that has been configured involve routes going offline frequently. This is called route flap and causes problems
for the routers using that route.
To see if a new route is being properly added to the routing table, you can clear all or some BGP neighbor connections
(sessions) using the execute router clear bgp command.
For example, if you have 10 routes in the BGP routing table and you want to clear the specific route to IP address
10.10.10.1, enter the following CLI command:
execute router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the following CLI command:
execute router clear bgp as 650001
Route flap
When routers or hardware along a route go offline and back online that is called a route flap. Flapping is the term that is
used if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the peer routers that are connected
to that out-of-service router advertise the change in their routing tables. This creates a lot of administration traffic on the
network and the same traffic re-occurs when that router comes back online. If the problem is something like a faulty
network cable that wobbles online and offline every 10 seconds, there could easily be an overwhelming amount of
routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiSwitch units in HA mode. When an HA cluster fails over
to the secondary unit, other routers on the network may see the HA cluster as being offline, resulting in route flap. While
this does not occur often, or more than once at a time, it can still result in an interruption in traffic that is unpleasant for
network users. The easy solution for this problem is to increase the timers on the HA cluster, such as TTL timers, so
they do not expire during the failover process. Also, configuring graceful restart on the HA cluster helps with a smooth
failover.
The first method of dealing with route flap is to check your hardware. If a cable is loose or bad, it can easily be replaced
and eliminate the problem. If an interface on the router is bad, either avoid using that interface or swap in a functioning
router. If the power source is bad on a router, either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP options. However, if the route flap
is from another source, configuring BGP to deal with the outages will ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
l Holdtime timer
l Dampening
l BFD
Holdtime timer
The first line of defense to a flapping route is the holdtime timer. This timer reduces how frequently a route going down
will cause a routing update to be broadcast.
After it is activated, the holdtime timer does not allow the FortiSwitch unit to accept any changes to that route for the
duration of the timer. If the route flaps five times during the timer period, only the first outage is recognized by the
FortiSwitch unit. For the duration of the other outages, there will not be changes because the FortiSwitch unit is
essentially treating this router as down. If the route is still flapping after the timer expires, it'll happen all over again.
Even if the route is not flapping (for example, if it goes down, comes up, and stays back up) the timer still counts down
and the route is ignored for the duration of the timer. In this situation, the route is seen as down longer than it really is
but there will be only the one set of route updates. This is not a problem in normal operation because updates are not
frequent.
Also, the potential for a route to be treated as down when it is really up can be viewed as a robustness feature. Typically,
you do not want most of your traffic being routed over an unreliable route. So if there is route flap going on, it is best to
avoid that route if you can. This is enforced by the holdtime timer.
There are three different route flapping situations that can occur: the route goes up and down frequently, the route goes
down and back up once over a long period of time, or the route goes down and stays down for a long period of time.
These can all be handled using the holdtime timer.
For example, your network has two routes that you want to set the timer for. One is your main route (to 10.12.101.4)
that all of your Internet traffic goes through, and it cannot be down for long if it is down. The second is a low speed
connection to a custom network that is used infrequently (to 10.13.101.4). The timer for the main route should be fairly
short (for example, 60 seconds). The second route timer can be left at the default because it is rarely used. In your BGP
configuration, this looks like the following:
config router bgp
config neighbor
edit 10.12.101.4
set holdtime-timer 60
next
edit 10.13.101.4
set holdtime-timer 180
next
end
end
Dampening
Dampening is a method that is used to limit the amount of network problems due to flapping routes. With dampening,
the flapping still occurs but the peer routers pay less and less attention to that route as it flaps more often. One flap
does not start dampening, but the second flap starts a timer where the router will not use that route because it is
considered unstable. If the route flaps again before the timer expires, the timer continues to increase. There is a period
of time called the reachability half-life, after which a route flap will be suppressed for only half the time. This half-life
comes into effect when a route has been stable for a while but not long enough to clear all the dampening completely.
For the flapping route to be included in the routing table again, the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the FortiSwitch unit's cache by using
one of the execute router clear bgp CLI commands:
execute router clear bgp dampening {<ip_address> | <ip/netmask>}
For example, to remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI
command:
execute router clear bgp dampening 10.10.0.0/16
BFD
Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD communicate with each other and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the routing protocol and the routing information is updated.
For more information about BFD, see Bidirectional forwarding detection on page 218.
Configuring BGP
Configuring BGP on the FortiSwitch unit includes the following major steps:
1. Enter the BGP configuration mode.
2. Set the autonomous system and router identifier.
3. Configure a BGP neighbor.
4. Redistribute non-BGP routes. Advertise these non-BGP routes within BGP.
Enter the BGP configuration mode to access all of the BGP configuration commands:
# config router bgp
Set the autonomous system. For IBGP, the AS value needs to match the remote-as value in the neighbor router. For
EBGP, the AS value differs from the remote-as value in the neighbor router. You also need to specify a fixed router
identifier for the FortiSwitch unit. These two commands are mandatory.
# set as <AS number>
# set router-id <IP_address>
Other BGP commands
The get router info bgp and get router info6 bgp commands have options to display different aspects
of the BGP configuration and status.
For example:
get router info bgp neighbors
get router info bgp network
get router info6 bgp filter-list
get router info6 bgp route-map
If you are using equal-cost multi-path (ECMP) routing with the EBGP or IBGP, the maximum number of paths is 1 by
default. Use the following commands to change the default:
config router bgp
set maximum-paths-ebgp <1-64>
set maximum-paths-ibgp <1-64>
end
Sample configurations
edit vlan40-p4
set ip 172.168.111.6 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 40
set interface internal
end
config switch interface
edit "port2"
set native-vlan 20
set stp-state disabled
next
edit "port4"
set native-vlan 40
set stp-state disabled
next
edit "internal"
set allowed-vlans 1,20, 40, 4094
set stp-state disabled
next
end
Internal BGP
In this example, the two neighboring switches are in the same autonomous system.
Configuration for FortiSwitch 1:
config router bgp
set as 6500
set router-id 1.2.3.4
config neighbor
edit "172.168.111.5"
set remote-as 6500
next
end
config network
edit 1
set prefix 192.168.2.0 255.255.255.0
next
end
config redistribute "connected"
end
end
end
edit 1
set prefix 10.50.2.0 255.255.255.0
next
end
config redistribute "connected"
end
end
end
External BGP
In this example, the two neighboring switches are in separate autonomous systems.
Configuration for FortiSwitch 1:
config router bgp
set as 6500
set router-id 1.2.3.4
config neighbor
edit "172.168.111.5"
set remote-as 7500
next
end
config network
edit 1
set prefix 192.168.2.0 255.255.255.0
next
end
config redistribute "connected"
end
end
end
Using the following command, you can check the BGP status on the local switch:
PIM routing
NOTE: You must have an advanced features license to use PIM routing.
A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) version-4 router. FortiSwitchOS supports PIM
source-specific multicast (SSM) and version 3 of Internet Group Management Protocol (IGMP).
You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When
PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit
communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast
traffic associated with specific multicast groups.
NOTE:
l Access lists, prefix lists, and route maps are not supported.
l Bidirectional forwarding detection (BFD) is not supported.
l You cannot use PIM and the IGMP querier at the same time on the same switch virtual interface.
l PIM and IGMP snooping work independently.
l IPv6 is not supported.
l IGMP version-3 explicit membership tracking is not supported.
l SSM mapping is not supported.
l The multicast routing information base (MRIB) is not supported.
l The PIM management information base (MIB) is not supported.
This chapter covers the following topics:
l Terminology on page 276
l Configuring PIM on page 276
l Checking the PIM configuration on page 277
Terminology
PIM domain: A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at
least one Boot Strap Router (BSR) and a number of Rendezvous Points (RPs) and Designated Routers (DRs).
RP: An RP represents the root of a non-source-specific distribution tree to a multicast group.
Configuring PIM
3. If you want multicast packets to be handled by specific (static) rendezvous points (RPs), record the IP addresses of
the PIM-enabled interfaces on those RPs.
4. Enable PIM version 4 on all participating routers between the source and receivers. Use the config router
multicast command to set global operating parameters.
5. Configure the PIM routers that have good connections throughout the PIM domain to be candidate boot strap
routers (BSRs).
6. Configure one or more of the PIM routers to be candidate RPs.
7. If required, adjust the default settings of PIM-enabled interface(s).
IS-IS routing
NOTE: You must have an advanced features license to use IS-IS routing.
Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless
Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between
Autonomous Systems (AS).
IS-IS is a link state protocol that is well-suited to smaller networks. It is in widespread use and has near universal
support on routing hardware. It is quick to configure and works well if there are no redundant paths. However, IS-IS
updates are sent out node-by-node, so it can be slow to find a path around network outages. IS-IS also lacks good
authentication, can not choose routes based on different quality-of-service methods, and can create network loops if
you are not careful. IS-IS uses Djikstra’s algorithm to find the best path, like OSPF.
While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures,
largely due to its native support for IPv6 and its nondisruptive methods for splitting, merging, migrating, and
renumbering network areas.
This chapter covers the following topics:
l Terminology on page 278
l Configuring IS-IS on page 278
l Checking the IS-IS configuration on page 281
Terminology
TLV: IS-IS uses type-length-value (TLV) parameters to carry information in Link-State PDUs (LSPs). The TLV field
consists of one octet of type (T), one octet of length (L), and “L” octets of value (V).
Link-state PDU (LSP): The LSP contains information about each router in an area and its connected interfaces.
Complete sequence number PDU (CSNP): CSNPs contain a list of all LSPs in the current LSDB.
Authentication keychain: A keychain is a list of one or more authentication keys including the send and receive
lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes.
Configuring IS-IS
Configuring IS-IS on the FortiSwitch unit includes the following major steps:
1. Enter the IS-IS configuration mode.
2. Configure the interface.
3. Configure the network.
4. Redistribute non-IS-IS routes. Advertise these non-IS-IS routes within IS-IS.
Enter the IS-IS configuration mode to access all of the IS-IS configuration commands:
# config router isis
Enable the status option for IPv4 traffic or the status6 option for IPv6 traffic on the specified interface:
config interface
edit <IS-IS interface name>
set auth-keychain-hello <string>
set auth-mode-hello {md5 | password}
set auth-password-hello <password>
set bfd {enable | disable}
set bfd6 {enable | disable}
set circuit-type {level-1 | level-1-2 | level-2}
set csnp-interval-l1 <1-65535 seconds>
set csnp-interval-l2 <1-65535 seconds>
set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>
set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>
set hello-multiplier-l1 <2-100>
set hello-multiplier-l2 <2-100>
set hello-padding {disable | enable}
set metric-l1 <1-63>
set metric-l2 <1-63>
set passive {disable | enable}
set priority-l1 <0-127>
set priority-l2 <0-127>
set status {disable | enable}
set status6 {disable | enable}
set wide-metric-l1 <1-16777214>
set wide-metric-l2 <1-16777214>
end
Redistribute non-IS-IS routes within IS-IS for IPv4 traffic or for IPv6 traffic:
config redistribute {bgp | connected | ospf | rip | static}
set status {disable | enable}
set metric <0-4261412864>
set metric-type {external | internal}
set level {level-1 | level-1-2 | level-2}
set routemap <string>
end
You can use bidirectional forwarding detection (BFD) for the IS-IS routing protocol using IPv4 or IPv6 addresses:
config router isis
config interface
edit <IS-IS interface name>
set bfd {enable| disable}
set bfd6 {enable| disable}
next
end
end
The FortiSwitch unit provides authentication mechanisms to control user access to the system (based on the user group
associated with the user). The members of user groups are user accounts. Local users and peer users are defined on
the FortiSwitch unit. User accounts can also be defined on remote authentication servers.
This section describes how to configure local users and peer users and how to configure user groups. For information
about configuring the authentication servers, see Remote authentication servers on page 41.
This chapter covers the following topics:
l Users on page 282
l User groups on page 283
Users
A user account consists of a user name, password, and potentially other information, configured in a local user database
or on an external authentication server.
Users can access resources that require authentication only if they are members of an allowed user group.
Field Description
User groups
Field Description
authtimeout <timeout> Sets the authentication timeout for the user group. The range is 1 to
480 minutes. If this field is set to 0, the global authentication timeout
value is used.
group-type <grp_type> Enter the group type. <grp_type> determines the type of users and is
one of the following:
l firewall—FortiSwitch users defined in user local, user ldap,
or user radius
l fsso-service—Directory Service users
member <names> Enter the names of users, peers, LDAP servers, or RADIUS servers
to add to the user group. Separate the names with spaces. To add or
remove names from the group, you must re-enter the whole list with
the additions or deletions required.
group-name <gname_str> Identifies the matching group on the remote authentication server.
MACsec
Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an
Ethernet LAN.
MACsec uses the static connectivity association key (CAK) mode. You specify the connectivity association key (CAK)
and the connectivity association name (CKN) for the pre-shared key in the MACsec profile and then apply the profile to a
switch port.
Notes:
To use MACsec:
next
end
config traffic-policy
edit <traffic_policy_name>
set security-policy must-secure
set status enable
next
end
next
end
cipher_suite GCM_AES_128 Only the GCM-AES-128 cipher suite is available currently for GCM_AES_
encryption. 128
confident-offset {0 | 30 | 50} Select the number of bytes for the MACsec traffic 0
confidentiality offset. Selecting 0 means that all of the
MACsec traffic is encrypted. Selecting 30 or 50 bytes means
that the first 30 or 50 bytes of MACsec traffic are not
encrypted.
encrypt-traffic {enable | disable} Enable or disable whether MACsec traffic is encrypted. enable
include-macsec-sci {enable | Enable or disable whether to include the MACsec transmit enable
disable} secure channel identifier (SCI).
include-mka-icv-ind enable The MACsec Key Agreement (MKA) integrity check value (ICV) enable
indicator is always included.
macsec-mode static-cak The MACsec mode is always static connectivity association static-cak
key (CAK).
replay-protect {enable | disable} Enable or disable MACsec replay protection. MACsec replay disable
protection drops packets that arrive out of sequence,
depending on the replay-window value.
replay-window <0-16777215> Enter the number of packets for the MACsec replay window 32
size. If two packets arrive with the difference between their
packet identifiers more then the replay window size, the most
recent packet of the two is dropped. The range is 0-16777215
packets. Enter 0 to ensure that all packets arrive in order
without any repeats.
<pre-shared key name> Enter a name for this MACsec MKA pre-shared key No default
configuration.
crypto-alg AES_128_CMAC Only the AES_128_CMAC algorithm is available for encrypting AES_128_
mka-cak <string> Enter the string of hexadecimal digits for the connectivity No default
association key (CAK). The string can be up to 32-bytes long.
mka-ckn <string> Enter the string of hexadecimal digits for the connectivity No default
association name (CKN). The string can be 1-byte to 64-bytes
long.
status active The status of the pre-shared key pair is always active. active
security-policy must-secure The policy must secure traffic for MACsec. must-secure
status enable The status of this MACsec traffic policy is always enabled. enable
For example:
config switch macsec profile
edit "2"
set cipher_suite GCM_AES_128
set confident-offset 0
set encrypt-traffic enable
set include-macsec-sci enable
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority 199
config mka-psk
edit "2"
set crypto-alg AES_128_CMAC
set mka-cak "0123456789ABCDEF0123456789ABCDEE"
set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
set status active
next
end
set replay-protect disable
set replay-window 32
set status enable
config traffic-policy
edit "2"
set security-policy must-secure
set status enable
next
end
next
end
For example:
config switch interface
edit port49
set native-vlan 50
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 49
config port-security
set port-security-mode macsec
set macsec-profile "macsec_profile1"
end
next
end
You can view the MACsec status and the MACsec traffic statistics for a specific port:
l diagnose switch macsec status <port_name>
l diagnose switch macsec statistics <port_name>
You can view the creation and deletion of secure associations:
diagnose debug kernel level 8
For example:
execute macsec clearstat interface port15
execute macsec reset interface port15
802.1x authentication
To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port
on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the
authentication server communicate using the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS,
EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the FortiSwitch unit.
The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs
device. The switch provides network access only to devices that have successfully been authenticated.
The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:
108 80
112 120
124/224/424/524/1024 240
148/248/448/548/1048 480
3032 320
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond
to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the
user name and password for authentication.
Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was
unsuccessful, and a VLAN for users when the authentication server is unavailable.
When the authentication server is unavailable after the server timeout period expires:
l You can control how many seconds the authentication server tries to authenticate users for before assigning them
to the specified VLAN:
l You can control how often the server checks if the RADIUS server is available:
When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.
This chapter covers the following topics:
l Dynamic VLAN assignment on page 290
l MAC authentication bypass (MAB) on page 291
l Configuring global settings on page 293
l Configuring the 802.1x settings on an interface on page 295
l Viewing the 802.1x details on page 297
l Clearing port authorizations on page 298
l Authenticating users with a RADIUS server on page 299
l Authenticating an admin user with RADIUS on page 307
l RADIUS accounting and FortiGate RADIUS single sign-on on page 310
l RADIUS change of authorization (CoA) on page 312
l Use cases on page 315
l Detailed deployment notes on page 318
You can configure the RADIUS server to return a VLAN in the authentication reply message:
1. On the FortiSwitch unit, select port-based authentication or MAC-based authentication and a security group.
2. On the RADIUS server, configure the attributes.
To select port-based authentication and the security group on the FortiSwitch unit:
config switch interface
edit <interface_name>
config port-security
set port-security-mode 802.1X
end
set security-groups <security-group-name>
end
The FortiSwitch unit will change the native VLAN of the port to that of the VLAN from the server.
To select MAC-based authentication and the security group on the FortiSwitch unit:
config switch interface
edit <interface_name>
config port-security
set port-security-mode 802.1X-mac-based
end
set security-groups <security-group-name>
end
Here, the switch assigns the returned VLAN only to this userʼs MAC address. The native VLAN of the port remains
unchanged.
Use the following configuration command to view the MAC-based VLAN assignments:
diagnose switch vlan assignment mac list [sorted-by-mac | sorted-by-vlan]
Devices such as network printers, cameras, and sensors might not support 802.1x authentication. If you enable the
MAB option on the port, the system will use the device MAC address as the user name and password for authentication.
MAB retries authentication three times before the device is assigned to a guest VLAN for unauthorized users. By
default, reauthentication is disabled. Use the following commands if you want to change the default behavior:
config switch global
config port-security
set mab-reauth enable
end
You must provision the RADIUS server to authenticate the devices that use MAB, either by adding the MAC addresses
as regular users or by implementing additional logic to resolve the MAC addresses in a network inventory database.
The following flowchart shows the FortiSwitch 802.1x port-based authentication with MAB enabled:
The following flowchart shows the FortiSwitch 802.1x MAC-based authentication with MAB enabled:
To select which 802.1x certificate and certificate authority that the FortiSwitch unit uses, see SSL configuration on page
62.
If a link goes down, you can select whether the impacted devices must reauthenticate. If reauthentication is
unnecessary, select Do Not Require Re-Authentication. To revert all devices to the unauthenticated state and force
each device to reauthenticate, select Require Re-Authentication.
MAB retries authentication before assigning a device to a guest VLAN for unauthorized users. MAB is disabled by
default in the CLI.
The Re-Authentication Period (Minutes) field defines how often the device needs to reauthenticate (that is, if a session
remains active beyond this number of minutes, the system requires the device to reauthenticate). Set the value to 0 to
disable reauthentication.
If 802.1x authentication fails, the Maximum Re-Authentication Attempts field caps the number of attempts that the
system will initiate. Set the value to 0 to disable the reauthentication attempts.
2. Select Require Reauthentication to revert all devices to the unauthenticated state if the link goes down or select
Do Not Require Reauthentication if reauthentication is unnecessary if the link goes down.
3. In the Re-Authentication Period (Minutes) field, enter the number of minutes before the system requires the device
to reauthenticate.
4. In the Maximum Re-Authentication Attempts field, enter the maximum number of times that the system tries to
reauthorize the session.
5. Select Update.
NOTE: Changes to global settings only take effect when new 802.1x/MAB sessions are created.
3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
The Port Security section displays additional options.
11. If you are using port-based authentication or MAC-based authentication, select one or more security groups.
12. Select OK.
Sessions info:
STA=00:24:9b:1b:20:65 Type=802.1X EAP PEAP state=AUTHENTICATED
Link: Link up
Port State: authorized ( )
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1
Untagged Vlan list: 1
Guest VLAN :
Sessions info:
0a:0a:0b:0b:0a:0a Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:09 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:08 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:07 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=2896
0a:0a:0b:0b:0a:06 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:05 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:04 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:03 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:02 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:01 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3
params:reAuth=3600h=120
e. Select OK.
f. Select Add.
2. Create a user group:
a. Go to System > User > Group.
b. Select Add Group.
c. In the Name field, enter Radius_group.
d. Select Add Server.
e. Select Radius_group.
f. Select OK.
Example: dynamic VLAN
To assign VLAN dynamically for a port on which a user is authenticated, configure the RADIUS server attributes to
return the VLAN ID when the user is authenticated. Assuming that the port security mode is set to 802.1X, the
FortiSwitch unit will change the native VLAN of the port to the value returned by the server.
Ensure that the following attributes are configured on the RADIUS server:
l Tunnel-Private-Group-Id <integer or string> (the VLAN ID or VLAN name)
l Tunnel-Medium-Type IEEE-802 (6)
l Tunnel-Type VLAN (13)
NOTE: If the Tunnel-Private-Group-Id is set to the VLAN name, the same string must be specified in the set
description command under the config switch vlan command.
If you want to use a RADIUS server to authenticate administrators, you must configure the authentication before you
create the administrator accounts. Do the following:
1. Configure the FortiSwitch unit to access the RADIUS server.
2. Configure an administrator to authenticate with a RADIUS server and match the user secret to the RADIUS server
entry.
3. Create the RADIUS user group.
h. Select Add.
2. Create a user:
a. Go to System > User > Definition.
b. Select Add User.
c. In the User Name field, enter RADIUS1.
d. Select Password from the Type field.
e. In the Password field and Confirm Password field, enter
6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nr
CeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBr
x5FhcRQWxStvnVt4+dzLYbHZ.
f. Select Add.
3. Create a user group:
a. Go to System > User > Group.
b. Select Add Group.
c. In the Name field, enter RADIUS_Admins.
d. Select RADIUS1 in the Available Users box and select the right arrow to move it to the Members box.
2. Create a user:
NOTE: To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
You can use your FortiSwitch unit for RADIUS single sign-on (RSSO) in two modes:
l Standalone mode
l FortiLink mode (FortiSwitch unit managed by FortiGate unit)
The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiGate RADIUS single sign-on:
l START—The FortiSwitch unit has been successfully authenticated, and the session has started.
l STOP—The FortiSwitch session has ended.
l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval
command.
l ON—The FortiSwitch unit will send this message when the switch is turned on.
l OFF—The FortiSwitch unit will send this message when the switch is shut down.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA now support EAP and MAB 802.1x
authentication.
Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on
Use the following commands to set up RADIUS accounting and enable a FortiSwitch unit to receive CoA and disconnect
messages from the RADIUS server:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set secret <secret_key>
Variable Description
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the
messages use port 3799.
acct-interim-interval <seconds> Enter the number of seconds between each interim accounting
message sent to the RADIUS server. The value range is 60-86400.
The default is 600.
addr-mode {ipv4 | ipv6} Select whether to connect to the RADIUS server with IPv4 or IPv6.
The default is IPv4.
secret <secret_key> Enter the shared secret key for authentication with the
RADIUS server.
server <domain_ipv4_ipv6> Enter the domain name, IPv4 address, or IPv6 address for the
RADIUS server. There is no default.
source-ip <ipv4_addr> If the addr-mode was set to ipv4, enter the IPv4 address of the
server that will be sending accounting messages. The default is
0.0.0.0.
source-ip6 <ipv6_addr> If the addr-mode was set to ipv6, enter the IPv6 address of the
server that will be sending accounting messages. There is no default.
status {enable | disable} Enable or disable RADIUS accounting. The default is disable.
server <accounting_server> Enter the domain name, IPv4 address, or IPv6 address of the RADIUS
server that will be receiving the accounting messages. There is no
default value.
secret <secret_key> Enter the shared secret key for the RADIUS accounting server.
port <port_number> Enter the port number for the RADIUS accounting server to receive
accounting messages from the FortiSwitch unit. The default is 1813.
NOTE: For increased security, each subnet interface that will be receiving CoA requests must be configured with the
set allowaccess radius-acct command.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS messages:
l CoA messages to change session authorization attributes (such as data filters and the session-timeout setting)
during an active session. To change the session timeout for an authenticated session, the CoA-Request message
needs to use the IEEE session-timeout attribute.
l Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are
unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string
The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages:
Unsupported Attribute 401 This error is a fatal error, which is sent if a request contains
an attribute that is not supported.
NAS Identification 403 This error is a fatal error, which is sent if one or more NAS-
Mismatch Identifier Attributes do not match the identity of the NAS
receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request or
Disconnect-Request message contains an attribute with an
unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified in
the CoA-Request or Disconnect-Request message does
not exist on the NAS.
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
config system interface
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
config user radius
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_ipv4_ipv6>
set addr-mode {ipv4 | ipv6}
end
Variable Description
allowaccess <access_types> Enter the types of management access permitted on this interface.
Valid types are as follows: http https ping snmp ssh
telnet radius-acct. Separate each type with a space. You must
include radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the messages
use port 3799.
radius-coa {enable | disable} Enable or disable whether the FortiSwitch unit will accept CoA and
disconnect messages. The default is disable.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 1812.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server.
server <server_name_ipv4_ Enter the domain name, IPv4 address, or IPv6 address for the RADIUS
ipv6> server. There is no default.
addr-mode {ipv4 | ipv6} Select whether to connect to the RADIUS server with IPv4 or IPv6.
The following example enables the FortiSwitch unit to receive CoA and disconnect messages from the specified
RADIUS server:
config system interface
edit "mgmt"
set ip 10.105.4.14 255.255.255.0
set allowaccess ping https http ssh snmp telnet radius-acct
set type physical
next
config user radius
edit "Radius-188-200"
set radius-coa enable
set secret ENC
+2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZf
OQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVU
MiPOU6fSrj
set server "10.105.188.200"
set addr-mode ipv4
next
end
Use cases
Use case 1
In this use case, a Cisco phone uses MAB and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone
uses 802.1x authentication with or without dynamic VLAN assignment.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
Use case 2
In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. A PC
behind the Cisco phone uses 802.1x authentication without dynamic VLAN assignment.
RADIUS dynamic VLAN assignment for the voice VLAN must match the voice VLAN configured in the LLDP-MED profile
for Cisco phone 802.1x authentication.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
set status enable
set vlan 104
next
set med-tlvs inventory-management network-policy
next
end
edit "port1"
set native-vlan 20
set security-groups "CISEGRP"
set snmp-index 1
config port-security
set mac-auth-bypass disable // Optional
set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with
voice VLAN tag at egress
set port-security-mode 802.1X-mac-based // Required
end
next
end
Use case 3
In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. The PC
behind the Cisco phone uses 802.1x authentication with dynamic VLAN assignment.
RADIUS dynamic VLAN assignment for the voice VLAN has to match the voice VLAN configured in the LLDP-MED
profile for Cisco phone 802.1x authentication.
The VLAN ID from the RADIUS dynamic VLAN assignment for the PC has to be added in the untagged VLAN list on the
port.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
set status enable
set vlan 104
next
set med-tlvs inventory-management network-policy
next
end
l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
l RADIUS CoA is supported in standalone mode and in non-NAT FortiLink mode.
l The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS),
Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
l Each RADIUS CoA server can support only one accounting manager in this release.
l RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
l Fortinet recommends a unique secret key for each accounting server.
l For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
l To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
l Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
l By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
l The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
l In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
l Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
l Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-
passthru) is enabled by default.
l For information about RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix.
l The authentication and accounting server configuration must be in the same address mode within the same
member. The address mode is either IPv4 or IPv6, no matter what the address mode is in the FQDN or raw IP
address. The address mode cannot be mixed.
l When a client is authorized with the RADIUS timeout VLAN enabled, the client is placed in the authorization VLAN.
If the RADIUS server becomes unavailable afterward and the reauthentication timer expires for the session, the
device keeps the client in the authorization VLAN but the state changes from AUTHENTICATED to SERVER_
TIMEOUT.
l In general for 802.1x deployment, Fortinet suggests disabling STP in the 802.1x security ports. If STP is enabled
on the ports, the ports must be assigned to STP instances that belong to a dynamic VLAN, guest VLAN, or auth-fail
VLAN; otherwise, the network connectivity fails after the ports are authorized and assigned to a dynamic VLAN,
guest VLAN, or auth-fail VLAN.
TACACS
This chapter contains information on using Terminal Access Controller Access-Control System (TACACS+)
authentication with your FortiSwitch unit.
This chapter covers the following topics:
l Administrative accounts on page 319
l User accounts on page 320
l Example configuration on page 320
Administrative accounts
Administrative, or admin, accounts allow access to various aspects of the FortiSwitch configuration. The level of access
is determined by the admin profile that is assigned to the admin account.
See Configuring administrator tasks on page 35 for the steps to create an admin profile.
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other network computing devices using one or more centralized servers. If you have configured TACACS+ support and
an administrator is required to authenticate using a TACACS+ server, the FortiSwitch unit contacts the TACACS+ server
for authentication.
User accounts
User accounts identify a network user and determine what parts of the network the user is allowed to access.
Example configuration
The following is an example configuration of a TACACS+ user account, with the CLI syntax shown to create it:
1. Configuring a TACACS user account for login authentication:
edit 1
set server-name tacserver
set group-name tacgroup
end
end
end
end
The FortiSwitch unit provides various features for troubleshooting and support.
This chapter covers the following topics:
l Dashboard on page 322
l Virtual wire on page 325
l TFTP network port on page 326
l Cable diagnostics on page 327
l Selective packet sampling on page 328
l Packet capture on page 328
l Network monitoring on page 332
l Flow tracking and export on page 335
l Identifying a specific FortiSwitch unit on page 337
Dashboard
The dashboard displays your FortiSwitch management mode and shows the current values for the following:
l CPU
l RAM
l Temperature for FortiSwitch models that have temperature sensors
l PoE (on FortiSwitch PoE models)
l Bandwidth
l Losses
Operation mode
The Operation Mode field shows whether the FortiSwitch unit is managed by a FortiGate unit.
When the FortiSwitch unit is in FortiLink mode, a message is displayed above the dashboard, and the Operation Mode
is “Remote Management.”
When the FortiSwitch unit is in standalone mode, the Operation Mode is “Local Management.”
Select Remote Management or Local Management to go to the Config > Management Mode page, where you can
switch between FortiLink mode and standalone mode.
FortiSwitch Cloud
The FortiSwitchCloud field shows whether the FortiSwitch unit is managed by FortiSwitch Cloud. A FortiSwitch unit
must be in standalone mode to be manged by FortiSwitch Cloud. For more details about using FortiSwitch Cloud, refer
to the FortiSwitch Cloud Administration Guide.
Select Enable and then select Advanced Settings to configure your FortiSwitch unit to be managed by FortiSwitch
Cloud.
1. On the FortiSwitchCloud page, select Enable and then select Advanced Settings.
2. By default, the Name field is set to fortiswitch-dispatch.forticloud.com, the domain name for
FortiSwitch Cloud. No change is needed.
3. By default, the Port field is set to 443, the port number used to connect to FortiSwitch Cloud. No change is needed.
4. In the Interval (Seconds) field, enter the time in seconds allowed for domain name system (DNS) resolution. The
default is 15 seconds. The range of values is 3-300 seconds.
5. Select Update to save your changes.
Bandwidth
The Bandwidth graphs show the inbound and outbound bandwidth for the entire FortiSwitch unit over a day and over a
week. The Average Per Interface bar chart shows the average bandwidth (inbound bandwidth plus outbound bandwidth)
for each interface over a day and over a week; only the interfaces with the highest bandwidth are displayed.
Losses
The Losses graphs show the inbound errors, outbound errors, inbound drops, and outbound drops for the entire
FortiSwitch unit over a day and over a week.
Virtual wire
Some testing scenarios might require two ports to be wired 'back-to-back'. Instead of using a physical cable, you can
configure a virtual wire between two ports. The virtual wire forwards traffic from one port to the other port with minimal
filtering or modification of the packets.
Notes:
l ACL mirroring is not supported.
l You can select ports that are already ingress and egress mirror sources.
3. Enter a name and select the ports for first member and second member.
4. Select Add to save the changes.
Virtual wire ports set a special Tag Protocol Identifier (TPID) in the VLAN header. The default value is 0xdee5, a value
that real network traffic never uses.
Use the following commands to configure a value for the TPID:
config switch global
set virtual-wire-tpid <hex value from 0x0001 to 0xFFFE>
end
NOTE:
l Ports have ingress and egress VLAN filtering disabled. All traffic (including VLAN headers) is passed unchanged to
the peer. All egress traffic is untagged.
l Ports have L2 learning disabled.
l Ports have their egress limited to their peer and do no allow egress from any other ports.
l The system uses TCAM to force forwarding from a port to its peer.
l The TCAM prevents any copy-to-cpu or packet drops.
TFTP network port
When you power on the FortiSwitch unit, the BIOS performs basic device initialization. When this activity is complete,
and before the OS starts to boot, you can click any key to bring up the boot menu.
From the menu, click the "I" key to configure TFTP settings. With newer versions of the BIOS, you can specify the
network port (where you have connected your network cable). If you are not prompted to specify the network port, you
must connect your network cable to the default network port:
l If the switch model has a WAN port, the WAN port is the network port.
l If the switch has no WAN port, the highest port number is the network port.
Cable diagnostics
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-
124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l Crosstalk cannot be detected.
l There is a 5-second delay before results are displayed.
l The value for the cable length is inaccurate.
l The results are inaccurate for open and short cables.
You can check the state of cables connected to a specific port. The following pair states are supported:
l Open
l Short
l Ok
l Open_Short
l Unknown
l Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
For supported models, see Supported models on page 14.
Use the following command to run a time domain reflectometry (TDR) diagnostic test on cables connected to a specific
port:
diagnose switch physical-ports cable-diag <physical port name>
NOTE: Running cable diagnostics on a port that has the link up will interrupt the traffic for several seconds.
For example:
# diagnose switch physical-ports cable-diag port1
Use the following command to check the medium dependent interface crossover (MDI-X) interface status for a specific
port:
diagnose switch physical-ports mdix-status <physical port name>
For example:
# diagnose switch physical-ports mdix-status port1
port1: MDIX(Crossover)
To examine the packets that have been sampled in the example, use the following command:
# diagnose sniffer packet sp17 none 6
Packet capture
When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets,
route, and destination are all what you expect. Packet capture is also called a network tap, packet sniffing, or logic
analyzing.
To capture packets:
1xx 8 20
2xx 8 50
4xx 16 75
5xx 16 100
1xxx 16 100
3xxx 16 100
To specify which packets to capture, define a filter and select a switch or system interface on which to capture the
packets. You cannot select both a switch interface and a system interface.
The filter uses flexible logic. For example, if you want packets using UDP port 1812 between hosts named forti1 and
either forti2 or forti3:
'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
You can specify the number of packets to capture and the maximum packet length to be captured. The maximum
number of packets that can be captured depends on the RAM disk size.
8. Select Add.
For example:
config system sniffer-profile
edit profile1
set filter none
set max-pkt-count 100
set max-pkt-len 100
set system-interface mgmt
end
After you create a packet-capture profile, you can start the packet capture.
For example:
execute system sniffer-profile start profile1
A packet capture continues to run until the max-pkt-cnt value is reached, or the packet capture is paused or stopped.
You can restart a paused packet capture.
You can display parsed information from the packet capture or upload the .pcap file to a TFTP or FTP server for further
analysis.
2. Select .
The .pcap file is saved in your Downloads folder.
To upload the .pcap file for a specific packet-capture profile to an FTP server:
execute system sniffer-profile upload ftp <profile_name> <packet_capture_file_name.pcap> <FTP_
server_IP_address:<optional_port>>
To upload the .pcap file for a specific packet-capture profile to a TFTP server:
execute system sniffer-profile upload tftp <profile_name> <packet_capture_file_name.pcap>
<TFTP_server_IP_address:<optional_port>>
After you have examined the packet capture, you can manually delete the .pcap file. You can only delete the .pcap
after the packet capture is stopped. You cannot delete the .pcap file if the packet capture is paused or running. All
.pcap files are deleted when you power cycle the switch.
2. Select .
To delete all packet-capture files, select Select All and then select Delete.
For example:
execute system sniffer-profile delete-capture profile1
Network monitoring
You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a
FortiSwitch unit in survey mode, or do both. The FortiSwitch unit gives the directed mode a higher priority than survey
mode. The directed mode and survey mode are disabled by default.
NOTE: Network monitoring is not available on FSR-112D-POE.
Directed mode
In directed mode, you select which unicast MAC addresses that you want examined. The FortiSwitch unit detects
various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of
two databases.
NOTE: You cannot specify broadcast or multicast MAC addresses.
The maximum number of MAC addresses that can be monitored depends on the FortiSwitch model.
To find out how many network monitors are available, use the following command:
diagnose switch network-monitor cfg-stats
To find out which network monitors are being used currently, use the following command:
diagnose switch network-monitor dump-monitors
To specify a single unicast MAC address (formatted like this: xx:xx:xx:xx:xx:xx) to be monitored, use the
following commands:
config switch network-monitor directed
edit <unused network monitor>
set monitor-mac <MAC address>
next
end
For example:
config switch network-monitor directed
edit 1
set monitor-mac 00:25:00:61:64:6d
next
end
Survey mode
In survey mode, the FortiSwitch unit detects MAC addresses to monitor for a specified number of seconds. You can
specify network monitoring for 120 to 3,600 seconds. The default time is 120 seconds. The FortiSwitch unit detects
various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of
two databases.
To start network monitoring in survey mode, use the following commands:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval <120-3600 seconds>
end
For example:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval 480
end
After you have enabled network monitoring, you can view the statistics for the number and types of packets.
To see the type of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor parser-stats
To see the number of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor dump-monitors
NOTE: The FortiSwitch unit creates an entry in the layer-3 database using the exact packet contents when they were
parsed. If the MAC address is then assigned to a different VLAN, this change might not be detected immediately. If
there is a discrepancy in the output for the diagnose switch network-monitor dump-l2-db and diagnose
switch network-monitor dump-l3-db commands, use the output with the more recent time stamp.
To see all detected devices from the layer-2 database, use the following command:
diagnose switch network-monitor dump-l2-db
To see all detected devices from the IP address database, use the following command:
diagnose switch network-monitor dump-l3-db
sources: arp ip
mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123
created 75 secs ago, last seen 45 secs ago
sources: arp ip
mac 00:11:22:33:44:55 ip 30.30.30.115 vlan 1
created 53 secs ago, last seen 53 secs ago
sources: dhcp arp ip
NOTE:
l Flow export is supported on FortiSwitch models 2xx and higher.
l Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
l For 2xxE models and higher, flow export uses psudorandom sampling (approximately 1 of x packets).
You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow
Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
To use flow export, you need to enable packet sampling and then configure the flow export.
To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end
from the lowest port number where sampling is enabled. Fortinet recommends that administrators using
NetFlow version 5 set the sample rate consistently across all ports.
b. In the Identity field, enter a unique number to identify which FortiSwitch unit the data originates from. If the
identity is not specified, the “Burn in MAC” value is used instead (from the get system status command
output).
c. In the Level field, select the flow-tracking level from one of the following:
—When you select IP, the FortiSwitch unit collects the source IP address and destination IP address from the
sample packet.
—When you select MAC , the FortiSwitch unit collects the source MAC address and destination MAC address
from the sample packet.
—When you select Port, the FortiSwitch unit collects the source IP address, destination IP address, source
port, destination port, and protocol from the sample packet.
—When you select Protocol, the FortiSwitch unit collects the source IP address, destination IP address, and
protocol from the sample packet.
—When you select VLAN , the FortiSwitch unit collects the source IP address, destination IP address, source
port, destination port, protocol, and VLAN from the sample packet.
d. In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets in the application
level.
4. Configure the timeouts.
a. In the General field, enter the general timeout in seconds for the flow session.
b. In the ICMP field, enter the ICMP timeout for the flow session.
c. In the Max field, enter the maximum number of seconds before the flow session times out.
d. In the TCP field, enter the TCP timeout for the flow session.
e. In the TCP FIN field, enter the TCP FIN flag timeout for the flow session.
f. In the TCP RST field, enter the TCP RST flag timeout for the flow session.
g. In the UDP field, enter the UDP timeout for the flow session.
5. Configure the aggregates.
a. Select +.
b. In the ID field, enter a number to identify the entry or use the default value.
c. Required. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are
aggregated into the same flow.
d. To add another entry, select +.
6. Select Update.
You can display the flow-export data or raw data for a specified number of records or for all records. You can also display
statistics for flow-export data.
get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_
name>
get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_
interface_name>
get system flow-export-data statistics
NOTE: Layer-2 flows for netflow1 and netflow5 are not supported. For the output of the get system flow-
export-data statistics command, the Incompatible Type field displays how many flows are not exported
because they are not supported.
When you have multiple FortiSwitch units and need to locate a specific switch, use the following command to flash all
port LEDs on and off for a specified number of minutes:
diagnose switch physical-ports led-flash <disable | time>
You can flash the port LEDs for 5, 15, 30, or 60 minutes. After you locate the FortiSwitch unit, you can use disable to
stop the LEDs from flashing.
NOTE: For the FS-5xx switches, the diagnose switch physical-ports led-flash command flashes only
the SFP port LEDs, instead of all the port LEDs.
Deployment scenario
Summary
o Phone
o FortiSwitch
o FortiAuthenticator
o DHCP server
I. Configure the PC, phone, FortiSwitch, FortiAuthenticator [RADIUS server], and DHCP
server)
i. On the phone, enable the WAN port and leave the VLAN ID at the default to allow LLDP-Med (Policy)
designate for voice VLAN assignment.
ii. On the phone, enable the LAN port and assign the VLAN ID for data matching the RADIUS VLAN
assignment.
