
DATA SHEET

FortiSwitch™ Secure Access Family


The FortiSwitch™ Secure Access family delivers outstanding security, performance and manageability. Secure, simple and scalable, FortiSwitch is the right choice for threat-conscious businesses of all sizes.

Fully integrated into the Fortinet Security Fabric via FortiLink, FortiSwitch can be managed directly from the familiar FortiGate interface. This single-pane-of-glass management provides complete visibility and control of users and devices on the network, regardless of how they connect. This makes FortiSwitch ideal for SD-Branch deployments, with applications ranging from desktop aggregation to the data center, enabling enterprises to converge their security and network access.

Product Offerings
FS-108E, 108E-POE, 108E-FPOE, 124E, 124E-POE, 124E-FPOE, 148E, 148E-POE, 124F, 124F-POE, 124F-FPOE, 148F, 148F-POE, 148F-FPOE, 224D-FPOE, 224E, 224E-POE, 248D, 248E-POE, 248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 424E-FIBER, M426E-FPOE, 424E, 424E-POE, 424E-FPOE, 448E, 448E-POE, 448E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE

Security Fabric Integration through FortiLink

FortiLink is an innovative proprietary management protocol that allows our FortiGate Next Generation Firewall to seamlessly manage any FortiSwitch. FortiLink enables the FortiSwitch to become a logical extension of the FortiGate, integrating it directly into the Fortinet Security Fabric. This management option reduces complexity and decreases management costs, because network security and access-layer functions are enabled and managed through a single console. FortiLink integration enables centralized policy management, including role-based access and control, making it easy to deploy and manage. This control and manageability make FortiSwitch ideal for SD-Branch deployments.

Highlights
§ Designed for installations from desktops to wiring closets
§ Ideal for SD-Branch deployments
§ Centralized security and access management from FortiGate interfaces with FortiLink
§ Ideal for converged network environments, allowing voice, data and wireless traffic to be delivered over a single network
§ Supports non-FortiLink deployments through the built-in user interface, API or command-line configuration
§ Up to 48 ports in a compact 1 RU form factor
§ Stackable up to 300 switches per FortiGate, depending on model
§ Supports wire-speed switching and store-and-forward mode
Series Overview

100 Series (Entry)
§ Entry-level switch
§ 8-48 GE ports, PoE+ capable
§ Desktop to wiring closet
§ 2-4 GE SFP uplink ports (1xxE) or 4x 10GE SFP+ uplink ports (1xxF)

200 Series (Mid-range)
§ Mid-level switch
§ 24-48 GE ports, PoE+ capable
§ Typical wiring-closet switch
§ 4 GE SFP uplink ports

400 Series (Premium)
§ Enterprise switch
§ 24-48 GE ports, PoE+ capable
§ Larger wiring closet or high-throughput requirements
§ 4x 10GE SFP+ uplink ports

500 Series (Aggregation)
§ Aggregation switch
§ 24-48 GE ports, PoE+ capable
§ Larger wiring closet or high-throughput requirements
§ 4x 10GE SFP+ and 2x 40GE QSFP+ uplink ports

Deployment

FortiLink: FortiGate managed. Security Fabric enabled. Most common deployment model.
Cloud management option: FortiGate Cloud

Standalone: Industry-standard deployment model. Common in non-FortiGate environments.
Cloud management option: FortiSwitch Cloud

Features

FORTISWITCH FORTILINK MODE (WITH FORTIGATE)

Management and Configuration
Auto-discovery of multiple switches: Yes
Number of switches managed per FortiGate: 8 to 300 depending on FortiGate model (see the administration guide)
FortiLink stacking (auto inter-switch links): Yes
Switch software upgrade: Yes
Centralized VLAN configuration: Yes
Switch PoE control: Yes
Link aggregation configuration: Yes
Spanning tree: Yes
LLDP / MED: Yes
IGMP snooping: Yes
L3 routing and policy-based routing: Yes (FortiGate)
Services: Yes (FortiGate)
Virtual domains: Yes (FortiGate)

Security and Visibility
Syslog collection: Yes
802.1X authentication (port-based, MAC-based, MAB): Yes
DHCP snooping: Yes
Device detection: Yes
MAC black / white list: Yes (FortiGate)
User and device control policies: Yes (FortiGate)

UTM Features
Firewall: Yes (FortiGate)
IPS, AV, application control, botnet: Yes (FortiGate)

High Availability
FortiLink support with FortiGate in an HA cluster: Yes
LAG support for the FortiLink connection: Yes
Active-active split LAG from FortiGate to FortiSwitches for advanced redundancy: Yes (with FS-2xx, 4xx, 5xx)

FORTISWITCH MODEL SERIES: 2XXD, 4XXD, 5XXD | 1XXE / 1XXF | 2XXE, 4XXE

Layer 2
Jumbo frames: Yes | Yes | Yes
Auto-negotiation for port speed and duplex: Yes | Yes | Yes
Auto MDI / MDIX crossover: Yes | Yes | Yes
IEEE 802.1D MAC bridging / STP: Yes | Yes | Yes
IEEE 802.1w Rapid Spanning Tree Protocol (RSTP): Yes | Yes | Yes
IEEE 802.1s Multiple Spanning Tree Protocol (MSTP): Yes | Yes | Yes
STP Root Guard: Yes | Yes | Yes
STP BPDU Guard: Yes | Yes | Yes
Edge Port / Port Fast: Yes | Yes | Yes
IEEE 802.1Q VLAN tagging: Yes | Yes | Yes
Private VLAN: Yes | No | Yes
IEEE 802.3ad link aggregation with LACP: Yes | Yes | Yes
Unicast / multicast traffic balancing over trunk ports (dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac): Yes | Yes | Yes
IEEE 802.1AX link aggregation: Yes | Yes | Yes
Spanning tree instances (MSTP / CST): 15/1 | 15/1 | 15/1
IEEE 802.3x flow control and back pressure: Yes | Yes | Yes
IEEE 802.3 10Base-T: Yes | Yes | Yes
IEEE 802.3u 100Base-TX: Yes | Yes | Yes
IEEE 802.3z 1000Base-SX / LX: Yes | Yes | Yes
IEEE 802.3ab 1000Base-T: Yes | Yes | Yes
IEEE 802.3ae 10 Gigabit Ethernet: 4xx and 5xx families | N/A (1xxE) / Yes (1xxF) | Yes
IEEE 802.3az Energy Efficient Ethernet: Yes | Yes | not listed
IEEE 802.3bz Multi-Gigabit Ethernet: No | No | Yes (M426E-FPOE)
IEEE 802.3 CSMA/CD access method and physical layer specifications: Yes | Yes | Yes
Storm control: Yes | Yes | Yes
MAC-, IP- and Ethertype-based VLANs: Yes | Yes | Yes
Virtual-Wire: Yes | No | Yes
Split port support (QSFP+ breakout to 4x 10G SFP+ or 4x 1G SFP): FS-5xx family | N/A | N/A
Time-Domain Reflectometry (TDR): Yes | Yes | Yes

Features

FORTISWITCH MODEL SERIES: 2XXD, 4XXD, 5XXD | 1XXE / 1XXF | 2XXE, 4XXE

Layer 3 *
Static routing (hardware-based): Yes | N/A | Yes
Routing entries: 64 on FS-2xx and 4xx families; 16K on FS-5xx family | N/A | 64 on 2xxE; 1K on 424E, 424E-POE, 424E-FPOE, M426E-FPOE; 16K on 448E, 448E-POE, 448E-FPOE, 424E-FIBER
Host entries: 1K on FS-2xx and 4xx families; 24K on FS-5xx family | N/A | 1K on 2xxE; 2K on 424E, 424E-POE, 424E-FPOE, M426E-FPOE; 16K on 448E, 448E-POE, 448E-FPOE, 424E-FIBER
Dynamic routing protocols **: OSPFv2, RIPv2, VRRP; BGP, IS-IS on FS-5xx | N/A | OSPFv2, RIPv2, VRRP
Multicast protocols **: PIM-SSM on FS-5xx | N/A | N/A
ECMP: FS-5xx family | N/A | No
Spanning tree instances: 32 instances maximum for FS-5xx from 6.2.0+ | N/A | N/A
Bidirectional Forwarding Detection (BFD): Yes | N/A | Yes
DHCP relay: Yes | N/A | Yes

Services
IGMP snooping: Yes | No | Yes

Security and Visibility
Port mirroring: Yes | Yes | Yes
Administrator authentication via RFC 2865 RADIUS: Yes | Yes | Yes
IEEE 802.1X port-based authentication: Yes | Yes | Yes
IEEE 802.1X MAC-based authentication: Yes | Yes | Yes
IEEE 802.1X guest and fallback VLAN: Yes | Yes | Yes
IEEE 802.1X MAC access bypass (MAB): Yes | Yes | Yes
IEEE 802.1X dynamic VLAN assignment: Yes | Yes | Yes
RADIUS CoA (change of authorization): Yes | Yes | Yes
RADIUS accounting: Yes | Yes | Yes
MAC-IP binding: 5xx only | No | No
sFlow: Yes | No | Yes
ACL: 1K entries on FS-5xx family; 512 on 2xx and 4xx families | No | 512 entries on 2xxE; 1K on 424E, 424E-POE, 424E-FPOE, M426E-FPOE; 1.5K on 448E, 448E-POE, 448E-FPOE, 424E-FIBER
IEEE 802.1ab Link Layer Discovery Protocol (LLDP): Yes | Yes | Yes
IEEE 802.1ab LLDP-MED: Yes | Yes | Yes
IEEE 802.1AE MAC Security (MACsec): FS-5xxD 10G ports | No | No
DHCP snooping: Yes | Yes | Yes
Dynamic ARP inspection: Yes | Yes | Yes
Sticky MAC and MAC limit: Yes | Yes | Yes

High Availability
Multi-Chassis Link Aggregation (MCLAG): Yes | N/A | Yes

Quality of Service
IEEE 802.1p-based priority queuing: Yes | Yes | Yes
IP TOS / DSCP-based priority queuing: Yes | Yes | Yes
IEEE 1588 PTP (transparent clock): Yes | No | Yes

Management
IPv4 and IPv6 management: Yes | Yes | Yes
Telnet / SSH: Yes | Yes | Yes
HTTP / HTTPS: Yes | Yes | Yes
SNMP v1 / v2c / v3: Yes | Yes | Yes
SNTP: Yes | Yes | Yes
Standard CLI and web GUI interface: Yes | Yes | Yes
Software download / upload: TFTP / FTP / GUI: Yes | Yes | Yes
Managed from FortiGate: Yes | Yes | Yes
REST HTTP API support for configuration and monitoring: Yes | Yes | Yes

* Supported on 2xx, 4xx and 5xx. ** Requires the 'Advanced Features' license.
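The standalone-mode access-layer controls listed under Security and Visibility (802.1X with MAB fallback and guest / auth-fail VLANs, DHCP snooping, dynamic ARP inspection, sticky MAC with a learning limit) are normally switched on together on every user-facing port, with only the uplink marked trusted. The FortiSwitchOS CLI fragment below is an added example and is not text from the datasheet or Fortinet's own configuration. The RADIUS server address, shared secret, VLAN IDs, port names and object names are placeholders chosen for the example, and the exact keywords should be checked against the administration guide for the FortiSwitchOS release in use, since attribute names differ between releases.

```text
# Added example, not from the datasheet. Assumed values:
#   RADIUS server 192.0.2.10, VLAN 100 = user data, VLAN 900 = guest,
#   VLAN 999 = auth-fail quarantine, port1 = access port, port25 = uplink
#   toward the DHCP server. Verify keywords against the admin guide.

config user radius
    edit "nac-radius"
        set server "192.0.2.10"
        set secret "replace-with-a-long-random-secret"
        set radius-coa enable
    next
end

config user group
    edit "dot1x-users"
        set member "nac-radius"
    next
end

# DHCP snooping builds the IP-to-MAC binding table per VLAN; dynamic ARP
# inspection validates ARP replies against that table, so both are enabled
# on the same VLAN.
config switch vlan
    edit 100
        set dhcp-snooping enable
        set dhcp-snooping-verify-mac enable
        set arp-inspection enable
    next
end

config switch interface
    # Uplink: trusted, so offers from the real DHCP server are forwarded.
    edit "port25"
        set dhcp-snooping trusted
        set arp-inspection-trust trusted
    next
    # Access port: untrusted for DHCP and ARP, 802.1X MAC-based with MAB
    # fallback, guest VLAN while unauthenticated, quarantine VLAN on
    # failure, sticky MAC limited to one learned address.
    edit "port1"
        set native-vlan 100
        set dhcp-snooping untrusted
        set arp-inspection-trust untrusted
        set security-groups "dot1x-users"
        set sticky-mac enable
        set learning-limit 1
        config port-security
            set port-security-mode 802.1X-mac-based
            set mac-auth-bypass enable
            set guest-vlan enable
            set guest-vlanid 900
            set auth-fail-vlan enable
            set auth-fail-vlanid 999
        end
    next
end
```

Two checks matter after applying this. If the uplink toward the DHCP server is left untrusted, clients on VLAN 100 stop receiving leases, which is the usual symptom of snooping being enabled on the VLAN without a trusted port. Conversely, marking an access port trusted defeats the control entirely: a rogue DHCP server or a spoofed ARP reply on that port is forwarded without being checked against the binding table, so only ports that lead to the infrastructure should be trusted.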

Features

ALL FORTISWITCH MODELS

RFC and MIB Support *

BFD
RFC 5880: Bidirectional Forwarding Detection (BFD)
RFC 5881: Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
RFC 5882: Generic Application of Bidirectional Forwarding Detection (BFD)

BGP
RFC 1771: A Border Gateway Protocol 4 (BGP-4)
RFC 1965: Autonomous System Confederations for BGP
RFC 1997: BGP Communities Attribute
RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
RFC 2796: BGP Route Reflection - An Alternative to Full Mesh IBGP
RFC 2842: Capabilities Advertisement with BGP-4
RFC 2858: Multiprotocol Extensions for BGP-4
RFC 4271: BGP-4
RFC 6286: Autonomous-System-Wide Unique BGP Identifier for BGP-4
RFC 6608: Subcodes for BGP Finite State Machine Error
RFC 6793: BGP Support for Four-Octet Autonomous System (AS) Number Space
RFC 7606: Revised Error Handling for BGP UPDATE Messages
RFC 7607: Codification of AS 0 Processing
RFC 7705: Autonomous System Migration Mechanisms and Their Effects on the BGP AS_PATH Attribute
RFC 8212: Default External BGP (EBGP) Route Propagation Behavior without Policies
RFC 8654: Extended Message Support for BGP

DHCP
RFC 2131: Dynamic Host Configuration Protocol
RFC 3046: DHCP Relay Agent Information Option
RFC 7513: Source Address Validation Improvement (SAVI) Solution for DHCP

IP / IPv4
RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP
RFC 5227: IPv4 Address Conflict Detection
RFC 5517: Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
RFC 7039: Source Address Validation Improvement (SAVI) Framework

IP Multicast
RFC 2362: Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
RFC 2710: Multicast Listener Discovery (MLD) for IPv6 (MLDv1)
RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
RFC 4605: Internet Group Management Protocol (IGMP) / Multicast Listener Discovery (MLD)-Based Multicast Forwarding ("IGMP/MLD Proxying")
RFC 4607: Source-Specific Multicast for IP

IPv6
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers (DSCP)
RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers
RFC 4291: IP Version 6 Addressing Architecture
RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
RFC 4861: Neighbor Discovery for IP Version 6 (IPv6)
RFC 4862: IPv6 Stateless Address Autoconfiguration
RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
RFC 6724: Default Address Selection for Internet Protocol Version 6 (IPv6)
RFC 7113: IPv6 RA Guard
RFC 8200: Internet Protocol, Version 6 (IPv6) Specification
RFC 8201: Path MTU Discovery for IP Version 6

IS-IS
RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
RFC 5308: Routing IPv6 with IS-IS

MIB
RFC 1213: MIB-II (parts that apply to FortiSwitch 100 units)
RFC 1354: IP Forwarding Table MIB
RFC 1493: Bridge MIB
RFC 1573: SNMP MIB II
RFC 1643: Ethernet-like Interface MIB
RFC 1724: RIPv2-MIB
RFC 1850: OSPF Version 2 Management Information Base
RFC 2233: The Interfaces Group MIB using SMIv2
RFC 2618: RADIUS-Auth-Client-MIB
RFC 2620: RADIUS-Acc-Client-MIB
RFC 2674: Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
RFC 2787: Definitions of Managed Objects for the Virtual Router Redundancy Protocol
RFC 2819: Remote Network Monitoring Management Information Base
RFC 2932: IPv4 Multicast Routing MIB
RFC 2934: Protocol Independent Multicast MIB for IPv4
RFC 3289: Management Information Base for the Differentiated Services Architecture
RFC 3433: Entity Sensor Management Information Base
RFC 3621: Power Ethernet MIB
RFC 6933: Entity MIB (Version 4)

OSPF
RFC 1583: OSPF Version 2
RFC 1765: OSPF Database Overflow
RFC 2328: OSPF Version 2
RFC 2370: The OSPF Opaque LSA Option
RFC 2740: OSPF for IPv6
RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option
RFC 3137: OSPF Stub Router Advertisement
RFC 3623: Graceful OSPF Restart
RFC 5340: OSPF for IPv6 (OSPFv3)
RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication
RFC 6549: OSPFv2 Multi-Instance Extensions
RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type
RFC 6860: Hiding Transit-Only Networks in OSPF
RFC 7474: Security Extension for OSPFv2 When Using Manual Key Management
RFC 7503: OSPFv3 Autoconfiguration
RFC 8042: OSPF Two-Part Metric
RFC 8362: OSPFv3 Link State Advertisement (LSA) Extensibility

OTHER
RFC 2030: SNTP
RFC 3176: InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
RFC 3768: VRRP
RFC 3954: Cisco Systems NetFlow Services Export Version 9
RFC 5101: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information
RFC 5798: VRRPv3 (IPv4 and IPv6)

RADIUS
RFC 2865: Administrator authentication using RADIUS
RFC 2866: RADIUS Accounting
RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

RIP
RFC 1058: Routing Information Protocol
RFC 2080: RIPng for IPv6
RFC 2082: RIP-2 MD5 Authentication
RFC 2453: RIPv2
RFC 4822: RIPv2 Cryptographic Authentication

SNMP
RFC 1157: SNMPv1 / v2c
RFC 2571: An Architecture for Describing SNMP Management Frameworks
RFC 2572: Message Processing and Dispatching for SNMP
RFC 2573: SNMP Applications
RFC 2576: Coexistence between SNMP Versions

* RFCs and MIBs supported by the FortiSwitch operating system. Check the feature matrix in the administration guide for model-specific support.

Specifications

FORTISWITCH 108E | FORTISWITCH 108E-POE | FORTISWITCH 108E-FPOE

Hardware Specifications
Total network interfaces: 7x GE RJ45, 1x GE / PoE-PD RJ45 and 2x GE SFP | 8x GE RJ45 and 2x GE SFP | 8x GE RJ45 and 2x GE SFP
Dedicated 10/100 management port: 0 | 0 | 0
RJ-45 serial console port: 1 | 1 | 1
Form factor: Desktop | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 0 | 4 (802.3af / at) | 8 (802.3af / at)
PoE power budget: 0 | 65 W | 130 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 20 Gbps | 20 Gbps | 20 Gbps
Packets per second (duplex): 30 Mpps | 30 Mpps | 30 Mpps
MAC address storage: 8K | 8K | 8K
Network latency: 4 µs | 4 µs | 4 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: 8 | 8 | 8
Packet buffers: 512 KB | 512 KB | 512 KB
DRAM: 256 MB DDR3 | 256 MB DDR3 | 256 MB DDR3
Flash: 32 MB | 32 MB | 32 MB

Dimensions
Height x Depth x Width (inches): 1.5 x 6.3 x 8.7 | 1.7 x 8.2 x 13 | 1.7 x 8.2 x 13
Height x Depth x Width (mm): 38 x 160 x 220 | 44 x 209 x 330 | 44 x 209 x 330
Weight: 2.2 lbs (1 kg) | 4.3 lbs (1.95 kg) | 4.5 lbs (2.04 kg)

Environment
Power required: 100–240 V AC, 50/60 Hz or PoE-PSE (af) | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power supply: Internal AC and PoE-PD | Internal | Internal
Redundant power: – | – | –
Power consumption * (average / maximum): 5.54 W / 6.26 W | 70.19 W / 71.10 W | 135.19 W / 136.10 W
Heat dissipation: 18.9 BTU/h | 17.7 BTU/h | 17.7 BTU/h
Operating temperature: 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C)
Storage temperature: -40–158 °F (-40–70 °C) | -40–158 °F (-40–70 °C) | -40–158 °F (-40–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 108E, FortiSwitch 108E-POE, FortiSwitch 108E-FPOE]

Specifications

FORTISWITCH 124E | FORTISWITCH 124E-POE | FORTISWITCH 124E-FPOE

Hardware Specifications
Total network interfaces: 24x GE RJ45 and 4x GE SFP | 24x GE RJ45 and 4x GE SFP | 24x GE RJ45 and 4x GE SFP
Dedicated 10/100 management port: 0 | 0 | 0
RJ-45 serial console port: 1 | 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 0 | 12 (802.3af / at) | 24 (802.3af / at)
PoE power budget: 0 | 185 W | 370 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 56 Gbps | 56 Gbps | 56 Gbps
Packets per second (duplex): 83 Mpps | 83 Mpps | 83 Mpps
MAC address storage: 8K | 8K | 8K
Network latency: 4 µs | 4 µs | 4 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: 8 | 8 | 8
Packet buffers: 512 KB | 512 KB | 512 KB
DRAM: 256 MB DDR3 | 256 MB DDR3 | 256 MB DDR3
Flash: 32 MB | 32 MB | 32 MB

Dimensions
Height x Depth x Width (inches): 1.7 x 8.2 x 13 | 1.7 x 12.2 x 17.3 | 1.7 x 12.2 x 17.3
Height x Depth x Width (mm): 44 x 209 x 330 | 44 x 309 x 440 | 44 x 309 x 440
Weight: 4.7 lbs (2.13 kg) | 11.1 lbs (5.03 kg) | 11.2 lbs (5.03 kg)

Environment
Power required: 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power supply: Internal | Internal | Internal
Redundant power: – | – | –
Power consumption * (average / maximum): 15.83 W / 17.79 W | 202.78 W / 205.45 W | 387.78 W / 390.45 W
Heat dissipation: 54 BTU/h | 60.67 BTU/h | 60.67 BTU/h
Operating temperature: 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C)
Storage temperature: -40–158 °F (-40–70 °C) | -40–158 °F (-40–70 °C) | -40–158 °F (-40–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 124E, FortiSwitch 124E-POE, FortiSwitch 124E-FPOE]

Specifications

FORTISWITCH 148E | FORTISWITCH 148E-POE

Hardware Specifications
Total network interfaces: 48x GE RJ45 and 4x GE SFP | 48x GE RJ45 and 4x GE SFP
Dedicated 10/100 management port: 0 | 0
RJ-45 serial console port: 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 0 | 24 (802.3af / at)
PoE power budget: 0 | 370 W
Mean time between failures: > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 104 Gbps | 104 Gbps
Packets per second (duplex): 155 Mpps | 155 Mpps
MAC address storage: 16K | 16K
Network latency: 3860 ns | 3860 ns
VLANs supported: 4K | 4K
Link aggregation group size: 8 | 8
Number of link aggregation groups: 16 | 16
Packet buffers: 1.5 MB | 1.5 MB
DRAM: 256 MB DDR3 | 256 MB DDR3
Flash: 64 MB | 64 MB

Dimensions
Height x Depth x Width (inches): 1.73 x 12.2 x 17.3 | 1.73 x 13.7 x 17.3
Height x Depth x Width (mm): 44 x 309 x 440 | 44 x 348 x 440
Weight: 8.6 lbs (3.9 kg) | 11.5 lbs (5.2 kg)

Environment
Power required: 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power supply: Internal | Internal
Redundant power: No | No
Power consumption * (average / maximum): 19.804 W / 22.137 W | 389.742 W / 393.109 W
Heat dissipation: 67.574 BTU/h | 78.82 BTU/h
Operating temperature: 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C)
Storage temperature: -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 148E, FortiSwitch 148E-POE]

Specifications

FORTISWITCH 124F | FORTISWITCH 124F-POE | FORTISWITCH 124F-FPOE

Hardware Specifications
Total network interfaces: 24x GE RJ45 and 4x 10GE SFP+ | 24x GE RJ45 and 4x 10GE SFP+ | 24x GE RJ45 and 4x 10GE SFP+
Dedicated 10/100 management port: 0 | 0 | 0
RJ-45 serial console port: 1 | 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 0 | 12 (802.3af / at) | 24 (802.3af / at)
PoE power budget: 0 | 185 W | 370 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 128 Gbps | 128 Gbps | 128 Gbps
Packets per second (duplex): 190 Mpps | 190 Mpps | 190 Mpps
MAC address storage: 32K | 32K | 32K
Network latency: < 1 µs | < 1 µs | < 1 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: 128 | 128 | 128
Packet buffers: 2 MB | 2 MB | 2 MB
DRAM: 512 MB DDR3 | 512 MB DDR3 | 512 MB DDR3
Flash: 64 MB | 64 MB | 64 MB

Dimensions
Height x Depth x Width (inches): 1.73 x 9.06 x 12.99 | 1.73 x 10.24 x 12.99 | 1.73 x 10.24 x 12.99
Height x Depth x Width (mm): 44 x 230 x 330 | 44 x 260 x 330 | 44 x 260 x 330
Weight: 4.48 lbs (2.03 kg) | 7.85 lbs (3.56 kg) | 8.42 lbs (3.82 kg)

Environment
Power required: 100–240 V AC, 50–60 Hz | 100–240 V AC, 50–60 Hz | 100–240 V AC, 50–60 Hz
Power supply: Internal | Internal | Internal
Redundant power: No | No | No
Power consumption * (average / maximum): 24.8 W / 26.3 W | 235.9 W / 237.4 W | 449.8 W / 451.3 W
Heat dissipation: 89.683 BTU/h | 809.534 BTU/h | 1538.933 BTU/h
Operating temperature: 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C)
Storage temperature: -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 124F, FortiSwitch 124F-POE, FortiSwitch 124F-FPOE]

Specifications

FORTISWITCH 148F | FORTISWITCH 148F-POE | FORTISWITCH 148F-FPOE

Hardware Specifications
Total network interfaces: 48x GE RJ45 and 4x 10GE SFP+ | 48x GE RJ45 and 4x 10GE SFP+ | 48x GE RJ45 and 4x 10GE SFP+
Dedicated 10/100 management port: 0 | 0 | 0
RJ-45 serial console port: 1 | 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 0 | 24 (802.3af / at) | 48 (802.3af / at)
PoE power budget: 0 | 370 W | 740 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 176 Gbps | 176 Gbps | 176 Gbps
Packets per second (duplex): 260 Mpps | 260 Mpps | 260 Mpps
MAC address storage: 32K | 32K | 32K
Network latency: < 1 µs | < 1 µs | < 1 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: 128 | 128 | 128
Packet buffers: 2 MB | 2 MB | 2 MB
DRAM: 512 MB DDR3 | 512 MB DDR3 | 512 MB DDR3
Flash: 64 MB | 64 MB | 64 MB

Dimensions
Height x Depth x Width (inches): 1.73 x 10.24 x 17.32 | 1.73 x 12.20 x 17.32 | 1.73 x 12.20 x 17.32
Height x Depth x Width (mm): 44 x 260 x 440 | 44 x 310 x 440 | 44 x 310 x 440
Weight: 7.63 lbs (3.46 kg) | 10.32 lbs (4.68 kg) | 10.32 lbs (4.68 kg)

Environment
Power required: 100–240 V AC, 50–60 Hz | 100–240 V AC, 50–60 Hz | 100–240 V AC, 50–60 Hz
Power supply: Internal | Internal | Internal
Redundant power: No | No | No
Power consumption * (average / maximum): 55.8 W / 57 W | 474.8 W / 476.3 W | 893.5 W / 895.7 W
Heat dissipation: 194.37 BTU/h | 195.73 BTU/h | 198.46 BTU/h
Operating temperature: 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C) | 32–113 °F (0–45 °C)
Storage temperature: -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 148F, FortiSwitch 148F-POE, FortiSwitch 148F-FPOE]

Specifications

FORTISWITCH 224D-FPOE | FORTISWITCH 224E | FORTISWITCH 224E-POE

Hardware Specifications
Total network interfaces: 24x GE RJ45 and 4x GE SFP | 24x GE RJ45 and 4x GE SFP | 24x GE RJ45 and 4x GE SFP
Dedicated 10/100 management port: 1 | 1 | 1
RJ-45 serial console port: 1 | 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: 24 (802.3af / 802.3at) | N/A | 12 (802.3af / 802.3at)
PoE power budget: 370 W | N/A | 180 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 56 Gbps | 56 Gbps | 56 Gbps
Packets per second (duplex): 83 Mpps | 83 Mpps | 83 Mpps
MAC address storage: 16K | 16K | 16K
Network latency: < 1 µs | < 1 µs | < 1 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: Up to the number of ports | Up to the number of ports | Up to the number of ports
Packet buffers: 1.5 MB | 1.5 MB | 1.5 MB
DRAM: 512 MB DDR3 | 512 MB DDR3 | 512 MB DDR3
Flash: 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches): 1.73 x 12.2 x 17.5 | 1.73 x 9 x 12.99 | 1.73 x 9 x 12.99
Height x Depth x Width (mm): 44 x 310 x 440 | 44 x 230 x 330 | 44 x 230 x 330
Weight: 10.64 lbs (4.83 kg) | 4.78 lbs (2.17 kg) | 5.37 lbs (2.44 kg)

Environment
Power required: 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power supply: Internal | Internal | Internal
Redundant power: Optional FRPS-740 | Redundant AC | Optional FRPS-740
Power consumption * (average / maximum): 380 W / 397 W | 17.2 W / 17.3 W | 220.18 W / 223.57 W
Heat dissipation: 85 BTU/h | 59.095 BTU/h | 74.29554 BTU/h
Operating temperature: 32–122 °F (0–50 °C) | 32–122 °F (0–50 °C) | 32–122 °F (0–50 °C)
Storage temperature: -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 224D-FPOE, FortiSwitch 224E, FortiSwitch 224E-POE]

Specifications

FORTISWITCH 248D | FORTISWITCH 248E-POE | FORTISWITCH 248E-FPOE

Hardware Specifications
Total network interfaces: 48x GE RJ45 and 4x GE SFP | 48x GE RJ45 and 4x GE SFP | 48x GE RJ45 and 4x GE SFP
Dedicated 10/100 management port: 1 | 1 | 1
RJ-45 serial console port: 1 | 1 | 1
Form factor: 1 RU rack mount | 1 RU rack mount | 1 RU rack mount
Power over Ethernet (PoE) ports: – | 24 (802.3af / 802.3at) | 48 (802.3af / 802.3at)
PoE power budget: N/A | 370 W | 740 W
Mean time between failures: > 10 years | > 10 years | > 10 years

System Specifications
Switching capacity (duplex): 104 Gbps | 104 Gbps | 104 Gbps
Packets per second (duplex): 155 Mpps | 155 Mpps | 155 Mpps
MAC address storage: 16K | 16K | 16K
Network latency: < 1 µs | < 1 µs | < 1 µs
VLANs supported: 4K | 4K | 4K
Link aggregation group size: 8 | 8 | 8
Number of link aggregation groups: Up to the number of ports | Up to the number of ports | Up to the number of ports
Packet buffers: 1.5 MB | 1.5 MB | 1.5 MB
DRAM: 512 MB DDR3 | 512 MB DDR3 | 512 MB DDR3
Flash: 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches): 1.73 x 9.68 x 17.3 | 1.73 x 16.1 x 17.3 | 1.73 x 16.1 x 17.3
Height x Depth x Width (mm): 44 x 246 x 440 | 44 x 410 x 440 | 44 x 410 x 440
Weight: 7.81 lbs (3.54 kg) | 12.12 lbs (5.5 kg) | 13.44 lbs (6.1 kg)

Environment
Power required: 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power supply: Internal | Internal | Internal
Redundant power: – | Optional FRPS-740 | Optional FRPS-740
Power consumption * (average / maximum): 38.66 W / 39.19 W | 457.46 W / 466.47 W | 842 W / 855.02 W
Heat dissipation: 134 BTU/h | 177.14268 BTU/h | 162.87865 BTU/h
Operating temperature: 32–122 °F (0–50 °C) | 32–122 °F (0–50 °C) | 32–122 °F (0–50 °C)
Storage temperature: -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C) | -4–158 °F (-20–70 °C)
Humidity: 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow direction: side to side | side to side | side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty: Fortinet Limited Lifetime Warranty ** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

[Product images: FortiSwitch 248D, FortiSwitch 248E-POE, FortiSwitch 248E-FPOE]

12
FOLHA DE DADOS | FortiSwitch ™ Família de Acesso Seguro

Specifications

Model | FortiSwitch 424D | FortiSwitch 424D-POE | FortiSwitch 424D-FPOE

Hardware Specifications
Total Network Interfaces | 24x GE RJ45 and 2x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 24x GE RJ45 and 2x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 24x GE RJ45 and 2x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP)
Dedicated 10/100 Management Port | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | - | 24 (802.3af/at) | 24 (802.3af/at)
PoE Power Budget | N/A | 185 W | 370 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 88 Gbps | 88 Gbps | 88 Gbps
Packets Per Second (Duplex) | 131 Mpps | 131 Mpps | 131 Mpps
MAC Address Storage | 16 K | 16 K | 16 K
Network Latency | <1 µs | <1 µs | <1 µs
Supported VLANs | 4K | 4K | 4K
Link Aggregation Group Size | 8 | 8 | 8
Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 1.5 MB | 1.5 MB | 1.5 MB
DRAM | 1 GB DDR3 | 1 GB DDR3 | 1 GB DDR3
Flash | 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 10.12 x 17.3 | 1.75 x 10.12 x 17.3 | 1.73 x 12.2 x 17.5
Height x Depth x Width (mm) | 44 x 250 x 440 | 44 x 250 x 440 | 44 x 310 x 440
Weight | 7.14 lbs (3.24 kg) | 8.42 lbs (3.82 kg) | 10.64 lbs (4.83 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power Supply | Integrated | Integrated | Integrated
Redundant Power | Redundant AC | Optional FRPS-740 | Optional FRPS-740
Power Consumption* (Average / Maximum) | 17.3 W / 17.2 W | 208 W / 210 W | 397 W / 403 W
Heat Dissipation | 69 BTU/h | 89 BTU/h | 100 BTU/h
Operating Temperature | 32–122°F (0–50°C) | 32–122°F (0–50°C) | 32–122°F (0–50°C)
Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C)
Humidity | 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow Direction | Side to side | Side to side | Side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 424D, FortiSwitch 424D-POE, FortiSwitch 424D-FPOE


Specifications

Model | FortiSwitch 448D | FortiSwitch 448D-POE | FortiSwitch 448D-FPOE

Hardware Specifications
Total Network Interfaces | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP)
Dedicated 10/100 Management Port | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | - | 48 (802.3af/at) | 48 (802.3af/at)
PoE Power Budget | N/A | 370 W | 740 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 176 Gbps | 176 Gbps | 176 Gbps
Packets Per Second (Duplex) | 262 Mpps | 262 Mpps | 262 Mpps
MAC Address Storage | 16 K | 16 K | 16 K
Network Latency | <1 µs | <1 µs | <1 µs
Supported VLANs | 4K | 4K | 4K
Link Aggregation Group Size | 8 | 8 | 8
Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 1.5 MB | 1.5 MB | 1.5 MB
DRAM | 1 GB DDR3 | 1 GB DDR3 | 1 GB DDR3
Flash | 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 12.2 x 17.3 | 1.73 x 16.1 x 17.3 | 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) | 44 x 310 x 440 | 44 x 410 x 440 | 44 x 410 x 440
Weight | 9.15 lbs (4.15 kg) | 13.44 lbs (6.1 kg) | 15.45 lbs (7.01 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power Supply | Integrated | Integrated | Integrated
Redundant Power | Redundant AC | Optional FRPS-740 | Redundant AC
Power Consumption* (Average / Maximum) | 38 W / 38 W | 417 W / 419 W | 790 W / 792 W
Heat Dissipation | 147 BTU/h | 177 BTU/h | 193 BTU/h
Operating Temperature | 32–122°F (0–50°C) | 32–122°F (0–50°C) | 32–122°F (0–50°C)
Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C)
Humidity | 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow Direction | Side to side | Side to side | Side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 448D, FortiSwitch 448D-POE, FortiSwitch 448D-FPOE


Specifications

Model | FortiSwitch 424E-FIBER | FortiSwitch M426E-FPOE

Hardware Specifications
Total Network Interfaces | 24x GE SFP and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 16x GE RJ45, 8x 2.5 GE RJ45, 2x 5 GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP)
Dedicated 10/100 Management Port | 1 | 1
RJ-45 Serial Console Port | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | N/A | 24 (16x 802.3af/at, 8x 802.3af/at/UPOE)
PoE Power Budget | N/A | 420 W
Mean Time Between Failures | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 128 Gbps | 172 Gbps
Packets Per Second (Duplex) | 204 Mpps | 255 Mpps
MAC Address Storage | 32 K | 16 K
Network Latency | <1 µs | <1 µs
Supported VLANs | 4K | 4K
Link Aggregation Group Size | 8 | 8
Link Aggregation Groups | Up to number of ports | Up to number of ports
Packet Buffers | 4 MB | 2 MB
DRAM | 1 GB DDR4 | 1 GB DDR4
Flash | 256 MB | 256 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 7.87 x 17.3 | 1.73 x 16.14 x 17.3
Height x Depth x Width (mm) | 44 x 200 x 440 | 44 x 410 x 440
Weight | 5.62 lbs (2.55 kg) | 13.00 lbs (5.9 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power Supply | Integrated | Integrated
Redundant Power | Redundant AC | Redundant AC
Power Consumption* (Average / Maximum) | 36 W / 38 W | 441 W / 442 W
Heat Dissipation | 132.5 BTU/h | 132.734 BTU/h
Operating Temperature | 32–113°F (0–45°C) | 32–122°F (0–50°C)
Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C)
Humidity | 5–95% non-condensing | 5–95% non-condensing
Airflow Direction | Side to side | Side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 424E-Fiber, FortiSwitch M426E-FPOE


Specifications

Model | FortiSwitch 424E | FortiSwitch 424E-POE | FortiSwitch 424E-FPOE

Hardware Specifications
Total Network Interfaces | 24x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 24x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 24x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP)
Dedicated 10/100 Management Port | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | - | 24 (802.3af/at) | 24 (802.3af/at)
PoE Power Budget | N/A | 250 W | 421 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 128 Gbps | 128 Gbps | 128 Gbps
Packets Per Second (Duplex) | 204 Mpps | 204 Mpps | 204 Mpps
MAC Address Storage | 16 K | 16 K | 16 K
Network Latency | <1 µs | <1 µs | <1 µs
Supported VLANs | 4K | 4K | 4K
Link Aggregation Group Size | 8 | 8 | 8
Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 2 MB | 2 MB | 2 MB
DRAM | 1 GB DDR4 | 1 GB DDR4 | 1 GB DDR4
Flash | 256 MB | 256 MB | 256 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 10.23 x 17.3 | 1.75 x 16.14 x 17.3 | 1.75 x 16.14 x 17.3
Height x Depth x Width (mm) | 44 x 260 x 440 | 44 x 410 x 440 | 44 x 410 x 440
Weight | 6.83 lbs (3.1 kg) | 11.57 lbs (5.25 kg) | 12.72 lbs (5.77 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power Supply | Integrated | Integrated | Integrated
Redundant Power | Redundant AC | Redundant AC | Redundant AC
Power Consumption* (Average / Maximum) | 22.3 W / 23.6 W | 281.3 W / 283.5 W | 431.2 W / 433.7 W
Heat Dissipation | 76.04 BTU/h | 102.64 BTU/h | 117.2 BTU/h
Operating Temperature | 32–113°F (0–45°C) | 32–113°F (0–45°C) | 32–122°F (0–45°C)
Storage Temperature | -40–158°F (-40–70°C) | -4–158°F (-40–70°C) | -40–158°F (-40–70°C)
Humidity | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing
Airflow Direction | Side to side | Side to side | Side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 424E, FortiSwitch 424E-POE, FortiSwitch 424E-FPOE


Specifications

Model | FortiSwitch 448E | FortiSwitch 448E-POE | FortiSwitch 448E-FPOE

Hardware Specifications
Total Network Interfaces | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP) | 48x GE RJ45 and 4x 10 GE SFP+ ports (Note: SFP+ ports are compatible with 1 GE SFP)
Dedicated 10/100 Management Port | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | - | 48 (802.3af/at) | 48 (802.3af/at)
PoE Power Budget | - | 421 W | 772 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 176 Gbps | 176 Gbps | 176 Gbps
Packets Per Second (Duplex) | 262 Mpps | 262 Mpps | 262 Mpps
MAC Address Storage | 32 K | 32 K | 32 K
Network Latency | <1 µs | <1 µs | <1 µs
Supported VLANs | 4K | 4K | 4K
Link Aggregation Group Size | 8 | 8 | 8
Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 2 MB | 2 MB | 2 MB
DRAM | 1 GB DDR4 | 1 GB DDR4 | 1 GB DDR4
Flash | 256 MB | 256 MB | 256 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 12.2 x 17.3 | 1.73 x 16.1 x 17.3 | 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) | 44 x 310 x 440 | 44 x 410 x 440 | 44 x 410 x 440
Weight | 9.17 lbs (4.16 kg) | 13.8 lbs (6.26 kg) | 14.04 lbs (6.37 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz | 100–240 V AC, 50/60 Hz
Power Supply | Integrated | Integrated | Integrated
Redundant Power | Redundant AC | Redundant AC | Redundant AC
Power Consumption* (Average / Maximum) | 46.5 W / 47.81 W | 440.12 W / 442.234 W | 921.4 W / 923.6 W
Heat Dissipation | 163.032 BTU/h | 163.066 BTU/h | 163.1 BTU/h
Operating Temperature | 32–122°F (0–50°C) | 32–122°F (0–50°C) | 32–122°F (0–50°C)
Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C)
Humidity | 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Airflow Direction | Side to side | Side to side | Side to side

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty** on all models

* Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 448E, FortiSwitch 448E-POE, FortiSwitch 448E-FPOE


Specifications

Model | FortiSwitch 524D | FortiSwitch 524D-FPOE | FortiSwitch 548D | FortiSwitch 548D-FPOE

Hardware Specifications
Total Network Interfaces | 24x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP ports (Note: SFP+ ports are compatible with 1G SFP) | 24x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP ports (Note: SFP+ ports are compatible with 1G SFP) | 48x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP ports (Note: SFP+ ports are compatible with 1G SFP) | 48x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP ports (Note: SFP+ ports are compatible with 1G SFP)
Dedicated 10/100/1000 Management Port | 1 | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) | N/A | 24 (802.3af/at) | N/A | 48 (802.3af/at)
PoE Power Budget | N/A | 400 W | N/A | 750 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 288 Gbps | 288 Gbps | 336 Gbps | 336 Gbps
Packets Per Second (Duplex) | 428 Mpps | 428 Mpps | 512 Mpps | 512 Mpps
MAC Address Storage | 96 K | 96 K | 96 K | 96 K
Network Latency | <2 µs | <2 µs | <2 µs | <2 µs
Supported VLANs | 4K | 4K | 4K | 4K
Link Aggregation Group Size | 24 | 24 | 48 | 48
Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 4 MB | 4 MB | 4 MB | 4 MB
DRAM | 2 GB DDR3 | 2 GB DDR3 | 2 GB DDR3 | 2 GB DDR3
Flash | 128 MB | 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3
Height x Depth x Width (mm) | 44 x 350 x 439 | 44 x 350 x 439 | 44 x 350 x 439 | 44 x 350 x 439
Weight | 13.6 lbs (6.2 kg) | 15.74 lbs (7.14 kg) | 14.1 lbs (6.4 kg) | 15.74 lbs (7.14 kg)

Environment
Power Required | 100–240 V AC, 50/60 Hz, 150 W | 100–240 V AC, 50/60 Hz, 600 W | 100–240 V AC, 50/60 Hz, 150 W | 100–240 V AC, 50/60 Hz, 920 W
Power Supply | AC PSU* | AC PSU* | AC PSU* | AC PSU*
Redundant Power | Optional FS-PSU-150* (150 W backup only) | Optional FS-PSU-600* (600 W, for additional PoE) | Optional FS-PSU-150* (150 W backup only) | Optional FS-PSU-900* (900 W, for additional PoE)
Power Consumption** (Average / Maximum) | 73 W / 75 W | 570 W / 579 W (full PoE load) | 74 W / 77 W | 925 W / 961 W (full PoE load)
Heat Dissipation | 247 BTU/h | 296 BTU/h (full PoE load) | 252 BTU/h | 318 BTU/h (full PoE load)
Operating Temperature | 32–113°F (0–45°C) | 32–113°F (0–45°C) | 32–113°F (0–45°C) | 32–113°F (0–45°C)
Storage Temperature | -40–158°F (-40–70°C) | -40–158°F (-40–70°C) | -40–158°F (-40–70°C) | -40–158°F (-40–70°C)
Humidity | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing
Airflow Direction | Front to back | Front to back | Front to back | Front to back

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty | Limited lifetime warranty*** on all models

* FS-524D, FS-524D-FPOE, FS-548D and FS-548D-FPOE power supply units are hot-swappable.
** Power consumption of PoE models is similar to the non-PoE model if PoE is not in use.
*** Fortinet warranty policy: http://www.fortinet.com/doc/legal/EULA.pdf

Pictured: FortiSwitch 524D, FortiSwitch 524D-FPOE, FortiSwitch 548D, FortiSwitch 548D-FPOE


Ordering Information

Product | SKU | Description
FortiSwitch 108E | FS-108E | Layer 2 FortiGate switch controller compatible switch with 8x GE RJ45 + 2 SFP ports, dual power input (AC line and PSE). Fanless.
FortiSwitch 108E-POE | FS-108E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 8x GE RJ45 + 2 SFP ports, 4-port PoE with a maximum 65 W PoE limit. Fanless.
FortiSwitch 108E-FPOE | FS-108E-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 8x GE RJ45 + 2 SFP ports, 8-port PoE with a maximum 130 W PoE limit. Fanless.
FortiSwitch 124E | FS-124E | Layer 2 FortiGate switch controller compatible switch with 24x GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 124E-POE | FS-124E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4 SFP ports, 12-port PoE with a maximum 185 W limit.
FortiSwitch 124E-F-POE | FS-124E-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4 SFP ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 148E | FS-148E | Layer 2 FortiGate switch controller compatible switch with 48x GE RJ45 + 4 SFP ports.
FortiSwitch 148E-POE | FS-148E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4 SFP ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 124F | FS-124F | Layer 2 FortiGate switch controller compatible switch with 24x GE RJ45 + 4x 10G SFP+ ports.
FortiSwitch 124F-POE | FS-124F-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4x 10G SFP+ ports, 12-port PoE with a maximum 185 W limit.
FortiSwitch 124F-FPOE | FS-124F-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4x 10G SFP+ ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 148F | FS-148F | Layer 2 FortiGate switch controller compatible switch with 48x GE RJ45 + 4x 10G SFP+ ports.
FortiSwitch 148F-POE | FS-148F-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4x 10G SFP+ ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 148F-FPOE | FS-148F-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4x 10G SFP+ ports, 48-port PoE with a maximum 740 W limit.
FortiSwitch 224D-FPOE | FS-224D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4 SFP ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 224E | FS-224E | Layer 2/3 FortiGate switch controller compatible switch with 24x GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 224E-POE | FS-224E-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 4 SFP ports, 12-port PoE with a maximum 180 W limit.
FortiSwitch 248D | FS-248D | Layer 2/3 FortiGate switch controller compatible switch with 48x GE RJ45 + 4 SFP ports.
FortiSwitch 248E-POE | FS-248E-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4 SFP ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 248E-FPOE | FS-248E-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4 SFP ports, 48-port PoE with a maximum 740 W limit.
FortiSwitch 424D | FS-424D | Layer 2/3 FortiGate switch controller compatible switch with 24x GE RJ45 + 2x 10 GE SFP+ ports.
FortiSwitch 424D-POE | FS-424D-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 2x 10 GE SFP+ ports, 24-port PoE with a maximum 185 W limit.
FortiSwitch 424D-FPOE | FS-424D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45 + 2x 10 GE SFP+ ports, 24-port PoE with a maximum 370 W limit.
FortiSwitch 448D | FS-448D | Layer 2/3 FortiGate switch controller compatible switch with 48x GE RJ45 + 4x 10 GE SFP+ ports.
FortiSwitch 448D-POE | FS-448D-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4x 10 GE SFP+ ports, 48-port PoE with a maximum 370 W limit.
FortiSwitch 448D-FPOE | FS-448D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45 + 4x 10 GE SFP+ ports, 48-port PoE with a maximum 740 W limit.
FortiSwitch 424E-Fiber | FS-424E-Fiber | Layer 2/3 FortiGate switch controller compatible switch with 24x GE SFP and 4x 10 GE SFP+ uplinks.
FortiSwitch M426E-FPOE | FS-M426E-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+/UPoE switch with 16x GE RJ45, 8x 2.5 GE RJ45, 2x 5 GE RJ45 and 4x 10 GE SFP+ ports, 24-port PoE+ with a maximum 420 W limit.
FortiSwitch 424E | FS-424E | Layer 2/3 FortiGate switch controller compatible switch with 24x GE RJ45, 4x 10 GE SFP+ ports.
FortiSwitch 424E-POE | FS-424E-POE | Layer 2/3 FortiGate switch controller compatible switch with 24x GE RJ45, 4x 10 GE SFP+ ports, 24-port PoE+ with a maximum 283.5 W limit.
FortiSwitch 424E-FPOE | FS-424E-FPOE | Layer 2/3 FortiGate switch controller compatible switch with 24x GE RJ45, 4x 10 GE SFP+ ports, 24-port PoE+ with a maximum 433.7 W limit.
FortiSwitch 448E | FS-448E | Layer 2/3 FortiGate switch controller compatible switch with 48x GE RJ45, 4x 10 GE SFP+ ports.
FortiSwitch 448E-POE | FS-448E-POE | Layer 2/3 FortiGate switch controller compatible switch with 48x GE RJ45, 4x 10 GE SFP+ ports, 48-port PoE+ with a maximum 421 W limit.
FortiSwitch 448E-FPOE | FS-448E-FPOE | Layer 2/3 FortiGate switch controller compatible switch with 48x GE RJ45, 4x 10 GE SFP+ ports, 48-port PoE+ with a maximum 772 W limit.
FortiSwitch 524D | FS-524D | Layer 2/3 FortiGate switch controller switch with 24x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 524D-FPOE | FS-524D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24x GE RJ45, 4x 10 GE SFP+, 2x 40 GE QSFP+ ports, 24-port PoE with a maximum 400 W limit.
FortiSwitch 548D | FS-548D | Layer 2/3 FortiGate switch controller switch with 48x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 548D-FPOE | FS-548D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48x GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports, 48-port PoE with a maximum 750 W limit.
FortiSwitch Cloud Management License* | FC-10-WMSC1-190-02-DD | FortiSwitch Cloud Management License, 1-year subscription contract.


Ordering Information

Accessories

Product | SKU | Description
FortiSwitch Advanced Features License | FS-SW-LIC-200 | SW license for FS-200 series switches to activate advanced features.
FortiSwitch Advanced Features License | FS-SW-LIC-400 | SW license for FS-400 series switches to activate advanced features.
FortiSwitch Advanced Features License | FS-SW-LIC-500 | SW license for FS-500 series switches to activate advanced features.
External Redundant AC Power Supply | FRPS-740 | Redundant AC power supply for up to 2 units: FS-224D-FPOE, FS-248D-FPOE, FS-424D-FPOE, FS-448D-POE and FS-424D-POE.
External Redundant AC Power Supply | FS-PSU-150 | Redundant AC power supply for FS-548D and FS-524D.
External Redundant AC Power Supply | FS-PSU-600 | AC power supply for FS-524D-FPOE.
External Redundant AC Power Supply | FS-PSU-900** | AC power supply for FS-548D-FPOE.

* When managing a FortiSwitch with a FortiGate via FortiGate Cloud, no additional license is required.

** Provides additional PoE capacity.

For details on transceiver modules, refer to the Fortinet Transceivers data sheet.

Note that all PoE FortiSwitches are Alternative-A.

www.fortinet.com

Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters into a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified performance metrics; in such event, only the specific performance metrics expressly identified in that binding written contract shall be binding on Fortinet. For clarity, any such warranty will be limited to performance in the same ideal conditions as Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied.

FST-PROD-DS-SW3 FS-SA-DAT-R40-202011
DATA SHEET

FortiSwitch™ Secure Access Family


The FortiSwitch™ Secure Access Family delivers outstanding security, performance, and manageability. Secure, simple, and scalable, FortiSwitch is the right choice for threat-conscious businesses of all sizes.

Tightly integrated into the Fortinet Security Fabric via FortiLink, FortiSwitch can be managed directly from the familiar FortiGate interface. This single pane of glass management provides complete visibility and control of users and devices on the network regardless of how they connect. This makes the FortiSwitch ideal for SD-Branch deployments with applications that range from desktop to data center aggregation, enabling businesses to converge their security and network access.

Security Fabric Integration through FortiLink

FortiLink is an innovative proprietary management protocol that allows our FortiGate Next Generation Firewall to seamlessly manage any FortiSwitch. FortiLink enables the FortiSwitch to become a logical extension of the FortiGate, integrating it directly into the Fortinet Security Fabric. This management option reduces complexity and decreases management costs as network security and access layer functions are enabled and managed through a single console. FortiLink integration enables centralized policy management, including role-based access and control, making it easy to implement and manage. This control and manageability make FortiSwitch ideal for SD-Branch deployments.

Product Offerings

FS-108E, 108E-POE, 108E-FPOE, 124E, 124E-POE, 124E-FPOE, 148E, 148E-POE, 124F, 124F-POE, 124F-FPOE, 148F, 148F-POE, 148F-FPOE, 224D-FPOE, 224E, 224E-POE, 248D, 248E-POE, 248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 424E-FIBER, M426E-FPOE, 424E, 424E-POE, 424E-FPOE, 448E, 448E-POE, 448E-FPOE, 524-D, 524D-FPOE, 548D, 548D-FPOE

Highlights

§ Designed for installations from desktops to wiring closets
§ Ideal for SD-Branch deployments
§ Centralized security and access management from FortiGate interfaces with FortiLink
§ Optimal for converged network environments; enabling voice, data, and wireless traffic to be delivered across a single network
§ Supports non-FortiLink deployments through onboard GUI, API, or command line configuration
§ Up to 48 ports in a compact 1 RU form factor
§ Stackable up to 300 switches per FortiGate, depending on model
§ Supports Wire-speed switching and Store and Forward forwarding mode

Highlights

Entry: 100 Series
§ Entry level switch
§ 8-48 GE ports, PoE+ capable
§ Desktop to wiring closet
§ 2-4 GE SFP uplink ports
§ 4x 10GE SFP+ uplink ports

Mid-Range: 200 Series
§ Mid-level switch
§ 24-48 GE ports, PoE+ capable
§ Typical wiring closet switch
§ 4 GE SFP uplink ports

Premium: 400 Series
§ Enterprise switch
§ 24-48 GE ports, PoE+ capable
§ Larger wiring closet or high throughput requirements
§ 4x 10 GE SFP+ uplink ports

Aggregation: 500 Series
§ Aggregation switch
§ 24-48 GE ports, PoE+ capable
§ Larger wiring closet or high throughput requirements
§ 4x 10 GE SFP+ and 2x 40 GE QSFP uplink ports

Deployment

FortiLink: FortiGate Managed. Security Fabric Enabled. Most common deployment model. Cloud Management Option: FortiGate Cloud.

Standalone: Industry Standard Deployment Model. Common in non-FortiGate environments. Cloud Management Option: FortiSwitch Cloud.


Features

FORTISWITCH FORTILINK MODE (WITH FORTIGATE)


Management and Configuration
Auto Discovery of Multiple Switches Yes
Number of Managed Switches per FortiGate 8 to 300 Depending on FortiGate Model (Please refer to admin guide)
FortiLink Stacking (Auto Inter-Switch Links) Yes
Software Upgrade of Switches Yes
Centralized VLAN Configuration Yes
Switch POE Control Yes
Link Aggregation Configuration Yes
Spanning Tree Yes
LLDP/MED Yes
IGMP Snooping Yes
L3 Routing and Services Yes (FortiGate)
Policy-Based Routing Yes (FortiGate)
Virtual Domain Yes (FortiGate)
Security and Visibility
802.1x Authentication (Port-based, MAC-based, MAB) Yes
Syslog Collection Yes
DHCP Snooping Yes
Device Detection Yes
MAC Black/White Listing Yes (FortiGate)
Policy Control of Users and Devices Yes (FortiGate)
UTM Features
Firewall Yes (FortiGate)
IPS, AV, Application Control, Botnet Yes (FortiGate)
High Availability
Support FortiLink FortiGate in HA Cluster Yes
LAG support for FortiLink Connection Yes
Active-Active Split LAG from FortiGate to FortiSwitches for Advanced Redundancy Yes (with FS-2xx, 4xx, 5xx)
FORTISWITCH MODEL SERIES 2XXD, 4XXD, 5XXD 1XXE / 1XXF 2XXE, 4XXE
Layer 2
Jumbo Frames Yes Yes Yes
Auto-negotiation for Port Speed and Duplex Yes Yes Yes
MDI/MDIX Auto-crossover Yes Yes Yes
IEEE 802.1D MAC Bridging/STP Yes Yes Yes
IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) Yes Yes Yes
IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) Yes Yes Yes
STP Root Guard Yes Yes Yes
STP BPDU Guard Yes Yes Yes
Edge Port / Port Fast Yes Yes Yes
IEEE 802.1Q VLAN Tagging Yes Yes Yes
Private VLAN Yes No Yes
IEEE 802.3ad Link Aggregation with LACP Yes Yes Yes
Unicast/Multicast traffic balance over trunking port Yes Yes Yes
(dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac)
IEEE 802.1AX Link Aggregation Yes Yes Yes
Spanning Tree Instances (MSTP/CST) 15/1 15/1 15/1
IEEE 802.3x Flow Control and Back-pressure Yes Yes Yes
IEEE 802.3 10Base-T Yes Yes Yes
IEEE 802.3u 100Base-TX Yes Yes Yes
IEEE 802.3z 1000Base-SX/LX Yes Yes Yes
IEEE 802.3ab 1000Base-T Yes Yes Yes
IEEE 802.3ae 10 Gigabit Ethernet 4xx and 5xx Family N/A / Yes Yes
IEEE 802.3az Energy Efficient Ethernet Yes Yes Yes
IEEE 802.3bz Multi Gigabit Ethernet No No Yes (M426E-FPOE)
IEEE 802.3 CSMA/CD Access Method and Physical Layer Specifications Yes Yes Yes
Storm Control Yes Yes Yes
MAC, IP, Ethertype-based VLANs Yes Yes Yes
Virtual-Wire Yes No Yes
Split Port (QSFP+ breakout to 4x10G SFP+ or 4x1G SFP) FS-5xx Family N/A N/A
Time-Domain Reflectometry (TDR) Support Yes Yes Yes

DATA SHEET | FortiSwitch™ Secure Access Family

Features

FORTISWITCH MODEL SERIES 2XXD, 4XXD, 5XXD 1XXE / 1XXF 2XXE, 4XXE
Layer 3*
Static Routing (Hardware-based) Yes N/A Yes
Routing Entries [2XXD/4XXD/5XXD] 64 on FS-2xx/4xx, 16K on FS-5xx | [1XXE/1XXF] N/A | [2XXE/4XXE] 64 on 2xxE, 1K on 424E/424E-POE/424E-FPOE/M426E-FPOE, 16K on 448E/448E-POE/448E-FPOE/424E-Fiber
Host Entries [2XXD/4XXD/5XXD] 1K on FS-2xx/4xx, 24K on FS-5xx | [1XXE/1XXF] N/A | [2XXE/4XXE] 1K on 2xxE, 2K on 424E/424E-POE/424E-FPOE/M426E-FPOE, 16K on 448E/448E-POE/448E-FPOE/424E-Fiber
Dynamic Routing Protocols** [2XXD/4XXD/5XXD] OSPFv2, RIPv2, VRRP; BGP and IS-IS on FS-5xx | [1XXE/1XXF] N/A | [2XXE/4XXE] OSPFv2, RIPv2, VRRP
Multicast Protocols** PIM-SSM on FS-5xx N/A N/A
ECMP FS-5xx Family N/A No
Spanning Tree Instances 32 instances max for FS-5xx from 6.2.0+ N/A N/A
Bidirectional Forwarding Detection (BFD) Yes N/A Yes
DHCP Relay Yes N/A Yes
Services
IGMP Snooping Yes No Yes
Security and Visibility
Port Mirroring Yes Yes Yes
Admin Authentication Via RFC 2865 RADIUS Yes Yes Yes
IEEE 802.1x authentication Port-based Yes Yes Yes
IEEE 802.1x Authentication MAC-based Yes Yes Yes
IEEE 802.1x Guest and Fallback VLAN Yes Yes Yes
IEEE 802.1x MAC Access Bypass (MAB) Yes Yes Yes
IEEE 802.1x Dynamic VLAN Assignment Yes Yes Yes
RADIUS CoA (Change of Authorization, RFC 5176) Yes Yes Yes
RADIUS Accounting Yes Yes Yes
MAC-IP Binding 5xx only No No
sFlow Yes No Yes
ACL [2XXD/4XXD/5XXD] 1K entries on FS-5xx, 512 on FS-2xx/4xx | [1XXE/1XXF] No | [2XXE/4XXE] 512 entries on 2xxE, 1K on 424E/424E-POE/424E-FPOE/M426E-FPOE, 1.5K on 448E/448E-POE/448E-FPOE/424E-Fiber
IEEE 802.1AB Link Layer Discovery Protocol (LLDP) Yes Yes Yes
IEEE 802.1AB LLDP-MED Yes Yes Yes
IEEE 802.1AE MAC Security (MACsec) FS-5xxD 10G ports No No
DHCP-Snooping Yes Yes Yes
Dynamic ARP Inspection Yes Yes Yes
Sticky MAC and MAC Limit Yes Yes Yes
High Availability
Multi-Chassis Link Aggregation (MCLAG) Yes N/A Yes
Quality of Service
IEEE 802.1p Based Priority Queuing Yes Yes Yes
IP TOS/DSCP Based Priority Queuing Yes Yes Yes
IEEE 1588 PTP (Transparent Clock) Yes No Yes
Management
IPv4 and IPv6 Management Yes Yes Yes
Telnet / SSH Yes Yes Yes
HTTP / HTTPS Yes Yes Yes
SNMP v1/v2c/v3 Yes Yes Yes
SNTP Yes Yes Yes
Standard CLI and Web GUI Interface Yes Yes Yes
Software download/upload: TFTP/FTP/GUI Yes Yes Yes
Managed from FortiGate Yes Yes Yes
Support for HTTP REST APIs for Configuration and Monitoring Yes Yes Yes
* Supported on 2xx, 4xx and 5xx. ** Requires ‘Advanced Features’ License.
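The three access-layer controls listed under Security and Visibility (DHCP Snooping, Dynamic ARP Inspection, Sticky MAC and MAC Limit) only make sense as a chain: the snooping table built from leases seen on trusted uplinks is what ARP inspection checks against, and MAC limiting caps how many stations a single edge port can present. The Python model below is an added illustration of that chain, written for this page; it is not FortiSwitch code or configuration, and the port names, addresses and the MAC limit of 2 are constructed for the demo.

```python
"""Access-port security plane of a switch, modelled as an added Python example.

Illustration written for the feature table above (DHCP snooping, Dynamic ARP
Inspection, sticky MAC / MAC limit); not FortiSwitch code or configuration.
Port names, MAC and IP addresses and the MAC limit are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    kind: str                          # dhcp_request | dhcp_offer | dhcp_ack | arp_reply | data
    ip: Optional[str] = None           # ARP reply: sender IP; DHCP ACK: assigned address (yiaddr)
    client_mac: Optional[str] = None   # DHCP: client hardware address (chaddr)


class AccessSwitch:
    def __init__(self, trusted_ports, mac_limit=2):
        self.trusted = set(trusted_ports)   # uplinks: DHCP servers may only answer from here
        self.mac_limit = mac_limit
        self.pending = {}    # client MAC -> access port, learned from snooped DHCP REQUESTs
        self.bindings = {}   # IP -> (client MAC, access port): the DHCP snooping binding table
        self.sticky = {}     # port -> set of MACs locked to that port
        self.drops = []      # (port, reason) for every frame port security refused

    def _drop(self, frame, reason):
        self.drops.append((frame.port, reason))
        return False

    def ingress(self, frame):
        """Return True if the frame is forwarded, False if port security drops it."""
        untrusted = frame.port not in self.trusted
        if untrusted:
            macs = self.sticky.setdefault(frame.port, set())
            if frame.src_mac not in macs:
                if len(macs) >= self.mac_limit:
                    return self._drop(frame, "mac-limit exceeded")
                macs.add(frame.src_mac)      # sticky MAC: learned once, then locked to the port
        if frame.kind in ("dhcp_offer", "dhcp_ack"):
            if untrusted:                    # DHCP snooping: server replies only from uplinks
                return self._drop(frame, "dhcp server message on untrusted port")
            if frame.kind == "dhcp_ack" and frame.client_mac in self.pending:
                self.bindings[frame.ip] = (frame.client_mac, self.pending.pop(frame.client_mac))
        elif frame.kind == "dhcp_request" and untrusted:
            self.pending[frame.client_mac] = frame.port
        elif frame.kind == "arp_reply" and untrusted:
            # Dynamic ARP Inspection: sender IP/MAC/port must match a snooped lease
            if self.bindings.get(frame.ip) != (frame.src_mac, frame.port):
                return self._drop(frame, "arp reply does not match dhcp binding")
        return True


def run_demo():
    """Constructed traffic: a legitimate lease on port5, then an attacker on port6."""
    sw = AccessSwitch(trusted_ports={"port1"}, mac_limit=2)
    victim, attacker, server = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "00:11:22:33:44:55"
    frames = [
        Frame("port5", victim, "dhcp_request", client_mac=victim),
        Frame("port1", server, "dhcp_ack", ip="10.0.0.10", client_mac=victim),
        Frame("port6", attacker, "dhcp_offer", ip="10.0.0.99", client_mac=victim),  # rogue server
        Frame("port5", victim, "arp_reply", ip="10.0.0.10"),
        Frame("port6", attacker, "arp_reply", ip="10.0.0.10"),                     # ARP spoof
        Frame("port6", "aa:bb:cc:00:00:03", "data"),
        Frame("port6", "aa:bb:cc:00:00:04", "data"),                               # third MAC
    ]
    forwarded = [sw.ingress(f) for f in frames]
    return forwarded, sw.drops, sw.bindings


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The order of checks matters in practice as it does here: a host that never obtained its address through DHCP (static IP on an untrusted port) has no binding and its ARP replies are dropped, so static hosts need either a trusted port or a manual binding entry, which is the operational caveat behind enabling DAI on a live access layer.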


Features

ALL FORTISWITCH MODELS


RFC and MIB Support*

BFD
RFC 5880: Bidirectional Forwarding Detection (BFD)
RFC 5881: Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
RFC 5882: Generic Application of Bidirectional Forwarding Detection (BFD)

BGP
RFC 1771: A Border Gateway Protocol 4 (BGP-4)
RFC 1965: Autonomous System Confederations for BGP
RFC 1997: BGP Communities Attribute
RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
RFC 2796: BGP Route Reflection - An Alternative to Full Mesh IBGP
RFC 2842: Capabilities Advertisement with BGP-4
RFC 2858: Multiprotocol Extensions for BGP-4
RFC 4271: BGP-4
RFC 6286: Autonomous-System-Wide Unique BGP Identifier for BGP-4
RFC 6608: Subcodes for BGP Finite State Machine Error
RFC 6793: BGP Support for Four-Octet Autonomous System (AS) Number Space
RFC 7606: Revised Error Handling for BGP UPDATE Messages
RFC 7607: Codification of AS 0 Processing
RFC 7705: Autonomous System Migration Mechanisms and Their Effects on the BGP AS_PATH Attribute
RFC 8212: Default External BGP (EBGP) Route Propagation Behavior without Policies
RFC 8654: Extended Message Support for BGP

DHCP
RFC 2131: Dynamic Host Configuration Protocol
RFC 3046: DHCP Relay Agent Information Option
RFC 7513: Source Address Validation Improvement (SAVI) Solution for DHCP

IP/IPv4
RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP
RFC 5227: IPv4 Address Conflict Detection
RFC 5517: Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
RFC 7039: Source Address Validation Improvement (SAVI) Framework

IP Multicast
RFC 2362: Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
RFC 2710: Multicast Listener Discovery (MLD) for IPv6 (MLDv1)
RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
RFC 4605: Internet Group Management Protocol (IGMP)/Multicast Listener Discovery (MLD)-Based Multicast Forwarding ("IGMP/MLD Proxying")
RFC 4607: Source-Specific Multicast for IP

IPv6
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers (DSCP)
RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers
RFC 4291: IP Version 6 Addressing Architecture
RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
RFC 4862: IPv6 Stateless Address Autoconfiguration
RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
RFC 6724: Default Address Selection for Internet Protocol version 6 (IPv6)
RFC 7113: Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
RFC 8200: Internet Protocol, Version 6 (IPv6) Specification
RFC 8201: Path MTU Discovery for IP version 6

IS-IS
RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
RFC 5308: Routing IPv6 with IS-IS

MIB
RFC 1213: MIB-II (parts that apply to FortiSwitch 100 units)
RFC 1354: IP Forwarding Table MIB
RFC 1493: Bridge MIB
RFC 1573: Evolution of the Interfaces Group of MIB-II
RFC 1643: Ethernet-like Interface MIB
RFC 1724: RIPv2-MIB
RFC 1850: OSPF Version 2 Management Information Base
RFC 2233: The Interfaces Group MIB using SMIv2
RFC 2618: RADIUS Authentication Client MIB
RFC 2620: RADIUS Accounting Client MIB
RFC 2674: Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
RFC 2787: Definitions of Managed Objects for the Virtual Router Redundancy Protocol
RFC 2819: Remote Network Monitoring Management Information Base
RFC 2932: IPv4 Multicast Routing MIB
RFC 2934: Protocol Independent Multicast MIB for IPv4
RFC 3289: Management Information Base for the Differentiated Services Architecture
RFC 3433: Entity Sensor Management Information Base
RFC 3621: Power Ethernet MIB
RFC 6933: Entity MIB (Version 4)

OSPF
RFC 1583: OSPF Version 2
RFC 1765: OSPF Database Overflow
RFC 2328: OSPF Version 2
RFC 2370: The OSPF Opaque LSA Option
RFC 2740: OSPF for IPv6
RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option
RFC 3137: OSPF Stub Router Advertisement
RFC 3623: OSPF Graceful Restart
RFC 5340: OSPF for IPv6 (OSPFv3)
RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication
RFC 6549: OSPFv2 Multi-Instance Extensions
RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type
RFC 6860: Hiding Transit-Only Networks in OSPF
RFC 7474: Security Extension for OSPFv2 When Using Manual Key Management
RFC 7503: OSPFv3 Autoconfiguration
RFC 8042: OSPF Two-Part Metric
RFC 8362: OSPFv3 Link State Advertisement (LSA) Extensibility

Other
RFC 2030: Simple Network Time Protocol (SNTP)
RFC 3176: InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
RFC 3768: Virtual Router Redundancy Protocol (VRRP)
RFC 3954: Cisco Systems NetFlow Services Export Version 9
RFC 5101: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information
RFC 5798: VRRPv3 (IPv4 and IPv6)

RADIUS
RFC 2865: Remote Authentication Dial In User Service (RADIUS), used for admin authentication
RFC 2866: RADIUS Accounting
RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

RIP
RFC 1058: Routing Information Protocol
RFC 2080: RIPng for IPv6
RFC 2082: RIP-2 MD5 Authentication
RFC 2453: RIPv2
RFC 4822: RIPv2 Cryptographic Authentication

SNMP
RFC 1157: A Simple Network Management Protocol (SNMPv1)
RFC 2571: An Architecture for Describing SNMP Management Frameworks
RFC 2572: Message Processing and Dispatching for SNMP
RFC 2573: SNMP Applications
RFC 2576: Coexistence between SNMP Versions

* RFC and MIB supported by FortiSwitch Operating System. Check feature matrix in administration guide for model specific support.
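RFC 5176 is the entry in the list above that turns 802.1X from a one-time admission decision into a live control: an authorization server sends a CoA-Request to the switch to change a session's VLAN or filter, and the switch answers CoA-ACK or CoA-NAK. The Python below is an added worked example of that exchange, not FortiSwitch or Fortinet code: it builds a CoA-Request with the Message-Authenticator and Request Authenticator rules of RFC 5176 §3.2, verifies it the way the switch must, and produces the two possible responses. The shared secret, Identifier and attribute values are constructed for the demo; MD5 and HMAC-MD5 are what the RADIUS wire format prescribes, not a design choice of this example.

```python
"""RADIUS Change-of-Authorization (CoA) exchange per RFC 5176, as an added example.

Not FortiSwitch code. Shared secret, Identifier and attribute values are constructed.
MD5 / HMAC-MD5 are mandated by RFC 2865 / RFC 5176, which is one reason to carry
RADIUS over a protected transport rather than bare UDP.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FILTER_ID, CALLING_STATION_ID = 1, 11, 31
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
SESSION_CONTEXT_NOT_FOUND = 503


def _attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header octets (RFC 2865 §5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(body):
    """Return [(type, value), ...] and the offset of the Message-Authenticator value."""
    attrs, offset, ma_offset = [], 0, None
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[offset], body[offset + 1]
        if length < 2 or offset + length > len(body):
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if length != 18 or ma_offset is not None:
                raise ValueError("malformed or duplicate Message-Authenticator")
            ma_offset = offset + 2
        attrs.append((attr_type, body[offset + 2:offset + length]))
        offset += length
    return attrs, ma_offset


def build_coa_request(secret, identifier, attrs):
    """Server -> NAS. Message-Authenticator = HMAC-MD5 over the packet with the Request
    Authenticator and its own value zeroed (RFC 5176 §3.2); the Request Authenticator
    is then MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    msg_auth = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_coa_request(secret, packet):
    """NAS side: accept only a well-formed CoA-Request whose MAC and authenticator match."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    body = packet[20:]
    try:
        _attrs, ma_offset = _parse_attrs(body)
    except ValueError:
        return False
    if ma_offset is None:      # RFC 5176 says SHOULD include it; a NAS should insist
        return False
    zeroed = body[:ma_offset] + bytes(16) + body[ma_offset + 16:]
    expected_ma = hmac.new(secret, packet[:4] + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, body[ma_offset:ma_offset + 16]):
        return False
    expected_ra = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected_ra, packet[4:20])


def build_coa_response(secret, request, code, attrs=()):
    """NAS -> server. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_coa_response(secret, request, response):
    """Server side: the response is bound to the request by Identifier and Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Push a quarantine Filter-Id to a live session; also show the NAK for an unknown session."""
    request = build_coa_request(secret, 7, [
        (USER_NAME, b"alice"),
        (CALLING_STATION_ID, b"AA-BB-CC-00-00-01"),
        (FILTER_ID, b"quarantine-acl"),
    ])
    ack = build_coa_response(secret, request, COA_ACK)
    nak = build_coa_response(secret, request, COA_NAK,
                             [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))])
    return request, ack, nak
```

The check a practitioner cares about is the one in verify_coa_request: a CoA listener that validates only the Request Authenticator, or that accepts a request without Message-Authenticator, lets anyone who can spoof the server's source address and knows nothing but the packet layout try offline guesses against the shared secret, so the switch-side policy should be to require the attribute and to restrict CoA sources to the configured RADIUS servers.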


Specifications

FORTISWITCH 108E FORTISWITCH 108E-POE FORTISWITCH 108E-FPOE


Hardware Specifications
Total Network Interfaces 7x GE RJ45, 1x GE/PoE-PD RJ45 and 2x GE SFP 8x GE RJ45 and 2x GE SFP 8x GE RJ45 and 2x GE SFP
Dedicated Management 10/100 Port 0 0 0
RJ-45 Serial Console Port 1 1 1
Form Factor Desktop 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 0 4 (802.3af/at) 8 (802.3af/at)
PoE Power Budget 0 65 W 130 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 20 Gbps 20 Gbps 20 Gbps
Packets Per Second (Duplex) 30 Mpps 30 Mpps 30 Mpps
MAC Address Storage 8K 8K 8K
Network Latency 4µs 4µs 4µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 8 8 8
Packet Buffers 512 KB 512 KB 512 KB
DRAM 256 MB DDR3 256 MB DDR3 256 MB DDR3
FLASH 32 MB 32 MB 32 MB

Dimensions
Height x Depth x Width (inches) 1.5 x 6.3 x 8.7 1.7 x 8.2 x 13 1.7 x 8.2 x 13
Height x Depth x Width (mm) 38 x 160 x 220 44 x 209 x 330 44 x 209 x 330
Weight 2.2 lbs (1 kg) 4.3 lbs (1.95 kg) 4.5 lbs (2.04 kg)

Environment
Power Required 100–240V AC, 50/60 Hz / PoE-PSE(af) 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC & PoE-PD Built in AC Built in AC Built in
Redundant Power — — —
Power Consumption* (Average / Maximum) 5.54 W / 6.26 W 70.19 W / 71.10 W 135.19 W / 136.10 W
Heat Dissipation 18.9 BTU/h 17.7 BTU/h 17.7 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 124E FORTISWITCH 124E-POE FORTISWITCH 124E-FPOE


Hardware Specifications
Total Network Interfaces 24x GE RJ45 and 4x GE SFP 24x GE RJ45 and 4x GE SFP 24x GE RJ45 and 4x GE SFP
Dedicated Management 10/100 Port 0 0 0
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 0 12 (802.3af/at) 24 (802.3af/at)
PoE Power Budget 0 185 W 370 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 56 Gbps 56 Gbps 56 Gbps
Packets Per Second (Duplex) 83 Mpps 83 Mpps 83 Mpps
MAC Address Storage 8K 8K 8K
Network Latency 4µs 4µs 4µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 8 8 8
Packet Buffers 512 KB 512 KB 512 KB
DRAM 256 MB DDR3 256 MB DDR3 256 MB DDR3
FLASH 32 MB 32 MB 32 MB

Dimensions
Height x Depth x Width (inches) 1.7 x 8.2 x 13 1.7 x 12.2 x 17.3 1.7 x 12.2 x 17.3
Height x Depth x Width (mm) 44 x 209 x 330 44 x 309 x 440 44 x 309 x 440
Weight 4.7 lbs (2.13 kg) 11.1 lbs (5.03 kg) 11.2 lbs (5.03 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC Built in AC Built in AC Built in
Redundant Power — — —
Power Consumption* (Average / Maximum) 15.83 W /17.79 W 202.78 W / 205.45 W 387.78 W / 390.45 W
Heat Dissipation 54 BTU/h 60.67 BTU/h 60.67 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 148E FORTISWITCH 148E-POE


Hardware Specifications
Total Network Interfaces 48x GE RJ45 and 4x GE SFP 48x GE RJ45 and 4x GE SFP
Dedicated Management 10/100 Port 0 0
RJ-45 Serial Console Port 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 0 24 (802.3af/at)
PoE Power Budget 0 370 W
Mean Time Between Failures > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 104 Gbps 104 Gbps
Packets Per Second (Duplex) 155 Mpps 155 Mpps
MAC Address Storage 16 K 16 K
Network Latency 3860 ns 3860 ns
VLANs Supported 4K 4K
Link Aggregation Group Size 8 8
Total Link Aggregation Groups 16 16
Packet Buffers 1.5 MB 1.5 MB
DRAM 256 MB DDR3 256 MB DDR3
FLASH 64 MB 64 MB

Dimensions
Height x Depth x Width (inches) 1.73 x 12.2 x 17.3 1.73 x 13.7 x 17.3
Height x Depth x Width (mm) 44 x 309 x 440 44 x 348 x 440
Weight 8.6 lbs (3.9 kg) 11.5 lbs (5.2 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC Built in AC Built in
Redundant Power No No
Power Consumption* (Average / Maximum) 19.804 W / 22.137 W 389.742 W /393.109 W
Heat Dissipation 67.574 BTU/h 78.82 BTU/h
Operating Temperature 32-113°F (0–45°C) 32-113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2
Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 124F FORTISWITCH 124F-POE FORTISWITCH 124F-FPOE


Hardware Specifications
Total Network Interfaces 24x GE RJ45 and 4x 10GE SFP+ 24x GE RJ45 and 4x 10GE SFP+ 24x GE RJ45 and 4x 10GE SFP+
Dedicated Management 10/100 Port 0 0 0
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 0 12 (802.3af/at) 24 (802.3af/at)
PoE Power Budget 0 185 W 370 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 128 Gbps 128 Gbps 128 Gbps
Packets Per Second (Duplex) 190 Mpps 190 Mpps 190 Mpps
MAC Address Storage 32 K 32 K 32 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 128 128 128
Packet Buffers 2 MB 2 MB 2 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 64 MB 64 MB 64 MB

Dimensions
Height x Depth x Width (inches) 1.73 x 9.06 x 12.99 1.73 x 10.24 x 12.99 1.73 x 10.24 x 12.99
Height x Depth x Width (mm) 44 x 230 x 330 44 x 260 x 330 44 x 260 x 330
Weight 4.48 lbs (2.03 kg) 7.85 lbs (3.56 kg) 8.42 lbs (3.82 kg)

Environment
Power Required 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power No No No
Power Consumption* (Average / Maximum) 24.8 W / 26.3 W 235.9 W / 237.4 W 449.8 W / 451.3 W
Heat Dissipation 89.683 BTU/h 809.534 BTU/h 1538.933 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 148F FORTISWITCH 148F-POE FORTISWITCH 148F-FPOE


Hardware Specifications
Total Network Interfaces 48x GE RJ45 and 4x 10GE SFP+ 48x GE RJ45 and 4x 10GE SFP+ 48x GE RJ45 and 4x 10GE SFP+
Dedicated Management 10/100 Port 0 0 0
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 0 24 (802.3af/at) 48 (802.3af/at)
PoE Power Budget 0 370 W 740 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 176 Gbps 176 Gbps 176 Gbps
Packets Per Second (Duplex) 260 Mpps 260 Mpps 260 Mpps
MAC Address Storage 32 K 32 K 32 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups 128 128 128
Packet Buffers 2 MB 2 MB 2 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 64 MB 64 MB 64 MB

Dimensions
Height x Depth x Width (inches) 1.73 x 10.24 x 17.32 1.73 x 12.20 x 17.32 1.73 x 12.20 x 17.32
Height x Depth x Width (mm) 44 x 260 x 440 44 x 310 x 440 44 x 310 x 440
Weight 7.63 lbs (3.46 kg) 10.32 lbs (4.68 kg) 10.32 lbs (4.68 kg)

Environment
Power Required 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz 100–240V AC, 50-60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power No No No
Power Consumption* (Average / Maximum) 55.8 W / 57 W 474.8 W / 476.3 W 893.5 W / 895.7 W
Heat Dissipation 194.37 BTU/h 195.73 BTU/h 198.46 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 224D-FPOE FORTISWITCH 224E FORTISWITCH 224E-POE


Hardware Specifications
Total Network Interfaces 24x GE RJ45 ports and 4x GE SFP ports 24x GE RJ45 ports and 4x GE SFP ports 24x GE RJ45 ports and 4x GE SFP ports
Dedicated Management 10/100 Port 1 1 1
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports 24 (802.3af/802.3at) N/A 12 (802.3af/802.3at)
PoE Power Budget 370 W N/A 180 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 56 Gbps 56 Gbps 56 Gbps
Packets Per Second (Duplex) 83 Mpps 83 Mpps 83 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 128 MB 128 MB 128 MB

Dimensions
Height x Depth x Width (inches) 1.73 x 12.2 x 17.5 1.73 x 9 x 12.99 1.73 x 9 x 12.99
Height x Depth x Width (mm) 44 x 310 x 440 44 x 230 x 330 44 x 230 x 330
Weight 10.64 lbs (4.83 kg) 4.78 lbs (2.17 kg) 5.37 lbs (2.44 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Optional FRPS-740 Redundant AC Optional FRPS-740
Power Consumption* (Average / Maximum) 380 W / 397 W 17.2 W / 17.3 W 220.18 W / 223.57 W
Heat Dissipation 85 BTU/h 59.095 BTU/h 74.29554 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 248D FORTISWITCH 248E-POE FORTISWITCH 248E-FPOE


Hardware Specifications
Total Network Interfaces 48x GE RJ45 ports and 4x GE SFP ports 48x GE RJ45 ports and 4x GE SFP ports 48x GE RJ45 ports and 4x GE SFP ports
Dedicated Management 10/100 Port 1 1 1
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports — 24 (802.3af/802.3at) 48 (802.3af/802.3at)
PoE Power Budget N/A 370 W 740 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 104 Gbps 104 Gbps 104 Gbps
Packets Per Second (Duplex) 155 Mpps 155 Mpps 155 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 512 MB DDR3 512 MB DDR3 512 MB DDR3
FLASH 128 MB 128 MB 128 MB

Dimensions
Height x Depth x Width (inches) 1.73 x 9.68 x 17.3 1.73 x 16.1 x 17.3 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) 44 x 246 x 440 44 x 410 x 440 44 x 410 x 440
Weight 7.81 lbs (3.54 kg) 12.12 lbs (5.5 kg) 13.44 lbs (6.1 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power — Optional FRPS-740 Optional FRPS-740
Power Consumption* (Average / Maximum) 38.66 W / 39.19 W 457.46 W / 466.47 W 842 W / 855.02 W
Heat Dissipation 134 BTU/h 177.14268 BTU/h 162.87865 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 424D FORTISWITCH 424D-POE FORTISWITCH 424D-FPOE


Hardware Specifications
Total Network Interfaces 24x GE RJ45 and 2x 10 GE SFP+ ports (SFP+ ports are compatible with 1 GE SFP) 24x GE RJ45 and 2x 10 GE SFP+ ports (SFP+ ports are compatible with 1 GE SFP) 24x GE RJ45 and 2x 10 GE SFP+ ports (SFP+ ports are compatible with 1 GE SFP)
Dedicated Management 10/100 Port 1 1 1
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports — 24 (802.3af/at) 24 (802.3af/at)
PoE Power Budget N/A 185 W 370 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 88 Gbps 88 Gbps 88 Gbps
Packets Per Second (Duplex) 131 Mpps 131 Mpps 131 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 1 GB DDR3 1 GB DDR3 1 GB DDR3
FLASH 128 MB 128 MB 128 MB

Dimensions
Height x Depth x Width (inches) 1.75 x 10.12 x 17.3 1.75 x 10.12 x 17.3 1.73 x 12.2 x 17.5
Height x Depth x Width (mm) 44 x 250 x 440 44 x 250 x 440 44 x 310 x 440
Weight 7.14 lbs (3.24 kg) 8.42 lbs (3.82 kg) 10.64 lbs (4.83 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Optional FRPS-740 Optional FRPS-740
Power Consumption* (Average / Maximum) 17.2 W / 17.3 W 208 W / 210 W 397 W / 403 W
Heat Dissipation 69 BTU/h 89 BTU/h 100 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 448D FORTISWITCH 448D-POE FORTISWITCH 448D-FPOE


Hardware Specifications
Total Network Interfaces 48x GE RJ45 and 4x10 GE SFP+ ports 48x GE RJ45 and 4x10 GE SFP+ ports 48x GE RJ45 and 4x10 GE SFP+ ports
Note: SFP+ ports are compatible with 1 GE SFP Note: SFP+ ports are compatible with 1 GE SFP Note: SFP+ ports are compatible with 1 GE SFP
Dedicated Management 10/100 Port 1 1 1
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports — 48 (802.3af/at) 48 (802.3af/at)
PoE Power Budget N/A 370 W 740 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 176 Gbps 176 Gbps 176 Gbps
Packets Per Second (Duplex) 262 Mpps 262 Mpps 262 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 1.5 MB 1.5 MB 1.5 MB
DRAM 1 GB DDR3 1 GB DDR3 1 GB DDR3
FLASH 128 MB 128 MB 128 MB

Dimensions
Height x Depth x Width (inches) 1.75 x 12.2 x 17.3 1.73 x 16.1 x 17.3 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) 44 x 310 x 440 44 x 410 x 440 44 x 410 x 440
Weight 9.15 lbs (4.15 kg) 13.44 lbs (6.1 kg) 15.45 lbs (7.01 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Optional FRPS-740 Redundant AC
Power Consumption* (Average / Maximum) 38 W / 38 W 417 W / 419 W 790 W / 792 W
Heat Dissipation 147 BTU/h 177 BTU/h 193 BTU/h
Operating Temperature 32–122°F (0–50°C) 32–122°F (0–50°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 10–90% non-condensing 10–90% non-condensing 10–90% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH-424E-FIBER FORTISWITCH-M426E-FPOE
Hardware Specifications
Total Network Interfaces 24x GE SFP and 4x 10 GE SFP+ ports (SFP+ ports are compatible with 1 GE SFP) 16x GE RJ45, 8x 2.5 GE RJ45, 2x 5 GE RJ45 and 4x 10 GE SFP+ ports (SFP+ ports are compatible with 1 GE SFP)
Dedicated Management 10/100 Port 1 1
RJ-45 Serial Console Port 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports N/A 24 (16x 802.3af/at, 8x 802.3af/at/UPOE)
PoE Power Budget N/A 420 W
Mean Time Between Failures > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 128 Gbps 172 Gbps
Packets Per Second (Duplex) 204 Mpps 255 Mpps
MAC Address Storage 32 K 16 K
Network Latency < 1µs < 1µs
VLANs Supported 4K 4K
Link Aggregation Group Size 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports
Packet Buffers 4 MB 2 MB
DRAM 1 GB DDR4 1 GB DDR4
FLASH 256 MB 256 MB

Dimensions
Height x Depth x Width (inches) 1.75 x 7.87 x 17.3 1.73 x 16.14 x 17.3
Height x Depth x Width (mm) 44 x 200 x 440 44 x 410 x 440
Weight 5.62 lbs (2.55 kg) 13.00 lbs (5.9 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in
Redundant Power Redundant AC Redundant AC
Power Consumption* (Average / Maximum) 36 W / 38 W 441 W / 442 W
Heat Dissipation 132.5 BTU/h 132.734 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–122°F (0–50°C)
Storage Temperature -4–158°F (-20–70°C) -4–158°F (-20–70°C)
Humidity 5–95% non-condensing 5–95% non-condensing

Air-Flow Direction side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf


Specifications

FORTISWITCH 424E FORTISWITCH 424E-POE FORTISWITCH 424E-FPOE


Hardware Specifications
Total Network Interfaces 24x GE RJ45 and 4x10 GE SFP+ ports 24x GE RJ45 and 4x10 GE SFP+ ports 24x GE RJ45 and 4x10 GE SFP+ ports
Note: SFP+ ports are compatible with 1 GE SFP Note: SFP+ ports are compatible with 1 GE SFP Note: SFP+ ports are compatible with 1 GE SFP
Dedicated Management 10/100 Port 1 1 1
RJ-45 Serial Console Port 1 1 1
Form Factor 1 RU Rack Mount 1 RU Rack Mount 1 RU Rack Mount
Power over Ethernet (PoE) Ports — 24 (802.3af/at) 24 (802.3af/at)
PoE Power Budget N/A 250 W 421 W
Mean Time Between Failures > 10 years > 10 years > 10 years

System Specifications
Switching Capacity (Duplex) 128 Gbps 128 Gbps 128 Gbps
Packets Per Second (Duplex) 204 Mpps 204 Mpps 204 Mpps
MAC Address Storage 16 K 16 K 16 K
Network Latency < 1µs < 1µs < 1µs
VLANs Supported 4K 4K 4K
Link Aggregation Group Size 8 8 8
Total Link Aggregation Groups Up to number of ports Up to number of ports Up to number of ports
Packet Buffers 2 MB 2 MB 2 MB
DRAM 1 GB DDR4 1 GB DDR4 1 GB DDR4
FLASH 256 MB 256 MB 256 MB

Dimensions
Height x Depth x Width (inches) 1.75 x 10.23 x 17.3 1.75 x 16.14 x 17.3 1.75 x 16.14 x 17.3
Height x Depth x Width (mm) 44 x 260 x 440 44 x 410 x 440 44 x 410 x 440
Weight 6.83 lbs (3.1 kg) 11.57 lbs (5.25 kg) 12.72 lbs (5.77 kg)

Environment
Power Required 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz 100–240V AC, 50/60 Hz
Power Supply AC built in AC built in AC built in
Redundant Power Redundant AC Redundant AC Redundant AC
Power Consumption* (Average / Maximum) 22.3 W / 23.6 W 281.3 W / 283.5 W 431.2 W / 433.7 W
Heat Dissipation 76.04 BTU/h 102.64 BTU/h 117.2 BTU/h
Operating Temperature 32–113°F (0–45°C) 32–113°F (0–45°C) 32–113°F (0–45°C)
Storage Temperature -40–158°F (-40–70°C) -40–158°F (-40–70°C) -40–158°F (-40–70°C)
Humidity 5–95% non-condensing 5–95% non-condensing 5–95% non-condensing

Air-Flow Direction side-to-back side-to-back side-to-back

Certification and Compliance


FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2

Warranty
Fortinet Warranty Limited lifetime** warranty on all models
* POE models power consumption is similar to non-POE model if POE is not in use
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

FortiSwitch 424E, FortiSwitch 424E-POE, and FortiSwitch 424E-FPOE (product images)

DATA SHEET | FortiSwitch™ Secure Access Family

Specifications

Specification | FORTISWITCH 448E | FORTISWITCH 448E-POE | FORTISWITCH 448E-FPOE

Hardware Specifications
Total Network Interfaces | 48x GE RJ45 and 4x 10 GE SFP+ ports | 48x GE RJ45 and 4x 10 GE SFP+ ports | 48x GE RJ45 and 4x 10 GE SFP+ ports
Note: SFP+ ports are compatible with 1 GE SFP (all three models)
Dedicated Management 10/100 Port | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) Ports | — | 48 (802.3af/at) | 48 (802.3af/at)
PoE Power Budget | — | 421 W | 772 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 176 Gbps | 176 Gbps | 176 Gbps
Packets Per Second (Duplex) | 262 Mpps | 262 Mpps | 262 Mpps
MAC Address Storage | 32 K | 32 K | 32 K
Network Latency | < 1µs | < 1µs | < 1µs
VLANs Supported | 4K | 4K | 4K
Link Aggregation Group Size | 8 | 8 | 8
Total Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 2 MB | 2 MB | 2 MB
DRAM | 1 GB DDR4 | 1 GB DDR4 | 1 GB DDR4
FLASH | 256 MB | 256 MB | 256 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 12.2 x 17.3 | 1.73 x 16.1 x 17.3 | 1.73 x 16.1 x 17.3
Height x Depth x Width (mm) | 44 x 310 x 440 | 44 x 410 x 440 | 44 x 410 x 440
Weight | 9.17 lbs (4.16 kg) | 13.8 lbs (6.26 kg) | 14.04 lbs (6.37 kg)

Environment
Power Required | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz
Power Supply | AC built in | AC built in | AC built in
Redundant Power | Redundant AC | Redundant AC | Redundant AC
Power Consumption* (Average / Maximum) | 46.5 W / 47.81 W | 440.12 W / 442.234 W | 921.4 W / 923.6 W
Heat Dissipation | 163.032 BTU/h | 163.066 BTU/h | 163.1 BTU/h
Operating Temperature | 32–122°F (0–50°C) | 32–122°F (0–50°C) | 32–122°F (0–50°C)
Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C)
Humidity | 10–90% non-condensing | 10–90% non-condensing | 10–90% non-condensing
Air-Flow Direction | side-to-back | side-to-back | side-to-back

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2 (all models)

Warranty
Fortinet Warranty | Limited lifetime** warranty on all models
* PoE model power consumption is similar to the non-PoE model if PoE is not in use.
** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

FortiSwitch 448E, FortiSwitch 448E-POE, and FortiSwitch 448E-FPOE (product images)


Specifications

Specification | FORTISWITCH 524D | FORTISWITCH 524D-FPOE | FORTISWITCH 548D | FORTISWITCH 548D-FPOE

Hardware Specifications
Total Network Interfaces | 24x GE RJ45 ports, 4x 10 GE SFP+ ports and 2x 40 GE QSFP | 24x GE RJ45 ports, 4x 10 GE SFP+ ports and 2x 40 GE QSFP | 48x GE RJ45 ports, 4x 10 GE SFP+ ports and 2x 40 GE QSFP | 48x GE RJ45 ports, 4x 10 GE SFP+ ports and 2x 40 GE QSFP
Note: SFP+ ports are compatible with 1G SFP (all four models)
Dedicated Management 10/100/1000 Ports | 1 | 1 | 1 | 1
RJ-45 Serial Console Port | 1 | 1 | 1 | 1
Form Factor | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount | 1 RU Rack Mount
Power over Ethernet (PoE) Ports | N/A | 24 (802.3af/at) | N/A | 48 (802.3af/at)
PoE Power Budget | N/A | 400 W | N/A | 750 W
Mean Time Between Failures | > 10 years | > 10 years | > 10 years | > 10 years

System Specifications
Switching Capacity (Duplex) | 288 Gbps | 288 Gbps | 336 Gbps | 336 Gbps
Packets Per Second (Duplex) | 428 Mpps | 428 Mpps | 512 Mpps | 512 Mpps
MAC Address Storage | 96 K | 96 K | 96 K | 96 K
Network Latency | < 2µs | < 2µs | < 2µs | < 2µs
VLANs Supported | 4K | 4K | 4K | 4K
Link Aggregation Group Size | 24 | 24 | 48 | 48
Total Link Aggregation Groups | Up to number of ports | Up to number of ports | Up to number of ports | Up to number of ports
Packet Buffers | 4 MB | 4 MB | 4 MB | 4 MB
DRAM | 2 GB DDR3 | 2 GB DDR3 | 2 GB DDR3 | 2 GB DDR3
FLASH | 128 MB | 128 MB | 128 MB | 128 MB

Dimensions
Height x Depth x Width (inches) | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3 | 1.75 x 13.8 x 17.3
Height x Depth x Width (mm) | 44 x 350 x 439 | 44 x 350 x 439 | 44 x 350 x 439 | 44 x 350 x 439
Weight | 13.6 lbs (6.2 kg) | 15.74 lbs (7.14 kg) | 14.1 lbs (6.4 kg) | 15.74 lbs (7.14 kg)

Environment
Power Required | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz
Power Supply | 150 W AC PSU* | 600 W AC PSU* | 150 W AC PSU* | 920 W AC PSU*
Redundant Power | Optional FS-PSU-150* (for 150 W backup only) | Optional FS-PSU-600* (600 W, for additional PoE) | Optional FS-PSU-150* (for 150 W backup only) | Optional FS-PSU-900* (900 W, for additional PoE)
Power Consumption** (Average / Maximum) | 73 W / 75 W | 570 W / 579 W (full PoE load) | 74 W / 77 W | 925 W / 961 W (full PoE load)
Heat Dissipation | 247 BTU/h | 296 BTU/h (full PoE loading) | 252 BTU/h | 318 BTU/h (full PoE loading)
Operating Temperature | 32–113°F (0–45°C) | 32–113°F (0–45°C) | 32–113°F (0–45°C) | 32–113°F (0–45°C)
Storage Temperature | -40–158°F (-40–70°C) | -40–158°F (-40–70°C) | -40–158°F (-40–70°C) | -40–158°F (-40–70°C)
Humidity | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing
Air-Flow Direction | front-to-back | front-to-back | front-to-back | front-to-back

Certification and Compliance
FCC, CE, RCM, VCCI, BSMI, UL, CB, RoHS2 (all models)

Warranty
Fortinet Warranty | Limited lifetime*** warranty on all models
* The FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE power supply units are hot-swappable.
** PoE model power consumption is similar to the non-PoE model if PoE is not in use.
*** Fortinet Warranty Policy: http://www.fortinet.com/doc/legal/EULA.pdf

FortiSwitch 524D, FortiSwitch 524D-FPOE, FortiSwitch 548D, and FortiSwitch 548D-FPOE (product images)


Order Information

Product | SKU | Description
FortiSwitch 108E | FS-108E | Layer 2 FortiGate switch controller compatible switch with 8 GE RJ45 + 2 SFP ports, line AC and PSE dual powered. Fanless.
FortiSwitch 108E-POE | FS-108E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 8 GE RJ45 + 2 SFP ports, 4 port PoE with maximum 65 W PoE limit. Fanless.
FortiSwitch 108E-FPOE | FS-108E-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 8 GE RJ45 + 2 SFP ports, 8 port PoE with maximum 130 W PoE limit. Fanless.
FortiSwitch 124E | FS-124E | Layer 2 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 124E-POE | FS-124E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 12 port PoE with maximum 185 W limit.
FortiSwitch 124E-FPOE | FS-124E-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 148E | FS-148E | Layer 2 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 SFP ports.
FortiSwitch 148E-POE | FS-148E-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 124F | FS-124F | Layer 2 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 10G SFP+ ports.
FortiSwitch 124F-POE | FS-124F-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 10G SFP+ ports, 12 port PoE with maximum 185 W limit.
FortiSwitch 124F-FPOE | FS-124F-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 10G SFP+ ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 148F | FS-148F | Layer 2 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 10G SFP+ ports.
FortiSwitch 148F-POE | FS-148F-POE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 10G SFP+ ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 148F-FPOE | FS-148F-FPOE | Layer 2 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 10G SFP+ ports, 48 port PoE with maximum 740 W limit.
FortiSwitch 224D-FPOE | FS-224D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 224E | FS-224E | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45 + 4 SFP ports. Fanless.
FortiSwitch 224E-POE | FS-224E-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 4 SFP ports, 12 port PoE with maximum 180 W limit.
FortiSwitch 248D | FS-248D | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45 + 4 SFP ports.
FortiSwitch 248E-POE | FS-248E-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 248E-FPOE | FS-248E-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4 SFP ports, 48 port PoE with maximum 740 W limit.
FortiSwitch 424D | FS-424D | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45 + 2x 10 GE SFP+ ports.
FortiSwitch 424D-POE | FS-424D-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 2x 10 GE SFP+ ports, 24 port PoE with maximum 185 W limit.
FortiSwitch 424D-FPOE | FS-424D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45 + 2x 10 GE SFP+ ports, 24 port PoE with maximum 370 W limit.
FortiSwitch 448D | FS-448D | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45 + 4x 10 GE SFP+ ports.
FortiSwitch 448D-POE | FS-448D-POE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4x 10 GE SFP+ ports, 48 port PoE with maximum 370 W limit.
FortiSwitch 448D-FPOE | FS-448D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45 + 4x 10 GE SFP+ ports, 48 port PoE with maximum 740 W limit.
FortiSwitch 424E-Fiber | FS-424E-Fiber | Layer 2/3 FortiGate switch controller compatible switch with 24x GE SFP and 4x 10 GE SFP+ uplinks.
FortiSwitch M426E-FPOE | FS-M426E-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+/UPoE switch with 16x GE RJ45, 8x 2.5 GE RJ45, 2x 5 GE RJ45 and 4x 10 GE SFP+, 24 port PoE+ with maximum 420 W limit.
FortiSwitch 424E | FS-424E | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP+ ports.
FortiSwitch 424E-POE | FS-424E-POE | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP+ ports, 24 port PoE+ with maximum 283.5 W limit.
FortiSwitch 424E-FPOE | FS-424E-FPOE | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP+ ports, 24 port PoE+ with maximum 433.7 W limit.
FortiSwitch 448E | FS-448E | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP+ ports.
FortiSwitch 448E-POE | FS-448E-POE | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP+ ports, 48 port PoE+ with maximum 421 W limit.
FortiSwitch 448E-FPOE | FS-448E-FPOE | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP+ ports, 48 port PoE+ with maximum 772 W limit.
FortiSwitch 524D | FS-524D | Layer 2/3 FortiGate switch controller compatible switch with 24 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 524D-FPOE | FS-524D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 24 GE RJ45, 4x 10 GE SFP+, 2x 40 GE QSFP+ ports, 24 port PoE with maximum 400 W limit.
FortiSwitch 548D | FS-548D | Layer 2/3 FortiGate switch controller compatible switch with 48 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports.
FortiSwitch 548D-FPOE | FS-548D-FPOE | Layer 2/3 FortiGate switch controller compatible PoE+ switch with 48 GE RJ45, 4x 10 GE SFP+ and 2x 40 GE QSFP+ ports, 48 port PoE with maximum 750 W limit.
FortiSwitch Cloud Management License* | FC-10-WMSC1-190-02-DD | FortiSwitch Cloud Management License subscription, 1 year contract.

Accessories
Product | SKU | Description
FortiSwitch Advanced Features License | FS-SW-LIC-200 | SW License for FS-200 Series Switches to activate Advanced Features.
FortiSwitch Advanced Features License | FS-SW-LIC-400 | SW License for FS-400 Series Switches to activate Advanced Features.
FortiSwitch Advanced Features License | FS-SW-LIC-500 | SW License for FS-500 Series Switches to activate Advanced Features.
External Redundant AC Power Supply | FRPS-740 | Redundant AC power supply for up to 2 units: FS-224D-FPOE, FS-248D-FPOE, FS-424D-FPOE, FS-448D-POE and FS-424D-POE.
Redundant AC Power Supply | FS-PSU-150 | AC power supply for FS-548D and FS-524D.
Redundant AC Power Supply | FS-PSU-600 | AC power supply for FS-524D-FPOE.**
Redundant AC Power Supply | FS-PSU-900 | AC power supply for FS-548D-FPOE.**
* When managing a FortiSwitch with a FortiGate via FortiGate Cloud, no additional license is necessary.
** Provides additional PoE capacity.

For details of Transceiver modules, see the Fortinet Transceivers datasheet.


Note that all PoE FortiSwitches are Alternative-A.


Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-SW3 FS-SA-DAT-R40-202011
FortiSwitch - Managed by FortiOS 6.4
Version 6.4.3

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://fortiguard.com/
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: techdoc@fortinet.com

October 22, 2020

FortiSwitch 6.4.3 Managed by FortiOS 6.4
11-643-655822-20201022
TABLE OF CONTENTS

Change log 7
What's new in FortiOS 6.4.3 8
Introduction 9
Supported models 9
Support of FortiLink features 10
Before you begin 12
Special notices 13
FortiSwitch management 14
Configuring FortiLink 14
1. Enable the switch controller on the FortiGate unit 14
2. Configuring the FortiLink interface 15
3. Auto-discovery of the FortiSwitch ports 18
Optional FortiLink configuration required before discovering and authorizing FortiSwitch units 20
Migrating the configuration of standalone FortiSwitch units 20
VLAN interface templates for FortiSwitch units 20
Limiting the number of parallel processes for FortiSwitch configuration 23
Using the FortiSwitch serial number for automatic name resolution 24
Configuring access to management and internal interfaces 24
Enabling FortiLink VLAN optimization 25
Configuring the MAC sync interval 25
Discovering, authorizing, and deauthorizing FortiSwitch units 26
Adding preauthorized FortiSwitch units 26
Authorizing the FortiSwitch unit 26
Deauthorizing FortiSwitch units 26
Converting to FortiSwitch standalone mode 27
Optional FortiLink configuration 27
Changing the admin password on the FortiGate for all managed FortiSwitch units 27
Using automatic network detection and configuration 28
Determining the network topology 29
Single FortiGate managing a single FortiSwitch unit 29
Single FortiGate unit managing a stack of several FortiSwitch units 30
HA-mode FortiGate units managing a single FortiSwitch unit 31
HA-mode FortiGate units managing a stack of several FortiSwitch units 32
HA-mode FortiGate units managing a FortiSwitch two-tier topology 33
Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) 33
HA-mode FortiGate units using hardware-switch interfaces and STP 34
Standalone FortiGate unit with dual-homed FortiSwitch access 35
HA-mode FortiGate units with dual-homed FortiSwitch access 36
HA-mode FortiGate units in remote sites 37
FortiLink with an HA cluster of four FortiGate units 40
FortiLink over a point-to-point layer-2 network 42

FortiSwitch 6.4.3 Managed by FortiOS 6.4 3


Fortinet, Inc.
FortiLink mode over a layer-3 network 43
In-band management 44
Out-of-band management 46
Other topologies 47
Limitations 47
Grouping FortiSwitch units 47
Stacking configuration 48
Disable stacking 49
Firmware upgrade of stacked or tiered FortiSwitch units 49
Adding link aggregation groups (trunks) 54
MCLAG configuration for access ports 55
MCLAG peer groups 58
MCLAG requirements 58
Transitioning from a FortiLink split interface to a FortiLink MCLAG 58
MCLAG topologies 60
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG 60
Multi-tiered MCLAG with HA-mode FortiGate units 62
Three-tier FortiLink MCLAG configuration 65
HA-mode one-tier MCLAG 68
Configuring FortiSwitch VLANs and ports 70
Configuring VLANs 70
Creating VLANs 70
Viewing FortiSwitch VLANs 72
Changing the VLAN configuration mode 73
Configuring ports using the GUI 73
Configuring port speed and status 73
Configuring PoE 74
Enable PoE on the port 74
Reset the PoE port 74
Display general PoE status 74
Configuring IPv4 source guard 75
Enabling IPv4 source guard 75
Creating static entries 76
Checking the IPv4 source-guard entries 77
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode 77
Configuring split ports on a previously discovered FortiSwitch unit 77
Configuring split ports with a new FortiSwitch unit 78
Configuring a split port on the FortiSwitch unit 78
Sharing FortiSwitch ports between VDOMs 80
Restricting the type of frames allowed through IEEE 802.1Q ports 82
Configuring switching features 83
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports 83
Configuring edge ports 84
Configuring loop guard 85
Configuring STP settings 85
Configuring STP on FortiSwitch ports 86

Configuring STP root guard 88
Configuring STP BPDU guard 89
Configuring interoperation with per-VLAN RSTP 90
Dynamic MAC address learning 91
Limiting the number of learned MAC addresses on a FortiSwitch interface 91
Controlling how long learned MAC addresses are saved 92
Logging violations of the MAC address learning limit 93
Persistent (sticky) MAC addresses 94
Logging changes to MAC addresses 94
Configuring storm control 94
Configuring IGMP-snooping settings 95
Configure global IGMP-snooping settings 95
Configure IGMP-snooping settings on a switch 96
Configuring PTP transparent-clock mode 96
Device detection 98
Enabling network-assisted device detection 98
Voice device detection 98
Example 98
Configuring IoT detection 102
Configuring LLDP-MED settings 103
Create LLDP asset tags for each managed FortiSwitch 106
Add media endpoint discovery (MED) to an LLDP configuration 106
Display LLDP information 107
Configuring the LLDP settings 107
FortiSwitch security 109
FortiSwitch network access control 109
Summary of the procedure 109
Defining a FortiSwitch NAC VLAN 109
Configuring the FortiSwitch NAC settings 111
Defining a FortiSwitch NAC policy 113
Viewing the devices that match the NAC policy 118
Configuring the DHCP trust setting 118
Configuring dynamic ARP inspection (DAI) 119
FortiSwitch security policies 119
Increased number of devices supported per port for 802.1x MAC-based authentication 120
Configure the 802.1x settings for a virtual domain 121
Override the virtual domain settings 121
Define an 802.1x security policy 122
Apply an 802.1x security policy to a FortiSwitch port 124
Test 802.1x authentication with monitor mode 124
RADIUS accounting support 125
RADIUS change of authorization (CoA) support 125
802.1x authentication deployment example 128
Detailed deployment notes 129
Security Fabric showing 130
Blocking intra-VLAN traffic 131
Quarantines 133

Quarantining MAC addresses 133
Using quarantine with DHCP 136
Using quarantine with 802.1x MAC-based authentication 137
Viewing quarantine entries 139
Releasing MAC addresses from quarantine 141
Optimizing the FortiSwitch network 143
Configuring QoS with managed FortiSwitch units 145
Configuring ECN for managed FortiSwitch devices 147
Logging and monitoring 148
FortiSwitch log settings 148
Exporting logs to FortiGate 148
Sending logs to a remote Syslog server 148
Configuring FortiSwitch port mirroring 149
Configuring SNMP 152
Configuring SNMP globally 152
Configuring SNMP locally 153
Configuring sFlow 155
Configuring flow tracking and export 156
Configuring flow control and ingress pause metering 158
Operation and maintenance 159
Managed FortiSwitch display 159
FortiSwitch ports display 160
FortiSwitch per-port device visibility 160
Displaying, resetting, and restoring port statistics 161
Network interface display 162
Diagnostics and tools 162
Run LED Blink 164
Run Cable Test 164
Data statistics 165
Sample topology 165
Synchronizing the FortiGate unit with the managed FortiSwitch units 166
Viewing and upgrading the FortiSwitch firmware version 166
Registering FortiSwitch to FortiCloud 167
Replacing a managed FortiSwitch unit 170
Executing custom FortiSwitch scripts 175
Create a custom script 175
Execute a custom script once 176
Bind a custom script to a managed switch 176
Resetting PoE-enabled ports 177

Change log

Date | Change Description
October 22, 2020 | Initial document release for FortiOS 6.4.3

What's new in FortiOS 6.4.3

The following list contains new managed FortiSwitch features added in FortiOS 6.4.3. Click on a link to navigate to that section for further information.
• You can now configure the lldp-status and lldp-profile settings for a virtual switch port in a tenant VDOM. See Configuring LLDP-MED settings on page 103.
• FortiLink and switch controller logs are now available in the FortiSwitch Events category in the Log & Report > Events page.
• The Diagnostics and Tools form now includes a Logs button, which provides logs for that FortiSwitch unit. See Diagnostics and tools on page 162.
• When the RADIUS server cannot be reached for 802.1x authentication, the device trying to authenticate is placed into a RADIUS timeout VLAN after the authentication server timeout period expires. See Define an 802.1x security policy on page 122.
• Flow control and ingress pause metering are now supported on managed FortiSwitch units. Pause metering allows the FortiSwitch unit to apply flow control to ingress traffic when the queue is congested and to resume after the queue is cleared. See Configuring flow control and ingress pause metering on page 158.
• You can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. The FortiOS default of using the outbound interface as the source IP address is still available. See FortiLink mode over a layer-3 network on page 43.
• Starting in FortiOS 6.4.3, IoT detection can also be managed per FortiLink interface. IoT detection is disabled by default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so that the FortiSwitch unit starts scanning for IoT devices. See Configuring IoT detection on page 102.

Introduction

This section provides information about how to set up and configure managed FortiSwitch units using the FortiGate unit (termed "using FortiSwitch in FortiLink mode").
NOTE: FortiLink is not supported in transparent mode.
The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range | Number of FortiSwitch Units Supported
FortiGate 91E, FortiGate-VM01 | 8
FortiGate 6xE, 8xE, 90E | 16
FortiGate 100D, FortiGate-VM02 | 24
FortiGate 100E, 100EF, 101E, 140E, 140E-POE | 32
FortiGate 200E, 201E | 64
FortiGate 300D to 500D | 48
FortiGate 300E to 500E | 72
FortiGate 600D to 900D and FortiGate-VM04 | 64
FortiGate 600E to 900E | 96
FortiGate 1000D to 15xxD | 128
FortiGate 1100E to 25xxE | 196
FortiGate-3xxx and up and FortiGate-VM08 and up | 300

Supported models

Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.

New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.

Support of FortiLink features

The following table lists the FortiSwitch models supported by each FortiLink feature.

FortiLink Features | FortiSwitch Models
Centralized VLAN Configuration | D-series, E-series
Switch POE Control | D-series, E-series
Link Aggregation Configuration | D-series, E-series
Spanning Tree Protocol (STP) | D-series, E-series
LLDP/MED | D-series, E-series
IGMP Snooping | D-series, E-series
802.1x Authentication (Port-based, MAC-based, MAB) | D-series, E-series
Syslog Collection | D-series, E-series
DHCP Snooping | D-series, E-series
Device Detection | D-series, E-series
Support FortiLink FortiGate in HA Cluster | D-series, E-series
LAG support for FortiLink Connection | D-series, E-series
Active-Active MCLAG from FortiGate to FortiSwitch units for Advanced Redundancy | Not supported on FS-1xx Series
sFlow | Not supported on FS-1xxE Series
Dynamic ARP Inspection (DAI) | D-series, E-series
Port Mirroring | D-series, E-series
RADIUS Accounting | D-series, E-series
Centralized Configuration | D-series, E-series
Block Intra-VLAN Traffic | D-series, E-series
STP BPDU Guard, Root Guard, Edge Port | D-series, E-series
Loop Guard | D-series, E-series
Switch admin Password | D-series, E-series
Storm Control | D-series, E-series
802.1x-Authenticated Dynamic VLAN Assignment | D-series, E-series
Host Quarantine on Switch Port | D-series, E-series
QoS | Not supported on FSR-112D-POE
Centralized Firmware Management | D-series, E-series
Automatic network detection and configuration | D-series, E-series
Dynamic VLAN assignment by group name | D-series, E-series
Sticky MAC addresses | D-series, E-series
NetFlow and IPFIX flow tracking and export | D-series, E-series
FortiSwitch split ports | FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, FS-3032D, and FS-3032E
Encapsulated remote switched port analyzer (ERSPAN) | FS-2xx and higher
MSTP instances | D-series, E-series (NOTE: In FortiLink mode, the FortiGate unit supports 1-14 instances for all platforms.)
QoS statistics | D-series, E-series
Configuring SNMP through FortiLink | D-series, E-series
IPv4 source guard | FSR-124D, FS-224D-FPOE, FS-248D, FS-424D-POE, FS-424D-FPOE, FS-448D-POE, FS-448D-FPOE, FS-424D, FS-448D, FS-2xxE, and FS-4xxE
Integrated FortiGate network access control (NAC) function | D-series, E-series
FortiGuard IoT identification | D-series, E-series
Point-to-point layer-2 network supported | Not supported on FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE
Dynamic detection of LLDP neighbor devices | D-series, E-series
Explicit congestion notification (ECN) | FS-1024D, FS-1048D, FS-1048E, FS-3032D, FS-3032E, FS-4xxE, and FS-5xxD
Aggregation mode selection for trunk members | D-series, E-series
Multiple attribute values sent in a RADIUS Access-Request | D-series, E-series
PTP transparent-clock mode | FS-1048E, FS-224D, FS-224E, FS-3032D, FS-3032E, FS-424D, FS-4xxE, and FS-5xxD
Rapid PVST interoperation | D-series, E-series
Support of matching EMS tags in NAC policies | D-series, E-series
Flash port LEDs | D-series, E-series
Cable diagnostics | Not supported on FSR-112D-POE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, or FS-3032E
Automated detection and recommendations | D-series, E-series
Flow control | D-series, E-series
Ingress pause metering | 200 series, 400D and 400E series, 500 series, FS-1024D, FS-1048D, FS-1048E, and FS-3032D

Before you begin

This manual assumes that, before you configure the managed FortiSwitch unit:
• You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and you have administrative access to the FortiSwitch GUI and CLI.
• You have installed a FortiGate unit on your network and have administrative access to the FortiGate GUI and CLI.

Special notices

There is an additional command available only on the FG-92D model:

    config system global
        set hw-switch-ether-filter {enable | disable}
    end

By default, the hw-switch-ether-filter command is enabled. When the command is enabled:
• ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
• BPDUs are dropped, and no STP loop results.
• PPPoE packets are dropped.
• IPv6 packets are dropped.
• FortiSwitch devices are not discovered.
• HA might fail to form depending on the network topology.
When the hw-switch-ether-filter command is disabled, all packet types are allowed, but, depending on the network topology, an STP loop might result.

To work around this issue:
1. Use either WAN1 or WAN2 as the HA heartbeat device.
2. Disable the hw-switch-ether-filter option.

FortiSwitch management

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.
In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.
You can choose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).
NOTE: FortiSwitch units, when used in FortiLink mode, support only the default administrative access HTTPS port (443).
This section covers the following topics:
• Configuring FortiLink on page 14
• Optional FortiLink configuration required before discovering and authorizing FortiSwitch units on page 20
• Discovering, authorizing, and deauthorizing FortiSwitch units on page 26
• Optional FortiLink configuration on page 27

Configuring FortiLink

You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing this section. Some settings are only possible when the FortiGate unit has not authorized any switches.

1. Enable the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the
FortiGate unit, using either the FortiGate GUI or the CLI. Depending on the FortiGate model and software release, this
feature might be enabled by default.

Using the FortiGate GUI

1. Go to System > Feature Visibility.
2. Turn on the Switch Controller feature, which is in the Core Features list.
3. Select Apply.
The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:


config system global
set switch-controller enable
end

2. Configuring the FortiLink interface

The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support
the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet
recommends keeping the default type of the FortiLink; however, if a physical interface or soft-switch interface type is
required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can
be deleted.
The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network
topology on page 29.

Choosing the FortiGate ports

The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or
multiple ports (for a LAG).
As a general rule, FortiLink is supported on all ports that are not listed as HA ports.

Using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.
You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the
CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration
steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

1. On the FortiGate unit, configure the FortiLink interface.
2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.

Configure the FortiLink interface

To configure the FortiLink interface on the FortiGate unit:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Select + in the Interface members field and then select the ports to add to the FortiLink interface. You can create a
LAG type or software/hardware switch type of FortiLink interface; these types are more scalable than a physical
interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the
FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
3. Configure the IP/Network Mask for your network.
4. Select Automatically authorize devices.
5. Select Apply.


FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).
The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.
NOTE: The FortiLink split interface is required before enabling MCLAG. See MCLAG peer groups on page 58.

Using the FortiGate GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Move the FortiLink split interface slider.

Using the FortiGate CLI:

config system interface
edit <name of the FortiLink interface>
set fortilink-split-interface {enable | disable}
end

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:


1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Edit, or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
- Change the Name and Description of the FortiSwitch unit.
- View the Status of the FortiSwitch unit.
- Restart the FortiSwitch.
- Authorize or deauthorize the FortiSwitch unit.
- Update the firmware running on the switch.
- Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and
link-down action.

Using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate
GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG)
with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can also configure FortiLink mode over a layer-3 network.


Summary of the procedure

1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
2. Authorize the managed FortiSwitch unit.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.
In the following steps, port 1 is configured as the FortiLink port.
1. If required, remove port 1 from the lan interface:
config system virtual-switch
edit lan
config port
delete port1
end
end
end
2. Configure port 1 as the FortiLink interface:
config system interface
edit port1
set auto-auth-extension-device enable
set fortilink enable
end
end
3. Configure an NTP server on port 1:
config system ntp
set server-mode enable
set interface port1
end
4. Authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end
NOTE: The FortiSwitch unit reboots when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.
LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is
supported on some FortiGate models.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch unit. Ensure that auto-discovery is
configured on the FortiSwitch ports (unless those ports are auto-discovery ports by default).
NOTE: Starting with FortiOS 6.2.2, you can use the default fortilink aggregate interface and then add ports. This
configuration is available for all FortiGate E series models, 100 and higher. For FortiGate models lower than 100, you
can use the default fortilink hardware switch or software switch interface and then add ports.

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.


1. If required, remove the FortiLink ports from the lan interface:
config system virtual-switch
edit lan
config port
delete port4
delete port5
end
end
end
2. Create a trunk with the two ports that you connected to the switch:
config system interface
edit flink1 (enter a name, 11 characters maximum)
set ip 169.254.3.1 255.255.255.0
set allowaccess ping capwap https
set vlanforward enable
set type aggregate
set member port4 port5
set lacp-mode static
set fortilink enable
(optional) set fortilink-split-interface enable
next
end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable
fortilink-split-interface.
3. Authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

3. Auto-discovery of the FortiSwitch ports

NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology on page 29.
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect
the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also
run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery
enabled.
The following table lists the default auto-discovery ports for each switch model.
NOTE: Any port can be used for FortiLink if it is manually configured.

FortiSwitch Model                         Default Auto-FortiLink ports
FS-108D-POE                               port9–port10
FS-108E, FS-108E-POE, FS-108E-FPOE        port7–port10
FSR-112D-POE                              port5–port12
FS-124D, FS-124D-POE                      port23–port26
FSR-124D                                  port1–port4, port21–port28
FS-124E, FS-124E-POE, FS-124E-FPOE        port21–port28
FS-148E, FS-148E-POE                      port21–port52
FS-224D-POE                               port21–port24
FS-224D-FPOE                              port21–port28
FS-224E, FS-224E-POE                      port21–port28
FS-248D, FS-248D-FPOE                     port45–port52
FS-248D-POE                               port47–port50
FS-248E-POE, FS-248E-FPOE                 port45–port52
FS-424D, FS-424D-POE, FS-424D-FPOE        port23–port26
FS-424E-Fiber                             port1–port30
FS-426E-FPOE-MG                           port23–port30
FS-448D, FS-448D-POE, FS-448D-FPOE        port45–port52
FS-524D, FS-524D-FPOE                     port21–port30
FS-548D                                   port39–port54
FS-548D-FPOE, FS-548DN                    port45–port54
FS-1024D                                  port1–port24
FS-1048D, FS-1048E                        port1–port52
FS-3032D, FS-3032E                        port1–port32

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following
FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:
config switch interface
edit <port>
set auto-discovery-fortilink enable
end

Automatic inter-switch links (ISLs)

After a FortiSwitch unit is discovered and in FortiLink mode, all ports are enabled for FortiLink. Connect another
FortiSwitch unit to any of the already discovered FortiSwitch ports, and the ISL is formed automatically, and the new
unit is discovered by the FortiGate unit.


Optional FortiLink configuration required before discovering and authorizing FortiSwitch units

Migrating the configuration of standalone FortiSwitch units

When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To
save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch
units to a combined FortiGate-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/

VLAN interface templates for FortiSwitch units

You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices
when they are discovered and managed by the FortiGate device.
For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN
interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
- root VDOM: The interface names are the same as the template names.
- other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For
example, if the template name is quarantined and the SNMP index is 29, the interface name is quarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
config system interface
edit <fortilink interface>
set fortilink enable
set switch-controller-mgmt-vlan <integer>
next
end

The management VLAN can be a number from 1 to 4094. The default value is 4094.

Create VLAN interface templates

To configure the VLAN interface templates:

config switch-controller initial-config template
edit <template_name>
set vlanid <integer>
set ip <ip/netmask>
set allowaccess {options}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
next
end


<template_name>                 The name, or part of the name, of the template.
vlanid <integer>                The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the
                                default is 4094).
ip <ip/netmask>                 The IP address and subnet mask of the switch VLAN interface. This can only be
                                configured when auto-ip is disabled.
allowaccess {options}           The permitted types of management access to this interface.
auto-ip {enable | disable}      When enabled, the switch controller picks an unused 24-bit subnet from the
                                switch-controller-reserved-network (configured in config system global).
dhcp-server {enable | disable}  When enabled, the switch controller creates a DHCP server for the switch VLAN
                                interface.

To assign the templates to the specific traffic types:

config switch-controller initial-config vlans
set default-vlan <template>
set quarantine <template>
set rspan <template>
set voice <template>
set video <template>
set nac <template>
end

default-vlan <template> Default VLAN assigned to all switch ports upon discovery.

quarantine <template> VLAN for quarantined traffic.

rspan <template> VLAN for RSPAN/ERSPAN mirrored traffic.

voice <template> VLAN dedicated for voice devices.

video <template> VLAN dedicated for video devices.

nac <template> VLAN for NAC onboarding devices.

To configure the network subnet that is reserved for the switch controller:

config system global
set switch-controller-reserved-network <ip/netmask>
end

The default value is 169.254.0.0 255.255.0.0.

Example

In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have
DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically
created.


To configure six templates and apply them to VLAN traffic types:

config switch-controller initial-config template
edit "default"
set vlanid 1
set auto-ip disable
next
edit "quarantine"
set vlanid 4093
set dhcp-server enable
next
edit "rspan"
set vlanid 4092
set dhcp-server enable
next
edit "voice"
set vlanid 4091
set dhcp-server enable
next
edit "video"
set vlanid 4090
set dhcp-server enable
next
edit "onboarding"
set vlanid 4089
set dhcp-server enable
next
end
config switch-controller initial-config vlans
set default-vlan "default"
set quarantine "quarantine"
set rspan "rspan"
set voice "voice"
set video "video"
set nac "onboarding"
end

To see the automatically created VLANs and DHCP servers:

show system interface
edit "default"
set vdom "root"
set snmp-index 24
set switch-controller-feature default-vlan
set interface "fortilink"
set vlanid 1
next
edit "quarantine"
set vdom "root"
set ip 169.254.11.1 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-quarantine"
set device-identification enable
set snmp-index 25
set switch-controller-access-vlan enable
set switch-controller-feature quarantine
set color 6
set interface "fortilink"
set vlanid 4093
next
...
end
show system dhcp server
edit 2
set dns-service local
set ntp-service local
set default-gateway 169.254.1.1
set netmask 255.255.255.0
set interface "fortilink"
config ip-range
edit 1
set start-ip 169.254.1.2
set end-ip 169.254.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 3
set dns-service default
set default-gateway 169.254.11.1
set netmask 255.255.255.0
set interface "quarantine"
config ip-range
edit 1
set start-ip 169.254.11.2
set end-ip 169.254.11.254
next
end
set timezone-option default
next
...
end
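The template rules from this section (VLAN ID range and uniqueness, ip only when auto-ip is disabled, auto-ip allocation from the reserved network, and the per-VDOM interface naming rule), worked through in an added Python example that is not Fortinet's code. The order in which FortiOS hands out /24 subnets is an assumption of the model; VlanTemplate, validate_templates, allocate_auto_ip, interface_name and render_cli are the example's own names, and the input set mirrors the six-template example above.

```python
"""Model of the FortiOS switch-controller VLAN interface templates.

Added example, not Fortinet code: it checks the template constraints described in
this section, models auto-ip allocation from the reserved network, applies the
per-VDOM interface naming rule, and renders the corresponding CLI.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

# Default switch-controller-reserved-network (config system global).
RESERVED_NETWORK = IPv4Network("169.254.0.0/16")

# Traffic types accepted by 'config switch-controller initial-config vlans'.
TRAFFIC_TYPES = ("default-vlan", "quarantine", "rspan", "voice", "video", "nac")


@dataclass
class VlanTemplate:
    name: str
    vlanid: int
    auto_ip: bool = True        # auto-ip is enabled unless the template disables it
    ip: Optional[str] = None    # e.g. "169.254.11.1/24"; only valid when auto_ip is False
    dhcp_server: bool = False


def validate_templates(templates: List[VlanTemplate]) -> List[str]:
    """Return the constraint violations found (an empty list means the set is valid)."""
    problems: List[str] = []
    owner: Dict[int, str] = {}
    for t in templates:
        if not 1 <= t.vlanid <= 4094:
            problems.append(f"{t.name}: vlanid {t.vlanid} is outside 1-4094")
        elif t.vlanid in owner:
            problems.append(f"{t.name}: vlanid {t.vlanid} already used by {owner[t.vlanid]}")
        owner.setdefault(t.vlanid, t.name)
        if t.auto_ip and t.ip is not None:
            problems.append(f"{t.name}: ip can only be configured when auto-ip is disabled")
    return problems


def allocate_auto_ip(templates: List[VlanTemplate], in_use: List[str]) -> Dict[str, IPv4Network]:
    """Simplified model of auto-ip: every auto-ip template gets the next unused /24 of the
    reserved network, in template order. The order FortiOS itself uses is an assumption."""
    used = {IPv4Network(n, strict=False) for n in in_use}
    free = (s for s in RESERVED_NETWORK.subnets(new_prefix=24) if s not in used)
    return {t.name: next(free) for t in templates if t.auto_ip}


def interface_name(template_name: str, vdom: str, snmp_index: int) -> str:
    """Naming rule: the root VDOM keeps the template name; other VDOMs append the SNMP index."""
    return template_name if vdom == "root" else f"{template_name}.{snmp_index}"


def render_cli(templates: List[VlanTemplate], assignments: Dict[str, str]) -> str:
    """Render the CLI that creates the templates and maps them to the traffic types."""
    unknown = set(assignments) - set(TRAFFIC_TYPES)
    if unknown:
        raise ValueError(f"unknown traffic type(s): {sorted(unknown)}")
    lines = ["config switch-controller initial-config template"]
    for t in templates:
        lines += [f'edit "{t.name}"', f"set vlanid {t.vlanid}"]
        if not t.auto_ip:
            lines.append("set auto-ip disable")
            if t.ip:
                netmask = IPv4Network(t.ip, strict=False).netmask
                lines.append(f"set ip {t.ip.split('/')[0]} {netmask}")
        if t.dhcp_server:
            lines.append("set dhcp-server enable")
        lines.append("next")
    lines += ["end", "config switch-controller initial-config vlans"]
    lines += [f'set {kind} "{name}"' for kind, name in assignments.items()]
    lines.append("end")
    return "\n".join(lines)


# Constructed input that mirrors the six-template example in this section.
EXAMPLE_TEMPLATES = [
    VlanTemplate("default", 1, auto_ip=False),
    VlanTemplate("quarantine", 4093, dhcp_server=True),
    VlanTemplate("rspan", 4092, dhcp_server=True),
    VlanTemplate("voice", 4091, dhcp_server=True),
    VlanTemplate("video", 4090, dhcp_server=True),
    VlanTemplate("onboarding", 4089, dhcp_server=True),
]
EXAMPLE_ASSIGNMENTS = {
    "default-vlan": "default", "quarantine": "quarantine", "rspan": "rspan",
    "voice": "voice", "video": "video", "nac": "onboarding",
}

if __name__ == "__main__":
    print(validate_templates(EXAMPLE_TEMPLATES))  # []
    # 169.254.1.0/24 is used by the FortiLink interface in the sample output above.
    print(allocate_auto_ip(EXAMPLE_TEMPLATES, ["169.254.0.0/24", "169.254.1.0/24"]))
    print(render_cli(EXAMPLE_TEMPLATES, EXAMPLE_ASSIGNMENTS))
```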

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for
configuring FortiSwitch units:
config global
config switch-controller system
set parallel-process-override enable
set parallel-process <1-300>
end
end


Using the FortiSwitch serial number for automatic name resolution

By default, you can check that the FortiSwitch unit is accessible from the FortiGate unit with the execute ping
<FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the
FortiSwitch IP address, use the following commands:
config switch-controller global
set sn-dns-resolution enable
end

NOTE: sn-dns-resolution is enabled by default.

Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to
check if the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the
FortiGate unit.
config system dns
set domain "fsw"
end

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch
unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Configuring access to management and internal interfaces

The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have
different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-
access security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end


config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set access-profile <name_of_policy>
end

For example:
config switch-controller security-policy local-access
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
config switch-controller managed-switch
edit S524DF4K15000024
set access-profile policy1
end

NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are
overridden by the default local-access security policy.

Enabling FortiLink VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL
ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the
FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.

To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:

config switch-controller global
set vlan-optimization enable
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.

Configuring the MAC sync interval

Use the following commands to configure the global MAC sync interval.
The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the
default value is 60.
config switch-controller mac-sync-settings
set mac-sync-interval <30-600>
end

Discovering, authorizing, and deauthorizing FortiSwitch units

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the
following steps:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the
automatic authorization field of the interface.

Deauthorizing FortiSwitch units

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:

1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
2. In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, the devicesʼ serial numbers are saved in a trusted list that can be viewed in the CLI
using the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end
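A defender-side check for two settings shown in this section, the local-access security policy (mgmt-allowaccess and internal-allowaccess) and the trusted list in the show system csf output, as an added Python example that is not Fortinet's code. It contains a small parser for the config / edit / set / next / end block syntax, a function that lists the serial numbers a deauthorization left with action deny, and one that flags cleartext management protocols (http, telnet) permitted by a local-access policy; the two sample outputs are constructed copies modelled on the ones above, with the encrypted group password replaced by a placeholder.

```python
"""Parse FortiOS 'show' output and audit two switch-controller settings.

Added example, not Fortinet code: a small parser for the config / edit / set /
next / end block syntax, used to list deauthorized serials from 'show system csf'
and to flag cleartext management protocols in a local-access security policy.
"""
import shlex
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the 'show system csf' output in this section
# (the encrypted group password is replaced with a placeholder).
SHOW_CSF = """\
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC PLACEHOLDER
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
"""

# Constructed sample modelled on the local-access policy example (policy1) above.
SHOW_LOCAL_ACCESS = """\
config switch-controller security-policy local-access
    edit "policy1"
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end
"""

# Management protocols that carry credentials in cleartext.
CLEARTEXT = {"http", "telnet"}


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse config/edit/set/next/end blocks into nested dicts.

    'set' values are stored as lists of words. 'end' closes the innermost 'config'
    block together with any 'edit' still open inside it, as the FortiOS CLI does.
    """
    root: Dict[str, Any] = {}
    frames: List[Tuple[str, Dict[str, Any]]] = [("config", root)]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            block = frames[-1][1].setdefault(" ".join(args), {})
            frames.append(("config", block))
        elif kw == "edit":
            entry = frames[-1][1].setdefault(args[0], {})
            frames.append(("edit", entry))
        elif kw == "set":
            frames[-1][1][args[0]] = args[1:]
        elif kw == "next":
            if frames[-1][0] == "edit":
                frames.pop()
        elif kw == "end":
            while frames[-1][0] == "edit":
                frames.pop()
            if len(frames) > 1:
                frames.pop()
        # unset, append and unselect are not modelled in this example
    return root


def deauthorized_serials(cfg: Dict[str, Any]) -> List[str]:
    """Serial numbers in the Security Fabric trusted list whose action is deny."""
    trusted = cfg.get("system csf", {}).get("trusted-list", {})
    return sorted(serial for serial, entry in trusted.items()
                  if isinstance(entry, dict) and entry.get("action") == ["deny"])


def cleartext_access(cfg: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(policy, setting, protocol) for each cleartext protocol a local-access policy permits."""
    policies = cfg.get("switch-controller security-policy local-access", {})
    hits: List[Tuple[str, str, str]] = []
    for name, entry in policies.items():
        for key in ("mgmt-allowaccess", "internal-allowaccess"):
            for proto in entry.get(key, []):
                if proto in CLEARTEXT:
                    hits.append((name, key, proto))
    return hits


if __name__ == "__main__":
    print(deauthorized_serials(parse_fortios(SHOW_CSF)))       # ['S248DF3X17000482']
    print(cleartext_access(parse_fortios(SHOW_LOCAL_ACCESS)))  # [('policy1', 'internal-allowaccess', 'telnet')]
```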

Converting to FortiSwitch standalone mode

Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no
longer be managed by a FortiGate:
- execute switch-controller factory-reset <switch-id>—This command returns the FortiSwitch
to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-
discovery, the FortiGate can detect and automatically authorize the FortiSwitch. For example: execute switch-
controller factory-reset S1234567890
- execute switch-controller switch-action set-standalone <switch-id>—This command
returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from
automatically detecting and authorizing the FortiSwitch. For example: execute switch-controller
switch-action set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
set disable-discovery <switch-id>
end

For example:
config switch-controller global
set disable-discovery S1234567890
end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using
the following commands:
config switch-controller global
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end

For example:
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end

Optional FortiLink configuration

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all
FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end

If you had already applied a profile with the override enabled and the password set and then decide to remove the
admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously
set password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end

Using automatic network detection and configuration

There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuration policy"
next
end
next
end

To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end

NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.

To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
edit <policy_name>
set qos-policy <automatic-configuration QoS policy>
set storm-control-policy <automatic-configuration storm-control policy>
set poe-status {enable | disable}
set igmp-flood-report {enable | disable}
set igmp-flood-traffic {enable | disable}
end

Determining the network topology

The FortiGate unit requires only one active FortiLink to manage all of the subtending FortiSwitch units (called stacking).
You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical
interfaces). Depending on the network topology, you can also configure a standby FortiLink.
NOTE: For any of the topologies:
- All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate unit manages each
FortiSwitch separately.
- The active FortiLink carries data as well as management traffic.
This section covers the following topics:
- Single FortiGate managing a single FortiSwitch unit on page 29
- Single FortiGate unit managing a stack of several FortiSwitch units on page 30
- HA-mode FortiGate units managing a single FortiSwitch unit on page 31
- HA-mode FortiGate units managing a stack of several FortiSwitch units on page 32
- HA-mode FortiGate units managing a FortiSwitch two-tier topology on page 33
- Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) on page 33
- HA-mode FortiGate units using hardware-switch interfaces and STP on page 34
- Standalone FortiGate unit with dual-homed FortiSwitch access on page 35
- HA-mode FortiGate units with dual-homed FortiSwitch access on page 36
- HA-mode FortiGate units in remote sites on page 37
- FortiLink with an HA cluster of four FortiGate units on page 40
- FortiLink over a point-to-point layer-2 network on page 42
- FortiLink mode over a layer-3 network on page 43
- Grouping FortiSwitch units on page 47
- Adding link aggregation groups (trunks) on page 54

Single FortiGate managing a single FortiSwitch unit

On the FortiGate unit, the FortiLink interface is configured as a physical or aggregate interface. The 802.3ad aggregate
interface type provides a logical grouping of one or more physical interfaces.
NOTE:
- For the aggregate interface, you must disable the split interface on the FortiGate unit.
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or
later; see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.


Single FortiGate unit managing a stack of several FortiSwitch units

The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining
FortiSwitch units connect in a ring using inter-switch links (that is, ISL).
Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you
create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
NOTE:
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or
later; see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
- Do not create loops or rings with the FortiGate unit in the path.


HA-mode FortiGate units managing a single FortiSwitch unit

The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and
interface type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.


HA-mode FortiGate units managing a stack of several FortiSwitch units

The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last
FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.
When using an aggregate interface for the active/standby FortiLink configuration, make sure the FortiLink split interface
is enabled (this forces one link to be active and the rest to be standby links, which avoids loops in the network). This
option can be disabled later if you enable an MCLAG. See Transitioning from a FortiLink split interface to a FortiLink
MCLAG on page 58.
NOTE:
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of
the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or
later; see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.


HA-mode FortiGate units managing a FortiSwitch two-tier topology

The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface
type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.

Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)

The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical
hardware-switch or software-switch interface on the FortiGate unit.
Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support
IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
NOTE:
l Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be
used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate
unit.
l Do not create loops or rings in this topology.

HA-mode FortiGate units using hardware-switch interfaces and STP

In most FortiLink topologies, MCLAG or LAG configurations are used for FortiSwitch redundancy. However, some
FortiGate models do not support the FortiLink aggregate interface, or some FortiSwitch models do not support MCLAG.
The following network topology uses a hardware-switch interface on each FortiGate unit. Each FortiSwitch unit is
connected to a single port of the hardware-switch interface of the FortiGate unit. The inter-switch link (ISL) between the
FortiSwitch units provides redundancy.
For this network topology to function, use the following commands on each FortiLink hardware-switch interface:
    config system interface
        edit <FortiLink_hardware_switch_interface>
            set stp enable
        end

NOTE:
l The FortiLink interface uses the Link Layer Discovery Protocol (LLDP) for neighbor detection.
l Spanning Tree Protocol (STP) and STP forwarding are both supported by the FortiLink hardware-switch interface.
l The software-switch interface is not supported.


Standalone FortiGate unit with dual-homed FortiSwitch access

This network topology provides high port density with two tiers of FortiSwitch units.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3 and FortiSwitch 4).
NOTE:
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.


HA-mode FortiGate units with dual-homed FortiSwitch access

In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes
active.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).
NOTE:
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks.
They are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.


HA-mode FortiGate units in remote sites

There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive
HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of
limited physical connections between the two sites.
FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.
NOTE: Fortinet recommends using at least two links for ICL redundancy.


The following steps are an example of how to configure this topology:
1. Disconnect the physical connections between the two sites.
2. On Site 1:
a. Use the FortiGate unit to establish the FortiLinks on Site 1. See Configuring FortiLink on page 14.
b. Enable the MCLAG-ICL on the core switches of Site 1. See Transitioning from a FortiLink split interface to a
FortiLink MCLAG on page 58.
c. Enable the HA mode and set the heartbeat ports on FortiGate-1. FortiGate port1 and port2 are used as HA
heartbeat ports in this example. For example, set hbdev "port1" 242 "port2" 25.
d. Create a switch VLAN or VLANs dedicated to the FortiGate HA heartbeats between the two FortiGate units.
For example:

    config system interface
        edit "hb1"
            set vdom "vdom name"
            set vlanid 998
        next
        edit "hb2"
            set vdom "vdom name"
            set vlanid 999
        next
    end


e. Under the config switch-controller managed-switch command, set the native VLAN of the
switch ports connected to the heartbeat ports using the VLAN created in step 2d.
In this example, you need to assign port1 of core-switch1 to vlan998 and connect port1 of the active FortiGate
unit to port1 of core-switch1. Then you need to assign port1 of core-switch2 to vlan999 and connect port2 of
the active FortiGate unit to port1 of core-switch2.

    config switch-controller managed-switch
        edit <site1-core-switch1>
            config ports
                edit "port1"
                    set vlan "hb1"
                next
            end
        next
        edit <site1-core-switch2>
            config ports
                edit "port1"
                    set vlan "hb2"
                next
            end
        next
    end
f. Make sure all FortiLinks are up.
3. On Site 2:
a. Configure Site 2 using the same configuration as step 2, except for the HA priority.
b. Make sure all FortiLinks are up.
4. Disconnect the physical connections for the FortiGate HA and FortiLink interface on Site 2.
5. Connect the cables between the two pairs of core switches in Site 1 and Site 2.
6. On both sites:
a. On the MCLAG Peer Group switches at Site 1, use the config switch auto-isl-port-group
command in the FortiSwitch CLI to group the ports to Site 2. See MCLAG topologies on page 60.
b. On the MCLAG Peer Group switches at Site 2, use the config switch auto-isl-port-group
command in the FortiSwitch CLI to group the ports to Site 1. See MCLAG topologies on page 60.
c. Make sure all the FortiLinks are up.
7. Connect the FortiGate HA and FortiLink interface connections on Site 2.
8. Check the configuration:
a. On both sites, enter the get system ha status command on the FortiGate unit to check the HA status.
b. On the active (master) FortiGate unit, enter the execute switch-controller get-conn-status
command to check the FortiLink state.


9. In the GUI, the example configuration looks like the following:

FortiLink with an HA cluster of four FortiGate units

A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is
called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed.
All cluster units must also have the same hardware configuration (for example, the same number of hard disk) and be
running in the same operating mode (NAT mode or transparent mode).


In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This
heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts
like a collection of standalone FortiGate units.
On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces,
the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation
and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization
information among the cluster units over the heartbeat interface link. This communication and synchronization is called
the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.
NOTE: You can create an FGCP cluster of up to four FortiGate units.
The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also
manages the two HA modes: active-passive (failover HA) and active-active (load-balancing HA).
The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to
improve reliability: if two cluster units fail, the third will continue to operate, and so on. A cluster of three or four units in
active-active mode may improve performance because another cluster unit is available for security profile processing.
However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the
additional performance achieved by adding the third cluster unit might not be worth the cost.
There are no special requirements for clusters of more than two units. Here are a few recommendations though:
l The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other. So each
unitʼs matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for
heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so
communication can happen between all of the cluster units over the ha1 interface.
l Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting
each matching set of heartbeat interfaces to a different switch. This is not a requirement, however, and you can
connect both heartbeat interfaces of all cluster units to the same switch; but if that switch fails, the cluster will
stop forwarding traffic.
l For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of
heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
l Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two
units in a cluster.
l Virtual clustering can only be done with two FortiGate units.
l Fortinet recommends using at least two links for ICL redundancy.


The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build
1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:

FortiLink over a point-to-point layer-2 network

Starting in FortiSwitchOS 6.4.0, you can run FortiLink mode over a point-to-point layer-2 network. To create this
topology, you form an inter-switch link (ISL) between two FortiSwitch units over a layer-2 device or non-FortiSwitch
device (such as a wireless bridge) and configure the tag protocol identifier (TPID) between the two FortiSwitch units.
NOTE:
l The set fortilink-p2p-tpid command is not supported on the FS-108E, FS-108E-POE, FS-108E-FPOE,
FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
l The set fortlink-p2p command is available in FortiLink mode and standalone mode. The set
fortilink-p2p-tpid command is available only in FortiLink mode.

1. Enable the FortiLink point-to-point network on each FortiSwitch unit:

    config switch physical-port
        edit <port_name>
            set fortlink-p2p enable
        end

2. Make certain that the FortiLink point-to-point TPID value is the same on each FortiSwitch unit. By default, it is
0x8100.

    config switch global
        set fortilink-p2p-tpid <0x0001-0xfffe>
    end

FortiLink mode over a layer-3 network

NOTE:
l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l NAT is not supported between the FortiSwitch unit and FortiGate unit.
This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not
directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.
There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
l In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
l Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network
Starting in FortiOS 6.4.3, you can configure a FortiLink-over-layer-3 network to use the FortiLink interface as the
source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the
outbound interface as the source IP address if you prefer.

To use the FortiLink interface as the source IP address:

    config system interface
        edit <FortiLink_interface>
            set switch-controller-source-ip fixed
        end


In-band management

To configure a FortiSwitch unit to operate in a layer-3 network:

NOTE: You must enter these commands in the indicated order for this feature to work.
1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
2. Manually set the FortiSwitch unit to FortiLink mode:

    config system global
        set switch-mgmt-mode fortilink
    end

3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to
find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-code
is 138.

To use DHCP discovery:

    config switch-controller global
        set ac-discovery-type dhcp
        set dhcp-option-code <integer>
    end

To use static discovery:

    config switch-controller global
        set ac-discovery-type static
        config ac-list
            edit <id>
                set ipv4-address <IPv4_address>
            next
        end
    end

4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch
unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3
network with the following commands:

    config switch interface
        edit <port_number>
            set fortilink-l3-mode enable
        next
    end

The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.

NOTE:
l Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
l The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server
must be reachable from the FortiSwitch unit.
l If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically
forms a link aggregation group (LAG) trunk that contains all fortilink-l3-mode-enabled ports as a single
logical interface.
l If you have more than one port with fortilink-l3-mode enabled, all ports are automatically added to the
__FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP
mode.
l In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast
mode. The layer-3 discovery multicast mode is unsupported.

Connecting additional FortiSwitch units to the first FortiSwitch unit

In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches
then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches
(FortiSwitch 2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check
that each FortiSwitch unit can reach the FortiGate unit.


Out-of-band management

If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any
physical port because the mgmt port is directly connected to the layer-3 network.


You can use the internal interface for one FortiSwitch island to connect to the layer-3 network
and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network.
Do not mix the internal interface connection and mgmt interface connection within a single
FortiSwitch island.

Other topologies

If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is
enabled on the FortiLink layer-3 trunk.
If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink
interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also
connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.
A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink
management interface.
You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to
different intermediary routers or switches is not supported.

Limitations

The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
l All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
l No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the
FortiSwitch unit.
l All FortiSwitch units within a FortiSwitch island must be connected to the same FortiGate unit.
l The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-
configured destination, such as syslog or 802.1x.
l Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
l If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island
can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one
physical link, you can group the links as a link aggregation group (LAG).
l Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
l If the network has a wide geographic distribution, some features, such as software downloads, might operate
slowly.
l After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can
include one or more FortiSwitch units and you can include different models in a group.


Using the GUI:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Select Create New > FortiSwitch Group.
3. In the Name field, enter a name for the FortiSwitch group.
4. In the Members field, click + to select which switches to include in the FortiSwitch group.
5. In the Description field, enter a description of the FortiSwitch group.
6. Select OK.

Using the CLI:

    config switch-controller switch-group
        edit <name>
            set description <string>
            set members <serial-number> <serial-number> ...
        next
    end

Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you
can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See Firmware
upgrade of stacked or tiered FortiSwitch units on page 49.

Stacking configuration

To set up stacking:
1. Configure the active FortiLink interface on the FortiGate unit.
2. (Optional) Configure the standby FortiLink interface.
3. Connect the FortiSwitch units together, based on your chosen topology.

1. Configure the active FortiLink

Configure the FortiLink interface (as described in Configuring FortiLink on page 14).
When you configure the FortiLink interface, the stacking capability is enabled automatically.

2. Configure the standby FortiLink

Configure the standby FortiLink interface. Depending on your configuration, the standby FortiLink might connect to the
same FortiGate unit as the active FortiLink or to a different FortiGate unit.
If the FortiGate unit receives discovery requests from two FortiSwitch units, the link from one FortiSwitch unit will be
selected as active, and the link from other FortiSwitch unit will be selected as standby.
If the active FortiLink fails, the FortiGate unit converts the standby FortiLink to active.


3. Connect the FortiSwitch units

Refer to the topology diagrams to see how to connect the FortiSwitch units.
Inter-switch links (ISLs) form automatically between the stacked switches.
The FortiGate unit will discover and authorize all of the FortiSwitch units that are connected. After this, the FortiGate
unit is ready to manage all of the authorized FortiSwitch units.

Disable stacking

To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the
FortiLink interface:
    config system interface
        edit port4
            set fortilink-stacking disable
        next
    end

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-
FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit
is running FOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.


To upgrade the firmware of stacked or tiered FortiSwitch units:

1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:
FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.1 (176) Authorized/Up - 10.105.22.6 Thu Oct 24 10:47:27 2019 -
S108EP5918008265 v6.2.1 (176) Authorized/Up - 10.105.22.5 Thu Oct 24 10:47:20 2019 -
S224ENTF18001408 v6.2.1 (176) Authorized/Up - 10.105.22.2 Thu Oct 24 10:44:36 2019 -
S224ENTF18001432 v6.2.1 (176) Authorized/Up - 10.105.22.3 Thu Oct 24 10:44:49 2019 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)

2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the
HTTPS image push instead of the CAPWAP image push. For example:
FGT81ETK19001274 # config switch-controller global
FGT81ETK19001274 (global) # set https-image-push enable
FGT81ETK19001274 (global) # end


3. Download the file for the FortiSwitchOS 6.2.2 GA build 194 in the FortiGate unit. For example:
FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_224E-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
#########################
Image checking ...
Image MD5 calculating ...
Image Saving S224EN-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_POE-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_POE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
##################
Image checking ...
Image MD5 calculating ...
Image Saving S108EP-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_FPOE-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_FPOE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
##################
Image checking ...
Image MD5 calculating ...
Image Saving S108EF-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 #

4. Check the downloaded FortiSwitch image. For example:
FGT81ETK19001274 # execute switch-controller switch-software list-available

ImageName ImageSize(B) ImageInfo Uploaded Time
S108EF-IMG.swtp 19574769 S108EF-v6.2-build194 Thu Oct 24 13:03:51 2019
S108EP-IMG.swtp 19583362 S108EP-v6.2-build194 Thu Oct 24 13:03:23 2019
S224EN-IMG.swtp 27159659 S224EN-v6.2-build194 Thu Oct 24 13:03:02 2019

FGT81ETK19001274 #

5. Start the image staging. For example:
FGT81ETK19001274 # execute switch-controller switch-software stage all S224EN-IMG.swtp
Staged Image Version S224EN-v6.2-build194
Image staging operation is started for FortiSwitch S224ENTF18001408 ...
Image staging operation is started for FortiSwitch S224ENTF18001432 ...

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EF-IMG.swtp
Staged Image Version S108EF-v6.2-build194
Image staging operation is started for FortiSwitch S108EF5918003577 ...

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EP-IMG.swtp
Staged Image Version S108EP-v6.2-build194
Image staging operation is started for FortiSwitch S108EP5918008265 ...

6. Check the status of the image staging. For example:
FGT81ETK19001274 # execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408 S224EN-v6.2.1-build176,190620 (GA) (100/0/0) S224EN-v6.2-build176 (Staging)
S224ENTF18001432 S224EN-v6.2.1-build176,190620 (GA) (100/0/0) S224EN-v6.2-build176 (Staging)
S108EP5918008265 S108EP-v6.2.1-build176,190620 (GA) (18/0/0) S108EP-v6.2-build176 (Staging)
S108EF5918003577 S108EF-v6.2.1-build176,190620 (GA) (25/0/0) S108EF-v6.2-build176 (Staging)

7. Verify that the image staging has completed. For example:
FGT81ETK19001274 # execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408 S224EN-v6.2.1-build176,190620 (GA) (0/100/100) S224EN-v6.2-build194 (Idle)
S224ENTF18001432 S224EN-v6.2.1-build176,190620 (GA) (0/100/100) S224EN-v6.2-build194 (Idle)
S108EP5918008265 S108EP-v6.2.1-build176,190620 (GA) (0/100/100) S108EP-v6.2-build194 (Idle)
S108EF5918003577 S108EF-v6.2.1-build176,190620 (GA) (0/100/100) S108EF-v6.2-build194 (Idle)

8. Reboot all switches (or reboot the switches by group). For example:
FGT81ETK19001274 # execute switch-controller switch-action restart delay all
Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...

9. Check the status of the switch reboot. For example:
FGT81ETK19001274 # execute switch-controller switch-action restart delay all
Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...

FGT81ETK19001274 # execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408 Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S224ENTF18001432 Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S108EP5918008265 Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S108EF5918003577 Prepping for delayed restart triggered ... please wait for switch to reboot in a moment

FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S108EP5918008265 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S224ENTF18001408 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S224ENTF18001432 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 0 DOWN: 4)

FGT81ETK19001274 #

10. Wait for a while before checking that all switches are online. For example:
FGT81ETK19001274 # execute switch-controller get-upgrade-status
Device Running-version Status Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408 S224EN-v6.2.2-build194,191018 (GA) (0/100/100) S224EN-v6.2-
build194 (Idle)
S224ENTF18001432 S224EN-v6.2.2-build194,191018 (GA) (0/100/100) S224EN-v6.2-
build194 (Idle)
S108EP5918008265 S108EP-v6.2.2-build194,191018 (GA) (0/100/100) S108EP-v6.2-
build194 (Idle)
S108EF5918003577 S108EF-v6.2.2-build194,191018 (GA) (0/100/100) S108EF-v6.2-
build194 (Idle)

FGT81ETK19001274 # execute switch-controller get-conn-status

Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.2 (194) Authorized/Up - 10.105.22.6 Thu Oct 24 13:22:27 2019 -
S108EP5918008265 v6.2.2 (194) Authorized/Up - 10.105.22.5 Thu Oct 24 13:22:41 2019 -
S224ENTF18001408 v6.2.2 (194) Authorized/Up - 10.105.22.2 Thu Oct 24 13:20:11 2019 -
S224ENTF18001432 v6.2.2 (194) Authorized/Up - 10.105.22.3 Thu Oct 24 13:19:58 2019 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)

FGT81ETK19001274 #
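The two get-conn-status outputs above are what an operator reads by hand after an upgrade. The following Python is an added example, not part of the Fortinet guide or of FortiOS: it parses the switch table and the Flags legend and reports every managed switch that is not Authorized/Up or that still carries a pending-state flag, which is the check a monitoring job would run before declaring the upgrade finished. The two sample texts are copies of the outputs shown above; the row layout (serial, version, build, Authorized/state, flag, address, join time, name) is assumed from those samples rather than taken from a FortiOS specification.

```python
import re
from typing import Dict, List, Tuple

# Flag legend printed at the bottom of "execute switch-controller get-conn-status".
FLAG_MEANINGS = {
    "C": "config sync",
    "U": "upgrading",
    "S": "staged",
    "D": "delayed reboot pending",
    "E": "configuration sync error",
}

# One table row. Layout assumed from the sample output, not from a FortiOS specification:
# SWITCH-ID VERSION (BUILD) Authorized/State FLAG ADDRESS JOIN-TIME NAME
ROW_RE = re.compile(
    r"^(?P<id>\S+)\s+(?P<version>v\S+)\s+\((?P<build>[^)]*)\)\s+"
    r"(?P<auth>\w+)/(?P<link>\w+)\s+(?P<flags>\S+)\s+(?P<addr>\S+)\s+"
    r"(?P<join>N/A|.+?\d{4})\s+(?P<name>\S+)$"
)
SUMMARY_RE = re.compile(r"Managed-Switches:\s*(\d+)\s*\(UP:\s*(\d+)\s*DOWN:\s*(\d+)\)")

# Sample output copied from the guide: first while the switches are rebooting, then once they are back.
DURING_UPGRADE = """\
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S108EP5918008265 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S224ENTF18001408 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -
S224ENTF18001432 v6.2.1 () Authorized/Down D 0.0.0.0 N/A -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 0 DOWN: 4)
"""

AFTER_UPGRADE = """\
STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108EF5918003577 v6.2.2 (194) Authorized/Up - 10.105.22.6 Thu Oct 24 13:22:27 2019 -
S108EP5918008265 v6.2.2 (194) Authorized/Up - 10.105.22.5 Thu Oct 24 13:22:41 2019 -
S224ENTF18001408 v6.2.2 (194) Authorized/Up - 10.105.22.2 Thu Oct 24 13:20:11 2019 -
S224ENTF18001432 v6.2.2 (194) Authorized/Up - 10.105.22.3 Thu Oct 24 13:19:58 2019 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)
"""


def parse_conn_status(text: str) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Return the parsed switch rows and the Managed-Switches summary counts."""
    rows: List[Dict[str, str]] = []
    summary: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        row = ROW_RE.match(line)
        if row:
            rows.append(row.groupdict())
            continue
        total = SUMMARY_RE.search(line)
        if total:
            summary = dict(zip(("total", "up", "down"), map(int, total.groups())))
    return rows, summary


def find_problems(rows: List[Dict[str, str]], summary: Dict[str, int]) -> List[Tuple[str, str]]:
    """(switch_id, reason) for every switch that is not Authorized/Up with no flags set."""
    problems: List[Tuple[str, str]] = []
    for row in rows:
        if row["auth"] != "Authorized":
            problems.append((row["id"], f"authorization state is {row['auth']}"))
        if row["link"] != "Up":
            problems.append((row["id"], f"link state is {row['link']}"))
        for flag in row["flags"]:
            if flag != "-":
                problems.append((row["id"], FLAG_MEANINGS.get(flag, f"unknown flag {flag!r}")))
    # The summary line is printed independently of the rows; a mismatch means the
    # table was truncated or the output was captured while the list was changing.
    if summary and summary["total"] != len(rows):
        problems.append(("*", f"summary lists {summary['total']} switches but {len(rows)} rows were parsed"))
    return problems


def report(text: str) -> List[Tuple[str, str]]:
    rows, summary = parse_conn_status(text)
    return find_problems(rows, summary)


if __name__ == "__main__":
    for label, text in (("during upgrade", DURING_UPGRADE), ("after upgrade", AFTER_UPGRADE)):
        print(label)
        for switch_id, reason in report(text) or [("-", "all switches Authorized/Up")]:
            print(f"  {switch_id}: {reason}")
```

Run against the first capture it lists eight findings (four switches Down, four with the delayed-reboot flag); against the second it lists none, which is the condition step 10 asks you to wait for.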
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end

Adding link aggregation groups (trunks)

To create a link aggregation group for FortiSwitch user ports:


1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Click Create New > Trunk.
3. In the New Trunk Group page, enter a Name for the trunk group.
4. Select two or more physical ports to add to the trunk group and then select Apply.
5. Select the Mode: Static, Passive LACP, or Active LACP.
6. Select Enabled or Disabled for the MCLAG.
• The MCLAG peer group must be configured before it is added to the MCLAG trunk. See MCLAG peer groups on page 58.
• Make sure to select ports from switches that are part of the same MCLAG peer group.

7. Select OK.

MCLAG configuration for access ports

Using the GUI

1. Go to WiFi & Switch Controller > FortiSwitch Ports.


2. Select Create New > Trunk.
3. Enter a name for the MCLAG trunk.
4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
5. For the mode, select Static, Passive LACP, or Active LACP.
• Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.
• Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
• Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.
6. For trunk members, select Select Members, select the ports to include in the MCLAG trunk, and then select OK to
save the trunk members.
7. Select OK to save the MCLAG configuration.
The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.
After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the
FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is
automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member
ports on the peer FortiSwitch.

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.

Using the CLI

Configure a trunk in each switch that is part of the MCLAG pair:


• The trunk name for each switch must be the same.
• The port members for each trunk can be different.
• After you enable MCLAG, you can enable LACP if needed.

config switch-controller managed-switch
    edit "<switch-id>"
        config ports
            edit "<trunk name>"
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set members "<port>,<port>"
                set mclag enable
            next
        end
    next
end

Variable                         Description                                                             Default
<switch-id>                      FortiSwitch serial number.                                              No default
<trunk name>                     Enter a name for the MCLAG trunk.                                       No default
                                 NOTE: Each FortiSwitch unit that is part of the MCLAG must have the
                                 same MCLAG trunk name configured.
type trunk                       Set the interface type to a trunk port.                                 physical
mode {static | lacp-passive |    Set the LACP mode.                                                      lacp-active
lacp-active}                     —Set to static for static aggregation. In this mode, no control
                                 messages are sent, and received control messages are ignored.
                                 —Set to lacp-passive to passively use LACP to negotiate 802.3ad
                                 aggregation.
                                 —Set to lacp-active to actively use LACP to negotiate 802.3ad
                                 aggregation.
members "<port>,<port>"          Set the aggregated LAG bundle interfaces.                               No default
mclag enable                     Enable or disable the MCLAG.                                            disable

Log into each managed FortiSwitch to check the MCLAG configuration with the following command:
diagnose switch mclag

When an MCLAG is formed, the time on all FortiSwitch units is synchronized with an NTP server. To confirm that each
FortiSwitch in the MCLAG is using an NTP server, use the following command:
show system ntp

MCLAG peer groups

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they
appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any
interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP).
This section covers the following topics:
• MCLAG requirements on page 58
• Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58
• MCLAG topologies on page 60

MCLAG requirements

• Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
• There is a maximum of two FortiSwitch models per MCLAG.
• The routing feature is not available within an MCLAG.
• When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the local aggregate interface.
• On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
• On the global switch level, mclag-igmpsnooping-aware must be enabled. By default, mclag-igmpsnooping-aware is enabled in the FortiSwitchOS CLI.
• The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
• IGMP proxy must be enabled.

Transitioning from a FortiLink split interface to a FortiLink MCLAG

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port
connected to each FortiSwitch unit.

NOTE:
• Make sure that the split interface is enabled.
• This procedure also applies to a FortiGate unit in HA mode.
• More links can be added between the FortiGate unit and FortiSwitch unit.
• On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
• Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
• On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
• The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
• IGMP proxy must be enabled.
The following procedure uses zero-touch provisioning to change the configuration of the FortiSwitch units without losing
their management from the FortiGate unit. The MCLAG-ICL can also be enabled directly using console cables or
management ports.
1. Log into FortiSwitch 2 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp
auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the
ISL to an ICL. For example:
get switch lldp auto-isl-status

config switch trunk
    edit <trunk_name>
        set mclag-icl enable
    next
end
2. Log into FortiSwitch 1 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp
auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the
ISL to an ICL. For example:
get switch lldp auto-isl-status

config switch trunk
    edit <trunk_name>
        set mclag-icl enable
    next
end
3. Log into the FortiGate unit and disable the split interface. For example:
config system interface
    edit <aggregate_name>
        set fortilink-split-interface disable
    next
end
4. From the FortiGate unit, enable the LACP static mode:
config system interface
    edit <aggregate_name>
        set lacp-mode static
    next
end
NOTE: If you are using FortiOS 6.2 or later, use the set lacp-mode active command instead.
5. Check that the LAG is working correctly. For example:
diagnose netlink aggregate name <aggregate_name>

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.

MCLAG topologies

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches
before creating a two-port LAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58.
Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit.
This topology is supported when the FortiGate unit is in HA mode.
NOTE:
• On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
• Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
• On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
• The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
• IGMP proxy must be enabled.

Step 1: Ensure the MCLAG ICL is already configured between FortiSwitch 1 and FortiSwitch 2.

diagnose switch mclag icl

Step 2: Configure a trunk in FortiSwitch 1 and then configure a trunk in FortiSwitch 2.

The trunk names must match.

Step 3: Set up the servers.

To set up Server 1:

config switch trunk
    edit server_1
        set members port10
        set mclag enable
    next
    edit server_2
        set members port15
        set mclag enable
    next
end

To set up Server 2:

config switch trunk
    edit server_1
        set members port10
        set mclag enable
    next
    edit server_2
        set members port15
        set mclag enable
    next
end

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need
to enable the fortilink-split-interface.

Multi-tiered MCLAG with HA-mode FortiGate units

NOTE:
• Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
• In this topology, you must use the auto-isl-port-group setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.
• The inter-chassis link (ICL) and auto-isl-port-group settings must be done directly on the FortiSwitch unit.
• On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
• CLI commands in red are manually configured.
• Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
• On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
• The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
• IGMP proxy must be enabled.

To configure a multi-tiered MCLAG with HA-mode FortiGate units:

1. Configure FortiSwitch-1 and FortiSwitch-2 for the tier-1 MCLAG:


For FortiSwitch-1, enable the ICL on the ISL formed with the MCLAG peer switch:
config switch trunk
    edit "D243Z14000288-0" // trunk name derived from FortiSwitch-2 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
end
For FortiSwitch-2, enable the ICL on the ISL formed with the MCLAG peer switch:
config switch trunk
    edit "D243Z14000289-0" // trunk name derived from FortiSwitch-1 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
end
2. Continue to configure FortiSwitch-1 for the tier-1 MCLAG:
a. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.
config switch auto-isl-port-group
    edit "distribute-1"
        set members "port1" "port2"
    next
    edit "distribute-2"
        set members "port3" "port4"
end
b. After you complete the CLI commands in Steps 1 and 2a, the trunks are automatically formed:
config switch trunk
    edit "D243Z14000288-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "FG100D3G15817028" // trunk name derived from FortiGate-1
        set mclag enable
        set members "port24" "port23"
    next
    edit "distribute-1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port1" "port2"
    next
    edit "distribute-2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end
3. Continue to configure FortiSwitch-2 for the tier-1 MCLAG:
a. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.
config switch auto-isl-port-group
    edit "distribute-1"
        set members "port1" "port2"
    next
    edit "distribute-2"
        set members "port3" "port4"
end
b. After you complete the CLI commands in Steps 1 and 3a, the trunks are automatically formed:
config switch trunk
    edit "D243Z14000288-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "FG100D3G15817032" // trunk name derived from FortiGate-2
        set mclag enable
        set members "port24" "port23"
    next
    edit "distribute-1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port1" "port2"
    next
    edit "distribute-2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end
4. Tier-2 MCLAGs. Enable the ICL between the MCLAG peer switches. For example, configure FortiSwitch-6 as
follows.
a. Change the tier-2 MCLAG peer switches to FortiLink mode and connect them to each other. Enable the ICL on
the ISL formed with the MCLAG peer switches.
config switch trunk
    edit "8DN3X15000026-0" // trunk name derived from FortiSwitch-7 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port43" "port44"
end

b. The trunks are automatically formed as below:
config switch trunk
    edit "8DN3X15000026-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port43" "port44"
    next
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port48" "port47"
    next
end
5. Access FortiSwitch units. The access switch trunks are formed automatically as below.
On FortiSwitch-6:
config switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port48" "port47"
    next
end

On FortiSwitch-7:
config switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port47" "port48"
    next
end

If you disable the MCLAG ICL (with the set mclag-icl disable command), you
need to enable the fortilink-split-interface.
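The trunk configurations in this section rest on two invariants that the guide states in prose: each MCLAG peer has exactly one trunk with mclag-icl enabled, and every MCLAG trunk name must exist on both peers (the member ports may differ). The following Python is an added example, not Fortinet code: it parses the "config switch trunk" text as it is printed on the FortiSwitchOS CLI and checks a peer pair for those invariants offline, before the on-box diagnose switch mclag peer-consistency-check is run. The two sample configurations are constructed to resemble the step 2b and step 3b output, with a deliberate name mismatch (distribute-2 versus distribute-3) on the second peer; the FortiLink trunks, whose names differ by design in an HA pair, are left out of the sample.

```python
import shlex
from typing import Dict, List

TrunkTable = Dict[str, Dict[str, List[str]]]   # trunk name -> {setting: values}

# Constructed sample shaped like the step 2b output above; not captured from a real switch.
PEER_A_CONFIG = """
config switch trunk
    edit "D243Z14000288-0" // ICL; name derived from the peer switch serial
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "distribute-1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port1" "port2"
    next
    edit "distribute-2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end
"""

# Same shape for the second peer, with the second downlink group mistyped as distribute-3 and
# different member ports on distribute-1 (member ports may differ between peers; names may not).
PEER_B_CONFIG = """
config switch trunk
    edit "D243Z14000289-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "distribute-1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port5" "port6"
    next
    edit "distribute-3"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end
"""


def parse_trunks(config_text: str) -> TrunkTable:
    """Parse a FortiSwitchOS 'config switch trunk' block into {trunk_name: {setting: values}}."""
    trunks: TrunkTable = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop the guide-style // annotations
        if not line:
            continue
        tokens = shlex.split(line)                # honours the quoted names and member lists
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            trunks[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            trunks[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return trunks


def check_mclag_peers(peer_a: TrunkTable, peer_b: TrunkTable) -> List[str]:
    """Check the two invariants the guide states for an MCLAG peer pair."""
    findings: List[str] = []
    for label, trunks in (("peer A", peer_a), ("peer B", peer_b)):
        icls = [name for name, s in trunks.items() if s.get("mclag-icl") == ["enable"]]
        if len(icls) != 1:
            findings.append(f"{label}: expected exactly one trunk with mclag-icl enable, found {len(icls)}")
    mclag_a = {name for name, s in peer_a.items() if s.get("mclag") == ["enable"]}
    mclag_b = {name for name, s in peer_b.items() if s.get("mclag") == ["enable"]}
    for name in sorted(mclag_a ^ mclag_b):
        findings.append(f"MCLAG trunk {name!r} has mclag enable on only one peer; trunk names must match")
    return findings


def audit_sample() -> List[str]:
    return check_mclag_peers(parse_trunks(PEER_A_CONFIG), parse_trunks(PEER_B_CONFIG))


if __name__ == "__main__":
    for finding in audit_sample() or ["MCLAG peer configuration is consistent"]:
        print(finding)
```

Feed it the "show switch trunk" text from both peers and it reports the mismatched downlink trunk name; a trunk that exists with mclag enable on only one peer never forms a peer set, so the servers behind it fall back to a single-homed link without any alarm on the FortiGate.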

Three-tier FortiLink MCLAG configuration

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

To configure the two FortiGate units:

1. Set up an active-passive or active-active HA configuration.


2. (Optional) Disable override in the HA CLI configuration.
3. Use the GUI or CLI to create the FortiLink interface.
4. Configure the FortiLink interface:

config system interface
    edit <FortiLink_interface>
        set lacp-mode active
        set fortilink-neighbor-detect lldp
        set fortilink-split-interface disable
        set lldp-reception enable
        set lldp-transmission enable
    next
end

To configure the FortiSwitch units in the core:

1. Find the trunk between the two MCLAG switches. Enable mclag-icl on the MCLAG-ICL trunk. The default
name of the MCLAG-ICL trunk is the last 13 characters of the peer switch name plus “-0”.

config switch trunk
    edit <MCLAG-ICL_trunk_name>
        set mclag-icl enable
    next
end

2. Create downlink trunks on the MCLAG-ICL switches.


Note: Only the trunks from the higher tier MCLAG-ICL switches to the next tier MCLAG-ICL switches need this
configuration.

To configure the three-tier MCLAG topology shown in the following figure:

1. Configure the tier-1 MCLAG switches.


a. Connect switch 1 and switch 2 to the FortiGate units and interconnect switch 1 and switch 2.
b. Wait for both switches to change to FortiLink mode and for both FortiLinks to be up.
c. Configure the ICL trunks on the inter-switch trunks to form MCLAG switches in FortiLink mode.
d. Use the diagnose switch mclag peer-consistency-check CLI command to verify that the
MCLAG-ICL trunk formed successfully.
e. Add an auto-isl-port-group for the tier-2 MCLAG switches on both switch 1 and switch 2:

config switch auto-isl-port-group
    edit tier2-closet-1
        set members port1
    next
    edit tier2-closet-2
        set members port2
    next
end

2. Wire all switches in closet 1 by following the figure. Do not make the dotted-line connections for now. Wait for all
switches to be up in FortiLink mode.
3. Add two auto-isl-port-groups for the tier-3 MCLAG switches on both switch 3 and switch 4:

config switch auto-isl-port-group
    edit tier-2-closet-<1>-downlink-trunk-A
        set members <port_name>
    next
    edit tier-2-closet-<1>-downlink-trunk-B
        set members <port_name>
    next
end

4. Enable the tier-2 MCLAG-ICL trunk on switch 4 using the FortiOS CLI of the switch console port.
5. Enable the tier-3 MCLAG-ICL trunks on switch 6 and switch 8.
NOTE: The trunk must be configured from the end of the daisy-chain switch.
6. Enable the tier-3 MCLAG-ICL trunks on switch 5 and switch 7.
7. Enable the tier-2 MCLAG-ICL trunk on switch 3.
8. Verify that all the FortiLinks are up and double-check the MCLAG-ICL configuration on each MCLAG switch.
9. Connect switch 4 to switch 2.
10. Verify that the FortiLinks are up.
11. Connect switch 6 and switch 8 to switch 4.
12. Verify that the FortiLinks are up.
13. Use the diagnose switch mclag peer CLI command to verify that the tier-1, tier-2, and tier-3 MCLAG switches are formed correctly.
14. Check the traffic on switch 1 and switch 2 during the configuration.
15. Repeat steps 2 to 14 for closet 2.
16. All FortiLinks should be up.

HA-mode one-tier MCLAG

HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a
stack in each IDF, connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface
that contains one active link and one standby link).
NOTE:
• Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
• Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
• When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using 6.2.0 or later. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 58 for details.
• On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
• This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.
• Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:
• On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
• The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
• IGMP proxy must be enabled.

Configuring FortiSwitch VLANs and ports

This section covers the following topics:


• Configuring VLANs on page 70
• Configuring ports using the GUI on page 73
• Configuring port speed and status on page 73
• Configuring PoE on page 74
• Configuring IPv4 source guard on page 75
• Configuring FortiSwitch split ports (phy-mode) in FortiLink mode on page 77
• Sharing FortiSwitch ports between VDOMs on page 80
• Restricting the type of frames allowed through IEEE 802.1Q ports on page 82

Configuring VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you
to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent
automatically within the VLAN. You must configure routing for traffic between VLANs.)
From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The
switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the
VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch
port.

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either
the Web GUI or CLI.

Using the GUI

To create the VLAN:


1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:

Interface Name: VLAN name
VLAN ID: Enter a number (1-4094)
Color: Choose a unique color for each VLAN, for ease of visual display.
Role: Select LAN, WAN, DMZ, or Undefined.

2. Enable DHCP for IPv4 or IPv6.


3. Set the Administrative access options as required.
4. Select OK.

To assign FortiSwitch ports to the VLAN:

1. Go to WiFi & Switch Controller > FortiSwitch Ports.


2. Click a port row.
3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected
port.

Using the FortiSwitch CLI

1. Create the marketing VLAN.

config system interface
    edit <vlan name>
        set vlanid <1-4094>
        set color <1-32>
        set interface <FortiLink-enabled interface>
end

2. Set the VLAN’s IP address.

config system interface
    edit <vlan name>
        set ip <IP address> <Network mask>
end

3. Enable a DHCP Server.

config system dhcp server
    edit 1
        set default-gateway <IP address>
        set dns-service default
        set interface <vlan name>
        config ip-range
            edit 1
                set start-ip <IP address>
                set end-ip <IP address>
            next
        end
        set netmask <Network mask>
end

4. Assign ports to the VLAN.

config switch-controller managed-switch
    edit <Switch ID>
        config ports
            edit <port name>
                set vlan <vlan name>
                set allowed-vlans <vlan name>
                or
                set allowed-vlans-all enable
            next
        end
end

5. Assign untagged VLANs to a managed FortiSwitch port:


config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set untagged-vlans <VLAN-name>
            next
        end
    next
end

Viewing FortiSwitch VLANs

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:


• Name—name of the VLAN
• VLAN ID—the VLAN number
• IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
• Access—administrative access settings for the VLAN
• Ref—number of configuration objects referencing this VLAN

Changing the VLAN configuration mode

You can change which VLANs the set allowed-vlans command affects.
If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:
config switch-controller global
    set vlan-all-mode defined
end

If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:
config switch-controller global
    set vlan-all-mode all
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
• Set the native VLAN and add more VLANs
• Edit the description of the port
• Enable or disable the port
• Set the access mode to network access control (NAC) or normal
• Enable or disable PoE for the port
• Enable or disable DHCP snooping (if supported by the port)
• Enable or disable whether a port is an edge port
• Enable or disable STP (if supported by the port)
• Enable or disable loop guard (if supported by the port)
• Enable or disable STP BPDU guard (if supported by the port)
• Enable or disable STP root guard (if supported by the port)

Configuring port speed and status

Use the following commands to set port speed and other base port settings:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set description <text>
                set speed <speed>
                set status {down | up}
        end
end

For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set description "First port"
                set speed auto
                set status up
        end
end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port


config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set poe-status {enable | disable}
        end
end

For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set poe-status enable
        end
end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:
execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>

Display general PoE status


get switch-controller poe <FortiSwitch_serial_number> <port_name>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6


Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA

Configuring IPv4 source guard

IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
• Static entries—IP addresses that have been manually associated with MAC addresses.
• Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict
between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The
following FortiSwitch models support IP source guard:
• FSR-124D
• FS-224D-FPOE
• FS-248D
• FS-424D-POE
• FS-424D-FPOE
• FS-448D-POE
• FS-448D-FPOE
• FS-424D
• FS-448D
• FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
1. Enable IPv4 source guard in the FortiOS CLI.
2. Create static entries on the FortiSwitch unit by binding IPv4 addresses with MAC addresses.
3. Check the IPv4 source-guard entries on the FortiSwitch unit.

Enabling IPv4 source guard

You must enable IPv4 source guard in the FortiOS CLI before you can configure it.

To enable IPv4 source guard:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set ip-source-guard enable
            next
        end
end

For example:
config switch-controller managed-switch
    edit S424DF4K15000024
        config ports
            edit port20
                set ip-source-guard enable
            next
        end
end

Creating static entries

After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4
addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 83.

To create static entries:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ip-source-guard
            edit <port_name>
                config binding-entry
                    edit <id>
                        set ip <xxx.xxx.xxx.xxx>
                        set mac <XX:XX:XX:XX:XX:XX>
                    next
                end
            next
        end
    next
end

For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end

Checking the IPv4 source-guard entries

After you configure IPv4 source guard, you can check the entries.
Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are
added by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>
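As an added illustration (not Fortinet code), the following Python model reproduces the filtering rules stated in this section: a frame on a protected port passes only when its source IP/MAC pair matches a static binding or a DHCP-snooping binding, static entries win when they conflict with dynamic ones, and more than 2,048 entries added from the FortiGate are refused. The port names and addresses are constructed, and the assumption that only static entries count toward the 2,048 limit is the example's own.

```python
from dataclasses import dataclass, field

MAX_STATIC_ENTRIES = 2048  # limit stated for entries added from a FortiGate unit


@dataclass
class Binding:
    ip: str
    mac: str
    static: bool  # True: from 'config binding-entry'; False: learned through DHCP snooping


@dataclass
class GuardedPort:
    name: str
    enabled: bool = False  # 'set ip-source-guard enable' on the port; disabled by default
    bindings: list = field(default_factory=list)


class Ipv4SourceGuard:
    """In-memory model of the per-port IPv4 source guard table (constructed example)."""

    def __init__(self):
        self.ports = {}

    def _port(self, name):
        return self.ports.setdefault(name, GuardedPort(name))

    def enable(self, port):
        self._port(port).enabled = True

    def static_entry_count(self):
        # Assumption: only entries pushed from the FortiGate config count toward the limit.
        return sum(1 for p in self.ports.values() for b in p.bindings if b.static)

    def add_static(self, port, ip, mac):
        """Equivalent of 'config ip-source-guard / edit <port> / config binding-entry'."""
        if self.static_entry_count() >= MAX_STATIC_ENTRIES:
            raise ValueError(f"more than {MAX_STATIC_ENTRIES} IP source guard entries")
        p = self._port(port)
        # Static entries take precedence: drop any dynamic entry for the same IP.
        p.bindings = [b for b in p.bindings if b.static or b.ip != ip]
        p.bindings.append(Binding(ip, mac.lower(), static=True))

    def learn_dynamic(self, port, ip, mac):
        """Entry learned through DHCP snooping; ignored when a static entry already owns the IP."""
        p = self._port(port)
        if any(b.static and b.ip == ip for b in p.bindings):
            return False
        p.bindings.append(Binding(ip, mac.lower(), static=False))
        return True

    def allows(self, port, src_ip, src_mac):
        """Decide whether a frame with this source IP/MAC may enter the port."""
        p = self.ports.get(port)
        if p is None or not p.enabled:
            return True  # source guard not enabled on this port: nothing is filtered
        return any(b.ip == src_ip and b.mac == src_mac.lower() for b in p.bindings)
```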

Configuring FortiSwitch split ports (phy-mode) in FortiLink mode

On some FortiSwitch models that provide QSFP (quad small form-factor pluggable) interfaces, you can install a
breakout cable to convert one interface into four interfaces. See the list of supported FortiSwitch models in the notes in
this section.
FortiLink mode supports the FortiSwitch split-port configuration:
l Configuring split ports on a previously discovered FortiSwitch unit on page 77
l Configuring split ports with a new FortiSwitch unit on page 78
l Configuring a split port on the FortiSwitch unit on page 78

Notes

l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l Split ports are not configured for pre-configured FortiSwitch units.
l Splitting ports is supported on the following FortiSwitch models:
o FS-3032D (ports 5 to 28 are splittable)

o FS-3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
o FS-524D and FS-524D-FPOE (ports 29 and 30 are splittable)

o FS-548D and FS-548D-FPOE (ports 53 and 54 are splittable)

o FS-1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G. In the 6 x 40G
configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the FS-3032D, FS-3032E, and
the FS-1048E models have enough ports to encounter this limit.

Configuring split ports on a previously discovered FortiSwitch unit

1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 78.
2. Restart the FortiSwitch unit.

FortiSwitch 6.4.3 Managed by FortiOS 6.4 77


Fortinet, Inc.
Configuring FortiSwitch VLANs and ports

3. Remove the FortiSwitch from being managed:
config switch-controller managed-switch
delete <FortiSwitch_serial_number>
end
4. Discover the FortiSwitch unit.
5. Authorize the FortiSwitch unit.

Configuring split ports with a new FortiSwitch unit

1. Discover the FortiSwitch unit.
2. Authorize the FortiSwitch unit.
3. Restart the FortiSwitch unit.
4. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 78.
5. Restart the FortiSwitch unit.
6. Remove the FortiSwitch from being managed:
config switch-controller managed-switch
delete <FortiSwitch_serial_number>
end
7. Discover the FortiSwitch unit.
8. Authorize the FortiSwitch unit.

Configuring a split port on the FortiSwitch unit

Use the following commands to configure a split port:

config switch phy-mode
set port-configuration <default | disable-port54 | disable-port41-48 | 4x100G | 6x40G>
set <port_name>-phy-mode <1x40G | 4x10G>
...
(one entry for each port that supports split port)
end

The following settings are available:
l disable-port54—For 548D and 548D-FPOE, only port 53 is splittable; port 54 is unavailable.
l disable-port41-48—For 548D and 548D-FPOE, ports 41 to 48 are unavailable, but you can configure ports
53 and 54 in split-port mode.
l 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
l 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.
In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:
config switch phy-mode
set port5-phy-mode 1x40G
set port6-phy-mode 1x40G
set port7-phy-mode 1x40G
set port8-phy-mode 1x40G
set port9-phy-mode 1x40G
set port10-phy-mode 4x10G
set port11-phy-mode 1x40G
set port12-phy-mode 1x40G
set port13-phy-mode 1x40G
set port14-phy-mode 4x10G
set port15-phy-mode 1x40G
set port16-phy-mode 1x40G
set port17-phy-mode 1x40G
set port18-phy-mode 1x40G
set port19-phy-mode 1x40G
set port20-phy-mode 1x40G
set port21-phy-mode 1x40G
set port22-phy-mode 1x40G
set port23-phy-mode 1x40G
set port24-phy-mode 1x40G
set port25-phy-mode 1x40G
set port26-phy-mode 1x40G
set port27-phy-mode 1x40G
set port28-phy-mode 4x10G
end

The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of configuration
on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y

To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port
edit "port1"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port2"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port3"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port4"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port5.1"
set speed 10000full
next
edit "port5.2"
set speed 10000full
next
edit "port5.3"
set speed 10000full
next
edit "port5.4"
set speed 10000full
next
end
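The notes above give the arithmetic behind the "only 10 QSFP ports can be split" statement without showing it; the following added Python helper (not Fortinet code) makes it explicit and generates the `config switch phy-mode` stanza for a chosen set of ports, refusing ports that are not splittable or splits that would exceed the 64-port software limit. The splittable ranges come from the notes; the front-panel port counts for the 524D and 548D are assumed from the model names.

```python
MAX_SOFTWARE_PORTS = 64   # limit stated above, including the management port
MANAGEMENT_PORTS = 1
SPLIT_FACTOR = 4          # one QSFP port becomes four (4x10G or 4x25G)

# Model -> (number of front-panel ports, splittable ports), from the notes in this section.
# Assumption: the 524D has 30 front-panel ports and the 548D has 54.
MODELS = {
    "FS-3032D": (32, range(5, 29)),
    "FS-524D": (30, (29, 30)),
    "FS-548D": (54, (53, 54)),
}


def max_splittable(front_panel_ports):
    """How many ports can be split before the 64-port software limit is hit.
    A split replaces one port with four, a net gain of three ports."""
    headroom = MAX_SOFTWARE_PORTS - (front_panel_ports + MANAGEMENT_PORTS)
    return headroom // (SPLIT_FACTOR - 1)


def port_count_after_split(front_panel_ports, n_split):
    """Total ports seen by software once n_split ports are split."""
    return front_panel_ports + MANAGEMENT_PORTS + n_split * (SPLIT_FACTOR - 1)


def plan_phy_mode(model, split_ports, split_mode="4x10G", whole_mode="1x40G"):
    """Return the CLI stanza with one entry per splittable port, as the text describes,
    or raise ValueError when a port is not splittable or the limit would be exceeded."""
    front, splittable = MODELS[model]
    splittable = list(splittable)
    bad = [p for p in split_ports if p not in splittable]
    if bad:
        raise ValueError(f"{model}: port(s) {bad} are not splittable")
    if len(split_ports) > max_splittable(front):
        raise ValueError(
            f"{model}: splitting {len(split_ports)} ports gives "
            f"{port_count_after_split(front, len(split_ports))} ports, "
            f"over the {MAX_SOFTWARE_PORTS}-port software limit")
    lines = ["config switch phy-mode"]
    for p in splittable:
        mode = split_mode if p in split_ports else whole_mode
        lines.append(f"set port{p}-phy-mode {mode}")
    lines.append("end")
    return "\n".join(lines)


def split_port_names(port):
    """Names of the logical ports that replace a split port (port5 -> port5.1 ... port5.4)."""
    return [f"port{port}.{i}" for i in range(1, SPLIT_FACTOR + 1)]
```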

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as
multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication,
security policies, routing, and VPN configurations.
FortiSwitch ports can now be shared between VDOMs.
Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:
l POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
l Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this
feature)
l QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
l Port security policy

The following example shows how to share FortiSwitch ports between VDOMs:

1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the
GUI):

FG5H0E3917900081 (bbb) #
config system interface
edit "bbb-vlan99"
set vdom "bbb"
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 58
set switch-controller-dhcp-snooping enable
set interface "flink-lag" // this is the FortiLink interface in the root VDOM
set vlanid 99
next
end

config switch-controller global
set default-virtual-switch-vlan "bbb-vlan99"
end

2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

FG5H0E3917900081 (vdom) # edit root
current vf=root:0
FG5H0E3917900081 (root) # config switch-controller managed-switch
FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276
FG5H0E3917900081 (S548DF4K15000276) # config ports
FG5H0E3917900081 (ports) # edit port10
FG5H0E3917900081 (port10) # set export-to bbb

If you want to use the virtual-pool feature instead:

FG5H0E3917900081 (root) # config switch-controller virtual-port-pool
edit "bbb-pool"
set description "bbb-vlan-pool"
end

FG5H0E3917900081 (root) # config switch-controller managed-switch
FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276
FG5H0E3917900081 (S548DF4K15000276) # config port
FG5H0E3917900081 (ports) # edit port11
FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM
yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM
administrator claim them before they are used.)

FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11
FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.
FG5H0E3917900081 (managed-switch) # show
config switch-controller managed-switch
edit "S548DF4K15000276"
set poe-detection-type 1
set type virtual
set owner-vdom "root"
config ports
edit "port10"
set poe-capable 1
set vlan "bbb-vlan99"
next
edit "port11"
set poe-capable 1
set vlan "bbb-vlan99"
next
end
next
end

4. Check your configuration on the root VDOM:

FG5H0E3917900081 (port10) # show
config ports
edit "port10"
set poe-capable 1
set export-to "bbb"
next
end

FG5H0E3917900081 (port11) # show
config ports
edit "port11"
set poe-capable 1
set export-to-pool "bbb-pool"
set export-to "bbb"
next
end

5. Check your configuration on the tenant VDOM:

FG5H0E3917900081 (ports) # show
config ports
edit "port10"
set poe-capable 1
set vlan "bbb-vlan99"
next
edit "port11"
set poe-capable 1
set vlan "bbb-vlan99"
next
end

You can create your own export tags using the following CLI commands:
config switch-controller switch-interface-tag
edit <tag_name>
end

Use the following CLI command to list the contents of a specific VPP:
execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:
execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:
l LLDP
l STP
l BPDU guard
l Root guard
l DHCP snooping
l IGMP snooping
l MCLAG
l Quarantines
NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to
exit/abort and then re-enter into the FortiSwitch CLI port configuration.

Restricting the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or
allows all frames access to the port. By default, all frames have access to each FortiSwitch port.
Use the following CLI commands:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set discard-mode <none | all-tagged | all-untagged>
next
end
next
end

Configuring switching features

This section covers the following features:
l Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 83
l Configuring edge ports on page 84
l Configuring loop guard on page 85
l Configuring STP settings on page 85
l Dynamic MAC address learning on page 91
l Configuring storm control on page 94
l Configuring IGMP-snooping settings on page 95
l Configuring PTP transparent-clock mode on page 96

Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following
features:
l DHCP Snooping—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example,
typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To
prevent this, DHCP blocking filters messages on untrusted ports.
l Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network
topology.
l Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects.
Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its
subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP
rather than as a replacement for STP.
l STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard
is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes.
The BPDUs are not forwarded, and the network edge is enforced.
l STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When
enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root
guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause
your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured
device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By
enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce
the specified network topology.
STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set edge-port {enable | disable}
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set edge-port enable
end
end

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard
helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is
disabled on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120 minutes>
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set loop-guard enabled
set loop-guard-timeout 10
end
end

Configuring STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free
layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q
standard.
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree
Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP,
so it provides fast recovery from network faults and fast convergence times.

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings
set name <name>
set revision <stp revision>
set hello-time <hello time>
set forward-time <forwarding delay>
set max-age <maximum aging time>
set max-hops <maximum number of hops>
end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch
edit <switch-id>
config stp-settings
set local-override enable
end
end

To configure MSTP instances:

config switch-controller stp-instance
edit <id>
config vlan-range <list of VLAN names>
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config stp-instance
edit <id>
set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 |
36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>
next
end
next
end

For example:
config switch-controller stp-instance
edit 1
config vlan-range vlan1 vlan2 vlan3
end
config switch-controller managed-switch
edit S524DF4K15000024
config stp-instance
edit 1
set priority 16384
next
end
next
end

Configuring STP on FortiSwitch ports

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed
FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
Use the following commands to enable or disable STP on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-state {enabled | disabled}
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end

To check the STP configuration on a FortiSwitch, use the following command:
diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:
FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port3            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port4            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port5            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port6            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port7            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port8            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port9            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port10           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port11           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port12           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port13           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port14           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port15           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port16           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port17           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port18           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port19           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port20           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port21           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port22           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port23           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port25           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port26           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port27           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port28           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port29           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port30           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
internal         1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
__FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-root-guard {enabled | disabled}
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
l You must define the port as an edge port with the set edge-port enable command.
l You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received, up to a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have to manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled - 10 0 -
port2 disabled - - - -
port3 disabled - - - -
port4 disabled - - - -
port5 disabled - - - -
port6 disabled - - - -
port7 disabled - - - -
port8 disabled - - - -
port9 disabled - - - -
port10 disabled - - - -
port11 disabled - - - -
port12 disabled - - - -
port13 disabled - - - -
port14 disabled - - - -
port15 disabled - - - -
port16 disabled - - - -
port17 disabled - - - -
port18 disabled - - - -
port19 disabled - - - -
port20 disabled - - - -
port21 disabled - - - -
port22 disabled - - - -
port23 disabled - - - -
port25 disabled - - - -
port26 disabled - - - -
port27 disabled - - - -
port28 disabled - - - -
port29 disabled - - - -
port30 disabled - - - -
__FoRtI1LiNk0__ disabled - - - -
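The two diagnostic tables shown above (the STP port table and the BPDU guard status table) are what an operator would pull when auditing edge ports. The following added Python example (not Fortinet code) parses both in the format printed above and flags the two conditions this section warns about: an edge port that is forwarding with STP disabled, where BPDU guard cannot apply because `set stp-state enabled` is a prerequisite, and a BPDU-guard port that has counted received BPDUs. The sample outputs are constructed; the `triggered` status word and the Last-Event value are assumptions, since the page only shows idle ports.

```python
# Constructed sample of the port table printed by
# 'diagnose switch-controller switch-info stp <serial> 0' (format as shown above;
# the port2/port3 rows are constructed to show non-idle values).
STP_SAMPLE = """\
Port Speed Cost Priority Role State Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1 - 200000000 128 DISABLED DISCARDING YES ENABLED NO
port2 1G 20000 128 DESIGNATED FORWARDING YES ENABLED NO
port3 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO
internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO
__FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO
"""

# Constructed sample of 'diagnose switch-controller switch-info bpdu-guard-status <serial>'.
# Assumption: a port that has seen BPDUs shows a non-'-' Status and a Last-Event timestamp.
BPDU_SAMPLE = """\
Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled - 10 0 -
port2 enabled triggered 10 3 2021-03-01T10:15:00
port3 disabled - - - -
"""


def _rows(text, n_fields, header_word):
    """Yield whitespace-split data rows, skipping the header and the underline row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != n_fields or f[0] == header_word or f[0].startswith("_" * 5):
            continue
        yield f


def parse_stp_ports(text):
    """Map port name -> parsed columns of the STP port table."""
    rows = {}
    for f in _rows(text, 9, "Port"):
        rows[f[0]] = {
            "speed": f[1], "cost": int(f[2]), "priority": int(f[3]),
            "role": f[4], "state": f[5], "edge": f[6] == "YES",
            "stp_enabled": f[7] == "ENABLED", "loop_protection": f[8] == "YES",
        }
    return rows


def parse_bpdu_guard(text):
    """Map port name -> parsed columns of the BPDU guard status table ('-' means unset)."""
    rows = {}
    for f in _rows(text, 6, "Portname"):
        rows[f[0]] = {
            "enabled": f[1] == "enabled", "status": f[2],
            "timeout_min": None if f[3] == "-" else int(f[3]),
            "count": 0 if f[4] == "-" else int(f[4]), "last_event": f[5],
        }
    return rows


# STP is not used toward the FortiGate in FortiLink mode, so these ports are expected
# to show STP disabled and are excluded from the review.
FORTILINK_PORTS = ("internal",)


def review_edge_ports(stp_rows, bpdu_rows):
    """Return (port, reason) pairs that deserve a closer look."""
    findings = []
    for name, r in stp_rows.items():
        if name in FORTILINK_PORTS or name.startswith("__"):
            continue
        if r["edge"] and r["state"] == "FORWARDING" and not r["stp_enabled"]:
            findings.append((name, "edge port forwarding with STP disabled; BPDU guard cannot apply"))
    for name, r in bpdu_rows.items():
        if r["enabled"] and r["count"] > 0:
            findings.append((name, f"BPDU guard triggered {r['count']} time(s), last {r['last_event']}"))
    return findings
```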

Configuring interoperation with per-VLAN RSTP

Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The
existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By
default, interoperation with RPVST+ is disabled.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region
duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+
domain.

In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within MSTP region.

l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.

In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.

To configure interoperation with RPVST+:

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set rpvst-port {enabled | disabled}
next
end
end

For example:
FGT-1 (testvdom) # config switch-controller managed-switch
FGT-1 (managed-switch) # edit FS3E32T419000006
FGT-1 (FS3E32T419000006) # config ports
FGT-1 (ports) # edit port5
FGT-1 (port5) # set rpvst-port enabled
FGT-1 (port5) # next
FGT-1 (ports) # end

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

For example:
diagnose switch-controller switch-info rpvst FS3E32T419000006 port5

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are
flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming
packet with an unknown MAC address (to drop or forward the packet).

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1
to 128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:
config switch vlan
edit <integer>
set switch-controller-learning-limit <limit>
end
end

For example:
config switch vlan
edit 100
set switch-controller-learning-limit 20
end
end

Use the following CLI commands to limit MAC address learning on a port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set learning-limit <limit>
next
end
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set learning-limit 50
next
end
end
end

Controlling how long learned MAC addresses are saved

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after
300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value
ranges from 10 to 1,000,000 seconds. Set the value to 0 to disable MAC address aging.
config switch-controller global
set mac-aging-interval <10 to 1000000>
end

For example:
config switch-controller global
set mac-aging-interval 500
end

If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed
from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from
0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are
deleted.
config switch-controller global
set mac-retention-period <0 to 168>
end

For example:
config switch-controller global
set mac-retention-period 36
end

Logging violations of the MAC address learning limit

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the
system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the
most recent 128 violations are displayed in the console.
Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses
are saved:
config switch-controller global
set mac-violation-timer <0-1500>
set log-mac-limit-violations {enable | disable}
end

For example:
config switch-controller global
set mac-violation-timer 1000
set log-mac-limit-violations enable
end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following
commands:
l diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
l diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
l diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>
For example, to view the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:
diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
l execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
l execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
l execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>
For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:
execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set sticky-mac {enable | disable}
next
end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following commands to save persistent MAC addresses for a specific interface or all interfaces:
execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_serial_number>
execute switch-controller switch-action delete sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

Logging changes to MAC addresses

Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:
config switch-controller global
set mac-event-logging enable
end

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a
LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of
traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed
switches, use the following FortiOS CLI commands:
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end

To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the
storm-control policy and then assign the storm-control policy to the FortiSwitch port.
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set storm-control-policy <storm_control_policy_name>
next
end

For example:
config switch-controller storm-control-policy
edit stormpol1
set description "storm control policy for port 5"
set storm-control-mode override
set rate 1000
set unknown-unicast enable
set unknown-multicast enable
set broadcast enable
next
end

config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set storm-control-policy stormpol1
next
end
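The resolution rule described above (a port uses its storm-control policy only when that policy is in override mode, and otherwise falls back to the global setting) is easy to get wrong when auditing a large configuration. The following is an added example, not Fortinet code: a small parser for the FortiOS CLI syntax used in this guide (config / edit / set / next / end), a resolver that works out which storm-control settings actually apply to each port, and a check of constructed per-second counters against them. The configuration text, the switch and port names, and the counters are constructed for this example.

```python
"""Added example (not Fortinet code): parse FortiOS-style CLI config text,
resolve the effective storm-control settings per port, and check sample
packet rates against them. All input below is constructed."""
import shlex

# Constructed configuration in the same syntax as the page's example:
# a global setting, one override policy, and a switch with two ports.
SAMPLE_CONFIG = """\
config switch-controller storm-control
    set rate 500
    set unknown-unicast disable
    set unknown-multicast disable
    set broadcast disable
end
config switch-controller storm-control-policy
    edit stormpol1
        set description "storm control policy for port 5"
        set storm-control-mode override
        set rate 1000
        set unknown-unicast enable
        set unknown-multicast enable
        set broadcast enable
    next
end
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port5
                set storm-control-policy stormpol1
            next
            edit port6
            next
        end
    next
end
"""

TRAFFIC_CLASSES = ("unknown-unicast", "unknown-multicast", "broadcast")


def parse_fortios_config(text):
    """Parse config/edit/set/next/end into nested dicts.
    'config X' and 'edit Y' open a nested dict; 'set K V' stores a value;
    'next' and 'end' close the innermost level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            name = " ".join(args)
            stack.append(stack[-1].setdefault(name, {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def effective_storm_control(cfg, switch_id, port):
    """Return the settings that apply to a port: the port's policy if that
    policy is in override mode, otherwise the global storm-control setting."""
    ports = cfg["switch-controller managed-switch"][switch_id]["ports"]
    policy_name = ports.get(port, {}).get("storm-control-policy")
    source, settings = "global", cfg["switch-controller storm-control"]
    if policy_name:
        policy = cfg["switch-controller storm-control-policy"][policy_name]
        if policy.get("storm-control-mode") == "override":
            source, settings = policy_name, policy
    return {
        "source": source,
        "rate": int(settings.get("rate", 500)),   # packets/sec; 0 drops everything
        "drop": {cls: settings.get(cls) == "enable" for cls in TRAFFIC_CLASSES},
    }


def storm_check(effective, counters):
    """Given per-class packets/sec, return the classes the port would drop."""
    rate = effective["rate"]
    return sorted(cls for cls, pps in counters.items()
                  if effective["drop"].get(cls) and (rate == 0 or pps > rate))


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for port in ("port5", "port6"):
        eff = effective_storm_control(cfg, "S524DF4K15000024", port)
        print(port, eff["source"], storm_check(eff, {"broadcast": 1500}))
```

Running it shows that port5 drops the 1500 pps broadcast burst under stormpol1, while port6 inherits the global setting in which no traffic class is marked for dropping, so the same burst passes.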

Configuring IGMP-snooping settings

You need to configure global IGMP-snooping settings and then configure IGMP-snooping settings on a FortiSwitch unit.

Configure global IGMP-snooping settings

Use the following commands to configure the global IGMP-snooping settings.
Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer
value from 15 to 3600. The default value is 300.
Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.
config switch-controller igmp-snooping
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
end

Configure IGMP-snooping settings on a switch

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network
traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving
each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from
links that do not contain a multicast listener.
NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and
igmps-flood-traffic options are disabled by default.
Use the following commands to configure IGMP settings on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set igmps-flood-reports {enable | disable}
set igmps-flood-traffic {enable | disable}
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set igmps-flood-reports enable
set igmps-flood-traffic enable
end
end

Configuring PTP transparent-clock mode

Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a
network to improve the time precision. There are two transparent-clock modes:
- End-to-end measures the path delay for the entire path.
- Peer-to-peer measures the path delay between each pair of nodes.
Use the following steps to configure PTP transparent-clock mode:
1. Configure the global PTP settings. By default, PTP is disabled.
2. Enable the PTP policy. By default, the PTP policy is enabled.
3. Apply the PTP policy to a port.
NOTE: PTP policies are hidden on virtual ports.

To configure the global PTP settings:
config switch-controller ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end

To enable the PTP policy:
config switch-controller ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end

To apply the PTP policy to a port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set ptp-policy {default | <policy_name>}
end
end

For example:
config switch-controller ptp settings
set mode transparent-p2p
end

config switch-controller ptp policy
edit ptppolicy1
set status enable
next
end

config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set ptp-policy ptppolicy1
end
end

Device detection

This section covers the following topics:

- Enabling network-assisted device detection on page 98
- Configuring IoT detection on page 102
- Configuring LLDP-MED settings on page 103
- Voice device detection on page 98

Enabling network-assisted device detection

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by
the managed FortiSwitch unit.
To enable network-assisted device detection on a VDOM:
config switch-controller network-monitor-settings
set network-monitoring enable
end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in
the CLI, enter the following command:
diagnose user device list

Voice device detection

FortiSwitch is able to parse LLDP messages from voice devices such as FortiFone, and pass this information to
FortiGate for device detection. You can use FortiSwitch NAC policies to assign a device to an LLDP profile, QoS policy,
and VLAN policy. When a detected device is matched to a NAC policy, the corresponding policy actions will be applied
on the switch port.

Example

In the following example, FortiFone is connected to port11 of FortiSwitch. A NAC policy is created to apply a VLAN
policy, LLDP policy, and QoS policy to Device Family FortiFone.

To create a FortiSwitch NAC policy in the GUI:

1. Configure a NAC policy on a switch port. See FortiSwitch network access control on page 109.
2. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
3. Create or edit a NAC policy.
4. Set the Category to Device.
5. Enable Device family, and enter a name such as FortiFone.
6. Select Apply Port Specific Settings.
7. Enable LLDP profile, and select a voice profile from the dropdown.
8. Enable QoS policy, and select a voice policy from the dropdown.
9. Enable VLAN policy, and select a voice policy from the dropdown.
10. Click OK.


The NAC policy is applied after a FortiFone is plugged into port11 of the FortiSwitch:

To create a FortiSwitch NAC policy in the CLI:

1. Assign the FortiFone to a VLAN policy, LLDP policy, and QoS Policy.
config user nac-policy
edit "FortiFone"
set family "FortiFone"
set switch-fortilink "fortilink"
set switch-port-policy "FortiFone"
next
end
config switch-controller port-policy
edit "FortiFone"
set fortilink "fortilink"
set lldp-profile "fortivoice.fortilink"
set qos-policy "voice-qos"
set vlan-policy "fortiFone"
next
end
config switch-controller vlan-policy
edit "fortiFone"
set fortilink "fortilink"
set vlan "voice"
next
end
config switch-controller lldp-profile
edit "fortivoice.fortilink"
set med-tlvs inventory-management network-policy location-identification
set auto-isl disable
config med-network-policy
edit "voice"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "voice-signaling"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "guest-voice"
next
edit "guest-voice-signaling"
next
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"
next
edit "video-signaling"
next
end
next
end
config switch-controller qos qos-policy
edit "voice-qos"
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
set queue-policy "voice-egress"
next
end
2. FortiSwitch receives an LLDP message from FortiFone after it is plugged into port11.
3. Run diagnose switch-controller switch-info to check the device information on FortiGate. The
FortiFone is identified.
# diagnose switch-controller switch-info lldp neighbors-detail S124EP5918000276 port11
Vdom: root
Managed Switch : S124EP5918000276 0

Capability codes:
R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device
W:WLAN Access Point, P:Repeater, S:Station, O:Other

MED TLV Capability codes:
C:Capabilities, P:Network Policies, L:Location, S:MDI PSE
D:MDI PD, I:Inventory

_______________________________________________________________
Neighbor learned on port port11 by LLDP protocol
Last change 20 seconds ago
Last packet received 20 seconds ago

Chassis ID: 169.254.15.3 (ip)
System Name: FON-675i
System Description:
:14.0.0.1.r4

Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 169.254.15.3

Port ID: 70:4c:a5:e2:6b:b2 (mac)
Port description: WAN Port 10M/100M/1000M
IEEE802.3, Power via MDI:
Power devicetype: PD
PSE MDI Power: Not Supported
PSE MDI Power Enabled: No
PSE Pair Selection: Can not be controlled
PSE power pairs: Signal
Power class: 1 (class-0)
Power type: 802.3at off
Power source: Unknown
Power priority: Unknown
Power requested: 0.0W
Power allocated: 0.0W
LLDP-MED, Network Policies:
voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46
voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46
streaming-video: VLAN: 256 (untagged), Priority: 0 DSCP: 46

# diagnose user device list
hosts
vd root/0  70:4c:a5:e2:6b:b2  gen 5  req OUA/34
created 3522s  gen 3  seen 24s  onboarding  gen 2
hardware vendor 'Fortinet'  src lldp weight 128
type 'IP Phone'  src lldp  id 1523  weight 128
family 'FortiFone'  src lldp  id 1523  weight 128
host 'FON-675i'  src lldp
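The two diagnose outputs above show the chain the example relies on: LLDP fields from the phone become a device family, and the NAC device policy keyed on that family selects the port policy. The following is an added example, not Fortinet code, that makes that chain explicit: it parses the text of a neighbors-detail output into a dict, derives a device family from it, and evaluates a list of NAC device policies against the result. The sample output and the policies are constructed (modeled on the example above); the family-classification rule and the first-match evaluation order are assumptions for illustration, not FortiOS's internal logic.

```python
"""Added example (not Fortinet code): parse `diagnose switch-controller
switch-info lldp neighbors-detail` text, classify the neighbor, and match
it against constructed NAC device policies."""
import re

# Constructed sample, modeled on the neighbors-detail output shown above.
SAMPLE_NEIGHBOR_OUTPUT = """\
Neighbor learned on port port11 by LLDP protocol
Last change 20 seconds ago
Last packet received 20 seconds ago

Chassis ID: 169.254.15.3 (ip)
System Name: FON-675i
System Description:
:14.0.0.1.r4

Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 169.254.15.3

Port ID: 70:4c:a5:e2:6b:b2 (mac)
Port description: WAN Port 10M/100M/1000M
LLDP-MED, Network Policies:
voice: VLAN: 256 (untagged), Priority: 0 DSCP: 46
voice-signaling: VLAN: 256 (untagged), Priority: 0 DSCP: 46
"""

# Output label -> key in the parsed dict.
FIELDS = {
    "Chassis ID": "chassis_id",
    "System Name": "system_name",
    "System Capabilities": "capabilities",
    "MED type": "med_type",
    "Management IP Address": "mgmt_ip",
    "Port ID": "port_id",
}
POLICY_RE = re.compile(
    r"^(\S+): VLAN: (\d+) \((tagged|untagged)\), Priority: (\d+) DSCP: (\d+)$")


def parse_neighbor(text):
    """Return the interesting LLDP fields and the advertised MED network policies."""
    info = {"policies": {}}
    m = re.search(r"Neighbor learned on port (\S+)", text)
    if m:
        info["port"] = m.group(1)
    for raw in text.splitlines():
        line = raw.strip()
        pm = POLICY_RE.match(line)
        if pm:
            info["policies"][pm.group(1)] = {
                "vlan": int(pm.group(2)), "tagging": pm.group(3),
                "priority": int(pm.group(4)), "dscp": int(pm.group(5))}
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            # FortiOS appends the ID type, e.g. "(ip)" or "(mac)"; drop it.
            info[FIELDS[key.strip()]] = re.sub(r"\s*\((ip|mac)\)$", "", value.strip())
    return info


def classify(info):
    """Assumed classification rule (not FortiOS's): a neighbor that advertises
    the Telephone capability and a FON- system name is treated as a FortiFone."""
    is_phone = "T" in info.get("capabilities", "")
    if is_phone and info.get("system_name", "").startswith("FON-"):
        return {"hw_vendor": "Fortinet", "type": "IP Phone", "family": "FortiFone"}
    if is_phone:
        return {"hw_vendor": None, "type": "IP Phone", "family": None}
    return {"hw_vendor": None, "type": None, "family": None}


# Constructed NAC device policies; only the criteria a policy sets are compared,
# and the first enabled match wins (evaluation order is an assumption).
NAC_POLICIES = [
    {"name": "FortiFone", "status": "enable", "category": "device",
     "match": {"family": "FortiFone"}, "switch-port-policy": "FortiFone"},
    {"name": "Printers", "status": "disable", "category": "device",
     "match": {"type": "Printer"}, "switch-port-policy": "printer-policy"},
]


def match_nac_policy(device, policies=NAC_POLICIES):
    """Return the name of the first enabled device policy whose criteria all match."""
    for pol in policies:
        if pol["status"] != "enable" or pol["category"] != "device":
            continue
        if all(device.get(k) == v for k, v in pol["match"].items()):
            return pol["name"]
    return None


if __name__ == "__main__":
    neighbor = parse_neighbor(SAMPLE_NEIGHBOR_OUTPUT)
    device = classify(neighbor)
    print(neighbor["port"], neighbor["port_id"], device, match_nac_policy(device))
```

A disabled policy is skipped even if its criteria match, which is the behaviour a defender should verify when a device lands on the onboarding VLAN instead of the intended voice VLAN.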

Configuring IoT detection

NOTE: This feature requires an IoT Detection Service license.


Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of Things (IoT) devices.
FortiOS can use the identified devices for storage and display. You can use the FortiOS CLI to configure IoT detection.
Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than
the iot-weight-threshold value, the MAC address is scanned. The default value is 1. Set the iot-weight-threshold
value to 0 to disable IoT detection.
You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 10,080 minutes. By
default, the scan interval is 60 minutes. Every MAC address will be scanned for a time interval of 60 minutes followed by
60 minutes when it will not be scanned. The start time of every MAC address's 60-minute scan interval is unique. Set
the iot-scan-interval value to 0 to disable IoT detection.

A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes
before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes
is 5. The range of values is 0 to 10,080 minutes. Set the iot-holdoff value to 0 to disable this setting.

If a MAC address entry's last-seen time is greater than the iot-mac-idle value, the MAC address entry is not
considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to
10,080 minutes.

To configure system-wide settings for IoT detection:

config switch-controller system
set iot-weight-threshold <0-255>
set iot-scan-interval <2-10080>
set iot-holdoff <0-10080>
set iot-mac-idle <0-10080>
end
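The four settings above interact: a MAC entry is sent to the FortiGuard service only if its confidence is below the weight threshold, it has not gone idle, it has been seen for longer than the hold-off, and it is currently inside its scan window. The following is an added example, not Fortinet code, that models that gating for a constructed MAC table so the effect of each setting can be seen on its own. The entries and timestamps are constructed, and the order in which FortiOS applies these checks internally is an assumption.

```python
"""Added example (not Fortinet code): model of the IoT-detection gating
described in the text, applied to a constructed MAC table."""
from dataclasses import dataclass


@dataclass
class IoTSettings:
    """Mirrors config switch-controller system; all times in minutes."""
    iot_weight_threshold: int = 1      # 0 disables IoT detection
    iot_scan_interval: int = 60        # 0 disables IoT detection
    iot_holdoff: int = 5               # 0 disables the hold-off
    iot_mac_idle: int = 1440


@dataclass
class MacEntry:
    mac: str
    confidence: int      # identification confidence already assigned to the MAC
    first_seen: int      # minute at which the switch first learned the MAC
    last_seen: int       # minute at which the switch last saw the MAC
    scan_offset: int     # unique start of this MAC's scan window (assumed per-MAC)


def in_scan_window(entry, now, settings):
    """Each MAC alternates iot_scan_interval minutes of scanning with the same
    duration of not scanning, starting from its own offset."""
    period = settings.iot_scan_interval
    return ((now - entry.scan_offset) % (2 * period)) < period


def iot_decision(entry, now, settings):
    """Return why a MAC is, or is not, sent for IoT identification at minute `now`."""
    if settings.iot_weight_threshold == 0 or settings.iot_scan_interval == 0:
        return "detection-disabled"
    if entry.confidence >= settings.iot_weight_threshold:
        return "already-confident"          # only low-confidence MACs are scanned
    if now - entry.last_seen > settings.iot_mac_idle:
        return "idle"                       # entry aged past iot-mac-idle
    if settings.iot_holdoff and now - entry.first_seen <= settings.iot_holdoff:
        return "holdoff"                    # not seen for long enough yet
    if not in_scan_window(entry, now, settings):
        return "outside-scan-window"
    return "query"


def evaluate_table(entries, now, settings=IoTSettings()):
    """Map each MAC to its decision; settings default to the FortiOS defaults."""
    return {e.mac: iot_decision(e, now, settings) for e in entries}


# Constructed MAC table; "now" is minute 3000 on the same clock.
SAMPLE_ENTRIES = [
    MacEntry("00:11:22:33:44:01", confidence=0, first_seen=10, last_seen=2990, scan_offset=2950),
    MacEntry("00:11:22:33:44:02", confidence=5, first_seen=10, last_seen=2990, scan_offset=2950),
    MacEntry("00:11:22:33:44:03", confidence=0, first_seen=2998, last_seen=3000, scan_offset=2950),
    MacEntry("00:11:22:33:44:04", confidence=0, first_seen=0, last_seen=1000, scan_offset=2950),
    MacEntry("00:11:22:33:44:05", confidence=0, first_seen=10, last_seen=2990, scan_offset=2900),
]

if __name__ == "__main__":
    for mac, decision in evaluate_table(SAMPLE_ENTRIES, now=3000).items():
        print(mac, decision)
```

Only the first entry is queried; the others are held back by the confidence, hold-off, idle and scan-window rules respectively, and setting either iot-weight-threshold or iot-scan-interval to 0 turns the whole feature off.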

Starting in FortiOS 6.4.3, IoT detection can be managed per FortiLink interface as well. IoT detection is disabled by
default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so that
the FortiSwitch unit starts scanning for IoT devices.

Using the GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Enable IoT scanning.

Using the CLI:

config system interface
edit <FortiLink_interface>
set switch-controller-iot-scanning enable
end

Configuring LLDP-MED settings

Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this
feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both
FortiOS and FortiSwitchOS for this feature to work.

To configure LLDP profiles in FortiOS:

config switch-controller lldp-profile
edit <profile_name>
set med-tlvs (inventory-management | network-policy | power-management | location-identification)
set 802.1-tlvs port-vlan-id
set 802.3-tlvs {max-frame-size | power-negotiation}
set auto-isl {enable | disable}
set auto-isl-hello-timer <1-30>
set auto-isl-port-group <0-9>
set auto-isl-receive-timeout <3-90>
config med-network-policy
edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
set status {enable | disable}
set vlan-intf <string>
set priority <0-7>
set dscp <0-63>
next
end
config med-location-service
edit {address-civic | coordinates | elin-number}
set status {enable | disable}
set sys-location-id <string>
next
end
config custom-tlvs
edit <TLV_name>
set oui <hexadecimal_number>
set subtype <0-255>
set information-string <0-507>
next
end
next
end

Variable                                    Description

<profile_name>                              The name of the LLDP profile.

med-tlvs (inventory-management |            Select which LLDP-MED type-length-value descriptions (TLVs) to transmit:
network-policy | power-management |         inventory-management TLVs, network-policy TLVs, power-management
location-identification)                    TLVs for PoE, and location-identification TLVs. You can select one or more
                                            options. Separate multiple options with a space.

802.1-tlvs port-vlan-id                     Transmit the IEEE 802.1 port native-VLAN TLV.

802.3-tlvs {max-frame-size |                Select whether to transmit the IEEE 802.3 maximum frame size TLV, the
power-negotiation}                          power-negotiation TLV for PoE, or both. Separate multiple options with a
                                            space.

auto-isl {enable | disable}                 Enable or disable the automatic inter-switch LAG.

auto-isl-hello-timer <1-30>                 If you enabled auto-isl, you can set the number of seconds for the
                                            automatic inter-switch LAG hello timer. The default value is 3 seconds.

auto-isl-port-group <0-9>                   If you enabled auto-isl, you can set the automatic inter-switch LAG port
                                            group identifier.

auto-isl-receive-timeout <3-90>             If you enabled auto-isl, you can set the number of seconds before the
                                            automatic inter-switch LAG times out if no response is received. The
                                            default value is 9 seconds.

config med-network-policy
{guest-voice | guest-voice-signaling |      Select which Media Endpoint Discovery (MED) network policy type-length-
softphone-voice | streaming-video |         value (TLV) category to edit.
video-conferencing | video-signaling |
voice | voice-signaling}

status {enable | disable}                   Enable or disable whether this TLV is transmitted.

vlan-intf <string>                          If you enabled the status, you can enter the VLAN interface to advertise.
                                            The maximum length is 15 characters.

priority <0-7>                              If you enabled the status, you can enter the advertised Layer-2 priority. Set
                                            to 7 for the highest priority.

dscp <0-63>                                 If you enabled the status, you can enter the advertised Differentiated
                                            Services Code Point (DSCP) value to indicate the level of service requested
                                            for the traffic.

config med-location-service
{address-civic | coordinates |              Select which Media Endpoint Discovery (MED) location type-length-value
elin-number}                                (TLV) category to edit.

status {enable | disable}                   Enable or disable whether this TLV is transmitted.

sys-location-id <string>                    If you enabled the status, you can enter the location service identifier. The
                                            maximum length is 63 characters.

config custom-tlvs
<TLV_name>                                  Enter the name of a custom TLV entry.

oui <hexadecimal_number>                    Enter the organizationally unique identifier (OUI), a 3-byte hexadecimal
                                            number, for this TLV.

subtype <0-255>                             Enter the organizationally defined subtype.

information-string <0-507>                  Enter the organizationally defined information string in hexadecimal bytes.

To configure LLDP settings in FortiOS:

config switch-controller lldp-settings
set tx-hold <int>
set tx-interval <int>
set fast-start-interval <int>
set management-interface {internal | management}
set device-detection {enable | disable}
end

Variable                                    Description

tx-hold                                     Number of tx-intervals before the local LLDP data expires. Therefore, the
                                            packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1
                                            to 16, and the default value is 4.

tx-interval                                 How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095
                                            seconds, and the default is 30 seconds.

fast-start-interval                         How often the FortiSwitch transmits the first 4 LLDP packets when a link
                                            comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this
                                            variable to zero to disable fast start.

management-interface                        Primary management interface to be advertised in LLDP and CDP PDUs.

device-detection {enable | disable}         Enable or disable whether LLDP neighbor devices are dynamically detected.
                                            By default, this setting is disabled.

To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:

config switch lldp settings
set device-detection enable
end

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set switch-device-tag <string>
end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:
config switch-controller lldp-profile
edit <lldp-profile>
config med-network-policy
edit guest-voice
set status {disable | enable}
next
edit guest-voice-signaling
set status {disable | enable}
next
edit softphone-voice
set status {disable | enable}
next
edit streaming-video
set status {disable | enable}
next
edit video-conferencing
set status {disable | enable}
next
edit video-signaling
set status {disable | enable}
next
edit voice
set status {disable | enable}
next
edit voice-signaling
set status {disable | enable}
next
end
config custom-tlvs
edit <name>
set oui <identifier>
set subtype <subtype>
set information-string <string>
next
end
end

Display LLDP information

You can use the following commands to display LLDP information:
diagnose switch-controller switch-info lldp stats <switch> <port>
diagnose switch-controller switch-info lldp neighbors-summary <switch>
diagnose switch-controller switch-info lldp neighbors-detail <switch>

Configuring the LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Starting in FortiOS 6.4.3, you can also configure the lldp-status and lldp-profile settings of a virtual switch
port in a tenant VDOM. NOTE: The auto-isl setting in config switch-controller lldp-profile is
ignored, and the setting remains disabled for the tenant's ports.
Use the following commands to configure LLDP on a FortiSwitch port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port2
set lldp-status tx-rx
set lldp-profile default
end
end

Use the following commands to configure LLDP on a virtual FortiSwitch port in a tenant VDOM:
config vdom
edit <VDOM_name>
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
next
end
end
end

For example:
config vdom
edit VDOM_1
config switch-controller managed-switch
edit "S424ENTF19000007"
config ports
edit port28
set lldp-status tx-rx
set lldp-profile lldpprofile1
next
end
end
end

FortiSwitch security

This section covers the following topics:

- FortiSwitch security policies on page 119
- FortiSwitch network access control on page 109
- Configuring the DHCP trust setting on page 118
- Configuring dynamic ARP inspection (DAI) on page 119
- Security Fabric showing on page 130
- Blocking intra-VLAN traffic on page 131
- Quarantines on page 133

FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the
specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices
that match are assigned to a specific VLAN or have port-specific settings applied to them.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch
NAC settings on page 111.

Summary of the procedure

1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN on page 109.
2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings on page 111.
3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy on page 113.
4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy on page 118.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there
are six VLAN templates:
- default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
- quarantine—This VLAN contains quarantined traffic.
- rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
- voice—This VLAN is dedicated for voice devices.
- video—This VLAN is dedicated for video devices.
- onboarding—This VLAN is for NAC onboarding devices.
You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding
NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN
or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:

Interface Name    VLAN name
VLAN ID           Enter a number (1-4094)
Color             Choose a unique color for each VLAN, for ease of visual display.
Role              Select LAN, WAN, DMZ, or Undefined.

2. Enable DHCP for IPv4 or IPv6.
3. Set the Admission access options as required.
4. Select OK.

Using the CLI:

config system interface
edit <vlan name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Select the onboarding NAC VLAN.
3. Select Edit.
4. Make your changes.
5. Select OK to save your changes.

Using the CLI:

config switch-controller initial-config template
edit onboarding
set vlanid <1-4094>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
end

Configuring the FortiSwitch NAC settings

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually
configure the NAC settings or use the NAC wizard. See Using the NAC wizard on page 112.
The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all
managed FortiSwitch ports. By default, the mode is local.
You can set how many minutes NAC devices are allowed to be inactive. By default, NAC devices can be inactive for
15 minutes. The range of values is 0 to 1,440 minutes. If you set the inactive-timer to 0, there is no limit to how long
NAC devices can be inactive.
When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default
onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.
When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.
When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the
DHCP process for that switch.
When a link goes down, the NAC devices are cleared from all switch ports by default.

Configuring NAC on a global level

Using the GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Move the NAC Settings slider to expand the NAC Settings section.
3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is
onboarding.
4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is
configured on the port.
5. Select All or Specify to apply NAC policies to all FortiSwitch ports.
6. Select Apply to save your changes.

Using the CLI:

config switch-controller nac-settings
edit <name_of_this_NAC_configuration>
set mode global
set inactive-timer <integer>
set onboarding-vlan <string>
set auto-auth {enable | disable}
set bounce-nac-port {enable | disable}
set link-down-flush {enable | disable}
end

Configuring NAC on a local level

Using the GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Move the NAC Settings slider to expand the NAC Settings section.
3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is
onboarding.
4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is
configured on the port.
5. Select Specify to apply NAC policies to specific FortiSwitch ports.
6. Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
7. Select Apply to save your changes.

Using the CLI:

config switch-controller nac-settings
edit <name_of_this_NAC_configuration>
set mode local
set inactive-timer <integer>
set onboarding-vlan <string>
set auto-auth {enable | disable}
set bounce-nac-port {enable | disable}
set link-down-flush {enable | disable}
end

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set access-mode nac
next
end
next
end

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Right-click a port.
3. Select Access Mode > NAC.

Using the NAC wizard

The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do
not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.
1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select Configure NAC Settings.
3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is
onboarding.
4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is
configured on the port.
5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC
policies to.
7. Select Next.
8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the
default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN on page
109.
9. Select Submit.

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create three types of NAC policies:
- Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type,
operating system, and user.
- User—The NAC policy matches devices belonging to the specified user group.
- EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.
Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the
NAC policy. See Creating a port policy on page 117 and Creating a MAC policy on page 118.
NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the
FortiSwitch NAC settings on page 111.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies
port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating
system, and user for the devices to match.
By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You
can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select Create New.
3. In the Name field, enter a name for the NAC policy.
4. Make certain that the status is set to Enabled.
5. Select which FortiSwitch units to apply the NAC policy to or select All.
6. Select Device for the category.
7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to
match.
8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the
hardware vendor to match.
9. If you want the device to match a device family, move the Device Family slider and enter the name of the device
family to match.
10. If you want the device to match a device type, move the Type slider and enter the device type to match.
11. If you want the device to match an operating system, move the Operating System slider and enter the operating
system to match.
12. If you want the device to match a user, move the User slider and enter the user name to match.
13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and
enter the VLAN identifier.
14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific
Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
15. Select OK to create the new NAC policy.

Using the CLI:

config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category device
set status enable
set mac <MAC_address>
set hw-vendor <hardware_vendor>
set type <device_type>
set family <device_family>
set os <operating_system>
set hw-version <hardware_version>
set sw-version <software_version>
set host <host_name>
set user <user_name>
set src <source>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those
devices or applies port-level settings to those devices.

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select Create New.
3. In the Name field, enter a name for the NAC policy.
4. Make certain that the status is set to Enabled.
5. Select which FortiSwitch units to apply the NAC policy to or select All.
6. Select User for the category.
7. Select the user group that devices must belong to.
8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and
enter the VLAN identifier.
9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific
Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
10. Select OK to create the new NAC policy.

Using the CLI:

config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category user
set status enable
set user-group <name_of_user_group>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
end

Creating an EMS-tag policy

An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or
applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS)
tag created in FortiClient.
NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.
Before creating an EMS-tag policy on a managed FortiSwitch unit:
1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

config endpoint-control fctems
edit <ems_name>
set server <ip_address>
set certificate <string>
next
end

For example:

config endpoint-control fctems
edit EMS_Server
set server 1.2.3.4
set certificate REMOTE_Cert_1
next
end

4. In FortiOS, verify the EMS certificate. For example:

execute fctems verify EMS_Server

5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

diagnose user device get <FortiClient_MAC_address>

6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:

1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select Create New.
3. In the Name field, enter a name for the NAC policy.
4. Make certain that the status is set to Enabled.
5. Select which FortiSwitch units to apply the NAC policy to or select All.
6. Select EMS Tag for the category.
7. Select the FortiClient EMS tag that devices must be assigned.
8. If you want to assign a specific VLAN to a device that has the specified EMS tag, select Assign VLAN and enter
the VLAN identifier.
9. If you want to assign port-level settings to devices that have the specified EMS tag, select Apply Port Specific
Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
10. Select OK to create the new NAC policy.

Using the CLI to create an EMS-tag policy:

config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category ems-tag
set ems-tag <string>
set status enable
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
next
end

For example:

config user nac-policy
edit nac_policy_1
set category ems-tag
set ems-tag MAC_FCTEMS0000108427_Low
set switch-fortilink fortilink1
set switch-port-policy port_policy_1
next
end

Creating a port policy

You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which
LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.
config switch-controller port-policy
edit <port_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set lldp-profile <LLDP_profile>
set qos-policy <QoS_policy>
set 802-1x <802.1x_policy>
set vlan-policy <VLAN_policy>
set bounce-port-link {enable | disable}
next
end

For example:

config switch-controller port-policy
edit port_policy_1
set fortilink fortilink1
set vlan-policy vlan_policy_1
next
end

Creating a VLAN policy

You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be
applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether
to discard untagged or tagged frames or to not discard any frames.
config switch-controller vlan-policy
edit <VLAN_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set allowed-vlans <lists_of_VLAN_names>
set untagged-vlans <lists_of_VLAN_names>
set allowed-vlans-all {enable | disable}
set discard-mode {none | all-untagged | all-tagged}
next
end

For example:

config switch-controller vlan-policy
edit vlan_policy_1
set fortilink fortilink1
set vlan default
next
end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is
applied, select which traffic policy is used, and enable or disable packet count.
config switch-controller mac-policy
edit <MAC_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set traffic-policy <traffic_policy_name>
set count {enable | disable}
next
end

Viewing the devices that match the NAC policy

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
2. Select View Matched Devices.
3. Select Refresh to update the results.

Using the CLI:

To show known NAC devices with a known location that match a NAC policy:
diagnose switch-controller nac-device known

To show pending NAC devices with an unknown location that match a NAC policy:
diagnose switch-controller nac-device pending

Configuring the DHCP trust setting

The DHCP blocking feature monitors DHCP traffic from untrusted sources (typically host ports and unknown DHCP
servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters DHCP
messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set dhcp-snooping {trusted | untrusted}
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set dhcp-snooping trusted
end
end

Configuring dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have
valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By
default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the
following CLI commands to enable DAI and then enable DAI for a VLAN:
config system interface
edit vsw.test
set switch-controller-arp-inspection {enable | disable}
end

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set arp-inspection-trust {untrusted | trusted}
next
end
next
end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:
diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>

Use the following CLI command to delete DAI statistics for a specific VLAN:
diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>
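The following is an added, constructed model (not FortiSwitchOS code) of the forwarding decisions that the DHCP trust setting and DAI described above make: server-side DHCP messages are accepted only on trusted ports, a DHCP ACK seen on a trusted port creates an IP-MAC binding, and on a DAI-enabled VLAN an ARP packet from an untrusted port is forwarded only if its sender pair matches a binding. Port names, the VLAN IDs and all MAC and IP addresses are made up for the example.

```python
"""Constructed model of DHCP snooping (DHCP blocking) plus dynamic ARP inspection (DAI).
Added illustration, not FortiSwitchOS code; all ports, VLANs and addresses are made up."""
from dataclasses import dataclass, field

# Only a legitimate DHCP server sends these; on an untrusted (host) port they are blocked.
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    name: str
    dhcp_trusted: bool = False   # models: set dhcp-snooping trusted
    arp_trusted: bool = False    # models: set arp-inspection-trust trusted


@dataclass
class SnoopingSwitch:
    ports: dict                                   # port name -> Port
    dai_vlans: set = field(default_factory=set)   # VLANs with DAI enabled (disabled by default)
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac, learned from DHCP
    drops: dict = field(default_factory=dict)     # port -> dropped ARP count (per-port stats)

    def handle_dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP blocking: server messages are forwarded only from trusted ports.
        An ACK on a trusted port creates or refreshes the IP-MAC binding for that VLAN."""
        if msg in DHCP_SERVER_MESSAGES and not self.ports[port].dhcp_trusted:
            return "drop"
        if msg == "ACK" and yiaddr is not None:
            self.bindings[(vlan, yiaddr)] = client_mac
        return "forward"

    def handle_arp(self, port, vlan, sender_ip, sender_mac):
        """DAI: on a DAI-enabled VLAN, ARP from an untrusted port passes only when the
        sender IP/MAC pair matches a snooped binding; trusted ports bypass the check."""
        if vlan not in self.dai_vlans or self.ports[port].arp_trusted:
            return "forward"
        if self.bindings.get((vlan, sender_ip)) == sender_mac:
            return "forward"
        self.drops[port] = self.drops.get(port, 0) + 1
        return "drop"


def demo():
    """Walk a constructed scenario through the model and return every decision."""
    sw = SnoopingSwitch(
        ports={
            "port1": Port("port1", dhcp_trusted=True, arp_trusted=True),  # uplink to DHCP server
            "port2": Port("port2"),                                       # host port
            "port3": Port("port3"),                                       # host port
        },
        dai_vlans={100},
    )
    results = {}
    # A DHCP OFFER arriving on host port3 is a rogue server: blocked.
    results["rogue_offer"] = sw.handle_dhcp("port3", 100, "OFFER", "aa:aa:aa:aa:aa:03")
    # The real server's ACK on trusted port1 leases 10.0.100.20 to the host on port2.
    results["real_ack"] = sw.handle_dhcp("port1", 100, "ACK", "aa:aa:aa:aa:aa:02",
                                         yiaddr="10.0.100.20")
    # The host on port2 announces its leased address: valid binding, forwarded.
    results["arp_ok"] = sw.handle_arp("port2", 100, "10.0.100.20", "aa:aa:aa:aa:aa:02")
    # The host on port3 claims port2's address: no matching binding, dropped.
    results["arp_spoof"] = sw.handle_arp("port3", 100, "10.0.100.20", "aa:aa:aa:aa:aa:03")
    # The same claim on a VLAN without DAI is not inspected at all.
    results["arp_no_dai"] = sw.handle_arp("port3", 200, "10.0.200.20", "aa:aa:aa:aa:aa:03")
    results["stats"] = dict(sw.drops)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-port drop counter mirrors what the arp-inspection stats command reports per switch; the last case shows why DAI must be enabled per VLAN and not only globally.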

FortiSwitch security policies

To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected
to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The
supplicant and the authentication server communicate through the switch using the EAP protocol. The managed
FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the managed FortiSwitch unit.
NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication
from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.
The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each
supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond
to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the
user name and password for authentication.
You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful.
Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1x authentication, you can specify a
RADIUS timeout VLAN for users after the authentication server timeout period expires.
When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.

Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.

This chapter covers the following topics:
l Increased number of devices supported per port for 802.1x MAC-based authentication on page 120
l Configure the 802.1x settings for a virtual domain on page 121
l Override the virtual domain settings on page 121
l Define an 802.1x security policy on page 122
l Apply an 802.1x security policy to a FortiSwitch port on page 124
l Test 802.1x authentication with monitor mode on page 124
l RADIUS accounting support on page 125
l RADIUS change of authorization (CoA) support on page 125
l 802.1x authentication deployment example on page 128
l Detailed deployment notes on page 129

Increased number of devices supported per port for 802.1x MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:

Model                    Total number of devices supported per switch
108                      80
112                      120
124/224/424/524/1024     240
148/248/448/548/1048     480
3032                     320

Configure the 802.1x settings for a virtual domain

To configure the 802.1x security policy for a virtual domain, use the following commands:
config switch-controller 802-1X-settings
set reauth-period <integer>
set max-reauth-attempt <integer>
set link-down-auth {*set-unauth | no-action}
end

Option                    Description
set link-down-auth        If a link is down, this command determines the authentication state.
                          Choosing set-unauth sets the interface to unauthenticated when a link is
                          down, and reauthentication is needed. Choosing no-action means that the
                          interface does not need to be reauthenticated when a link is down.
set reauth-period         This command sets how often reauthentication is needed. The range is
                          1-1440 minutes. The default is 60 minutes. Setting the value to 0 minutes
                          disables reauthentication.
                          NOTE: Setting the reauth-period to 0 is supported only in the CLI. The
                          RADIUS dynamic session timeout and CoA session timeout do not support
                          setting the Session Timeout to 0.
set max-reauth-attempt    This command sets the maximum number of reauthentication attempts.
                          The range is 1-15. The default is 3. Setting the value to 0 disables
                          reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1x security policy.

Using the FortiGate GUI

To override the 802.1x settings for a virtual domain:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on a FortiSwitch faceplate and select Edit.
3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The
maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The
maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to
unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface
does not need to be reauthenticated when a link is down.
7. Select OK.

Using the FortiGate CLI

To override the 802.1x settings for a virtual domain:

config switch-controller managed-switch
edit <switch>
config 802-1X-settings
set local-override {enable | *disable}
set reauth-period <integer>                      // visible if override enabled
set max-reauth-attempt <integer>                 // visible if override enabled
set link-down-auth {*set-unauth | no-action}     // visible if override enabled
end
next
end

For a description of the options, see Configure the 802.1x settings for a virtual domain.

Define an 802.1x security policy

You can define multiple 802.1x security policies.

Using the FortiGate GUI

To create an 802.1x security policy:
1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
2. Select Create New.
3. Enter a name for the new FortiSwitch security policy.
4. For the security mode, select Port-based or MAC-based.
5. Select + to select which user groups will have access.
6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access
the guest VLAN.
9. Enable or disable MAC authentication bypass (MAB) on this interface.
10. Enable or disable EAP pass-through mode on this interface.
11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
12. Select OK.

Using the FortiGate CLI

To create an 802.1x security policy, use the following commands:

config switch-controller security-policy 802-1X
edit "<policy_name>"
set security-mode {802.1X | 802.1X-mac-based}
set user-group <*group_name | Guest-group | SSO_Guest_Users>
set mac-auth-bypass {enable | *disable}
set eap-passthru {enable | disable}
set guest-vlan {enable | *disable}
set guest-vlan-id "<guest-VLAN-name>"
set guest-auth-delay <integer>
set auth-fail-vlan {enable | *disable}
set auth-fail-vlan-id "<auth-fail-VLAN-name>"
set radius-timeout-overwrite {enable | *disable}
set policy-type 802.1X
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-period <integer>
set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"
next
end

Option                                  Description
set security-mode                       You can restrict access with 802.1x port-based authentication or with
                                        802.1x MAC-based authentication.
set user-group                          You can set a specific group name, Guest-group, or SSO_Guest_Users to
                                        have access. This setting is mandatory.
set mac-auth-bypass                     You can enable or disable MAB on this interface.
set eap-passthru                        You can enable or disable EAP pass-through mode on this interface.
set guest-vlan                          You can enable or disable guest VLANs on this interface to allow restricted
                                        access for some users.
set guest-vlan-id                       You can specify the name of the guest VLAN.
  "<guest-VLAN-name>"
set guest-auth-delay                    You can set the authentication delay for guest VLANs on this interface. The
                                        range is 1-900 seconds.
set auth-fail-vlan                      You can enable or disable the authentication fail VLAN on this interface to
                                        allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id                   You can specify the name of the authentication fail VLAN.
  "<auth-fail-VLAN-name>"
set radius-timeout-overwrite            You can enable or disable whether the session timeout for the RADIUS
                                        server will overwrite the local timeout.
set policy-type 802.1X                  You can set the policy type to the 802.1x security policy.
set authserver-timeout-vlan             Enable or disable the RADIUS timeout VLAN on this interface to allow
                                        limited access for users when the RADIUS server times out before finishing
                                        authentication. By default, this option is disabled.
set authserver-timeout-period           You can set how many seconds the RADIUS server has to authenticate
                                        users. The range of values is 3-15 seconds; the default time is 3 seconds.
                                        This option is only visible when authserver-timeout-vlan is enabled.
set authserver-timeout-vlanid           The VLAN name that is used for users when the RADIUS server times out
  "<RADIUS-timeout-VLAN-name>"          before finishing authentication. This option is only visible when
                                        authserver-timeout-vlan is enabled.

Apply an 802.1x security policy to a FortiSwitch port

You can apply a different 802.1x security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1x security policy to a managed FortiSwitch port:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select the + next to a FortiSwitch unit.
3. In the Security Policy column for a port, click + to select a security policy.
4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1x security policy to a managed FortiSwitch port, use the following commands:
config switch-controller managed-switch
edit <managed-switch>
config ports
edit <port>
set port-security-policy <802.1x-policy>
next
end
next
end

Test 802.1x authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test
port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass.
Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the
users fail authentication.
To enable or disable monitor mode, use the following commands:
config switch-controller security-policy 802-1X
edit "<policy_name>"
set open-auth {enable | disable}
next
end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiGate RADIUS single sign-on:
l START—The FortiSwitch has been successfully authenticated, and the session has started.
l STOP—The FortiSwitch session has ended.
l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
l ON—FortiSwitch will send this message when the switch is turned on.
l OFF—FortiSwitch will send this message when the switch is shut down.
You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple
values.
Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed
FortiSwitch units:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set switch-controller-service-type {administrative | authenticate-only | callback-administrative | callback-framed | callback-login | callback-nas-prompt | call-check | framed | login | nas-prompt | outbound}
config accounting-server
edit <entry_ID>
set status {enable | disable}
set server <server_IP_address>
set secret <secret_key>
set port <port_number>
next
end
next
end

RADIUS change of authorization (CoA) support

For increased security, each subnet interface that will be receiving CoA requests must be configured with the set
allowaccess radius-acct command.
Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS CoA messages:
l CoA messages to change session authorization attributes (such as data filters and the session-timeout setting )
during an active session.
l Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are
unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute                  Value                 Description
Fortinet-Host-Port-AVPair  action=bounce-port    The FortiSwitch unit disconnects all sessions on a port. The port
                                                 goes down for 10 seconds and then up again.
Fortinet-Host-Port-AVPair  action=disable-port   The FortiSwitch unit disconnects all sessions on a port. The port
                                                 goes down until the user resets it.
Fortinet-Host-Port-AVPair  action=reauth-port    The FortiSwitch unit forces the reauthentication of the current
                                                 session.
In addition, RADIUS CoA uses the session-timeout attribute:

Attribute          Value                      Description
session-timeout    <session_timeout_value>    The FortiSwitch unit disconnects a session after the specified number
                                              of seconds of idleness. This value must be more than 60 seconds.
                                              NOTE: To use the session-timeout attribute, you must enable the
                                              set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.

Error Cause Error Code Description

Unsupported Attribute 401 This error is a fatal error, which is sent if a request
contains an attribute that is not supported.

NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more
NAS-Identifier Attributes do not match the identity of
the NAS receiving the request.

Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request
or Disconnect-Request message contains an attribute
with an unsupported value.

Session Context Not Found 503 This error is a fatal error if the session context identified
in the CoA-Request or Disconnect-Request message
does not exist on the NAS.
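As an added example (not Fortinet code), the following encodes a RADIUS CoA-Request carrying the Fortinet-Host-Port-AVPair vendor-specific attribute described above and decodes the CoA-ACK or CoA-NAK that a NAS returns, mapping Error-Cause to the codes listed on this page. It assumes Fortinet's IANA enterprise number is 12356; the shared secret, user name and MAC are constructed test values, and the optional Message-Authenticator attribute is left out. Useful on the RADIUS-server side for checking that a tampered request is rejected and for reading the Error-Cause a switch sends back.

```python
"""Encode/decode RADIUS CoA packets (RFC 5176 framing) with the Fortinet-Host-Port-AVPair VSA.
Added example, not Fortinet code. Assumption: Fortinet IANA enterprise number 12356."""
import hashlib
import struct

CODE_DM_REQUEST, CODE_DM_ACK, CODE_DM_NAK = 40, 41, 42
CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_VSA, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 1, 26, 31, 101
FORTINET_VENDOR_ID = 12356        # assumption: Fortinet private enterprise number
FORTINET_HOST_PORT_AVPAIR = 42    # vendor type given on this page

# Error-Cause values the page lists for CoA-NAK / Disconnect-NAK.
ERROR_CAUSES = {401: "Unsupported Attribute", 403: "NAS Identification Mismatch",
                407: "Invalid Attribute Value", 503: "Session Context Not Found"}


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def fortinet_avpair(text: str) -> bytes:
    """Vendor-Specific attribute: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) string."""
    inner = struct.pack("!BB", FORTINET_HOST_PORT_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS does first: recompute the Request Authenticator with the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = packet[20:length]
    return hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() == packet[4:20]


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(attrs: bytes):
    """Yield (type, value) pairs, rejecting truncated or zero-length attributes."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out


def fortinet_avpairs(attrs: bytes):
    """Extract Fortinet-Host-Port-AVPair strings (the action= values) from raw attributes."""
    found = []
    for atype, value in parse_attrs(attrs):
        if atype == ATTR_VSA and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            found += [v.decode() for t, v in parse_attrs(value[4:]) if t == FORTINET_HOST_PORT_AVPAIR]
    return found


def decode_response(response: bytes, request: bytes, secret: bytes) -> dict:
    """Check identifier and Response Authenticator, then pull out Error-Cause if present."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("identifier does not match the outstanding request")
    attrs = response[20:length]
    if hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest() != response[4:20]:
        raise ValueError("bad Response Authenticator")
    result = {"code": code, "ok": code in (CODE_COA_ACK, CODE_DM_ACK), "error_cause": None}
    for atype, value in parse_attrs(attrs):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            result["error_cause"] = (num, ERROR_CAUSES.get(num, "unknown"))
    return result


def demo():
    """Constructed exchange: bounce-port request, then a NAK (503) and an ACK from the NAS."""
    secret = b"constructed-test-secret"
    attrs = (attr(ATTR_USER_NAME, b"alice") + attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
             + fortinet_avpair("action=bounce-port"))
    req = build_request(CODE_COA_REQUEST, 7, attrs, secret)
    nak = build_response(CODE_COA_NAK, req, attr(ATTR_ERROR_CAUSE, struct.pack("!I", 503)), secret)
    ack = build_response(CODE_COA_ACK, req, b"", secret)
    return verify_request(req, secret), decode_response(nak, req, secret), decode_response(ack, req, secret)
```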

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
config system interface
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
end
config user radius
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_IPv4>
end

Variable                         Description

config system interface
ip <address> <netmask>           Enter the interface IP address and netmask.
allowaccess <access_types>       Enter the types of management access permitted on this interface.
                                 Valid types are as follows: http https ping snmp ssh telnet
                                 radius-acct. Separate each type with a space. You must include
                                 radius-acct to receive CoA and disconnect messages.

config user radius
<RADIUS_server_name>             Enter the name of the RADIUS server that will be sending CoA and
                                 disconnect messages to the FortiSwitch unit. By default, the messages
                                 use port 3799.
radius-coa {enable | disable}    Enable or disable whether the FortiSwitch unit will accept CoA and
                                 disconnect messages. The default is disable.
radius-port <port_number>        Enter the RADIUS port number. By default, the value is 0 for FortiOS,
                                 which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key>              Enter the shared secret key for authentication with the RADIUS server.
                                 There is no default.
server <server_name_IPv4>        Enter the domain name or IPv4 address for the RADIUS server. There
                                 is no default.

Example: RADIUS CoA

The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages
from the specified RADIUS server:
config switch-controller security-policy local-access
edit default
set internal-allowaccess ping https http ssh snmp telnet radius-acct
next
end
config user radius
edit "Radius-188-200"
set radius-coa enable
set radius-port 0
set secret ENC
+2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZf
OQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVU
MiPOU6fSrj
set server "10.105.188.200"
next
end

802.1x authentication deployment example

To control network access, you can configure 802.1x authentication from a FortiGate unit managing FortiSwitch units. A
supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the
network.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to
the RADIUS server.

To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:

config firewall policy
edit 1
set name "fortilink-to-radius"
set srcintf "fortilink"
set dstintf "accounting-server"
set action accept
set service "ALL"
set nat enable
end

To create a group for users who will be authenticated by 802.1x:

config user radius
edit "dot1x-radius"
set server "192.168.174.10"
set secret ENC ***
set radius-port 1812
config accounting-server
edit 1
set status enable
set server "192.168.174.10"
set secret ENC ***
set port 1813
next
end
next
end

config user group
edit "radius users"
set member "dot1x-radius"
next
end

To create an 802.1x security policy:

You can create an 802.1x security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch
Security Policies and selecting Create New.
config switch-controller security-policy 802-1X
edit "802-1X-policy-default"
set security-mode 802.1X-mac-based
set user-group "radius users"
set mac-auth-bypass enable
set eap-passthru enable
set guest-vlan enable
set guest-vlan-id "guest-VLAN"
set auth-fail-vlan enable
set auth-fail-vlan-id "auth-fail-VLAN"
set radius-timeout-overwrite disable
next
end

To configure the global 802.1x settings:

config switch-controller 802-1X-settings
set link-down-auth no-action
set reauth-period 90
set max-reauth-attempt 4
end

To apply an 802.1x security policy to a managed FortiSwitch port:

You can apply an 802.1x security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi &
Switch Controller > FortiSwitch Ports.
config switch-controller managed-switch
edit S548DN4K16000360
config ports
edit "port1"
set dhcp-snooping trusted
set dhcp-snoop-option82-trust enable
set port-security-policy "802-1X-policy-default"
next
end

Detailed deployment notes

l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
- RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT
is disabled in the firewall policy (set nat disable under the config firewall policy command), and
the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other
than 169.254.1.x.
- The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS),
Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
- Each RADIUS CoA server can support only one accounting manager in this release.
- RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
- Fortinet recommends a unique secret key for each accounting server.
- For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
- To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
- Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
- By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
- The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
- In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
- Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
- Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
- Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-passthru)
is enabled by default.
- For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.

Security Fabric showing

This example shows one of the key components in the concept of Security Fabric: FortiSwitches in FortiLink. In the
FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.

Sample topology

To show Security Fabric information:

1. Go to Security Fabric > Physical Topology.
2. To see the connection between FortiGates and managed FortiSwitches, hover the pointer over the icons to see
information about each network element.

Blocking intra-VLAN traffic

You can block intra-VLAN traffic by aggregating traffic using solely the FortiGate unit. This prevents direct client-to-client
traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client
traffic reaches the FortiGate unit, the FortiGate unit can then determine whether to allow various levels of access to the
client by shifting the client's network VLAN as appropriate, if allowed by a firewall policy and proxy ARP is enabled.
Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified
VLAN. Use disable to allow normal traffic on the specified VLAN.

Using the FortiGate GUI

1. Go to Network > Interfaces.
2. Select the interface and then select Edit.
3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.

Using the FortiGate CLI

config system interface
edit <VLAN name>
set switch-controller-access-vlan {enable | disable}
next
end

NOTE:
- IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
- Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch.
- When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure the proxy ARP
with the config system proxy-arp CLI command and configure a firewall policy. For example:

config system proxy-arp
edit 1
set interface "V100"
set ip 1.1.1.1
set end-ip 1.1.1.200
next
end

config firewall policy
edit 4
set name "Allow intra-VLAN traffic"
set srcintf "V100"
set dstintf "V100"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined
MAC addresses are isolated from the rest of the network and LAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.
NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP
address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.
1. Select the host to quarantine.
- Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
- Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
- Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on
FortiSwitch.
2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.
There are two kinds of quarantines:
- Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting
in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
- Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting
in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).
By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware
version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was
disabled in the older configuration, it will be disabled after the upgrade.
You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are
only quarantined when the quarantine feature is enabled.
The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined
per quarantine entry.
Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use
and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much
network resources quarantined devices use.
Quarantine-by-redirect is the default. If you are upgrading to FortiOS 6.4.0 or higher and already have a quarantine-by
VLAN configuration, the quarantine mode does not change during the upgrade.
If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:
1. Disable quarantine.
2. Change the quarantine-mode to by-redirect.
3. Remove the quarantine VLAN from the switch ports.
4. Enable quarantine.

To set up a quarantine in FortiOS:

config switch-controller global
set quarantine-mode {by-vlan | by-redirect}
end

config user quarantine
set quarantine enable
set traffic-policy <traffic_policy_name>
set firewall-groups <firewall_address_group>
config targets
edit <quarantine_entry_name>
set description <string>
config macs
edit <MAC_address_1>
set drop {enable | disable}
next
edit <MAC_address_2>
set drop {enable | disable}
next
edit <MAC_address_3>
set drop {enable | disable}
next
end
end
end

quarantine-mode {by-vlan | by-redirect}
    Select the quarantine mode:
    - by-vlan sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN.
    - by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit. This mode is the default.

traffic-policy <traffic_policy_name>
    Optional. A name for the traffic policy that controls quarantined devices. If you do add a traffic policy, you need to
    configure it with the config switch-controller traffic-policy command.

firewall-groups <firewall_address_group>
    Optional. By default, the firewall address group is QuarantinedDevices. If you are using quarantine-by-redirect, you
    must use the default firewall address group.

quarantine_entry_name
    A name for this quarantine entry.

description <string>
    Optional. A description of the MAC addresses being quarantined.

MAC_address_1, MAC_address_2, MAC_address_3
    A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

drop {enable | disable}
    Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit.

For example:
config switch-controller global
set quarantine-mode by-redirect
end

config user quarantine
set quarantine enable
set traffic-policy qtrafficp
set firewall-groups QuarantinedDevices
config targets
edit quarantine1
set description "infected by virus"
config macs
edit 00:00:00:aa:bb:cc
set drop disable
next
edit 00:11:22:33:44:55
set drop disable
next
edit 00:01:02:03:04:05
set drop disable
next
end
next
end
end

To configure a traffic policy for quarantined devices in FortiOS:

config switch-controller traffic-policy
edit <traffic_policy_name>
set description <string>
set policer-status enable
set guaranteed-bandwidth <0-524287000>
set guaranteed-burst <0-4294967295>
set maximum-burst <0-4294967295>
set cos-queue <0-7>
end

traffic-policy <traffic_policy_name>
    Enter a name for the traffic policy that controls quarantined devices.

description <string>
    Enter an optional description of the traffic policy.

policer-status enable
    Enable the policer configuration to control quarantined devices. It is enabled by default.

guaranteed-bandwidth <0-524287000>
    Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0.

guaranteed-burst <0-4294967295>
    Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0.

maximum-burst <0-4294967295>
    Enter the maximum burst size in bytes. The maximum value is 4294967295. The default value is 0.

cos-queue <0-7>
    Set the class of service for the VLAN traffic. Use the unset cos-queue command to disable this setting.

For example:
config switch-controller traffic-policy
edit qtrafficp
set description "quarantined traffic policy"
set policer-status enable
set guaranteed-bandwidth 10000
set guaranteed-burst 10000
set maximum-burst 10000
unset cos-queue
end

Using quarantine with DHCP

When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this
problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device
was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is
released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By
default, the bounce-quarantined-link option is disabled.

To bounce the switch port where a quarantined device was last seen:

config switch-controller global
set bounce-quarantined-link {enable | disable}
end

Using quarantine with 802.1x MAC-based authentication

After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device
was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine
VLAN 4093 after 802.1x MAC-based authentication is enabled.

To use quarantines with IEEE 802.1x MAC-based authentication:

1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can
verify that quarantine-vlan is enabled with the following commands:

S448DF3X16000118 # config switch global
S448DF3X16000118 (global) # config port-security
S448DF3X16000118 (port-security) # get
link-down-auth : set-unauth
mab-reauth : disable
quarantine-vlan : enable
reauth-period : 60
max-reauth-attempt : 0

2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the
managed FortiSwitch unit. You can verify the settings for the port-security-mode and quarantine-vlan. For example:

S448DF3X16000118 (port17) # show switch interface port17
config switch interface
edit "port17"
set allowed-vlans 4093
set untagged-vlans 4093
set security-groups "group1"
set snmp-index 17
config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass enable
set open-auth disable
set port-security-mode 802.1X-mac-based
set quarantine-vlan enable
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end

3. On the FortiGate unit, quarantine a MAC address. For example:

config user quarantine
edit "quarantine1"
config macs
edit 00:05:65:ad:15:03
next
end
next
end

4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the
managed FortiSwitch unit received the MAC-VLAN binding with the following command:

S448DF3X16000118 # show switch vlan 4093
config switch vlan
edit 4093
set description "qtn.FLNK10"
set dhcp-snooping enable
set access-vlan enable
config member-by-mac
edit 1
set mac 00:05:65:ad:15:03
next
end
next
end

5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed
FortiSwitch port has the quarantined MAC address. For example:

S448DF3X16000118 # diagnose switch 8 status port17

port17: Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :

Switch sessions 3/480, Local port sessions:1/20

Client MAC Type Vlan Dynamic-Vlan Quarantined
00:05:65:ad:15:03 802.1x 1 4093

Sessions info:
00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41
params:reAuth=1800

6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address
table with the following commands:

S448DF3X16000118 # diagnose switch vlan assignment mac list
00:05:65:ad:15:03 VLAN: 4093 Installed: yes
Source: 802.1X-MAC-Radius
Description: port17

S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

1. Go to Monitor > Quarantine Monitor.
2. Click Quarantined on FortiSwitch. The Quarantined on FortiSwitch button is only available if a device is detected
behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:
show user quarantine

For example:
show user quarantine

config user quarantine
set quarantine enable
config targets
edit quarantine1
set description "infected by virus"
config macs
edit 00:00:00:aa:bb:cc
next
edit 00:11:22:33:44:55
next
edit 00:01:02:03:04:05
next
end
end
end
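An added audit example, not code from the FortiSwitch documentation or from Fortinet: it parses the config/edit/set/next/end text that show user quarantine prints here and that show switch vlan 4093 prints in step 4 of the 802.1x MAC-based procedure above, and reports quarantined MACs that the switch has not yet bound to the quarantine VLAN, as well as whether the quarantine feature is actually enabled (MACs listed while it is disabled are not quarantined). The sample outputs are constructed, and the helper names are this example's own.

```python
import re

# Added example, not FortiOS or FortiSwitchOS code: a parser for the
# "config / edit / set / next / end" syntax and a quarantine audit built on it.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

def _node():
    # "set": key/values; "config": nested tables; "entries": objects created with "edit".
    return {"set": {}, "config": {}, "entries": {}}

def parse_fortios_config(text):
    """Parse 'show' output or a config block into nested dicts (see _node)."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":          # blanks and elided sections
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword == "config":
            stack.append(stack[-1]["config"].setdefault(arg, _node()))
        elif keyword == "edit":
            stack.append(stack[-1]["entries"].setdefault(arg.strip('"'), _node()))
        elif keyword == "set":
            key, _, value = arg.partition(" ")
            stack[-1]["set"][key] = value.strip().strip('"')
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()                        # unset, prompts, etc. are ignored
    return root

def quarantine_feature_enabled(fgt_cfg):
    """MACs listed while 'set quarantine' is not enabled are not quarantined."""
    quarantine = fgt_cfg["config"].get("user quarantine", _node())
    return quarantine["set"].get("quarantine") == "enable"

def quarantined_macs(fgt_cfg):
    """Return {mac: (entry_name, drop_enabled)} from 'config user quarantine'."""
    quarantine = fgt_cfg["config"].get("user quarantine", _node())
    result = {}
    for name, entry in quarantine["config"].get("targets", _node())["entries"].items():
        for mac, mac_node in entry["config"].get("macs", _node())["entries"].items():
            if not MAC_RE.match(mac):
                raise ValueError(f"malformed MAC in entry {name}: {mac}")
            result[mac.lower()] = (name, mac_node["set"].get("drop") == "enable")
    return result

def vlan_member_macs(fsw_cfg, vlan_id="4093"):
    """Return the MACs bound to a VLAN via 'config member-by-mac' on the switch."""
    vlans = fsw_cfg["config"].get("switch vlan", _node())["entries"]
    members = vlans.get(str(vlan_id), _node())["config"].get("member-by-mac", _node())
    return {m["set"]["mac"].lower() for m in members["entries"].values() if "mac" in m["set"]}

def audit_quarantine(fgt_text, fsw_text, vlan_id="4093"):
    """Return (feature_enabled, missing): MACs quarantined on the FortiGate that the
    switch has not bound to the quarantine VLAN (the check in step 4 above)."""
    fgt = parse_fortios_config(fgt_text)
    fsw = parse_fortios_config(fsw_text)
    missing = sorted(set(quarantined_macs(fgt)) - vlan_member_macs(fsw, vlan_id))
    return quarantine_feature_enabled(fgt), missing

# Constructed sample modelled on 'show user quarantine' output on the FortiGate.
FGT_SHOW_USER_QUARANTINE = """\
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                    set drop enable
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
"""

# Constructed sample modelled on 'show switch vlan 4093' on the FortiSwitch; the third MAC is not bound yet.
FSW_SHOW_SWITCH_VLAN = """\
config switch vlan
    edit 4093
        set description "qtn.FLNK10"
        config member-by-mac
            edit 1
                set mac 00:00:00:aa:bb:cc
            next
            edit 2
                set mac 00:11:22:33:44:55
            next
        end
    next
end
"""
```

Running audit_quarantine on the two samples returns (True, ['00:01:02:03:04:05']); feeding it real show output from a FortiGate and its managed switch works the same way.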

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_
name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The
quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.
Use the following command to view the quarantine VLAN:
show system interface qtn.<FortiLink_port_name>

For example:
show system interface qtn.port7

config system interface
edit "qtn.port7"
set vdom "vdom1"
set ip 10.254.254.254 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-qtn.port7"
set device-identification enable
set device-identification-active-scan enable
set snmp-index 34
set switch-controller-access-vlan enable
set color 6
set interface "port7"
set vlanid 4093
next
end

Use the following command to view the quarantine DHCP server:
show system dhcp server

For example:
show system dhcp server

config system dhcp server
edit 2
set dns-service default
set default-gateway 10.254.254.254
set netmask 255.255.255.0
set interface "qtn.port7"
config ip-range
edit 1
set start-ip 10.254.254.192
set end-ip 10.254.254.253
next
end
set timezone-option default
next
end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all
connected FortiSwitch ports:
show switch-controller managed-switch

For example:
show switch-controller managed-switch

config switch-controller managed-switch
edit "FS1D483Z15000036"
set fsw-wan1-peer "port7"
set fsw-wan1-admin enable
set version 1
set dynamic-capability 503
config ports
edit "port1"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
edit "port2"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
edit "port3"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
...
end
end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

1. Go to Monitor > Quarantine Monitor.
2. Click Quarantined on FortiSwitch.
3. Right-click on one of the entries and select Delete or Remove All.
4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which
will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all
quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
config targets
edit <quarantine_entry_name>
config macs
delete <MAC_address_1>
end
end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
config targets
delete <quarantine_entry_name>
end
end

To disable the quarantine feature:

config user quarantine
set quarantine disable
end

Optimizing the FortiSwitch network

Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations
on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are
automatically applied.
NOTE: The Security Rating feature is available only when VDOMs are disabled.

To optimize your FortiSwitch network:

1. Go to Security Fabric > Security Rating.
2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.
3. Select the Optimization section.
4. Under Failed, select + next to each item to see more details in the right pane.
5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.
The FortiSwitch unit supports the following QoS configuration capabilities:
- Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
- Providing eight egress queues on each port.
- Policing the maximum data rate of egress traffic on the interface.
- If you select weighted-random-early-detection for the drop-policy, you can enable explicit
congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.

To configure the QoS for managed FortiSwitch units:

1. Configure a Dot1p map.

A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a
trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the
default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the
switch assigns a CoS value of zero.

NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to
trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch
will use the Dot1p value and mapping only if the packet contains no DSCP value.

config switch-controller qos dot1p-map
edit <Dot1p map name>
set description <text>
set priority-0 <queue number>
set priority-1 <queue number>
set priority-2 <queue number>
set priority-3 <queue number>
set priority-4 <queue number>
set priority-5 <queue number>
set priority-6 <queue number>
set priority-7 <queue number>
next
end

2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress
queue values. For IP precedence, you have the following choices:
- network-control—Network control
- internetwork-control—Internetwork control
- critic-ecp—Critic and emergency call processing (ECP)
- flashoverride—Flash override
- flash—Flash
- immediate—Immediate
- priority—Priority
- routine—Routine

config switch-controller qos ip-dscp-map
edit <DSCP map name>
set description <text>
config map <map_name>
edit <entry name>
set cos-queue <COS queue number>
set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 |
AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
set ip-precedence {network-control | internetwork-control | critic-ecp |
flashoverride | flash | immediate | priority | routine}
set value <DSCP raw value>
next
end
end

3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or
more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
  - With strict scheduling, the queues are served in descending order (of queue number), so higher number
queues receive higher priority.
  - In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each
queue before moving on to the next one.
  - In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to
63.

config switch-controller qos queue-policy
edit <QoS egress policy name>
set schedule {strict | round-robin | weighted}
config cos-queue
edit queue-<number>
set description <text>
set min-rate <rate in kbps>
set max-rate <rate in kbps>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set weight <weight value>
next
end
next
end

4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy
edit <QoS egress policy name>
set default-cos <default CoS value 0-7>
set trust-dot1p-map <Dot1p map name>
set trust-ip-dscp-map <DSCP map name>
set queue-policy <queue policy name>
next
end

5. Configure each switch port.

config switch-controller managed-switch
edit <switch-id>
config ports
edit <port>
set qos-policy <CoS policy>
next
end
next
end

6. Check the QoS statistics on each switch port.

diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>

Configuring ECN for managed FortiSwitch devices

Explicit Congestion Notification (ECN) allows ECN-enabled endpoints to notify each other when they are experiencing
congestion. It is supported on the following FortiSwitch models: FS-3032E, FS-3032D, FS-1048E, FS-1048D, FS-5xxD
series, and FS-4xxE series.
On the FortiGate unit that is managing the compatible FortiSwitch unit, ECN can be enabled for each class of service
(CoS) queue to enable packet marking to drop eligible packets. The command is only available when the dropping policy
is weighted random early detection. It is disabled by default.

To configure FortiSwitch to enable ECN packet marking to drop eligible packets:

config switch-controller qos queue-policy
edit "ECN_marking"
set schedule round-robin
set rate-by kbps
config cos-queue
edit "queue-0"
set drop-policy weighted-random-early-detection
set ecn enable
next
edit "queue-1"
next
edit "queue-2"
next
...
end
next
end

Logging and monitoring

This section covers the following topics:
- FortiSwitch log settings on page 148
- Configuring FortiSwitch port mirroring on page 149
- Configuring SNMP on page 152
- Configuring sFlow on page 155
- Configuring flow tracking and export on page 156
- Configuring flow control and ingress pause metering on page 158

FortiSwitch log settings

You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog
server.

Exporting logs to FortiGate

You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is
global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported
FortiSwitch logs.
To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.
Use the following CLI command syntax:
config switch-controller switch-log
set status {*enable | disable}
set severity {emergency | alert | critical | error | warning | notification | *information |
debug}
end

You can override the global log settings for a FortiSwitch unit, using the following commands:
config switch-controller managed-switch
edit <switch-id>
config switch-log
set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

Sending logs to a remote Syslog server

Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog
servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-separated
values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the
remote Syslog server.

Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron |
authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 |
local4 | local5 | local6 | *local7}
next
end

You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following
commands:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp |
cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2
| local3 | local4 | local5 | local6 | *local7}
next
end
next
end

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same
FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for
external analysis and capture.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2
domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.
In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The
switching functionality is enabled on the dst interface when mirroring.
NOTE: RSPAN is supported on FSR-112D-POE and on platforms 2xx and higher.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By
focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount
of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP
ping. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN is supported on platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-
mirroring method.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config mirror
edit <mirror_name>
set status {active | inactive} // Required
set dst <port_name> // Required
set switching-packet {enable | disable}
set src-ingress <port_name>
set src-egress <port_name>
next
end
next
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config mirror
edit 2
set status active
set dst port1
set switching-packet enable
set src-ingress port2 port3
set src-egress port4 port5
next
end
next
end

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer
set mode rspan
config target-mac
edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address
set description <string>
end
config target-ip
edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address
set description <string>
end
config target-port
edit <FortiSwitch_serial_number>
set description <string>
set in-ports <portx porty portz ...> // mirror any traffic sent to these ports
set out-ports <portx porty portz ...> // mirror any traffic sent from these ports
end
end

For example:
config switch-controller traffic-sniffer
set mode rspan
config target-mac
edit 00:00:00:aa:bb:cc
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer
set mode erspan-auto
set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent
config target-mac
edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address
set description <string>
end
config target-ip
edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address
set description <string>
end
config target-port
edit <FortiSwitch_serial_number>
set description <string>
set in-ports <portx porty portz ...> // mirror traffic sent to these ports
set out-ports <portx porty portz ...> // mirror traffic sent from these ports
end
end

For example:
config switch-controller traffic-sniffer
set mode erspan-auto
set erspan-ip 10.254.254.254
config target-mac
edit 00:00:00:aa:bb:cc
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end


To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer
set mode none
end

Configuring SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers
have read-only access to FortiSwitch system information through queries and can receive trap messages from the
managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting
the FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of
the FortiSwitch units to use different settings from the global settings, configure SNMP locally.

Configuring SNMP globally

To configure SNMP globally, configure the following settings:
1. Configure the SNMP system information.
2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.

To configure the SNMP system information globally:

config switch-controller snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end

To configure the SNMP community globally:

config switch-controller snmp-community
edit <SNMP_community_ID>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
end

To configure the SNMP trap threshold values globally:

config switch-controller snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end

To configure the SNMP user globally:

config switch-controller snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes | des}
set priv-pwd <password_for_encryption_protocol>
end

Configuring SNMP locally

To configure SNMP for a specific FortiSwitch unit, configure the following settings:
1. Configure the SNMP system information.
2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.

To configure the SNMP system information locally:

config switch-controller managed-switch
set override-snmp-sysinfo enable
config snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
end

To configure the SNMP community locally:

config switch-controller managed-switch
set override-snmp-community enable
config snmp-community
edit <SNMP_community_ID>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
end

To configure the SNMP trap threshold values locally:

config switch-controller managed-switch
set override-snmp-trap-threshold enable
config snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
end

To configure the SNMP user locally:

config switch-controller managed-switch
set override-snmp-user enable
config snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes | des}
set priv-pwd <password_for_encryption_protocol>
end
end


Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact
performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch
implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined
intervals and sends it to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on
network throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.
sFlow can monitor network traffic in two ways:
• Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
• Counter samples—You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is
0.0.0.0, and the port number is 6343.
config switch-controller sflow
set collector-ip <x.x.x.x>
set collector-port <port_number>
end

Use the following CLI commands to configure sFlow:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set sflow-sampler {disabled | enabled}
set sflow-sample-rate <0-99999>
set sflow-counter-interval <1-255>
next
end
next
end

For example:
config switch-controller sflow
set collector-ip 1.2.3.4
set collector-port 10
end

config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set sflow-sampler enabled
set sflow-sample-rate 10
set sflow-counter-interval 60
next
end
next
end

Configuring flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet
Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all
FortiSwitch units, or on all FortiSwitch ingress ports.
When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on
the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking
configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking
set sample-mode {local | perimeter | device-ingress}
set sample-rate <0-99999>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set collector-ip <collector IP address>
set collector-port <0-65535; default is 0>
set transport {udp | tcp | sctp}
set level {vlan | ip | port | proto}
set filter <string>
set max-export-pkt-size <512-9216 bytes; default is 512>
set timeout-general <60-604800 seconds; default is 3600>
set timeout-icmp <60-604800 seconds; default is 300>
set timeout-max <60-604800 seconds; default is 604800>
set timeout-tcp <60-604800 seconds; default is 3600>
set timeout-tcp-fin <60-604800 seconds; default is 300>
set timeout-tcp-rst <60-604800 seconds; default is 120>
set timeout-udp <60-604800 seconds; default is 300>
end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.
• The local mode samples packets on a specific FortiSwitch port.
• The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports.
For perimeter mode, you can also configure the sampling rate.
• The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking.
For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number
of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol


You can set the format of exported flow data to NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX.

Configure the collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:
• vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port,
protocol, Type of Service, and VLAN from the sample packet.
• ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
• port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and
protocol from the sample packet.
• proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample
packet.

Configure the filter

Use Berkeley Packet Filter (BPF) syntax to specify which packets to sample.

Configure the maximum exported packet size

You can set the maximum size of exported packets at the application level.
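The collector side of the export described above, as an added example that is not Fortinet code: a decoder for the NetFlow v5 datagrams a FortiSwitch sends with set format netflow5, which scales the sampled packet and byte counts back up by the 1-out-of-N interval carried in the datagram header. It assumes the exporter fills that header field from its sample-rate; the datagram it parses is constructed inline, not a real capture.

```python
"""Collector-side decoder for NetFlow v5 datagrams as exported by FortiSwitch
flow tracking with 'set format netflow5' (added example, not Fortinet code)."""
import socket
import struct
from typing import Any, Dict, List

# NetFlow v5 wire layout, network byte order: a 24-byte header followed by
# up to 30 fixed 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30


def parse_netflow5(datagram: bytes) -> Dict[str, Any]:
    """Decode one datagram into a header dict carrying a list of record dicts.

    The header's sampling field (top 2 bits: mode, low 14 bits: interval N) is
    used to scale packet and byte counts back to estimated totals for
    1-out-of-N sampling, which is how the FortiSwitch sample-rate works. This
    assumes the exporter fills that field; a 0 leaves the counts unscaled.
    Malformed input raises ValueError instead of being read past its end.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: fewer bytes than the header count claims")

    sample_mode = sampling >> 14
    sample_rate = sampling & 0x3FFF
    scale = sample_rate or 1

    records: List[Dict[str, Any]] = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,
            "src_port": sport, "dst_port": dport,
            "proto": proto, "tos": tos, "tcp_flags": tcp_flags,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
            "packets": pkts, "bytes": octets,
            "est_packets": pkts * scale, "est_bytes": octets * scale,
            "duration_ms": last - first,      # first/last are sysUptime values in ms
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "export_time": unix_secs + unix_nsecs / 1e9,
        "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sample_mode": sample_mode, "sample_rate": sample_rate,
        "records": records,
    }


def build_sample_datagram() -> bytes:
    """Constructed test input (not a capture): two sampled flows exported with
    the default 1-out-of-512 sampling rate."""
    sampling = (1 << 14) | 512                 # mode 1 = packet sampling, N = 512
    header = struct.pack(HEADER_FMT, 5, 2, 120000, 1_600_000_000, 0, 1, 0, 0, sampling)

    def record(src, dst, sport, dport, proto, pkts, octets, flags, first, last):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 5, 10, pkts, octets, first, last,
                           sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

    return (header
            + record("192.0.2.10", "198.51.100.5", 52344, 443, 6, 3, 1500, 0x18, 100000, 119000)
            + record("192.0.2.11", "198.51.100.53", 40000, 53, 17, 1, 76, 0, 118000, 118000))


if __name__ == "__main__":
    parsed = parse_netflow5(build_sample_datagram())
    print(f"seq={parsed['flow_sequence']} sampling 1:{parsed['sample_rate']}")
    for r in parsed["records"]:
        print(f"{r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
              f"proto={r['proto']} est_packets={r['est_packets']} est_bytes={r['est_bytes']}")
```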

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6


Configuring flow control and ingress pause metering

Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set flow-control {both | rx | tx | disable}
next
end
end

Parameters enable flow control to do the following:
• rx—receive pause control frames
• tx—transmit pause control frames
• both—transmit and receive pause control frames
If you enable flow control to transmit pause control frames or to transmit and receive pause control frames, you can also
use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops the
traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when the
port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering rate in
kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set flow-control {tx | both}
set pause-meter <128–2147483647; set to 0 to disable>
set pause-meter-resume {25% | 50% | 75%}
next
end
end

For example:
config switch-controller managed-switch
edit S424ENTF19000007
config ports
edit port29
set flow-control tx
set pause-meter 900
set pause-meter-resume 50%
next
end
end


Operation and maintenance

This section covers the following topics:
• Managed FortiSwitch display on page 159
• FortiSwitch ports display on page 160
• FortiSwitch per-port device visibility on page 160
• Displaying, resetting, and restoring port statistics on page 161
• Network interface display on page 162
• Diagnostics and tools on page 162
• Data statistics on page 165
• Synchronizing the FortiGate unit with the managed FortiSwitch units on page 166
• Viewing and upgrading the FortiSwitch firmware version on page 166
• Registering FortiSwitch to FortiCloud on page 167
• Replacing a managed FortiSwitch unit on page 170
• Executing custom FortiSwitch scripts on page 175
• Resetting PoE-enabled ports on page 177

Managed FortiSwitch display

Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your FortiGate.
Select Topology from the drop-down menu in the upper right corner to see which devices are connected.
When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the
FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit
the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit
might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware
versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is
compatible with the firmware running on the FortiGate unit.

FortiSwitch 6.4.3 Managed by FortiOS 6.4 159


Fortinet, Inc.
Operation and maintenance

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit
from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
The following figure shows the display for a FortiSwitch 248E-FPOE:

Select Faceplates to get the following information:
• active ports (green)
• PoE-enabled ports (blue rectangle)
• FortiLink port (link icon)
If your device has PoE, the Faceplates page displays the total power budget and the actual power currently allocated.
The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved
power (power available for additional devices on the PoE ports).
Each entry in the port list displays the following information:
• Port status (red for down, green for up)
• Port name
• Whether the port is a member of a trunk
• Access mode
• Enabled features
• Native VLAN
• Allowed VLANs
• PoE status
• Device information
• DHCP snooping status
• Transceiver information

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each
device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:

diagnose switch-controller mac-cache show <switch-id>

Displaying, resetting, and restoring port statistics

For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all
managed FortiSwitch units.

To display port statistics of a managed FortiSwitch unit:

diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_name>

For example:
FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024 port8
Vdom: dmgmt-vdom
Vdom: roort
Vdom: root

S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

Vdom: vdom-1
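As an added example that is not part of the original guide, a parser for this port-stats output (the same format appears again under Data statistics) that turns each port's counters into a dictionary and flags ports whose line protocol is down or whose error and drop counters are non-zero, so the output can be fed to monitoring. The sample text is constructed in the format shown above: port8 is the page's own output, port9 and its counters are invented.

```python
"""Turn 'diagnose switch-controller switch-info port-stats' text into per-port
counters for monitoring (added example, not Fortinet code)."""
import re
from typing import Any, Dict, List, Optional, Tuple

PORT_RE = re.compile(r"^\s*Port\((\S+)\) is Admin (\w+), line protocol is (\w+)")
ADDR_RE = re.compile(r"^\s*Address is ([0-9A-Fa-f:]+)")
SPEED_RE = re.compile(r"^\s*(half|full)-duplex, (\d+) Mb/s")
DIR_RE = re.compile(r"^\s*(input|output)\s*:\s*(.*)$")
# A line made only of "<n> <name>" pairs; "MTU 9216 bytes, ..." does not match.
COUNTER_LINE_RE = re.compile(r"^\s*\d+ [a-z]+(?:,\s*\d+ [a-z]+)*\s*$")
COUNTER_RE = re.compile(r"(\d+) ([a-z]+)")
# The second line of an input/output group carries only these names.
CONTINUATION = {"unicasts", "multicasts", "broadcasts", "unknowns"}

# Constructed sample in the page's output format: port8 is the page's own
# output, port9 (invented) carries non-zero error counters.
SAMPLE_OUTPUT = """\
S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

Port(port9) is Admin up, line protocol is up
Address is 08:5B:0E:F1:95:EE, loopback is not set
full-duplex, 1000 Mb/s, link type is auto
input : 5381920 bytes, 41220 packets, 7 errors, 2 drops, 0 oversizes
40100 unicasts, 900 multicasts, 220 broadcasts, 0 unknowns
output : 2210044 bytes, 18023 packets, 0 errors, 0 drops, 0 oversizes
17900 unicasts, 100 multicasts, 23 broadcasts
0 fragments, 3 undersizes, 0 collisions, 0 jabbers
"""


def _counters(text: str) -> Dict[str, int]:
    return {name: int(value) for value, name in COUNTER_RE.findall(text)}


def parse_port_stats(text: str) -> Dict[str, Dict[str, Any]]:
    """Map port name -> {admin, line_protocol, mac, duplex, speed_mbps, input,
    output, other}; input/output/other are counter-name -> value dicts."""
    ports: Dict[str, Dict[str, Any]] = {}
    port: Optional[Dict[str, Any]] = None
    direction: Optional[str] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            name, admin, proto = m.groups()
            port = {"admin": admin, "line_protocol": proto, "mac": None, "duplex": None,
                    "speed_mbps": None, "input": {}, "output": {}, "other": {}}
            ports[name] = port
            direction = None
            continue
        if port is None:
            continue                      # Vdom / serial-number lines before the first port
        if m := ADDR_RE.match(line):
            port["mac"] = m.group(1)
        elif m := SPEED_RE.match(line):
            port["duplex"], port["speed_mbps"] = m.group(1), int(m.group(2))
        elif m := DIR_RE.match(line):
            direction = m.group(1)
            port[direction].update(_counters(m.group(2)))
        elif COUNTER_LINE_RE.match(line):
            counters = _counters(line)
            if direction and set(counters) <= CONTINUATION:
                port[direction].update(counters)
            else:
                port["other"].update(counters)   # fragments/undersizes/collisions/jabbers
                direction = None
    return ports


def find_problem_ports(ports: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (port, reason) pairs worth a look: link down while administratively
    up, or non-zero error-style counters in either direction."""
    problems: List[Tuple[str, str]] = []
    for name, port in sorted(ports.items()):
        if port["admin"] == "up" and port["line_protocol"] != "up":
            problems.append((name, "admin up but line protocol down"))
        for direction in ("input", "output"):
            for key in ("errors", "drops", "oversizes", "unknowns"):
                value = port[direction].get(key, 0)
                if value:
                    problems.append((name, f"{direction} {key}={value}"))
        for key in ("fragments", "undersizes", "collisions", "jabbers"):
            value = port["other"].get(key, 0)
            if value:
                problems.append((name, f"{key}={value}"))
    return problems
```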

To reset the port statistics counters of a managed FortiSwitch unit:

For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7

NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting
the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered
during the time when the counters are reset might be discarded.

To restore the port statistics counters of a managed FortiSwitch unit:

diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-port11,internal

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI
indicates Dedicated to FortiSwitch in the IP/Netmask field.

Diagnostics and tools

The Diagnostics and Tools form reports the general health of the FortiSwitch unit, displays details about the
FortiSwitch unit, and allows you to run diagnostic tests.


To view the Diagnostics and Tools form:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
From the Diagnostics and Tools form, you can do the following:
• Authorize or deauthorize the FortiSwitch.
• Upgrade the firmware running on the switch.
• Restart the FortiSwitch unit.
• Connect to CLI to run CLI commands.
• Show in List to return to the WiFi & Switch Controller > Managed FortiSwitch page.
• Go to the Edit Managed FortiSwitch form.
• Start or stop the LED Blink to identify a specific FortiSwitch unit.
• Display a list of FortiSwitch ports and trunks and configuration details.
• Run a Cable Test on a selected port.
• View the Logs for the FortiSwitch unit.
You can also access the Diagnostics and Tools form from the Security Fabric > Physical Topology page.

Run LED Blink

When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for
a specified number of minutes.

To identify a specific FortiSwitch unit:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
3. Select LED Blink > Start and then select 5 minutes, 15 minutes, 30 minutes, or 60 minutes.
4. After you locate the FortiSwitch unit, select LED Blink > Stop.
NOTE: For the 5xx switches, LED Blink flashes only the SFP port LEDs, instead of all the port LEDs.

Run Cable Test

NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.
You can check the state of cables connected to a specific port. The following pair states are supported:
• Open
• Short
• Ok
• Open_Short
• Unknown
• Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.

Using the GUI:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
3. Select Cable Test.
4. Select a port.
5. Select Diagnose.
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
• Crosstalk cannot be detected.
• There is a 5-second delay before results are displayed.
• The value for the cable length is inaccurate.
• The results are inaccurate for open and short cables.


Data statistics

This example shows a FortiLink scenario where the FortiGate acts as the switch controller that collects the data
statistics of managed FortiSwitch ports. The statistics are counted by each FortiSwitch unit and aggregated in the controller.

Sample topology

To show data statistics using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select Configure Table.
3. Select Bytes, Errors and Packets to make them visible.
The related data statistic of each managed FortiSwitch port is shown.

To show data statistics using the CLI:

# diagnose switch-controller switch-info port-stats S248EPTF180XXXX
......
  Port(port50) is Admin up, line protocol is down
  Interface Type is Gigabit Media Independent Interface(GMII)
  Address is 70:4C:A5:E0:F3:8D, loopback is not set
  MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
  full-duplex, 1000 Mb/s, link type is manual
  input  : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
           0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
  output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
           0 unicasts, 0 multicasts, 0 broadcasts
  0 fragments, 0 undersizes, 0 collisions, 0 jabbers
......

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each
managed FortiSwitch unit.
Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>

Viewing and upgrading the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware
version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. In the main panel, select the FortiSwitch faceplate and click Edit.
3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Select the faceplates of the FortiSwitch units that you want to upgrade.
3. Click Upgrade. The Upgrade FortiSwitches page opens.
4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all
FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at
a time for upgrading.
5. Select Upgrade.

Using the CLI

Use the following command to stage a firmware image on all FortiSwitch units:
diagnose switch-controller switch-software stage all <image id>

Use the following command to upgrade the firmware image on one FortiSwitch unit:

diagnose switch-controller switch-software upgrade <switch id> <image id>

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
config switch-controller global
set https-image-push enable
end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model
using a single execute command. The command includes the name of a firmware image file, and all of the managed
FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay:
execute switch-controller switch-action restart delay all

Registering FortiSwitch to FortiCloud

After authorizing a FortiSwitch, administrators can register the FortiSwitch to FortiCloud directly from the FortiOS GUI.

To register the FortiSwitch in the GUI:

1. Go to WiFi & Switch Controller > Managed FortiSwitch and ensure the Topology view is selected.
2. In the topology, right-click on an unregistered device and click Registration.


3. Complete the device registration wizard:
a. Click Register to proceed.
b. Enter the FortiCloud account information and click Submit.
The registration information is submitted to FortiCare, and FortiOS attempts to collect the registration status
from FortiGuard. Since FortiGuard and FortiCare synchronize periodically, the registration status may not
update immediately (it may take up to a few hours).


c. Click Close.
4. After a while, go back to WiFi & Switch Controller > Managed FortiSwitch.
5. Right-click on the device and click Registration. The device is shown as Registered to the corresponding
FortiCloud account.

To register the FortiSwitch in the CLI:

# diagnose forticare direct-registration product-registration -N S124DP3X15000000 -a xxxx@fortinet.com -p LDAP -T "CA" -R "other" -e 1
Account info:
contract_number=[] account_id=[xxxx@fortinet.com] password=[***]
reseller_id=0 reseller=[other]
first_name=[] last_name=[] company=[]
title=[] address=[] city=[]
state=[] state_code=[] country_code=0
post_code=[] phone=[] fax=[]
industry=[] industry_id=0 orgsize=[] orgsize_id=0
version=0 SN=[S124DP3X15000000] existing=1
Prepare to register product into this account.
Do you want to continue? (y/n)y
Registration successful

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same
FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces.
The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.
NOTE:
• Both FortiSwitch units must be of the same model.
• The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
• If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL
trunk.
• After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a
different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
• If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch
to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by the
FortiGate unit with the correct configuration.

To replace a managed FortiSwitch unit:

1. Unplug the failed FortiSwitch unit.
2. Plug in the replacement FortiSwitch unit.
3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed
FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 166.
4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
5. Check the serial number of the replacement FortiSwitch unit.
6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
7. Select the faceplate of the failed FortiSwitch unit.
8. Select Deauthorize.
9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the
new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully
managed by the FortiGate unit with the correct configuration.
10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

config vdom
edit <VDOM_name>
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom
edit vdom_new
execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_


FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.


11. Authorize the replaced managed FortiSwitch unit.
12. Connect the rest of the cables required for the uplinks and downlinks for the MCLAG FortiSwitch units.

To rename the MCLAG-ICL trunk:

After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different
trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches.
You need a maintenance window for the change.
1. Shut down the FortiLink interface on the FortiGate unit.
a. On the FortiGate unit, execute the show system interface command. For example:

FG3K2D3Z17800156 # show system interface root-lag
config system interface
edit "root-lag"
set vdom "root"
set fortilink enable
set ip 10.105.60.254 255.255.255.0
set allowaccess ping capwap
set type aggregate
set member "port45" "port48"
config managed-device

b. Write down the member port information. In this example, port45 and port48 are the member ports.
c. Shut down the member ports with the config system interface, edit <member-port#>, set
status down, and end commands. For example:

FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status down
FG3K2D3Z17800156 (port48) # next // repeat for each member port
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status down
FG3K2D3Z17800156 (port45) # end

d. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For
example:

FG3K2D3Z17800156 # exec switch-controller get-conn-status
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-root-lag
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1

2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
a. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that
includes the set mclag-icl enable command in its configuration and write down the member ports and
configuration information. For example:

icl-sw1 # show switch trunk
config switch trunk
...
edit "D483Z17000282-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable // look for this line
set members "port27" "port28" // note the member ports
next
end

b. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch
mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For
example:

icl-sw1 # show switch interface D483Z17000282-0
config switch interface
edit "D483Z17000282-0"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set dhcp-snooping trusted
set stp-state disabled
set edge-port disabled
set igmps-flood-reports enable
set igmps-flood-traffic enable
set snmp-index 57
next
end

icl-sw1 # diag switch mclag icl
D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60

Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1

icl-sw1 # diagnose switch trunk sum D483Z17000282-0
Trunk Name       Mode                              PSC         MAC                Status   Up Time
________________ _________________________________ ___________ _________________  ________ _________________________________
D483Z17000282-0  lacp-active(auto-isl,mclag-icl)   src-dst-ip  70:4C:A5:86:6E:00  up(2/2)  0 days,0 hours,16 mins,4 secs

c. Shut down the ICL member ports using the config switch physical-port, edit <member
port#>, set status down, next, and end commands. For example:

icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status down
icl-sw1 (port27) # n // repeat for each ICL member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status down
icl-sw1 (port28) # next
icl-sw1 (physical-port) # end

d. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete
<mclag-icl-trunk-name>, and end commands. For example:

icl-sw1 # config switch trunk
icl-sw1 (trunk) # delete D483Z17000282-0
icl-sw1 (trunk) # end

e. Use the show switch trunk command to verify that the trunk is deleted.
f. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the
set auto-isl 0 command in the configuration. For example:

icl-sw1 # config switch trunk
icl-sw1 (trunk) # edit MCLAG-ICL
new entry 'MCLAG-ICL' added
icl-sw1 (MCLAG-ICL) # set mode lacp-active
icl-sw1 (MCLAG-ICL) # set auto-isl 0
icl-sw1 (MCLAG-ICL) # set members "port27" "port28"
icl-sw1 (MCLAG-ICL) # set mclag-icl enable
icl-sw1 (MCLAG-ICL) # end

g. Use the show switch trunk command to check the trunk configuration.
h. Start the trunk member ports by using the config switch physical-port, edit <member port#>,
set status up, next, and end commands. For example:

icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status up
icl-sw1 (port27) # next // repeat for each trunk member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status up
icl-sw1 (port28) # end

NOTE: Follow steps 2a through 2h on both switches.

3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit
<interface-member-port>, set status up, next, and end commands. For example:

FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status up
FG3K2D3Z17800156 (port45) # next // repeat on all member ports
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status up
FG3K2D3Z17800156 (port48) # next
FG3K2D3Z17800156 (interface) # end

4. Check the configuration and status on both MCLAG-ICL switches.
a. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk
summary <new-trunk-name> commands. For example:

icl-sw1 # show switch trunk
config switch trunk
<snip>
edit "MCLAG-ICL"
set mode lacp-active
set mclag-icl enable
set members "port27" "port28"
next
end

icl-sw1 # show switch interface MCLAG-ICL
config switch interface
edit "MCLAG-ICL"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set dhcp-snooping trusted
set stp-state disabled
set igmps-flood-reports enable
set igmps-flood-traffic enable
set snmp-index 56
next
end

icl-sw1 # diagnose switch mclag icl
MCLAG-ICL
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:5
peer-serial-number FS1D483Z17000282
Local uptime 0 days 2h:11m:13s
Peer uptime 0 days 2h:11m: 7s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60

Counters
received keepalive packets 5838
transmited keepalive packets 6279
received keepalive drop packets 27
receive keepalive miss 1

icl-sw1 # diagnose switch trunk summary MCLAG-ICL
Trunk Name       Mode                              PSC         MAC                Status   Up Time
________________ _________________________________ ___________ _________________  ________ _________________________________
MCLAG-ICL        lacp-active(auto-isl,mclag-icl)   src-dst-ip  70:4C:A5:86:6E:00  up(2/2)  0 days,1 hours,4 mins,57 secs

b. Compare the command results in step 4a with the command results in step 2b.
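
The rename procedure above leaves two things to be checked by eye: which entry in the show switch trunk output is the ICL (step 2a), and whether the ICL diagnostics collected after the rename (step 4a) still match those collected in step 2b. The following Python helper is an added example, not Fortinet code and not part of FortiOS or FortiSwitchOS. It parses sample outputs constructed from the transcripts in this section, locates the trunk carrying set mclag-icl enable, verifies that the re-created trunk keeps the same members and ICL setting, and diffs the diagnose switch mclag icl fields that must come back unchanged while ignoring the trunk name and the uptimes, which are expected to differ. The key names in DIAG_KEYS are taken from the transcripts above; the assumption that the trunk name is always the first line of the diagnostic output is the example's own.

```python
import re

# Constructed from the transcripts in this section: 'show switch trunk' before
# the rename, and 'diagnose switch mclag icl' before and after it.
SHOW_TRUNK_BEFORE = """config switch trunk
    edit "uplink-lag"
        set mode lacp-active
        set members "port1" "port2"
    next
    edit "D483Z17000282-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port27" "port28"
    next
end
"""
# What step 2g should show: same members, new name, auto-isl no longer set.
SHOW_TRUNK_AFTER = (SHOW_TRUNK_BEFORE.replace('"D483Z17000282-0"', '"MCLAG-ICL"')
                    .replace("        set auto-isl 1\n", ""))
DIAG_ICL_BEFORE = """D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
"""
# After the rename only the trunk name and the uptimes are expected to differ.
DIAG_ICL_AFTER = (DIAG_ICL_BEFORE.replace("D483Z17000282-0", "MCLAG-ICL")
                  .replace("1h:49m:24s", "2h:11m:13s").replace("1h:49m:17s", "2h:11m: 7s"))

# Keys printed by 'diagnose switch mclag icl'. Multi-word keys are listed so that
# values such as '0 days 1h:49m:24s' are not split on spaces.
DIAG_KEYS = ("icl-ports", "egress-block-ports", "interface-mac", "lacp-serial-number",
             "peer-mac", "peer-serial-number", "Local uptime", "Peer uptime",
             "MCLAG-STP-mac", "keepalive interval", "keepalive timeout")
# Fields that must be identical before and after; uptimes restart with the trunk.
STABLE_KEYS = tuple(k for k in DIAG_KEYS if "uptime" not in k)

def parse_trunks(show_output):
    """Parse 'show switch trunk' output into {trunk_name: {setting: value}}."""
    trunks, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            trunks[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            # members are quoted: "port27" "port28" -> ['port27', 'port28']
            trunks[current][key] = re.findall(r'"([^"]+)"', value) if key == "members" else value
    return trunks

def find_icl_trunk(show_output):
    """Step 2a: (name, members) of the trunk with 'set mclag-icl enable', else None."""
    for name, settings in parse_trunks(show_output).items():
        if settings.get("mclag-icl") == "enable":
            return name, settings.get("members", [])
    return None

def parse_diag_icl(diag_output):
    """Parse 'diagnose switch mclag icl' output; the first line is the trunk name."""
    lines = [l.strip() for l in diag_output.splitlines() if l.strip()]
    fields = {"name": lines[0]}
    for line in lines[1:]:
        for key in DIAG_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key):].strip()
                break
    return fields

def compare_icl(before, after):
    """Step 4b: (field, before, after) for every stable field that changed."""
    b, a = parse_diag_icl(before), parse_diag_icl(after)
    return [(k, b.get(k), a.get(k)) for k in STABLE_KEYS if b.get(k) != a.get(k)]

def check_rename(show_before, show_after, new_name):
    """Steps 2e and 2g: the old ICL trunk is gone and the new one keeps the
    same members and 'set mclag-icl enable'. Returns a list of problems."""
    old = find_icl_trunk(show_before)
    if old is None:
        return ["no trunk with 'set mclag-icl enable' in the original configuration"]
    old_name, old_members = old
    after, problems = parse_trunks(show_after), []
    if old_name in after:
        problems.append(f"old trunk {old_name} still present")
    new = after.get(new_name)
    if new is None:
        return problems + [f"new trunk {new_name} not found"]
    if new.get("mclag-icl") != "enable":
        problems.append(f"{new_name} is missing 'set mclag-icl enable'")
    if new.get("members") != old_members:
        problems.append(f"{new_name} members {new.get('members')} != {old_members}")
    return problems
```

Run check_rename on the show switch trunk output captured before step 2c and after step 2g, and compare_icl on the two diagnose switch mclag icl captures; both return an empty list when the ICL came back exactly as it was, and either list doubles as the record for the maintenance window. Paste real captures in place of the constructed strings.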

Executing custom FortiSwitch scripts

From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains
generic FortiSwitch commands.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.

Create a custom script

Use the following syntax to create a custom script from the FortiGate unit:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch_command>"
end

NOTE: You need to use %0a to indicate a return.

For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
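
As an added example (not part of FortiOS or the FortiSwitch product), the Python below builds the %0a-joined set command string from a list of FortiSwitch CLI lines, decodes a stored string back into its lines, and refuses a script whose config or edit blocks are not closed by end or next, so that a half-finished script is caught before it is pushed to every switch it is bound to. The nesting rules (next closes an edit; end closes the innermost config block) are those visible in the CLI transcripts in this section; rejecting double quotes inside the script is this example's own restriction, since FortiOS wraps the whole script in double quotes and the page does not document how to escape them.

```python
# Added example: build and sanity-check the single-line script string that
# 'config switch-controller custom-command' stores in 'set command'. FortiOS
# marks line breaks with %0a (see the stp-age-10 example above).
NEWLINE_TOKEN = "%0a"

def encode_script(lines):
    """Join FortiSwitch CLI lines into one 'set command' string, %0a after each line."""
    cleaned = [line.strip() for line in lines if line.strip()]
    return " ".join(f"{line} {NEWLINE_TOKEN}" for line in cleaned)

def decode_script(command):
    """Split a stored 'set command' string back into the CLI lines it carries."""
    return [part.strip() for part in command.split(NEWLINE_TOKEN) if part.strip()]

def check_script(lines):
    """Return a list of nesting problems; [] means the script is well formed.
    Catches the common mistake of leaving out the trailing 'end', which would
    leave the switch shell inside a config block when the script finishes."""
    stack, problems = [], []
    for n, line in enumerate(lines, 1):
        words = line.split()
        if not words:
            continue
        word = words[0]
        if word in ("config", "edit"):
            stack.append(word)
        elif word == "next":
            if not stack or stack[-1] != "edit":
                problems.append(f"line {n}: 'next' without an open 'edit'")
            else:
                stack.pop()
        elif word == "end":
            if "config" not in stack:
                problems.append(f"line {n}: 'end' without an open 'config'")
            else:
                # 'end' closes the innermost config block and any edit inside it
                while stack.pop() != "config":
                    pass
    if stack:
        problems.append("unterminated block(s): " + " ".join(stack))
    return problems

def custom_command_cli(name, lines):
    """Render the FortiGate CLI block that creates the custom script <name>.
    Raises ValueError rather than emitting a script that cannot run cleanly."""
    problems = check_script(lines)
    if problems:
        raise ValueError("; ".join(problems))
    if any('"' in line for line in lines):
        # assumption of this example: the script is wrapped in double quotes on
        # the FortiGate side, so embedded quotes are refused instead of guessed at
        raise ValueError("double quotes inside the script are not supported here")
    return "\n".join([
        "config switch-controller custom-command",
        f'    edit "{name}"',
        f'        set command "{encode_script(lines)}"',
        "end",
    ])

# Constructed input: the STP max-age script from this section.
STP_AGE_10 = ["config switch stp setting", "set max-age 10", "end"]
```

custom_command_cli("stp-age-10", STP_AGE_10) reproduces the CLI block shown above; feeding it the same list without the final "end" raises ValueError("unterminated block(s): config") instead, which is the check worth running on any script before it is bound to a managed switch.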

Execute a custom script once

After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the
custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch
unit:
execute switch-controller custom-command <cmd-name> <target-switch>

For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118

Bind a custom script to a managed switch

If you want the custom script to be part of the managed switch's configuration, the custom script must be bound to the
managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be
overwritten locally.
Use the following syntax to bind a custom script to a managed switch:
config switch-controller managed-switch
edit "<FortiSwitch_serial_number>"
config custom-command
edit <custom_script_entry>
set command-name "<name_of_custom_script>"
next
end
next
end

For example:
config switch-controller managed-switch
edit "S524DF4K15000024"
config custom-command
edit 1
set command-name "stp-age-10"
next
end
next
end

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more
PoE-enabled ports and select Reset PoE from the context menu.
You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of
interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the
context menu.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
FortiSwitchOS - Administration Guide—Standalone Mode
Version 6.4.3

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

October 29, 2020

FortiSwitchOS 6.4.3 Administration Guide—Standalone Mode
11-643-646830-20201029
TABLE OF CONTENTS

Change log 13
Introduction 14
Supported models 14
What's new in FortiSwitchOS 6.4.3 14
Feature matrix: FortiSwitchOS 6.4.3 17
Before you begin 24
How this guide is organized 24
Management ports 26
Models without a dedicated management port 26
Models with a dedicated management port 29
Remote access to the management port 31
Example configurations 32
Configuring administrator tasks 35
Setting the time and date 35
Configuring system banners 36
Configuring the temperature sensor 38
Upgrading the firmware 38
Verifying image integrity 40
Restore or upgrade the BIOS 40
Setting the boot partition 40
Backing up the system configuration 41
Remote authentication servers 41
RADIUS server 41
TACACS+ server 43
Configuring system administrators 44
Administrator profiles 45
Creating administrator profiles 45
Access control 46
Adding administrators 48
Monitoring administrators 49
Setting the default administrator password 49
Setting the password retries and lockout time 50
Setting the idle timeout 50
Configuring administrative logins 51
Using PKI 52
Configuring security checks 53
Syntax (for model FS-112D-POE) 53
Syntax (for all other FortiSwitch models) 54
Logging 55
Syslog server 56
Fault relay support 57
Using SSH and the Telnet client 57

FortiSwitchOS 6.4.3 Administration Guide—Standalone Mode 3


Fortinet, Inc.
Configuring SNMP 58
SNMP access 58
SNMP agent 59
SNMP community 59
Adding an SNMP v1/v2c community 59
Adding an SNMP v3 user 60
Global system and switch settings 61
Configuration file settings 61
SSL configuration 62
Configuration file revisions 63
IP conflict detection 64
Configuring IP conflict detection 64
Viewing IP conflict detection 64
Port flap guard 64
Retaining the triggered state 65
Configuring the port flap guard 65
Resetting a port 66
Viewing the port flap guard configuration 67
Link monitor 67
Configuring the link monitor 67
Unicast hashing 69
Cut-through switching mode 69
Enabling packet forwarding 69
ARP timeout value 69
Power over Ethernet configuration 70
Creating a schedule 71
Overlapping subnets 72
Configuring PTP transparent-clock mode 73
Configuring auto topology 74
Physical port settings 75
Configuring general port settings 75
Viewing port statistics 76
Configuring flow control, priority-based flow control, and ingress pause metering 77
Auto-module speed detection 78
Setting port speed (autonegotiation) 78
Viewing auto-module configuration 79
Link-layer discovery protocol 79
Configuring power over Ethernet on a port 79
Enabling or disabling PoE in the GUI 80
Configuring PoE in the CLI 80
Determining the PoE power capacity 80
Resetting the PoE power 81
Displaying PoE information 81
Energy-efficient Ethernet 81
Diagnostic monitoring interface module status 83

Configuring split ports 84
Notes 84
Configuring a split port 85
Configuring QSFP low-power mode 87
Configuring physical port loopbacks 87
Layer-2 interfaces 88
Switched interfaces 88
Viewing interface configuration 88
Dynamic MAC address learning 89
Configuring dynamic MAC address learning 89
Changing when MAC addresses are deleted 89
Logging dynamic MAC address events 90
Using the learning-limit violation log 90
Persistent (sticky) MAC addresses 91
Static MAC addresses 92
Loop guard 93
Configuring loop guard 93
Viewing the loop guard configuration 94
VLANs and VLAN tagging 95
Native VLAN 95
Allowed VLAN list 95
Untagged VLAN list 96
Packet processing 96
Ingress port 96
Egress port 96
Configuring VLANs 97
Example 1 97
Purple flow 98
Blue flow 98
Example 2 98
Green flow 99
Blue flow 99
VLAN stacking (QinQ) 99
Spanning Tree Protocol 104
MSTP overview and terminology 104
Regions 104
IST 104
CST 105
Hop count and message age 105
STP port roles 105
STP loop protection 105
STP root guard 106
STP BPDU guard 106
MSTP configuration 107
Configuring STP settings 107
Configuring an MST instance 109

Configuring an STP edge port 111
Configuring STP loop protection 111
Configuring STP root guard 112
Configuring STP BPDU guard 112
Interactions outside of the MSTP region 114
Viewing the MSTP configuration 114
Support for interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+) 114
Viewing the configuration 115
Link aggregation groups 116
Configuring the trunk and LAG ports 116
Example configuration 117
Checking the trunk configuration 118
MCLAG 119
Notes 119
Example configuration 120
Detecting a split-brain state 121
Viewing the configured trunk 121
Configuring an MCLAG with IGMP snooping 121
Multi-stage load balance 123
Configuring the trunk ports 124
Heartbeats 124
Configuring heartbeats 124
LLDP-MED 126
Configuration notes 126
LLDP global settings 127
Setting the asset tag 128
Configuring the location table 128
Configuring LLDP profiles 131
LLDP-MED network policies 131
Custom TLVs (organizationally specific TLVs) 131
802.1 TLVs 132
802.3 TLVs 132
Auto-ISL 132
Assigning a VLAN to a port in the LLDP profile 133
Configuring an LLDP profile for the port 134
Enabling LLDP on a port 135
Checking the LLDP configuration 135
Configuration deployment example 136
Checking LLDP details 138
LLDP OIDs 138
MAC/IP/protocol-based VLANs 140
Overview 140
MAC based 140
IP based 140
Protocol based 140

Configuring MAC/IP/protocol-based VLANs 141
Example configuration 142
Checking the configuration 143
Mirroring 144
Configuring a SPAN mirror 146
Multiple mirror destination ports (MTPs) 147
Configuring an RSPAN mirror 149
Configuring an ERSPAN auto mirror 150
Configuring an ERSPAN manual mirror 151
Access control lists 153
ACL policy attributes 153
Configuring an ACL policy 154
Creating an ACL ingress policy 154
Creating an ACL egress policy 156
Creating an ACL prelookup policy 157
Creating or customizing a service 159
Creating a policer 159
Viewing counters 160
Clearing counters 160
Clearing unused classifiers 160
Configuration examples 161
Storm control 164
Configuring system-wide storm control 164
Configuring port-level storm control 165
Displaying the storm-control configuration 165
DHCP snooping 166
Configuring DHCP snooping 166
Set the system-wide DHCP-snooping options 166
Configure the VLAN settings 167
Configure the interface settings 169
Checking the DHCP-snooping configuration 170
Removing an entry from the DHCP-snooping binding database 171
IP source guard 172
Configuring IP source guard 172
1. Enable IP source guard 172
2. Configure IP source-guard static entries 173
3. Check the IP source-guard entries 173
4. Check the IP source-guard violation log 174
Dynamic ARP inspection 175
Configuring DAI 175
Checking ARP packets 176
IGMP snooping 177
Notes 177
Configuring IGMP snooping 179
Configuring the IGMP querier 183

Configuring mRouter ports 184
MLD snooping 185
Notes 186
Configuring MLD snooping 186
Configuring the MLD querier 189
IPv6 router advertisement guard 190
Configuring IPv6 RA guard 190
Create an IPv6 access list 190
Create an IPv6 prefix list 191
Create an IPv6 RA-guard policy 192
Apply the IPv6 RA-guard policy 192
View available IPv6 RA-guard policies 193
Private VLANs 194
Creating and enabling a PVLAN 194
Configuring the PVLAN ports 195
Private VLAN example 195
Quality of service 197
Classification 198
Marking 198
Queuing 199
Determining the egress queue 199
Packets with DSCP and CoS values 199
Packets with a CoS value but no DSCP value 200
Packets with a DSCP value but no CoS value 200
Configuring FortiSwitch QoS 200
Configure an 802.1p map 200
Configure a DSCP map 201
Configure the QoS egress policy 202
Configure the egress drop mode 203
Configure the switch ports 204
Configure QoS on trunks 205
Configure QoS on VLANs 205
Configure CoS and DSCP markings 206
Checking the QoS statistics 206
Clearing and restoring QoS statistics 207
sFlow 208
About sFlow 208
Configuring sFlow 208
Checking the sFlow configuration 210
Feature licensing 211
About licenses 211
Configuring licenses 211
Layer-3 interfaces 213
Loopback interfaces 213
Configuring loopback interfaces 213

Switch virtual interfaces 214
Configuring a switch virtual interface 214
Example SVI configuration 214
Viewing the SVI configuration 215
Layer-3 routing in hardware 215
Router activity 215
Equal cost multi-path (ECMP) routing 216
Configuring ECMP 216
Example ECMP configuration 216
Viewing ECMP configuration 218
Bidirectional forwarding detection 218
Configuring BFD 218
Viewing BFD configuration 219
Unicast reverse-path forwarding (uRPF) 219
Configuring uRPF 219
IP-MAC binding 220
Configuring IP-MAC binding 220
Viewing IP-MAC binding configuration 221
Virtual routing and forwarding 221
DHCP server and relay 224
Configuring a DHCP server 224
Configuring the IP address range 228
Excluding addresses in DHCP 228
Assigning IP settings to specific MAC addresses 228
Configuring DHCP custom options 229
Listing DHCP leases 229
Breaking DHCP leases 229
Detailed operation of a DHCP relay 230
Configuring a DHCP relay 230
OSPF routing 232
How OSPF works 232
Configuring OSPF 234
Check the OSPF configuration 237
Example configuration 237
RIP routing 240
Terminology 240
Configuring RIP routing 241
Checking the RIP configuration 249
Example configuration 250
VRRP 253
Configuring VRRP 253
Checking the VRRP configuration 255
BGP routing 256
Parts and terminology of BGP 256
BGP and IPv6 256
Role of routers in BGP networks 256

Speaker routers 257
Peer routers or neighbors 257
Route reflectors 259
Confederations 260
Network Layer Reachability Information 261
BGP attributes 261
AS_PATH 262
MULTI_EXIT_DESC 262
COMMUNITY 263
NEXT_HOP 263
ATOMIC_AGGREGATE 263
ORIGIN 264
How BGP works 264
IBGP versus EBGP 265
BGP path determination: Which route to use 265
Decision phase 1 266
Decision phase 2 267
Decision phase 3 267
Aggregate routes and addresses 267
Troubleshooting BGP 268
Clearing routing table entries 268
Route flap 268
Holdtime timer 269
Dampening 269
BFD 270
Configuring BGP 270
Other BGP commands 271
Sample configurations 272
Configure system interfaces 272
Internal BGP 273
External BGP 274
PIM routing 276
Terminology 276
Configuring PIM 276
Checking the PIM configuration 277
IS-IS routing 278
Terminology 278
Configuring IS-IS 278
Configuring BFD for IS-IS 281
Checking the IS-IS configuration 281
Users and user groups 282
Users 282
User groups 283
MACsec 285
Creating the MACsec profile 285
Applying the MACsec profile to a port 288

Viewing the MACsec details 288
Clearing or resetting the MACsec statistics 288
802.1x authentication 289
Dynamic VLAN assignment 290
MAC authentication bypass (MAB) 291
Configuring global settings 293
Configuring the 802.1x settings on an interface 295
Viewing the 802.1x details 297
Clearing port authorizations 298
Authenticating users with a RADIUS server 299
Example: RADIUS user group 302
Example: dynamic VLAN 306
Authenticating an admin user with RADIUS 307
RADIUS accounting and FortiGate RADIUS single sign-on 310
Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on 310
Example: RADIUS accounting and single sign-on 312
RADIUS change of authorization (CoA) 312
Configuring CoA and disconnect messages 313
Example: RADIUS CoA 314
Viewing the CoA configuration 315
Use cases 315
Use case 1 315
Use case 2 316
Use case 3 317
Detailed deployment notes 318
TACACS 319
Administrative accounts 319
Configuring a TACACS admin account 319
User accounts 320
Configuring a user account 320
Configuring a user group 320
Example configuration 320
Troubleshooting and support 322
Dashboard 322
Operation mode 322
FortiSwitch Cloud 323
Bandwidth 324
Losses 325
Virtual wire 325
TFTP network port 326
Cable diagnostics 327
Selective packet sampling 328
Packet capture 328
Create a packet-capture profile 329
Start the packet capture 330
Pause or stop the packet capture 330

Display or upload the packet capture 331
Delete the packet-capture file 331
Network monitoring 332
Directed mode 332
Survey mode 333
Network monitoring statistics 334
Flow tracking and export 335
Enabling packet sampling 335
Configuring flow export 335
Viewing the flow-export data 337
Deleting the flow-export data 337
Identifying a specific FortiSwitch unit 337
Deployment scenario 338
Working configuration for PC and phone for 802.1x authentication using MAC 338
Summary 338
A. Configure all devices 338
B. Authenticate phone using MAB 342
C. Authenticate the PC using EAP dot1x 344
Appendix: FortiSwitch-supported RFCs 346
BFD 346
BGP 346
DHCP 347
IP/IPv4 347
IP multicast 347
IPv6 347
IS-IS 348
MIB 348
OSPF 349
Other protocols 349
RADIUS 349
RIP 350
SNMP 350
Appendix: Supported attributes for RADIUS CoA and RSSO 351

Change log

Date | Change Description
October 29, 2020 | Initial release for FortiSwitchOS 6.4.3

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you
manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the
GUI) or the CLI.
If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed
by FortiOS 6.4.
This chapter covers the following topics:
l Supported models on page 14
l What's new in FortiSwitchOS 6.4.3 on page 14
l Feature matrix: FortiSwitchOS 6.4.3 on page 17
l Before you begin on page 24
l How this guide is organized on page 24

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series,
and F-series models.

What's new in FortiSwitchOS 6.4.3

Release 6.4.3 provides the following new features:

l You can now view the details of bidirectional forwarding detection (BFD) neighbors by going to Router > Monitor >
BFD Neighbor.
l You can now view the flow-export data by going to System > Flow Export > Monitor.
l All log entries can now be viewed from the Log > Entries page; they can be filtered by subtype, level, user, user interface,
action, and status. A new Delete All button allows you to delete all log entries.
l Packet capture is now supported in the GUI, as well as the CLI and REST API.
l You can now view or clear all access control list (ACL) counters by going to Switch > Monitor > ACL Counters.
l You can now check the VRRP status by going to Router > Monitor > VRRP.
l You can now configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured,
the FortiSwitch unit will send IGMP queries version 2 when no external querier is present. When the IGMP querier
version 3 is configured, the FortiSwitch unit will send IGMP queries version 3 when no external querier is present.
l More services are available when configuring the classifier in the GUI for the egress and prelookup policies.
l Media Access Control security (MACsec) is now supported.
l You can now use the diagnose switch physical-ports qos-rates list [<list_of_ports>]
command to view the real-time egress QoS queue rates, including the data rate, line rate, and drop rate.

l When a neighboring router has a graceful restart, the FortiSwitch unit now enters the helper (neighbor) mode and
keeps the restarting router in the forwarding path for OSPF routing.
l OSPF database overflow protection is now supported.
l IPv6 support has been expanded. You can now use IPv6 addresses with BGP routing, IS-IS routing, and RIP
routing. Multicast Listener Discovery (MLD) snooping, MLD proxy, and MLD querier are now supported for IPv6
multicast traffic.
l IPv4 and IPv6 static routes now support virtual routing and forwarding (VRF).
l You can now view events that violate the IP source-guard settings with the IP source-guard violation log.
l You can now specify system banner messages in the CLI that will appear when users log in using either the CLI or
the GUI.
l You can now configure the maximum burst size allowed by storm control per port or per switch.
l You can use the new diagnose certificate {all | ca | local | remote} commands to verify
your system certificates.
The following REST API changes were made in this release:
l You can now use the current release version in the FortiSwitch REST API requests
(https://<switch_IP_address>/api/v<x.x.x>/) to get the latest (v6.4.3) schema content in the response. You can still use
FortiSwitch REST API requests with https://<switch_IP_address>/api/v2/ to get the older v2 schema in the response.
l The monitor/switch/log endpoint is now monitor/system/log.
l The new cmdb/router/ripng endpoint supports RIP routing for IPv6 traffic.
l The new cmdb/switch.mld-snooping/globals endpoint supports MLD snooping.
l The cmdb/router/route-map endpoint now supports RIP routing for IPv6 traffic and IS-IS routing for IPv6
traffic.
l The cmdb/router/isis endpoint now supports IS-IS routing for IPv6 traffic.
l The cmdb/router/bgp endpoint now supports BGP routing for IPv6 traffic.
l The cmdb/system/global endpoint now supports specifying system banner messages that will appear when
users log in using either the CLI or the GUI.
l The cmdb/switch/physical-port endpoint and the cmdb/switch/storm-control endpoint now
support configuring the maximum burst size allowed by storm control.
The following CLI changes were made in this release:
l Under the config router ospf command, the set default-information-route-map command has
been removed.
l Under the config router isis command, the set default-information-route-map command has
been removed.
l Under the config switch vlan command, set igmp-fast-leave is now set igmp-snooping-fast-leave.
l Under the config switch vlan command, set igmp-proxy is now set igmp-snooping-proxy.
l Under the config switch vlan command, set querier-addr is now set igmp-snooping-querier-addr.
l Under the config switch vlan command, config igmp-static-group is now config igmp-snooping-static-group.
l Under the config switch interface command, set igmps-flood-reports is now set igmp-snooping-flood-reports.
l Under the config switch interface command, set igmps-flood-traffic is now set mcast-snooping-flood-traffic.

FortiSwitchOS 6.4.3 Administration Guide—Standalone Mode 15


Fortinet, Inc.
Introduction

• The set flood-unknown-multicast command moved from under config switch igmp-snooping globals to under config switch global.
• The get switch igmp-snooping interface command was replaced with get switch igmp-snooping status.
• The diagnose debug application igmp_snooping command is now diagnose debug application mcast-snooping.
• Under the config router bgp command, set aspath-filter-list-in is now set filter-list-in.
• Under the config router bgp command, set aspath-filter-list-out is now set filter-list-out.
• Under the config router bgp command, log-neighbor-changes is now set neighbour-changes.
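The renames above are mechanical, but a configuration backup taken from an earlier 6.4.x build still contains the old command names. The following script is an added example (not Fortinet code) that rewrites such a backup: it tracks the enclosing config block so that each rename applies only in the context the list names, and it drops and reports the commands the list says were removed. It assumes the pre-6.4.3 BGP form was "set log-neighbor-changes"; the sample configuration is constructed, and its mcast-addr line is included only as an untouched neighbour.

```python
"""Rewrite a FortiSwitchOS configuration backup to the 6.4.3 command names.

Added example (not Fortinet code). It applies the renames from the list above
only inside the config block the list names, and drops the commands the list
says were removed. SAMPLE_CONFIG is constructed for illustration.
"""

# Renamed commands, keyed by the enclosing "config ..." block.
RENAMES = {
    "config switch vlan": {
        "set igmp-fast-leave": "set igmp-snooping-fast-leave",
        "set igmp-proxy": "set igmp-snooping-proxy",
        "set querier-addr": "set igmp-snooping-querier-addr",
        "config igmp-static-group": "config igmp-snooping-static-group",
    },
    "config switch interface": {
        "set igmps-flood-reports": "set igmp-snooping-flood-reports",
        "set igmps-flood-traffic": "set mcast-snooping-flood-traffic",
    },
    "config router bgp": {
        "set aspath-filter-list-in": "set filter-list-in",
        "set aspath-filter-list-out": "set filter-list-out",
        # assumption: the pre-6.4.3 form was "set log-neighbor-changes"
        "set log-neighbor-changes": "set neighbour-changes",
    },
}

# Commands removed in 6.4.3; a backup that still has them will not load cleanly.
REMOVED = {
    "config router ospf": ("set default-information-route-map",),
    "config router isis": ("set default-information-route-map",),
}


def _command(stripped, old):
    """True if the line is exactly the old command or the old command plus arguments."""
    return stripped == old or stripped.startswith(old + " ")


def migrate(text):
    """Return (rewritten_config, dropped_lines).

    A stack of open "config ..." blocks gives the context for each line;
    "end" closes the innermost block, while edit/next do not change it."""
    out, dropped, stack = [], [], []
    for line in text.splitlines():
        stripped = line.strip()
        ctx = stack[-1] if stack else ""
        if any(_command(stripped, old) for old in REMOVED.get(ctx, ())):
            dropped.append(f"{ctx}: {stripped}")
            continue
        for old, new in RENAMES.get(ctx, {}).items():
            if _command(stripped, old):
                line = line.replace(old, new, 1)
                stripped = line.strip()
                break
        # Update the context after the rename, so a renamed nested "config"
        # line (igmp-snooping-static-group) is pushed under its new name.
        if stripped.startswith("config "):
            stack.append(" ".join(stripped.split()[:3]))
        elif stripped == "end" and stack:
            stack.pop()
        out.append(line)
    return "\n".join(out) + "\n", dropped


# Constructed sample backup in the pre-6.4.3 syntax.
SAMPLE_CONFIG = """\
config switch vlan
    edit 10
        set igmp-proxy enable
        set querier-addr 10.0.10.1
        config igmp-static-group
            edit "g1"
                set mcast-addr 239.1.1.1
            next
        end
    next
end
config router bgp
    set aspath-filter-list-in "inbound"
    set log-neighbor-changes enable
end
config router ospf
    set default-information-route-map "rm1"
end
"""

if __name__ == "__main__":
    new_text, dropped = migrate(SAMPLE_CONFIG)
    print(new_text)
    for item in dropped:
        print("dropped:", item)
```

Run it against a real backup with migrate(open(path).read()) and review the dropped list before loading the result; a removed default-information-route-map line usually means the OSPF or IS-IS default route needs to be re-expressed with the commands the current release provides.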

Refer to Feature matrix: FortiSwitchOS 6.4.3 on page 17 for details about the features supported on each FortiSwitch
model.


Feature matrix: FortiSwitchOS 6.4.3

The following table lists the FortiSwitch features in release 6.4.3 that are supported on each series of FortiSwitch
models. All features are available in release 6.4.3, unless otherwise stated.

| Feature | GUI supported | 112D-POE | FSR-124D | 1xxE, 1xxF | 4xxE | 200 Series, 400 Series | 500 Series | 1024D, 1048D, 1048E | 3032D, 3032E |
|---|---|---|---|---|---|---|---|---|---|
| Management and Configuration | | | | | | | | | |
| CPLD software upgrade support for OS | — | — | — | — | — | — | — | 1024D, 1048D | — |
| Firmware image rotation (dual-firmware image support) | — | ✓ | ✓ | 148E, 148E-POE | ✓ | ✓ | ✓ | ✓ | ✓ |
| HTTP REST APIs for configuration and monitoring | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Support for switch SNMP OID | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| IP conflict detection and notification | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| FortiSwitch Cloud configuration | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Auto topology | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Security and Visibility | | | | | | | | | |
| 802.1x port mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 802.1x MAC-based security mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| User-based (802.1x) VLAN assignment | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 802.1x enhancements, including MAB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MAB reauthentication disabled | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| open-auth mode | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Support of the RADIUS accounting server | Partial | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Support of RADIUS CoA and disconnect messages | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| EAP Pass-Through | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Network device detection | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| IP-MAC binding (IPv4) | ✓ | — | — | — | — | — | ✓ | ✓ | ✓ |
| sFlow (IPv4) | ✓ | ✓ | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Flow export (IPv4) | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| ACL (IPv4) | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Multistage ACL (IPv4) | ✓ | — | — | — | — | — | ✓ | ✓ | ✓ |
| Multiple ingress ACLs (IPv4) | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Schedule for ACLs (IPv4) | — | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DHCP snooping | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DHCPv6 snooping | ✓ | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Allowed DHCP server list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| IP source guard (IPv4) | ✓ | — | ✓ | — | ✓ | ✓ | — | — | — |
| IP source-guard violation log | — | — | ✓ | — | ✓ | ✓ | — | — | — |
| Dynamic ARP inspection (IPv4) | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| ARP timeout value | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Access VLANs | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| RMON group 1 | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Reliable syslog | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Packet capture | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| MACsec (See Note 7.) | — | — | — | — | — | — | ✓ | — | — |
| Layer 2 | | | | | | | | | |
| Link aggregation group size (maximum number of ports) (See Note 2.) | ✓ | 8 | 8 | 8 | 8 | 8 | 24/48 | 24/48 | 24, 64 |
| LAG min-max-bundle | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| IPv6 RA guard | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| IGMP snooping | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| IGMP proxy | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| IGMP querier | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MLD snooping | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| MLD proxy | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| MLD querier | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| LLDP-MED | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LLDP-MED: ELIN support | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Per-port max for learned MACs | — | — | ✓ | ✓ | ✓ | ✓ | ✓ | — | — |
| MAC learning limit (See Note 4.) | — | — | ✓ | ✓ | ✓ | ✓ | ✓ | — | — |
| Learning limit violation log (See Note 4.) | — | — | ✓ | ✓ | ✓ | ✓ | ✓ | — | — |
| set mac-violation-timer | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Sticky MAC | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Total MAC entries | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MSTP instances | — | 0-15 | 0-15 | 0-15 | 0-15 | 0-15 | 0-32 | 0-32 | 0-32 |
| STP root guard | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| STP BPDU guard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Rapid PVST interoperation | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| 'forced-untagged' or 'force-tagged' setting on switch interfaces | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Private VLANs | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Multi-stage load balancing | — | — | — | — | — | — | — | ✓ | ✓ |
| Priority-based flow control | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| Ingress pause metering | — | — | — | — | ✓ | ✓ | ✓ | ✓ | 3032D |
| Storm control | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Per-port storm control | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Global burst-size control | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MAC/IP/protocol-based VLAN assignment | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Virtual wire | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Loop guard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Percentage rate control | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| VLAN stacking (QinQ) | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| VLAN mapping | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| SPAN | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| RSPAN and ERSPAN (IPv4) | ✓ | RSPAN | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Flow control | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Layer 3 | | | | | | | | | |
| Link monitor (IPv4) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Static routing (IPv4/IPv6) | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Hardware routing offload (IPv4/IPv6) | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software routing only (IPv4/IPv6) | ✓ | ✓ | — | ✓ | — | — | — | — | — |
| OSPF (IPv4/IPv6) (See Note 3.) | ✓ | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| OSPF database overflow protection (IPv4) | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| OSPF graceful restart (helper mode only) (IPv4) | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| RIP (IPv4/IPv6) (See Note 3.) | ✓ | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| VRRP (IPv4/IPv6) (See Note 3.) | ✓ | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| BGP (IPv4/IPv6) (See Note 3.) | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| IS-IS (IPv4/IPv6) (See Note 3.) | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| PIM (IPv4) (See Note 3.) | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| Hardware-based ECMP (IPv4) | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| VRF (IPv4/IPv6) | — | — | — | — | — | — | — | ✓ | ✓ |
| Static BFD (IPv4/IPv6) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| BFD for BGPv6 | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| BFD for RIPng | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| uRPF | — | — | — | — | — | — | ✓ | ✓ | ✓ |
| DHCP relay (IPv4) | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DHCP server (IPv4) | ✓ | — | — | — | ✓ | 4xx only | ✓ | ✓ | ✓ |
| High Availability | | | | | | | | | |
| MCLAG (multichassis link aggregation) | Partial | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| STP supported in MCLAGs | — | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| IGMP snooping in MCLAG | ✓ | — | — | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Quality of Service | | | | | | | | | |
| 802.1p support, including priority queuing trunk and WRED | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| QoS queue counters | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| QoS marking (IPv4/IPv6) | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Summary of configured queue mappings | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Egress priority tagging (IPv4/IPv6) | — | — | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| ECN (IPv4/IPv6) | — | — | — | — | ✓ | — | ✓ | ✓ | ✓ |
| Real-time egress queue rates | — | — | — | — | — | ✓ | ✓ | ✓ | ✓ |
| Miscellaneous | | | | | | | | | |
| PoE-pre-standard detection (See Note 1.) | — | ✓ | ✓ | FS-1xxE POE | ✓ | ✓ | ✓ | — | — |
| PoE modes support: first come, first served or priority based (PoE models) | — | ✓ | ✓ | FS-1xxE POE | ✓ | ✓ | ✓ | — | — |
| Control of temperature alerts | — | ✓ | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ |
| Split port (See Note 6.) | Partial | — | — | — | — | — | ✓ | 1048E | ✓ |
| TDR (time-domain reflectometer)/cable diagnostics support | ✓ | — | ✓ | ✓ | ✓ | ✓ | ✓ | — | — |
| Auto module max speed detection and notification | ✓ | — | — | — | — | — | ✓ | ✓ | — |
| Monitor system temperature (threshold configuration and SNMP trap support) | — | ✓ | ✓ | FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cut-through switching | — | — | — | — | — | — | — | ✓ | ✓ |
| Add CLI to show the details of port statistics | — | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Configuration of the QSFP low-power mode | — | — | — | — | — | — | ✓ | 1048D, 1048E | ✓ |
| Energy-efficient Ethernet | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | — | — |
| PHY Forward Error Correction (See Note 5.) | — | — | — | — | — | — | — | 1048E | 3032E |
| PTP transparent clock (IPv4/IPv6) | — | — | — | — | ✓ | ✓ | ✓ | 1048E | ✓ |

Notes

1. PoE features are applicable only to the model numbers with a POE or FPOE suffix.
2. 24-port LAG is applicable to 524D, 524-FPOE, 1024D, and 3032D models. 48-port LAG is applicable to 548D, 548-
FPOE, and 1048D models.
3. To use the dynamic layer-3 protocols, you must have an advanced features license.
4. The per-VLAN MAC learning limit and per-trunk MAC learning limit are not supported on the 448D/448D-
POE/448D-FPOE/248E-POE/248E-FPOE/248D series.
5. Supported only in 100G mode (clause 91).
6. On the 3032E, you can split one port at the full base speed, split one port into four sub-ports of 25 Gbps each
(100G QSFP only), or split one port into four sub-ports of 10 Gbps each (40G or 100G QSFP).
7. Supported on 5xxD 10G ports.

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit's GUI and CLI.

How this guide is organized

This guide is organized into the following chapters:


• Management ports describes how to configure the management ports.
• Configuring administrator tasks describes how to configure the date and time, admin users, and remote authentication servers.
• Configuring SNMP describes how to monitor hardware on your network.
• Global system and switch settings describes the initial configuration of your FortiSwitch unit.
• Physical port settings describes how to configure the physical ports.
• Layer-2 interfaces describes how to configure layer-2 interfaces.
• VLANs and VLAN tagging describes how to configure VLANs and describes the packet flow for VLAN tagged and untagged packets.
• Spanning Tree Protocol describes how to configure MSTP.
• Link aggregation groups describes how to configure link aggregation groups.
• MCLAG describes how to configure MCLAG.
• Multi-stage load balance describes how to configure multi-stage load balancing on a set of FortiGate units.
• LLDP-MED describes how to configure LLDP-MED settings.
• MAC/IP/protocol-based VLANs describes how to configure MAC/IP/protocol-based VLANs.
• Mirroring describes how to configure port mirroring.
• Access control lists describes how to configure ACLs.
• Storm control describes how to configure storm control.
• DHCP snooping describes how to configure DHCP snooping.
• IP source guard describes how to configure IP source guard.


• Dynamic ARP inspection describes how to configure dynamic ARP inspection.
• IGMP snooping describes how to configure IGMP snooping.
• MLD snooping describes how to configure MLD snooping.
• Private VLANs describes how to create and manage private virtual local area networks (VLANs).
• Quality of service describes how to configure QoS.
• sFlow describes how to configure sFlow.
• Feature licensing describes feature licenses.
• Layer-3 interfaces describes how to configure routed ports, routed VLAN interfaces, switch virtual interfaces, and related features.
• DHCP server and relay describes how to configure DHCP servers and relays.
• OSPF routing describes how to configure OSPF routing.
• RIP routing describes how to configure RIP routing.
• VRRP describes how to configure VRRP.
• BGP routing describes how to configure BGP routing.
• PIM routing describes how to configure PIM routing.
• IS-IS routing describes how to configure IS-IS routing.
• Users and user groups describes how to configure users and user groups.
• MACsec describes how to configure MACsec.
• 802.1x authentication describes how to configure 802.1x authentication (to RADIUS servers).
• TACACS describes how to configure TACACS authentication.
• Troubleshooting and support describes ways to gather more details and to solve problems.
• Deployment scenario describes an example configuration.
• Appendix: FortiSwitch-supported RFCs lists RFCs that are supported by FortiSwitchOS.


Management ports

This chapter describes how to configure management ports on the FortiSwitch unit.
The following topics are covered:
• Models without a dedicated management port on page 26
• Models with a dedicated management port on page 29
• Remote access to the management port on page 31
• Example configurations on page 32

Models without a dedicated management port

For FortiSwitch models without a dedicated management port, configure the internal interface as the management
port.
NOTE: For FortiSwitch models without a dedicated management port, the internal interface has a default VLAN ID of 1.

Using the GUI:

Start by editing the default internal interface's configuration.

1. Go to System > Network > Interface > Physical and select Edit for the internal interface.


2. In the IP/Netmask field, enter the IP address and netmask.


3. Select the appropriate protocols to connect to the interface for administrative access.
4. Optional. Select Add IP to add a secondary IP address for the internal interface.
5. Select Update to save your changes.

Next, create a new interface to be used for management.


1. Go to System > Network > Interface > VLAN and select Add VLAN to create a management VLAN.


2. Give the interface an appropriate name.


3. Confirm that Interface is set to internal.
4. Set a VLAN ID.
5. In the IP/Netmask field, enter the IP address and netmask.
6. Select the appropriate protocols to connect to the interface for administrative access.
7. Optional. Select Add IP to add a secondary IP address for this VLAN.
8. Select Add.

Using the CLI:

config system interface
    edit internal
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit <vlan name>
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set interface internal
        set vlanid <VLAN id>
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
        end
end

Models with a dedicated management port

For FortiSwitch models with a dedicated management port, configure the IP address and allowed access types for the
management port.
NOTE: For FortiSwitch models with a dedicated management port, the internal interface has a default VLAN identifier
of 4094.

Using the GUI:

1. Go to System > Network > Interface > Physical and select Edit for the mgmt interface.


2. In the ID field, enter a unique identifier from 1 to 65525.


3. In the IP/Netmask field, enter the IP address and netmask.
4. Select the appropriate protocols to connect to the interface for administrative access.
5. Optional. You can select Remove if you want to delete the default secondary IP address or select Add IP to add a
secondary IP address for the management interface.
6. Select Update to save your changes.

Using the CLI:

config system interface
    edit mgmt
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit internal
        set type physical
    end
end

Remote access to the management port

To provide remote access to the management port, configure a static route. Set the gateway address to the IP address
of the router.

Using the GUI:

1. Go to Router > Config > Static and select Add Route.

2. Enter an identifier. This is a unique number to identify the static route.


3. Select the Status checkbox if it is not selected.
4. Set the device to mgmt.
5. Set the gateway to the gateway router IP address.
6. Select Add.

Using the CLI:

config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set status enable
    end
end


Example configurations

In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch unit has a
default VLAN across all physical ports and its internal port.

Using the internal interface of a FortiSwitch-524D-FPOE

Syntax

config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh
        set type physical
    end
end


In this example, an out-of-band management interface is used as the dedicated management port. You can configure
the management port for local or remote access.

Out-of-band management on a FortiSwitch-1024D

[Figure: Out-of-band management on a FortiSwitch-1024D. Labels: Port 1 used as an Ethernet data port; Dedicated MGMT port; Local Access; Router (192.168.0.10); Remote Access.]

Option 1: management port with static IP

config system interface
    edit mgmt
        set mode static
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    end
end

// optional configuration to allow remote access to the management port
config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set status enable
    end

Option 2: management port with IP assigned by DHCP

config system interface
    edit mgmt
        set mode dhcp
        set defaultgw enable // allows remote access
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    end
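The examples above allow http and telnet on the management interface alongside https and ssh. The following script is an added example (not from the guide) that parses a config system interface block in the CLI format shown in this chapter, including secondaryip entries, and reports allowaccess lists that include clear-text protocols or SNMP. The sample configuration is constructed from the addresses used in this section.

```python
"""Audit the administrative protocols allowed on FortiSwitch interfaces.

Added example (not from the guide). It reads a "config system interface"
block in the CLI format shown above, including secondaryip entries, and
reports allowaccess lists that include clear-text protocols. The sample
configuration is constructed from the addresses used in this section.
"""

# http and telnet send administrator credentials in clear text.
CLEARTEXT = {"http", "telnet"}


def parse_interfaces(config_text):
    """Map "iface" or "iface/secondaryip/<id>" -> set of allowaccess protocols."""
    ifaces, path, in_block = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system interface"
            continue
        if line.startswith("edit "):
            path.append(("edit", line.split(None, 1)[1].strip('"')))
            ifaces.setdefault("/".join(n for _, n in path), set())
        elif line.startswith("config "):
            path.append(("config", line.split(None, 1)[1]))
        elif line.startswith("set allowaccess") and path:
            ifaces["/".join(n for _, n in path)] = set(line.split()[2:])
        elif line == "next" and path:
            path.pop()
        elif line == "end":
            # "end" leaves the innermost config block, closing any open edit first
            while path and path.pop()[0] != "config":
                pass
            if not path:
                in_block = False
    return ifaces


def audit(ifaces):
    """Return (name, issue, protocols) findings, sorted by interface name."""
    findings = []
    for name, protos in sorted(ifaces.items()):
        clear = sorted(protos & CLEARTEXT)
        if clear:
            findings.append((name, "cleartext", clear))
        if "snmp" in protos:
            # SNMPv1/v2c community strings are not encrypted; this finding is a
            # prompt to confirm SNMPv3 users are in use, not a defect by itself.
            findings.append((name, "snmp", ["snmp"]))
    return findings


def hardened(protos):
    """The same allowaccess list with clear-text protocols removed."""
    return sorted(set(protos) - CLEARTEXT)


# Constructed sample, built from the interface examples in this chapter.
SAMPLE_INTERFACES = """\
config system interface
    edit mgmt
        set mode static
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.2.99 255.255.255.0
                set allowaccess ping http
            next
        end
    next
end
"""

if __name__ == "__main__":
    for name, issue, protos in audit(parse_interfaces(SAMPLE_INTERFACES)):
        print(f"{name}: {issue} {' '.join(protos)}")
```

Run it over the output of a configuration backup; each cleartext finding maps directly to a set allowaccess line to trim, and hardened() gives the replacement list.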


Configuring administrator tasks

You can use the default “admin” account to configure administrator accounts, adjust system settings, upgrade firmware,
create backup files, and configure security features.
This chapter covers the following topics:
• Setting the time and date on page 35
• Configuring system banners on page 36
• Configuring the temperature sensor on page 38
• Setting the boot partition on page 40
• Upgrading the firmware on page 38
• Backing up the system configuration on page 41
• Remote authentication servers on page 41
• Configuring system administrators on page 44
• Configuring administrative logins on page 51
• Using PKI on page 52
• Configuring security checks on page 53
• Logging on page 55
• Fault relay support on page 57
• Using SSH and the Telnet client on page 57

Setting the time and date

For effective scheduling and logging, the system date and time must be accurate. You can either manually set the
system date and time or configure the system to automatically keep its time correct by synchronizing with a Network
Time Protocol (NTP) server.
NOTE: Some FortiSwitch models do not have a battery-backed real-time clock. On these models, the time is reset when the switch is rebooted, so they must be connected to an NTP server if you want to maintain the correct system date and time.
The Network Time Protocol enables you to keep the system time synchronized with other network systems. This will
also ensure that logs and other time-sensitive settings are correct.
When the system time is synchronized, polling occurs every 2 minutes. When the system time is not synchronized but
the NTP server can be reached, polling is attempted every 2 seconds to synchronize quickly. If the NTP server cannot be
reached, polling occurs up to every 64 seconds. If DNS cannot resolve the host name, polling occurs up to every 60
seconds.
Starting in FortiSwitchOS 6.4.0, the default Sync Interval is 10 minutes. The polling interval is one-fifth of the configured
Sync Interval.


To set the date and time:

1. Go to System > Dashboard.


2. Next to the System Time field, select Change.

3. Select your Time Zone.


4. Either select Manual Setting and enter the system date and time or select Synchronize with NTP Server. If you
select synchronization, you can either use the default FortiGuard server or specify a different server. You can also
set the Sync Interval.
5. Select Update.

If you use an NTP server, you can specify the IPv4 or IPv6 source address for this self-originating traffic with the set source-ip or set source-ip6 command. For example, you can set the source IPv4 address of NTP to be on the DMZ1 port with an IP of 192.168.4.5:
config system ntp
    set authentication enable
    set ntpsync enable
    set syncinterval 5
    set source-ip 192.168.4.5
end

Configuring system banners

You can specify system banner messages in the CLI that will appear when users log in using either the CLI or the GUI.
You can enter up to 2,048 characters for each system banner. Currently, only text is supported. By default, no system
banners are displayed.


The GUI displays the pre-login banner before you enter your user name or password:

The GUI displays the post-login banner after you enter your user name and password and select Log In:

You cannot finish logging in until you select I Agree.


The CLI displays the pre-login banner before you enter your user name. The CLI displays the post-login banner after you
enter your password; you cannot finish logging in until you press a to accept the message.

To configure system banners:

config system global
    set pre-login-banner "<string>"
    set post-login-banner "<string>"
end

For example:
S548DF5018000776 # config system global
S548DF5018000776 (global) # set pre-login-banner "All systems will be unavailable,
> starting at midnight. Please exit all applications by then."
S548DF5018000776 (global) # set post-login-banner "Remember to exit before midnight."
S548DF5018000776 (global) # end

NOTE: For multi-line messages, just press the Return key between lines.


Configuring the temperature sensor

If your FortiSwitch unit has a temperature sensor, you can set a warning and an alarm for when the system temperature
reaches specified temperatures. When these thresholds are exceeded, a log message and SNMP trap are generated.
The warning threshold must be lower than the alarm threshold.
Use the following commands to set warning and alarm thresholds:
config system snmp sysinfo
    set status enable
    set trap-temp-warning-threshold <temperature in degrees Celsius>
    set trap-temp-alarm-threshold <temperature in degrees Celsius>
end

By default, the FortiSwitch unit generates an alert (in the form of an SNMP trap and a SYSLOG entry) every 30 minutes
when the temperature sensor exceeds its set threshold. You can change this interval with the following commands:
config system global
    set alertd-relog enable
    set alert-interval <1-1440 minutes>
end

Upgrading the firmware

Use these procedures to upgrade your FortiSwitch firmware.

Using the GUI

You can upgrade the firmware from the dashboard or from the system configuration page.

To upgrade the firmware from the dashboard:

1. Go to System > Dashboard.
2. Next to the Firmware Version field, select Update.

To upgrade the firmware from the system configuration page:

1. Go to System > Config > Firmware.


2. Select Choose File and then navigate to the firmware image.

3. Select Apply.

Using the CLI

You can download a firmware image from an FTP server, from a FortiManager unit, or from a TFTP server. The
FortiSwitch unit reboots and then loads the new firmware.
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
[<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>

The following example shows how to upload a configuration file from a TFTP server to the FortiSwitch unit and restart
the FortiSwitch unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23

You can also load a firmware image from an FTP or TFTP server without restarting the FortiSwitch unit:
execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>


Verifying image integrity

To verify the integrity of the images in the primary and secondary (if applicable) flash partitions, use the following
commands:
execute verify image primary
execute verify image secondary

If the image is corrupted or missing, the command fails with a return code of -1.
For example:
execute verify image primary
Verifying the image in flash......100%
No issue found!

execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1

Restore or upgrade the BIOS

You can restore or upgrade the basic input/output system (BIOS) if needed. After a BIOS upgrade, passwords for all
FortiSwitch local users must be reconfigured using the config user local setting.

CAUTION: Only restore or upgrade the BIOS if Customer Support recommends it.
To upgrade or restore the BIOS from the CLI:
execute restore bios tftp <filename_str> <server_ipv4[:port_int]>

For example:
execute restore bios tftp PPC/FS-3032D/04000009/FS3D323Z14000004.bin 10.105.2.201

The example downloads the BIOS file from the TFTP server at the specified IPv4 address.
NOTE: If the BIOS upgrade fails, do not restart the FortiSwitch unit. Instead, try the CLI command again. If repeating
the CLI command does not work, the FortiSwitch unit might require a return merchandise authorization (RMA).

Setting the boot partition

You can specify the flash partition for the next reboot. The system can use the boot image from either the primary or the
secondary flash partition:
execute set-next-reboot <primary | secondary>

NOTE: You must disable image rotation before you can use the execute set-next-reboot command.


If your FortiSwitch model has dual flash memory, you can use the primary and backup partitions for image rotation. By
default, this feature is enabled.
config system global
    set image-rotation <enable | disable>
end

To list all of the flash partitions:
diagnose sys flash list

Backing up the system configuration

To back up the configuration from the dashboard:

1. Go to System > Dashboard.
2. Next to the System Configuration field, select Backup.
You can enter a password to encrypt the backup file. Passwords can be up to 15 characters in length.

Remote authentication servers

If you are using remote authentication for administrators or users, you need to configure one of the following:
• RADIUS server
• TACACS+ server

RADIUS server

The information you need to configure the system to use a RADIUS server includes:
• the RADIUS server's domain name or IP address
• the RADIUS server's shared secret key
The default port for RADIUS traffic is 1812. Some RADIUS servers use port 1645. You can configure the FortiSwitch unit to use port 1645:
config system global
    set radius-port 1645
end


To configure RADIUS authentication with the GUI:

1. Go to System > Authentication > RADIUS and select Add Server.

2. Enter the following information and select Add.

| Field | Description |
|---|---|
| Name | Enter a name to identify the RADIUS server on the FortiSwitch unit. |
| Primary Server Address | Enter the domain name (such as fgt.example.com) or the IP address of the RADIUS server. |
| Primary Server Secret | Enter the server secret key, such as radiusSecret. This key can be a maximum of 16 characters long. This value must match the secret on the RADIUS primary server. |
| Secondary Server Name/IP | Optionally enter the domain name (such as fgt.example.com) or the IP address of the secondary RADIUS server. |
| Secondary Server Secret | Optionally, enter the secondary server secret key, such as radiusSecret2. This key can be a maximum of 16 characters long. This value must match the secret on the RADIUS secondary server. |
| Authentication Scheme | If you know the RADIUS server uses a specific authentication protocol, select Specify Authentication Protocol and select the protocol from the list. Otherwise, select Use Default Authentication Scheme. The default authentication scheme will usually work. |
| NAS IP/Called Station ID | Enter the IP address to be used as an attribute in RADIUS access requests. The NAS IP address is the configured RADIUS setting or, if not configured, the IP address of the FortiSwitch interface used to talk to the RADIUS server. The Called Station ID is the same value as the NAS IP address but in text format. |
| Include in every User Group | When this option is enabled, this RADIUS server is automatically included in all user groups. This option is useful if all users will be authenticating with the remote RADIUS server. |

To configure the FortiSwitch unit for RADIUS authentication, see 802.1x authentication on page 289.
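The fields above (shared secret, NAS IP, Called Station ID) map directly onto the RADIUS packet the switch sends. The following is an added example, not Fortinet code, that implements the RFC 2865 arithmetic for an Access-Request carrying those attributes with a PAP password, and verifies the Response Authenticator on the reply so that an Access-Accept from a host that does not hold the shared secret is rejected. It goes beyond the table by showing the wire format; the address, user name, password and secret in it are constructed.

```python
"""RADIUS Access-Request (PAP) construction and response verification.

Added example: RFC 2865 wire format, written to show what the RADIUS settings
in this section (shared secret, NAS IP, Called Station ID) mean on the wire.
Not Fortinet code; the host address and credentials below are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLED_STATION_ID = 1, 2, 4, 30


def attr(atype, value):
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    p = password.encode()
    if len(p) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    if not p or len(p) % 16:
        p += b"\x00" * (16 - len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does with the shared secret)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). Called-Station-Id carries the
    NAS IP as text, as the field table in this section describes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLED_STATION_ID, nas_ip.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet):
    """Return {type: [value, ...]} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What a RADIUS server sends back (used here to exercise verify_response)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, ident, request_auth, secret):
    """Accept a reply only if its ID matches our request and its Response
    Authenticator was computed with our shared secret; a forged Access-Accept
    from a host that does not know the secret fails this check."""
    if len(packet) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return False
    expected = response_authenticator(code, rid, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"radiusSecret"  # constructed; same form as the example secret in the table
    pkt, ra = build_access_request(7, secret, "alice", "s3cret!", "192.0.2.10")
    accept = build_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print(len(pkt), "bytes; accept verifies:", verify_response(accept, 7, ra, secret))
```

Two points the code makes concrete: the User-Password hiding is only as strong as the shared secret (the 16-character limit in the table is the whole key for this MD5 stream), and a client that skips verify_response will accept any well-formed reply, so the Response Authenticator check is what ties an Access-Accept to the server that holds the secret.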

TACACS+ server

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other networked computing devices using one or more centralized servers. TACACS+ allows a client to accept a user
name and password and send a query to a TACACS+ authentication server. The server host determines whether to
accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies and supports both IP and AppleTalk protocols. TACACS+ uses TCP port
49, which is seen as more reliable than RADIUS’s UDP protocol.

To configure TACACS+ authentication using the GUI:

1. Go to System > Authentication > TACACS and select Add Server.


2. Enter the following information and select Add.

| Field | Description |
|---|---|
| Name | Enter a name to identify the TACACS server on the FortiSwitch unit. |
| Server Address | Enter the domain name (such as fgt.example.com) or the IP address of the TACACS server. |
| Server Key | Enter the server key for the TACACS server. |
| Authentication Type | Select the authentication type to use for the TACACS+ server. Auto tries PAP, MSCHAP, and CHAP (in that order). |

To configure the FortiSwitch unit for TACACS+ authentication, see TACACS on page 319.

Configuring system administrators

In addition to the default “admin” account, you might want to set up other administrators with different levels of system
access.
This section covers the following topics:
l Administrator profiles on page 45
l Creating administrator profiles on page 45
l Access control on page 46
l Adding administrators on page 48
l Monitoring administrators on page 49
l Setting the default administrator password on page 49
l Setting the password retries and lockout time on page 50
l Setting the idle timeout on page 50

Administrator profiles

Administrator profiles define what the administrator user can do when logged into the FortiSwitch unit. When you set up an
administrator user account, you also assign an administrator profile, which dictates what the administrator user will see.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow them to view and
configure as much, or as little, as required.
The super_admin administrator is the administrative account that the primary administrator should have to log into the
FortiSwitch unit. The profile cannot be deleted or modified to ensure there is always a method to administer the
FortiSwitch unit. This user profile has access to all components of the system, including the ability to add and remove
other system administrators. For some administrative functions, such as backing up and restoring the configuration
using SCP, super_admin access is required.

Creating administrator profiles

To configure administrator profiles, go to System > Admin > Profiles. You can only assign one profile to each
administrator user.
On the Add Profile page, you define the components of the FortiSwitch unit that will be available to view and/or edit.
For example, if you configure a profile so that the administrator can only access System Configuration, this admin will
not be able to change Network settings. For more detail about what is covered by each access control, see Access
control on page 46.

Using the GUI:

1. Go to System > Admin > Profiles and select Add Profile.

2. Give the profile an appropriate name.
3. Set Access Control as required, selecting None, Read Only, or Read-Write for each line.
4. Select Add.

Using the CLI:

config system accprofile
edit <name>
set admingrp {none | read | read-write}
set loggrp {none | read | read-write}
set netgrp {none | read | read-write}
set routegrp {none | read | read-write}
set sysgrp {none | read | read-write}
next
end

Access control

The System Configuration access control applies to the following menus:
l System > Dashboard
l System > Network > DNS
l System > Network > Settings
l System > Config > SNMP > Communities
l System > Config > SNMP > Users
l System > Config > SNMP > Settings
l System > Config > Firmware
l System > Config > Backup
l System > Config > Revisions
l System > Config > Licenses
l System > Config > Time
l System > Config > SSL
l System > User > Definition
l System > User > Group
l System > Authentication > LDAP
l System > Authentication > RADIUS
l System > Authentication > TACACS
l System > Certificate > Local
l System > Certificate > Remote
l System > Certificate > Authorities
l System > Certificate > CRLs
The Network Configuration access control applies to the following menus:
l System > Network > Interface > Physical
l System > Network > Interface > VLAN
l System > Network > Interface > Loopback
l Switch > Port > Physical
l Switch > Port > Trunk
l Switch > Interface > Physical
l Switch > Interface > Trunk
l Switch > Interface > Port Security
l Switch > STP > Settings
l Switch > STP > Instances
l Switch > Flap Guard
l Switch > LLDP-MED > Profiles
l Switch > LLDP-MED > Settings
l Switch > POE
l Switch > sFlow
l Switch > Mirror
l Switch > VLAN
l Switch > Virtual Wires
l Switch > Storm Control
l Switch > MAC Entries
l Switch > IP-MAC Binding
l Switch > QoS > 802.1p
l Switch > QoS > IP/DSCP
l Switch > QoS > Egress Policy
l Switch > Monitor > Forwarding Table
l Switch > Monitor > Port Stats
l Switch > Monitor > Spanning Tree
l Switch > Monitor > Modules
l Switch > Monitor > LLDP
l Switch > Monitor > Loop Guard
l Switch > Monitor > Flap Guard
l Switch > Monitor > 802.1x Status
The Admin Users access control applies to the following menus:
l System > Admin > Administrators
l System > Admin > Profiles
l System > Admin > Monitor
l System > Admin > Settings
The Router Configuration access control applies to the following menus:
l Router > Config > OSPF > Settings
l Router > Config > OSPF > Areas
l Router > Config > OSPF > Networks
l Router > Config > OSPF > Interfaces
l Router > Config > RIP > Settings
l Router > Config > RIP > Distances
l Router > Config > RIP > Networks
l Router > Config > RIP > Interfaces
l Router > Config > Static
l Router > Config > Interface
l Router > Config > Link Probes
l Router > Monitor > Routing
l Router > Monitor > Link
The Log & Report access control applies to the following menus:
l Log > Event Log > Link
l Log > Event Log > POE
l Log > Event Log > Spanning Tree
l Log > Event Log > Switch
l Log > Event Log > Switch Controller
l Log > Event Log > System
l Log > Event Log > Router
l Log > Event Log > User
l Log > Config

Adding administrators

Only the default “admin” account can create a new administrator account. If required, you can add an additional account
with read-write access control to add new administrator accounts.
If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will
show only the administrators for the current virtual domain.
When adding administrators, you are setting up the administrator’s user account. An administrator account comprises
an administrator’s basic settings as well as their access profile. The access profile is a definition of what the
administrator is capable of viewing and editing.
Follow one of these procedures to add an administrator.

Using the GUI:

1. Go to System > Admin > Administrators.
2. Select Add Administrator.
3. Enter the administrator name.
4. Select the type of account. If you select Remote, the system can reference a RADIUS or TACACS+ server.
5. If you selected Remote, select the User Group the account will access, whether wildcards are accepted, and
whether the access profile group can be overridden.
6. Enter the password for the user. Passwords can be up to 64 characters in length.
7. Select Add.

Using the CLI:

config system admin
edit <admin_name>
set password <password>
set accprofile <profile_name>
next
end

Monitoring administrators

You can find out which administrators are logged in by looking at the System Information section of the Dashboard.
The Current Administrator row shows the administrators logged in and the total logged in. Selecting Details displays
the information for each administrator: where they are logging in from and how and when they logged in.

Setting the default administrator password

By default, your system has an administrator account set up with the user name admin and no password. On your first
login to the GUI or CLI of a new FortiSwitch unit, you must create a password. You are also forced to create a password
after resetting the FortiSwitch configuration to the factory default settings with the execute factory reset or
execute factoryresetfull command.

To change the default password:

1. From the admin menu in the page banner, select Change Password.
2. Enter the new password in the Password and Confirm Password fields. Passwords can be up to 64 characters in length.
3. Select Change.

Setting the password retries and lockout time

By default, the system allows three password retries, giving the administrator a maximum of three attempts to log into
their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts can be set to an alternate value, as well as the wait time before the administrator can try to
enter a password again. You can also change this value to make password guessing more difficult. Both settings must be
configured with the CLI.

To configure the lockout options:

config system global
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end

For example, to set the lockout threshold to one attempt and the duration before the administrator can try again to log in
to five minutes, enter these commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end

Setting the idle timeout

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone
from using the GUI if the management PC is left unattended.

To change the idle timeout:

1. Go to System > Admin > Settings.
2. Enter the time in minutes in the Idle Timeout (Minutes) field.
3. Update other settings as required:
o TCP/UDP port values for HTTP, HTTPS, Telnet, SSH
o Display language

4. Select Apply.

Configuring administrative logins

You can configure the RADIUS server to set the access profile. This process uses RADIUS vendor-specific attributes
(VSAs) passed to the FortiSwitch unit for authorization. The RADIUS access profile override is mainly used for
administrative logins.

Using the GUI:

1. Go to System > Admin > Administrators.
2. Select Add Administrator.
3. Select Remote.
4. In the Administrator field, enter a name for the RADIUS system administrator.
5. Select the user group.
6. Select Wildcard.
7. Select Accprofile Override.
8. Select Add.

Using the CLI:

The following code creates a RADIUS-system admin group with accprofile-override enabled:
config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile no_access
set wildcard enable
set remote-group "RADIUS_Admins"
set accprofile-override enable
next
end

Ensure that the RADIUS server is configured to send the appropriate VSA.
To send an appropriate group membership and access profile, set VSA 1 and VSA 6, as in the following code:
VENDOR fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 <admin profile>
ATTRIBUTE Fortinet-Access-Profile 6 <access profile>

The value of VSA 1 must match the remote group, and VSA 6 must match a valid access profile.
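As an added example (not Fortinet's code), the following Python builds and parses the RADIUS Vendor-Specific attribute that carries these two VSAs and then applies the matching rule just stated. The vendor id 12356, sub-attribute numbers 1 and 6, the group name RADIUS_Admins and the profile names are taken from this page; the wire layout follows RFC 2865 and the function names are my own.

```python
"""Added example (not FortiSwitchOS code): encode and decode the Fortinet
Vendor-Specific Attribute (RADIUS attribute 26, RFC 2865) that carries
Fortinet-Group-Name (VSA 1) and Fortinet-Access-Profile (VSA 6), then apply
the rule that VSA 1 must match the remote group and VSA 6 a valid profile.
Vendor id 12356 and the VSA numbers come from the dictionary on the page."""
import struct

FORTINET_VENDOR_ID = 12356
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26
FORTINET_GROUP_NAME = 1          # VSA 1: must match the admin entry's remote group
FORTINET_ACCESS_PROFILE = 6      # VSA 6: must name an existing access profile
MAX_VALUE_LEN = 253 - 6          # attribute value limit minus vendor id and sub-header


def encode_fortinet_vsa(vendor_type: int, value: str) -> bytes:
    """Return one Vendor-Specific attribute holding a single Fortinet sub-attribute.

    Layout: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value.
    """
    data = value.encode("utf-8")
    if not 1 <= len(data) <= MAX_VALUE_LEN:
        raise ValueError("VSA value must be 1..%d bytes" % MAX_VALUE_LEN)
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), FORTINET_VENDOR_ID) + sub


def decode_fortinet_vsas(attributes: bytes) -> dict:
    """Walk a RADIUS attribute list; return {vendor_type: value} for Fortinet VSAs.

    Non-Fortinet attributes are skipped; truncated or inconsistent lengths raise.
    """
    found = {}
    i = 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("bad attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[i + 2:i + 6])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                j, end = i + 6, i + alen
                while j < end:
                    if j + 2 > end:
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = attributes[j], attributes[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad vendor sub-attribute length")
                    found[vtype] = attributes[j + 2:j + vlen].decode("utf-8")
                    j += vlen
        i += alen
    return found


def authorize_admin(vsas: dict, remote_group: str, valid_profiles: set):
    """VSA 1 must equal the admin entry's remote group and VSA 6 must name an
    existing access profile. Returns the profile to apply, or None to refuse."""
    if vsas.get(FORTINET_GROUP_NAME) != remote_group:
        return None
    profile = vsas.get(FORTINET_ACCESS_PROFILE)
    return profile if profile in valid_profiles else None


if __name__ == "__main__":
    reply = (encode_fortinet_vsa(FORTINET_GROUP_NAME, "RADIUS_Admins")
             + encode_fortinet_vsa(FORTINET_ACCESS_PROFILE, "super_admin"))
    print(authorize_admin(decode_fortinet_vsas(reply), "RADIUS_Admins",
                          {"super_admin", "no_access"}))
```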

Using PKI

You can use Public Key Infrastructure (PKI) to require administrators to provide a valid certificate when logging in with
HTTPS.
Use the following steps to configure PKI:
1. Configure a peer user.
2. Add the peer user to a user group.
3. Configure the administrator account.
4. Configure the global settings.

To configure a peer user:

config user peer
edit <peer_name>
set ca <name_of_certificate_authority>
next
end

For example:
config user peer
edit pki_peer_1
set ca Fortinet_CA
next
end

To add the peer user to a user group:

config user group
edit <group_name>
set member <peer_name>
next
end

For example:
config user group
edit pki_group_1
set member pki_peer_1
next
end

To configure the administrator account:

config system admin
edit <admin_name>
set peer-auth enable
set peer-group <group_name>
next
end

For example:
config system admin
edit pki_admin_1
set peer-auth enable
set peer-group pki_group_1
next
end

To configure the global settings:

config system global
set admin-https-pki-required enable
set clt-cert-req enable
end

Configuring security checks

You can enable various security checks for incoming TCP/UDP packets. The packet is dropped if the system detects the
specified condition. Use the appropriate syntax for your FortiSwitch model:
l Syntax (for model FS-112D-POE) on page 53
l Syntax (for all other FortiSwitch models) on page 54

Syntax (for model FS-112D-POE)

config switch security-feature
set tcp-syn-data {enable | disable}
set tcp-udp-port-zero {enable | disable}
set tcp_flag_zero {enable | disable}
set tcp_flag_FUP {enable | disable}
set tcp_flag_SF {enable | disable}
set tcp_flag_SR {enable | disable}
set tcp_frag_ipv4_icmp {enable | disable}
set tcp_arp_mac_mismatch {enable | disable}
end

Variable Description Default

tcp-syn-data TCP SYN packet contains additional data (possible DoS attack). disable

tcp-udp-port-zero TCP or UDP packet has source or destination port set to zero. disable

tcp_flag_zero TCP packet with all flags set to zero. disable

tcp_flag_FUP TCP packet with FIN, URG and PSH flag set. disable

tcp_flag_SF TCP packet with SYN and FIN flag set. disable

tcp_flag_SR TCP packet with SYN and RST flag set. disable

tcp_frag_ipv4_icmp Fragmented ICMPv4 packet. disable

tcp_arp_mac_mismatch ARP packet with MAC source address mismatch between the layer-2 header and the ARP packet payload. disable

Syntax (for all other FortiSwitch models)

config switch security-feature
set sip-eq-dip {enable | disable}
set tcp-flag {enable | disable}
set tcp-port-eq {enable | disable}
set tcp-flag-FUP {enable | disable}
set tcp-flag-SF {enable | disable}
set v4-first-frag {enable | disable}
set udp-port-eq {enable | disable}
set tcp-hdr-partial {enable | disable}
set macsa-eq-macda {enable | disable}
end

Variable Description Default

sip-eq-dip TCP packet with source IP equal to destination IP. disable

tcp-flag DoS attack checking for TCP flags. disable

tcp-port-eq TCP packet with source and destination TCP port equal. disable

tcp-flag-FUP TCP packet with FIN, URG, and PSH flags set, and sequence number is zero. disable

tcp-flag-SF TCP packet with SYN and FIN flag set. disable

v4-first-frag DoS attack checking for IPv4 first fragment. disable

udp-port-eq IP packet with source and destination UDP port equal. disable

tcp-hdr-partial TCP packet with partial header. disable

macsa-eq-macda Packet with source MAC equal to destination MAC. disable
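To make the conditions in the two tables concrete, here is an added Python model (not FortiSwitchOS code) that evaluates them against raw Ethernet II/IPv4 frames. The check names are taken from the tables, the frame layouts follow the Ethernet, IPv4, TCP and UDP standards, the entries described only as "DoS attack checking" (tcp-flag, v4-first-frag) are left out because the page states no condition for them, and the frame builder and test frames are constructed.

```python
"""Added example (not FortiSwitchOS code): a software model of the
"config switch security-feature" checks defined in the tables above,
evaluated against raw Ethernet II / IPv4 frames. Checks the tables describe
only as "DoS attack checking" (tcp-flag, v4-first-frag) are not modelled;
"partial header" is taken to mean an unfragmented TCP packet shorter than
the 20-byte minimum header. All frames below are constructed, not captured."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x20


def parse_frame(frame: bytes) -> dict:
    """Extract the L2/L3/L4 fields the checks need; {} for non-IPv4 or malformed frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {}
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", frame[14:24])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return {}
    pkt = {
        "mac_dst": frame[0:6], "mac_src": frame[6:12],
        "ip_src": frame[26:30], "ip_dst": frame[30:34],
        "proto": proto, "frag_offset": flags_frag & 0x1FFF,
    }
    l4 = frame[14 + ihl:]
    if pkt["frag_offset"] != 0:          # later fragments carry no L4 header
        return pkt
    if proto == 6:                        # TCP header: ports, seq, ack, offset+flags
        pkt["l4_len"] = len(l4)
        if len(l4) >= 14:
            sport, dport, seq, _, off_flags = struct.unpack("!HHIIH", l4[:14])
            pkt.update(sport=sport, dport=dport, seq=seq, tcp_flags=off_flags & 0x3F)
    elif proto == 17 and len(l4) >= 4:    # UDP header: ports first
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt


def _flags_set(p: dict, mask: int) -> bool:
    return "tcp_flags" in p and (p["tcp_flags"] & mask) == mask


# name -> predicate; names follow the "all other FortiSwitch models" table,
# with the three precisely defined FS-112D-POE extras at the end
CHECKS = {
    "sip-eq-dip": lambda p: p["ip_src"] == p["ip_dst"],
    "tcp-port-eq": lambda p: p["proto"] == 6 and "sport" in p and p["sport"] == p["dport"],
    "tcp-flag-FUP": lambda p: _flags_set(p, TCP_FIN | TCP_URG | TCP_PSH) and p["seq"] == 0,
    "tcp-flag-SF": lambda p: _flags_set(p, TCP_SYN | TCP_FIN),
    "udp-port-eq": lambda p: p["proto"] == 17 and "sport" in p and p["sport"] == p["dport"],
    "tcp-hdr-partial": lambda p: p["proto"] == 6 and p.get("l4_len", 20) < 20,
    "macsa-eq-macda": lambda p: p["mac_src"] == p["mac_dst"],
    "tcp-udp-port-zero": lambda p: p.get("sport") == 0 or p.get("dport") == 0,
    "tcp_flag_zero": lambda p: p.get("tcp_flags") == 0,
    "tcp_flag_SR": lambda p: _flags_set(p, TCP_SYN | TCP_RST),
}


def violations(frame: bytes, enabled: set) -> list:
    """Names of the enabled checks this frame trips; a non-empty list means the switch drops it."""
    pkt = parse_frame(frame)
    if not pkt:
        return []
    return [name for name, test in CHECKS.items() if name in enabled and test(pkt)]


def build_frame(mac_src, mac_dst, ip_src, ip_dst, proto, l4, frag_offset=0) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 without options (checksum left 0) + L4 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1,
                         frag_offset & 0x1FFF, 64, proto, 0, ip_src, ip_dst)
    return mac_dst + mac_src + b"\x08\x00" + ip_hdr + l4


def tcp_segment(sport, dport, flags, seq=0) -> bytes:
    """Minimal 20-byte TCP header (data offset 5) with the given flag bits."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
```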

Logging

FortiSwitchOS provides a robust logging environment that enables you to monitor, store, and report traffic information
and FortiSwitch events, including attempted logins and hardware status. Depending on your requirements, you can log
to a number of different hosts.

To configure event logging using the GUI:

1. Go to Log > Config.
2. Under Event Type, select Enable.
3. Under Event Type, select the categories of events that you want logged.
4. Select Apply.

To configure event logging using the CLI:

config log eventfilter
set event {enable | disable}
set link {enable | disable}
set poe {enable | disable}
set router {enable | disable}
set spanning_tree {enable | disable}
set switch {enable | disable}
set switch_controller {enable | disable}
set system {enable | disable}
set user {enable | disable}
end

To view the event logs in the GUI:

1. Go to Log > Entries.
2. From the Subtype dropdown list, select the type of log entries to view.
3. From the Level dropdown list, select the severity of events to view.
4. From the User dropdown list, select which user or process generated the log entry.
5. From the User Interface dropdown list, select the IP network service that applies to the log entry.
6. From the Action dropdown list, select the event to view.
7. From the Status dropdown list, select the event result to view.

To view the event logs in the CLI:

show log eventfilter

Syslog server

Syslog is an industry standard for collecting log messages for off-site storage. You can send logs to a single syslog
server. The syslog server can be configured in the GUI or CLI. Reliable syslog (RFC 6587) can be configured only in the
CLI.

To configure a syslog server in the GUI:

1. Go to Log > Config.
2. Under Syslog, select Enable.
3. Select the severity of events to log.
4. Enter the IP address or fully qualified domain name in the Server field.
5. Enter the port number that the syslog server will use. By default, port 514 is used.
6. Select Apply.

To configure a syslog server in the CLI:

config log syslogd setting
set status enable
set server <IP address or FQDN of the syslog server>
set port <port number that the syslog server will use for logging traffic>
set facility <facility used for remote syslog>
set source-ip <source IP address of the syslog server>
end

For example, to set the source IP address of a syslog server to have an IP address of 192.168.4.5:
config log syslogd setting
set status enable
set source-ip 192.168.4.5
end

To configure a reliable syslog server in the CLI:

config log syslogd setting
set status enable
set server <IP address or FQDN of the syslog server>
set mode reliable
set port <port number that the syslog server will use for logging traffic>
set enc-algorithm {high | high-medium | low}
set certificate <certificate_used_to_communicate_with_syslog_server>
end

For example:
config log syslogd setting
set status enable
set source-ip 192.168.4.5
set mode reliable
set port 6514 // This is the default port used for reliable syslog.
set enc-algorithm high-medium
set certificate "155-sub-client"
end

Fault relay support

Fault relays are normally closed relays. When the FSR-112D-POE loses power, the relay contact is in a closed state,
and the alarm circuit is triggered.

Using SSH and the Telnet client

Starting in FortiSwitchOS 6.2.0, you can use both IPv4 and IPv6 addresses with SSH and Telnet. If the IPv6 address is a
link-local address, you must specify an output interface using %. For example:
execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute ssh admin@172.20.120.122
execute ssh 1002::21
execute ssh 12.345.6.78
execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute telnet 1002::21
execute telnet 12.345.6.78

Configuring SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have
read-only access to FortiSwitch system information through queries and can receive trap messages from the FortiSwitch
unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting
the FortiSwitch MIB File download link.
This chapter covers the following topics:
l SNMP access on page 58
l SNMP agent on page 59
l SNMP community on page 59

SNMP access

Ensure that the management VLAN has SNMP added to the access-profiles.

Using the GUI:

1. Go to System > Network > Interface > Physical.
2. Select Edit for the mgmt interface.
3. Select SNMP in the access section.
4. Select Update.

Using the CLI:

config system interface
edit <name>
set allowaccess <access_types>
next
end

NOTE: Re-enter the existing allowed access types and add snmp to the list.

SNMP agent

Create the SNMP agent.

Using the GUI:

1. Go to System > Config > SNMP > Settings.
2. Select Agent Enabled.
3. Enter a descriptive name for the agent.
4. Enter the location of the FortiSwitch unit.
5. Enter a contact or administrator for the SNMP agent or FortiSwitch unit.
6. Select Apply.

Using the CLI:

config system snmp sysinfo
set status enable
set contact-info <contact_information>
set description <description_of_FortiSwitch>
set location <FortiSwitch_location>
end

SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community,
devices can communicate by sending and receiving traps and other information. One device can belong to multiple
communities, such as one administrator terminal monitoring both a FortiGate SNMP and a FortiSwitch SNMP
community.
Add SNMP communities to your FortiSwitch unit so that SNMP managers can connect to view system information and
receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and
traps. Each community can be configured to monitor the FortiSwitch unit for a different set of events. You can also add
the IP addresses of up to eight SNMP managers for each community.

Adding an SNMP v1/v2c community

Using the GUI:

1. Go to System > Config > SNMP > Communities.
2. Select Add Community.
3. Enter a community name and identifier.
4. Select Add Host and enter the identifier, IP address and netmask, and interface for each host.
5. Select V1, V2C, or both and enter the port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiSwitch unit.
6. Select V1, V2C, or both and enter the local and remote port numbers that the FortiSwitch unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.
7. Select which events to report.
8. Select Add.

Using the CLI:

config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <port_number>
set query-v1-status {enable | disable}
set query-v2c-port <port_number>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set trap-v2c-status {enable | disable}
next
end

Adding an SNMP v3 user

Using the GUI:

1. Go to System > Config > SNMP > Users.
2. Select Add User.
3. Enter a user name.
4. Select a security level to specify the authentication and privacy settings.
5. Enter the port number that the SNMP managers in this community use to receive configuration information from
the FortiSwitch unit.
6. Make certain that Enable Queries is enabled.
7. Select Add.

Using the CLI:

config system snmp user
edit <index_number>
set queries enable
set query-port <port_number>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password>
next
end

Global system and switch settings

This chapter covers the following topics:
l Configuration file settings on page 61
l SSL configuration on page 62
l Configuration file revisions on page 63
l IP conflict detection on page 64
l Port flap guard on page 64
l Link monitor on page 67
l Unicast hashing on page 69
l Cut-through switching mode on page 69
l Enabling packet forwarding on page 69
l ARP timeout value on page 69
l Power over Ethernet configuration on page 70
l Creating a schedule on page 71
l Overlapping subnets on page 72
l Configuring PTP transparent-clock mode on page 73
l Configuring auto topology on page 74

Configuration file settings

You can set preferences for saving configuration files:
1. Go to System > Config > Backup.
2. Select one of the Configuration Save options:
l Automatically Save—The system automatically saves the configuration after each change.
l Manually Save—You must manually save configuration changes from the Backup link on the System > Dashboard.
l Manually Save and Revert Upon Timeout—You must manually save configuration changes. The system reverts to the saved configuration after a timeout. You can set the timeout using the CLI:
config system global
set cfg-revert-timeout <integer>
end
3. If you select Revision Backup on Logout, the FortiSwitch unit creates a configuration file each time a user logs out.
4. If you select Revision Backup on Upgrade, the FortiSwitch unit creates a configuration file before starting a system upgrade.
5. Select Update.

SSL configuration

You can set strong cryptography and select which certificates are used by the FortiSwitch unit.

Using the GUI:

1. Go to System > Config > SSL.
2. Select Strong Crypto to use strong cryptography for HTTPS and SSH access.
3. Select one of the 802.1x certificate options:
l Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
l Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
l Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
l Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
4. Select one of the 802.1x certificate authority (CA) options:
l Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
l Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
l Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
l Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
l Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
5. Select one of the GUI HTTPS certificate options:
l Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
l Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
l Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
l Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
6. Select Update.

Using the CLI:

config system global
set strong-crypto {enable | disable}
set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
end

Configuration file revisions

You can select a configuration file revision to revert to.

Using the GUI:

1. Go to System > Config > Revisions.
The system displays a new page with an entry for each configuration file revision.
2. When you select a revision, the following commands are available:
l Deselect All—deselect all selected revisions.
l Delete—deletes the selected revision file.
l Revert—reverts the system configuration to the selected revision.
l Upload—uploads the selected revision file to your local machine.
3. If you select two revision files, you can select Diff to display the differences between the two files.

Using the CLI:

Use the following command to display the list of configuration file revisions: 
execute revision list config

The FortiSwitch unit assigns a numerical ID to each configuration file. To display a particular configuration file contents,
use the following command and specify the ID of the configuration file:
execute revision show config id <ID number>

The following example displays the list of configuration file revisions:
# execute revision list config
ID TIME ADMIN FIRMWARE VERSION COMMENT
1 2015-08-31 11:11:00 admin V3.0.0-build117-REL0 Automatic backup (session expired)
2 1969-12-31 16:06:29 admin V3.0.0-build150-REL0 baseline
3 2015-08-31 15:19:31 admin V3.0.0-build150-REL0 baseline
4 2015-08-31 15:28:00 admin V3.0.0-build150-REL0 with admin timeout

The following example displays the configuration file contents for revision ID 62:

# execute revision show config id 62

#config-version=FS1D24-3.04-FW-build171-160201:opmode=0:vdom=0:user=admin
#conf_file_ver=1784779075679102577
#buildno=0171
#global_vdom=1
config system global
set admin-concurrent enable
...
(output truncated)

IP conflict detection

IP conflicts can occur when two systems on the same network are using the same IP address. The FortiSwitch unit
monitors the network for conflicts and raises a system log message and an SNMP trap when it detects a conflict.
The IP conflict detection feature provides two methods to detect a conflict. The first method relies on a remote device to
send a broadcast ARP (Address Resolution Protocol) packet claiming ownership of a particular IP address. If the IP
address in the source field of that ARP packet matches any of the system interfaces associated with the receiving
FortiSwitch system, the system logs a message and raises an SNMP trap.
For the second method, the FortiSwitch unit actively broadcasts gratuitous ARP packets when any of the following
events occurs:
l System boot-up
l Interface status changes from down to up
l IP address change
If a system is using the same IP address, the FortiSwitch unit receives a reply to the gratuitous ARP. If it receives a
reply, the system logs a message.

Configuring IP conflict detection

IP conflict detection is enabled on a global basis. The default setting is enabled.

Using the GUI:

1. Go to Network > Settings.
2. Select Enable IP Conflict Detection.
3. Select Apply.

Using the CLI:

config system global
set detect-ip-conflict {enable | disable}
end

Viewing IP conflict detection

If the system detects an IP conflict, the system generates the following log message:
IP Conflict: conflict detected on system interface mgmt for IP address 10.10.10.1

Port flap guard

A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols
such as STP. If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents
unwanted access to the physical ports.


The port flap guard detects how many times a port changes status during a specified number of seconds, and the
system shuts down the port if necessary. You can manually reset the port and restore it to the active state.

Retaining the triggered state

When the flap guard is triggered, the status for the port is shown as “triggered” in the output of the diagnose
flapguard status command. By default, rebooting the switch resets the state of the flap guard and removes the
“triggered” state. You can change the setting so that the triggered state is retained across a reboot and remains until
the port is reset. See Resetting a port on page 66.

Using the GUI:

1. Go to Switch > Flap Guard.
2. Select Retain Triggered State Across Reboot.
3. Select Update to save the change.

Using the CLI:

config switch global
set flapguard-retain-trigger enable
end

Configuring the port flap guard

The port flap guard is configured and enabled on each port. The default setting is disabled.
The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30
with a default setting of 5.
The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a
default setting of 30 seconds.
The flap timeout (CLI only) is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The
default setting of 0 means that there is no timeout.
NOTE:
- If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch
  has fully booted up and calculated that the timeout has occurred.
- The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state
  until the switch has fully booted up—at which point the trigger is cleared:
  - FS-1xxE
  - FS-2xxD/E
  - FS-4xxD
  - FS-4xxE

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port.
3. Select Edit.
4. Under Flap Guard, select Enable.
5. Enter values for Flap Duration (Seconds) and Flap Rate.
6. Select Update to save the changes.

Using the CLI:

config switch physical-port
edit <port_name>
set flapguard {enabled | disabled}
set flap-rate <1-30>
set flap-duration <5-300 seconds>
set flap-timeout <0-120 minutes>
end

For example:
config switch physical-port
edit port10
set flapguard enabled
set flap-rate 15
set flap-duration 100
set flap-timeout 30
end
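To make the interaction of flap-rate, flap-duration and flap-timeout concrete, here is an added Python model (not FortiSwitchOS code) of the guard as the guide describes it, fed with the port10 settings from the example above. The trigger rule it assumes is that the guard trips once flap-rate status changes fall inside a sliding window of flap-duration seconds; the status line format is constructed.

```python
"""Port flap guard model built from the flap-rate / flap-duration / flap-timeout settings.

Added example, not FortiSwitchOS code. Assumed trigger rule: when the number of
link status changes seen within the last flap_duration seconds reaches
flap_rate, the port is shut down and marked 'triggered'; a flap_timeout of 0
means it stays triggered until 'execute flapguard reset' is run.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class FlapGuard:
    port: str
    flapguard: bool = False            # set flapguard {enabled | disabled}, default disabled
    flap_rate: int = 5                 # set flap-rate <1-30>
    flap_duration: int = 30            # set flap-duration <5-300 seconds>
    flap_timeout: int = 0              # set flap-timeout <0-120 minutes>, 0 = no timeout
    link_up: bool = False
    shut_down: bool = False
    triggered_at: Optional[float] = None
    _changes: Deque[float] = field(default_factory=deque)

    def __post_init__(self) -> None:
        # enforce the CLI ranges from the guide
        if not 1 <= self.flap_rate <= 30:
            raise ValueError("flap-rate must be 1-30")
        if not 5 <= self.flap_duration <= 300:
            raise ValueError("flap-duration must be 5-300 seconds")
        if not 0 <= self.flap_timeout <= 120:
            raise ValueError("flap-timeout must be 0-120 minutes")

    @property
    def triggered(self) -> bool:
        return self.triggered_at is not None

    def link_change(self, now: float, up: bool) -> bool:
        """Record a link transition at time `now` (seconds); return True if the guard trips."""
        self._expire_timeout(now)
        if up == self.link_up:
            return False                   # not a transition
        self.link_up = up
        if not self.flapguard or self.triggered:
            return False
        self._changes.append(now)
        # keep only transitions inside the sliding flap-duration window
        while self._changes and now - self._changes[0] > self.flap_duration:
            self._changes.popleft()
        if len(self._changes) >= self.flap_rate:
            self.triggered_at = now
            self.shut_down = True          # port is taken out of service
            self._changes.clear()
            return True
        return False

    def _expire_timeout(self, now: float) -> None:
        if (self.triggered and self.flap_timeout
                and now - self.triggered_at >= self.flap_timeout * 60):
            self.reset()

    def reset(self) -> None:
        """Equivalent of 'execute flapguard reset <port_name>'."""
        self.triggered_at = None
        self.shut_down = False
        self._changes.clear()

    def reboot(self, retain_trigger: bool) -> None:
        """Models 'set flapguard-retain-trigger': without it a reboot clears the state."""
        if not retain_trigger:
            self.reset()

    def status(self) -> str:
        """One line in the spirit of 'diagnose flapguard status' (format is constructed)."""
        return (f"{self.port} flapguard={'enabled' if self.flapguard else 'disabled'} "
                f"rate={self.flap_rate} duration={self.flap_duration}s "
                f"timeout={self.flap_timeout}m state={'triggered' if self.triggered else 'ok'}")


def simulate_port10() -> FlapGuard:
    """The guide's port10 settings fed with a link that toggles once a second."""
    guard = FlapGuard("port10", flapguard=True, flap_rate=15, flap_duration=100, flap_timeout=30)
    for second in range(15):                     # 15 transitions inside 100 s
        guard.link_change(float(second), up=(second % 2 == 0))
    return guard
```

With flap-timeout left at 0 the port never clears itself; that is the safer default where flap guard is used to keep a misbehaving or unauthorised device off a port, because an operator has to look before the port returns to service.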

Resetting a port

After the flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the
port and restore it to service.

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select the port that was shut down.
3. Select Reset.

Using the CLI:

execute flapguard reset <port_name>

For example:
execute flapguard reset port15

Viewing the port flap guard configuration

Use the following command to check if the flap guard is enabled on a specific port:
show switch physical-port <port_name>

For example:
show switch physical-port port10

Use the following command to display the port flap guard information for all ports:
diagnose flapguard status

Link monitor

You can monitor the link to a server. The FortiSwitch unit sends periodic ping messages to test that the server is
available. In the CLI, you can use both IPv4 and IPv6 addresses.

Configuring the link monitor

Using the GUI:

1. Go to Router > Config > Link Probes.
2. Select Add Probe to create a new probe.
3. Enter an IP address for the Gateway IP.
4. Configure the other fields as required (see the table in this section for field descriptions).
5. Select Add to create the probe.

Using the CLI:

config system link-monitor
edit <link monitor name>
set addr-mode {ipv4 | ipv6}
set srcintf <string>
set protocol {arp | ping}
set gateway-ip <IPv4 address>
set gateway-ip6 <IPv6 address>
set source-ip <IPv4 address>
set source-ip6 <IPv6 address>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-static-route {enable | disable}
set status {enable | disable}
next
end

Variable and description:

<link monitor name>
    Enter the link monitor name.
addr-mode {ipv4 | ipv6}
    Select whether to use IPv4 or IPv6 addresses. The default is IPv4 addresses.
srcintf <string>
    Interface where the monitor traffic is sent.
protocol {arp | ping}
    Protocol used to detect the server. Select ARP or ping.
gateway-ip <IPv4 address>
    Gateway IPv4 address used to ping the server. This option is available only when addr-mode is set to ipv4.
gateway-ip6 <IPv6 address>
    Gateway IPv6 address used to ping the server. This option is available only when addr-mode is set to ipv6.
source-ip <IPv4 address>
    Source IPv4 address used in packets to the server. This option is available only when addr-mode is set to ipv4.
source-ip6 <IPv6 address>
    Source IPv6 address used in packets to the server. This option is available only when addr-mode is set to ipv6.
interval <integer>
    Detection interval in seconds. The range is 1-3600.
timeout <integer>
    Detect request timeout in seconds. The range is 1-255.
failtime <integer>
    Number of retry attempts before bringing the server down. The range is 1-10.
recoverytime <integer>
    Number of retry attempts before bringing the server up. The range is 1-10.
update-static-route {enable | disable}
    Enable or disable updating the static route. The default is enabled.
status {enable | disable}
    Enable or disable the link monitor administrative status. The default is enabled.
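The following added Python model (not FortiSwitchOS code) shows how the interval, timeout, failtime and recoverytime variables combine into the up/down decision for a monitored gateway. The semantics it assumes: a probe unanswered within timeout seconds is a failure, failtime consecutive failures mark the gateway down, recoverytime consecutive successes bring it back, and with update-static-route enabled the static route follows that state; the event message text is constructed.

```python
"""Link monitor state machine built from the failtime / recoverytime settings.

Added example, not FortiSwitchOS code. Assumed semantics: one probe (ARP or
ping) goes out every `interval` seconds; a probe unanswered within `timeout`
seconds counts as a failure; `failtime` consecutive failures mark the gateway
down and `recoverytime` consecutive successes bring it back; with
update_static_route enabled the static route via the gateway follows that state.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LinkMonitor:
    name: str
    gateway_ip: str
    srcintf: str
    protocol: str = "ping"          # set protocol {arp | ping}
    interval: int = 5               # set interval <1-3600>  (seconds between probes)
    timeout: int = 1                # set timeout <1-255>    (seconds to wait for a reply)
    failtime: int = 5               # set failtime <1-10>
    recoverytime: int = 5           # set recoverytime <1-10>
    update_static_route: bool = True
    status: bool = True             # administrative status
    alive: bool = True
    route_installed: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        ranges = (("interval", self.interval, 1, 3600), ("timeout", self.timeout, 1, 255),
                  ("failtime", self.failtime, 1, 10), ("recoverytime", self.recoverytime, 1, 10))
        for key, value, low, high in ranges:
            if not low <= value <= high:
                raise ValueError(f"{key} must be {low}-{high}")
        if self.protocol not in ("arp", "ping"):
            raise ValueError("protocol must be arp or ping")

    def probe(self, rtt_seconds: Optional[float]) -> bool:
        """Feed one probe result (round-trip time, or None if no reply); return alive state."""
        if not self.status:
            return self.alive                # monitor disabled: nothing changes
        answered = rtt_seconds is not None and rtt_seconds <= self.timeout
        if answered:
            self.consecutive_fail = 0
            self.consecutive_ok += 1
            if not self.alive and self.consecutive_ok >= self.recoverytime:
                self._transition(True)
        else:
            self.consecutive_ok = 0
            self.consecutive_fail += 1
            if self.alive and self.consecutive_fail >= self.failtime:
                self._transition(False)
        return self.alive

    def _transition(self, up: bool) -> None:
        self.alive = up
        self.events.append(f"link-monitor {self.name}: {self.gateway_ip} via {self.srcintf} "
                           f"{'up' if up else 'down'}")           # constructed message text
        if self.update_static_route:
            self.route_installed = up
            self.events.append(f"static route via {self.gateway_ip} "
                               f"{'restored' if up else 'withdrawn'}")

    def detection_time(self) -> int:
        """Worst-case seconds from the first lost reply to the down event (assumed model)."""
        return (self.failtime - 1) * self.interval + self.timeout
```

A reply that arrives but later than the timeout counts as a failure, which is why a probe with a round-trip time above timeout is treated the same as no reply in the test below.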


Unicast hashing

You can configure the trunk hashing algorithm for unicast packets to use the source port:
config switch global
set trunk-hash-unicast-src-port {enable | disable}
end

Cut-through switching mode

By default, all FortiSwitch models use the store-and-forward technique to forward packets. This technique waits until the
entire packet is received, verifies the content, and then forwards the packet.
The FS-1024D, FS-1048D, and FS-3032D models also have a cut-through switching mode to reduce latency. This
technique forwards the packet as soon as the switch receives it.
NOTE: For the FS-3032D model, the cut-through switching mode is not supported on split ports.
To change the switching mode for the main buffer for these three models, use the following commands:
config switch global
set packet-buffer-mode {store-forward | cut-through}
end

NOTE: Changing the switching mode might stop traffic on all ports during the change.

Enabling packet forwarding

NOTE: These commands apply only to the 200 Series and 400 Series.
If you want to use layer-3 interfaces and IGMP snooping on certain FortiSwitch models, you must enable the forwarding
of reserved multicast packets and IPv6 neighbor-discovery packets to the CPU. These features are enabled by default.
config switch global
set reserved-mcast-to-cpu {enable | disable}
set neighbor-discovery-to-cpu {enable | disable}
end

ARP timeout value

By default, ARP entries in the cache are removed after 300 seconds. Use the following commands to change the default
ARP timeout value:
config system global
set arp-timeout <seconds>
end

For example, to set the ARP timeout to 1,000 seconds:
config system global
set arp-timeout 1000
end

Power over Ethernet configuration

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).

PoE is only available on models with the POE suffix in the model number (for example, FS-108E-POE).

Using the GUI:

1. Go to Switch > POE.
2. Set the PoE power mode to priority based or first-come, first-served.
When power to PoE ports is allocated by priority, lower numbered ports have higher priority so that port 1 has the
highest priority. When more power is needed than is available, higher numbered ports are disabled first.
When power to PoE ports is allocated by first-come, first-served (FCFS), connected PoE devices receive power, but
new devices do not receive power if there is not enough power.
If both priority power allocation and FCFS power allocation are selected, the physical port setting takes precedence
over the global setting.

3. Enable or disable PoE pre-standard detection.
PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE,
FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE.
For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

4. Set the maximum power budget in Watts.
5. Enter the power in Watts to reserve in case of a spike in PoE consumption.
6. Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.
If your FortiSwitch unit has a PoE sensor, you can set an alarm for when the current power budget exceeds a
specified percentage of the total power budget. When this threshold is exceeded, log messages and SNMP traps
are generated. The default threshold is 80 percent.
7. Select Update.

Using the CLI:

config switch global
set poe-alarm-threshold <0-100 percent>
set poe-power-mode {first-come-first-served | priority}
set poe-guard-band <1-20 Watts>
set poe-pre-standard-detect {disable | enable}
set poe-power-budget <1-740 Watts>
end

Creating a schedule

Use schedules to control when policies are enforced. For example, you can use a schedule to control when an access
control list policy is enforced.
NOTE: If the status of an ACL policy is inactive, the schedule is ignored.
You can create a one-time schedule, a recurring schedule, or a group schedule:
- Use a one-time schedule when you want a policy enforced for a specified period.
- Use a recurring schedule when you want a policy enforced for specified hours and days every week.
- Use a group schedule to combine one-time schedules and recurring schedules.

To create a one-time schedule:

config system schedule onetime
edit <schedule_name>
set start <time_date>
set end <time_date>
end

For example:
config system schedule onetime
edit schedule1
set start 07:00 2019/03/22
set end 07:00 2019/03/29
end

To create a recurring schedule:

config system schedule recurring
edit <schedule_name>
set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
set start <time>
set end <time>
end

For example:
config system schedule recurring
edit schedule2
set day monday wednesday friday
set start 07:00
set end 08:00
end

To create a group schedule:

config system schedule group
edit <schedule_group_name>
set member <schedule_name1> <schedule_name2> ...
end

For example:
config system schedule group
edit group1
set member schedule1 schedule2
end
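The three schedule types above compose in a simple way: a one-time schedule is a date range, a recurring schedule is a set of weekdays with a daily time window, and a group is active whenever any member is. The following added Python example (not FortiSwitchOS code) evaluates schedule1, schedule2 and group1 from the examples above at a given moment and applies the note that an inactive ACL policy ignores its schedule. It assumes that the start time is inclusive and the end time exclusive, and that a recurring window does not cross midnight.

```python
"""Schedule evaluation for one-time, recurring and group schedules.

Added example, not FortiSwitchOS code. Assumed: a policy bound to a schedule is
enforced only while the schedule is active, start is inclusive and end is
exclusive, and an inactive ACL policy ignores its schedule (as the guide notes).
The date format is the one used in the guide's example ('07:00 2019/03/22').
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Sequence, Union

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_time_date(text: str) -> datetime:
    """Parse '<HH:MM> <YYYY/MM/DD>' as used by 'set start' / 'set end' in a onetime schedule."""
    return datetime.strptime(text, "%H:%M %Y/%m/%d")


def parse_time(text: str) -> time:
    """Parse '<HH:MM>' as used by a recurring schedule."""
    return datetime.strptime(text, "%H:%M").time()


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime
    end: datetime

    def active(self, when: datetime) -> bool:
        return self.start <= when < self.end


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[str]
    start: time
    end: time

    def __post_init__(self) -> None:
        unknown = self.days - set(DAYS)
        if unknown:
            raise ValueError(f"unknown day(s): {sorted(unknown)}")

    def active(self, when: datetime) -> bool:
        if DAYS[when.weekday()] not in self.days:
            return False
        return self.start <= when.time() < self.end


@dataclass(frozen=True)
class GroupSchedule:
    name: str
    members: Sequence[Union[OneTimeSchedule, RecurringSchedule]]

    def active(self, when: datetime) -> bool:
        # a group is active whenever any member schedule is active
        return any(member.active(when) for member in self.members)


Schedule = Union[OneTimeSchedule, RecurringSchedule, GroupSchedule]


def policy_enforced(policy_status: str, schedule: Schedule, when: datetime) -> bool:
    """Decide whether a scheduled ACL policy applies at `when`."""
    if policy_status != "active":
        return False                          # inactive policy: schedule is ignored
    return schedule.active(when)


# The guide's examples: schedule1 (one-time), schedule2 (recurring) and group1.
SCHEDULE1 = OneTimeSchedule("schedule1",
                            parse_time_date("07:00 2019/03/22"), parse_time_date("07:00 2019/03/29"))
SCHEDULE2 = RecurringSchedule("schedule2", frozenset({"monday", "wednesday", "friday"}),
                              parse_time("07:00"), parse_time("08:00"))
GROUP1 = GroupSchedule("group1", (SCHEDULE1, SCHEDULE2))
```

Because the switch evaluates schedules against its own clock, a policy that is supposed to close a window at a fixed time depends on NTP being correct; the same evaluator run against a skewed clock returns a different answer.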

Overlapping subnets

You can use the set allow-subnet-overlap command to allow two interfaces to include the same IP address
in the same subnet. The command applies only between the mgmt interface and an internal interface.
NOTE: Different interfaces cannot have overlapping IP addresses or subnets. The same IP address can be used on
different switches.
For example:
config system global
set admintimeout 480
set allow-subnet-overlap enable
set auto-isl enable
end
config system interface
edit "mgmt"
set ip 172.16.86.112 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set type physical
set alias "test"
set snmp-index 27
next
edit "internal"
set ip 10.0.1.112 255.255.255.0
set allowaccess ping
set type physical
set alias "testing-2"
set snmp-index 26
next
end

Configuring PTP transparent-clock mode

Use Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to
improve the time precision. There are two transparent-clock modes:
- End-to-end measures the path delay for the entire path
- Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:
1. Configure the global PTP settings.
By default, PTP is disabled.
2. Enable the PTP policy.
By default, the PTP policy is disabled.
3. Apply the PTP policy to a port.

To configure the global PTP settings:

config switch ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end

To enable the PTP policy:

config switch ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end

To apply the PTP policy to a port:

config switch interface
edit <port_name>
set ptp-policy {default | <policy_name>}
next
end

For example:
config switch ptp settings
set mode transparent-e2e
end

config switch ptp policy
edit default
set status enable
next
end

config switch interface
edit port12
set ptp-policy default
next
end

Configuring auto topology

Use the auto topology feature to automatically form an inter-switch link (ISL) between two switches. You need to enable
the feature and specify the mgmt-vlan. The mgmt-vlan is the VLAN to use for the native VLAN on ISL ports and the
native VLAN on the internal switch interface.
NOTE: Do not use the same VLAN for the mgmt-vlan and an existing switch virtual interface (SVI).
config switch auto-network
set mgmt-vlan <1-4094>
set status {enable | disable}
end

For example:
config switch auto-network
set mgmt-vlan 101
set status enable
end

config switch interface
edit "internal"
set native-vlan 101
set allowed-vlans 100-102,4094
set stp-state disabled
set snmp-index 53
next
end


Physical port settings

The following sections describe the configuration settings that are associated with FortiSwitch physical ports:
- Configuring general port settings on page 75
- Configuring flow control, priority-based flow control, and ingress pause metering on page 77
- Auto-module speed detection on page 78
- Setting port speed (autonegotiation) on page 78
- Configuring power over Ethernet on a port on page 79
- Energy-efficient Ethernet on page 81
- Diagnostic monitoring interface module status on page 83
- Configuring split ports on page 84
- Configuring QSFP low-power mode on page 87
- Configuring physical port loopbacks on page 87

Configuring general port settings

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select the port to update and then select Edit.
3. Enter an optional description of the port in the Description field.
4. Select Up or Down for the Administrative Status.
5. Select Update to save your changes.

Using the CLI:

config switch physical-port
edit <port_name>
set status {up | down}
set description <string>
set max-frame-size <bytes_int>
end

General port settings include:
- status—Administrative status of the port
- description—Text description for the port
- max-frame-size—Maximum frame size in bytes (between 68 and 9216)
NOTE: For the eight models in the FS-1xxE series, the max-frame-size command is under the config switch
global command.


Viewing port statistics

Using the GUI:

Go to Switch > Monitor > Port Stats.

To clear the statistics on all ports, select Select All and then select Reset Stats.
To clear the statistics on some of the ports, select the ports and then select Reset Stats.


Using the CLI:

diagnose switch physical-ports port-stats list [<list_of_ports>]

For example:
diagnose switch physical-ports port-stats list 1,3,4-6

To clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports:
diagnose switch physical-ports set-counter-zero [<list_of_ports>]

To restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports:
diagnose switch physical-ports set-counter-revert [<list_of_ports>]

Configuring flow control, priority-based flow control, and ingress pause metering

Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.
config switch physical-port
edit <port_name>
set flow-control {both | rx | tx | disable}
end

Parameters enable flow control to do the following:
- rx—receive pause control frames
- tx—transmit pause control frames
- both—transmit and receive pause control frames
Priority-based flow control allows you to avoid frame loss by stopping incoming traffic when a queue is congested.
After you enable priority-based flow control, you then configure whether a port sends or receives a priority-based control
frame:
config switch physical-port
edit <port_name>
set priority-based-flow-control enable
set flow-control {both | rx | tx | disable}
end

When priority-based flow control is disabled, 802.3 flow control can be used.
NOTE: Priority-based flow control does not support half-duplex speed. When FortiSwitch ports are set to autonegotiate
the port speed (the default), priority-based flow control is available if the FortiSwitch model supports it. Lossless buffer
management and traffic class mapping are not supported.


If you enable flow control to transmit pause control frames (with the set flow-control tx command), you can
also use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops
the traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when
the port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering
rate in kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config switch physical-port
edit <port_name>
set flow-control tx
set pause-meter-rate <64–2147483647; set to 0 to disable>
set pause-resume {25% | 50% | 75%}
next
end

For example:
config switch physical-port
edit port29
set flow-control tx
set pause-meter-rate 900
set pause-resume 50%
next
end

Auto-module speed detection

When you enable auto-module speed detection, the system reads information from the module and sets the port speed
to the maximum speed that is advertised by the module. If the system encounters a problem when reading from the
module, it sets the default speed (default value is platform specific).
When auto-module sets the speed, the system creates a log entry noting this speed.
NOTE: Auto-speed detection is supported on 1/10G ports, but not on higher speed ports (such as 40G).

Setting port speed (autonegotiation)

By default, all of the FortiSwitch user ports are set to autonegotiate the port speed. You can also manually set the port
speed. The port speeds available differ, depending on the port and switch.

Using the GUI:

1. Go to Switch > Port > Physical and select the port.
2. Select Edit.
3. Select Auto-Negotiation or the appropriate port speed.
4. Select Update.

Using the CLI:

config switch physical-port
edit <port>
set speed {1000auto | 100full | 100half | 10full | 10half | auto | 10000cr | 10000full |
10000sr | 1000full | auto-module}
end

Viewing auto-module configuration

Display the status of auto-module using the following command:
config switch physical-port
edit port47
show
end
config switch physical-port
edit "port47"
set max-frame-size 16360
set speed 10000full
get
name : port47
description : (null)
flow-control : both
link-status : down
lldp-transmit : disable
max-frame-size : 16360
port-index : 47
speed : 10000full
status : up
end

Link-layer discovery protocol

The Fortinet data center switches support LLDP (transmission and reception). The link layer discovery protocol (LLDP) is
a vendor-neutral layer-2 protocol that enables devices on a layer-2 segment to discover information about each other.
For details, refer to LLDP-MED on page 126.

Configuring power over Ethernet on a port

You can enable PoE, configure dynamic guard band, and set the priority power allocation for a specific port.
The dynamic guard band is set automatically to the expected power of a port before turning on the port. So, when a PoE
device is plugged in, the dynamic guard band is set to the maximum power of the device type based on the AF or AT
mode. The AF mode DGB is 15.4 W, and the AT mode DGB is 36 W. When the FortiSwitch unit is fully loaded, the
dynamic guard band prevents a new PoE device from turning on.


When power to PoE ports is allocated by priority, lower numbered ports have higher priority so that port 1 has the
highest priority. When more power is needed than is available, higher numbered ports are disabled first.
When power to PoE ports is allocated by first-come, first-served (FCFS), connected PoE devices receive power, but new
devices do not receive power if there is not enough power.
If both priority power allocation and FCFS power allocation are selected, the physical port setting takes precedence over
the global setting.

Enabling or disabling PoE in the GUI

1. Go to Switch > Port > Physical.
2. Select a port and then select Edit.
3. For the POE Status, select Enable or Disable.
4. Select a power priority for the port. You can select High Priority, Critical Priority, or Low Priority. If there is not
enough power, power is allotted first to Critical Priority ports, then to High Priority ports, and then to Low Priority
ports.
5. Select Update.

Configuring PoE in the CLI


config switch physical-port
edit <port>
set poe-status {enable | disable}
set poe-port-mode {IEEE802_3AF | IEEE802_3AT}
set poe-port-priority {critical-priority | high-priority | low-priority}
set poe-pre-standard-detect {disable | enable}
end

PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE,
FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE.
For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.
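The global PoE settings (Power over Ethernet configuration, earlier in this guide) and the per-port settings above describe one allocation problem from two sides: a budget minus a guard band, a power mode that is either priority based or first-come, first-served, per-port priority classes, and a dynamic guard band per device class. The following added Python model (not FortiSwitchOS code) puts them together. It assumes that in priority mode critical ports are served before high before low and, within one class, lower port numbers first; that in FCFS mode devices already powered keep their power and a newcomer is refused when the budget is short; and that the class dynamic guard band (AF 15.4 W, AT 36 W, as stated above) is what must fit before a device is turned on. The alarm message text is constructed.

```python
"""PoE power budget allocation covering the global 'poe-power-mode' and the
per-port PoE settings.

Added example, not FortiSwitchOS code. Assumed ordering in priority mode:
critical before high before low priority, and within one class lower port
numbers first; in first-come-first-served mode devices already powered keep
their power and a new device is refused when the budget is short. Before a
device is turned on, its class dynamic guard band (AF 15.4 W, AT 36 W from the
guide) must fit in the budget left after the global guard band.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PRIORITY_RANK = {"critical-priority": 0, "high-priority": 1, "low-priority": 2}
DYNAMIC_GUARD_BAND_W = {"IEEE802_3AF": 15.4, "IEEE802_3AT": 36.0}


@dataclass
class PoePort:
    number: int
    poe_status: bool = True                     # set poe-status {enable | disable}
    poe_port_mode: str = "IEEE802_3AT"          # set poe-port-mode {IEEE802_3AF | IEEE802_3AT}
    poe_port_priority: str = "low-priority"     # set poe-port-priority {critical|high|low}-priority
    draw_w: float = 0.0                         # measured draw of the attached device, 0 = none
    powered: bool = False


@dataclass
class PoeSwitch:
    poe_power_budget: float                     # set poe-power-budget <1-740 Watts>
    poe_guard_band: float = 1.0                 # set poe-guard-band <1-20 Watts>
    poe_power_mode: str = "priority"            # set poe-power-mode {first-come-first-served | priority}
    poe_alarm_threshold: int = 80               # set poe-alarm-threshold <0-100 percent>
    ports: Dict[int, PoePort] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.poe_power_budget <= 740:
            raise ValueError("poe-power-budget must be 1-740 W")
        if not 1 <= self.poe_guard_band <= 20:
            raise ValueError("poe-guard-band must be 1-20 W")
        if self.poe_power_mode not in ("first-come-first-served", "priority"):
            raise ValueError("unknown poe-power-mode")
        if not 0 <= self.poe_alarm_threshold <= 100:
            raise ValueError("poe-alarm-threshold must be 0-100 percent")

    def usable_w(self) -> float:
        """Budget left for devices once the global guard band is held back."""
        return self.poe_power_budget - self.poe_guard_band

    def reserved_w(self) -> float:
        return sum(DYNAMIC_GUARD_BAND_W[p.poe_port_mode] for p in self.ports.values() if p.powered)

    def drawn_w(self) -> float:
        return sum(p.draw_w for p in self.ports.values() if p.powered)

    def connect(self, number: int, draw_w: float) -> bool:
        """A powered device is plugged into a port; return whether it ends up powered."""
        port = self.ports[number]
        port.draw_w = draw_w
        if not port.poe_status:
            port.powered = False
        elif self.poe_power_mode == "first-come-first-served":
            needed = DYNAMIC_GUARD_BAND_W[port.poe_port_mode]
            port.powered = needed <= self.usable_w() - self.reserved_w()
        else:
            self._reallocate_by_priority()
        self._check_alarm()
        return port.powered

    def disconnect(self, number: int) -> None:
        port = self.ports[number]
        port.draw_w, port.powered = 0.0, False
        if self.poe_power_mode == "priority":
            self._reallocate_by_priority()   # freed power can bring lower-priority ports back

    def _reallocate_by_priority(self) -> None:
        candidates = sorted((p for p in self.ports.values() if p.poe_status and p.draw_w > 0),
                            key=lambda p: (PRIORITY_RANK[p.poe_port_priority], p.number))
        remaining = self.usable_w()
        for port in candidates:
            needed = DYNAMIC_GUARD_BAND_W[port.poe_port_mode]
            if needed <= remaining:
                port.powered, remaining = True, remaining - needed
            else:
                port.powered = False       # lower priority / higher numbered ports shed first

    def _check_alarm(self) -> None:
        percent = 100.0 * self.drawn_w() / self.poe_power_budget
        if percent >= self.poe_alarm_threshold:
            # constructed message: the guide says a log and SNMP trap are generated
            self.log.append(f"PoE usage {percent:.0f}% of budget exceeds "
                            f"alarm threshold {self.poe_alarm_threshold}%")


def build_switch(mode: str, threshold: int = 80) -> PoeSwitch:
    """Constructed four-port switch: 100 W budget, 10 W guard band, port 3 critical, port 4 AF."""
    sw = PoeSwitch(poe_power_budget=100, poe_guard_band=10, poe_power_mode=mode,
                   poe_alarm_threshold=threshold)
    for n in (1, 2, 3, 4):
        sw.ports[n] = PoePort(n)
    sw.ports[3].poe_port_priority = "critical-priority"
    sw.ports[4].poe_port_mode = "IEEE802_3AF"
    return sw
```

The two modes differ in who loses when the budget is short: priority mode sheds an already-running low-priority port to admit a critical one, FCFS refuses the newcomer. Which is right depends on what hangs off the ports; a camera or badge reader that must not drop belongs on a critical-priority port under priority mode.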

Determining the PoE power capacity

Using the GUI:

Go to Switch > Port > Physical. The Power column displays the power capacity for each PoE port.

Using the CLI:

get switch poe inline


Resetting the PoE power

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port and then select POE Reset.
3. In the confirmation dialog box, select Reset.

Using the CLI:

execute poe-reset <port>

Displaying PoE information

Using the GUI:

Go to Switch > Port > Physical to see information about each PoE port. Hover over the traffic column to get specific
values.

Using the CLI:

diagnose switch poe status <port>

The following example displays the information for port 6:
diagnose switch poe status port6
Port(6) Power:4.20W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 71mA

Energy-efficient Ethernet

When no data is being transferred through a port, energy-efficient Ethernet (EEE) puts the data link in sleep mode to
reduce the power consumption of the FortiSwitch unit. When data flows through the port, the port resumes using the
normal amount of power. EEE works over standard twisted-pair copper cables and supports 10 Mbps, 100 Mbps, 1 Gbps,
and 10 Gbps. EEE does not reduce bandwidth or throughput.


If you are using the CLI, you can also specify the number of microseconds that circuits are turned off to save power and
the number of microseconds during which no data is transmitted while the circuits that were turned off are being
restarted.
In addition, you can use the LLDP 802.3 TLV to advertise the EEE configuration.
NOTE: EEE is not supported on SFP and QSFP modules.

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port and then select Edit.
3. Under Energy-Efficient Ethernet, select Enable.
4. To save your changes, select Update.

To check which ports have EEE enabled, go to Switch > Port > Physical. A green arrow in the EEE column indicates
that EEE is enabled for that port. A red arrow in the EEE column indicates that EEE is disabled for that port.

Using the CLI:

NOTE: When you change the eee-tx-wake-time value, the port resets, and the connection is lost briefly.
config switch physical-port
edit <port_name>
set energy-efficient-ethernet {enable | disable}
set eee-tx-idle-time <0-2560>
set eee-tx-wake-time <0-2560>
end

For example, to use EEE on port 7:
config switch physical-port
edit port7
set energy-efficient-ethernet enable
set eee-tx-idle-time 500
set eee-tx-wake-time 200
end

To check that EEE is enabled on port 7:
diagnose switch physical-ports eee-status port7

To check which ports have EEE enabled:
diagnose switch physical-ports eee-status

To advertise the EEE configuration in the LLDP 802.3 TLV:
config switch lldp profile
edit <profile_name>
set 802.3-tlvs eee-config
next
end

To check that the EEE configuration is being advertised:
diagnose switch physical-ports eee-status

Diagnostic monitoring interface module status

With diagnostic monitoring interface (DMI), you can view the following information:
- Module details (detail)
- EEPROM contents (eeprom)
- Module limits (limit)
- Module status (status)
- Summary information for all of the modules (summary)

Using the GUI:

Go to Switch > Monitor > Modules.

Using the CLI:

Use the following commands to enable or disable DMI status for the port. If you set the status to global, the port
setting will match the global setting:
config switch physical-port
edit <interface>
set dmi-status {disable | enable | global}
end

Use the get switch modules detail/status command to display DMI information:
FS108E3W14000720 # get switch modules detail port10
____________________________________________________________
Port(port10)
identifier SFP/SFP+
connector Unk (0x00)
transceiver 1000-Base-T
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable 100 meter
SFP Specific
length_smf_100m N/A
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007


The following is an example of the output for the switch modules status command:
FS108E3W14000720 # get switch modules status port9
____________________________________________________________
Port(port9)
alarm_flags 0x0040
warning_flags 0x0040
temperature 18.792969 C
voltage 3.315100 volts
laser_bias 0.750800 mAmps
tx_power -2.502637 dBm
rx_power -40.000000 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x000C ( RX_LOSS TX_POWER_LEVEL1 )
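The status listing above is what a monitoring job would poll to catch a failing or unplugged optic before users notice. The following added Python example (not FortiSwitchOS code) parses a copy of the port9 output above into typed fields, decodes the options word and returns the findings a check would raise. The bit layout it uses for the options word (bit 0 TX_DISABLE, bit 1 TX_FAULT, bit 2 RX_LOSS, bit 3 TX_POWER_LEVEL1) is inferred from that output, where 0x000F lists all four names and 0x000C lists the last two; the -30 dBm receive floor is an assumed threshold, not a value from the guide.

```python
"""Parser and health check for the 'get switch modules status' listing.

Added example, not FortiSwitchOS code. The sample below is a copy of the
guide's port9 output. The bit layout of the options word (bit 0 TX_DISABLE,
bit 1 TX_FAULT, bit 2 RX_LOSS, bit 3 TX_POWER_LEVEL1) is inferred from that
output (0x000F lists all four names, 0x000C lists the last two), and the
-30 dBm receive floor used by the check is an assumed threshold.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_STATUS = """\
FS108E3W14000720 # get switch modules status port9
____________________________________________________________
Port(port9)
alarm_flags 0x0040
warning_flags 0x0040
temperature 18.792969 C
voltage 3.315100 volts
laser_bias 0.750800 mAmps
tx_power -2.502637 dBm
rx_power -40.000000 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x000C ( RX_LOSS TX_POWER_LEVEL1 )
"""

OPTION_BITS = {0: "TX_DISABLE", 1: "TX_FAULT", 2: "RX_LOSS", 3: "TX_POWER_LEVEL1"}


def decode_options(word: int) -> List[str]:
    """Names of the option bits set in `word`, lowest bit first."""
    return [name for bit, name in sorted(OPTION_BITS.items()) if word >> bit & 1]


@dataclass(frozen=True)
class ModuleStatus:
    port: str
    alarm_flags: int
    warning_flags: int
    temperature_c: float
    voltage_v: float
    laser_bias_ma: float
    tx_power_dbm: float
    rx_power_dbm: float
    options: int
    options_status: int

    def asserted(self) -> List[str]:
        """Option signals currently asserted according to options_status."""
        return decode_options(self.options_status)


def parse_module_status(text: str) -> ModuleStatus:
    """Turn one 'get switch modules status <port>' listing into a ModuleStatus."""
    port = None
    kv: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"Port\((\S+)\)", line)
        if m:
            port = m.group(1)
            continue
        m = re.match(r"([a-z_]+)\s+(\S+)", line)   # key, then first token of the value
        if m:
            kv[m.group(1)] = m.group(2)
    required = ("alarm_flags", "warning_flags", "temperature", "voltage",
                "laser_bias", "tx_power", "rx_power", "options", "options_status")
    missing = [k for k in required if k not in kv]
    if port is None or missing:
        raise ValueError(f"not a complete module status listing; missing {missing}")
    return ModuleStatus(
        port=port,
        alarm_flags=int(kv["alarm_flags"], 16),
        warning_flags=int(kv["warning_flags"], 16),
        temperature_c=float(kv["temperature"]),
        voltage_v=float(kv["voltage"]),
        laser_bias_ma=float(kv["laser_bias"]),
        tx_power_dbm=float(kv["tx_power"]),
        rx_power_dbm=float(kv["rx_power"]),
        options=int(kv["options"], 16),
        options_status=int(kv["options_status"], 16),
    )


def check_module(status: ModuleStatus, rx_floor_dbm: float = -30.0) -> List[str]:
    """Findings a monitoring job would raise for this module."""
    findings = []
    if "RX_LOSS" in status.asserted():
        findings.append(f"{status.port}: RX_LOSS asserted, no signal on the receive fibre")
    if status.rx_power_dbm <= rx_floor_dbm:
        findings.append(f"{status.port}: rx_power {status.rx_power_dbm:.1f} dBm is at or below "
                        f"the {rx_floor_dbm:.0f} dBm floor")
    if status.alarm_flags:
        findings.append(f"{status.port}: alarm_flags 0x{status.alarm_flags:04X} set, compare "
                        f"against the module limits listing")
    if status.warning_flags:
        findings.append(f"{status.port}: warning_flags 0x{status.warning_flags:04X} set")
    return findings
```

The parser only trusts keys it knows and refuses an incomplete listing, so a truncated or differently formatted output raises rather than silently producing a half-filled record; the alarm and warning flag words are carried through as integers because the guide does not document their bit meanings.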

Configuring split ports

On FortiSwitch models that provide 40G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout
cable to convert one 40G interface into four 10G interfaces.

Notes

- Splitting ports is supported on the following FortiSwitch models:
  - 3032D (ports 5 to 28 are splittable)
  - 3032E (ports can be split into 4 x 25G when configured in 100G QSFP28 mode or into 4 x 10G when configured in
    40G QSFP mode. Use the set <port-name>-phy-mode disabled command to disable some 100G ports to allow
    up to sixty-two 100G/25G/10G/1G ports.)
  - 524D, 524D-FPOE (ports 29 and 30 are splittable)
  - 548D, 548D-FPOE (ports 53 and 54 are splittable)
  - 1048E (in the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or
    2 x 50G. Only two of the available ports can be split.)
  - 1048E (in the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All
    four ports can be split, but ports 47 and 48 are disabled.)
  - 1048E (in the 6 x 40G configuration, ports 49, 50, 51, 52, 53, and 54 are splittable as 4 x 10G or 4 x 1G.)
  Use the set port-configuration ? command to check which ports are supported for each model.
- Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
  only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D, the 3032E, and the
  1048E models have enough ports to encounter this limit.
- Starting in FortiOS 6.2.0, splitting ports is supported in FortiLink mode (that is, the FortiSwitch unit managed by a
  FortiGate unit).
- Starting in FortiSwitchOS 6.4.0, FC-FEC (cl74) is enabled as the default setting for ports that have been split to
  4x25G. Use the following commands to change the setting:

config switch physical-port
edit <split_port_name>
set fec-state {cl74 | disabled}
end


Configuring a split port

Use the following commands to configure a split port:
config switch phy-mode
set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}
set <port-name>-phy-mode {single-port | 4x25G | 4x10G | 4x1G | 2x50G}
...
(one entry for each port that supports split port)
end

The following settings are available:
- disable-port54—For 548D and 548D-FPOE, only port53 is splittable; port54 is unavailable.
- disable-port41-48—For 548D and 548D-FPOE, port41 to port48 are unavailable, but you can configure
  port53 and port54 in split-mode.
- 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
- 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.
- 4x4x25G—For 1048E, enable the maximum speed (100G) of ports 49 through 52; each split port has a maximum
  speed of 25G. Ports 47 and 48 are disabled.
- single-port—Use the port at the full base speed without splitting it.
- 4x25G—For 100G QSFP only, split one port into four subports of 25 Gbps each.
- 4x10G—For 40G or 100G QSFP only, split one port into four subports of 10 Gbps each.
- 4x1G—For 40G or 100G QSFP only, split one port into four subports of 1 Gbps each.
- 2x50G—For 100G QSFP only, split one port into two subports of 50 Gbps each.
In the following example, a FortiSwitch 3032D model is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode
    set port5-phy-mode 1x40G
    set port6-phy-mode 1x40G
    set port7-phy-mode 1x40G
    set port8-phy-mode 1x40G
    set port9-phy-mode 1x40G
    set port10-phy-mode 4x10G
    set port11-phy-mode 1x40G
    set port12-phy-mode 1x40G
    set port13-phy-mode 1x40G
    set port14-phy-mode 4x10G
    set port15-phy-mode 1x40G
    set port16-phy-mode 1x40G
    set port17-phy-mode 1x40G
    set port18-phy-mode 1x40G
    set port19-phy-mode 1x40G
    set port20-phy-mode 1x40G
    set port21-phy-mode 1x40G
    set port22-phy-mode 1x40G
    set port23-phy-mode 1x40G
    set port24-phy-mode 1x40G
    set port25-phy-mode 1x40G
    set port26-phy-mode 1x40G
    set port27-phy-mode 1x40G
    set port28-phy-mode 4x10G
end

In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25
Gbps each.
config switch phy-mode
    set port-configuration 4x4x25G
    set port49-phy-mode 4x25G
    set port50-phy-mode 4x25G
    set port51-phy-mode 4x25G
    set port52-phy-mode 4x25G
end

The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of configuration
on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y

To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
        set speed 40000full
    next
    edit "port2"
        set lldp-profile "default-auto-isl"
        set speed 40000full
    next
    edit "port3"
        set lldp-profile "default-auto-isl"
        set speed 40000full
    next
    edit "port4"
        set lldp-profile "default-auto-isl"
        set speed 40000full
    next
    edit "port5.1"
        set speed 10000full
    next
    edit "port5.2"
        set speed 10000full
    next
    edit "port5.3"
        set speed 10000full
    next
    edit "port5.4"
        set speed 10000full
    next
end
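Because applying a split-port change reboots the switch and discards the configuration of removed ports, it is worth checking a planned set of phy-modes against the 64-port software limit before entering the end command. The following is an added example (not Fortinet code) that does that count: the number of front-panel ports per model is an assumption passed in by the caller (32 is used for the 3032D, which has 32 QSFP ports), and the subport naming follows the ".x" notation shown above.

```python
"""Planning check for FortiSwitch split ports (added example, not Fortinet code).

The guide states a software limit of 64 ports including the management port, so
at most 10 QSFP ports can be split four ways. This counts the logical ports a
planned set of <port>-phy-mode values would produce and lists the resulting
port names. The base port count per model is an assumption supplied by the caller.
"""

# Subports produced by each phy-mode value that the guide documents.
SUBPORTS = {
    "single-port": 1,
    "1x40G": 1,      # unsplit mode as written in the guide's 3032D example
    "4x25G": 4,
    "4x10G": 4,
    "4x1G": 4,
    "2x50G": 2,
}
MAX_PORTS = 64  # software limit, management port included


def subport_names(port, mode):
    """Names the switch exposes for a port in the given phy-mode ('port5.1', ...)."""
    n = SUBPORTS[mode]
    return [port] if n == 1 else [f"{port}.{i}" for i in range(1, n + 1)]


def logical_port_count(base_ports, phy_modes, mgmt_ports=1):
    """Count ports after splitting.

    base_ports: physical front-panel ports on the model (assumed, e.g. 32 for a 3032D).
    phy_modes:  {"port10": "4x10G", ...}; ports not listed stay unsplit.
    """
    count = base_ports + mgmt_ports
    for port, mode in phy_modes.items():
        if mode not in SUBPORTS:
            raise ValueError(f"{port}: unknown phy-mode {mode!r}")
        count += SUBPORTS[mode] - 1  # the parent port is replaced by its subports
    return count


def check_split_plan(base_ports, phy_modes):
    """Return (fits_in_limit, logical_port_count, resulting_port_names)."""
    count = logical_port_count(base_ports, phy_modes)
    names = []
    for i in range(1, base_ports + 1):
        port = f"port{i}"
        names.extend(subport_names(port, phy_modes.get(port, "single-port")))
    return count <= MAX_PORTS, count, names


if __name__ == "__main__":
    # The guide's 3032D example: ports 10, 14 and 28 split to 4x10G.
    plan = {f"port{i}": "4x10G" for i in (10, 14, 28)}
    ok, count, names = check_split_plan(32, plan)
    print(ok, count, names[8:14])
```

With 10 ports split the count is 63 and the plan fits; an eleventh split port pushes it to 66, which the check rejects before any reboot is triggered.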


Configuring QSFP low-power mode

On FortiSwitch models with QSFP (quad small form-factor pluggable) ports, you can enable or disable the low-power
mode with the following CLI commands:
config switch physical-port
    edit <port_name>
        set qsfp-low-power-mode {enabled | disabled}
    end

For example:

config switch physical-port
    edit port12
        set qsfp-low-power-mode disabled
    end

Configuring physical port loopbacks

You can use the CLI to loop a physical port back on itself, either locally or remotely:
• The local loopback is a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-
address loopback is used instead.
• The remote loopback is a physical-layer lineside loopback.
By default this feature is disabled.

To configure a physical port loopback:

config switch physical-port
    edit <port_name>
        set loopback {disable | local | remote}
    next
end


Layer-2 interfaces

This chapter covers the following topics:


• Switched interfaces on page 88
• Dynamic MAC address learning on page 89
• Persistent (sticky) MAC addresses on page 91
• Static MAC addresses on page 92
• Loop guard on page 93

Switched interfaces

The default configuration suffices for regular switch ports. By default, the VLAN is set to 1, STP is enabled, and all other
optional capabilities are disabled.
You can configure optional capabilities such as Spanning Tree Protocol, sFlow, 802.1x authentication, and private
VLANs. These capabilities are covered in subsequent sections of this document.

Using the GUI:

1. Go to Switch > Interface > Physical.
2. Select one or more interfaces to update and select Edit.
If you selected more than one port, the port names are displayed in the name field, separated by commas.
3. Enter new values as required for the Native VLAN and Allowed VLANs fields.
4. Select OK to save your changes.

Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan>
        set allowed-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set untagged-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set stp-state {enabled | disabled}
        set edge-port {enabled | disabled}
    end

Viewing interface configuration

Using the GUI:

Go to Switch > Interface > Physical.

Using the CLI:

show switch interface <port>


To display the port settings, use the following commands:

config switch interface
    edit <port>
        get

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted
when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet
with an unknown MAC address (to drop or forward the packet).
You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the
learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning
to the system log.

Configuring dynamic MAC address learning

Use the following CLI commands to configure dynamic MAC address learning:


config switch physical-port
    edit <port>
        set l2-learning {enable | disable}
        set l2-unknown {drop | forward}
    end
config switch interface
    edit <port>
        set learning-limit <0-128>
    end
config switch vlan
    edit <VLAN_ID>
        set learning {enable | disable}
        set learning-limit <0-128>
    end

NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.

Changing when MAC addresses are deleted

By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1,000,000 seconds.
Set the value to zero to never delete learned MAC addresses.
Use the following command to change this value:

config switch global
    set mac-aging-interval 200
end


Logging dynamic MAC address events

By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events
are logged:
• When a dynamic MAC address is learned
• When a dynamic MAC address is moved
• When a dynamic MAC address is deleted
NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a
short period of time, some events might not be logged.

To enable the logging of dynamic MAC address events:

config switch interface
    edit <interface_name>
        set log-mac-event enable
    end

To view the log entries:

execute log display

Using the learning-limit violation log

If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.
To enable or disable the learning-limit violation log, use the following commands. By default, the learning-limit violation
log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more
violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are
displayed in the console.
NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.
config switch global
    set log-mac-limit-violations {enable | disable}
end

To view the content of the learning-limit violation log, use one of the following commands:
• get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit
on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was
exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
• get switch mac-limit-violations interface <interface_name>—to see the first MAC address
that exceeded the learning limit on a specific interface
• get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded
the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.


To reset the learning-limit violation log, use one of the following commands:
• execute mac-limit-violation reset all—to clear all learning-limit violation logs
• execute mac-limit-violation reset interface <interface_name>—to clear the learning-limit
violation log for a specific interface
• execute mac-limit-violation reset vlan <VLAN_ID>—to clear the learning-limit violation log for a
specific VLAN
To specify how often the learning-limit violation log is reset, use the following commands:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer <0-1500>
end

For example:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer 60
end
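The interaction between learning limits, aging and the violation log is easier to see when run against a sequence of frames. The following is an added example (not Fortinet code) that models the behaviour described in the sections above: per-interface and per-VLAN learning-limit values of 1 to 128 (0 meaning no limit), entries aged out after mac-aging-interval seconds (0 meaning never), l2-learning disabled with an l2-unknown action, and a violation log that keeps only the first violation per interface or VLAN until it is reset. The log line formats and MAC addresses are constructed for the example.

```python
"""Model of FortiSwitch dynamic MAC learning, learning limits and the
learning-limit violation log (added example, not Fortinet code).

Built from the guide's description: limits of 1-128 per interface or VLAN
(0 = no limit), entries aged out after mac-aging-interval seconds (0 = never),
and only the first violation per interface or VLAN kept until the log is reset.
Log line formats are constructed for this example.
"""


class MacTable:
    def __init__(self, mac_aging_interval=300, log_mac_limit_violations=False):
        self.aging = mac_aging_interval
        self.log_violations = log_mac_limit_violations
        self.entries = {}        # (vlan, mac) -> {"port": str, "last_seen": float}
        self.port_limit = {}     # port -> learning-limit
        self.vlan_limit = {}     # vlan -> learning-limit
        self.l2_learning = {}    # port -> bool (default: enabled)
        self.l2_unknown = {}     # port -> "drop" | "forward"
        self.violations = {}     # ("interface", port) | ("vlan", vid) -> (mac, vlan, port)
        self.syslog = []         # constructed log lines

    @staticmethod
    def _check_limit(limit):
        if not 0 <= limit <= 128:
            raise ValueError("learning-limit must be 0-128")
        return limit

    def set_port_limit(self, port, limit):
        self.port_limit[port] = self._check_limit(limit)

    def set_vlan_limit(self, vlan, limit):
        self.vlan_limit[vlan] = self._check_limit(limit)

    def set_l2_learning(self, port, enabled, unknown="forward"):
        """Changing l2-learning flushes the port's existing dynamic entries."""
        self.l2_learning[port] = enabled
        self.l2_unknown[port] = unknown
        for key in [k for k, e in self.entries.items() if e["port"] == port]:
            del self.entries[key]

    def _count(self, port=None, vlan=None):
        return sum(1 for (v, _), e in self.entries.items()
                   if (port is None or e["port"] == port) and (vlan is None or v == vlan))

    def _violation(self, key, mac, vlan, port):
        self.syslog.append(f"warning: learning limit exceeded on {key[0]} {key[1]}: "
                           f"{mac} vlan {vlan} port {port}")
        # The violation log keeps one entry per interface/VLAN until it is reset.
        if self.log_violations and key not in self.violations:
            self.violations[key] = (mac, vlan, port)

    def learn(self, port, vlan, mac, now):
        """Process the source MAC of a frame received on port/vlan at time `now`.
        Returns what happened; for an unknown source on a port with learning
        disabled, returns the port's l2-unknown action."""
        key = (vlan, mac)
        if key in self.entries:
            entry = self.entries[key]
            if entry["port"] != port:
                self.syslog.append(f"mac-move {mac} vlan {vlan} {entry['port']} -> {port}")
                entry["port"] = port
            entry["last_seen"] = now
            return "refreshed"
        if not self.l2_learning.get(port, True):
            return self.l2_unknown.get(port, "forward")
        plimit = self.port_limit.get(port, 0)
        if plimit and self._count(port=port) >= plimit:
            self._violation(("interface", port), mac, vlan, port)
            return "limit-exceeded"
        vlimit = self.vlan_limit.get(vlan, 0)
        if vlimit and self._count(vlan=vlan) >= vlimit:
            self._violation(("vlan", vlan), mac, vlan, port)
            return "limit-exceeded"
        self.entries[key] = {"port": port, "last_seen": now}
        self.syslog.append(f"mac-learned {mac} vlan {vlan} port {port}")
        return "learned"

    def age(self, now):
        """Delete entries idle for mac-aging-interval seconds; returns how many."""
        if self.aging == 0:
            return 0
        expired = [k for k, e in self.entries.items() if now - e["last_seen"] >= self.aging]
        for vlan, mac in expired:
            self.syslog.append(f"mac-deleted {mac} vlan {vlan}")
            del self.entries[(vlan, mac)]
        return len(expired)

    def reset_violations(self, key=None):
        """execute mac-limit-violation reset {all | interface <name> | vlan <id>}."""
        if key is None:
            self.violations.clear()
        else:
            self.violations.pop(key, None)
```

Note that a limit set to 2 records the third address seen as the violation and keeps it even when a fourth arrives, which is the behaviour an operator investigating a flood of addresses on one access port should expect from the get switch mac-limit-violations output.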