PC configuration
FortiSwitch configuration
edit "Corp_Grp_10"
set member "FAC_LAB"
next
end
ENCW82jBg06XhKD/4Dugqm8QF2f7D1B4bfFdDSZaLUQPwZXv4F8zMc5sWHRl9suwmbmzNnAnyqPaarAYcSLuT
8kVjFSRO0znx+TXVWTqdSeLCpbMv
+HYFNOHMbYlfES8wTYYD40InCgrYr2johvr2vfa5KG4g8XMwKSIM0LurR//1WqT0fH
set server
next
end
edit "port4"
set allowed-vlans 20-21,31,41
set security-groups "Corp_Grp_10"
set snmp-index 4
configure port-security
set auth-fail-vlan disable
set guest-auth-delay 120
set guest-vlan disable
set mac-auth-bypass enable
set port-security-mode 802.1X-mac-based
set radius-timeout-overwrite disable
set auth-fail-vlanid 40
set guest-vlanid 30
end
RADIUS configuration
MAB Authentication:
l Add phone MAC address to MAB list.
802.1X Authentication
1. Create a local user.
2. Create a user group with "Attributes" and enable PEAP and MSChapv2.
DHCP configuration
1. On the DHCP server, configure a pool for phone and a pool for the PC.
!
ip dhcp pool PC
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 10.1.1.1
!
ip dhcp pool PC
network 20.1.1.0 255.255.255.0
default-router 20.1.1.1
dns-server 20.1.1.5
2. Configure exclude lists for pools for both gateway and DNS.
ip dhcp excluded-address 20.1.1.1 20.1.1.1.5
<<<<gateway and dns server
ip dhcp excluded-address 10.1.1.1 10.1.1.1.5
<<<<gateway and dns server
!
ip dhcp pool PC
network 20.1.1.0 255.255.255.0
default-router 20.1.1.1
dns-server 20.1.1.5
3. Configure the switch port VLAN interface as a gateway for the phone.
# show run
Building configuration
Current configuration
!
interface vlan21 <<<<<<
ip address 20.1.1.1
end
4. Configure the switch port VLAN interface as a gateway for the PC.
# show run
Building configuration
Current configuration
!
interface vlan10 <<<<<<
ip address 10.1.1.1
end
# show run
Building configuration
Current configuration
!
interface GigabitEthernet g1/0/1 <<<<<<
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport trunk all
switchport mode trunk
end
# show run
Building configuration
Current configuration
!
interface GigabitEthernet g1/0/2 <<<<<<
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk all
switchport mode trunk
end
II. Connect a link between the FortiSwitch unit and the DHCP server and assign
matching VLAN for the phone for both ports
III. Connect a link between the FortiSwitch unit and the DHCP server and assign a
matching VLAN for the PC for both ports
1. Connect the phone to the switch to authenticate with RADIUS through the MAB (mac-bypass).
2. Once authenticated:
a. On the FortiSwitch unit, verify that the port is authorized and that the voice VLAN is on the allowed list.
# diagnose switch 8 status
Signal 10 received - config reload scheduled
Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params: reAuth=3600
b. On the FortiSwitch unit, verify that the lldp neighbor detail accurately reflects the phone and voice VLAN
designation.
# ping 10.1.1.7
1. Connect the PC to the phone for EAP authentication and VLAN assignment (for data)
2. After authentication:
a. On the FortiSwitch unit, verify that the port is authorized and that the data VLAN assigned to dynamic has
been placed on the allowed list.
00:a8:59:d8:f1:f6 MAB 1 0
Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600
BFD
BGP
DHCP
IP/IPv4
IP multicast
IPv6
l RFC 2464: Transmission of IPv6 Packets over Ethernet Networks: Transmission of IPv6 Packets over Ethernet
Networks
l RFC 2474: Definition of the Differentiated Services Field (DS Field) in the and IPv6 Headers (DSCP)
l RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
l RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Router
l RFC 4291: IP Version 6 Addressing Architecture
l RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
l RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
IS-IS
l RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
l RFC 5308: Routing IPv6 with IS-IS
MIB
l RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-II
l RFC 1354: IP Forwarding Table MIB
l RFC 1493: Definitions of Managed Objects for Bridges
l RFC 1573: Evolution of the Interfaces Group of MIB-II
l RFC 1643: Definitions of Managed Objects for the Ethernet-like Interface Types
l RFC 1724: RIP Version 2 MIB Extension
l RFC 1850: OSPF Version 2 Management Information Base
l RFC 2233: The Interfaces Group MIB using SMIv2
l RFC 2618: RADIUS Authentication Client MIB
l RFC 2620: RADIUS Accounting Client MIB
l RFC 2674: Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN
Extensions
l RFC 2787: Definitions of Managed Objects for the Virtual Router Redundancy Protocol
l RFC 2819: Remote Network Monitoring Management Information Base
l RFC 2932: IPv4 Multicast Routing MIB
l RFC 2934: Protocol Independent Multicast MIB for IPv4
l RFC 3289: Management Information Base for the Differentiated Services Architecture
l RFC 3433: Entity Sensor Management Information Base
l RFC 3621: Power Ethernet MIB
l RFC 6933: Entity MIB (Version 4)
OSPF
Other protocols
RADIUS
RIP
SNMP
Attributes sent from the FortiSwitch unit to the RADIUS server during 802.1x
authentication (Access-Request)
Attributes sent from the RADIUS server to the FortiSwitch unit during 802.1x
authentication (Access-Accept)
Vendor-Specific 26 Fortinet-Group-Name.
Authentication fails if this
value does not match.
Vendor-Specific 26 Fortinet-Group-Name.
Authentication fails if this
value does not match.
Acct-Session-Id 44 802.1x or MAB session ID generated by the switch. For example: 0000004b
Acct-Multi-Session-Id 50 For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port
mode.
NAS-Identifier 32 For example, S148EP591900009 for the host name of the switch.
Framed-IP-Address 8 This value is the host IP address if is found in the switch; otherwise, the switch does
not send this attribute. For example: 100.1.0.3
NAS-Port-Id 87 This value is a text string that identifies the port of the NAS connected to the host.
For example: port48
NAS-Port 5 This value indicates the physical port number of the NAS. For example: 48
Acct-Input-Octets 42 3200
Acct-Output-Octets 43 16050448
Acct-Input-Packets 47 20
Acct-Output-Packets 48 93606
Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000
Pacific Daylight Time
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
Vendor-Specific 26 Fortinet-Group-Name
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
Vendor-Specific 26 Fortinet-Group-Name
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
Vendor-Specific 26 Fortinet-Group-Name
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
The Message-Authenticator
attribute is a checksum of the
entire Access-Request
Message-
80 packet, containing the Type,
Authenticator
ID, Length, and Authenticator
field; the shared secret is
used as the key.
Unsupported Attribute 401 This error is a fatal error, which is sent if a request contains an
attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more NAS-
Identifier Attributes do not match the identity of the NAS
receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request or
Disconnect-Request message contains an attribute with an
unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified in the
CoA-Request or Disconnect-Request message does not exist
on the NAS.
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
FEEDBACK
Email: techdoc@fortinet.com
Change log 13
Introduction 14
FortiSwitch models 14
How this guide is organized 14
Typographical conventions 14
CLI command syntax conventions 15
Entering configuration data 16
Entering text strings (names) 17
Entering numeric values 17
config 18
config log 18
config log custom-field 18
config log eventfilter 19
config log gui 20
config log memory filter 20
config log memory global-setting 21
config log memory setting 21
config log {syslogd | syslogd2 | syslogd3} filter 22
config log {syslogd | syslogd2 | syslogd3} setting 23
config router 25
config router access-list 25
config router access-list6 27
config router aspath-list 28
config router bgp 28
config router community-list 42
config router isis 43
config router key-chain 49
config router multicast 51
config router multicast-flow 52
config router ospf 52
config router ospf6 59
config router prefix-list 62
config router prefix-list6 63
config router rip 64
config router ripng 67
config router route-map 70
config router setting 73
config router static 74
config router static6 75
config router vrf 77
config switch 77
config switch acl egress 78
config switch acl ingress 80
config switch acl policer 83
config switch acl prelookup 84
This manual describes the command line interface (CLI) commands for FortiSwitchOS.
FortiSwitch models
This guide is applicable to all FortiSwitch models that are supported by FortiSwitchOS.
See the Release Notes for information about the software features supported on each of the models.
The chapters in this document describe the commands available for each of the top-level CLI commands:
l config—commands that allow you to configure various components of the FortiSwitch unit.
l diagnose—commands that help with troubleshooting.
l execute—commands that perform immediate operations.
l get—commands that provide information about FortiSwitch operation.
Typographical conventions
Convention Example
Emphasis HTTP connections are not secure and can be intercepted by a third party.
Convention Example
Keyboard entry Type a name for the remote VPN peer or client, such as Central_Office_1.
This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line
Interface (CLI).
Convention Description
Angle brackets < > A word constrained by data type. To define acceptable input, the angled brackets
contain a descriptive name followed by an underscore ( _ ) and suffix that
indicates the valid data type.
For example: <retries_int>
indicates that you should enter a number of retries, such as 5.
<xxx_index> An index number referring to another part of the configuration, such as 0 for the
first static route.
<xxx_pattern> A regular expression or word with wild cards that matches possible variations,
such as *@example.com to match all email addresses ending in
@example.com.
<xxx_fqdn> A fully qualified domain name (FQDN), such as mail.example.com.
<xxx_ipv4mask> A dotted decimal IPv4 address and netmask separated by a space, such as
192.168.1.99 255.255.255.0.
<xxx_ipv4/mask> A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash,
such as such as 192.168.1.99/24.
Convention Description
<xxx_int> An integer number that is not another data type, such as 15 for the number of
minutes.
<xxx_url> A uniform resource locator (URL) and its associated protocol and host name
prefix, which together form a uniform resource identifier (URI), such as
http://www.fortinet./com/.
Square brackets [ ] A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates
that you can either omit or type both the verbose word and its accompanying
option, such as:
verbose 3
Curly braces { } A word or series of words that is constrained to a set of options delimited by either
vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].
Options delimited by vertical Mutually exclusive options. For example: {enable | disable}
bars | indicates that you must enter either enable or disable but must not enter
both.
NOTE: To change the options, you must re-type the entire list. For example, to
add snmp to the previous example, you would type:
If the option adds to or subtracts from the existing list of options, instead of
replacing it, or if the list is comma-delimited, the exception will be noted.
The switch configuration is stored as a series of configuration settings in the FortiSwitchOS configuration database. To
change the configuration, you can use the CLI to add, delete, or change configuration settings. These configuration
changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed
options, or on/off (enable/disable).
Text strings are used to name entities in the configuration, such as an administrative user name. You can enter any
character in a text string with the following exceptions (to prevent cross-site scripting vulnerabilities):
l " (double quote)
l & (ampersand)
l ' (single quote)
l < (less than)
l < (greater than)
You can determine the limit to the number of characters that are allowed in a text string by determining how many
characters the CLI allows for a given name field. From the CLI, you can also use the tree command to view the
number of characters that are allowed. For example, firewall address names can contain up to 64 characters. From the
CLI, you can do the following to confirm that the firewall address name field allows 64 characters:
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
NOTE: The tree command output also shows the number of characters allowed for other firewall address name
settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a
static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a
series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP
address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address
00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (such as MAC addresses)
require hexadecimal numbers.
CLI help includes information about allowed numeric value ranges.The CLI prevents you from entering invalid numbers.
Use the config commands to configure various components of the FortiSwitch unit:
l config log on page 18
l config router on page 25
l config switch on page 77
l config switch-controller global on page 147
l config system on page 148
l config user on page 204
config log
Use the config log commands to set the logging type, the logging severity level, and the logging location for the
system:
l config log custom-field on page 18
l config log eventfilter on page 19
l config log gui on page 20
l config log memory filter on page 20
l config log memory global-setting on page 21
l config log memory setting on page 21
l config log {syslogd | syslogd2 | syslogd3} filter on page 22
l config log {syslogd | syslogd2 | syslogd3} setting on page 23
Use the following command to customize the log fields with a name and/or value. The custom name and/or value will
appear in the log message.
Syntax
config log custom-field
edit <id>
set name <name>
set value <int>
end
<id > Enter the identification string for the custom log. No default
name <name> Enter a name to identify the log. You can use letters, numbers, No default
(‘_‘), but no special characters such as the number symbol (#).
The name cannot exceed 16 characters.
value <int> Enter an integer value to associate with the log. No default
Example
Syntax
config log eventfilter
set event {enable | disable}
set router {enable | disable}
set system {enable | disable}
set user {enable | disable}
end
event {enable | disable} Log event messages. Must be enabled to make the enable
following fields available.
Example
Use this command to select the device from which logs are displayed in the Web-based manager.
Syntax
config log gui
set log-device memory
end
log-device memory Select the device from which logs are displayed in the memory
Web-based manager.
Currently, only logging to memory is available.
Use this command to configure the filter for the memory buffer.
Syntax
config log memory filter
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
end
severity Select the logging severity level. The system logs all messages information
{alert | critical | debug | at and above the logging severity level you select. For
emergency | error | information | example, if you select error, the system logs error,
notification | warning} critical, alert and emergency level messages.
l emergency — The system is unusable.
is probably affected.
l warning— Functionality might be affected.
operations.
l debug — Information used for diagnosing or debugging
the system.
Example
end
Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiSwitch system
memory.
The FortiSwitch system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not
stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default,
the system begins to overwrite the oldest log messages. All log entries are deleted when the system restarts.
Syntax
config log memory global-setting
set full-final-warning-threshold <int>
set full-first-warning-threshold <int>
set full-second-warning-threshold <int>
set hourly-upload {disable | enable}
set max-size <int>
end
full-final-warning-threshold <int> Enter to configure the final warning before reaching the 95
threshold. You can enter a number between 3 and 100.
full-first-warning-threshold <int> Enter to configure the first warning before reaching the 75
threshold. You can enter a number between 1 and 98.
hourly-upload {disable | enable} Enter enable to have log uploads occur hourly. disable
max-size <int> Enter the maximum size of the memory buffer log, in bytes. 98304
Example
This example shows how to configure log threshold warnings and the maximum buffer lines:
config log memory global-setting
set full-final-warning-threshold 45
set full-first-warning-threshold 25
set full-second-warning-threshold 45
set hourly-upload enable
set max-size 12288
end
Use this command to configure log settings for logging to the system memory.
The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in
the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the
system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.
Syntax
config log memory setting
set status {disable | enable}
set diskfull overwrite
end
status {disable | enable} Enter enable to enable logging to system memory. disable
diskfull overwrite Overwrite the oldest log when the log device is full. No default
Example
Use this command to configure log filter options. Log filters define the types of log messages sent to each log location.
Syntax
config log {syslogd | syslogd2 | syslogd3} filter
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
end
severity Select the logging severity level. The system logs all messages information
{alert | critical | debug | at and above the logging severity level you select. For example,
emergency | error | information | if you select error, the system logs error, critical,
notification | warning} alert and emergency level messages.
l emergency — The system is unusable.
probably affected.
l warning— Functionality might be affected.
operations.
l debug — Information used for diagnosing or debugging
the system.
Example
Use this command to configure log settings for logging to the system memory.
The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in
the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the
system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.
Syntax
config log {syslogd | syslogd2 | syslogd3} setting
set status {disable | enable}
set enc-algorithm {disable | high | high-medium | low}
set certificate <certificate_name>
set server <server_name>
set mode {legacy-reliable | reliable | udp}
set port <port_number>
set csv {enable | disable}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel |
local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail |
news | ntp | syslog | user | uucp}
set source-ip <IPv4_address>
end
status {disable | enable} Enter enable to start logging to system memory. disable
enc-algorithm {disable | high | Set to high, high-medium, or low to specify which disable
high-medium | low} encryption algorithm that SSL communication uses for reliable
syslog. Set to disable if you do not want to use reliable
syslog.
certificate <certificate_name> Specify the certificate to use to communicate with the syslog No default
server.
server <server_name> This field is available with status is set to enable. Enter the No default
address of the remote syslog server.
mode {legacy-reliable | reliable | Set to legacy-reliable to use RFC 3195 for reliable udp
udp} syslog. Set to reliable to use RFC 6587 for reliable syslog.
Set to udp to use syslog over UDP.
This field is available with status is set to enable. This field
was previously named reliable.
port <port_number> Set the port number that the server listens to. 514
If the mode is set to reliable, the default port is 514. If the
mode is set to legacy-reliable, the default port is 601. If
the mode is set to udp, the default port is 6514.
This field is available with status is set to enable.
set facility {alert | audit | auth | This field is available with status is set to enable. Select local7
authpriv | clock | cron | daemon | the facility for remote syslog:
ftp | kernel | local0 | local1 | local2 l alert—Use the log alert.
messages.
l clock—Use the clock daemon.
syslog daemon.
l user—Use random user-level messages.
source-ip <IPv4_address> This field is available with status is set to enable. Enter the 0.0.0.0
source IPv4 address of the syslog.
Example
config router
Use the config router commands to configure options related to routing protocols and packet forwarding:
l config router access-list on page 25
l config router access-list6 on page 27
l config router aspath-list on page 28
l config router bgp on page 28
l config router community-list on page 42
l config router isis on page 43
l config router key-chain on page 49
l config router multicast on page 51
l config router multicast-flow on page 52
l config router ospf on page 52
l config router ospf6 on page 59
l config router prefix-list on page 62
l config router prefix-list6 on page 63
l config router rip on page 64
l config router ripng on page 67
l config router route-map on page 70
l config router setting on page 73
l config router static on page 74
l config router static6 on page 75
l config router vrf on page 77
Use this command to configure an IPv4 access list. An access list is a list of IP addresses and the action to take for each
one. Access lists provide basic route and network filtering.
Syntax
config router access-list
edit <list_str>
set comments <comment_str>
config rule
edit <rule_int>
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set wildcard <IP_address>
set exact-match {enable | disable}
end
end
set the prefix to define regular filter criteria using the set
prefix {<xxx.xxx.xxx.xxx>
<xxx.xxx.xxx.xxx> | any} command.
comments <comment_str> Enter a descriptive comment. No default
action {deny | permit} Set whether the rule allows or denies the IPv4 address. permit
prefix {<xxx.xxx.xxx.xxx> Set the prefix to define regular filter criteria, such as any or any
<xxx.xxx.xxx.xxx> | any} subnets.
NOTE: The access list name must contain at least one
alphabetic character.
exact-match {enable | disable} Set whether the rule looks for an exact match with the value in disable
the prefix field.
Example
end
Use this command to configure an IPv6 access list. An access list is a list of IP addresses and the action to take for each
one. Access lists provide basic route and network filtering.
Syntax
config router access-list6
edit <name_of_IPv6_access_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
set exact-match {enable | disable}
next
end
end
action {deny | permit} Set whether the rule allows or denies the IPv6 address. permit
prefix6 Set the IPv6 prefix to define regular filter criteria, such any
{<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> as any or X:X::X:X/M.
| any}
exact-match {enable | disable} Set whether the rule looks for an exact match with the disable
value in the prefix field.
Example
Use this command to set or unset Border Gateway Protocol (BGP) AS-path list parameters. By default, BGP uses an
ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list
of these AS numbers is called the AS path. You can filter BGP routes using AS path lists.
Use the config router aspath-list command to define an access list that examines the AS_PATH attributes
of BGP routes to match routes. Each entry in the list defines a rule for matching and selecting routes based on the
setting of the AS_PATH attribute.
Syntax
config router aspath-list
edit <AS_path_list_name>
config rule
edit <rule_identifier>
set action {deny | permit}
set regexp <string>
end
end
action {deny | permit} Set whether to permit or deny route-based operations, based on No default
the routeʼs AS_PATH attribute.
regexp <string> Specify the regular expression that will be compared to the AS_ No default
PATH attribute (for example, ^730$). The value is used to match
AS numbers. Enclose a complex regular expression value within
double-quotation marks.
Use this command to configure Border Gateway Protocol version-4 (BGP-4) routing parameters. BGP can be used to
perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains
using an alternative route if a link between a FortiSwitch unit and a BGP peer (such as an ISP router) fails.
The following RFCs are supported:
l RFC1771—A Border Gateway Protocol 4 (BGP-4)
l RFC1965—Autonomous System Confederations for BGP
l RFC1997—BGP Communities Attribute
l RFC2545—Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
l RFC2796—BGP Route Reflection An alternative to full mesh IBGP
l RFC2858—Multiprotocol Extensions for BGP-4
l RFC2842—Capabilities Advertisement with BGP-4
l RFC2439—BGP Route Flap Damping
Syntax
config router bgp
set as <MANDATORY_router_AS_number>
set router-id <MANDATORY_IP_address>
set keepalive-timer <0-65535>
set holdtime-timer <0, 3-65535>
set always-compare-med {disable | enable}
set bestpath-as-path-ignore {disable | enable}
set bestpath-cmp-confed-aspath {disable | enable}
set bestpath-cmp-routerid {disable | enable}
set bestpath-med-confed {disable | enable}
set bestpath-med-missing-as-worst {disable | enable}
set client-to-client-reflection {disable | enable}
set dampening {disable | enable}
set dampening-reachability-half-life <1-45>
set dampening-reuse <1-20000>
set dampening-suppress <1-20000>
set dampening-max-suppress-time <1-255>
set deterministic-med {disable | enable}
set enforce-first-as {disable | enable}
set fast-external-failover {disable | enable}
set log-neighbour-changes {disable | enable}
set cluster-id <IP_address>
set confederation-identifier <1-4294967295>
set default-local-preference <0-4294967295>
set scan-time <5-60>
set maximum-paths-ebgp <1-64>
set bestpath-aspath-multipath-relax {disable | enable}
set maximum-paths-ibgp <1-64>
set distance-external <1-255>
set distance-internal <1-255>
set distance-local <1-255>
set graceful-stalepath-time <1-3600>
config admin-distance
edit <identifier>
set distance <1-255>
set neighbour-prefix <IP_address_netmask>
set route-list <string>
end
config aggregate-address
edit <identifier>
set as-set {disable | enable}
set prefix <IPv4_address_netmask>
set summary-only {disable | enable}
end
config aggregate-address6
edit <identifier>
set as-set {disable | enable}
set prefix <IPv6_address_netmask>
set summary-only {disable | enable}
end
config neighbor
edit "<IPv4_IPv6_address>"
set advertisement-interval <0-600>
set allowas-in-enable {disable | enable}
set allowas-in <1-10>
keepalive-timer <0-65535> How often (in seconds) the router sends out 60
keepalive messages to neighbor routers to
maintain those sessions.
holdtime-timer <0, 3-65535> How long (in seconds) the router will wait for a 180
keepalive message before declaring a router
offline. A shorter time will find an off-line router
faster.
bestpath-as-path-ignore {disable | AS_PATH is the BGP attribute that keeps track of disable
enable} each AS that a route advertisement has passed
through; it helps prevent routing loops. Enable this
option if you want BGP to not use the best AS
path. Disable this option if you want BGP to use
the best AS path.
fast-external-failover {disable | Reset peer BGP session if link goes down. enable
enable}
neighbour-prefix <IP_address_ Neighbor address prefix. Enter the class IP 0.0.0.0 0.0.0.0
netmask> address and netmask with correction.
route-list <string> The access list of routes this distance will be No default
applied to.
prefix <IPv4_address_netmask> Aggregate IPv4 prefix. The prefix 0.0.0.0 0.0.0.0 is No default
not allowed.
summary-only {disable | enable} Enable or disable filtering more specific routes disable
from updates.
summary-only {disable | enable} Enable or disable filtering more specific routes disable
from updates.
advertisement-interval <0-600> Set the minimum amount of time (in seconds) that 30
the FortiSwitch unit waits before sending a BGP
routing update to the BGP neighbor.
allowas-in-enable {disable | enable} Enable to allow my AS-in-AS path (for IPv4). disable
allowas-in-enable6 {disable | enable} Enable to allow my AS-in-AS path (for IPv6). disable
attribute-unchanged {as-path | MED | Propagate unchanged BGP attributes to the BGP No default
next-hop} neighbor using one of the following methods (for
IPv4):
l To advertise unchanged next-hop attributes,
select as-path.
l To advertise unchanged MULTI_EXIT_DISC
next-hop.
l An empty set (default) is a supported value.
attribute-unchanged6 {as-path | MED | Propagate unchanged BGP attributes to the BGP No default
next-hop} neighbor using one of the following methods (for
IPv6):
l To advertise unchanged next-hop attributes,
select as-path.
l To advertise unchanged MULTI_EXIT_DISC
next-hop.
l An empty set (default) is a supported value.
activate {disable | enable} Enable address family IPv4 for this neighbor. enable
activate6 {disable | enable} Enable address family IPv6 for this neighbor. enable
capability-orf {both | none | receive | Enable advertising of Outbound Routing Filter none
send} (ORF) prefix-list capability to the BGP neighbor
using one of the following methods (for IPv4):
list capability.
l receive: enable receive capability.
capability-default-originate {disable | Advertise the default IPv4 route to this neighbor. disable
enable}
capability-default-originate6 {disable | Advertise the default IPv6 route to this neighbor. disable
enable}
next-hop-self {disable | enable} Enable or disable IPv4 next-hop calculation for this disable
neighbor.
next-hop-self6 {disable | enable} Enable or disable IPv6 next-hop calculation for this disable
neighbor.
override-capability {disable | enable} Enable or disable the overriding of the result of the disable
capability negotiation.
remove-private-as {disable | enable} Enable or disable the removal of the private AS disable
number from the IPv4 outbound updates.
remove-private-as6 {disable | enable} Enable or disable the removal of the private AS disable
number from the IPv6 outbound updates.
route-reflector-client {disable | enable} Enable or disable the IPv4 AS route reflector disable
client.
route-server-client {disable | enable} Enable or disable the IPv4 AS route server client. disable
route-server-client6 {disable | enable} Enable or disable the IPv6 AS route server client. disable
shutdown {disable | enable} Enable or disable the shutting down of this disable
neighbor.
soft-reconfiguration {disable | enable} Enable or disable the allowance of IPv4 inbound disable
soft reconfiguration.
as-override {disable | enable} Enable or disable the replacement of the peer AS disable
with own AS for IPv4.
as-override6 {disable | enable} Enable or disable the replacement of the peer AS disable
with own AS for IPv6.
distribute-list-in <string> Limit route updates from the BGP neighbor based No default
on the Network Layer Reachability Information
(NLRI) prefixes defined in the specified IPv4
access list. You must create the access list before
it can be selected here. See config router access-
list on page 25.
distribute-list-in6 <string> Limit route updates from the BGP neighbor based No default
on the Network Layer Reachability Information
(NLRI) prefixes defined in the specified IPv6
access list. You must create the access list before
it can be selected here. See config router access-
list6 on page 27.
distribute-list-out <string> Limit route updates to the BGP neighbor based on No default
the NLRI defined in the specified IPv4 access list.
You must create the access list before it can be
selected here. See config router access-list on
page 25.
distribute-list-out6 <string> Limit route updates to the BGP neighbor based on No default
the NLRI defined in the specified IPv6 access list.
You must create the access list before it can be
selected here. See config router access-list6 on
page 27.
filter-list-in <string> BGP AS path filter for IPv4 inbound routes. You No default
must create the AS path list before it can be
selected here. See config router aspath-list on
page 28.
filter-list-in6 <string> BGP AS path filter for IPv6 inbound routes. You No default
must create the AS path list before it can be
selected here. See config router aspath-list on
page 28.
filter-list-out <string> BGP AS path filter for IPv4 outbound routes. You No default
must create the AS path list before it can be
selected here. See config router aspath-list on
page 28.
filter-list-out6 <string> BGP AS path filter for IPv6 outbound routes. You No default
must create the AS path list before it can be
selected here. See config router aspath-list on
page 28.
prefix-list-in <string> Limit route updates from a BGP neighbor based No default
on the Network Layer Reachability Information
(NLRI) in the specified IPv4 prefix list. The prefix
list defines the NLRI prefix and length advertised
in a route. You must create the prefix list before it
can be selected here. See config router prefix-list
on page 62.
prefix-list-in6 <string> Limit route updates from a BGP neighbor based No default
on the Network Layer Reachability Information
(NLRI) in the specified IPv6 prefix list. The prefix
list defines the NLRI prefix and length advertised
in a route. You must create the prefix list before it
can be selected here. See config router prefix-list6
on page 63.
send-community {both | disable | Enable sending the COMMUNITY attribute to the both
extended | standard} BGP neighbor using one of the following methods
(for IPv4):
send-community6 {both | disable | Enable sending the COMMUNITY attribute to the both
extended | standard} BGP neighbor using one of the following methods
(for IPv6):
l standard: advertise standard capabilities
capabilities (default)
l disable: disable the advertising of the
COMMUNITY attribute
keep-alive-timer <0-65535> How often (in seconds) the router sends out No default
keepalive messages to neighbor routers to
maintain those sessions.
holdtime-timer <0, 3-65535> How long (in seconds) the router will wait for a No default
keepalive message before declaring a router
offline. A shorter time will find an off-line router
faster.
unsuppress-map <string> Specify the name of the IPv4 route map to No default
selectively unsuppress suppressed routes. You
must create the route map before it can be
selected here. See config router route-map on
page 70.
unsuppress-map6 <string> Specify the name of the IPv6 route map to No default
selectively unsuppress suppressed routes. You
must create the route map before it can be
selected here. See config router route-map on
page 70.
prefix <IPv4_address_netmask> Set the network IPv4 prefix. Use the class IPv4 0.0.0.0 0.0.0.0
address and netmask with correction.
route-map <string> Specify the name of the route map. See config No default
router route-map on page 70.
prefix <IPv6_address_netmask> Set the network IPv6 prefix. Use the class IPv6 No default
address and netmask with correction.
route-map <string> Specify the name of the route map. See config No default
router route-map on page 70.
status {disable | enable} You can enable BGP to provide connectivity disable
between connected, static, RIP, and/or OSPF
IPv4 routes. BGP redistributes the routes from one
protocol to another. When a large internetwork is
divided into multiple routing domains, use the
subcommand to redistribute routes to the various
domains.
route-map <string> Specify the name of the route map that identifies No default
the routes to redistribute. If a route map is not
specified, all routes are redistributed to BGP. You
must create the route map before it can be
selected here. See config router route-map on
page 70.
status {disable | enable} You can enable BGP to provide connectivity disable
between connected, static, RIP, and/or OSPF
IPv6 routes. BGP redistributes the routes from one
protocol to another. When a large internetwork is
divided into multiple routing domains, use the
subcommand to redistribute routes to the various
domains.
route-map <string> Specify the name of the route map that identifies No default
the routes to redistribute. If a route map is not
specified, all routes are redistributed to BGP. You
must create the route map before it can be
selected here. See config router route-map on
page 70.
Example
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the
community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute.
Syntax
config router community-list
edit <community_list_name>
set type {expanded | standard}
config rule
edit <rule_identifier>
set action {deny | permit}
set regexp <regular_expression>
set match <community_number | internet | local-AS | no-advertise | no-export>
end
end
action {deny | permit} Permit or deny route-based operations, based on the routeʼs No default
COMMUNITY attribute.
regexp <regular_expression> If you select an expanded community, specify an ordered list of No default
COMMUNITY attributes as a regular expression. The value or
values are used to match a community. Enclose a complex
regular expression value within double-quotation marks.
match <community_number | If you select a standard community, specify the criteria for No default
internet | local-AS | no- matching a reserved community:
advertise | no-export> l Use decimal notation to match one or more COMMUNITY
internet.
l To match all routes in the LOCAL_AS community, type
Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless
Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between
Autonomous Systems (AS).
Syntax
config router isis
set auth-keychain-area <string>
set auth-keychain-domain <string>
set auth-mode-area {md5 | password}
set auth-mode-domain {md5 | password}
set auth-password-area <password>
set auth-password-domain <password>
set auth-sendonly-area {enable | disable}
set auth-sendonly-domain {enable | disable}
set default-information-level {level-1 | level-1-2 | level-2}
set default-information-level6 {level-1 | level-1-2 | level-2}
set default-information-metric <0-4261412864>
set default-information-metric6 <0-4261412864>
set default-information-originate {always | disable | enable}
auth-keychain-area <string> IS-IS area (level-1) authentication keychain. This command is No default
applicable when the areaʼs authentication mode is md5.
auth-keychain-domain <string> IS-IS domain (level-2) authentication key-chain. This command No default
is applicable when domainʼs auth mode is md5.
auth-password-area <password> IS-IS area (level-1) authentication password. This command is No default
applicable when areaʼs authentication mode is password.
default-information-level {level-1 Distribute default IPv4 route into levelʼs link-state packet (LSP). level-2
| level-1-2 | level-2}
default-information-level6 {level- Distribute default IPv6 route into levelʼs LSP. level-2
1 | level-1-2 | level-2}
is-type {level-1 | level-1-2 | level- Set the IS-IS level to use: level-1-2
2-only} l level-1: intra-area
l level-2-only: inter-area
metric-style {narrow | transition | Use old-style (ISO 10589) or new-style packet formats. narrow
wide} l narrow: Use the old style of TLVs with narrow metric
(default)
l transition: Send and accept both styles of TLVs
overload-bit {disable | enable} Signal other routers not to use this bit in shortest-path-first disable
(SPF).
redistribute-l1 {disable | enable} Redistribute level-1 IPv4 routes into level 2. enable
redistribute-l1-list <string> Access-list for redistributing level-1 IPv4 routes to level 2. No default
redistribute6-l1 {disable | enable} Redistribute level-1 IPv6 routes into level 2. enable
redistribute6-l1-list <string> Access-list for redistributing level-1 IPv6 routes to level 2. No default
<IS-IS interface name> Select the IS-IS interface name to configure. No default
auth-keychain-hello <string> Hello protocol data unit (PDU) authentication keychain. This No default
command is applicable when the hello packetʼs authentication
mode is md5.
bfd {enable | disable} Enable or disable bidirectional forwarding detection (BFD) for disable
IPv4 traffic.
bfd6 {enable | disable} Enable or disable BFD for IPv6 traffic. disable
circuit-type {level-1 | level-1-2 | Set the IS-IS circuit type to use for this interface: level-1-2
level-2} l level-1: intra-area
l level-2-only: inter-area
hello-interval-l1 <1-65535> Level-1 hello packet interval, in number of seconds. Use 0 for a 10
1-second hold time.
hello-interval-l2 <1-65535> Level-2 hello packet interval, in number of seconds. Use 0 for a 10
1-second hold time.
status {disable | enable} Enable or disable the interface for IS-IS for IPv4 traffic. enable
status6 {disable | enable} Enable or disable the interface for IS-IS for IPv6 traffic. enable
<IS-IS net xx.xxxx. ... .xxxx.xx> Set the IS-IS network. No default
status {disable | enable} Enable or disable the redistribution of routes from other routing disable
protocols using IS-IS.
metric-type {external | internal} Select external or internal for the metric type. external
level {level-1 | level-1-2 | level-2} Set the IS-IS level to use for redistributing routes: level1-2
l level-1: intra-area
l level-2-only: inter-area
routemap <string> Enter the route map name. You must create the route map No default
before selecting it. See config router route-map on page 70.
status {disable | enable} Enable or disable the redistribution of routes from other routing disable
protocols using IS-IS.
level {level-1 | level-1-2 | level-2} Set the IS-IS level to use for redistributing routes: level1-2
l level-1: intra-area
l level-2-only: inter-area
routemap <string> Enter the route map name. You must create the route map No default
before selecting it. See config router route-map on page 70.
config summary-address Configure the summarizing IPv4 address ranges in the IS-IS routing table.
<summary address entry Enter the summary address entry ID. The value range is 0- No default
identifier> 4294967295.
level {level-1 | level-1-2 | level-2} Set the IS-IS level to use for the summary database: level-2
l level-1: intra-area
l level-2-only: inter-area
prefix <IPv4 address and Set the IPv4 address and netmask for the prefix. No default
netmask>
config summary-address6 Configure the summarizing IPv6 address ranges in the IS-IS routing table.
<summary address entry Enter the summary address entry ID. The value range is 0- No default
identifier> 4294967295.
level {level-1 | level-1-2 | level-2} Set the IS-IS level to use for the summary database: level-2
l level-1: intra-area
l level-2-only: inter-area
prefix6 <IPv6 address and Set the IPv6 address and netmask for the prefix. No default
netmask>
Example
Use this command to configure a keychain. A keychain is a list of one or more authentication keys including its lifetime,
which is how long each key is valid. Use keys with overlapping lifetimes to prevent the failure of routing updates.
Syntax
config router key-chain
edit <keychain_name>
config key
edit <keychain_int>
set key-string <key_str>
set accept-lifetime <START> <END>
set send-lifetime <START> <END>
end
end
end
accept-lifetime <START> <END> Enter the lifetime of a received authentication key. START and No default
END use the format of HH:MM:SS DAY MONTH YEAR where:
l HH:MM:SS is the time of day then the lifetime starts in
12.
l YEAR is the year to start. The range is 1993-2035.
send-lifetime <START> <END> Enter the lifetime of a sent authentication key. START and No default
END use the format of HH:MM:SS DAY MONTH YEAR where:
l HH:MM:SS is the time of day then the lifetime starts in
12.
l YEAR is the year to start. The range is 1993-2035.
Example
A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) version-4 router. FortiSwitchOS supports PIM
source-specific multicast (SSM) and version 3 of Internet Group Management Protocol (IGMP).
You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When
PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit
communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast
traffic associated with specific multicast groups.
Syntax
config router multicast
set multicast-routing {disable | enable}
config interface
edit {interface_name | internal | mgmt}
set pim-mode ssm-mode
set hello-interval <1-180>
set dr-priority <1-4294967295>
set multicast-flow <string>
config igmp
set query-interval <1-65535>
set query-max-response-time <1-25>
end
end
{interface_name | internal | Set which interface to configure for multicast routing. No default
mgmt}
pim-mode ssm-mode Set the PIM operation mode to SSM mode. ssm-mode
hello-interval <1-180> Specify the amount of time that the FortiSwitch unit waits 30
between sending hello messages to neighboring PIM routers.
dr-priority <1-4294967295> Assign a priority to the FortiSwitch unit Designated Router (DR) 1
candidacy. The value is compared to that of other DR
interfaces connected to the same network segment, and the
router having the highest DR priority is selected to be the DR. If
two DR priority values are the same, the interface having the
highest IP address is selected.
multicast-flow <string> Connect the named multicast flow to this interface. You must No default
create the multicast flow before it can be selected here. See
config router multicast-flow on page 52.
query-interval <1-65535> Set the interval between queries to IGMP hosts (in seconds). 125
query-max-response-time <1- Set the maximum time to wait for an IGMP query response (in 10
25> seconds).
Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.
Syntax
config router multicast-flow
edit <name>
set comments <string>
config flows
edit <muliticast-flow_entry_identifier>
set group-addr <224-239.xxx.xxx.xxx>
set source-addr <IP_address>
end
end
source-addr <IP_address> Enter an IP address for the multicast source (IPv4). 0.0.0.0
Syntax
config router ospf
set router-id <router_ipv4>
set abr-type {cisco | ibm | shortcut | standard}
set database-overflow {enable | disable}
set database-overflow-max-external-lsa <integer>
set database-overflow-time-to-recover <integer>
set distance-external <external_int>
set distance-inter-area <inter_int>
set distance-intra-area <intra_int>
set default-information-originate {always | disable | enable}
set default-information-metric <metric_int>
set default-information-metric-type {1 | 2}
set distance <distance_int>
set rfc1583-compatible {disable | enable}
set spf-timers <delay_int> <hold_int>
set log-neighbour-changes {disable | enable}
set passive-interface <name_str>
config area
edit <area_ipv4>
set shortcut {default | disable | enable}
set type {nssa | regular | stub}
set default-cost <cost_int>
set stub-type {no-summary | summary}
set nssa-translator-role {always | candidate | never}
config filter-list
edit <filter_int>
set direction {in | out}
set list <list_str>
end
end
config range
edit <range_int>
set advertise {enable | disable}
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set substitute-status {enable | disable}
end
end
config virtual-link
edit <virtual_int>
set authentication {md5 | none | text}
set dead-interval <dead_int>
set hello-interval <hello_int>
set peer <peer_ipv4>
set retransmit-interval <retransmit_int>
set transmit-delay <transmit_int>
config md5-keys
edit <key_ID>
set key <MD5_key>
next
end
next
end
next
end
config interface
edit <interface_str>
set authentication {md5 | none | text}
set bfd {disable | enable}
set cost <cost_int>
set dead-interval <dead_int>
set hello-interval <hello_int>
set mtu <mtu_int>
set mtu-ignore {disable | enable}
set priority <pritority_int>
set retransmit-interval <retransmit_int>
set transmit-delay <transmit_int>
config md5-keys
edit <key_ID>
set key <MD5_key>
next
end
next
end
config network
edit <network_int>
set area <area_ipv4>
set prefix <xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx>
end
end
config summary-address
edit <summary_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set tag <tag_int>
next
end
config distribute-list
edit <distribute_int>
set access-list <access_str>
set protocol {bgp | connected | isis | rip | static}
next
end
config redistribute {bgp | connected | isis | rip | static}
set status {disable | enable}
set metric <metric_int>
set routemap <routemap_str>
set metric-type {1 | 2}
set tag <0-2147483647>
end
end
router-id <router_ipv4> Required. Enter the IPv4 address of the OSPF router. No default
abr-type {cisco | ibm | shortcut | Enter the area border router (ABR) type. Set abr-type to cisco
standard} cisco or ibm to allow routes through nonbackbone area when
links to the backbone are down. For more information about this
option, see RFC 3509, Alternative Implementations of OSPF
Area Border Routers.
distance-external <external_ Set the OSPF route administrative external distance. The value No default
int> range is from 0 to 255.
distance-inter-area <inter_int> Set the OSPF route administrative inter-area distance. The No default
value range is from 0 to 255.
distance-intra-area <intra_int> Set the OSPF route administrative intra-area distance. The No default
value range is from 0 to 255.
default-information-originate Enable or disable the generation of the default route into all disable
{always | disable | enable} external routing capable areas using the metric specified by the
default-information-metric value and the metric type
specified by the default-information-metric-type
value. Set the value to always for the default to always be
advertised, even when the routing table contains no default.
default-information-metric Set the metric value for the default route. The value range is 10
<metric_int> from 1 to 16777214.
distance <distance_int> Set the OSPF route administrative distance. The value range is 110
from 1 to 255.
spf-timers <delay_int> <hold_ Set the number of seconds before the shortest path first (SPF) is 5 10
int> calculated and the number of seconds between consecutive
SPF calculations. The range for each value is from 0 to 600.
log-neighbour-changes {disable Enable or disable the logging of changes to the OSPF neighbor. enable
| enable}
shortcut {default | disable | Enable or disable whether shortcuts are allowed in the area. default
enable}
default-cost <cost_int> If the area type is stub or not-so-stubby area (NSSA), set the 1
cost of default-summary LSAs announced to stubby areas. The
value range is 0-2147483647.
stub-type {no-summary | If the area type is stub or NSSA, set whether inter-area summary
summary} summaries can be used.
nssa-translator-role {always | If the area type is NSSA, set the type of NSSA translator role. candidate
candidate | never}
direction {in | out} Set the direction to or from the area for the prefix list and access out
list.
list <list_str> Enter the access-list name or prefix-list name for the area. No default
advertise {enable | disable} Enable or disable the advertise status. If this option is set to enable
disable, the intra area paths from this range are not
advertised in other areas.
substitute-status {enable | Enable or disable whether the substitute prefix is used instead of disable
disable} the prefix.
peer <peer_ipv4> Enter the IP address of the virtual link neighbor. 0.0.0.0
config md5-keys These commands are applicable only when the virtual-link authentication
field is set to md5.
authentication {md5 | none | Set the authentication type for OSPF packets. none
text}
cost <cost_int> Enter the link cost on this interface. The value range is 0-65535. 10
Set this option to 0 for auto-cost.
mtu <mtu_int> Enter the maximum transmission unit (MTU) size in bytes for the Not set
database description packets. The value range is 576-65535.
mtu-ignore {disable | enable} Set whether to use the MTU size. disable
priority <priority_int> Set the router priority for this interface. the router with the 1
highest priority is more eligible to become the designated router.
Setting the option to 0 makes the router ineligible to become the
designated router. The value range is 0-255.
config md5-keys Use these commands to add MD5 keys for the OSPF interface. These commands
are applicable only when the interface authentication field is set to md5.
set tag <tag_int> Enter the tag value. The range is 0-2147483647. 0
config redistribute {bgp | Use these commands for the redistribute configuration.
connected | isis | rip |
static}
routemap <routemap_str> Enter the route map name to filter the redistributed routes. No default
Example
This example shows how to set the router identifier, create an area, configure the OSPF interface, create the network
(set the network prefix and associate with an area), configure the IPv4 address summary, and redistribute the routes:
config router ospf
config area
edit 0.0.0.0
next
edit 0.0.0.1
next
end
config interface
edit "ospf_1"
set interface "vlan10"
next
edit "ospf_2"
set interface "vlan20"
next
end
config network
edit 1
set area 0.0.0.1
set prefix 20.1.1.0 255.255.255.0
next
edit 2
set area 0.0.0.0
set prefix 10.1.1.0 255.255.255.0
next
end
config summary-address
edit 1
set prefix 40.1.0.0 255.255.0.0
next
end
end
Use this command to configure open shortest path first (OSPF) routing for IPv6.
NOTE: You must have an advanced features license to use OSPF routing.
Syntax
config router ospf6
set router-id <router_ipv4>
set spf-timers <delay_int> <hold_int> <max_int>
set log-neighbor-changes {disable | enable}
config area
edit <area_ipv4>
set type {regular | stub}
set stub-type {summary | no-summary}
config filter-list
edit <filter_int>
set direction {in | out}
set list <list_str>
next
end
config range
edit <range_int>
set advertise {enable | disable}
set prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
next
end
next
end
config interface
edit <interface_str>
set area-id <Required_IPv4_address>
set bfd {disable | enable}
set cost <cost_int>
set dead-interval <dead_int>
set hello-interval <hello_int>
set passive {disable | enable}
set priority <pritority_int>
set retransmit-interval <retransmit_int>
set status {enable | disable}
set transmit-delay <transmit_int>
next
end
config redistribute {connected | static}
set status {disable | enable}
set routemap <routemap_str>
end
end
router-id <router_ipv4> Required. Enter the IPv4 address of the OSPF No default
router.
spf-timers <delay_int> <hold_int> <max_int> Set the number of milliseconds to delay before the 5 10 10
shortest path first (SPF) is calculated, the initial
number of milliseconds between consecutive SPF
calculations, and the maximum number of
milliseconds between consecutive SPF
calculations. The range for each value is from 0 to
600.
log-neighbor-changes {disable | enable} Enable or disable the logging of changes to the enable
OSPF neighbor
type {regular | stub} Set the area type to regular or stub. regular
stub-type {summary | no-summary} If the type is set to stub, set the stub type to summary
summary or no summary.
direction {in | out} Set the direction to or from the area for the prefix out
list and access list.
list <list_str> Enter the IPv6 access-list name or IPv6 prefix-list No default
name for the area.
advertise {enable | disable} Enable or disable the advertise status. If this option enable
is set to disable, the intra-area paths from this
range are not advertised in other areas.
area-id <IPv4_address> Required. Enter the IPv4 address of the area. none
cost <cost_int> Enter the link cost on this interface. The value 10
range is 0-65535.
priority <priority_int> Set the router priority for this interface. the router 1
with the highest priority is more eligible to become
the designated router. Setting the option to 0
makes the router ineligible to become the
designated router. The value range is 0-255.
status {enable | disable} Enable or disable the IPv6 OSPF routing on this enable
interface.
config redistribute {connected | static} Use these commands for the redistribute configuration.
routemap <routemap_str> Enter the route map name to filter the redistributed No default
routes.
Example
This example shows how to set the router identifier, create an area, configure the OSPF interface, and redistribute the
routes:
config router ospf6
set router-id 10.11.101.1
config area
edit 0.0.0.1
config filter-list
edit 1
set direction in
set list access1
next
end
config range
edit 1
set advertise disable
set prefix 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234/96
next
end
end
config interface
edit vlan35
set area 0.0.0.1
Syntax
config router prefix-list
edit <list_int>
set comments <comment_str>
config rule
edit <rule_int)
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set ge <ge_int>
set le <le_int>
end
end
end
prefix {<xxx.xxx.xxx.xxx> Set the prefix to define regular filter criteria, such as any or 0.0.0.0 0.0.0.0
<xxx.xxx.xxx.xxx> | any} subnets.
ge <ge_int> Enter the minimum IPv4 prefix length to be matched. The No default
value range is between 0 and 32. The prefix list is used if the
prefix length is greater than or equal to this value.
le <le_int> Enter the maximum IPv4 prefix length to be matched. The No default
value range is between 0 and 32. The prefix list is used if the
prefix length is less than or equal to this value.
Syntax
config router prefix-list6
edit <name_of_IPv6_prefix_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<IPv6_prefix> | any}
set ge <0-128>
set le <0-128>
next
end
end
prefix6 {<IPv6_prefix> | any} Enter the IPV6 prefix to match or any. No default
ge <0-128> Enter the minimum IPv6 prefix length to be matched. The IPv6 No default
prefix list is used if the prefix length is greater than or equal to
this value.
le <0-128> Enter the maximum IPv6 prefix length to be matched. The IPv6 No default
prefix list is used if the prefix length is less than or equal to this
value.
Example
This example shows how to specify which IPv6 prefixes are allowed in RA messages:
config router prefix-list6
edit "r4"
config rule
edit 1
set action deny
set prefix6 "2001:4:4:4::4/64"
set ge 65
set le 128
next
edit 2
set action permit
set prefix6 "any"
next
end
next
end
Syntax
config router rip
set bfd {disable | enable}
set default-information-originate {disable | enable}
set default-metric <defaultmetric_int>
set garbage-timer <garbage_int>
set passive-interface <name_str>
set timeout-timer <timeout_int>
set update-timer <update_int>
set version {1 | 2}
config distance
edit <distanceid_int>
set access-list <access_string>
set distance <distance_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
end
config distribute-list
edit <distribute_int>
set direction {in | out}
set interface <interface_str>
set listname <listname_str>
set status {disable | enable}
end
config interface
edit <interface_str>
set auth-keychain <keychain_str>
set auth-mode {md5 | none |text}
set auth-string <password_str>
set receive-version {1 | 2 | both | global}
set send-version {1 | 2 | both | global}
set split-horizon-status {disable | enable}
set split-horizon {poisoned | regular}
end
config neighbor
edit <neighbor_int>
set <neighbor_ipv4>
end
config network
edit <network_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
end
config offset-list
edit <offsetlist_int>
set access-list <accesslist_str>
default-metric <defaultmetric_ Enter the default metric for redistributed routes. This setting 1
int> does not affect connected routes. The range of values is 1-16.
Use the config redistribute connected or config
offset-list command to set the metric value for connected
routes.
garbage-timer <garbage_int> Enter the number of seconds before a route is removed from 120
the routing table. The range of values is 5-2147483647.
timeout-timer <timeout_int> Enter the number of seconds before a route is no longer valid. 180
The route is not removed from the routing table until the
neighboring RIP routers are notified that the route has been
dropped. The range of values is 5-2147483647.
update-timer <update_int> Enter the number of seconds between when the complete 30
routing table is sent to neighboring RIP routers. The range of
values is 5-2147483647.
version {1 | 2} Set the RIP version for receiving and sending RIP packets. 2
config distance Set the admin distance based on the route prefix and RIP neighbor IP.
access-list <access_string> Enter the access list to match RIP routes. No default
distance <distance_int> Enter the RIP admin distance. The value range is from 1 to 255. 120
prefix <xxx.xxx.xxx.xxx> Enter the RIP neighbor IP prefix. Enter 0.0.0.0/0 to match all 0.0.0.0 0.0.0.0
<xxx.xxx.xxx.xxx> RIP neighbors.
interface <interface_str> Enter the RIP interface name for the distribute list. No default
status {disable | enable} Enable or disable whether the distribute list is used. disable
auth-keychain <keychain_str> Enter the name of the keychain to use for this interface. No default
auth-mode {md5 | none | text} Set the authentication mode used for packets. none
NOTE: You must create a keychain first before you can use the
MD5 authentication mode with RIP version 2.
auth-string <password_str> If the auth-mode is set to text, enter a password that is less No default
than 16 characters long.
receive-version {1 | 2 | both | Set which version of RIP packets are accepted on this interface. global
global} Setting this option to both accepts RIP version 1 and 2. Setting
this option to global uses the global RIP version. This setting
overrides the global RIP version setting.
send-version {1 | 2 | both | Set which version of RIP packets are sent for this interface. global
global} Setting this option to both sends RIP version 1 and 2. Setting
this option to global uses the global RIP version. This setting
overrides the global RIP version setting.
config neighbor Specify a neighbor router. These commands are required only when OSPF runs on
nonbroadcast media..
<neighbor_ipv4> Enter an IP address for a RIP neighbor. Use this command if a 0.0.0.0
RIP neighbor does not accept multicast packets.
config offset-list Configure the offset list to modify the RIP metric.
interface {in | out} Set whether to filter incoming or outgoing packets. No default
offset <offset_int> Enter the offset for incoming and outgoing metrics to routes 0
learned using RIP. The value range is between 1 and 16.
status {disable | enable} Enable or disable whether the offset list is used. enable
status {disable | enable} Enable or disable whether the routes are redistributed. disable
metric <metric_int> Enter the metric of the redistributed routes. The value range is 0
between 0 and 16.
routemap <routemap_str> Enter the route map name to filter the redistributed routes. No default
Example
This example shows how to configure the RIP router and add authentication:
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 128.8.0.0/16
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
Syntax
config router ripng
set bfd {disable | enable}
set default-information-originate {disable | enable}
set default-metric <defaultmetric_int>
set garbage-timer <garbage_int>
set timeout-timer <timeout_int>
set update-timer <update_int>
config aggregate-address
edit <aggregate-address_entry_ID_int>
set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
end
config distribute-list
edit <distribute_int>
set direction {in | out}
set interface <interface_str>
set listname <listname_str>
set status {disable | enable}
end
config interface
edit <interface_str>
set passive {disable | enable}
set split-horizon-status {disable | enable}
set split-horizon {poisoned | regular}
end
config offset-list
edit <offsetlist_int>
set access-list6 <accesslist_str>
set direction {in | out}
set interface {in | out}
set offset <offset_int>
set status {disable | enable}
end
config redistribute {bgp | connected | isis | ospf6 | static}
set status {disable | enable}
set metric <metric_int>
set routemap <routemap_str>
end
end
interface <interface_str> Enter the RIP interface name for the distribute list. No default
listname <listname_str> Enter the IPv6 access or prefix list name. No default
status {disable | enable} Enable or disable whether the distribute list is used. enable
config offset-list Configure the offset list to modify the RIPng metric.
access-list6 <accesslist_str> Enter the name of the IPv6 access list. No default
interface {in | out} Set the interface to which the offset-list will be No default
applied.
offset <offset_int> Enter the offset for incoming and outgoing metrics 0
to routes learned using RIP. The value range is
between 1 and 16.
status {disable | enable} Enable or disable whether the offset list is used. enable
routemap <routemap_str> Enter the route map name to filter the redistributed No default
routes.
Use this command to configure a route map for BGP, IS-IS, OSPF, or RIP routing.
NOTE: You must have an advanced features license to use BGP, IS-IS, OSPF, or RIP routing.
Syntax
config router route-map
edit <routemap_str>
set comments <comments_str>
set protocol {bgp | isis | isis6 | ospf | ospf6 | rip | ripng | zebra}
config rule
edit <rule_int>
set action {deny | permit}
set match-as-path <string>
set match-community <string>
set match-interface {<interface_str> | internal | mgmt}
set match-ip-address <address_str>
set match-ip6-address <access-list6 or prefix-list6>
set match-ip-nexthop <nexthop_str>
set match-metric <metric_int>
set match-origin {egp | igp | incomplete | none}
set match-tag <tag_int>
set set-aggregator-as <1-4294967295>
set set-aggregator-ip <IPv4_address>
set set-aspath <1-4294967295>
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
set set-community <community>
set set-extcommunity-rt <community>
set set-extcommunity-soo <community>
set set-ip-nexthop <class_ipv4>
set set-ip6-nexthop <IPv6_address>
set set-ip6-nexthop-local <IPv6_address>
set set-local-preference <1-4294967295>
set set-metric <setmetric_int>
set set-metric-type {1 | 2}
set set-origin {egp | igp | incomplete | none}
<routemap_str> Enter the name for the individual route map. No default
protocol {bgp | isis | isis6 | ospf | ospf6 | rip Mandatory. Set the protocol to BGP, IS-IS, No default
| ripng | zebra} OSPF (IPv4 or IPv6), RIP (IPv4 or IPv6), or the
core router daemon.
action {deny | permit} Set whether the rule permits or denies routes permit
that match this rule.
match-as-path <string> Match the BGP Autonomous System (AS) path No default
list.
match-origin {egp | igp | incomplete | Match the BGP origin code: none
none} l egp—Set the value to the NLRI learned
set-aggregator-ip <IPv4_address> Set the IPv4 address for the BGP aggregator. 0.0.0.0
set-atomic-aggregate {enable | disable} Enable or disable the BGP atomic aggregate disable
attribute.
set-ip6-nexthop <IPv6_address> Enter the IPv6 global address of the next hop. No default
set-ip6-nexthop-local <IPv6_address> Enter the IPv6 local address of the next hop. No default
set-metric <setmetric_int> Enter the route metric value. The value range 0
is 0-2147483647.
set-origin {egp | igp | incomplete | none} Set the BGP origin code: none
l egp—Set the value to the NLRI learned
set-tag <settag_int> Enter the route tag value. The value range is 0
0-2147483647.
set-weight <0-2147483647> Set the BGP weight for the routing table. 0
Example
This example shows how to configure the RIP router and add authentication:
config router route-map
edit myroutemap
set comments "route map for RIP routing"
set protocol rip
config rule
edit 1
set action permit
set match-interface internal
set match-metric 12
set match-tag 36
set set-ip-nexthop 128.8.0.0
set auth-mode text
set set-metric 48
set set-tag 72
end
end
Use this command to filter incoming protocol routes in RIB. You can filter protocol routes so that they are not added in
the RIB routing table.
NOTE: You must have an advanced features license to use OSPF or RIP routing.
Syntax
config router setting
config filter-list
edit <routemap_int>
set protocol {any | bgp | connected | isis | ospf | rip | static}
set route-map <routemap_str>
end
end
protocol {any | bgp | connected | The protocol routes for which the filter will be applied. connected
isis | ospf | rip | static}
route-map <routemap_str> Enter the route map name. Only a route map created with the No default
protocol set to zebra can be applied here.
Example
Use this command to add, edit, or delete static routes for IPv4 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying
destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the
next-hop routers to which traffic that matches the destination addresses in the route are forwarded.
Syntax
config router static
edit <sequence_number>
set bfd {enable | disable}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv4mask>
set dynamic-gateway {enable | disable}
set gateway <gateway-address_IPv4>
set status {enable | disable}
set vrf <string>
end
bfd {enable | disable} Enable or disable Bidirectional Forwarding for the route disable
gateway.
blackhole {enable | disable} Enable or disable dropping all packets that match this route. disable
device <interface_name> Enter the name of the interface through which to route traffic. No default
Enter ‘?’ to see a list of interfaces.
distance <1-255> Enter the administrative distance for the route. The range is an 10
integer from 1-255.
dst <destination-address_ Enter the destination IPv4 address and network mask for this 0.0.0.0 0.0.0.0
IPv4mask> route. You can enter 0.0.0.0/0 to create a new static
default route.
dynamic-gateway {enable | When enabled, the route gateway IP is obtained using DHCP disable
disable} running on the provided routeʼs device interface.
gateway <gateway-address_ Enter the IPv4 address of the next-hop router to which traffic is No default
IPv4> forwarded.
status {enable | disable} Enable this setting for the route to be added to the routing enable
table.
vrf <string> Assign the specified virtual routing and forwarding (VRF) No default
instance to this static route.
After the static route is created, the VRF instance cannot be
changed or unset.
Example
Use this command to add, edit, or delete static routes for IPv6 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying
destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the
next-hop routers to which traffic that matches the destination addresses in the route are forwarded.
Syntax
config router static6
edit <sequence_number>
set bfd {enable | disable}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv6mask>
set gateway <gateway-address_IPv6>
set status {enable | disable}
set vrf <string>
end
The dst and gateway fields are required when blackhole is disabled. When
blackhole is enabled, the dst field is required. All other fields are optional.
bfd {enable | disable} Enable or disable bidirectional forwarding detection (BFD) for disable
the gateway.
blackhole {enable | disable} Enable or disable dropping all packets that match this route. disable
device <interface_name> Enter the name of the interface through which to route traffic. No default
Enter ‘?’ to see a list of interfaces.
distance <1-255> Enter the administrative distance for the route. The range is an 10
integer from 1-255.
dst <destination-address_ Enter the destination IPv6 address and network mask for this ::/0
IPv6mask> route.
gateway <gateway-address_ Enter the IPv6 address of the next-hop router to which traffic is ::
IPv6> forwarded.
status {enable | disable} Enable this setting for the route to be added to the routing enable
table.
vrf <string> Assign the specified virtual routing and forwarding (VRF) No default
instance to this static route.
After the static route is created, the VRF instance cannot be
changed or unset.
Example
This example shows how to configure a static route for IPv6 traffic:
config router static6
edit 1
set dst 5555::/64
set gateway 4000::2
set status enable
end
end
Use these commands to create virtual routing and forwarding (VRF) instances.
Syntax
config router vrf
edit <VRF_name>
set vrfid <integer>
end
vrfid <integer> Set the VRF identifier. The range of values is 1-1023. 0
You cannot use 252, 253, 254, or 255. After the VRF instance
is created, the VRF ID cannot be changed.
Example
config switch
Use the config switch commands to configure options related to switching functionality:
l config switch acl egress on page 78
l config switch acl ingress on page 80
l config switch acl policer on page 83
l config switch acl prelookup on page 84
l config switch acl service custom on page 85
Use this command to configure an access control list (ACL) for an egress policy.
Syntax
config switch acl egress
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.
schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the egress ACL policy active or inactive. active
config classifier
cos <802.1Q CoS value to Enter the 802.1Q CoS value to match. No default
match>
dscp <DSCP value to match> Enter the DSCP value to match. No default
dst-ip-prefix <IP_address> Destination IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0
<mask>
src-ip-prefix <IP_address> Source IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0
<mask>
config action
count {enable | disable} Enable or disable the count action. disable
Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for
multiple ingress ACLs.
Syntax
config switch acl ingress
edit <policy-id>
set description <string>
set group <group_ID>
set ingress-interface <port > [<port > ... <port >]
set ingress-interface-all {enable | disable}
set schedule <schedule_name>
set status {active | inactive}
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
set src-mac <mac>
set dst-mac <mac>
set ether-type <integer>
set src-ip-prefix <IP address> <mask>
set dst-ip-prefix <IP address> <mask>
set service <service-id>
set vlan-id <vlan-id>
end
config action
set cos-queue <0 - 7>
set count {enable | disable}
set cpu-cos-queue <integer>
set drop {enable | disable}
set egress-mask {<physical_port_name> | internal}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set redirect-bcast-cpu {enable | disable}
description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.
group <group_ID> Enter the group identifier of the policy. The range of group 1
identifiers varies among the different platforms.
Starting in FortiSwitchOS 6.2.0, you can create groups for
multiple ingress ACLs.
ingress-interface <port > [<port > If ingress-interface-all is disabled, enter the interface list to No default
... <port >] which the policy is bound on the ingress.
schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the ingress ACL policy active or inactive. active
config classifier
cos <802.1Q CoS value to Enter the 802.1Q CoS value to match. No default
match>
dscp <DSCP value to match> Enter the DSCP value to match. No default
src-ip-prefix Enter the source IP address and subnet mask to be 0.0.0.0 0.0.0.0
matched.
dst-ip-prefix Enter the destination IP address and subnet mask to be 0.0.0.0 0.0.0.0
matched.
config action
cos-queue <0 - 7> CoS queue number (0 - 7). 0
cpu-cos-queue <integer> CPU CoS queue number. This CoS queue is only used if the disabled
packets reach the CPU. Enter set cpu-cos-queue ? to
see the value range.
remark-cos <0-7> Set the CoS marking value. The range is 0-7. No default
remark-dscp <0-63> Set the DSCP marking value. The range is 0-63. No default
Examples
In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed
to all other destinations:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status inactive
next
edit 2
config classifier
set vlan-id 3
end
set ingress-interface-all enable
set status active
next
end
In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP
marking values are set:
config switch acl ingress
edit 1
config classifier
set src-mac 11:22:33:aa:bb:cc
set cos 2
set dscp 10
end
config action
set count enable
set remark-cos 4
set remark-dscp 20
end
set ingress-interface port2
set status active
end
Syntax
config switch acl policer
edit <policer index>
set description <string>
set guaranteed-bandwidth <bandwidth_value>
set guaranteed-burst <in_bytes>
set maximum-burst <in_bytes>
set type {egress | ingress}
end
type {egress | ingress} Specify whether the policer is for egress or ingress policies. ingress
Example
Syntax
config switch acl prelookup
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
set dst-ip-prefix <IP_address> <mask>
set dst-mac <MAC_address>
set ether-type <integer>
set service <service_ID>
set src-ip-prefix <IP_address> <mask>
set src-mac <MAC_address>
set vlan-id <VLAN_ID>
end
config action
set count {enable | disable}
set cos-queue <0-7>
set drop {enable | disable}
set outer-vlan-tag <integer>
set remark-cos <0-7>
end
end
description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.
schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the prelookup ACL policy active or inactive. active
config classifier
cos <802.1Q CoS value to Enter the 802.1Q CoS value to match. No default
match>
dscp <DSCP value to match> Enter the DSCP value to match. No default
dst-ip-prefix <IP_address> Destination IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0
<mask>
src-ip-prefix <IP_address> Source IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0
<mask>
config action
count {enable | disable} Enable or disable the count action. disable
cos-queue <0-7> CPU CoS queue number (20-29). Only if packets reach to No default
CPU. The value range is 20-29.
remark-cos <0-7> Set the CoS marking value. The range is 0-7. No default
Syntax
config switch acl service custom
edit <service name>
set comment <string>
set color <0-32>
set protocol {ICMP | IP | TCP/UDP/SCTP}
set icmptype <0-255>
set icmpcode <0-255>
set protocol-number <IP protocol number>
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_
int>]
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end
end
color <0-32> Set the icon color to use in the Web-based manager. A value 0
of zero sets the default color (1).
icmptype <0-255> If you set the protocol to ICMP, set the ICMP type. 0
icmpcode <0-255> If you set the protocol to ICMP, set the ICMP code. 0
sctp-portrange For SCTP services, enter the destination and source port No default
ranges.
tcp-portrange For TCP services, enter the destination and source port No default
ranges.
udp-portrange For UDP services, enter the destination and source port No default
ranges.
Notes:
l srcport_low and srcport_high can be omitted if the value pair is 1-65535
l dstport_high can be omitted if dstport_low is equal to dstport_high
l srcport_low and srcport_high can be omitted if the value pair is 1-65535
l dstport_high can be omitted if dstport_low is equal to dstport_high
Example
In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses
port 445:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface "port1"
config action
set count enable
set mirror "port3"
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end
Syntax
config switch acl settings
set density-mode {disable | enable}
set trunk-load-balance {disable | enable}
end
Example
Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.
Syntax
config switch auto-isl-port-group
edit <trunk_name>
set members <one or more ports>
end
Example
Use this command to automatically form an inter-switch link (ISL) between two switches.
Syntax
config switch auto-network
set mgmt-vlan <1-4094>
set status {enable | disable}
end
mgmt-vlan <1-4094> Set the VLAN to use for the native VLAN on ISL ports and the 4094
native VLAN on the internal switch interface.
status {enable | disable} Enable or disable whether an ISL is automatically formed disable
between two switches.
Example
The following example enables the automatic formation of an ISL between two switches:
config switch auto-network
set mgmt-vlan 200
set status enable
end
Syntax
config switch global
set auto-fortilink-discovery {enable | disable}
set auto-isl {enable | disable}
set auto-isl-port-group <0-9>
set auto-stp-priority {enable | disable}
set dhcp-snooping-database-export {disable | enable}
set dmi-global-all {enable | disable}
set flapguard-retain-trigger {enable | disable}
set flood-unknown-multicast {enable | disable}
set fortilink-heartbeat-timeout <0-300>
set fortilink-p2p-tpid <interger>
set fortilink-vlan-optimization {enable | disable}
set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>
set ip-mac-binding {enable | disable}
set log-mac-limit-violations {enable | disable}
set log-source-guard-violations {enable | disable}
set loop-guard-tx-interval <0-30>
set mac-aging-interval <seconds>
set mac-violation-timer <integer>
set max-frame-size <bytes_int>
set
max-path-in-ecmp-group <integer>
set
mclag-igmpsnooping-aware {enable | disable}
set
mclag-peer-info-timeout <integer>
set
mclag-port-base <integer>
set
mclag-split-brain-detect {enable | disable}
set
mclag-stp-aware {enable | disable}
set
mirror-qos <0-7>
set
name <string>
set
neighbor-discovery-to-cpu {enable | disable}
set
packet-buffer-mode {store-forward | cut-through}
set
poe-alarm-threshold <threshold (percent of total power budget) above which an alarm
event is generated>
set poe-guard-band <integer>
set poe-power-budget <integer>
set poe-power-mode {first-come-first-served | priority}
set poe-pre-standard-detect {disable | enable}
set qos-drop-policy {random-early-detection | taildrop}
set qos-red-probability <integer>
set reserved-mcast-to-cpu {enable | disable}
set source-guard-violation-timer <integer>
set trunk-hash-mode {default| enhanced}
set trunk-hash-unicast-src-port {enable | disable}
set trunk-hash-unkunicast-src-dst {enable | disable}
set virtual-wire-tpid <0x0001-0xfffe>
config port-security
set link-down-auth {no-action | set-unauth}
set mab-reauth {enable | disable}
set max-reauth-attempt <0-15>
set quarantine-vlan {enable | disable}
set reauth-period <1-1440>
set tx-period <12-60>
end
end
auto-fortilink-discovery Enable or disable the capability for the FortiGate unit to enable
{enable | disable} automatically discover the FortiLink interface on the switch.
flapguard-retain-trigger Enable this setting to keep the “triggered” status in the disable
{enable | disable} output of the diagnose flapguard status command
after a switch has been rebooted until the port has been
reset with the execute flapguard reset <port_
name> command.
flood-unknown-multicast Enable or disable whether to flood the VLAN with unknown disable
{enable | disable} multicast messages.
fortilink-heartbeat-timeout <0- Set how long before the FortiLink heartbeat times out. Set 60
300> the value to 0 to disable the FortiLink heartbeat.
fortilink-p2p-tpid <interger> Set the FortiLink point-to-point TPID value. The range of 0x8100
values is 0x0001 to 0xfffe.
This command is only available in FortiLink mode.
forti-trunk-dmac Enter the destination MAC address to be used for FortiTrunk 02:80:c2:00:00:02
<xx:xx:xx:xx:xx:xx> heartbeat packets.
ip-mac-binding {enable | disable} Enable or disable IP-MAC binding for the switch disable
log-mac-limit-violations {enable | Enable or disable the logging of layer-2 learning limit disable
disable} violations for an interface or VLAN. The most recent violation
that occurred on each interface or VLAN is logged. After that,
no more violations are logged until the log is reset for the
triggered interface or VLAN. Only the most recent 128
violations are displayed in the console.
NOTE: This command is only displayed if your FortiSwitch
model supports it.
loop-guard-tx-interval <0-30> Enter the loop guard transmit interval. Value range is 1-30. 3
The units is seconds.
mac-aging-interval <seconds> Specify how often the learning-limit violation log is reset. 300
The range is 10 to 1,000,000 seconds. Set to 0 to disable.
mac-violation-timer <integer> How long (in minutes) violations of the layer-2 learning limit 0
are kept in the log. The value range is 0-1500. Set to 0 to
disable the timer.
max-frame-size <bytes_int> Set the maximum frame size. The range is 68 to 16360. 9216
NOTE: For non-1xxE FortiSwitch units, this command is
under the config switch physical-port command.
mclag-igmpsnooping-aware Enable this option to synchronize both query ports and group disable
{enable | disable} entries across peer MCLAG trunks. This option can be used
in standalone mode and in FortiLink mode.
mclag-split-brain-detect {enable Enable or disable the detection of the MCLAG split-brain disable
| disable} state.
mclag-stp-aware {enable | Enable or disable whether the STP can be used within the enable
disable} MCLAG.
mirror-qos <0-7> Enter the quality of service (QoS) priority for packets 0
mirrored by this FortiSwitch unit. Applies only to the FS-
524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-
1048E, and FS-3032D models.
poe-guard-band <integer> Enter the power (W) to reserve in case of a spike in PoE 19
consumption.
poe-power-mode {first-come- Set the PoE power mode to priority based or first-come, first- priority
first-served | priority} served.
dropped.
l random-early-detection — As the queue fills, the
qos-red-probability <integer> Set the QoS RED/WRED drop probability. The FS-108E, FS- 12
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and
FS-124E-FPOE models support 0-100 percent. The FS-
148E, FS-148E-POE, and FS-148E-FPOE models support 0-
25 percent.
NOTE: This command is available only for the FS-108E, FS-
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.
source-guard-violation-timer Enter the number of minutes for a global timeout for source 0
<intebger> guard violations. The range of values is 0-1500. Set this
option to 0 to disable it.
This command is only available when log-source-
guard-violations is enabled.
trunk-hash-mode Set the trunk hash mode to default or enhanced default
{default| enhanced}
trunk-hash-unicast-src-port Enable or disable whether the trunk hashing algorithm for disable
{enable | disable} unicast packets uses the source port.
trunk-hash-unkunicast-src-dst Enable or disable trunk hash for unknown unicast src-dst. enable
{enable | disable}
virtual-wire-tpid <0x0001-0xfffe> TPID value used by virtual-wires. The value range is from 0xdee5
0x0001 to 0xfffe.
Choose a value unlikely to be seen as a TPID or ethertype in
your network.
config port-security
link-down-auth If a link goes down, this setting determines if the affected set-unauth
devices needs to reauthenticate.
l set-unauth — revert all devices to the un-
mab-reauth {enable | disable} Enable or disable whether MAB retries authentication before disable
assigning a device to a guest VLAN for unauthorized users.
quarantine-vlan {enable | Enable or disable quarantine VLAN detection. Enable this enable
disable} setting to use quarantines with 802.1x MAC-based
authentication in FortiLink mode.
tx-period <12-60> Specify how many seconds are allowed for the 802.1x 30
reauthentication before it times out.
Example
Use this command to configure global settings for IGMP snooping on the FortiSwitch unit.
Syntax
config switch igmp-snooping globals
set aging-time <integer>
set leave-response-timeout <integer>
set query-interval <10-1200>
end
leave-response-timeout Enter the maximum number of seconds that the switch waits 10
<integer> after sending a group-specific query in response to the leave
message. The range of values is 1-20.
query-interval <10-1200> Enter the maximum number of seconds between IGMP 120
queries.
Example
The following example configures global settings for IGMP snooping on the FortiSwitch unit:
config switch igmp-snooping globals
set aging-time 150
set leave-response-timeout 15
set query-interval 200
end
Command
config switch interface
edit <interface_name>
set allowed-vlans {vlan1 vlan2 ...}
set arp-inspection-trust {trusted | untrusted}
set auto-discovery-fortilink {enable | disable}
set auto-discovery-fortilink-packet-interval <3-300>
set default-cos <0-7>
set description <string>
set discard-mode {all-tagged | all-untagged | none}
set dhcp-snooping {trusted | untrusted}
set dhcp-snoop-learning-limit-check {disable | enable}
set dhcp-snooping-option82-trust {enable | disable}
set edge-port {enabled | disabled}
set igmp-snooping-flood-reports {enable | disable}
set mcast-snooping-flood-traffic {enable | disable}
set mld-snooping-flood-reports {enable | disable}
set ip-mac-binding {enable | disable | global}
set ip-source-guard {enable | disable}
set learning-limit <1 - 128>
set log-mac-event {enable | disable}
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120>
set loop-guard-mac-move-threshold <0-100>
edit <id>
set description <string>
set match-c-vlan <1-4094>
set new-s-vlan <1-4094>
next
end
end
config vlan-mapping
edit <id>
set description <string>
set direction {egress | ingress}
set match-s-vlan <1-4094>
set match-c-vlan <1-4094>
set action {add | delete | replace}
set new-s-vlan <1-4094>
next
end
next
end
allowed-vlans Enter the names of the VLANs permitted on this interface. No default
{vlan1 vlan2 ...}
auto-discovery- Enable or disable automatically discovery of the port used for FortiLink. disable
fortilink
{enable | disable}
auto-discovery- Enter the FortiLink packet interval for automatic discovery. The value 5
fortilink-packet- range is 3 to 300 seconds.
interval <3-300>
default-cos <0-7> Set the default CoS value for untagged packets. Integer in the range of 0 0
to 7.
The configured default CoS only applies if you also set trust-dot1p-
map on the interface.
NOTE: The set default-cos command is not available on the
following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE,
424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-
POE, and 248E-FPOE.
discard-mode {all- Set the discard mode for this interface. none
tagged | all-untagged
| none}
dhcp-snoop-learning- Enable or disable whether there is a limit for how many IP addresses are disable
limit-check {disable | in the DHCP snooping binding database for this interface.
enable}
edge-port Enable if the port does not have another switch connected to it. disable
{enabled | disabled}
mcast-snooping- Enable or disable whether to flood multicast traffic to this interface. disable
flood-traffic
{enable | disable}
mld-snooping-flood- Enable or disable whether to flood MLD-snooping reports to this interface. disable
reports {enable |
disable}
ip-mac-binding Enable or disable IP-MAC binding for this interface. Set the value to disable
{enable | disable 'global', the interface inherits the global ip-mac-binding configuration
| global} value.
ip-source-guard Enable or disable IP source guard for this interface. After you enable this disable
{enable | disable} feature, use the config switch ip-source-guard command to
configure it.
learning-limit <1 - Limit the number of dynamic MAC addresses on this port. The value 0
128> range is between 0 and 128 (0 = no limit).
NOTE: You cannot set the learning-limit on the internal interface.
log-mac-event Enable or disable the logging of dynamic MAC address events. disable
{enable | disable}
loop-guard-timeout After enabling loop guard, set the number of minutes before loop guard 45
<0-120> resets. Setting this value to 0 means that there is no timeout.
loop-guard-mac- After enabling loop guard, set the number of MAC address moves per 0
move-threshold <0- second for this interface. The threshold must be exceeded for 6
100> consecutive seconds to trigger loop guard.
native-vlan <vlan_ Enter the native (untagged) VLAN for this interface. 1
int>
sample-direction Set the sFlow sample direction to monitor received traffic (rx), monitor both
{both | rx |tx} transmitted traffic (tx), or monitor both.
This option is only available when the packet-sampler is enabled.
packet-sample-rate If packet-sampler is set to enabled, you can change the packet sample 512
<0-99999> rate.
ptp-policy {<string> | Enter the name of the Precision Time Protocol (PTP) policy. default
default}
qos-policy {<string> | Enter the name of the QoS egress CoS queue policy. default
default}
rpvst-port {enabled | Enable or disable whether this interface interoperates with per-VLAN disabled
disabled} spanning tree (PVST).
security-groups Enter the security group name if you are using port-based authentication No default
<security-group- or MAC-based authentication.
name>
sflow-counter-interval Set the polling interval for the sFlow sampler counter. Set to 0 to disable 0
<0-255> polling.
snmp-index <integer> Enter the SNMP index for this interface. Default is the
port number
sticky-mac {disable | Enable or disable whether dynamically learned MAC addresses are disable
enable} persistent when the status of a FortiSwitch port changes (goes down or
up).
stp-bpdu-guard Enable or disable STP BPDU guard protection. To use STP BPDU guard disabled
{disabled | enabled} on this interface, you must enable stp-state and edge-port.
stp-root-guard Enable or disable STP root guard protection. To use STP root guard, you disabled
{disabled | enabled} must enable stp-state.
stp-state Enable or disable Spanning Tree Protocol (STP) on this interface. enabled
{enabled | disabled}
trust-dot1p-map Whether to trust the dot1p CoS value in the incoming packets. Specify a No default
map to map the CoS value to an egress queue value.
trust-ip-dscp-map Whether to trust the DSCP QoS value in the incoming packets. Specify a No default
map to map the DSCP value to an egress queue value.
vlan-mapping-miss- Enable or disable whether a packet is dropped if the VLAN ID in the disable
drop {enable | packetʼs tag is not defined in the vlan-mapping configuration.
disable}
vlan-tpid <default | Select which VLAN TPID profile to use. The default VLAN TPID profile default
string> has a value of 0x8100 and cannot be deleted or changed.
NOTE: If you are not using the default VLAN TPID profile, you must have
already defined the VLAN TPID profile with the config switch
vlan-tpid command.
config port-security
macsec} authentication.
l macsec—Use this setting for MACsec.
If you change the security mode from none, you must set the security
group with the set security-groups command.
auth-fail-vlan {enable When enabled, the system assigns the auth-fail-vlanid to users disable
| disable} who attempted to authenticate but failed to provide valid credentials.
auth-fail-vlanid Enter the VLAN identifier that the system assigns to users who attempted 200
<VLAN_id> to authenticate but failed to provide valid credentials. This field is
mandatory when auth-fail-vlan is enabled.
authserver-timeout- Enter the number of seconds before the authentication server stops trying 3
period <3-15> to authenticate users.
authserver-timeout- Enable or disable whether users are assigned to the specified VLAN when disable
vlan {enable | disable} the authentication server times out.
authserver-timeout- Enter the VLAN identifier that the system assigns to users when the 300
vlanid <1-4094> authentication server times out. This field is mandatory when
authserver-timeout-vlan is enabled.
eap-auto-untagged- Enable to allow voice traffic with voice VLAN tag at egress. enable
vlans {enable |
disable}
framevid-apply Enable or disable the capability to apply the EAP/MAB frame VLAN to the enable
{disable | enable} port native VLAN.
guest-auth-delay If a device does not attempt to authenticate within this timeframe (in 5
<integer> seconds), the guest VLAN is assigned.
guest-vlan {enable | When enabled, the system assigns the guest-vlanid to unauthorized disable
disable} users.
guest-vlanid <VLAN_ VLAN identifier. Mandatory field when guest VLAN is enabled. 100
id>
mab-eapol-request Set how many EAP packets are sent to trigger EAP authentication for 3
<0-10> “silent supplicants” (such as end devices running Windows 7) that send
non-EAP packets when they wake up from sleep mode.
To disable this feature, set mab-eapol-request to 0 or disable mac-
auth-bypass.
mac-auth-bypass Enable or disable MAC auth bypass. disable
{enable | disable}
open-auth {enable | Enable or disable open authentication (monitor mode) on this interface. disable
disable}
quarantine-vlan Enable or disable quarantine VLAN detection. Enable this setting to use enable
{enable | disable} quarantines with 802.1x MAC-based authentication in FortiLink mode.
radius-timeout- Enable this option to use the value of the session-timeout attribute. The disable
overwrite {enable | session-timeout attribute specifies how many seconds of idleness are
disable} allowed before the FortiSwitch unit disconnects a session. The value
must be more than 60 seconds.
config raguard
raguard-policy Enter the name of the RA-guard policy to use for this interface. No default
<name_of_RA_ The RA-guard policy must be created (with the config switch
guard_policy> raguard-policy command) before it is applied to an interface.
vlan-list <list_of_ Enter a VLAN or a range of VLANs to apply this policy to. Use less than All allowed
VLANs> 4,096 characters for the vlan-list value. Separate the VLANs and VLAN VLANs on this
ranges with commans, for example: port
1,3-4,6,7,9-100
config qnq
add-inner <1-4095> If the QinQ mode is enabled, add the inner tag for untagged packets upon No default
ingress.
edge-type customer If the QinQ mode is enabled, the edge type is set to customer. customer
priority {follow-c-tag | If the QinQ mode is enabled, select whether to follow the priority of the S- follow-s-tag
follow-s-tag} tag (service tag) or C-tag (customer tag).
NOTE: This command is not available on the 224D-FPOE, 248D, 424D,
424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-
POE, 248E-POE and 248E-FPOE models.
remove-inner {enable If the QinQ mode is enabled, enable or disable whether the inner tag is disable
| disable} removed upon egress.
s-tag-priority <0-7> If packets follow the priority of the S-tag (service tag), enter the priority 0
value. This option is available only when the priority is set to follow-s-
tag.
NOTE: This command is not available on the 224D-FPOE, 248D, 424D,
424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-
POE, 248E-POE and 248E-FPOE models.
vlan-mapping-miss- If the QinQ mode is enabled, enable or disable whether a packet is disable
drop {enable | dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-
disable} mapping configuration.
match-s-vlan <1- If the direction is set to egress, enter the service (outer) VLAN to match. 0
4094>
match-c-vlan <1- If the direction is set to ingress, enter the customer (inner) VLAN to 0
4094> match.
action {add | delete | Select what happens when the packet is matched: No default
replace} l add—When the packet is matched, add the service VLAN. You
You cannot set the action to delete for the ingress direction.
l replace—When the packet is matched, replace the customer
Example
Syntax
config switch ip-mac-binding
edit <sequence_int>
set ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set mac <xx:xx:xx:xx:xx:xx>
set status {enable | disable}
next
end
<sequence_int> Enter a sequence number for the IP-MAC binding entry. No default
ip <xxx.xxx.xxx.xxx> Enter the source IP address and network mask for this rule. 0.0.0.0 0.0.0.0
<xxx.xxx.xxx.xxx>
mac <xx:xx:xx:xx:xx:xx> Enter the MAC address for this rule. 00:00:00:00:00:00
Example
The following example configures the IP-MAC binding for the FortiSwitch unit:
config switch ip-mac-binding
edit 1
set ip 172.168.20.1 255.255.255.255
set mac 00:21:cc:d2:76:72
set status enable
next
end
Use this command to configure IP source guard for a port by binding IPv4 addresses to MAC addresses.
Syntax
config switch ip-source-guard
edit <port_name>
config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end
ip <xxx.xxx.xxx.xxx> Required. Enter the IPv4 address to bind to the MAC 0.0.0.0
address. Masks are not supported.
mac <XX:XX:XX:XX:XX:XX> Required. Enter the MAC address to bind to the IPv4 00:00:00:00:00:00
address.
Example
The following example binds an IPv4 address to a MAC address so that traffic from that IP address will be allowed on
port4:
config switch ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20
set mac 00:21:cc:d2:76:72
next
end
next
end
Use this command to configure LLDP profile settings. The LLDP profile contains most of the port-specific configuration.
Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for
multiple ports.
There are two static LLDP profiles: default and default-auto-isl. These profiles are created automatically.
They can be modified but cannot be deleted. The default-auto-isl profile always has auto-isl enabled, and
rejects any configurations which attempt to disable it.
Syntax
config switch lldp profile
edit <profile>
set 802.1-tlvs port-vlan-id
set 802.3-tlvs {eee-config | max-frame-size | power-negotiation}
set auto-isl {enable | disable}
set auto-isl-hello-timer <1-30>
802.1-tlvs The only 802.1 TLV that can be enabled or disabled is no TLV enabled
port-vlan-id. This TLV will send the native VLAN of
the port. If the value is changed, the sent value will reflect
the updated value.
802.3-tlvs {eee-config | max- Set which 802.3 TLVs are enabled: no TLV enabled
frame-size | power- l eee-config—Use this TLV to send the energy-
auto-isl-hello-timer <1-30> Enter a value (in seconds) for the hello timer. The range is 1 3
to 30.
auto-isl-port-group <0-9> Enter a value for the port group. The range is 0 to 9. 0
auto-isl-receive-timeout Enter a value (in seconds) for the receive timeout. The 9
range is 3 to 90.
config custom-tlvs
config med-location-service
status {enable | disable} Enable the status to transmit the type-length-value (TLV) if disable
the LLDP-MED profile has been enabled on a port.
sys-location-id <string> Use the specified location entry that was already entered No default
with the config system location command.
status {enable | disable} Enable the status to transmit the type-length-value (TLV) if disable
the LLDP-MED profile has been enabled on a port.
sys-location-id <string> Use the specified location entry that was already entered No default
with the config system location command.
status {enable | disable} Enable the status to transmit the type-length-value (TLV) if disable
the LLDP-MED profile has been enabled on a port.
sys-location-id <string> Use the specified location entry that was already entered No default
with the config system location command.
config med-network-policy
status {enable | disable} Enable or disable the policy for the policy type. disable
assign-vlan {enable | disable} Enable or disable whether the VLAN is added as one of the disable
allowed-vlans for this port.
NOTE: LLDP-MED network policies cannot be deleted or added. To use a policy, the med-tlvs field must include
network-policy, and you must set the policy to enabled. The VLAN values on the policy are cross-checked
against the VLAN native, allowed, and untagged attributes for any interfaces that contain physical-ports using this
profile. The cross-check determines if the policy TLV should be sent (VLAN must be native or allowed), and if the TLV
should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is
automatically updated when a switch interface changes VLAN configuration, or if a physical port is added to, or removed
from, a trunk.
Example
set dscp 40
set priority 3
set status enable
set vlan 400
next
edit "video-signaling"
next
end
set med-tlvs inventory-management network-policy
next
end
Syntax
config switch lldp settings
set status {enable| disable}
set tx-hold <1-16>
set tx-interval <5-4095>
set fast-start-interval <0 or 2-5>
set management-interface (internal | <string>)
set device-detection {enable | disable}
end
device-detection {enable | Enable or disable whether LLDP neighbor devices are disable
disable} dynamically detected.
This option is available only in FortiLink mode.
Example
Use these commands to configure a Media Access Control security (MACsec) profile.
Syntax
config switch macsec profile
edit <profile_name>
set cipher_suite GCM_AES_128
set confident-offset {0 | 30 | 50}
set encrypt-traffic {enable | disable}
set include-macsec-sci {enable | disable}
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority <0-255>
set replay-protect {enable | disable}
set replay-window <0-16777215>
set status {enable | disable}
config mka-psk
edit <pre-shared key name>
set crypto-alg AES_128_CMAC
set mka-cak <string>
set mka-ckn <string>
set status active
next
end
config traffic-policy
edit <traffic_policy_name>
set security-policy must-secure
set status enable
next
end
next
end
cipher_suite GCM_AES_128 Only the GCM-AES-128 cipher suite is available currently for GCM_AES_
encryption. 128
confident-offset {0 | 30 | 50} Select the number of bytes for the MACsec traffic 0
confidentiality offset. Selecting 0 means that all of the
MACsec traffic is encrypted. Selecting 30 or 50 bytes means
encrypt-traffic {enable | disable} Enable or disable whether MACsec traffic is encrypted. enable
include-macsec-sci {enable | Enable or disable whether to include the MACsec transmit enable
disable} secure channel identifier (SCI).
include-mka-icv-ind enable The MACsec Key Agreement (MKA) integrity check value (ICV) enable
indicator is always included.
macsec-mode static-cak The MACsec mode is always static connectivity association static-cak
key (CAK).
replay-protect {enable | disable} Enable or disable MACsec replay protection. MACsec replay disable
protection drops packets that arrive out of sequence,
depending on the replay-window value.
replay-window <0-16777215> Enter the number of packets for the MACsec replay window 32
size. If two packets arrive with the difference between their
packet identifiers more then the replay window size, the most
recent packet of the two is dropped. The range is 0-16777215
packets. Enter 0 to ensure that all packets arrive in order
without any repeats.
<pre-shared key name> Enter a name for this MACsec MKA pre-shared key No default
configuration.
crypto-alg AES_128_CMAC Only the AES_128_CMAC algorithm is available for encrypting AES_128_
the pre-shared key. CMAC
mka-cak <string> Enter the string of hexadecimal digits for the connectivity No default
association key (CAK). The string can be up to 32-bytes long.
mka-ckn <string> Enter the string of hexadecimal digits for the connectivity No default
association name (CKN). The string can be 1-byte to 64-bytes
long.
status active The status of the pre-shared key pair is always active. active
security-policy must-secure The policy must secure traffic for MACsec. must-secure
status enable The status of this MACsec traffic policy is always enabled. enable
Example
Use these commands to configure the packet mirror. Packet mirroring allows you to collect packets on specified ports
and then send them to another port to be collected and analyzed.
Syntax
config switch mirror
edit <mirror session name>
set dst <interface>
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-src <IPv4_address>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-mac-dst <MAC_address>
set encap-mac-src <MAC_address>
set encap-vlan {tagged | untagged}
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
<mirror session name> Enter the name of the mirror session to edit (or enter a new No default
mirror session name).
encap-gre-protocol Set the protocol value in the ERSPAN GRE header. 0x88be
<hexadecimal_integer> This option is available when the mode is ERSPAN-auto or
ERSPAN-manual.
encap-ipv4-src <IPv4_address> Required when the mode is set to ERSPAN-manual and 0.0.0.0
the status is active.
Set the IPv4 source address in the ERSPAN IP header. The
range is 0.0.0.1-255.255.255.254.
This option is available when the mode is ERSPAN-
manual.
encap-ipv4-tos <hexadecimal_ Set the type of service (ToS) value or enter the DSCP and 0x00
integer> ECN values in the ERSPAN IP header.
This option is available when the mode is ERSPAN-auto or
ERSPAN-manual.
encap-ipv4-ttl <0-255> Set the IPv4 time-to-live (TTL) value in the ERSPAN 16
IP header.
This option is available when the mode is ERSPAN-auto or
ERSPAN-manual.
encap-mac-dst <MAC_address> Required when the mode is set to ERSPAN-manual and 00:00:00:00:00:00
the status is active.
Set the MAC address of the next-hop or gateway on the
path to the ERSPAN collector IP address. The range is
00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.
encap-mac-src <MAC_address> Required when the mode is set to ERSPAN-manual and 00:00:00:00:00:00
the status is active.
Set the source MAC address in the ERSPAN Ethernet
header. The range is 00:00:00:00:00:01-
FF:FF:FF:FF:FF:FE.
This option is available when the mode is ERSPAN-
manual.
encap-vlan {tagged | untagged} Set the status of ERSPAN encapsulation headers to tagged untagged
or untagged to control whether the VLAN header is added
to the encapsulated traffic.
This option is available if the mode is ERSPAN-manual.
encap-vlan-cfi <0-1> Set the canonical format identifier (CFI) or drop eligible 0
indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.
This option is available when the mode is RSPAN or
ERSPAN-auto. This option is available for the ERSPAN-
manual mode if encap-vlan is set to tagged.
When the mode is RSPAN, this option is not available on
the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE,
248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
encap-vlan-id <1-4094> Set the VLAN identifier in the ERSPAN or RSPAN VLAN 1
header.
This option is available when the mode is RSPAN. This
option is available for the ERSPAN-manual mode if
encap-vlan is set to tagged.
encap-vlan-priority <0-7> Set the class of service (CoS) bits in the ERSPAN or 0
RSPAN VLAN header.
This option is available when the mode is RSPAN or
ERSPAN-auto. This option is available for the ERSPAN-
manual mode if encap-vlan is set to tagged.
When the mode is RSPAN, this option is not available on
the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE,
248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
encap-vlan-tpid <0x0001-0xfffe> Set the tag protocol identifier (TPID) for the encapsulating 0x8100
VLAN header. The default value, 0x8100, is for an IEEE
802.1Q-tagged frame.
This option is available when the mode is RSPAN or
ERSPAN-auto. This option is available for the ERSPAN-
manual mode if encap-vlan is set to tagged.
erspan-collector-ip <IPv4_ Required when the status is active and the mode is set to 0.0.0.0
address> ERSPAN-auto or ERSPAN-manual.
Set the IPv4 address for the ERSPAN collector. The range
is 0.0.0.1-255.255.255.255.
This option is available only when the mode is ERSPAN-
auto or ERSPAN-manual.
rspan-ip <IPv4_address> Required when the mode is RSPAN, the status is active, 0.0.0.0
and the switch is in FortiLink mode.
Enter the destination IP address for the RSPAN collector.
The range is 0.0.0.1-255.255.255.255.
This option is available only when the mode is RSPAN and
the switch is in FortiLink mode.
src-egress <interface_name> Optional. Set the source egress physical ports that will be No default
mirrored. Only one active egress mirror session is allowed.
src-ingress <interface_name> Optional. Specify the source ingress physical ports that will No default
be mirrored.
strip-mirrored-traffic-tags {disable Enable or disable the removal of VLAN tags from mirrored disable
| enable} traffic.
This option is available if the mode is ERSPAN-auto or
ERSPAN-manual.
Example
edit "m1"
set mode SPAN
set dst "port5"
set src-egress "port2" "port3"
set src-ingress "port2" "port4"
set status active
set switching-packet enable
end
Use this command to configure global settings for Multicast Listener Discovery (MLD) snooping on the FortiSwitch unit.
Syntax
config switch mld-snooping globals
set aging-time <integer>
set leave-response-timeout <integer>
set query-interval <10-1200>
end
aging-time <integer> The maximum number of seconds to retain a multicast snooping 300
entry for which no packets have been seen (15-3600).
leave-response-timeout Enter the maximum number of seconds that the switch waits after 10
<integer> sending a group-specific query in response to the leave message.
The range of values is 1-20.
query-interval <10-1200> Enter the maximum number of seconds between MLD queries. 125
Example
The following example configures the global settings for MLD snooping on the FortiSwitch unit:
config switch mld-snooping globals
set aging-time 150
set leave-response-timeout 15
set query-interval 200
end
Use this command to configure a static entry for network monitoring on the FortiSwitch unit.
Syntax
config switch network-monitor directed
edit <unused network monitor>
set monitor-mac <xx:xx:xx:xx:xx:xx>
end
<unused network monitor> Enter the number of an unused network monitor. No default
Example
Use this command to configure global settings for network monitoring on the FortiSwitch unit.
Syntax
config switch network-monitor settings
set db-aging-interval <integer>
set status {disable | enable}
set survey-mode {disable | enable}
set survey-mode-interval <integer>
end
db-aging-interval <integer> Enter the network monitor database aging interval. The value 3600
range is 3600-86400 seconds. Set the option to 0 to disable it.
survey-mode {disable | enable} Enable or disable the network monitor survey mode. disable
survey-mode-interval <integer> Enter the duration for which a network monitor is programmed 120
in hardware in the survey mode. The value range is 120-3600
seconds.
Example
On FortiSwitch models that provide 40G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout
cable to convert one 40G interface into four 10G interfaces. Use this command to configure split ports.
Notes
o 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port-name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
o 524D, 524D-FPOE (ports 29 and 30 are splittable)
o 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or 2 x
50G. Only two of the available ports can be split.)
o 1048E (In the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All
four ports can be split, but ports 47 and 48 are disabled.)
o 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G or 4 x 1G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D and the 1048E
models have enough ports to encounter this limit.
l Starting in FortiOS 6.2.0, splitting ports is supported in FortiLink mode (that is, the FortiSwitch unit managed by a
FortiGate unit).
l Starting in FortiSwitchOS 6.4.0, FC-FEC (cl74) is enabled as the default setting for ports that have been split to
4x25G. Use the following commands to change the setting:
config switch physical-port
edit <split_port_name>
set fec-state {cl74 | disabled}
end
Syntax
config switch phy-mode
set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G |
4x4x25G}
set {<port-name>-phy-mode <single-port| 4x25G | 4x10G | 4x1G | 2x50G}
...
end
port-configuration {default | For 548D and 548D-FPOE, set this option to disable- default
disable-port54 | disable-port41- port54 if only port 53 is splittable and port 54 is unavailable.
48 | 4x100G | 6x40G | 4x4x25G} For 548D and 548D-FPOE, set this option to disable-
port41-48 if ports 41 to 48 are unavailable, but ports 53 and
54 are splittable.
port<number>-phy-mode {<port- Use one entry for each port that supports split ports. 1x40G
name>-phy-mode <single-port| Set this option to single-port to use the port at the full
4x25G | 4x10G | 4x1G | 2x50G} base speed without splitting it.
For 100G QSFP only, set this option to 4x25G to split one port
into four subports of 25 Gbps each.
For 40G or 100G QSFP only, set this option to 4x10G to split
one port into four subports of 10Gbps each.
For 40G or 100G QSFP only, set this option to 4x1G to split
one port into four subports of 1 Gbps each.
For 100G QSFP only, set this option to 2x50G to split one port
into two subports of 50 Gbps each.
Example
In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:
config switch phy-mode
set port5-phy-mode 1x40G
set port6-phy-mode 1x40G
set port7-phy-mode 1x40G
set port8-phy-mode 1x40G
set port9-phy-mode 1x40G
set port10-phy-mode 4x10G
set port11-phy-mode 1x40G
set port12-phy-mode 1x40G
set port13-phy-mode 1x40G
set port14-phy-mode 4x10G
set port15-phy-mode 1x40G
set port16-phy-mode 1x40G
set port17-phy-mode 1x40G
set port18-phy-mode 1x40G
set port19-phy-mode 1x40G
set port20-phy-mode 1x40G
set port21-phy-mode 1x40G
set port22-phy-mode 1x40G
set port23-phy-mode 1x40G
set port24-phy-mode 1x40G
set port25-phy-mode 1x40G
set port26-phy-mode 1x40G
set port27-phy-mode 1x40G
set port28-phy-mode 4x10G
end
In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25
Gbps each.
config switch phy-mode
set port-configuration 4x4x25G
set port49-phy-mode 4x25G
set port50-phy-mode 4x25G
set port51-phy-mode 4x25G
set port52-phy-mode 4x25G
end
Syntax
config switch physical-port
edit <port_name>
set cdp-status {disable | rx-only | tx-only | tx-rx}
set description <description_str>
set dmi-status {disable | enable | global}
set egress-drop-mode {disabled | enabled}
set energy-efficient-ethernet {enable | disable}
set eee-tx-idle-time <integer>
set eee-tx-wake-time <integer>
set flapguard {enabled | disabled}
set flap-duration <5-300>
set flap-rate <1-30>
set flap-timeout <0-120>
set flow-control {tx | rx | both | disable}
set pause-meter-rate <integer>
set pause-resume {25% | 50% | 75%}
set l2-learning {enable | disable}
set lldp-profile <profile name>
set lldp-status {tx-only | rx-only | tx-rx | disable}
set loopback {disable | local | remote}
set max-frame-size <bytes_int>
set poe-port-mode {IEEE802_3AF | IEEE802_3AT}
set poe-port-priority {critical-priority | high-priority | low-priority}
set poe-pre-standard-detect {disable | enable}
set poe-status {enable | disable}
set priority-based-flow-control {enable | disable}
set qsfp-low-power-mode {enabled | disabled}
set speed <speed_str>
set status {down | up}
set storm-control-mode {disabled | global | override}
config storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-multicast {enable | disable}
set unknown-unicast {enable | disable}
end
cdp-status {disable | rx-only | tx- Set the CDP transmit and receive status (LLDP must be disable
only | tx-rx} enabled in LLDP settings).
l disable disables CDP transmit and receive.
eee-tx-idle-time <integer> Enter the number of microseconds that circuits are turned off 60
to save power. The range is 0-2560 microseconds. This option
is available only if energy-efficient-ethernet is enabled.
flapguard {enabled | disabled} Enable or disable flap guard for this port. disabled
flap-duration <5-300> After enabling the port flap guard, set the number of seconds 30
during which the flap rate is counted.
flap-rate <1-30> After enabling the port flap guard, set how many times that a 5
portʼs status changes during a specified number of seconds
before the flap guard is triggered.
flap-timeout <0-120> After enabling the port flap guard, set the number of minutes 0
before flap guard resets. Setting this value to 0 means that
there is no timeout.
pause-meter-rate <integer> Enter the number of kilobits for the ingress metering rate. The 0
range is 64 to 2147483647. Set to 0 to disable. Available if
flow-control is set to tx.
pause-resume {25% | 50% | 75%} Enter the percentage of the threshold to resume traffic to the 75%
ingress port. Available if flow-control is set to tx and
pause-meter-rate is set to a nonzero value.
l2-learning Enable or disable dynamic IP learning for this interface enabled
lldp-profile Enter the LLDP profile name for this port. default
loopback {disable | local | Set whether the physical port loops back on itself, either locally disable
remote} or remotely:
l Select local for a physical-layer loopback. If the
max-frame-size <bytes_int> Set the maximum frame size. The range is 68 to 16360. 9216
NOTE: For the eight models in the 1xxE series, this command
is under the config switch global command.
poe-port-mode {IEEE802_3AF | Set the PoE port mode to IEEE802.3AFor IEEE802.3AT. IEEE802_3AT
IEEE802_3AT}
poe-port-priority {critical-priority | Set the port priority. If there is not enough power, power is low-priority
high-priority | low-priority} alloted first to critical-priority ports, then to high-priority ports,
and then to low-priority ports.
poe-status {enable | disable} Enable Power over Ethernet. This option is only available with enable
the FortiSwitch-324B-POE.
qsfp-low-power-mode {enabled | Enable or disable the low-power mode on FortiSwitch models disabled
disabled} with QSFP (quad small form-factor pluggable) ports.
speed <speed_str> Set the speed of this port. Values depend on the switch model auto
and port. For example:
l 1000auto—Auto-negotiation (1 Gbps full-duplex only).
l 100full—100 Mbps full-duplex.
l 100half—100 Mbps half-duplex.
l 10full—10 Mbps full-duplex.
l 10half—10 Mbps half-duplex.
l auto—Auto-negotiation.
l 10000cr—10 Gbps copper interface.
l 10000full—10 Gbps full-duplex.
l 10000sr—10 Gbps SFI interface.
l 1000full—1 Gbps full-duplex.
l auto-module—Maximum speed supported by module.
status {down | up} Set the administrative status of this interface: up or down. up
storm-control-mode {disabled | By default, you configure storm control on a system-wide level. global
global | override} Set this option to override if you want to configure storm
control on a per-port level using the config storm-
control command, which is only available when the
storm-control-mode is set to override. Set this option
to disabled to deactivate port-level storm-control
configuration.
config storm-control
broadcast {enable | disable} Enable or disable storm control for broadcast traffic. disable
burst-size-level <0-4> Set the burst-size level for storm control. Use a higher number 0
to handle bursty traffic. The maximum number of packets or
bytes allowed for each burst-size level depends on the switch
model.
NOTE: This command is not available for the FS-108E, FS-
108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-
124E-FPOE models.
rate [0 | 2-10000000] Specify the rate as packets-per-second. If you set the rate to 500
zero, the system drops all packets (for the enabled traffic
types).
unknown-multicast Enable or disable storm control for unknown multicast traffic. disable
{enable | disable}
unknown-unicast Enable or disable storm control for unknown unicast traffic. disable
{enable | disable}
Example
edit "port4"
set lldp-profile "Forti670i"
set speed auto
next
end
Use this command to configure the Precision Time Protocol (PTP) policy.
Syntax
config switch ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end
{default | <policy_name>} Enter the name of the PTP policy or ue the default PTP No default
policy.
status {enable | disable} Enable or disable the PTP policy. The PTP policy will not disable
take effect until the mode is set under the config
switch ptp settings command.
Example
config switch ptp policy
edit "newptp"
set status enable
next
end
Use this command to configure the Precision Time Protocol (PTP) global settings.
Syntax
config switch ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end
transparent clock.
l transparent-p2p—Enable the peer-to-peer
transparent clock.
Example
config switch ptp settings
set mode transparent-e2e
end
Use this command to configure a dot1p map. A dot1p map defines a mapping between IEEE 802.1p CoS values (from
incoming packets on a trusted interface) and the egress queue values. For an example, see Appendix: FortiSwitch QoS
template on page 400.
NOTE: You can configure only one dot1p map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
Syntax
config switch qos dot1p-map
edit <dot1p map name>
set description <text>
set [priority-0|priority-1|priority-2|...priority-7] <queue number>
set egress-pri-tagging {disable | enable}
next
end
egress-pri-tagging {disable | enable} Enable or disable priority tagging on outgoing frames. disable
NOTE: This command is not available on the FS-108E,
FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE,
FS-124E-FPOE, FS-148E, and FS-148E-POE models.
Example
config switch qos dot1p-map
edit "test1"
set priority-0 queue-2
set priority-1 queue-0
set priority-2 queue-1
set priority-3 queue-3
Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to
queue 0.
If an incoming packet contains no CoS value, the switch assigns a CoS value of zero. Use the set default-cos
<interface> command to configure a different default CoS value. The valid range is from 0 to 7. The configured
default CoS only applies if you also set trust-dot1p-map on the interface.
Use this command to configure a DSCP map. A DSCP map defines a mapping between IP Precedence or Differentiated
Services Code Point (DSCP) values and the egress queue values. For an example, see Appendix: FortiSwitch QoS
template on page 400.
NOTE: You can configure only one DSCP map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
Syntax
config switch qos ip-dscp-map
edit <ip-dscp map name>
set description <text>
config map
edit <entry-name>
set diffserv [ [
AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 |
AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]
set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash
Override | Flash, Immediate | Priority | Routine ]
set value <dscp raw value>
set cos-queue <queue number>
next
end
next
end
value <dscp raw value> enter the raw value of DSCP (0-63). No default
Example
Values that are not explicitly included in the map will follow the default mapping, which assigns queue 0 for all
DSCP values.
Use this command to configure QoS policies. For an example, see Appendix: FortiSwitch QoS template on page 400.
In a QoS policy, you set the scheduling mode (Strict, Round Robin, Weighted Round Robin) for the policy, and configure
one or more CoS queues.
Syntax
config switch qos qos-policy
edit <policy_name>
set rate-by {kbps | percent}
set schedule {strict | round-robin | weighted}
config cos-queue
rate-by {kbps | percent} Set whether the CoS queue rate is measured in kbps or by kbps
percentage.
drop-policy {taildrop | weighted- Set the CoS queue drop policy. taildrop
random-early-detection} l taildrop—When the queue is full, new packets are
dropped.
l weighted-random-early-detection—When the queue
POE models, set the CoS queue drop policy under the config
switch global command.
set ecn {enable | disable} If you select random early detection in the CLI, you can enable disable
explicit congestion notification (ECN) marking to indicate that
congestion is occuring without just dropping packets. If you
disable this option, the normal queue drop policy applies.
max-rate <rate kbps> If you set the rate-by to kbps, enter the maximum rate in kbps. 0
Set the value to 0 to disable.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-
124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-
POE models, the switch rounds the max-rate value to the
nearest multiple of 16 internally. If the rounding result is 0,
max-rate is disabled internally.
min-rate <rate kbps> If you set the rate-by to kbps, enter the minimum rate in kbps. 0
Set the value to 0 to disable.
NOTE: This command is not available on the FS-108E, FS-
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.
max-rate-percent <percentage> If you set the rate-by to percent, enter the maximum rate as a 0
percentage of the link speed.
min-rate-percent <percentage> If you set the rate-by to percent, enter the minimum rate as a 0
percentage of the link speed.
NOTE: This command is not available on the FS-108E, FS-
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.
Example
set min-rate 10
set weight 5
set wred-slope 15
end
end
Syntax
config switch quarantine
edit <MAC_address_to_quarantine>
set cos-queue <0-7>
set description <string>
set drop {enable | disable}
set policer <integer>
end
cos-queue <0-7> Set the class-of-service queue for the quarantined device No default
traffic. Use the unset cos-queue command to disable this
setting.
description <string> Enter an optional description of the quarantined MAC address. No default
drop {enable | disable} Enable or disable whether quarantined device traffic is disable
dropped.
policer <integer> Set the ACL policer for the quarantined device traffic. 0
Use this command to specify the criteria that router advertisement (RA) messages must match before the RA messages
are forwarded. If the RA messages match the criteria in the RA-guard policy, they are forwarded. If the RA messages do
not match the criteria in the RA-guard policy, they are dropped.
IPv6 RA guard is supported on 2xx models and higher.
Syntax
config switch raguard-policy
edit <RA-guard policy name>
set device-role {host | router}
set managed-flag {Off | On}
set other-flag {Off | On}
set max-hop-limit <0-255>
set min-hop-limit <0-255>
<RA-guard policy name> Enter the name of the RA-guard policy. No default
device-role {host | router} Set whether this policy applies to hosts or routers. If this option host
is set to host, all RA messages are dropped. If this option is
set to router, the policy checks the other specified criteria.
managed-flag {Off | On} Set to On for the policy to accept RA messages that are No default
flagged with the M (managed address configuration) flag; if the
RA messages are not flagged, they are dropped.
Set to Off for the policy to accept RA messages that arenot
flagged with the M flag; if the RA messages are flagged, they
are dropped.
If this option is not set, the policy skips this check.
other-flag {Off | On} Set to On for the policy to accept RA messages that are No default
flagged with the O (other configuration) flag; if the RA
messages are not flagged, they are dropped.
Set to Off for the policy to accept RA messages that arenot
flagged with the O flag; if the RA messages are flagged, they
are dropped.
If this option is not set, the policy skips this check.
max-hop-limit <0-255> Enter the maximum hop number for the policy to accept RA 0
messages with a hop number equal or less than this value.
If this option is not set, the policy skips this check.
min-hop-limit <0-255> Enter the minimum hop number for the policy to accept RA 0
messages with a hop number equal or more than this value.
If this option is not set, the policy skips this check.
max-router-preference {high | Set the default router preference for the policy to accept RA No default
medium | low} messages with the router preference equal or less than this
setting. When the router preference of RA messages is not set
as high, medium, or low, RA guard acts as if the router
preference was set to medium.
If this option is not set, the policy skips this check.
match-src-addr <name_of_IPv6_ Enter the name of the IPv6 access list for the policy to check if No default
access_list> the source IPv6 address of the RA message matches an
allowed address. The IPv6 access list must be created (with
the config router access-list6 command) before it
is used in a policy.
match-prefix <name_of_IPv6_ Enter the name of the IPv6 prefix list for the policy to check if No default
prefix_list> the IPv6 address prefix of the RA message matches an allowed
prefix. The IPv6 prefix list must be created (with the config
router prefix-list6 command) before it is used in a
policy.
Example
Use this command to configure security checks for incoming TCP/UDP packets. The packet is dropped if the system
detects the specified condition.
tcp-syn-data TCP SYN packet contains additional data (possible DoS attack). disable
tcp-udp-port-zero TCP or UDP packet has source or destination port set to zero. disable
tcp_flag_FUP TCP packet with FIN, URG and PSH flag set. disable
tcp_flag_SF TCP packet with SYN and FIN flag set. disable
tcp_flag_SR TCP packet with SYN and RST flag set. disable
tcp_arp_mac_mismatch ARP packet with MAC source address mismatch between the Layer 2 disable
header and the ARP packet payload.
sip-eq-dip TCP packet with a source IP address equal to the destination IP disable
address.
tcp-port-eq TCP packet with source and destination TCP ports equal. disable
tcp-flag-FUP TCP packet with FIN, URG and PSH flags set, and sequence number disable
is zero.
tcp-flag-SF TCP packet with SYN and FIN flag set. disable
udp-port-eq IP packet with source and destination UDP ports equal. disable
macsa-eq-macda Packet with source MAC address equal to destination MAC address. disable
allow-sa-mac-all-zero Ethernet packet whose source MAC address is all zeros. enable
Example
Use this command to configure one (or more) static MAC address on an interface.
Syntax
config switch static-mac
edit <sequence number>
set description <optional_string>
set interface <interface_name>
set mac <static_MAC_address>
set type {sticky | static}
set vlan-id <1-4095>
end
description <optional_string> Optional. Enter a description of the static MAC address. No default
type {sticky | static} Set the MAC address as a persistent (sticky) addres or a static
static address.
Example
config switch static-mac
edit 1
set description "first static MAC address"
set interface port10
set mac d6:dd:25:be:2c:43
set type static
set vlan-id 10
end
Syntax
config switch storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-multicast {enable | disable}
set unknown-unicast {enable | disable}
end
broadcast {enable | disable} Enable or disable storm control for broadcast traffic. disable
burst-size-level <0-4> Set the burst-size level for storm control. Use a higher 0
number to handle bursty traffic. The maximum number of
packets or bytes allowed for each burst-size level
depends on the switch model.
rate [0 | 2-10000000] Specify the rate as packets-per-second. If you set the 500
rate to zero, the system drops all packets (for the enabled
traffic types).
unknown-multicast {enable | disable} Enable or disable storm control for unknown multicast disable
traffic.
unknown-unicast {enable | disable} Enable or disable storm control for unknown unicast disable
traffic.
Example
config switch storm-control
set broadcast enable
set burst-size-level 2
set rate 1000
set unknown-multicast enable
set unknown-unicast enable
end
Syntax
config switch stp instance
edit <instance_id>
set priority <priority_int>
set vlan-range <vlan_map>
config stp-port
<instance_id> Enter an instance identifier. The range is 0-32 for 5xx models No default
and higher. For all other models, the range is 0 - 15.
priority <priority_int> Set the STP priority. The acceptable priority values are 0, 32768
12288, 16384, 20480, 24576, 28672, 32768, 36864, 4096,
40960, 45056, 49152, 53248, 57344, 61440, and 8192.
vlan-range <vlan_map> Enter the VLANs to which STP applies. <vlan_map> is a No default
comma-separated list of VLAN IDs or VLAN ID ranges, for
example “1,3-4,6,7,9-100” .
config stp-port
<port name> Enter the name of the port. No default
cost <cost_int> Enter the cost of using this interface. Use set cost ? for 0
suggested cost values based on link speed.
priority <priority_int> Enter the priority of this interface. Use set priority ? to 128
list the acceptable priority values.
Example
config switch stp instance
edit "1"
set priority 8192
config stp-port
edit "port18"
set cost 0
set priority 128
next
edit "port19"
set cost 0
set priority 128
next
end
set vlan-range 5 7 11-20
end
Syntax
config switch stp settings
set flood {enable | disable}
flood {enable | disable} Set to enable if you want the STP packets arriving at any port disable
to pass through the switch without being processed. Set to
disable if you want to block STP packets arriving at any port.
This command is available only when status is set to
disable.
forward-time <fseconds_int> Enter the forwarding delay in seconds. Range 4 to 30. 15
mclag-stp-bpdu {both | single} Set to both to allow both core switches of an MCLAG to both
transmit STP BPDUs. Set to single to prevent both core
switches of an MCLAG from transmitting STP BPDUs.
Example
config switch stp settings
set forward-time 15
set hello-time 5
set max-age 20
set max-hops 20
set name "region1"
set revision 1
set status enable
end
Syntax
config switch trunk
aggregator-mode {bandwidth | Select how an aggregator groups ports when the trunk is in bandwidth
count} LACP mode. Select bandwidth to group ports into the
aggregator with the largest bandwidth. Select count to group
ports into the aggregator with the most ports.
min_bundle Set the minimum size of the bundle. This option is available 1
only when bundle has been enabled.
max_bundle Set the maximum size of the bundle. This option is available 24
only when bundle has been enabled.
lacp-speed {slow | fast} Select fast to send an LACP message every second. Select slow
slow to send an LACP message every 30 seconds.
mclag {disable | enable} Enable or disable multichassis LAG (MCLAG). disable
mclag-icl {disable | enable} Enable or disable the MCLAG inter-chassis link (ICL). disable
member-withdrawal-behavior Select how the port behaves after it withdraws because of loss- block
{block | forward} of-control packets.
members <intf1 ... intfn> Enter the names of the interfaces that belong to this trunk. No default
Separate the names with spaces.
addresses
l src-dst-mac — both source and destination
MAC addresses
Heartbeat Trunk
When you set the trunk mode to fortinet-trunk, the following configuration fields are available:
config switch trunk
edit hb-trunk
set mode fortinet-trunk
set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-
mac}
set description <description_str>
set members <port> [<port>] ... [<port>]
set member-withdrawal-behavior {block | forward}
set max-miss-heartbeats <3-32>
set hb-out-vlan <int>
set hb-in-vlan <int>
set hb-src-ip <x.x.x.x>
set hb-dst-ip <x.x.x.x>
set hb-src-udp-port <int>
set hb-dst-udp-port <int>
set hb-verify {enable | disable}
end
addresses
members <port> [<port>] ... Enter the names of the ports that belong to this trunk. No default
[<port>] Separate the names with spaces.
member-withdrawal-behavior Set the port behavior after it withdraws because of the loss of block
{block | forward} control packets.
max-miss-heartbeats <3-32> Enter the maximum number of heartbeat messages that can 10
be lost before the FortiGate is deemed to be unavailable. Set a
value between 3 and 32.
hb-src-ip Enter the source IP address for the heartbeat packet. 0.0.0.0
hb-dst-ip Enter the destination IP address for the heartbeat packet. 0.0.0.0
hb-src-udp-port Enter the source UDP port value for the heartbeat packet. 0
hb-dst-udp-port Enter the destination UDP port value for the heartbeat packet. 0
Example
Use this command to forward traffic between two ports with minimal filtering or packet modifications. The VLAN setting
is optional.
NOTE: Virtual-wire ports will not be able to transmit or receive packets from other members of the VLAN or other virtual-
wires that use the same VLAN. The VLAN should not have complex configurations such as private VLAN.
Syntax
config switch virtual-wire
edit <id>
set first-member <port>
set second-member <port>
set vlan <1-4095>
next
end
vlan <1-4095> VLAN used. The VLAN can be shared between virtual-wires 4011
and non-virtual-wire ports
Example
Syntax
config switch vlan
edit <vlan id>
set access-vlan {enable | disable}
set cos-queue <0-7>
set description <description_str>
set dhcp-snooping {enable | disable}
set dhcp-snooping-verify-mac {enable | disable}
set dhcp-snooping-option82 {enable | disable}
set arp-inspection {enable | disable}
set dhcp6-snooping {enable | disable}
set igmp-snooping {enable | disable}
set igmp-snooping-querier {enable | disable}
set igmp-snooping-querier-addr <IPv4_address>
set igmp-snooping-querier-version {2|3}
set igmp-snooping-fast-leave {enable | disable}
set igmp-snooping-proxy {enable | disable}
access-vlan {enable | disable} Set to enable to block FortiSwitch port-to-port traffic on this disable
VLAN while allowing traffic to and from the FortiGate unit. Set
to disable to allow normal VLAN traffic.
cos-queue <0-7> Specify which class of service (CoS) queue is used for traffic on No default
this VLAN or use the unset cos-queue command to
disable this setting.
This command is available only in in FortiLink mode.
dhcp-snooping {enable | disable} Enable or disable IPv4 DHCP snooping for this VLAN. disable
dhcp-snooping-option82 Enable or disable whether to insert option-82 fields. This field disable
{enable | disable} is available only if dhcp-snooping is enabled.
dhcp6-snooping {enable | Enable or disable IPv6 DHCP snooping for this VLAN. disable
disable}
igmp-snooping-fast-leave Enable or disable IGMP-snooping fast leave on this VLAN. This enable
{enable | disable} field is only available if igmp-snooping is enabled.
igmp-snooping proxy {enable | Enable or disable the IGMP-snooping proxy on this VLAN. disable
disable} When the IGMP-snooping proxy is enabled, this VLAN sends
IGMP reports. This field is only available if igmp-snooping
is enabled.
learning {enable | disable} Enable or disable layer-2 learning on this VLAN. enable
learning-limit <integer> Limit the number of dynamic MAC addresses on this VLAN. 0
The per-VLAN MAC address learning limit is between 1 and
128. Set the value to 0 for no limit.
mld-snooping {enable | disable} Enable or disable Multicast Listener Discovery (MLD) snooping disable
for the this VLAN.
mld-snooping-fast-leave {enable Enable or disable MLD-snooping fast leave on this VLAN. This enable
| disable} field is only available if mld-snooping is enabled.
mld-snooping-querier {enable Enable or disable whether periodic MLD-snooping queries are disable
| disable} sent to get MLD reports. This field is only available if mld-
snooping is enabled.
mld-snooping-querier-addr Optional. Enter the IPv6 address for the MLD-snooping ::
<IPv6_address> querier. This field if only available if mld-snooping is
enabled.
mld-snooping-proxy {enable Enable or disable the MLD-snooping proxy on this VLAN. When disable
| disable} the MLD-snooping proxy is enabled, this VLAN sends MLD
reports. This field is only available if mld-snooping is
enabled.
policer <integer> Set the policer for the traffic on this VLAN. 0
This command is available only in in FortiLink mode.
isolated-vlan <integer> (Valid if private VLAN is enabled) Enter the isolated VLAN. 0
community-vlans <vlan_map> (Valid if private VLAN is enabled) Enter the communities within No default
this private VLAN. Enter single VLANs or ranges of VLANS
separated by commas without white space. For example: 1,3-
4,6,7,9-100
rspan-mode {enable | disable} Enable or disable port mirroring using the remote switch port disable
analyzer (RSPAN) on this VLAN.
config igmp-snooping-static-group
mcast-addr <IPv4_address> Enter the IPv4 multicast address for the IGMP static group. 0.0.0.0
members <interface_name1> Enter the interfaces that belong to the IGMP static group. No default
<interface_name2>...
config mld-snooping-static-group
mcast-addr <IPv6_address> Enter the IPv6 multicast address for the MLD static group. No default
members <interface_name1> Enter the interfaces that belong to the MLD static group. No default
<interface_name2>...
config member-by
Use this command to assign VLANs based on specific fields in the packet (source MAC address, source IP address, or
layer-2 protocol).
config switch vlan
edit <vlan id>
config member-by-mac
edit <id>
set mac XX:XX:XX:XX:XX:XX
set description <128 byte string>
next
end
config member-by-ipv4
edit <id>
set address a.b.c.d/e
set description <128-byte string>
next
end
config member-by-ipv6
edit <id>
set prefix xx:xx:xx:xx::/prefix
set description <128-byte string>
next
end
config member-by-proto
edit <id>
set frametypes {ethernet2 | 802.3d | llc}
set protocol <6-digit hex value>
end
config member-by-mac
edit <id> For a new entry, enter an unused ID. No default
config member-by-ipv4
edit <id> For a new entry, enter an unused ID. No default
address a.b.c.d/e Enter an IPv4 address and network mask. If the source 0.0.0.0 0.0.0.0
IP address of an incoming packet matches this value, the
associated VLAN will be assigned to the packet. The subnet
mask must be a value in the range of 1-32.
config member-by-ipv6
edit <id> For a new entry, enter an unused ID. No default
prefix xx:xx:xx:xx::/prefix Enter an IPv6 prefix. If the source IP address of an incoming ::/0
packet matches this value, the associated VLAN will be
assigned to the packet. The /prefix must in the range of 1-
64.
config member-by-proto
edit <id> For a new entry, enter an unused ID. No default
frametypes {ethernet2 | 802.3d | Enter one or more Ethernet frame type. Set this value to ethernet2 802.3d
llc} llc for logical link control. Set this value to 802.3d for llc
802.3d and SNAP.
protocol <6-digit hex value> Enter an Ethernet protocol value If the frametype and 0x0000
Ethernet protocol value of an incoming packet matches
these values, the associated VLAN will be assigned to the
packet. The value range is 0-65535.
Example
edit 1
set description "pc2"
set mac 00:21:cc:d2:76:72
next
end
end
end
config dhcp-server-access-list
Use this command to create a list of DHCP servers that DHCP snooping will include in the allowed server list. This list is
used only if the set dhcp-server-access-list command has been enabled; see config system global on page
169.
config switch vlan
edit <vlan id>
set dhcp-snooping enable
set dhcp6-snooping enable
config dhcp-server-access-list
edit <string>
set server-ip <xxx.xxx.xxx.xxx>
set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
next
end
next
end
server-ip <xxx.xxx.xxx.xxx> If you enabled IPv4 DHCP snooping, enter Class A, B, 0.0.0.0
or C IPv4 address for the DHCP server.
server-ip6 If you enabled IPv6 DHCP snooping, enter the IPv6 No default
<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> address for the DHCP server.
Example
The following example configures IPv4 DHCP snooping to include the specified DHCP server in the allowed server list:
config switch vlan
edit 100
set dhcp-snooping enable
config dhcp-server-access-list
edit "DHCPserver1"
set server-ip 128.8.0.0
next
end
next
end
The following example configures IPv6 DHCP snooping to include the specified DHCP server in the allowed server list:
config switch vlan
edit 100
set dhcp6-snooping enable
config dhcp-server-access-list
edit "DHCPserver1"
set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
next
end
next
end
Use this command to configure the VLAN TPID profile for VLAN stacking (QinQ). Each VLAN TPID profile contains one
value for the EtherType field.
The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN
TPID profile (0x8100) cannot be deleted or changed.
To configure VLAN stacking and to select which VLAN TPID profile to use, see config switch interface on page 94.
Syntax
config switch vlan-tpid
edit <VLAN_TPID_profile_name>
set ether-type <0x0001-0xfffe>
next
end
<VLAN_TPID_profile_name> Enter a name for the VLAN TPID profile name. No default
ether-type <0x0001-0xfffe> Enter a hexadecimal value for the EtherType field. 0x8100
Syntax
config switch-controller global
set ac-data-port <1024-49150>
set ac-dhcp-option-code <integer>
set ac-discovery-mc-addr <Class-D IPv4 address>
set ac-discovery-type {broadcast | dhcp | multicast | static}
set ac-port <1024-49150>
set echo-interval <1-600>
set location <string>
set name <string>
set max-discoveries <0-64>
set max-retransmit <0-64>
config ac-list
edit <id>
set ipv4-address <IPv4_address>
next
end
end
ac-data-port <1024-49150> Set the switch-controller control port. Valid values are 1024- 15250
49150.
ac-dhcp-option-code <integer> Set the DHCP option code for CAPUTP AC. 138
ac-discovery-type {broadcast | Select the AC discovery type: broadcast discovery, DHCP broadcast
dhcp | multicast | static} discovery, multicast discovery, or static configuration.
echo-interval <1-600> Set the number of seconds before SWTP sends an echo 30
request after joining AC.
max-discoveries <0-64> Set the maximum number of discovery request messages for 3
every round.
max-retransmit <0-64> Set the maximum number of retransmissions for the tunnel 6
packet.
ipv4-address <IPv4_address> Enter a Class A, B, or C IPv4 address in the following format: No default.
xxx.xxx.xxx.xxx
Example
The following example configures static discovery to find the IP address of the FortiGate unit (switch controller) that
manages the FortiSwitch unit:
config switch-controller global
set ac-discovery-type static
config ac-list
edit 1
set ipv4-address <IPv4_address>
next
end
end
config system
Use the config system commands to configure options related to the overall operation of the FortiSwitch unit:
l config system accprofile on page 149
l config system admin on page 150
l config system arp-table on page 152
l config system bug-report on page 153
l config system certificate ca on page 154
l config system certificate crl on page 155
l config system certificate local on page 155
l config system certificate ocsp on page 157
l config system certificate remote on page 157
l config system console on page 158
l config system dhcp server on page 158
l config system dns on page 164
l config system flow-export on page 165
l config system fsw-cloud on page 168
Use this command to add access profile groups that control administrator access to FortiSwitch features. Each
FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow
read only, or allow both read and write access to FortiSwitch features.
Syntax
config system accprofile
edit <profile-name>
set admingrp {none | read | read-write}
set loggrp {none | read | read-write}
set netgrp {none | read | read-write}
set routegrp {none | read | read-write}
set sysgrp {none | read | read-write}
end
admingrp {none | read | read- Set the access permission for admingrp. none
write}
loggrp {none | read | read-write} Set the access permission for loggrp. none
netgrp {none | read | read-write} Set the access permission for netgrp. none
routegrp {none | read | read-write} Set the access permission for routegrp. none
sysgrp {none | read | read-write} Set the access permission for sysgrp. none
Example
This example shows how to configure an access profile with just read-only permission:
config system accprofile
edit profile1
set admingrp read
set loggrp read
set netgrp read
set routegrp read
set sysgrp read
end
Use the default admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account except the default admin must
include an access profile. You cannot delete the default super admin account or change the access profile (super_
admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly.
The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only
super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making
changes.
You can authenticate administrators using a password stored on the FortiSwitch unit or you can use a RADIUS server to
perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can
allow any account on the RADIUS server to access the FortiSwitch unit as an administrator.
Syntax
config system admin
edit <admin_name>
set accprofile <profile-name>
set accprofile-override {enable | disable}
set allow-remove-admin-session {enable | disable}
set comments <comments_string>
set gui-detail-panel-location {bottom | ide | side}
set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 |
ip6-trusthost4 | ip6-tru sthost5 | ip6-trusthost6 |
ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 |
ip6-trusthost10} <address_ipv6mask>
set password <admin_password>
set peer-auth {disable | enable}
set peer-group <peer-grp>
set remote-auth {enable | disable}
set remote-group <name>
set wildcard {enable | disable}
set schedule <schedule-name>
set ssh-public-key1 "<key-type> <key-value>"
set ssh-public-key2 "<key-type> <key-value>"
set ssh-public-key3 "<key-type> <key-value>"
set {trusthost1 | trusthost2 | trusthost3 | trusthost4 |
trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9
| trusthost10} <address_ipv4mask>
end
end
accprofile <profile-name> Enter the name of the access profile to assign to this No default
administrator account. Access profiles control
administrator access to FortiSwitch features.
accprofile-override {enable | disable} Enable or disable whether the remote authentication disable
server can override the accesss profile.
comments Enter the last name, first name, email address, phone No default
<comments_string> number, mobile phone number, and pager number for
this administrator. Separate each attribute with a
comma, and enclose the string in double-quotes. The
total length of the string can be up to 128 characters.
(Optional)
{ip6-trusthost1 | ip6-trusthost2 | Any IPv6 address and netmask from which the ::/0
ip6-trusthost3 | ip6-trusthost4 | administrator can connect to the FortiSwitch unit.
ip6-trusthost5 | ip6-trusthost6 | If you want the administrator to be able to access the
ip6-trusthost7 | ip6-trusthost8 | system from any address, set the trusted hosts to ::/0.
ip6-trusthost9 | ip6-trusthost10}
<address_ipv6mask>
peer-auth {disable | enable} Set to enable peer certificate authentication (for HTTPS disable
admin access).
peer-group <peer-grp> Name of peer group defined under config user No default
peergrp or user group defined under config user
group. Used for peer certificate authentication (for
HTTPS admin access). This option is available only when
peer-auth has been enabled.
remote-auth Enable or disable authentication of this administrator disable
{enable | disable} using a remote RADIUS, LDAP, or TACACS+ server.
remote-group <name> Enter the administrator user group name, if you are using No default
RADIUS, LDAP, or TACACS+ authentication.
This is available only when remote-auth is enabled.
wildcard {enable | disable} Enable or disable wildcard RADIUS authentication. This disable
option is available only when remote-auth is enabled.
schedule <schedule-name> Restrict times that an administrator can log in. Defined in No default
config firewall schedule. No default indicates
that the administrator can log in at any time.
ssh-public-key1 "<key-type> You can specify the public keys of up to three SSH No default
<key-value>" clients. These clients are authenticated without being
asked for the administrator password. You must create
ssh-public-key2 "<key-type> the public-private key pair in the SSH client application. No default
<key-value>"
<key type> is ssh-dss for a DSA key or ssh-rsa
ssh-public-key3 "<key-type> for an RSA key. No default
<key-value>" <key-value> is the public key string of the SSH client.
{trusthost1 | trusthost2 | Any IPv4 address or subnet address and netmask from 0.0.0.0
trusthost3 | trusthost4 | which the administrator can connect to the system. 0.0.0.0
trusthost5 | trusthost6 | If you want the administrator to be able to access the
trusthost7 | trusthost8 | system from any address, set the trusted hosts to 0.0.0.0
and the netmask to 0.0.0.0.
trusthost9 | trusthost10}
<address_ipv4mask>
Example
Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of a interface
name, an IP address, and a MAC address.
Syntax
config system arp-table
edit <table_value>
set interface {<string> | internal | mgmt}
set ip <address_ipv4>
set mac <mac_address>
end
interface {<string> | internal | Enter the interface to associate with this ARP entry No default
mgmt}
mac <mac_address> Enter the MAC address of the device entered in the table, in 00:00:00:00:00:00
the form of xx:xx:xx:xx:xx:xx.
Example
Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.
Syntax
config system bug-report
set auth {no | yes}
set mailto <email_address>
set password <password>
set server <servername>
set username <name>
set username-smtp <account_name>
end
auth {no | yes} Enter yes if the SMTP server requires authentication or no
no if it does not.
mailto <email_address> The email address for bug reports. fortiswitch@fortinet.com
password <password> If the SMTP server requires authentication, enter the No default
required password.
server <servername> The SMTP server to use for sending bug report email. fortinet.com
username <name> A valid user name on the specified SMTP server. bug_report
username-smtp <account_ A valid user name for authentication on the specified bug_report
name> SMTP server.
Example
Syntax
config system certificate ca
edit <name>
set ca <certificate>
set scep-url <string>
next
end
Example
# config system certificate ca
# get
== [ Fortinet_CA ]
== [ OracleSSLCA ]
== [ ca ]
FortiCore-VM # config system certificate ca
FortiCore-VM (ca) # edit ca-new
FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
> -----END CERTIFICATE-----"
Syntax
config system certificate crl
edit <name>
set crl <crl>
set http-url <string>
set ldap-server <LDAP>
set scep-cert <certificate>
set scep-url <string>
end
crl PEM format CRL. Paste the contents of a CRL file between No default
quotation marks.
scep-cert Local certificate used for CRL update using SCEP Fortinet_
Factory
Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot
modify this entry.
Syntax
config system certificate local
edit <name>
set comments <string>
set password <passwd>
set private-key <key>
set scep-url <string>
next
end
password Password that was used to encrypt the file. The FortiCore *
system uses the password to decrypt and install the certificate.
private-key Paste the contents of a key file between quotation marks as No default
shown in the example.
Example
# config system certificate local
# get
== [ Factory ]
== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
t7e4fiX6Sd6T5426Gg/HQXRH41mBwGmjKdBSHUbVUZTka2FtD1oLMWE2mTq1c9GMUz0DokPfoqxkjkmja5mWv4/w
A5XdQ00lQmTeMZK/X5OSFmSS
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5/vf1VQB/28CAggA
MBQGCCqGSIb3DQMHBAgZorM0zlnPNASCAViZk4wTZYYMPl0e7NwyxqvLND3LxUaV
UG1XpUSPfnUP4YgrV2d0Uijclj5M7MS341cMVKZ7G1pS/6jvxUr0NamQv4j7JsJ0
t3G7LMkzcTiep26GUCy55Qt+iob7lh0iiKa+4uPOq/Mzy+84AWnRNLfIhevHPsYb
rk4UbwNOFb0ZD9i06+UrFLsRGmtp/vlDyBgAoBojKxB/4j0G299QamnzPz4qneBc
HtPqTMPELyqtT6w4cmnwp6Ti2OOAr9c44mKdyyAVZKie+Iu/4pSVBNSfuC+jjtmC
k8OrCrG14NwrhbTY9zEnGxBRR1NMTEBBTqAQNYWtjUEQVjmY1GAJA3/oBQe7l8C/
G/IUVvc/aaqMvsKSNfDpgZaudTDe1Wxi1792ADGh7zslls+ykH9nmqh7BPfm30Nv
f8O1hXgq01Lvo4v1xdC0w5oAeCyGlbTY5ZnXJFm0HCp0kA==
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw
DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs
ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK
XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT
iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI
hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM
G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF
Syntax
config system certificate ocsp
set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA |
Fortinet_CA | Fortinet_CA2}
set unavail-action {ignore | revoke}
set url <string>
end
cert {<string> | Entrust_802.1x_ Enter the name of the certificate or select one of the listed No default
CA | Entrust_802.1x_G2_CA | certificates.
Entrust_802.1x_L1K_CA |
Fortinet_CA | Fortinet_CA2}
unavail-action {ignore | revoke} Set if the FortiSwitch should ignore the OCSP check or revoke revoke
the certificate if the server is unavailable.
url <string> Enter the URL for the OCSP server. No default
Example
Use this command to install remote certificates. The remote certificates are public certificates without a private key.
config system certificate remote
edit <name>
set remote "<cert>"
end
Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.
Syntax
config system console
set baudrate <speed>
set mode {batch | line}
set output {standard | more}
end
baudrate <speed> Set the console port baudrate. Select one of 9600, 19200, 115200
38400, 57600, or 115200.
mode {batch | line} Set the console mode to line or batch. Used for autotesting line
only.
output {standard | more} Set console output to standard (no pause) or more (pause after more
each screen is full and resume when a key is pressed).
This setting applies to show or get commands only.
Example
Syntax
config system dhcp server
edit <id>
set auto-configuration {enable | disable}
set conflicted-ip-timeout <integer>
set default-gateway <xxx.xxx.xxx.xxx>
set dns-server1 <xxx.xxx.xxx.xxx>
set dns-server2 <xxx.xxx.xxx.xxx>
set dns-server3 <xxx.xxx.xxx.xxx>
set dns-service {default | local | specify
set domain <string>
set filename <string>
set interface <string>
set lease-time <integer>
dns-server1 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the DNS server 1. 0.0.0.0
This option is only available when dns-
service is set to specify.
dns-server2 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the DNS server 2. 0.0.0.0
This option is only available when dns-
service is set to specify.
dns-server3 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the DNS server 3. 0.0.0.0
This option is only available when dns-
service is set to specify.
dns-service {default | local | Select how DNS servers are assigned to specify
specify} DHCP clients. Select local to use the
IP address of the DHCP server interface for
the clientʼs DNS server IP address. Select
default for clients to be assigned the
FortiSwitch unitʼs configured DNS servers.
Select specify to enter the IPv4 address for
up to three DNS servers.
domain <string> Enter the domain name suffix for the IP No default
addresses that the DHCP server assigns to
the clients.
filename <string> Enter the name of the boot file on the TFTP No default
server.
interface <string> Enter the name of the interface. The DHCP No default
server can assign IP configurations to clients
connected to this interface.
lease-time <integer> The lease time determines the length of time 604800
an IP address remains assigned to a client.
After the lease expires, the address is
released for allocation to the next client that
requests an IP address.
netmask <xxx.xxx.xxx.xxx> Enter the netmask of the addresses that the 0.0.0.0
DHCP server assigns.
ntp-server1 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the NTP server 1. 0.0.0.0
This option is only available when ntp-
service is set to specify.
ntp-server2 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the NTP server 2. 0.0.0.0
This option is only available when ntp-
service is set to specify.
ntp-server3 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the NTP server 3. 0.0.0.0
This option is only available when ntp-
service is set to specify.
ntp-service {default | local | Select how Network Time Protocol (NTP) specify
specify} servers are assigned to DHCP clients. Select
local to use the IP address of the DHCP
server interface for the clientʼs NTP server
IP address. Select default for clients to be
assigned the FortiSwitch unitʼs configured
NTP servers. Select specify to enter the
IPv4 address for up to three NTP servers.
timezone-option {default | Select how the DHCP server sets the clientʼs disable
disable | specify} time zone. Select disable for the DHCP
server to not set the clientʼs time zone. Select
default for clients to be assigned the
FortiSwitch unitʼs configured time zone.
Select specify to enter the time zone to be
assigned to DHCP clients.
vci-match {enable | disable} Enable or disable vendor class identifier (VCI) disable
matching. When enabled, only DHCP
requests with a matching VCI are served.
vci-string <VCI_strings> Enter one or more VCI strings. This option is No default
only available if vci-match is set to
enable.
wifi-ac1 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the WiFi Access 0.0.0.0
Controller 1 (DHCP option 138, RFC 5417).
wifi-ac2 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the WiFi Access 0.0.0.0
Controller 2 (DHCP option 138, RFC 5417).
wifi-ac3 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the WiFi Access 0.0.0.0
Controller 3 (DHCP option 138, RFC 5417).
wins-server1 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the WINS server 1. 0.0.0.0
wins-server2 <xxx.xxx.xxx.xxx> Enter the IPv4 address for the WINS server 2. 0.0.0.0
config exclude-range
end-ip <xxx.xxx.xxx.xxx> Enter the end of the IP address range that will 0.0.0.0
not be assigned to clients.
start-ip <xxx.xxx.xxx.xxx> Enter the start of the IP address range that will 0.0.0.0
not be assigned to clients.
config ip-range
end-ip <xxx.xxx.xxx.xxx> Enter the end of the DHCP IP address range. 0.0.0.0
start-ip <xxx.xxx.xxx.xxx> Enter the start of the DHCP IP address range. 0.0.0.0
config options
type {fqdn | hex | ip | string} Select the format of the DHCP option: fully hex
qualified domain name, hexadecimal,
IP address, or string.
value <string> Enter the DHCP option value. This option is No default
available when type is set to fqdn, hex, or
string.
config reserved-address
action {assign | block | Select how the DHCP server configures the reserved
reserved} client with the reserved MAC address. Select
assign for the DHCP server to configure the
client with this MAC address like any other
client. Select block to prevent the DHCP
server from assigning IP settings to the client
with this MAC address. Select reserved for
the DHCP server to assign the reserved IP
address to the client with this MAC address.
circuit-id {<string> | <hex>} Enter the DHCP option-82 Circuit ID of the No default
client that will get the reserved IP address.
The circuit-id format is controlled by the
circuit-id-type setting. This option is
only available when type is set to
option82.
circuit-id-type {hex | string} Select whether the format of circuit-id is string
hexadecimal or string. This option is only
available when type is set to option82.
mac <xx:xx:xx:xx:xx:xx>. Enter the MAC address of the client that will 00:00:00:00:00:00
get the reserved IP address. This option is
only available when type is set to mac.
remote-id {<string> | <hex>} Enter the DHCP option-82 Remote ID of the No default
client that will get the reserved IP address.
This option is only available when type is set
to option82.
type {mac | option82} Select whether to match the IP address with mac
the MAC address or DHCP option 82.
Example
Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and
URL blocking, use DNS.
Syntax
config system dns
set cache-notfound-responses {enable | disable}
cache-notfound-responses Enable to cache NOTFOUND responses from the DNS server. disable
{enable | disable}
dns-cache-limit <integer> Set maximum number of entries in the DNS cache. 5000
dns-cache-ttl <int> Enter the duration, in seconds, that the DNS cache retains 1800
information.
source-ip <ipv4_addr> Enter the IP address for communications to DNS server. 0.0.0.0
Example
You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow
Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
NOTE:
l Flow export is supported on FortiSwitch models 2xx and higher.
l To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end
Syntax
config system flow-export
set collector-ip <IPv4_address>
set collector-port <port_number>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set identity <hexadecimal>
set level {ip | mac | port | proto | vlan}
set max-export-pkt-size <integer>
set timeout-general <integer>
set timeout-icmp <integer>
set timeout-max <integer>
set timeout-tcp <integer>
set timeout-tcp-fin <integer>
set timeout-tcp-rst <integer>
set timeout-udp <integer>
set transport {sctp | tcp | udp}
config aggregates
edit <id>
set ip <IPv4_address_mask>
end
end
format {netflow1 | netflow5 | You can set the format of the exported flow data as NetFlow netflow9
netflow9 | ipfix} version 1, NetFlow version 5, NetFlow version 9, or IPFIX
sampling.
identity <hexadecimal> Required. Enter a unique number to identify which FortiSwitch 0x00000000
unit the data originates from. The range of values is
0x00000000-0xFFFFFFFF. If identity is not specified, the
“Burn in MAC” value is used instead (see get system
status).
level {ip | mac | port | proto | vlan} You can set the flow-tracking level to one of the following: - ip
ip—The FortiSwitch unit collects the source IP address and
destination IP address from the sample packet.
l mac—The FortiSwitch unit collects the source MAC
max-export-pkt-size <integer> Set the maximum size in bytes of exported packets in the 512
application level. The range of values is 512-9216.
timeout-general <integer> Set the general timeout in seconds for the flow session. The 3600
range of values is 60-604800.
timeout-icmp <integer> Set the ICMP timeout for the flow session. The range of values 300
is 60-604800.
timeout-max <integer> Set the maximum number of seconds before the flow session 604800
times out. The range of values is 60-604800.
timeout-tcp <integer> Set the TCP timeout for the flow session. The range of values 3600
is 60-604800.
timeout-tcp-fin <integer> Set the TCP FIN flag timeout for the flow session. The range 300
of values is 60-604800.
timeout-tcp-rst <integer> Set the TCP RST flag timeout for the flow session. The range 120
of values is 60-604800.
timeout-udp <integer> Set the UDP timeout for the flow session. The range of values 300
is 60-604800.
transport {sctp | tcp | udp} You can set exported packets to use UDP, TCP, or SCTP for udp
transport.
<IPv4_address_mask> Enter the IPv4 address and mask to match. All matching No default
sessions are aggregated into the same flow.
Example
Use this command to configure the FortiSwitch Cloud. The FortiSwitch Cloud allows you to quickly check the status and
to configure multiple FortiSwitch units through a single management portal.
NOTE: To use the FortiSwitch Cloud, you must have a Cloud Management license, and your FortiSwitch unit must be
in standalone mode, connected to the Internet, and the system time must be accurate. To set the time on your
FortiSwitch unit, see config system ntp on page 192.
Syntax
config system fsw-cloud
set interval <integer>
set name <string>
set port <port_number>
set status {enable | disable}
end
interval <integer> The time in seconds allowed for domain name system 45
(DNS) resolution. The value range is 3-300 seconds.
name <string> The domain name for the FortiSwitch Cloud. fortiswitch-
dispatch.forticloud.com
port <port_number> Port number used to connect to the FortiSwitch Cloud. 443
status {enable | disable} Whether the FortiSwitch Cloud is enabled or disabled. disable
Example
Use this command to configure global settings that affect various FortiSwitch systems and configurations.
Syntax
config system global
set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA
| Fortinet_CA | Fortinet_CA2}
set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_
Firmware}
set admin-concurrent {enable | disable}
set admin-https-pki-required {enable | disable}
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}
set admin-lockout-duration <time_int>
set admin-lockout-threshold <failed_int>
set admin-port <port_number>
set admin-scp {enable | disable}
set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 |
Fortinet_Firmware}
set admin-sport <port_number>
set admin-ssh-grace-time <time_int>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set alertd-relog {enable | disable}
set alert-interval <1-1440 minutes>
set allow-subnet-overlap {enable | disable}
set arp-timeout <seconds>
set asset-tag <string>
set cfg-save {automatic | manual | revert}
set clt-cert-req {enable | disable}
set csr-ca-attribute {enable | disable}
set daily-restart {enable | disable}
set detect_ip_conflict {enable | disable}
set dhcp-client-location {description | hostname | intfname | mode | vlan}
set dhcp-option-format {ascii | legacy}
set dhcp-remote-id {hostname | ip | mac}
set dhcp-server-access-list {enable | disable}
set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
set dhcps-db-exp <number_of_seconds>
set dhcps-db-per-port-learn-limit <number_of_entries>
set dst {enable | disable}
set hostname <unithostname>
set image-rotation {enable | disable}
set ip-conflict-ignore-default {enable | disable}
set ipv6-accept-dad <0 | 1 | 2>
set ipv6-all-forwarding {enable | disable}
set kernel-crashlog {enable | disable}
set kernel-devicelog {enable | disable}
set l3-host-expiry {enable | disable}
set language <language>
set ldapconntimeout <ldaptimeout_msec>
set post-login-banner "<string>"
set pre-login-banner "<string>"
802.1x-ca-certificate {Entrust_ Set the CA certificate for port security (802.1x): Entrust_802.1x_CA
802.1x_CA | Entrust_802.1x_ l Entrust_802.1x_CA—Select this CA if you are
factory-installed certificate.
l Fortinet_CA2—Select this CA if you want to use
802.1x-certificate {Entrust_ Set the certificate for port security (802.1x): Entrust_802.1x
802.1x | Fortinet_Factory | l Entrust_802.1x—This certificate is embedded in
Fortinet_Factory2 | Fortinet_ the firmware and is the same on every unit (not
Firmware} unique). It has been signed by a public CA. This is the
default certificate for 802.1x authentication.
l Fortinet_Factory—This certificate is embedded
admin-https-ssl-versions {tlsv1- Set the allowed SSL/TLS versions for Web administration. tlsv1-1 tlsv1-2 tlsv1-
0 | tlsv1-1 | tlsv1-2 | tlsv1-3} 3
admin-port <port_number> Enter the port to use for HTTP administrative access. 80
admin-sport <port_number> Enter the port to use for HTTPS administrative access. 443
admin-ssh-port <port_number> Enter the port to use for SSH administrative access. 22
alertd-relog {enable | disable} Enable or disable re-logs when a sensor exceeds its disable
threshold.
allow-subnet-overlap {enable | Use this command to allow two interfaces to include the disable
disable} same IP address in the same subnet. The command
applies only between the mgmt interface and an internal
interface.
Note: Different interfaces cannot have overlapping IP
addresses or subnets.
Caution: For advanced users only. Use this only for
existing network configurations that cannot be changed to
eliminate IP address overlapping.
arp-timeout <seconds> Set the number of seconds before dynamic ARP entries are 300
removed from the cache.
asset-tag LLDP uses the asset tag to help identify the unit. The asset No default
tag can be up to 32 characters, and will be added to the
LLDP-MED inventory TLV (when that TLV is enabled).
cfg-save {automatic | Set the method for saving the FortiSwitch system automatic
manual | revert} configuration and enter into runtime-only configuration
mode. Methods for saving the configuration are:
l automatic automatically save the configuration after
every change.
l manual manually save the configuration using the
clt-cert-req {enable | disable} Enable or disable the requirement to have a client disable
certificate to log in to the GUI.
dhcp-client-location Select which parameters to include to describe the client intfname vlan mode
{description | hostname | location. Separate multiple parameters with a space.
intfname | mode | vlan} l description—Include the interface description.
dhcp-option-format {ascii | Select the format for the DHCP string: ascii
legacy} l ascii—This format allows the user to choose the values
dhcp-remote-id {hostname | ip | Select which parameters to include in the remote-id field: mac
mac} l hostname—Include the host name.
dhcp-server-access-list {enable Set to disable for DHCP snooping to allow any DHCP disable
| disable} server from trusted interfaces. Set to enable for DHCP
snooping to allow only DHCP servers that are included in
the allowed server list.
dhcp-snoop-client-req {drop- Select which transmission mode to use for broadcasting forward-untrusted
untrusted | forward-untrusted} client DHCP packets:
l drop-untrusted—Client packets are broadcasted on
dhcps-db-exp <number_of_ Set the number of seconds for a DHCP-snooping server 86400
seconds> database entry to be kept.The range of values is 300-
259200.
dhcps-db-per-port-learn-limit Set the maximum number of DHCP server entries that are 64
<number_of_entries> learned per interface. The range of values is 0-1024.
hostname <unithostname> Enter a name to identify this FortiSwitch unit. A hostname FortiSwitch serial
can only include letters, numbers, hyphens, and underlines. number.
No spaces are allowed.
While the hostname can be longer than 16 characters, if it
is longer than 16 characters it will be truncated and end with
a “~” to indicate it has been truncated. This shortened
hostname will be displayed in the CLI, and other locations
the hostname is used.
Some models support hostnames up to 35 characters.
By default the hostname of your system is its serial number
which includes the model.
image-rotation {enable | Enable or disable the rotation of the partition used to enable
disable} upgrade the FortiSwitch image.
ipv6-accept-dad <0 | 1 | 2> Specify whether to accept IPv6 duplicat address detection 1
(DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set
to 2 to enable DAD and disable IPv6 operation if a MAC-
based duplicate link-local address is found.
kernel-devicelog {enable | Enable or disable the capture of kernel device messages to enable
disable} the log.
language <language> Set the display language. You can set <language> to one english
of english, french, japanese, korean,
portuguese, spanish, simch (Simplified Chinese) or
trach (Traditional Chinese).
ldapconntimeout LDAP connection timeout in msec 500
<ldaptimeout_msec>
post-login-banner "<string>" Enter a message for the system post-login banner. No default
pre-login-banner "<string>" Enter a message for the system pre-login banner. No default
private-data-encryption {enable Enable or disable private data encryption using an AES 128- disable
| disable} bit key.
radius-coa-port <port_number> Set the port number to be used for the RADIUS change of 3799
authorization (CoA).
radius-port <radius_port> Change the default RADIUS port. The default port for 1812
RADIUS traffic is 1812. If your RADIUS server is using port
1645 you can use the CLI to change the default RADIUS
port on your system.
strong-crypto {enable | disable} Strong encryption and only allow strong ciphers (AES, disable
3DES) and digest (SHA1) for HTTPS/SSH admin access.
When strong encryption is enabled, HTTPS is supported by
the following web browsers: Netscape 7.2, Netscape 8.0,
Firefox, and Microsoft Internet Explorer 7.0 (beta).
NOTE: Microsoft Internet Explorer 5.0 and 6.0 are not
supported in strong encryption.
switch-mgmt-mode {fortilink | Determines whether the switch is being managed locally, or local
local} managed by a FortiGate through a FortiLink connection.
tcp-mss-min <48-10000> Enter the minimum allowed TCP MSS value in bytes. 48
tcp6-mss-min <48-10000> Enter the minimum allowed TCP MSS value in bytes. 48
timezone <timezone_number> The number corresponding to your time zone from 00 to 72. 00
Press ? to list time zones and their numbers. Choose the
time zone for the FortiSwitch from the list and enter the
correct number.
Example
This example shows how to set your private data encryption key:
This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try
again to log in to five minutes:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
If you enter a name string in the edit command that is not the name of a physical interface,
the command creates a VLAN subinterface.
Syntax
config system interface
edit <interface_name>
set allowaccess <access_types>
set alias <name_string>
set bfd {enable | disable | global}
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set description <text>
set dhcp-relay-service {enable | disable}
set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
set dhcp-relay-option82 {enable | disable}
set dhcp-vendor-specific-option <string>
set external {enable | disable)
set fail-detect {enable | disable}
set fail-detect-option {link-down | detectserver}
set fail-alert-method {link-d own | link-failed-signal}
set fail-alert-interfaces {port1 port2 ...}
set icmp-redirect {enable | disable}
set interface <interface_name>
set ip <interface_ipv4mask>
set log {enable | disable}
set mode <static | dhcp>
set dhcp-client-identifier <client_name_str>
allowaccess <access_types> Enter the types of management access permitted on this Varies for each
interface or secondary IP address. Valid types are: interface.
http https ping radius-acct snmp ssh telnet.
Separate each type with a space.
To add or remove an option from the list, retype the complete
list as required.
alias <name_string> Enter an alias name for the interface. Once configured, the No default.
alias will be displayed with the interface name to make it
easier to distinguish. The alias can be a maximum of 25
characters. This option is only available when interface type is
physical.
bfd {enable | disable | global} The status of bidirectional forwarding detection (bfd) on this global
interface:
l enable — enable BFD and ignore global BFD
configuration.
l disable — disable BFD on this interface.
bfd-desired-min-tx <interval_ Enter the minimum desired interval for the BFD transmit 50
msec> interval. Valid range is from 1 to 100 000 msec. This option is
available only when bfd is enabled.
bfd-detect-mult <multiplier> Select the BFD detection multiplier. This option is available 3
only when bfd is enabled.
bfd-required-min-rx <interval_ Enter the minimum required interface for the BFD receive 50
msec> interval. Valid range is from 1 to 100 000 msec. This is
available only when bfd is enabled.
dhcp-relay-service {enable | Enable to provide DHCP relay service on this interface. The disable
disable} DHCP type relayed depends on the setting of dhcp-relay-
type.
There must be no other DHCP server of the same type (regular
or ipsec) configured on this interface.
dhcp-relay-ip <dhcp_relay1_ Set DHCP relay IP addresses. You can specify up to eight No default
ipv4> {... <dhcp_relay8_ipv4>} DHCP relay servers for DHCP coverage of subnets. Replies
from all DHCP servers are forwarded back to the client. The
client responds to the offer it wants to accept.
Do not set dhcp-relay-ip to 0.0.0.0. This option is
available only when dhcp-relay-service is enabled.
dhcp-relay-option82 {enable | Enable to allow option-82 insertion in the DHCP relay. This disable
disable} option is available only when dhcp-relay-service is
enabled.
dhcp-vendor-specific-option Set the value for DHCP vendor-specific option 43. No default
<string>
external {enable | disable) Enable to indicate that an interface is an external interface disable
connected to an external network. This option is used for SIP
NAT when the config VoIP profile SIP contact-
fixup option is disabled.
fail-detect {enable | disable} Enable interface failure detection. disable
fail-detect-option {link-down Select whether the system detects interface failure by port link-down
| detectserver} detection (link-down) or ping server (detectserver).
This option is available only when fail-detect is enabled.
fail-alert-method Select the signal that the system uses to signal the link failure: link-down
{link-down | link-failed-signal} Link Down or Link Failed. This option is available only when
fail-detect is enabled.
fail-alert-interfaces {port1 port2 Select the interfaces to which failure detection applies. This No default
...} option is available only when fail-detect is enabled.
icmp-redirect {enable | disable} Disable to stop ICMP redirect from sending from this interface. enable
ICMP redirect messages are sent by a router to notify the
original sender of packets that there is a better route available.
interface <interface_name> Enter the name of the interface. This option is available ony internal
when vlanid is set.
ip <interface_ipv4mask> Enter the interface IP address and netmask. This option is not Varies for each
available if mode is set to dhcp. You can set the IP and interface.
netmask, but they are not displayed. This is only available in
NAT/Route mode. The IP address cannot be on the same
subnet as any other interface.
log {enable | disable} Enable or disable traffic logging of connections to this disable
interface. Traffic will be logged only when it is on an
administrative port. All other traffic will not be logged. Enabling
this setting may reduce system performance, and is normally
used only for troubleshooting.
mode <interface_mode> Configure the connection mode for the interface as one of: static
dhcp-client-identifier Override the default DHCP client identifier used by this No default
interface. The DHCP client identifier is used by DHCP to
identify individual DHCP clients (in this case individual
interfaces). By default, the DHCP client identifier for each
interface is created based on the model name and the
interface MAC address. In some cases, you might want to
specify your own DHCP client identifier using this command.
This option is available only when the mode is set to dhcp.
defaultgw {enable | disable} Enable to get the gateway IP address from the DHCP server. disable
This option is available only when the mode is set to dhcp.
dns-server-override {enable | Disable to prevent this interface from using DNS server enable
disable} addresses it acquires by DHCP. This option is available only
when the mode is set to dhcp.
mtu-override {enable | disable} Select enable to use custom MTU size instead of default disable
(1 500). This is available only for physical interfaces and some
tunnel interfaces (not IPsec). If you change the MTU size, you
must reboot the FortiSwitch to update the MTU values of the
VLANs on this interface. Some models support MTU sizes
larger than the standard 1 500 bytes.
secondary-IP {enable | disable} Enable to add a secondary IP address to the interface. This disable
option must be enabled before configuring a secondary IP
address. When disabled, the Web-based manager interface
displays only the option to enable secondary IP.
src-check {disable | loose | strict} Set to disable if you do not want to use unicast reverse-path disable
forwarding (uRPF).
Set to strict to ensure that the packet was received on the
same interface that the router uses to forward the return
packet.
Set to loose to ensure that the routing table includes the
source IP address of the packet.
type {loopback | vlan} Enter the type of interface. NOTE: Some types are read only vlan
and are set automatically by hardware.
l loopback — a virtual interface that is always up. This
vlanid <id_number> Enter a VLAN ID that matches the VLAN ID of the packets to No default
be received by this VLAN subinterface. The VLAN ID can be
any number between 1 and 4094, as 0 and 4095 are reserved,
but it must match the VLAN ID added by the IEEE 802.1Q-
compliant router on the other end of the connection. Two
VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or
more VLAN subinterfaces with the same VLAN ID to different
physical interfaces, and you can add more multiple VLANs with
different VLAN IDs to the same physical interface. This is
available only when editing an interface with a type of VLAN.
vrf <string> Assign this virtual routing and forwarding (VRF) instance to a No default
switch virtual interface (SVI).
vrrp-virtual-mac Enable VRRP virtual MAC addresses for the IPv4 VRRP disable
{enable | disable} routers added to this interface.See RFC 5798 for information
about the VRRP virtual MAC addresses.
config ipv6
Syntax
config system interface
edit <interface_name>
config ipv6
set ip6-address <ipv6_netmask>
set ip6-allowaccess <access_types>
set autoconf {disable | enable}
set ip6-unknown-mcast-to-cpu {disable | enable}
set ip6-mode {dhcp | static}
set ip6-dns-server-override {disable | enable}
set dhcp6-information-request {disable | enable}
set ip6-send-adv {disable | enable}
set ip6-manage-flag {disable | enable}
set ip6-other-flag {disable | enable}
set ip6-max-interval <4-1800>
set ip6-min-interval <3-1350>
set ip6-link-mtu <integer>
set ip6-reachable-time <0-3600000>
set ip6-retrans-time <0-2147483647>
set ip6-default-life <0-9000>
set ip6-hop-limit <0-255>
set vrip6_link_local {enable | disable}
set vrrp-virtual-mac6 {enable | disable}
config ip6-extra-address
edit <prefix_ipv6>
end
config ip6-prefix-list
edit <prefix_ipv6>
set autonomous-flag {disable | enable}
set onlink-flag {disable | enable}
set preferred-life-time <0-2147483647>
set valid-life-time <0-2147483647>
end
end
end
ip6-address <ipv6_netmask> The interface IPv6 address and netmask. The format for IPv6 ::/0
addresses and netmasks is described in RFC 3513.
This command is only available in NAT/Route mode.
ip6-allowaccess <access_types> Enter the types of management access permitted on this IPv6 Varies for each
interface. Valid types are: fgfm, http, https, ping, interface.
snmp, ssh, and telnet. Separate the types with spaces. If
you want to add or remove an option from the list, retype the
list as required.
autoconf {disable | enable} Enable or disable the automatic address configuration. disable
ip6-mode {dhcp | static} Set the addressing mode to be static or DHCP. static
DHCP addressing mode is available only when autoconf is
disabled.
ip6-dns-server-override {disable | Enable or disable using the DNS server acquired by DHCP. enable
enable} This command is available only when the ip6-mode is set to
dhcp.
ip6-send-adv {disable | enable} Enable or disable the sending of the IPv6 router disable
advertisement.
This command is only available when autoconf is disabled.
ip6-manage-flag {disable | Enable or disable the sending of the IPv6 managed flag. disable
enable}
ip6-other-flag {disable | enable} Enable or disable the sending of the IPv6 other flag. disable
ip6-max-interval <4-1800> Specify the maximum number of seconds before the RA is 600
sent.
ip6-min-interval <3-1350> Specify the minium number of seconds before the RA is sent. 198
vrip6_link_local {enable | Enter the link-local IPv6 address of virtual router. No default
disable}
vrrp-virtual-mac6 {enable | Enable VRRP virtual MAC addresses for the IPv6 VRRP disable
disable} routers added to this interface. See RFC 5798 for information
about the VRRP virtual MAC addresses.
config ip6-extra-addr
<prefix_ipv6> IPv6 address prefix. Configure addditonal IPv6 prefixes for this No default
IPv6 interface.
config ip6-prefix-list
<prefix_ipv6> IPv6 advertised prefix list. Configure which IPv6 prefixes are No default
advertised..
preferred-life-time <0- Specify the preferred lifetime in seconds for the advertised 604800
2147483647> IPv6 prefix.
valid-life-time <0-2147483647> Specify the valid lifetime in seconds for the advertised IPv6 2592000
prefix.
config secondaryip
Syntax
config system interface
edit <interface_name>
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
end
end
allowaccess <access_types> Enter the types of management access permitted on this No default
interface or secondary IP address. Valid types are:
http https ping radius-acct snmp ssh telnet.
config vrrp
Add one or more VRRP virtual routers to a interface. For information about VRRP, see RFC 5798.
Syntax
config system interface
edit <interface_name>
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set version {2 | 3}
set vrdst <ipv4_addr>
set vrgrp <integer>
set vrip <ipv4_addr>
end
<VRID_int> VRRP virtual router ID (1 to 255). Identifies the VRRP virtual None
router.
preempt {enable | disable} Enable or disable VRRP preempt mode. In preempt mode a enable
higher priority backup system can preempt a lower priority
master system.
priority <prio_int> Priority of this virtual router (1-255). The VRRP virtual router on 100
a network with the highest priority becomes the master.
start-time <seconds_int> The startup time of this virtual router (1-255 seconds). The 3
startup time is the maximum time that the backup system
waits between receiving advertisement messages from the
master system.
Example
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
mac <MAC_address> Enter the MAC address in the following format: 00:00:00:00:00:00
xx:xx:xx:xx:xx:xx
Example
This example shows how to configure an entry in the IPv6 neighbor cache table.
config system ipv6-neighbor-cache
edit id
set interface internal
set ipv6 e80::a5b:eff:fef1:95e4
set mac 00:21:cc:d2:76:72
end
addr-mode {ipv4 | ipv6} Select whether to use IPv4 or IPv6 addresses. ipv4
protocol {arp | ping} Protocols used to detect the server. Select ARP or ping. arp
gateway-ip Gateway IPv4 address used to PING the server. This option is 0.0.0.0
<IPv4 address> available only when addr-mode is set to ipv4.
gateway-ip6 <IPv6 Gateway IPv6 address used to PING the server. This option is No default
address> available only when addr-mode is set to ipv6.
source-ip Source IPv4 address used in packet to the server. This option is 0.0.0.0
<IPv4 address> available only when addr-mode is set to ipv4.
source-ip6 <IPv6 Source IPv6 address used in packet to the server. This option is No default
address> available only when addr-mode is set to ipv6.
failtime <integer> Number of retry attempts before bringing server down. The range is 5
1-10.
recoverytime <integer> Number of retry attempts before bringing server up. The range is 1- 5
10.
Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.
config system location
edit <name>
config address-civic
set additional <string>
set additional-code <string>
set block <string>
set branch-road <string>
set building <string>
set city <string>
set city-division <string>
set country <string>
set country-subdivision <string>
set county <string>
set direction <string>
set floor <string>
set landmark <string>
set language <string>
set name <string>
set number <string>
set number-suffix <string>
set place-type <string>
set post-office-box <string>
set postal-community <string>
config address-civic
additional <string> Enter additional location information, for example, west No default
wing.
additional-code <string> Enter the additional country-specific code for the No default
location. In Japan, use the Japan Industry Standard (JIS)
address code.
branch-road <string> Enter the branch road name. This value is used when No default
side streets do not have unique names so that both the
primary road and side street are used to identify the
correct road.
building <string> Enter the name of the building (structure) if the address No default
includes more than one building, for example, Law
Library.
city <string> Enter the city (Germany), township, or shi (Japan). No default
city-division <string> Enter the city division, borough, city district (Germany), No default
ward, or chou (Japan).
country <string> Enter the two-letter ISO 3166 country code in capital No default
ASCII letters, for example, US, CA, DK, and DE.
country-subdivision <string> Enter the national subdivision (such as state, canton, No default
region, province, or prefecture). In Canada, the
subdivision is province. In Germany, the subdivision is
state. In Japan, the subdivision is metropolis. In Korea,
the subdivision is province. In the United States, the
subdivision is state.
county <string> Enter the county (Canada, Germany, Korea, and United No default
States), parish, gun (Japan), or district (India).
direction <string> Enter N, E, S, W, NE, NW, SE, or SW for the leading No default
street direction.
landmark <string> Enter the nickname, landmark, or vanity address, for No default
example, UC Berkeley.
language <string> Enter the ISO 639 language code used for the address No default
information.
name <string> Enter the person or organization associated with the No default
address, for example, Fortinet or Textures Beauty Salon.
number <string> Enter the street address, for example, 1560. No default
number-suffix <string> Enter any modifier to the street address. For example, if No default
the full street address is 1560A, enter 1560 for the
number and A for the number-suffix.
place-type <string> Enter the type of place, for example, home, office, or No default
street.
post-office-box <string> Enter the post office box, for example, P.O. Box 1543. No default
When the post-office-box value is set, the street address
components are replaced with this value.
postal-community <string> Enter the postal community name, for example, Alviso. No default
When the postal-community name is set, the civic
community name is replaced by this value.
primary-road <string> Enter the primary road or street name for the address. No default
road-section <string> Enter the specific section or stretch of a primary road. No default
This field is used when the same street number appears
more than once on the primary road.
room <string> Enter the room number, for example, 7A. No default
script <string> Enter the script used to present the address information, No default
for example, Latn.
street <string> Enter the street (Canada, Germany, Korea, and United No default
States).
street-name-post-mod <string> Enter an optional part of the street name that appears No default
after the actual street name. If the full street name is
East End Avenue Extended, the street-name-
post-mod is Extended.
street-name-pre-mod <string> Enter an optional part of the street name that appears No default
before the actual street name. If the full street name is
Old North First Street, the street-name-pre-
mod is Old.
street-suffix <string> Enter the type of street, for example, Ave or Place. Valid No default
values are listed in the United States Postal Service
Publication 28 [18], Appendix C.
sub-branch-road <string> Enter the name of a street that branches off of a branch No default
road. This value is used when the primary road, branch
road, and subbranch road names are needed to identify
the correct street.
trailing-str-suffix <string> Enter N, E, S, W, NE, NW, SE, or SW for the trailing No default
street direction.
unit <string> Enter the unit (apartment or suite), for example, Apt 27. No default
zip <string> Enter the postal or zip code for the address, for example, No default
94089-1345.
config coordinates
altitude <string> Enter the vertical height of a location using the altitude- No default
unit to specify the unit used. The format is +/- floating
point number, for example, 117.47.
datum {NAD83 | NAD83/MLLW | Select which map is used for the location: WGS84, WGS84
WGS84} NAD83, or NAD83/MLLW.
latitude <string> Enter the latitude. The format is floating point starting No default
with +/- or ending with N/S, for example, +/-16.67 or
16.67N.
longitude <string> Enter the longitude. The format is floating point starting No default
with +/- or ending with E/W, for example, +/-26.789 or
26.789E.
config elin-number
Example
This example shows how to configure the location table for Fortinet.
config system location
edit Fortinet
config address-civic
set country "US"
set language "English"
set county "Santa Clara"
set city "Sunnyvale"
set street "Kifer"
set street-suffix "Road"
set number "899"
set zip "94086"
set building "1"
set floor "1"
set seat "1293"
end
next
edit "Fortinet"
config elin-number
set elin-number "14082357700"
end
end
Syntax
config system ntp
set allow-unsync-source {enable | disable}
set authentication {enable | disable}
set log-time-adjustments {enable | disable}
set ntpsync {enable | disable}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
set syncinterval <interval_int>
config ntpserver
edit <serverid_int>
set authentication {enable | disable}
set key <string>
set key-id <integer>
set ntpv3 {enable | disable}
set server {<ipv4_addr>| <ipv6_addr>}
end
end
log-time-adjustments {enable | Enable or disable whether FortiSwitch logs when NTP adjusts enable
disable} the system time.
ntpsync {enable | disable} Enable or disable whether the system time is synchronized with enable
the NTP server.
source-ip <ipv4_addr> Enter the source IPv4 address for communication with the NTP 0.0.0.0
server.
source-ip6 <ipv6_addr> Enter the source IPv6 address for communication with the NTP No default
server.
syncinterval <interval_int> Enter the interval in minutes between contacting the NTP 10
server to synchronize time. The range is from 1 to 1,440
minutes.
This option is availabe only when ntpsync is enabled.
<serverid_int> Enter the number for this NTP server entry. No default
authentication {enable | diable} Enable or disable authentication. If you enable authenication disable
and use the NTPv3 protocol, MD5 authentication is used. If
you enable authentication and use the NTPv4 protocol, SHA1
authentication is used.
ntpv3 {enable | disable} Enable this option to use the NTPv3 protocol. Disable this disable
option to use the NTPv4 protocol.
server {<ipv4_addr> | <ipv6_ Enter the IPv4 or IPv6 address for this NTP server. No default
addr>}
Example
Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared
keys.
Syntax
config system password-policy
set status enable
set apply-to [admin-password ipsec-preshared-key]
set change-4-characters {enable | disable}
set minimum-length <chars>
set min-lower-case-letter <num_int>
set min-upper-case-letter <num_int>
set min-non-alphanumeric <num_int>
set min-number <num_int>
set expire-status {enable | disable}
set expire-day <num_int>
end
status enable Enable password policy. The password policy cannot be enable
disabled.
apply-to [admin-password ipsec- Select where the policy applies: administrator passwords or admin-password
preshared-key] IPSec preshared keys. This option is available only when
status is enabled.
change-4-characters Enable to require the new password to differ from the old disable
{enable | disable} password by at least four characters. This option is available
only when status is enabled.
expire-status {enable | disable} Enable to have passwords expire. This option is available only enable
when status is enabled.
expire-day <num_int> Enter the number of days before the current password is 90
expired and the user will be required to change their password.
This option is available only when status is enabled and
expire-status is enabled.
Example
This example shows how to configure a password policy for administrator passwords:
config system password-policy
set status enable
set apply-to admin-password
set change-4-characters enable
set minimum-length 10
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 30
end
Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring
schedules. To create one-time and recurring schedules, see config system schedule onetime on page 195 and config
system schedule recurring on page 196.
Syntax
config system schedule group
edit <schedule_group_name>
set member <schedule_name1> <schedule_name2> ...
end
member <schedule_name1> Enter the names of the schedules to include. Separate No default
<schedule_name2> ... multiple names with a space.
The schedules must already be defined with the config system
schedule onetime or config system schedule recurring
command.
Example
Use this command to define a one-time schedule for when a policy will be enforced.
Syntax
config system schedule onetime
edit <schedule_name>
set start <time_date>
set end <time_date>
end
start <time_date> Enter the start time and date for the schedule 00:00 1900/01/01
in the following format: hh:mm yyyy/mm/dd
end <time_date> Enter the end time and date for the schedule in 00:00 1900/01/01
the following format: hh:mm yyyy/mm/dd
Example
Use this command to define a schedule for specified hours every week.
Syntax
config system schedule recurring
edit <schedule_name>
set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
set start <time>
set end <time>
end
day {monday | tuesday | wednesday | Enter one or more days for the ACL to be monday tuesday
thursday | friday | saturday | sunday} enforced. Separate days with a space. wednesday thursday
friday
start <time> Enter the start time for the schedule in the 24:00
following format: hh:mm
end <time> Enter the end time for the schedule in the 24:00
following format: hh:mm
Example
Syntax
config system settings
set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}
end
TCP/UDP port.
l source-ip-based — Select the next hop based on the
source IP address.
Example
Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow
datagrams to an sFlow collector.
sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You
can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow
datagrams containing information about traffic flow to an sFlow collector.
sFlow is normally used to provide an overall traffic flow picture of your network. You would usually operate sFlow agents
on switches, routers, and firewall on your network, collect traffic data from all of them and use a collector to show traffic
flows and patterns.
Syntax
config system sflow
set collector-ip <collector_ipv4>
set collector_port <port_int>
end
collector-ip <collector_ipv4> The sFlow agents send sFlow datagrams to the sFlow collector 0.0.0.0
at this IP address.
collector_port <port_int> The UDP port number used for sending sFlow datagrams. 6343
Change this setting only if required by your sFlow collector or
your network configuration. The value range is 0-65535.
Example
Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the
packet capture, see the execute system sniffer-profile commands.
Syntax
config system sniffer-profile
edit <profile_name>
set filter {<string> | none}
set max-pkt-count <1-maximum>
set max-pkt-len <64-1534>
set switch-interface <switch_interface_name>
set system-interface <system_interface_name>
end
filter {<string> | none} Enter none or enter the filter for selecting which packets to none
capture. For example, if you want packets using UDP port
1812 between hosts named forti1 and either forti2 or
forti3:
max-pkt-count <1-maximum> Enter how many packets to be captured on the selected 4000
interface. The maximum number of packets that can be
captured differs according to platform. See the FortiSwitchOS
Adminstration Guide for details.
max-pkt-len <64-1534> Enter the maximum packet length in bytes to be captured on 128
the interface.
switch-interface <switch_ Enter the switch interface name that you want to capture No default
interface_name> packets on. You cannot select both a switch interface and a
system interface.
system-interface <system_ Enter the system interface name that you want to capture No default
interface_name> packets on. You cannot select both a switch interface and a
system interface.
Example
Use this command to configure SNMP communities on your FortiSwitch unit. You add SNMP communities so that
SNMP managers can connect to the system to view system information and receive SNMP traps. SNMP traps are
triggered when system events occur.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and
traps. Each community can be configured to monitor the system for a different set of events. You can also the add IP
addresses of up to 8 SNMP managers for each community.
Whey you configure an SNMP manager, ensure that you list it as a host in a
community on the FortiSwitch that it will be monitoring. Otherwise, the SNMP
monitor will not receive any traps from that FortiSwitch unit, and will not be able to
query it.
Syntax
config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <port_number>
set query-v1-status {enable | disable}
set query-v2c-port <port_number>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set trap-v2c-status {enable | disable}
config hosts
edit <host_number>
set interface <if_name>
set ip <address_ipv4>
set source-ip <address_ipv4/mask>
end
config hosts6
edit <host_number>
set interface <if_name>
set ip6 <address_ipv6>
set source-ip6 <address_ipv6>
end
end
<index_number> Enter the index number of the community in the SNMP No default
communities table. Enter an unused index number to create a new
SNMP community.
events <events_list> Enable the events for which the system should send traps to the All events
SNMP managers in this community. enabled.
query-v1-port <port_number> Enter the SNMP v1 query port number used for SNMP manager 161
queries.
query-v1-status Enable or disable SNMP v1 queries for this SNMP community. enable
{enable | disable}
query-v2c-port <port_number> Enter the SNMP v2c query port number used for SNMP manager 161
queries.
query-v2c-status Enable or disable SNMP v2c queries for this SNMP community. enable
{enable | disable}
trap-v1-lport <port_number> Enter the SNMP v1 local port number used for sending traps to the 162
SNMP managers.
trap-v1-rport <port_number> Enter the SNMP v1 remote port number used for sending traps to 162
the SNMP managers.
trap-v1-status {enable | disable} Enable or disable SNMP v1 traps for this SNMP community. enable
trap-v2c-lport <port_number> Enter the SNMP v2c local port number used for sending traps to 162
the SNMP managers.
trap-v2c-rport <port_number> Enter the SNMP v2c remote port number used for sending traps to 162
the SNMP managers.
trap-v2c-status Enable or disable SNMP v2c traps for this SNMP community. enable
{enable | disable}
interface <if_name> Enter the name of the FortiSwitch interface to which the SNMP No default
manager connects.
ip <address_ipv4> Enter the IPv4 IP address of the SNMP manager (for hosts). 0.0.0.0
ip6 <address_ipv6> Enter the IPv6 IP address of the SNMP manager (for hosts6). ::
source-ip <address_ipv4/mask> Enter the source IPv4 IP address for SNMP traps sent by the 0.0.0.0/
FortiSwitch (for hosts). 0.0.0.0
source-ip6 <address_ipv6> Enter the source IPv6 IP address for SNMP traps sent by the ::
FortiSwitch (for hosts6).
Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP
agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch
unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low
memory.
Syntax
config system snmp sysinfo
set contact-info <info_str>
set description <description>
contact-info <info_str> Add the contact information for the person responsible for this No default
FortiSwitch unit. The contact information can be up to 35
characters long.
description <description> Add a name or description of the system. The description can No default
be up to 35 characters long.
engine-id <engine-id_str> Each SNMP engine maintains a value, snmpEngineID, which No default
uniquely identifies the SNMP engine. This value is included in
each message sent to or from the SNMP engine. In FortiOS,
the snmpEngineID is composed of two parts:
l Fortinet prefix 0x8000304404
location <location> Describe the physical location of the system. The system No default
location description can be up to 35 characters long.
trap-high-cpu-threshold Enter the percentage of CPU used that will trigger the 80
<percentage> threshold SNMP trap for the high-cpu.
There is some smoothing of the high CPU trap to ensure the
CPU usage is constant rather than a momentary spike. This
feature prevents frequent and unnecessary traps.
trap-log-full-threshold Enter the percentage of disk space used that will trigger the 90
<percentage> threshold SNMP trap for the log-full.
trap-low-memory-threshold Enter the percentage of memory used that will be the threshold 80
<percentage> SNMP trap for the low-memory.
trap-temp-alarm-threshold Set an alarm for when the system temperature reaches the 60
<temperature in degrees specified temperature.
Celsius>
trap-temp-warning-threshold Set a warning for when the system temperature reaches the 50
<temperature in degrees specified temperature. The warning threshold must be lower
Celsius> than the alarm threshold.
Example
This example shows how to set a warning and an alarm for specified system temperatures:
config system snmp sysinfo
set status enable
set trap-temp-alarm-threshold 80
set trap-temp-warning-threshold 70
end
Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which
hosts will be notified, and if queries are enabled which port to listen on for them.
FortiSwitchOS implements the user security model of RFC 3414. You can require the user to authenticate with a
password and you can use encryption to protect the communication with the user.
Syntax
config system snmp user
edit <user_name>
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password>
set queries {enable | disable}
set query-port <port_int>
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
end
des} protocol
l aes192—CFB128-AES-192 symmetric encryption
protocol
l aes192c—CFB128-AES-192-C symmetric encryption
protocol (required for certain clients)
l aes256—CFB128-AES-256 symmetric encryption
protocol
l aes256c—CFB128-AES-256-C symmetric encryption
queries {enable | disable} Enable or disable SNMP v3 queries for this user. Queries are enable
used to determine the status of SNMP variables.
query-port <port_int> Enter the number of the port used for SNMP v3 queries. If 161
multiple versions of SNMP are being supported, each version
should listen on a different port.
config user
The config user commands provide configuration of user accounts and user groups for firewall policy
authentication, administrator authentication, and some types of VPN authentication:
l config user group on page 204
l config user ldap on page 206
l config user local on page 207
l config user peer on page 208
l config user peergrp on page 210
l config user radius on page 210
l config user setting on page 214
l config user tacacs+ on page 216
Syntax
config user group
edit <group_name>
set group-type <grp_type>
set authtimeout <timeout>
set http-digest-realm <attribute>
set member <names>
config match
edit <match_id>
set group-name <gname_str>
set server-name <srvname_str>
end
end
<group_name> Enter a new name to create a new group or enter an existing No default
group name to edit that group.
group-type <grp_type> Enter the group type. <grp_type> determines the type of firewall
users and is one of the following:
l firewall - FortiSwitch users defined in user local,
user ldap or user radius
l fsso-service - Directory Service users
authtimeout <timeout> Set the authentication timeout for the user group, range 1 to 0
480 minutes. If set to 0, the global authentication timeout value
is used.
http-digest-realm <attribute> Enter the realm attribute for MD5-digest authentication No default
member <names> Enter the names of users, peers, LDAP servers, or RADIUS No default
servers to add to the user group.
Separate the names with spaces.
To add or remove names from the group you must re-enter the
whole list with the additions or deletions required.
config match
<match_id> Enter an ID for the entry. No default
group-name <gname_str> The name of the matching group on the remote authentication No default
server. Specify the user group names on the authentication
servers that are members of this FortiSwitch user group. If no
matches are specified, all users on the server can authenticate.
Example
end
Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiSwitch unit, the user enters a user name and password. The system sends this user name
and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated
with the FortiSwitch unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiSwitch
unit.
Syntax
config user ldap
edit <server_name>
set cnid <id>
set dn <dname>
set group-member-check {user-attr | group-object}
set member-attr <attr_name>
set port <number>
set server <domain>
set type <auth_type>
set username <ldap_username>
set password <ldap_passwd>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
set secure <auth_port>
end
cnid <id> Enter the common name identifier for the LDAP server. The cn
common name identifier for most LDAP servers is cn. However
some servers use other common name identifiers such as uid.
Maximum 20 characters.
dn <dname> Enter the distinguished name used to look up entries on the No default
LDAP server. It reflects the hierarchy of LDAP database object
classes above the Common Name Identifier. The FortiSwitch
passes this distinguished name unchanged to the server.
You must provide a dn value if type is simple.
Maximum 512 characters.
member-attr <attr_name> An attribute of the group that is used to authenticate users. No default
port <number> Enter the port number for communication with the LDAP 389
server.
server <domain> Enter the LDAP server domain name or IP address. No default
type <auth_type> Enter the authentication type for LDAP searches. One of: simple
anonymous, regular or simple
See the notes following the table for additional information.
username <ldap_username> This field is available only if type is regular. For regular No default
authentication, you need a user name and password. See your
server administrator for more information.
password <ldap_passwd> This field is available only if type is regular. For regular No default
authentication, you need a user name and password. See your
server administrator for more information.
Use this command to add local user names and configure user authentication for the system. To add authentication by
LDAP or RADIUS server you must first add servers using the config user ldap and config user radius
commands.
Syntax
config user local
edit <user_name>
set ldap-server <server_name>
set passwd <password_str>
set radius-server <server_name>
set tacacs+-server <server_name>
set status {enable | disable}
set type <auth-type>
end
<user_name> Enter the user name. Enter a new name to create a new user No default
account or enter an existing user name to edit that account.
ldap-server <server_name> Enter the name of the LDAP server with which the user must No default
authenticate. You can only select an LDAP server that has
been added to the list of LDAP servers. This option is available
when type is set to ldap.
passwd <password_str> Enter the password with which the user must authenticate. No default
Passwords at least 6 characters long provide better security
than shorter passwords. This option is available when type is
set to password.
radius-server <server_name> Enter the name of the RADIUS server with which the user must No default
authenticate. You can only select a RADIUS server that has
been added to the list of RADIUS servers. This option is
available when type is set to radius.
tacacs+-server <server_name> Enter the name of the TACACS+ server with which the user No default
must authenticate. This option is available when type is set to
tacacs+.
status {enable | disable} Enter enable to allow the local user to authenticate with the enable
FortiSwitch unit.
type <auth-type> Enter one of the following to specify how this user’s password No default
is verified:
l ldap: The LDAP server specified in ldap-server verifies
the password.
l password: The system verifies the password against the
Syntax
config user peer
edit <peer_name>
set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA |
Fortinet_CA2}
set cn <string>
set cn-type {FQDN | email | ipv4 | ipv6 | string}
set ldap-mode {password | principal-name}
set ldap-password <password>
set ldap-server <string>
set ldap-username <string>
set mandatory-ca-verify {enable | disable}
set passwd <password>
set subject <string>
set two-factor {enable |disable}
next
end
ca {Entrust_802.1x_CA | Entrust_ Select a certificate authority (CA) for the peer certificate. No default
802.1x_G2_CA | Entrust_
802.1x_L1K_CA | Fortinet_CA |
Fortinet_CA2}
cn <string> Enter the common name for the peer certificate. No default
cn-type {FQDN | email | ipv4 | Enter the type of common name for the peer certificate: fully string
ipv6 | string} qualified domain name, email address, IPv4 address, IPv6
address, or a text description.
ldap-mode {password | principal- Select whether the peer LDAP requires a password or an email password
name} address. The password is specified with the set ldap-
password command.
ldap-password <password> Enter the password for the peer LDAP. No default
This option is available only when the ldap-mode is set to
password.
ldap-server <string> Enter the name of the LDAP server used for checking access No default
permission.
ldap-username <string> Enter the user name for the LDAP server. No default
passwd <password> Enter the user password for two-factor authentication. No default
This option is available only when two-factor is enabled.
subject <string> Enter any limitations on the peer certificate name. No default
two-factor {enable |disable} Enable or disable two-factor authentication. When this option is disable
enabled, the certificate and password are required. Specify the
password in the set passwd command.
Syntax
config user peergrp
edit <peer_group_name>
set member <list_of_peer_names>
next
end
<list_of_peer_names> Enter one of more peer users. Separate the names with a No default
space. The peer users must already be configured with the
config user peer command before they are added to a
peer user group.
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default
RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS
servers that can be configured for authentication is 10.
The RADIUS server is provided with more information to make authentication decisions, based on values in server,
nas-ip, and the config user group subcommand config match. Attributes include:
l NAS-IP-Address — RADIUS setting or IPv4 address of FortiSwitch interface used to talk to RADIUS server, if not
configured
l NAS-IPv6-Address — RADIUS setting or IPv6 address of FortiSwitch interface used to talk to RADIUS server, if
not configured
l NAS-Port — physical interface number of the traffic that triggered the authentication
l Called-Station-ID — same value as NAS-IP Address but in text format
l Fortinet-Vdom-Name — name of VDOM of the traffic that triggered the authentication
l NAS-Identifier — configured hostname in non-HA mode; HA cluster group name in HA mode
l Acct-Session-ID — unique ID identifying the authentication session
l Connect-Info — identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-
pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You can select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-
CHAP-v2.
Syntax
config user radius
edit <RADIUS_user_name>
set acct-fast-framedip-detect <integer>
<server_name> Enter a name of the RADIUS user group. Enter a new name to No default
create a new group definition or enter an existing group name
to edit that group definition.
acct-interim-interval <integer> Enter the number of seconds between each interim accounting 600
message sent to the RADIUS server. The value range is 60-
86400.
addr-mode {ipv4 | ipv6) Select whether to connect to the RADIUS server with IPv4 or ipv4
IPv6. NOTE: If you select ipv4, you must use an IPv4
address for the set server command. If you select ipv6,
you must use an IPv6 address for the set server
command.
all-usergroup {enable | disable} Enable to automatically include this RADIUS server in all user disable
groups.
auth-type {auto | chap | ms_chap Select the authentication method for this RADIUS server. auto auto
| ms_chap_v2 | pap} uses pap, ms_chap_v2, and chap.
frame-mtu-size <integer> Enter the maximum frame size in octets used to advertise to 1500
the authentication server. The range is 600-1500.
link-monitor {enable | disable} Enable or disable whether this server sends periodic ping disable
messages to the RADIUS server to test if it is available.
link-monitor-interval <5-120> Enter how often (in seconds) the server checks if the RADIUS 15
server is available.
radius-coa {enable | disable} Enable or disable whether this server will use RADIUS change disable
of authorization (CoA).
radius-port <radius_port_num> Change the default RADIUS port for this server. Range is 0- 1812
65535
secret <server_password> Enter the RADIUS server shared secret. The server secret key No default
should be a maximum of 16 characters in length.
server <domain_ipv4_ipv6> Enter the RADIUS server domain name, IPv4 address, or IPv6 No default
address. NOTE: If you selected ipv4 for addr-mode, you
must use an IPv4 address for the set server command. If
you selected ipv6 for addr-mode, you must use an IPv6
address for the set server command.
source-ip <ipv4_addr> Enter the source IPv4 address for communicating to the 0.0.0.0
RADIUS server.
This option is available when the addr-mode is set to ipv4.
source-ip6 <ipv6_addr> Enter the source IPv6 address for communicating to the No default
RADIUS server.
This option is available when the addr-mode is set to ipv6.
config acct-server
<accounting_server_ID> Enter the identifier for the accounting server. The value range No default
is 0-4294967295.
secret <accounting_server_ Enter the shared secret key for the RADIUS accounting server. *
secret>
server <accounting_server> Enter the RADIUS server domain name, IPv4 address, or IPv6 No default
address of the RADIUS server that will be receiving the
accounting messages.
service-type {administrative | Select the Service-Type value. Separate multiple values with a none
authenticate-only | call-check | space.
callback-administrative |
callback-framed | callback-login |
callback-nas-prompt | framed |
login | nas-prompt | outbound}
port <accounting_server_port> Enter the port number for the RADIUS accounting server to 1813
receive accounting messages from the FortiSwitch unit.
The number of seconds that a user context entry can remain in the user context list without the system receiving a
communication session from the carrier end point. If a user context entry is not being looked up, then the user must no
longer be connected to the network.
This timeout is only required if the system doesn’t receive the RADIUS Stop record. However, even if the accounting
system does send RADIUS Stop records this timeout should be set in case the FortiSwitch misses a Stop record.
The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because its
not usually a problem to have a long list, but entries that are no longer used should be removed regularly.
You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also if customer IP
addresses change often you might want to set this timeout lower so that out of date entries are removed from the list.
If this timeout is too low the FortiSwitch could remove user context entries for users who are still connected.
l none — Disable writing event log messages for dynamic profile events.
l accounting-event — Enable to write an event log message when the system does not find the expected
information in a RADIUS Record. For example, if a RADIUS record contains more than the expected number of
addresses.
l accounting-stop-missed — Enable to write an event log message whenever a user context entry timeout
expires indicating that the system removed an entry from the user context list without receiving a RADIUS Stop
message.
l context-missing — Enable to write an event log message whenever a user context creation timeout expires
indicating that the system was not able to match a communication session because a matching entry was not
found in the user context list.
l profile-missing — Enable to write an event log message whenever the system cannot find a profile group
name in a RADIUS start message that matches the name of a profile group added to the system.
l protocol-error — Enable to write an event log message if RADIUS protocol errors occur. For example, if a
RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
l radiusd-other — Enable to write event log messages for other events. The event is described in the log
message. For example, write a log message if the memory limit for the user context list is reached and the oldest
entries in the table have been dropped.
Example
Syntax
config user setting
set auth-blackout-time <blackout_time_int>
set auth-cert <cert_name>
set auth-http-basic {disable | enable}
auth-blackout-time <blackout_ When a firewall authentication attempt fails 5 times within one 0
time_int> minute the IP address that is the source of the authentication
attempts is denied access for the <blackout_time_int>
period in seconds. The range is 0 to 3600 seconds.
auth-cert <cert_name> HTTPS server certificate for policy authentication. Fortinet_ self-sign
Factory, Fortinet_Firmware (if applicable to your FortiSwitch),
and self-sign are built-in certificates but others will be listed as
you add them.
auth-http-basic {disable | enable} Enable or disable support for HTTP basic authentication for disable
identity-based firewall policies. HTTP basic authentication
usually causes a browser to display a pop-up authentication
window instead of displaying an authentication web page.
Some basic web browsers, for example, web browsers on
mobile devices, may only support HTTP basic authentication.
auth-multi-group This option can be disabled if the Active Directory structure is enable
{enable | disable} setup such that users belong to only 1 group for purpose of
firewall authentication.
auth-type {ftp | http | https | Set the user authentication protocol support for firewall policy No Default
telnet} authentication. User controls which protocols should support
the authentication challenge.
auth-timeout <auth_timeout_ Set the number of minutes before the firewall user 5
minutes> authentication timeout requires the user to authenticate again.
The maximum authtimeout interval is 480 minutes (8 hours).
To improve security, keep the authentication timeout at the
default value of 5 minutes.
config auth-ports
<auth-table-entry-id> Create an entry in the authentication port table if you are using No Default
non-standard ports.
type {ftp | http | https | telnet} Specify the protocol to which port applies. http
Use this command to add or edit the information used for TACACS+ authentication.
Syntax
config user tacacs+
edit <user name>
set authen-type {ascii | auto | chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <port number>
set server <domain>
set source-ip <ipv4_addr>
end
authen-type{ascii | auto | chap | Set the authentication type. Auto will use PAP, MSCHAP, and auto
mschap | pap} CHAP (in that order).
Example
This example shows how to configure a TACACS user account for login authentication:
config user tacacs+
edit tacserver
set authen-type ascii
set authorization enable
set key temporary
set server tacacs_server
end
Use this command to display the status of the spanning tree protocol (STP) bridge protocol data unit (BPDU) guard:
diagnose bpdu-guard display status
To configure STP BPDU guard, see config switch interface on page 94.
Example output
port1 disabled - - - -
port2 disabled - - - -
port3 disabled - - - -
port4 disabled - - - -
port5 disabled - - - -
port6 disabled - - - -
port9 disabled - - - -
port10 disabled - - - -
port11 disabled - - - -
port12 disabled - - - -
port13 disabled - - - -
port14 disabled - - - -
port15 disabled - - - -
port16 disabled - - - -
port17 disabled - - - -
port18 disabled - - - -
port19 disabled - - - -
port20 disabled - - - -
port21 disabled - - - -
port22 disabled - - - -
port23 disabled - - - -
port24 disabled - - - -
port25 disabled - - - -
port26 disabled - - - -
port27 disabled - - - -
port28 disabled - - - -
port29 disabled - - - -
port30 enabled - 60 0 -
Example output
Certificate Authority
----------------------------------------------------------------------------
Name : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)
Name : Fortinet_CA
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)
Name : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)
Name : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)
Local
----------------------------------------------------------------------------
Name : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2022-05-24 12:00:00 GMT)
Name : Fortinet_Factory
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A
Serial Number : 19:c1:ea
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Name : Fortinet_Factory2
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62
Serial Number : 19:c1:ec
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Name : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number : 41:1d:d5
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Remote
----------------------------------------------------------------------------
diagnose certificate ca
Example output
Name : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)
Name : Fortinet_CA
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)
Name : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)
Name : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)
Example output
Name : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2022-05-24 12:00:00 GMT)
Name : Fortinet_Factory
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A
Serial Number : 19:c1:ea
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Name : Fortinet_Factory2
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62
Serial Number : 19:c1:ec
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Name : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number : 41:1d:d5
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)
Use this command to set the debug level for application daemons. Some applications must be set to level 8 or higher to
enable output for other diagnose debug commands. If you do not specify the debugging level, the current debugging
level is returned.
diagnose debug application <application> [<debugging_level>]
Example output
Variable Description
fsso filter group <group_name> List only the logons by the specified FSSO group.
fsso filter server <FSSO_agent_name> List only the logons for the specified FSSO agent.
fsso filter source <IPv4_address> <IPv4_address> List only the logons for the specified range of IPv4
addresses.
fsso filter user <user_name> List only the logons by the specified user.
Variable Description
Example output
Use this command to enable, show, or disable the debugging level for bidirectional forwarding detection (BFD):
diagnose debug bfd {all | appl | fsm | net | show | zebra } {enable | disable}
Use this command to enable, show, or disable the debugging level for Border Gateway Protocol (BGP) routing:
diagnose debug bgp {all | appl | as4 | flowspec | keepalives | neighbor-events | nht | normal
| show | updates | zebra} {enable | disable}
Use this command to set or find the debug level for the CLI:
diagnose debug cli [<0-8>]
Example output
Use this command to display information about the configuration error log:
diagnose debug config-error-log {clear | read}
Variable Description
Variable Description
no-user-log-msg {enable | disable} Enable or disable the display of user log messages on the console.
Variable Description
kill-with-crashlog <process_ID> End the daemon using the specified process ID.
Example output
Rk9SVP94nDK0NLPUNTTSNTZUMDSzMjCwMjVXSErOjc9IzEvJSY3PTM8tKI5Pzk2x
UvB1dgwO0Q1xdPJx1Q32jHK1MjQwMuECCCAjA0NzXQNLXQMzBUOgZgMrQ0uFkoxU
hezMnJzUFIWUxNTc/DyFzGIF/aTMPP301JKSSiuF4pLEktJiW4MKAy6AAELWb2gF
dIKJKUn6AQIIVb+JmZWpCUn6AQIIWb+RlYGxlbExSfoBAghZv7GVqamVEWn+Bwgg
ZP0mVgYWwCAkST9AAKHqNzQHxR8p+gECCFW/MdALhiToN+ICCCA0/WZWxqTpBwgg
ZP3AwDMGJkGS3A8QQKj6TYBJwIIk/QABhKbfBBiFJLkfIIDQ9JtaGZNivxEXQAAh
6zcDxb8RafEHEECo+oH+NyAt/QMEEKp+UP41Ikk/QADB9ZuD8r+RpRXQIOL1GxsY
cAEEEKoJphakpgCAAELWbwgKQQPSQhAggFD1A3OAMWkhABBAaPotrUxIsx8ggJD1
A0sgU1JzMEAAIesHZl8jICJJP0AAIesHpgBz0koAAy6AAELWb24FTgQk6QcIIFT9
JkD3k5KCDLgAAghNPzD+SbMfIIBQ9ZsaAyshkvQDBBCyfqDlwEKYtBIIIIBQ9QOj
0IS08AcIIDT9ZqSlHyMugABC1W8EDH/SakCAAELVD8w/JMY/QAAh6wcWH0bAJECS
foAAguu3UDAwtzIClmCklB+gEggggJBNsLQCV8MkuQAggND0A+sA0lIQQACh6jcC
1mGklYAAAYSkH1gCGZkCnUCSfoAAQtUPKgFJsx8ggFD1mwBzEGklGEAAoek3AUYi
...
Example output
Use this command to enable, show, or disable the debugging level for Intermediate System to Intermediate System
Protocol (IS-IS) routing:
diagnose debug isis {adj-packets | all | appl | bfd | events | flooding | lsp-gen | lsp-sched
| packet-dump | route-events | show | snp-packets | spf-events | tx-queue | update-
packets} {enable | disable}
Use this command to display or set the debugging level for the kernel:
diagnose debug kernel level [<integer>]
Example output
Use this command to enable, show, or disable the debugging level for open shortest path first (OSPF) routing for IPv4
traffic:
diagnose debug ospf {all | appl | event | ism-debug | lsa-debug | nsm-debug | nssa | packet-
debug | show | zebra-debug} {enable | disable}
Use this command to enable or disable the debugging level for open shortest path first (OSPF) routing for IPv6 traffic:
diagnose debug ospf6 {abr | all | appl | asbr | border-routers | flooding | interface | lsa |
lsa-debug | message | neighbor | packet-debug | route | route-debug | spf | zebra}
{enable | disable}
Use this command to display a report about the specified port for technical support:
diagnose debug packet_test <port_ID>
Example output
Send: 2, Recv: 2
Use this command to enable, show, or disable the debugging level for Protocol Independent Multicast (PIM) routing:
diagnose debug pim {all | appl | events | igmp-events | igmp-packets | igmp-trace | mroute |
packet-dump | packets | show | static | trace | zebra} {enable | disable}
NOTE: This command is available only on FortiSwitch units that have the split-port feature available.
Use this command to display the mapping between MAC addresses and ports:
diagnose debug port-mac {check-mac | list}
Variable Description
Example output
port27 27 0 08:5b:0e:f1:96:00
port28 28 0 08:5b:0e:f1:96:01
port29 29 0 08:5b:0e:f1:96:02
port30 30 0 08:5b:0e:f1:96:03
internal 31 0 08:5b:0e:f1:95:e4
Use this command to display a detailed debugging report for technical support:
diagnose debug report
Example output
----------------------------------------------------------------
Serial Number: S524DF4K15000024 Diagnose output
----------------------------------------------------------------
Use this command to reset all debugging levels to the default levels:
diagnose debug reset
Use this command to enable, show, or disable the debugging level for IPv4 Routing Information Protocol (RIP) routing:
diagnose debug rip {all | appl | events | packet-rx | packet-tx | show | zebra} {enable |
disable}
Use this command to enable, show, or disable the debugging level for IPv6 Routing Information Protocol (RIP) routing:
diagnose debug ripng {all | appl | events | packet-rx | packet-tx | show | zebra} {enable |
disable}
Use this command to enable or disable the debugging level for static routes:
diagnose debug static {all | appl} {enable | disable}
Example output
Use this command to enable, show, or disable the debugging level for the core router daemon:
diagnose debug zebra {all | appl | events | fpm | kernel | packet-rx | packet-rx-detail |
packet-tx | packet-tx-detail | rib | rib-queue | show} {enable | disable}
Use this command to get flap-guard information for all switch ports:
diagnose flapguard status
Example output
port1 disabled - - 5 30
0 -
port2 disabled - - 5 30
0 -
port3 disabled - - 5 30
0 -
port4 disabled - - 5 30
0 -
port5 disabled - - 5 30
0 -
port6 disabled - - 5 30
0 -
port7 disabled - - 5 30
0 -
port8 disabled - - 5 30
0 -
port9 enabled - 0 5 30
0 -
port10 disabled - - 5 30
0 -
port11 disabled - - 5 30
0 -
port12 disabled - - 5 30
0 -
port13 disabled - - 5 30
0 -
port14 disabled - - 5 30
0 -
port15 disabled - - 5 30
0 -
port16 disabled - - 5 30
0 -
port17 disabled - - 5 30
0 -
port18 disabled - - 5 30
0 -
port19 enabled - 30 15 10
0 -
port20 disabled - - 5 30
0 -
port21 disabled - - 5 30
0 -
port22 disabled - - 5 30
0 -
port23 disabled - - 5 30
0 -
port24 disabled - - 5 30
0 -
port25 disabled - - 5 30
0 -
port26 disabled - - 5 30
0 -
port27 disabled - - 5 30
0 -
port28 disabled - - 5 30
0 -
port29 disabled - - 5 30
0 -
port30.1 disabled - - 5 30
0 -
port30.2 disabled - - 5 30
0 -
port30.3 disabled - - 5 30
0 -
port30.4 disabled - - 5 30
0 -
diagnose hardware
Use these commands to diagnose the hardware. You must be logged in as a super user for these commands.
diagnose hardware certificate
diagnose hardware ioport {byte <value> | long <arguments> | word <arguments>}
diagnose hardware switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table
| l3-summary | l3-v6-host-table | routing-table | v6-routing-table}
diagnose hardware sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}
Variable Description
certificate Verify which certificates are present on the FortiSwitch unit and
that all installed certificates are valid.
ioport {byte <value> | long Read and write data using the input/output port.
<arguments> | word <arguments>}
Example output
diagnose ip address
Variable Description
delete <interface_name> <IPv4_ Delete an IPv4 address from the specified interface.
address>
list List all IP addresses and which interfaces they are assigned to.
Example output
diagnose ip arp
Use these commands to manage the Address Resolution Protocol (ARP) table:
diagnose ip arp add <interface_name> <IPv4_address> <MAC_address>
diagnose ip arp delete <interface_name> <IPv4_address>
diagnose ip arp flush <interface_name>
diagnose ip arp list
Variable Description
arp add <interface_name> <IPv4_ Add an Address Resolution Protocol (ARP) entry for the IP address
address> on the specified interface.
arp delete <interface_name> Delete an Address Resolution Protocol (ARP) entry for the
<IPv4_address> IP address on the specified interface.
arp flush <interface_name> Delete the ARP table for the specified interface.
Example output
update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)
diagnose ip route
Use these commands to manage static routes and the routing table:
diagnose ip route add <interface_name> <IPv4_address> <IP_network_mask>
diagnose ip route delete <interface_name> <IPv4_address>
diagnose ip route flush
diagnose ip route list [<arguments>]
diagnose ip route verify <interface_name> <IPv4_address> <IP_network_mask>
Variable Description
delete <interface_name> <IPv4_ Delete a static route from the specified interface.
address>
Example output
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng |
static | zebra}
Use these commands to display statistics for bidirectional forwarding detection (BFD), Border Gateway Protocol (BGP)
routing, Intermediate System to Intermediate System Protocol (IS-IS) routing, open shortest path first (OSPF) routing
for IPv4 traffic, OSPF routing for IPv6 traffic, Protocol Independent Multicast (PIM) routing, Routing Information
Protocol (RIP) routing for IPv4 traffic, RIP routing for IPv6 traffic, static routes, and core routing daemon:
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | | ripng | static | zebra}
cpu-usage
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}
crash-backtrace-clear
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}
crash-backtrace-read
diagnose ip router zebra fpm-counters clear
diagnose ip router zebra fpm-counters show
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}
memory-usageripng |
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra}
work-queues
Variable Description
Use these commands to send commands to various daemons in enable mode (cmd) or in configure terminal mode
(cmd-conf-term).:
diagnose ip router command bfd {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command bgp {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command isis {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf6 {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command pim {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command rip {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command static {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command zebra {cmd <arguments>| cmd-conf-term <arguments>}
Variable Description
Use this command to display information about the process launch of the core routing daemon, static routing daemon,
BGD daemon, OSPF (IPv4 and IPv6) daemons, BFD daemon, RIP daemon, IS-IS daemon, and PIM daemon:
diagnose ip router process show
Use this command to enable or disable the display of router information on the terminal:
diagnose ip router terminal-monitor {enable | disable}
diagnose ip tcp
Example
diagnose ip udp
Example
Variable Description
add <interface_name> <IPv6_ Add an IPv6 address to the specified interface. Use the following
address> format for the IPv6 address:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
delete <interface_name> <IPv4_ Delete an IPv6 address from the specified interface. Use the
address> following format for the IPv6 address:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
list List all IPv6 addresses and which interfaces they are assigned to.
multicast <interface_name> Add an IPv6 multicast address to the specified interface. Use the
<IPv6_address> following format for the IPv6 address:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
Example output
Variable Description
Variable Description
l 1 — disableIPv6 operation.
Variable Description
add <tunnel_name> <interface_ Create a tunnel between two IPv6 addresses on the specified
name> <source_IPv6_address> interface. Use the following format for the IPv6 addresses:
<destination_IPv6_address> xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Example output
Use these commands to manage the IPv6 Address Resolution Protocol (ARP) table:
diagnose ipv6 neighbor-cache add <interface_name> <IPv6_address> <MAC_address>
diagnose ipv6 neighbor-cache delete <interface_name> <IPv4_address>
diagnose ipv6 neighbor-cache flush <interface_name>
diagnose ipv6 neighbor-cache list
Variable Description
add <interface_name> <IPv6_ Add an ARP entry for the IPv6 address on the specified interface.
address>
delete <interface_name> <IPv6_ Delete an ARP entry for the IPv6 address on the specified
address> interface.
flush <interface_name> Delete the ARP table for the specified interface.
Example output
Variable Description
Example output
Variable Description
add <tunnel_name> <interface_ Create a tunnel between two IPv4 addresses on the specified
name> <source_IPv4_address> interface. Use the following format for the IPv4 addresses:
<destination_IPv4_address> XXX.XXX.XXX.XXX
Example output
Variable Description
Example output
Use this command to display which ports have loop guard enabled:
diagnose loop-guard status
To enable loop guard on a port, see config switch interface on page 94.
Example output
port1 disabled - - - - -
port2 disabled - - - - -
port3 disabled - - - - -
port4 disabled - - - - -
port5 disabled - - - - -
port6 disabled - - - - -
port7 disabled - - - - -
port10 disabled - - - - -
port11 disabled - - - - -
port12 enabled - 45 0 0 -
port13 disabled - - - - -
port14 disabled - - - - -
port15 disabled - - - - -
port16 disabled - - - - -
port17 disabled - - - - -
port18 disabled - - - - -
port19 disabled - - - - -
port20 disabled - - - - -
port21 enabled - 45 50 0 -
port22 disabled - - - - -
port24 disabled - - - - -
port25 disabled - - - - -
port26 disabled - - - - -
port27 disabled - - - - -
port28 disabled - - - - -
port29 disabled - - - - -
port30.1 disabled - - - - -
port30.2 disabled - - - - -
port30.3 disabled - - - - -
port30.4 disabled - - - - -
G100D3G15817028 disabled - - - - -
Use this command to display the option-82 setting for DHCP relay for each valid system interface:
Example output
Use this command to display the option-82 settings for DHCP snooping for a specific VLAN and FortiSwitch interface:
diagnose option82-mapping snooping <VLAN_ID> <valid_switch_interface>
Example output
diagnose settings
Variable Description
Example output
Variable Description
<interface_name | any> Enter the name of a network interface or enter any to examine packets
received on all interfaces.
<logical_filter | none> Enter a logical filter or none. Use the following format for the filter:
'[[src|dst] host<IP_address>] [[src|dst] host<IP_
address>] [[arp|ip|gre|esp|udp|tcp] [port_
number]] [[arp|ip|gre|esp|udp|tcp] [port_
number]]'
For example, to examine UDP packets received at port 1812 from host
forti1 and host forti2 or forti3:
'udp and port 1812 and host forti1 and \( forti2
or forti3 \)'
To examine TCP packets between two PCs through port 80:
diag sniffer packet internal 'host 192.168.0.130
and 192.168.0.1 and tcp port 80' 1
To examine packets with the RST flag set:
diagnose sniffer packet internal "tcp[13] & 4 !=
0"
To examine packets with the destination MAC address of
00:09:0f:89:10:ea:
diagnose sniffer packet internal "(ether
[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
available).
l 4— Include the packet header and interface name.
data.
l 6 — Include the packet header, interface name, and Ethernet
Variable Description
Example output
diagnose snmp
Variable Description
trap send Generate a trap event and send it to the SNMP daemon.
Example output
ReasmTimeout = 0
ReasmReqds = 0
ReasmOKs = 0
ReasmFails = 0
FragOKs = 0
FragFails = 0
FragCreates = 0
Use this command to display information about Multiple Spanning Tree Protocol (MSTP) instances:
diagnose stp instance list <STP_ID> <port_number>
To create an STP instance, see config switch stp instance on page 134.
Variable Description
<STP_ID> Enter the STP identifier. If you enter a higher number than the valid
range, the results for all STP instances are displayed. If no STP
identifier is specified, results for all STP instances are displayed.
<port_number> Enter the port number. If no port number is specified, results for all
physical ports are displayed.
Example output
Instance ID 0 (CST)
Config Priority 32768
Bridge MAC 085b0ef195e4, MD5 Digest 40d5eca178c657835c83bbcb16723192
Active Times Forward Time 15, Max Age 20, Remaining Hops 20
TCN Events Triggered 1 (1d 0h 19m 56s ago), Received 0 (1d 0h 19m 56s ago)
To configure an MSTP instance, see config switch stp settings on page 135.
Example output
Unit: primary
MST Configuration Name: region1
MST Configuration Revision: 1
MST Configuration Digest: ac36177f50283cd4b83821d8ab26de62
Use these commands to diagnose the interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+):
diagnose stp rapid-pvst-port clear [<port_name>]
diagnose stp rapid-pvst-port list [<port_name>]
Variable Description
clear [<port_name>] Clear all flags and timers on the RPVST+ port.
list [<port_name>] Show the status of one port or all ports. If any of the ports is in the “IC”
state, the command output gives the reason: VLAN priority
inconsistent, VLAN configuration mismatch, or both.
Use this command to display the MSTP information for a specific VLAN:
diagnose stp vlan list <VLAN_ID>
Variable Description
Example output
Instance ID : 0
Use this command to display the status of a port using IEEE 802.1x authentication:
diagnose switch 802-1x status [<port_name>]
Variable Description
[<port_name>] Enter the port name. If the port is not specified, the status of all 802.1x-
authenticated ports is returned. In the output, the value in the “Traffic-
Vlan” column is the VLAN where the client was successfully
authenticated.
To enable IEEE 802.1x authentication on a port, see config switch interface on page 94.
Example output
Sessions info:
94:10:3e:b9:12:65 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
cc:5a:53:5f:d5:16 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600
Use these commands to display information about access control lists (ACLs):
diagnose switch acl counter all
diagnose switch acl counter app <name>
diagnose switch acl counter id <policy_ID>
diagnose switch acl counter list-apps
Variable Description
id <policy_ID> List the ACL counter for this ACL policy identifier.
Example output
loop-gaurd (2049-2049)
l3-arp-req (2050-2050)
l3-arp-reply (2051-2051)
dst-mac (2052-2052)
bfd-single-hop (2053-2053)
bfd-multi-hop (2054-2054)
ospf (2055-2055)
rip (2056-2056)
mclag (2057-2057)
mclag-l3-arp-req (2058-2058)
mclag-l3-arp-reply (2059-2059)
mclag-bfd-single-hop (2060-2060)
mclag-bfd-multi-hop (2061-2061)
mclag-ospf (2062-2062)
mclag-rip (2063-2063)
fortilink (2064-2064)
fortilink-1 (2065-2065)
mclag-fortilink (2066-2066)
mclag-icl (2067-2067)
mac-sa-mcast (2068-2068)
forti-trunk (2069-2069)
vwire (2304-2367)
vwire-acl (2368-133503)
dhcp-snooping (133504-141695)
arp-snooping (141696-145792)
access-vlan (145793-149889)
network-monitor (149890-149930)
NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.
Use this command to find the hardware mapping for the specified ACL policy identifier:
diagnose switch acl hw-entry-index <id>
Variable Description
Example output
000001 896 n 7
Variable Description
Example output
Variable Description
To enable dynamic ARP inspection on a VLAN, see config switch vlan on page 140.
NOTES:
l Be careful about changing the CPU queue rate because the change is made directly to the hardware.
l After the switch is rebooted, the CPU queue rate returns to the default value.
l For the FS-108E and FS-124E families, the configured CPU queue rate has a 16-kbps granularity. Use the
diagnose switch cpuq show command to see the actual queue rate.
l For the FS-108E and FS-124E families, the CPU queue rate is more accurate with larger packets.
Use this command to display the CPU queue rate on the FSR-112D-POE, FS-1xxE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx,
and FS-3xxx families:
diagnose switch cpuq show
Use this command to change the CPU queue rate on the FSR-112D-POE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-
3xxx families:
diagnose switch cpuq rate <queue_number> <new_pps_rate>
Use this command to change the CPU queue rate on the FS-108E and FS-124E families:
diagnose switch cpuq rate <queue_number> <new_Kbps_rate>
Variable Description
rate <queue_number> <new_pps_rate> Change the CPU queue rate for the specified queue to the new
packets-per-second (PPS) rate.
diagnose switch cpuq rate <queue_ Change the CPU queue rate for the specified queue to the new Kbps
number> <new_Kbps_rate> rate.
NOTE: The number of queues, queue classifications, and default CPU queue rates can differ among the FortiSwitch
platforms.
S548DF5018000776 # diagnose switch cpuq show
Queue | Rate(pps)
----------------------
17 2000 (MIRROR/SFLOW)
18 500 (L3_DEST_MISS)
19 5000 (ARP_REQ)
20 10000 (DEFAULT)
21 1000 (NHOP)
22 8000 (DHCP/OSPF/BFD/RIP/IGMP/FORTLINK_VLAN)
23 6000 (ARP_REPLY)
24 5000 (FORTILINK/MCLAG)
25 1500 (BPDU/LOOPGUARD)
Variable Description
Example output
Use this command to display the counters for an IP-MAC binding entry:
diagnose switch ip-mac-binding entry <entry_ID>
Variable Description
Example output
Binding Entry: 1
Binding IP: 1.20.168.172 255.255.255.255
Binding MAC: 00:21:CC:D2:76:72
Status: Enabled
Statistic:
Permit packets: 0x00
Drop packets: 0x00
-----------------------------------------------------
Variable Description
mac <MAC_address> <mask> Delete entries for the specified MAC address and mask.
Use this command to display all IP source-guard entries. Static entries were manually added by the config switch
ip-source-guard command. Dynamic entries were added by DHCP snooping.
diagnose switch ip-source-guard hardware entry list
Variable Description
delete {all | entry Delete all MAC address entries or a specific MAC address entry.
<xx:xx:xx:xx:xx:xx>}
filter clear Delete the filter for the MAC address table list.
filter flags <flag bit pattern> Specify the flag bit pattern to match. Use this pattern to mask
important bits. This value is hexadecimal.
filter port-id-map <port-ID list> List the port identifiers to display MAC addresses for. Separate the
port identifiers with commas. For example: 1,3,5-17,19
filter show Display the filter for the MAC address table list.
Variable Description
filter trunk-id-map <trunk-ID list> List the trunk identifiers to display MAC addresses for. Separate the
trunk identifiers with commas. For example: 1,2-4,77
filter vlan-map <VLAN_list> List the VLAN identifiers to display MAC addresses for. Separate the
VLAN identifiers with commans. For example: 1,2-4,77
list List the MAC address entries and the total number of entries.
Example output
Total Displayed: 2
Total MACs : 30
MAC-1 : 08:5b:0e:f1:95:e6
MAC-2 : 08:5b:0e:f1:95:e8
MAC-3 : 08:5b:0e:f1:95:ea
MAC-4 : 08:5b:0e:f1:95:ec
MAC-5 : 08:5b:0e:f1:95:ee
MAC-6 : 08:5b:0e:f1:95:f0
MAC-7 : 08:5b:0e:f1:95:f2
MAC-8 : 08:5b:0e:f1:95:f4
MAC-9 : 08:5b:0e:f1:95:f6
MAC-10 : 08:5b:0e:f1:95:f8
MAC-11 : 08:5b:0e:f1:95:fa
MAC-12 : 08:5b:0e:f1:95:fc
MAC-13 : 08:5b:0e:f1:95:fe
MAC-14 : 08:5b:0e:f1:96:00
MAC-15 : 08:5b:0e:f1:96:02
MAC-16 : 08:5b:0e:f1:95:e7
MAC-17 : 08:5b:0e:f1:95:e9
MAC-18 : 08:5b:0e:f1:95:eb
MAC-19 : 08:5b:0e:f1:95:ed
MAC-20 : 08:5b:0e:f1:95:ef
MAC-21 : 08:5b:0e:f1:95:f1
MAC-22 : 08:5b:0e:f1:95:f3
MAC-23 : 08:5b:0e:f1:95:f5
MAC-24 : 08:5b:0e:f1:95:f7
MAC-25 : 08:5b:0e:f1:95:f9
MAC-26 : 08:5b:0e:f1:95:fb
MAC-27 : 08:5b:0e:f1:95:fd
MAC-28 : 08:5b:0e:f1:95:ff
MAC-29 : 08:5b:0e:f1:96:01
MAC-30 : 08:5b:0e:f1:96:03
Use this command to display MACsec traffic statistics for the specified port. If no port is specified, statistics for all ports
are returned.
diagnose switch macsec statistics [<port_name>]
Use this command to display the MACsec status of the specified port. If no port is specified, the status for all ports is
returned.
diagnose switch macsec status [<port_name>]
Use this command to display information about the FortiSwitch unit when it is managed by a FortiGate unit:
diagnose switch managed-switch dump xlate-vlan
Variable Description
clear-stats {all | icl | mclag} Delete statistics for all MCLAGs, delete MCLAG ICLs, or delete the
statistics for the MCLAG with the specified trunk.
Variable Description
list <trunk_name> Display statistics for the MCLAG with the specified trunk.
Example output
MCLAG-ICL-trunk
icl-ports port15 port16
egress-block-ports none
interface-mac 08:5b:0e:f1:95:e5
lacp-serial-number S524DF4K15000024
peer-info N/A
keepalive interval 1
keepalive timeout 30
Counters
Use these commands to manage switch mirroring using ERSPAN encapsulation with automatically configured header
contents:
diagnose switch mirror auto-config restart
diagnose switch mirror auto-config status
Variable Description
Example output
Config:
Last good config update: never
Route Lookup:
Last good route update: never
Hardware updates:
Last good update: never
Last failed update: never
Last update return: 0:Success.
Resolved/Running state:
Last entered: never
Last left: never
Use this command to display information about the driver-level and hardware-level switch mirroring:
diagnose switch mirror hardware status
Example output
[flink.sniffer]===========================
Installed : no ( inactive)
Use these commands to display information about physical layer (PHY) modules:
diagnose switch modules eeprom <physical_port_name>
diagnose switch modules state-machine <physical_port_name>
Variable Description
trap send Generate a trap event and send it to the SNMP daemon.
Example output
DMI Status
----------------------------------
monitor_interval 10 minutes
next_monitor_in 0:44
dmi_trace 0
alarm_trap_enabled 0
num_ports 30
mod_pres 0x0000000000000000
mod_rxlos 0x0000000000000000
state_runs 62380
state_transitions 6
Variable Description
Example output
Tcp : 0
Dhcp : 0
Eapol : 0
Unsupported : 0
Use these commands to manage information from switch packet PDU counters:
diagnose switch pdu-counters clear
diagnose switch pdu-counters list
Variable Description
Example output
Use this command to display the results of a time-domain reflectometer (TDR) diagnostic test on the specified port.
Example output
Use this command to display the number of packets received and transmitted on the specified ports as well as the data
rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports datarate [<port_list>]
Example output
ctrl-c to stop
Use this command to display whether the specified port has energy-efficient Ethernet (EEE) enabled. If the port is not
specified, the status of all ports is displayed.
diagnose switch physical-ports eee-status [<port_name>]
Example output
----------------------------------------------------------------------------------------------
----
port9 Enabled Inactive Inactive 0 0 0
0
Variable Description
hw-counter add {rx | tx} <counter_id> Add trigger flags to a specified counter.
<counter|counter|counter...>
hw-counter info Display the supported trigger flags (RX and TX).
hw-counter remove {rx | tx} <counter_ Remove trigger flags from the specified counters.
id> <counter|counter|counter...>
hw-counter search <port_name> Retrieve the data for the specified triggers on a specified port
<interval_seconds> within the interval in seconds.
<counter|counter|counter...>
hw-counter show {rx | tx | all} <port_ Show all trigger flags and statistics on a specified port.
name>
Example output
Variable Description
io-stats clear-local <port_list> Delete the statistics for input and output packets for the specified
ports. Use commas to separate ports. For example: 1,3,4-6
io-stats cumulative Display the cumulative statistics for input and output packets for all
ports.
io-stats list [<port_list>] List the statistics for input and output packets for the specified ports.
If the ports are not specified, the statistics for all ports are displayed.
Example output
Use this command to flash all port LEDs on and off for a specified number of minutes so that a particular switch can be
identified. Valid times are 5, 15, 30, or 60 minutes. Use disable to stop the LEDs from flashing.
diagnose switch physical-ports led-flash disable
diagnose switch physical-ports led-flash {5 | 15 | 30 | 60}
Use this command to display the number of packets received and transmitted on the specified ports as well as the line
rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports linerate [<port_list>]
Example output
ctrl-c to stop
Use this command to display the details for the specified port. If the port is not specified, the details for all ports are
displayed.
diagnose switch physical-ports list [<port_name>]
Example output
Use this command to display which drivers are associated with which ports:
diagnose switch physical-ports mapping
Example output
Use this command to display whether a specified port is a medium-dependent interface crossover (MDIX) port:
diagnose switch physical-ports mdix-status <port_name>
Example output
Use these commands to list port statistics for the specified ports or list port statistics that are not zero. Use commas to
separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports port-stats [<port_list> | non-zero]
Example output
Rx Bytes: 0
Rx Packets: 0
Rx Unicasts: 0
Rx NUnicasts: 0
Rx Multicasts: 0
Rx Broadcasts: 0
Rx Discards: 0
Rx Errors: 0
Rx Oversize: 0
Rx Pauses: 0
Rx IPMC Dropped: 0
Rx 64 Octets Packets: 0
Rx 65-127 Octets Packets: 0
Rx 128-255 Octets Packets: 0
Rx 256-511 Octets Packets: 0
Rx 512-1023 Octets Packets: 0
Rx 1024-1518 OctetsPackets: 0
Rx 1519-2047 Octets Packets: 0
Rx 2048-4095 Octets Packets: 0
Rx 4096-9216 Octets Packets: 0
Rx 9217-16383 Octets Packets: 0
Rx L3 Packets: 0
Tx Bytes: 0
Tx Packets: 0
Tx Unicasts: 0
Tx NUnicasts: 0
Tx Multicasts: 0
Tx Broadcasts: 0
Tx Discards: 0
Tx Errors: 0
Tx Oversize: 0
Tx Pauses: 0
Tx IPMC Dropped: 0
Tx 64 Octets Packets: 0
Tx 65-127 Octets Packets: 0
Tx 128-255 Octets Packets: 0
Tx 256-511 Octets Packets: 0
Tx 512-1023 Octets Packets: 0
Tx 1024-1518 Octets Packets: 0
Tx 1519-2047 Octets Packets: 0
Tx 2048-4095 Octets Packets: 0
Tx 4096-9216 Octets Packets: 0
Tx 9217-16383 Octets Packets: 0
Fragments: 0
Undersize: 0
Jabbers: 0
Collisions: 0
CRC Alignment Errors: 0
IPMC Bridged: 0
IPMC Routed: 0
----------------------------------------------------------------------------------
Use these commands to display real-time egress QoS queue rates, including the data rate, line rate, and drop rate:
diagnose switch physical-ports qos-rates clear <port_list>
diagnose switch physical-ports qos-rates list [<port_list>]
diagnose switch physical-ports qos-rates non-zero
Variable Description
qos-rates clear <port_list> Delete the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are deleted.
qos-rates list [<port_list>] Display the real-time egress QoS queue rates for the specified ports. If
the ports are not specified, the rates for all ports are displayed. Press
Ctrl+c to stop the output.
qos-stats non-zero Display only the real-time egress QoS queue rates that are not zero.
Press Ctrl+c to stop the output.
Example output
---------------------------- ---------------------------------------------
---------------------------- ---------------------------------------------
--------------------------- ---------------------------------------------
ctrl-c to
port6 QoS Rates:
ctrl-c to stop
^C
Variable Description
qos-stats clear [<port_list>] Delete the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are deleted.
qos-stats list [<port_list>] Display the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are displayed.
qos-stats non-zero List only QoS statistics that are not zero.
Variable Description
qos-stats set-qos-counter-revert Restore QoS counters to direct hardware values for the specified
[<port_list> ] ports. Use commas to separate ports. If the ports are not specified,
the command affects all ports.
qos-stats set-qos-counter-zero Clear QoS counters (applies to all applications except SNMP) for the
[<port_list>] specified ports. Use commas to separate ports. If the ports are not
specified, the command affects all ports.
Example output
queue | ucast drop pkts | ucast drop bytes | mcast drop pkts | mcast drop bytes
----------------------------------------------------------------------------------
0 | 0 | 0 | 0 | 0
1 | 0 | 0 | 0 | 0
2 | 0 | 0 | 0 | 0
3 | 0 | 0 | 0 | 0
4 | 0 | 0 | 0 | 0
5 | 0 | 0 | 0 | 0
6 | 0 | 0 | 0 | 0
7 | 0 | 0 | 0 | 0
----------------------------------------------------------------------------------
Use these commands to display the bandwidth setting (kbps or percentage) for the egress queues. If the ports are not
specified, the bandwidth setting for all egress queues are displayed.
diagnose switch physical-ports queue-bandwidth-setting [<port_list>]
Example output
Use this command to restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports.
Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-revert [<port_list>]
Use this command to clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports.
Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-zero [<port_list>]
Example output
Variable Description
stats clear-local <port_list> Delete the statistics for received and transmitted packets for the
specified ports for only the local session. Use commas to separate
ports. For example: 1,3,4-6
stats list [<port_list>] List the statistics for received and transmitted packets for the specified
ports. Use commas to separate ports. If the ports are not specified, the
statistics for all ports are displayed.
stats non-zero List the statistics for counters that are not zero.
Example output
port30 | 0 | 0 || 0 | 0 | 0 |
internal | 393 | 9343000 || 0 | 0 | 0 |
Use this command to display a summary about the specified physcial port. If the port is not specified, summaries for all
ports are displayed.
diagnose switch physical-ports summary [<port_name>]
Example output
Example output
Use this command to display power over Ethernet (PoE) information for a specific port:
diagnose switch poe status <physicial_port_name>
Variable Description
Example output
Use this command to add an estimated link delay in nanosecods to the specified poort. Adding a link delay helps with
debugging, and the setting is cleared when the switch is rebooted:
diagnose switch ptp port add-link-delay <port_name> <estimated_link_delay>
Example output
Use this command to display link-delay information for the specified port:
diagnose switch ptp port get-link-delay <port_name>
Example output
Use this command to display information about the VLAN stacking (QinQ) configuation:
diagnose switch qnq dtag-cfg
Example output
Port Name | QinQ Mode | Add Inner-Tag | Remove Inner-Tag | Priority | Ether-
Type
======================================================================================
port39 | customer | add (vid 456) | enable | follow-s-tag | 0x8100
Variable Description
[<trunk_name>] Display link aggregation information for the specified trunk. If the trunk
is not specified, link aggregation information for all trunks is displayed.
Example output
port1 BLOCK
port2 BLOCK
port15 BLOCK
port16 BLOCK
status: down
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 08:5b:0e:f1:95:f4
partner key: 1
partner MAC address: 00:00:00:00:00:00
slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1
slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2
port2 BLOCK
Variable Description
[<trunk_name>] Display a summary of the link aggregation information for the specified trunk. If
the trunk is not specified, a summary for all trunks is displayed.
Example output
Variable Description
assignment ether-proto flush Delete all VLAN entries assigned by Ethernet frame type and
protocol.
assignment ether-proto list Display VLAN assignments by Ethernet frame type and protocol. Use
[{sorted-by-protocol | sorted-by- sorted-by-protocol to list VLAN entries by protocol. Use
vlan}] sorted-by-vlan to list VLAN entries by the VLAN identifier.
assignment ipv4 flush Delete all VLAN entries assigned by IPv4 address or subnet.
assignment ipv4 list [{sorted-by- Display VLAN assignments by IPv4 address or subnet. Use
address | sorted-by-vlan}] sorted-by-address to list VLAN entries by the mask length and
IP address. Use sorted-by-vlan to list VLAN entries by the
VLAN identifier.
assignment ipv6 flush Delete all VLAN entries assigned by IPv6 address or subnet.
assignment ipv6 list [{sorted-by- Display VLAN assignments by IPv6 address or subnet. Use
address | sorted-by-vlan}] sorted-by-address to list VLAN entries by the mask length and
IP address. Use sorted-by-vlan to list VLAN entries by the
VLAN identifier.
assignment mac flush Delete all VLAN entries assigned by MAC address.
assignment mac list [{sorted-by- Display VLAN assignments by MAC address. Use sorted-by-mac
mac | sorted-by-vlan}] to list VLAN entries by the MAC address. Use sorted-by-vlan to
list VLAN entries by the VLAN identifier.
list [<VLAN_ID>] Display which ports are assigned to the specified VLAN identifier. If
the VLAN identifier is not specified, the information for all VLAN
identifiers is displayed.
Example output
Private-VLANs:
Use the following command to check the VLAN mapping on an interface for the egress direction:
diagnose switch vlan-mapping egress hardware-entry
Use the following command to check the VLAN mapping on an interface for the ingress direction:
diagnose switch vlan-mapping ingress hardware-entry
Use the following command to check which tables are using the entry:
diagnose sys checkused <path.object.mkey>
Variable Description
Example output
Use this command to display information about which CPU set uses a specific process:
diagnose sys cpuset <process_ID> <CPU_set_mask>
Variable Description
<process_ID> <CPU_set_mask> Specify the process identifier and CPU set mask to find out which
CPU set uses the process.
Example output
Example output
Module Status
___________________________________
Fan OK
Fan speed is set to 50.0%.
Variable Description
list [<file>] Display statistics for a file or directory in flash memory. If no file or
directory is specified, statistics for all flash memory are returned.
Example output
Variable Description
Use these commands to manage the SSL tunnel for FortiSwitch cloud management:
diagnose sys fsw-cloud-mgr close-access-socket
diagnose sys fsw-cloud-mgr shutdown-ssl
Variable Description
close-access-socket Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud
management by closing the socket.
shutdown-ssl Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud
management by sending a SSL_SHUTDOWN request.
Variable Description
To find out which processes are currently running, see diagnose sys vlan list on page 296.
To configure the link health monitor, see config system link-monitor on page 187.
Variable Description
status {entry | all} Display information about a specified link-monitor entry or all link-
monitor entries.
Variable Description
<delay> <loops> Display information about the CPU use after the specified number of
seconds (default is 5) and for the specified number of loops (default is
1,000,000). If the values for <delay> <loops> are not specified, there is
no delay, and the output continues until a key is pressed.
Example output
Use this command to display the configuration of the Network Time Protocol (NTP) servers:
diagnose sys ntp status
To configure the NTP servers, see config system ntp on page 192.
Use this command to display the printed circuit board (PCB) temperature:
diagnose sys pcb temp
Example output
Module Status
__________________________________
Sensor1 42.0 C
Variable Description
To find out which processes are currently running, see diagnose sys vlan list on page 296.
Use this command to display information about the power supply unit (PSU):
diagnose sys psu status
Example output
PSU1 is OK.
PSU2 is not present.
Use this command to list the processes currently running on your FortiSwitch unit:
diagnose sys top <delay> <lines>
Variable Description
<delay> <lines> Enter the number of seconds to delay (the default is 5) and the
maximum lines of output (the default is 20).
In the output, the codes displayed on the second output line mean the following:
l U is % of user space applications using CPU. In the example, 0U means 0% of the user space applications are
using CPU.
l S is % of system processes (or kernel processes) using CPU. In the example, 0S means 0% of the system
processes are using the CPU.
l I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
l T is the total FortiOS system memory in Mb. In the example, 123T means there are 123 Mb of system memory.
l F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.
Each additional line of the command output displays the following information for each of the processes running on the
FortiSwitch (from left to right):
l Process name
l Process identifier
l State that the process is running in. The process state can be:
o R for running
o S for sleep
o Z for zombie
l Amount of CPU that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher
values for a process that is taking a lot of CPU time.
l Amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher.
Example output
Variable Description
dnsproxy <test_level> Specify the test level for the DNS proxy daemon:
1. Clear DNS cache.
2. Show statistics.
3. Dump DNS setting.
4. Reload the fully qualified domain name (FQDN).
5. Requery the FQDN.
6. Dump the FQDN.
fpmd <test_level> Specify the test level for the hardware offload daemon.
radiusd <test_level> Specify the test level for the RADIUS daemon:
l 2: Clear the RADIUS server database.
l 99: Restart.
sflowd <test_level> Specify the test level for the sFlow daemon:
l 1: Show collector setting.
l 2: Show state.
snmpd <test_level> Specify the test level for the SNMP daemon:
l 1: Display daemon process identifier.
Variable Description
Example output
Variable Description
ldap <server_name> <user_ Test the connection to an LDAP server. For the server_name, use
name> <password> the name of the LDAP object, not the LDAP server name. Use
credentials that you have used in the LDAP object itself.
Variable Description
radius <server_name> <chap | pap Test the connection to the RADIUS server.
| mschap | mschap2> <user_
name> <password>
radius-direct <server_name _or_ Test the connection to the RADIUS server. For the port number,
IP_address> <port_number> enter -1 to use the default port. Otherwise, enter the port number
<secret> to check.
Use this command to display information about RADIUS authentication and RADIUS accounting:
diagnose user radius coa
To configure RADIUS authentication and RADIUS accounting, see config user radius on page 210.
Use the execute commands perform immediate operations on the FortiSwitch unit:
l execute 802-1x clear interface on page 300
l execute acl clear-counter on page 301
l execute acl key-compaction on page 301
l execute backup config on page 302
l execute acl key-compaction on page 301
l execute backup memory on page 303
l execute batch on page 304
l execute bpdu-guard on page 305
l execute cfg reload on page 305
l execute cfg save on page 306
l execute clear switch igmp-snooping on page 307
l execute clear switch mld-snooping on page 307
l execute clear system arp table on page 307
l execute cli check-template-status on page 307
l execute cli status-msg-only on page 307
l execute date on page 308
l execute dhcp lease-clear on page 308
l execute dhcp lease-list on page 309
l execute dhcp-snooping on page 309
l execute disconnect-admin-session on page 310
l execute factoryreset on page 310
l execute factoryresetfull on page 310
l execute flapguard reset on page 311
l execute interface dhcpclient-renew on page 311
l execute interface dhcp6client-renew on page 311
l execute interface pppoe-reconnect on page 312
l execute license add on page 312
l execute license enhanced-debugging on page 312
l execute license status on page 313
l execute log delete on page 313
l execute log delete-all on page 313
l execute log display on page 314
l execute log filter on page 314
l execute log-report reset on page 315
l execute factoryresetfull on page 310
l execute mac clear on page 315
l execute mac-limit-violation reset on page 316
l execute macsec clearstat interface on page 317
l execute macsec reset interface on page 317
Example
Use this command to clear the ACL counters associated with the specified policy:
execute acl clear-counter {all | ingress | egress | prelookup}
Variable Description
Example
Variable Description
ingress Delete the unused classifiers for ingress policies for the
specified group.
egress Delete the unused classifiers for egress policies for the
specified group.
prelookup Delete the unused classifiers for lookup policies for the
specified group.
Variable Description
Example
Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash
disk, FTP server, or TFTP server.
Syntax
Variable Description
config flash <comment> Back up the system configuration to the flash disk. Optionally, include a
comment.
config ftp <filename_str> <server_ipv4 Back up the system configuration to an FTP server.
[:port_int] | server_fqdn[:port_int]> Optionally, you can specify a password to protect the saved data.
[<username_str> [<password_str>]]
[<backup_password_str>]
config tftp <filename_str> <server_ Back up the system configuration to a file on a TFTP server. Optionally,
ipv4> [<backup_password_str>] you can specify a password to protect the saved data.
Example
This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
Use the execute backup full-config commands to back up the full FortiSwitch configuration to a TFTP or FTP
server.
Syntax
Variable Description
full-config ftp <filename_str> <server_ipv4 Back up the full system configuration to a file on an FTP server. You
[:port_int] | server_fqdn[:port_int]> can optionally specify a password to protect the saved data.
[<username_str> [<password_str>]]
[<backup_password_str>]
full-config tftp <filename_str> <server_ipv4> Back up the full system configuration to a file on a TFTP server. You
[<backup_password_str>] can optionally specify a password to protect the saved data.
Example
This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP
address 192.168.1.23.
execute backup full-config tftp fgt.cfg 192.168.1.23
Use the execute backup memory commands to back up the FortiSwitch logs to a TFTP or FTP server.
Syntax
Variable Description
memory alllogs ftp <server_ipv4[:port_int] | Back up either all memory or all hard disk log files for to an FTP
server_fqdn[:port_int]> [<username_str> server. The disk option is available on FortiSwitch models that log to
<password_str>] a hard disk.
Variable Description
memory alllogs tftp <server_ipv4> Back up either all memory or all hard disk log files for this FortiSwitch
to a TFTP server. he disk option is available on FortiSwitch models
that log to a hard disk.
memory log ftp <server_ipv4[:port_int] | Back up the specified type of log file from either hard disk or memory
server_fqdn[:port_int]> <username_str> to an FTP server.
<password_str> {app-ctrl | event | ids | im | The disk option is available on FortiSwitch models that log to a hard
spam | virus | voip | webfilter} disk.
memory log tftp <server_ipv4> {app-ctrl | Back up the specified type of log file from either hard disk or memory
event | ids | im | spam | virus | voip | webfilter} to an FTP server.
The disk option is available on FortiSwitch models that log to a hard
disk.
Example
This example shows how to back up all FortiSwitch log files to a file named fgt.cfg on a TFTP server at IP address
192.168.1.23.
execute backup memory alllogs tftp fgt.cfg 192.168.1.23
execute batch
Syntax
Example
execute bpdu-guard
Use this command to reset a port that goes down after receiving a BPDU:
execute bpdu-guard reset {internal | port<number>}
Example
This example shows how to reset port 1 after it receives a BPDU and goes down:
execute bpdu-guard reset port1
Use this command to restore the saved configuration when the configuration change mode is manual or revert. This
command has no effect if the mode is automatic, the default. The set cfg-save command in system global
sets the configuration change mode.
When you reload the saved system configuration, the your session ends and the FortiSwitch performs a restart.
In the default configuration change mode, automatic, CLI commands become part of the saved system configuration
when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the
execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes
that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the interface you are using for administration. You set the
timeout in system global using the set cfg-revert-timeout command.
Syntax
Example
Use this command to save configuration changes when the configuration change mode is manual or revert. If the
mode is automatic, the default, all changes are added to the saved configuration as you make them and this
command has no effect. The set cfg-save command in system global sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the
execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes
that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the interface you are using for administration. To change the
timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout
command.
Syntax
Example
Use this command to clear the learned and configured IPv4 multicast groups from the FortiSwitch unit.
Syntax
Use this command to clear the learned and configured IPv6 multicast groups from the FortiSwitch unit.
Syntax
Use this command to cslear all the entries in the ARP table.
Syntax
Use this command to report the status of the secure copy protocol (SCP) script template.
Syntax
Use this command to enable or disable the display of standardized CLI error output messages. If executed, this
command stops other debug messages from displaying in the current CLI session.
Syntax
execute date
Syntax
Example
lease-clear Clear the DHCP leases for the specified IPv4 No default
<xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...> addresses. Use a comma to separate IPv4
addresses.
Example
This example shows how to clear all DHCP leases on the specified IPv4 addresses:
execute dhcp lease-clear 1.2.3.4,5.6.7.8
lease-list <interface> List the DHCP leases for the specified interface. No default
Example
execute dhcp-snooping
Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:
execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>
execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>
<VLAN-ID> Enter the VLAN identifier. The value range is 1-4095. No default
<xx:xx:xx:xx:xx:xx> Enter the MAC address for the IP address to remove. No default
Example
This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address
01:23:45:67:89:01 from the DHCP-snooping client database:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01
execute disconnect-admin-session
Syntax
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with
the following command:
execute disconnect-admin-session ?
Example
execute factoryreset
Use this command to reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryreset
This procedure deletes all changes that you have made to the FortiSwitch
configuration and reverts the system to its original configuration, including resetting
interface addresses.
execute factoryresetfull
Use this command to fully reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryreset
This procedure removes all configurations, saved user and application data, and
licenses and resets the BIOS environment to the default. Images saved to the
partitions are not removed.
Use this command to reset the specified port if flap guard was triggered on that port:
execute flapguard reset <port_name>
Example
This example shows how to reset port 1 after flap guard was triggered on it:
execute flapguard reset port1
Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no
DHCP connection on the specified port, there is no output.
Syntax
Example output
This is the output for renewing the DHCP client on port 1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is
no DHCPv6 connection on the specified port, there is no output.
Syntax
Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If
there is no PPPoE connection on the specified port, there is no output.
Syntax
Syntax
Use this command to get information about the enhanced debugging license or to remove it.
Syntax
Variable Description
Example output
Syntax
Example output
Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.
Syntax
Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk,
only log entries in system memory are cleared. You will be prompted to confirm the command.
Syntax
Use this command to display log messages that you have selected with the execute log filter command.
Syntax
The console displays the first 10 log messages. To view more messages, run the command again. You can do this until
you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following
commands:
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the following command:
execute log filter reset
Use this command to select log messages for viewing or deletion. You can view one log category on one device at a
time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For
traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to view.
execute log filter category <category_name>
execute log filter device {memory | faz | fds}
execute log filter dump
execute log filter field <name>
execute log filter ha-member <unitsn_str>
execute log filter max-checklines <int>
execute log filter reset
execute log filter start-line <line_number>
execute log filter view-lines <count>
category <category_name> Enter the type of log you want to select. event
For SQL logging and memory logging, one of:
utm, content, event, or traffic
device {memory | faz | fds} Device where the logs are stored. memory
field <name> Press Enter to view the fields that are available for the No default
associated category. Enter the fields you want, using commas
to separate multiple fields.
ha-member <unitsn_str> Select logs from the specified HA cluster member. Enter the No default
serial number of the system.
max-checklines <int> Set maximum number lines to check. Range 100 to 1,000,000. No default
A value of 0 disables the feature.
start-line <line_number> Select logs starting at specified line number. The value must 1
be 1 or higher.
view-lines <count> Set lines per view. The value range is 5 to 1000. 10
Use this command to delete all logs, archives, and user configured report templates.
Syntax
Use this command to reset a port that has been put out of service by loop-guard.
execute loop-guard reset <interface>
Example
This example shows how to reset port 1 after loop guard was triggered on it:
execute loop-guard reset port1
Syntax
Variable Description
by-mac-address <mac_address> Clear all MAC entries for a specified MAC address.
by-vlan-and-interface <vlan_int> Clear all MAC entries for a specified VLAN on a specified interface.
<interface>
by-vlan-and-mac-address <vlan_int> Clear all MAC entries for a specified VLAN that match the specified MAC
<mac_address> address.
Syntax
Variable Description
interface <interface_name> Clear the learning limit violation log for a specific interface.
vlan <VLAN_ID> Clear the learning limit violation log for a specific VLAN.
Example
This example shows how to clear the learning limit violation log for VLAN 5:
execute mac-limit-violation reset vlan 5
Syntax
Example
Syntax
Example
execute ping
The execute ping command sends one or more ICMP echo request (ping) to test the network connection between
the FortiSwitch and another network device.
Syntax
<address_ipv4> is an IP address.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
#execute ping 172.20.120.16
execute ping-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection
between the FortiSwitch and another network device.
Syntax
df-bit {yes | no} Set df-bit to yes to prevent the ICMP packet from being no
fragmented. Set df-bit to no to allow the ICMP packet to be
fragmented.
interface {Auto | <outgoing_ Specify the source interface or select auto for the source auto
interface>} interface to be automatically assigned.
interval <seconds> Specify the number of seconds between two pings. The value No default
must be greater than 0.
pattern <2-byte_hex> Used to fill in the optional data buffer at the end of the ICMP No default
packet. The size of the buffer is specified using the data_
size parameter. This allows you to send out packets of
different sizes for testing the effect of packet size on the
connection.
source Specify the FortiSwitch interface from which to send the ping. auto
{auto | <source-intf_ip>} If you specify auto, the system selects the source address and
interface based on the route to the <host-name_str> or
<host_ip>. Specifying the IP address of a FortiSwitch
interface tests connections to different network segments from
the specified interface.
timeout <seconds> Specify, in seconds, how long to wait until ping times out. 2
tos <service_type> Set the ToS (Type of Service) field in the packet header to 0
provide an indication of the quality of service wanted:
l lowdelay — minimize delay
ttl <hops> Specify the time to live. Time to live is the number of hops the 64
ping packet should be allowed to make before being discarded
or returned.
Example
Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:
execute ping-options source 192.168.10.23
execute ping6
The ping6 command sends one or more ICMP echo request (ping) to test the network connection between the
FortiSwitch and an IPv6-capable network device.
Syntax
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
execute ping6-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection
between the FortiSwitch and an IPv6-capable network device.
Syntax
df-bit {yes | no} Set df-bit to yes to prevent the ICMP packet from being no
fragmented. Set df-bit to no to allow the ICMP packet to be
fragmented.
interval <seconds> Specify the number of seconds between two pings. The value No default
must be greater than 0.
pattern <2-byte_hex> Used to fill in the optional data buffer at the end of the ICMP No default
packet. The size of the buffer is specified using the data_
size parameter. This allows you to send out packets of
different sizes for testing the effect of packet size on the
connection.
source Specify the FortiSwitch interface from which to send the ping. auto
{auto | <source-intf_ip>} If you specify auto, the system selects the source address and
interface based on the route to the <host-name_str> or
<host_ip>. Specifying the IP address of a FortiSwitch
interface tests connections to different network segments from
the specified interface.
timeout <seconds> Specify, in seconds, how long to wait until ping times out. 2
tos <service_type> Set the ToS (Type of Service) field in the packet header to 0
provide an indication of the quality of service wanted:
l lowdelay — minimize delay
ttl <hops> Specify the time to live. Time to live is the number of hops the 64
ping packet should be allowed to make before being discarded
or returned.
Example
execute poe-reset
Syntax
Example
execute reboot
Abruptly powering off your system may corrupt its configuration. Use the reboot or
shutdown commands to ensure proper shutdown procedures are followed to
prevent any loss of configuration.
Syntax
[comment <“comment_string”>]enables you to optionally add a message that will appear in the hard disk log
indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotation marks.
Example
execute restore
Use this command to restore a configuration, firmware, or IPS signature file. The following options are available:
l restore the configuration from a file
l change the FortiSwitch firmware
l restore the bios from a file
When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that
created it.
A backup of the system configuration from the super admin account contains the global settings and the settings for all
of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which
the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
Variable Description
bios tftp <filename_str> <server_ipv4[:port_ Restore the BIOS. Download the restore file from a TFTP server.
int]>
config flash <revision> Restore the specified revision of the system configuration from the
flash disk.
config ftp <filename_str> <server_ipv4[:port_ Restore the system configuration from an FTP server. The new
int] | server_fqdn[:port_int]> [<username_ configuration replaces the existing configuration, including
str> <password_str>] [<backup_password_ administrator accounts and passwords.
str>] If the backup file was created with a password, you must specify the
password.
config tftp <filename_str> <server_ipv4> Restore the system configuration from a file on a TFTP server. The
[<backup_password_str>] new configuration replaces the existing configuration, including
administrator accounts and passwords.
If the backup file was created with a password, you must specify the
password.
image ftp <filename_str> <server_ipv4 Download a firmware image from an FTP server to the FortiSwitch
[:port_int] | server_fqdn[:port_int]> unit. The FortiSwitch unit reboots, loading the new firmware.
[<username_str> <password_str>] This command is not available in multiple VDOM mode.
image management-station <version_int> Download a firmware image from the central management station.
This is available if you have configured a FortiManager unit as a
central management server. This is also available if your account
with FortiGuard Analysis and Management Service allows you to
upload firmware images.
image tftp <filename_str> <server_ipv4> Download a firmware image from a TFTP server to the FortiSwitch
unit. The FortiSwitch unit reboots, loading the new firmware.
secondary-image ftp <filename_str> Download a firmware image from an FTP server to the FortiSwitch
<server_ipv4[:port_int] | server_fqdn[:port_ unit. The FortiSwitch unit saves the new firmware image in the
int]> [<username_str> <password_str>] secondary image partition.
secondary-image tftp <filename_str> Download a firmware image from a TFTP server to the FortiSwitch
<server_ipv4> unit. The FortiSwitch unit saves the new firmware image in the
secondary image partition.
Example
This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch
with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the
TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
execute revision
Use this command to manage configuration and firmware image files on the local disk.
Syntax
Variable Description
delete config <revision> Delete the specified configuration revision on the local disk.
show config Display the details of the configuration revision on the local disk.
Example
Use the following command to delete revision 1 of the configuration file on the local disk:
execute revision delete config 1
Syntax
Variable Description
Variable Description
Example
Use this command to clear the OSPF routing configuration from the specified interface.
Syntax
Example
Use the following command to delete the OSPF routing configuration from the VLAN interface:
execute router clear ospf interface vlan20
Use this command to display the specified routing configuration and troubleshooting information.
Syntax
Example
Use the following command to display the BGP routing configuration and troubleshooting information:
execute router tech-support bgp
execute set-next-reboot
Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the
primary or the secondary flash partition.
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.
Syntax
Example
This example specifies that the next reboot will use the secondary flash partition:
execute set-next-reboot secondary
Set next reboot partition to secondary
execute shutdown
Use this command to shut down the system immediately. You will be prompted to confirm this command.
Abruptly powering off your system might corrupt its configuration. Using the reboot
and shutdown options in the CLI or in the Web-based manager ensure proper
shutdown procedures are followed to prevent any loss of configuration.
Syntax
The comment field is optional. Use it to add a message that will appear in the event log message that records the
shutdown. The comment message does not appear on the Alert Message console. If the message is more than one
word it must be enclosed in quotation marks.
Example
Syntax
Variable Description
execute ssh
Syntax
Examples
execute stage
Syntax
image is the image file name (including path) on the remote server.
execute sticky-mac
Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a
FortiSwitch port changes (goes down or up).
Syntax
Variable Description
delete-unsaved {all | interface <interface_name>} Delete all persistent MAC entries (instead of saving them in
the FortiSwitch configuration file) for all interfaces or for the
specified interface.
save {all | interface <interface_name>} Save all persistent MAC entries in the FortiSwitch
configuration file for all interfaces or for the specified
interface.
Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch is
managed by a FortiGate.
Syntax
Example
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate
from the FortiSwitch to a TFTP server.
Before using this command, you must obtain a CA certificate issued by a Certificate Authority.
Syntax
Variable Description
import Import the CA certificate from a TFTP server to the FortiSwitch unit.
export Export or copy the CA certificate from the FortiSwitch to a file on the TFTP
server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_
G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2.
tftp Import the CA certificate to the FortiSwitch from a file on a TFTP server (local
administrator PC).
Use this command to get a certificate revocation list via LDAP, HTTP, or SCEP protocol, depending on the
autoupdate configuration.
To use this command, the authentication servers must already be configured.
Syntax
Variable Description
import Import the CRL from the configured LDAP, HTTP, or SCEP authentication
server to the FortiSwitch unit.
auto Trigger an auto-update of the CRL from the configured authentication server.
Use this command to export a local certificate from the FortiSwitch to a TFTP server.
Syntax
Variable Description
export Export or copy the local certificate from the FortiSwitch unit to a file on the
TFTP server.
<name> Enter the name of the local certificate. Available local certificates are Entrust_
802.1x, Fortinet_Factory, and Fortinet_Firmware.
Syntax
execute system certificate local generate <name> <key-length> <subject_str> <country> <state>
<city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>
Variable Description
Variable Description
<key-length> Enter the key size, which can be 1024, 1536, or 2048.
<country> Enter the country name (such as canada), country code (such as ca), or
null for none.
<state> Enter the state.
<URL> This field is optional. Enter the URL of the CA server for signing using SCEP.
<source_IP> This field is optional. Enter the source IP address for communicating with the
CA server.
<CA_id> This field is optional. Enter the CA identifier of the CA server for sign using
SCEP.
<password> This field is optional. Enter the password if you are using a private key.
Use this command to import a local certificate to the FortiSwitch from a TFTP server.
Syntax
Variable Description
Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the
FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as
OCSP (Online Certificate Status Protocol) server certificates.
Syntax
Variable Description
import Import the remote certificate from the TFTP server to the FortiSwitch
unit.
export Export or copy the remote certificate from the FortiSwitch to a file on
the TFTP server.
To view a list of the certificates, use the following command:
execute system certificate remote export tftp ?
Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.
Syntax
Example
Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile,
see config system sniffer-profile on page 198.
Syntax
Example
Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.
Syntax
Example
Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.
Syntax
Examples
Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a
packet-capture profile, see config system sniffer-profile on page 198.
Syntax
Variable Description
<file_name> Enter the name of the .pcap file and the path where it is located.
<FTP_server_IP_address:<optional_ Enter the IP address of the FTP server and optionally enter the port
port>> number.
<TFTP_server_IP_address:<optional_ Enter the IP address of the TFTP server and optionally enter the port
port>> number.
Examples
execute telnet
Use this command to create a Telnet client. You can use this tool to test network connectivity.
Syntax
<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect with. If the IPv6 address is a link-local
address, you must specify an output interface using %.
Type exit to close the Telnet session.
Examples
execute time
Syntax
Example
execute traceroute
Use this command to test the connection between the FortiSwitch and another network device, and display information
about the network hops between the FortiSwitch and the device.
Syntax
Example
This example shows how to test the connection with http://docs.forticare.com. In this example, the traceroute
command times out after the first hop indicating a possible problem.
#execute traceoute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
If your FortiSwitch is not connected to a working DNS server, you will not be able to connect to remote host-named
locations with traceroute.
execute tracert6
Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol
and to display information about the network hops between the FortiSwitch and the device.
Syntax
Variable Description
-d Enable debugging.
-f <first_ttl> Set the initial time-to-live used in the first outgoing probe packet.
-m <max_ttl> Set the max time-to-live (max number of hops) used in outgoing
probe packets.
-w <waittime> Set the time in seconds to wait for response to a probe. Default is 5.
Use this command to upload system configurations to the flash disk from FTP or TFTP sources.
Syntax
Variable Description
Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.
Syntax
Example
The get commands provide information about the operation of the FortiSwitch unit:
l get hardware cpu on page 340
l get hardware memory on page 341
l get hardware status on page 342
l get log custom-field on page 342
l get log eventfilter on page 342
l get log gui on page 343
l get log memory on page 343
l get log syslogd on page 345
l get log syslogd2 on page 345
l get log syslogd3 on page 346
l get router info bfd neighbor on page 347
l get router info bgp on page 347
l get router info gwdetect on page 348
l get router info isis on page 348
l get router info kernel on page 349
l get router info multicast on page 349
l get router info ospf on page 350
l get router info rip on page 351
l get router info routing-table on page 352
l get router info vrrp on page 353
l get router info6 bfd neighbor on page 354
l get router info6 bgp on page 354
l get router info6 isis on page 355
l get router info6 kernel on page 355
l get router info6 ospf on page 356
l get router info6 rip on page 357
l get router info6 routing-table on page 357
l get router info6 vrrp on page 358
l get switch acl on page 358
l get switch dhcp-snooping on page 359
l get switch flapguard settings on page 361
l get switch global on page 361
l get switch igmp-snooping on page 362
l get switch interface on page 363
l get switch ip-mac-binding on page 364
l get switch ip-source-guard on page 364
l get switch ip-source-guard-violations on page 364
l get switch lldp on page 364
l get switch mac-limit-violations on page 365
Use this command to display detailed information about the CPUs installed in your FortiSwitch unit.
Syntax
Example output
processor : 1
BogoMIPS : 1993.93
Use this command to display information about FortiSwitch memory use. Information includes the total memory,
memory in use, and free memory.
Syntax
Example output
Report information about the FortiSwitch hardware including ASIC version, CPU type, amount of memory, flash drive
size, hard disk size (if present), and USB flash size (if present). Use this information to troubleshoot, to provide to
Fortinet Support, or to confirm the features that your FortiSwitch model supports.
Syntax
Example output
Use this command to get information about custom log fields that have been created. To create custom log fields, see
config log custom-field on page 18.
Syntax
Example output
== [ 1 ]
id: 1
== [ 2 ]
id: 2
This output shows that two custom fields have been created.
l Event logs show configuration changes and allow you to monitor the activities administrators perform.
l Router logs allow you to review all router activity. Router logs are available only on supported platforms if you have
the advanced features license.
l System logs show system-level activity such as IP conflicts.
l User logs show user activity such as who is logged on and when.
To enable event logging, see config log eventfilter on page 19.
Syntax
Example output
event : enable
router : enable
system : enable
user : enable
Use this command to find out which device is being used to display logs in the Web-based manager.
Syntax
Example output
This output shows that logs are being displayed from memory.
Use this command to find out the current settings for logging to system memory.
Syntax
Variable Description
filter Find out the severity level of log entries made in system memory. The system logs all
messages at and above the selected severity level. For example, if the severity is
error, the system logs error, critical, alert, and emergency level
messages.
l emergency — The system is unusable.
global-setting Find out the global settings for logging to system memory:
l full-final-warning-threshold — the number of log entries saved before
a final warning is sent. When all memory is filled, the system overwrites the oldest
log entries.
l full-first-warning-threshold — the number of log entries saved before
setting Find out the general settings for logging to system memory:
l diskfull — whether the oldest log entries are overwritten when the system
memory is full.
l status — whether logging to system memory is enabled.
Example output
Use this command to get information about your system log 1 settings.
Syntax
Variable Description
filter Find out the severity level of system log 1 entries. The system logs all
messages at and above the selected severity level. For example, if the
severity is error, the system logs error, critical, alert, and
emergency level messages.
l emergency — The system is unusable.
affected.
l warning— Functionality might be affected.
setting Find out the general settings for the system log 1:
l diskfull — whether the oldest log entries are overwritten when the
Example output
Use this command to get information about your system log 2 settings.
Syntax
Variable Description
filter Find out the severity level of system log 2 entries. The system logs all messages at and
above the selected severity level. For example, if the severity is error, the system logs
error, critical, alert, and emergency level messages.
l emergency — The system is unusable.
setting Find out the general settings for the system log 2:
l diskfull — whether the oldest log entries are overwritten when the system
memory is full.
l status — whether logging to system memory is enabled.
Example output
Use this command to get information about your system log 3 settings.
Syntax
Variable Description
filter Find out the severity level of system log 3 entries. The system logs all
messages at and above the selected severity level. For example, if the
severity is error, the system logs error, critical, alert, and
emergency level messages.
l emergency — The system is unusable.
affected.
l warning— Functionality might be affected.
Variable Description
Example output
Use this command to find out where bidirectional forwarding detection (BFD) has been enabled. If you do not specify
the BFD peer IPv4 address or interface, all BFD peers are returned.
Syntax
Example output
Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.
Syntax
Variable Description
network-longer-prefixes Show the BGP information for routes and more specific routes.
paths Display the BGP path information for IPv4 and IPv6.
quote-regexp Display routes matching the AS path with regular expressions within quotation marks.
summary Display a summary of the BGP neighbor status for IPv4 and IPv6.
Syntax
Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing
configuration for IPv4 traffic.
Syntax
get router info isis {interface | neighbor | database | route | summary | summary-table |
topology}
Variable Description
Use this command to get information about the IPv4 kernel routing table. The IPv4 kernel routing table displays
information about all of the routes in the kernel.
Syntax
Use this command to get information about the Protocol Independent Multicast (PIM) routing configuration.
Syntax
Variable Description
Use this command to get information about any IPv4 open shortest path first (OSPF) routing that has been configured.
To set up IPv4 OSPF routing, see config router ospf on page 52.
Syntax
Variable Description
config Display detailed information about the current OSPF configuration, including interfaces,
areas, access lists, and IP addresses.
interface [<interface_ Display information about the specified OSPF interface. If the interface is not specified,
name>] information about all OSPF interfaces is returned.
status Display the current status of the OSPF routing, including router identifier, flags, timers,
and areas.
Example output
Use this command to get information about any Routing Information Protocol (RIP) routing that has been configured.
To set up RIP routing, see config router rip on page 64.
Syntax
Variable Description
config Display detailed information about the current RIP configuration, including keys in the
keychain, interfaces, access lists, and IP addresses.
status Display the current status of the RIP routing, including filter lists, redistribution, RIP
version, and interfaces.
Example output
Use these commands to get information about the IPv4 routing table.
Syntax
Variable Description
details <A.B.C.D/M> Display the routing table entries that include the specified IP address or route prefix.
dump <A.B.C.D> Display the details of routing table entries that include the specified IP address or route
prefix.
Example output
Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv4.
Syntax
Example output
Use this command to find out where bidirectional forwarding detection (BFD). If you do not specify the BFD peer IPv6
address, all BFD peers are returned.
Syntax
Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.
Syntax
Variable Description
network-longer-prefixes Show the BGP information for routes and more specific routes.
Variable Description
Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing
configuration for IPv6 traffic.
Syntax
get router info6 isis {interface | neighbor | database | route | summary | summary-table6 |
topology}
Variable Description
Use this command to get information about the IPv6 kernel routing table. The IPv6 kernel routing table displays
information about all of the routes in the kernel.
Syntax
Example output
Use this command to get information about any IPv6 open shortest path first (OSPF) routing that has been configured.
To set up IPv6 OSPF routing, see config router ospf6 on page 59.
Syntax
get router info6 ospf database [{router | network | inter-prefix | inter-router | external |
link | intra-prefix}]
get router info6 ospf interface [<interface_name>]
get router info6 ospf route [<IPv6_address>]
get router info6 ospf redistribute
get router info6 ospf border-route [detail]
get router info6 ospf neighbor {<A.B.C.D> | detail}
get router info6 ospf status
Variable Description
database [{router | Display information about the OSPF link state advertisement (LSA) database. Specify
network | inter-prefix | the router LSA, network LSA, inter-prefix LSA, inter-router LSA, external LSA, link LSA,
inter-router | external | link or intra-prefix LSA database. If you do not specify which LSA database, information
| intra-prefix}] about all LSA databases is returned.
interface [<interface_ Display information about the OSPF interface. If you do not specify the interface,
name>] information about all interfaces is returned.
route [<IPv6_address>] Display the OSPF routing table. If you do not specify an IPv6 address, all IPv6 routes are
returned.
border-route [detail] Display general or detailed information about OSPF border routers.
Variable Description
neighbor {<A.B.C.D> | Display information about OSPF neighbors in general or in detail or specify a neighbor
detail} ID.
status Display the current status of the OSPF routing, including router identifier, flags, timers,
and areas.
Use this command to get information about any IPv6 Routing Information Protocol (RIP) routing that has been
configured. To set up IPv6 RIP routing, see config router ripng on page 67.
Syntax
Variable Description
status Display the current status of the RIP routing, including timers, filter lists, and neighbors.
Use these commands to get information about the IPv6 routing table. If you do not specify which IPv6 routing table,
information about all IPv6 routing tables is returned.
Syntax
Variable Description
Variable Description
Example output
Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv6.
Syntax
Syntax
Variable Description
counters {all | egress | Display information about all ACL policies, egress ACL policies, ingress ACL policies, or
ingress | prelookup} lookup ACL policies.
egress Display information about the ACL policy for the egress stage.
ingress Display information about the ACL policy for the ingress stage.
policer List which ACL policers are available for different types of traffic.
prelookup Display information about the ACL policy for the lookup stage.
settings Display the global ACL settings for the FortiSwitch unit.
Example output
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
Use these commands to display more information about the IPv4 or IPv6 DHCP-snooping databases.
Syntax
Variable Description
database-summary List the number of VLANs with various features enabled, list trusted and untrusted ports,
and report how much of the databases are used.
status Display details about the DHCP-snooping client and server database.
Example output
vlan ip
10 xxx.x.x.x
mac vlan ip lease(sec) expiry(sec) interface hostname domainname vendor server-ip
00:01:00:00:00:01 100 xxx.x.x.xxx 86400 86398 port3
00:03:00:00:00:03 100 xxx.x.x.x 86400 86394 port5
00:03:00:00:00:04 100 xxx.x.x.x 86400 86394 port5
mac vlan ip interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 xxx.x.x.x port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09 7/5/0/0
Syntax
Example output
flap-duration : 30
flap-rate : 5
status : disable
Use this command to get information about the global settings of your FortiSwitch unit.
Syntax
Example output
trunk-hash-unkunicast-src-dst: enable
auto-fortilink-discovery: enable
auto-isl : enable
mclag-peer-info-timeout: 300
auto-isl-port-group : 0
max-path-in-ecmp-group: 4
virtual-wire-tpid : 0xdee5
loop-guard-tx-interval: 15
dhcp-snooping-database-export: enable
forti-trunk-dmac : 02:80:c2:00:00:02
port-security:
link-down-auth : set-unauth
reauth-period : 60
max-reauth-attempt : 2
Use this command to get the IGMP-snooping settings of your FortiSwitch unit.
Syntax
Variable Description
Example output
VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________
11 g239-1 239:1:1:1 port6 trunk-2
11 g239-11 239:2:2:11 port26 port48 trunk-2
40 g239-1 239:1:1:1 port5 port25 trunk-2
40 g239-2 239:2:2:2 port25 port26
Use this command to get information about the interfaces, including the class of service (CoS) value, whether sFlow is
enabled on the interface, and whether dynamically learned MAC addresses are persistent on the interface.
Syntax
Example output
== [ port1 ]
name: port1 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
== [ port2 ]
name: port2 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
== [ port3 ]
name: port3 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
...
Syntax
Example output
== [ 1 ]
seq-num: 1
Syntax
Syntax
Variable Description
Syntax
Variable Description
auto-isl-status Display statistics and staus for the automatic ISL configuration.
settings Display whether LLDP is enabled globally, the number of tx-intervals before the local
LLDP data expires, the frequency of LLDP PDU transmission, how often the FortiSwitch
transmits the first four LLDP packets when a link comes up, and the primary
management interface advertised in LLDP and CDP PDUs.
stats Display the number of packets transmitted, received, and discarded; the number of
neighbors added, deleted, and expired; and the number of unknown TLVs.
Example output
Use this command to see the first MAC address that exceeded the learning limit for an interface or VLAN.
To enable the learning limit violation log for a FortiSwitch unit, see config switch global on page 88.
Syntax
Variable Description
all Display the first MAC address that exceeded the learning limit on any interface
or VLAN. An asterisk by the interface name indicates that the interface-based
learning limit was exceeded. An asterisk by the VLAN identifier indicates the
VLAN-based learning limit was exceeded.
interface <interface_name> Display the first MAC address that exceeded the learning limit on a specific
interface
vlan <VLAN_ID> Display the first MAC address that exceeded the learning limit on a specific
VLAN.
Example output
Use this command to get information about the ERSPAN-auto mirror sessions of your FortiSwitch unit. To configure a
packet mirror, see config switch mirror on page 111.
Syntax
Example output
flink.sniffer
Mode : ERSPAN-auto
Status : Inactive
Source-Ports:
Ingress: port2, port3
Egress : port8, port9
Used-by-ACLs : False
Auto-config-state : N/A
Last-update : never
Issues : None
Collector-IP : 0.0.0.0
Source-IP : N/A
Source-MAC : N/A
Next-Hop :
IP : N/A
MAC : N/A
Via-System-Interface : N/A
VLAN : N/A
Via-Switch-Interface : N/A
Use this command to get the MLD-snooping settings of your FortiSwitch unit.
Syntax
Variable Description
Example output
aging-time : 300
leave-response-timeout: 10
query-interval : 125
MLD-SNOOPING mcast-groups:
Max Entries: 1022
Use this command to get information about the modules in your FortiSwitch unit.
Syntax
Variable Description
detail [<port>] Display module details for a specific port, split port, or all available ports.
limits [<port>] Display module limits for a specific port, split port, or all available ports.
status [<port>] Display module status for a specific port, split port, or all available ports.
summary [<port>] Display summary information of all modules for a specific port or all available ports and
split ports.
Example output
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007
Use this command to get information about network monitoring on the FortiSwitch unit.
Syntax
Variable Description
directed List the static entries for network monitoring on the switch.
settings Display the global settings for network monitoring on the switch.
Example output
Use this command to find out which split ports have been configured. to configure split ports, see config switch phy-
mode on page 117.
Syntax
Example output
Use this command to get information about the physical ports of your FortiSwitch unit. To configure physical ports, see
config switch physical-port on page 119.
Syntax
Example output
Use this command to get information about the system’s power over Ethernet (PoE) functions.
Syntax
Example output
Syntax
Variable Description
dot1p-map List the available dot1p maps, as well as the CoS values.
Example output
Use the following command to list the available IPv6 RA-guard policies. To create an IPv6 RA-guard policy, see config
switch raguard-policy on page 129.
Syntax
Example output
Use this command to display the security-feature settings. To configure security checks for incoming TCP/UDP packets,
see config switch security-feature on page 131.
Syntax
Example output
sip-eq-dip : enable
tcp-flag : enable
tcp-port-eq : enable
tcp-flag-FUP : enable
tcp-flag-SF : enable
v4-first-frag : enable
udp-port-eq : enable
tcp-hdr-partial : enable
macsa-eq-macda : enable
allow-mcast-sa : enable
allow-sa-mac-all-zero: enable
Syntax
Example output
== [ 1 ]
seq-num: 1 interface: port5 mac: 00:21:cc:d2:76:72 vlan-id: 35
Use this command to display storm control settings on your FortiSwitch unit. To configure storm control, see config
switch storm-control on page 134.
Syntax
Example output
broadcast : enable
rate : 1000
unknown-multicast : enable
unknown-unicast : enable
Use this command to get information about STP instances on your FortiSwitch unit. To configure an STP instance, see
config switch stp instance on page 134.
Syntax
Example output
Use this command to get information about STP settings on your FortiSwitch unit. To configure STP settings, see config
switch stp settings on page 135.
Syntax
Example output
forward-time : 15
hello-time : 5
max-age : 20
max-hops : 20
name : region1
revision : 1
status : enable
Use this command to get information about which trunks on the FortiSwitch unit have been configured for link
aggregation. To configure link aggregation, see config switch trunk on page 136.
Syntax
Example output
Virtual wire allows you to forward traffic between two ports with minimal filtering or packet modifications. To configure a
virtual wire, see config switch virtual-wire on page 139.
Syntax
Example output
== [ 1 ]
name: 1
Use this command to get information about VLANs on the FortiSwitch unit. To configure a VLAN, see config switch vlan
on page 140.
Syntax
Example output
== [ 1 ]
id: 1 private-vlan-type: primary isolated-vlan: 2 community-vlans: 3
== [ 2 ]
id: 2 private-vlan-type: isolated sub-VLAN primary-vlan: 1
== [ 3 ]
id: 3 private-vlan-type: community sub-VLAN primary-vlan: 1
Use this command to view a list of all the system administration access groups. To add an access profile group, see
config system accprofile on page 149.
Syntax
Example output
== [ prof_admin ]
name: prof_admin
== [ profile1 ]
name: profile1
Use this command to view a list of all the current administration sessions.
Syntax
Example output
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.16:4214 2006-08-09 12:25:29
Variable Description
device The interface, IP address, and port used by this session to connect to the system.
remote The IP address and port used by the originating computer to connect to the system.
Use this command to view the status of the currently logged in admin and their session. To configure an administrator
account, see config system admin on page 150.
Syntax
Example Output
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
Variable Description
login device The login information from the FortiSwitch including interface, IP
address, and port number.
login remote The computer the user is logging in from including the IP address
and port number.
login vdom The virtual domain the admin is current logged into.
Use this command to view the ARP table entries on the FortiSwitch unit. To manually add ARP table entries to the
FortiSwitch unit, see config system arp-table on page 152.
Syntax
Example output
Use this command to view the ARP tables on the FortiSwitch unit.
Syntax
Example output
Syntax
Variable Description
Example output
Use this command to get information about configuration related to bug reporting. To configure a custom email relay for
sending problem reports to Fortinet customer support, see config system bug-report on page 153.
Syntax
Example output
Syntax
Variable Description
Example output
Use this command to view information about configuration management database (CMDB) on the FortiSwitch unit.
Syntax
Variable Description
update index The updated index shows how many changes have been
made in the CMDB.
last request type Type of the last attempted access of the CMDB.
last request The number of the last attempted access of the CMDB.
Example output
Use this command to get information about the console connection. To configure the console, see config system
console on page 158.
Syntax
Example output
Use this command to get information about the DNS settings. To configure DNS, see config system dns on page 164.
Syntax
Example output
Use this command to display the flow-export configuration. To configure flow export, see config system flow-export on
page 165.
Syntax
Example output
timeout-udp : 300
transport : tcp
Use this command to display the flow-export data. To configure flow export, see config system flow-export on page 165.
Syntax
get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_
name>
get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_
interface_name>
get system flow-export-data statistics
NOTE: Layer-2 flows for netflow 1 and netflow 5 are not supported. For the output of the get system flow-
export-data statistics command, the Incompatible Type field displays how many flows are not exported
because they are not supported.
Variable Description
flows {all | <count>} {ip | subnet | mac | all} Display the specified number of records or all records of flow data for
<switch_interface_name> the specified IP address, subnet (class IP address and netmask),
MAC address, or all.
flows-raw {all | <count>} {ip | subnet | mac | Display the specified number of records or all records of raw flow
all} <switch_interface_name> data for the specified IP address, subnet (class IP address and
netmask), MAC address, or all.
Use this command to display the configuration of the FortiSwitch Cloud. To configure the FortiSwitch Cloud, see config
system fsw-cloud on page 168.
Syntax
Example output
interval : 15
name : fortiswitch-dispatch.forticloud.com
port : 443
status : enable
Syntax
Example output
Stats:
========
Switch Keep Alive Tx/Reply := 2408 / 2408
Manager Keep Alive Rx/Error := 2410 / 0
Use this command to get the global settings of your FortiSwitch unit. To configure global settings, config system global
on page 169.
Syntax
Example output
Use this command to display information about the SSH configuration on the FortiSwitch unit such as:
l the SSH port number
l the interfaces with SSH enabled
l the hostkey DSA fingerprint
l the hostkey RSA fingerprint
Syntax
Example output
Use this command to display administrators that are logged into the FortiSwitch unit.
Syntax
Variable Description
Example output
Use this command to list information about the physical network interfaces.
Syntax
Example output
== [onboard]
==[internal]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: up
speed: n/a (Duplex: n/a)
rx : 0 bytes 0 packets
tx : 8405158 bytes 160742 packets
==[mgmt]
mode: dhcp
ip: 10.105.19.3 255.255.252.0
ipv6: ::/0
status: up
speed: 1000Mbps (Duplex: full)
rx : 11558117 bytes 85986 packets
tx : 7048800 bytes 39380 packet
Use this command to list information about the IPv6 neighbor cache table. To configure the IPv6 neighbor cache table,
see config system ipv6-neighbor-cache on page 186.
Syntax
Use this command to list information about the physical network interfaces. To configure the link health monitor, see
config system link-monitor on page 187.
Syntax
Use this command to get information about the location table used by LLDP-MED for enhanced 911 emergency calls.
To configure a location table, see config system location on page 188.
Syntax
Example output
Use this command to get information about the NTP settings. To configure an NTP server, see config system ntp on
page 192.
Syntax
Example output
ntpserver:
== [ 1 ]
id: 1
== [ 2 ]
id: 2
ntpsync : enable
source-ip : 0.0.0.0
syncinterval : 1
Use this command to view the password policy. To create a password policy, see config system password-policy on
page 193.
Syntax
Example output
change-4-characters : disable
expire-status : disable
Use this command to display a list of traffic types (such as browsing, email, and DNS) and the number of packets and
number of payload bytes accepted by the firewall for each type since the system was restarted.
Syntax
Example output
Use this command to display FortiSwitch CPU usage, memory usage, network usage, sessions, virus, IPS attacks, and
system up time.
Syntax
Example output
Variable Description
CPU states The percentages of CPU cycles used by user, system, nice and idle
categories of processes. These categories are:
user -CPU usage of normal user-space processes
system -CPU usage of kernel
nice - CPU usage of user-space processes having other-than-
normal running priority
idle - Idle CPU cycles
Adding user, system, and nice produces the total CPU usage as seen
on the CPU widget on the web-based system status dashboard.
Average network usage The average amount of network traffic in kbps in the last 1, 10 and 30
minutes.
Use this command to display the list of processes running on the system (similar to the Linux top command).
The following commands are available when get system performance top is running:
Syntax
Variable Description
<delay_int> The delay, in seconds, between updating the process list. The default is 5 seconds.
<max_lines_int> The maximum number of processes displayed in the output. The default is 20 lines.
Example output
Use this command to list available schedule groups for when an access control list (ACL) will be active. To configure a
schedule group, see config system schedule group on page 195.
Syntax
Example output
Use this command to list available one-time schedules for when an access control list (ACL) will be active. To configure
a one-time schedule, see config system schedule onetime on page 195.
Syntax
Example output
Use this command to list schedules for when an access control list (ACL) will be active every week. To configure a
recurring schedule, see config system schedule recurring on page 196.
Syntax
Example output
Use this command to get information about equal cost multi-path (ECMP) routing. To configure ECMP routing, see
config system settings on page 197.
Syntax
Example output
Use this command to display the sFlow settings. To configure sFlow, see config system sflow on page 198.
Syntax
Example output
Use this command to display the packet capture for a specific packet-capture profile. To create a packet-capture profile,
see config system sniffer-profile on page 198.
Syntax
Use this command to display the status of all configured packet-capture profiles. To create a packet-capture profile, see
config system sniffer-profile on page 198.
Syntax
Example output
Use this command to get information about your system’s SNMP settings. To configure the SNMP agent, see config
system snmp sysinfo on page 201.
Syntax
Example output
contact-info : (null)
description : (null)
engine-id : (null)
location : (null)
status : disable
trap-high-cpu-threshold: 80
trap-log-full-threshold: 90
trap-low-memory-threshold: 80
trap-temp-alarm-threshold: 60
trap-temp-warning-threshold: 50
Syntax
Example output
service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101
Use this command to display information about system startup errors. This command only displays information if an
error occurs when the system starts up.
Syntax
Syntax
Example output
get test
Use this command to display information about applications on this FortiSwitch unit:
Syntax
Variable Description
Example output
Use this command to list all user groups. To add a user group, see config user group on page 204.
Syntax
Example output
Use this command to list LDAP users. To add an LDAP user, see config user ldap on page 206.
Syntax
Use this command to list local users. To add a local user, see config user local on page 207.
Syntax
Example output
== [ user1 ]
name: user1
Use this command to list RADIUS users. To add a RADIUS user, see config user radius on page 210.
Syntax
Example output
== [ serve2 ]
name: serve2
== [ radone ]
name: radone
Use this command to get information about all the system’s user settings.
Syntax
Example output
auth-blackout-time : 0
auth-cert : (null)
auth-http-basic : disable
auth-invalid-max : 5
auth-multi-group : enable
auth-ports:
== [ 1 ]
id: 1
auth-secure-http : disable
auth-timeout : 5
auth-timeout-type : idle-timeout
auth-type : http https ftp telnet
Syntax
Example output
== [ tacserver ]
name: tacserver
edit "queue-7"
next
end
set schedule round-robin
next
edit "voice_egr_policy"
config cos-queue
edit "queue-0"
next
edit "queue-1"
set weight 0
next
edit "queue-2"
set weight 6
next
edit "queue-3"
set weight 37
next
edit "queue-4"
set weight 12
next
edit "queue-5"
next
edit "queue-6"
next
edit "queue-7"
next
end
set schedule weighted
next
end
edit "port5"
...
set trust-dot1p-map " voice-dot1p "
set trust-ip-dscp-map " voice-dscp "
next
edit "port6"
...
set trust-dot1p-map " voice-dot1p "
set trust-ip-dscp-map " voice-dscp "
next
edit "port7"
...
set trust-dot1p-map " voice-dot1p "
set trust-ip-dscp-map " voice-dscp "
next
end
edit "port14"
...
set qos-policy "voice_egr_policy"
end
Deverá suportar HTTP REST API para configuração e monitoração FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 14-15,17 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
O Switch de acesso deve ser gerenciado por controladora centralizada do mesmo fabricante do Firewall Fortigate, já
FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
em uso pela SEINFRA
Deve possuir garantia de, no mínimo, 36 meses Conforme Proposta Comercial ** **
FUNCIONALIDADES DE CAMADA 2
Deverá suportar Link Aggregation estático FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 54 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deve suportar LACP FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 54 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deverá suportar o padrão IEEE 802.3x Flow Control com Back-pressure FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3 CSMA/CD com método de acesso e as especificações da camada física FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
FortiSwitch_Secure_Access_Series.pdf 2 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o gerenciamento em nuvem
FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 323 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar Telnet / SSH para acesso a console FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 26-28 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá permitir a configuração do relógio através de um servidor NTP FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 35-36 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 80-81 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá contar com uma interface de linha de comando padrão e uma interface de configuração web
FortiSwitchOS-6.4.3-CLI_Reference.pdf 14 http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 38 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar atualizações de Software por TFTP/FTP/GUI
FortiSwitchOS-6.4.3-CLI_Reference.pdf 322 http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
Deverá suportar HTTP REST API para configuração e monitoração FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 14-15,17 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
O Switch de acesso deve ser gerenciado por controladora centralizada do mesmo fabricante do Firewall Fortigate, já
FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
em uso pela SEINFRA
Deve possuir garantia de, no mínimo, 36 meses; Conforme Proposta Comercial ** **
FUNCIONALIDADES DE ALTA DISPONIBILIDADE
Deverá suportar Multi-Chassis LAG ( MCLAG ) FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar STO sobre Multi-Chassis LAG ( MCLAG) ** ** http://docs.fortinet.com/document/fortiswitch/6.4.2/administration-guide/860027/mclag
RECURSOS DE QUALIDADE DE SERVIÇO
Deve suportar a priorização de tráfego baseado em 802.1p FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve suportar a priorização de tráfego baseado em IP TOS/DSCP FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 199-203 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar marcação de tráfego com 802.1p e/ou IP TOS/DSCP
FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
FUNCIONALIDADES DE CAMADA 2
Deverá suportar Link Aggregation estático FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 54 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deve suportar LACP FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 54 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deverá suportar Spanning Tree FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 54 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deverá suportar Jumbo Frames FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar a negociação automática de porta e de Duplex FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1D MAC Bridging/STP FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1s Multiple Spanning Tree Protocol ( MSTP) FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar a função STP Root Guard FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar STP BPDU Guard FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar Edge Port / Port Fast FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1Q VLAN Tagging FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar Private VLAN FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve suportar o padrão IEEE 802.3ad Link Aggregation com LACP FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve ser capaz de balancear o tráfego Unicast/Multicast em uma mesma porta Trunk (dst-ip, dst-mac, srcdst-ip, src-
FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
dst-mac, src-ip, src-mac)
Deve suportar o padrão IEEE 802.1AX Link Aggregation FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar instâncias de Spanning Tree (MSTP/CST) FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3x Flow Control com Back-pressure FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3 10Base-T FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3u 100Base-TX FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3z 1000Base-SX/LX FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3ab 1000Base-T FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.3 CSMA/CD com método de acesso e as especificações da camada física FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá contar com a funcionalidade de Storm Control FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar a criação de VLANS por MAC, IP e Ethertype-based FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve suportar números de identificador de local de emergência (ELINs) e não LLDP- MED FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 128 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a negociação de PoE em LLDP-MED FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 81-82,126 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá ser possível limitar a quantidade de MACs aprendidos por porta. FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 89 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá permitir um mínimo de 15 instâncias de MSTP FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá permitir Storm Control de broadcast de forma independente em cada porta FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 164-165 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar um mecanismo de detecção e prevenção de loops FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar VLAN Stacking (QinQ) fortiswitch-v6.4.3-release-notes.pdf 12 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Deverá suportar SPAN FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 144 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar RSPAN e ERSPAN FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 144 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
FUNCIONALIDADES DE CAMADA 3
Deve suportar roteamento estático FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve suportar RIP v2 FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar OSPF v2 FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar VRRP FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
fortiswitch-v6.4.3-release-notes.pdf 13 https://docs.fortinet.com/document/fortiswitch/6.4.3/release-notes
Deve suportar IS-IS ** ** http://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/558620/router-isis
FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3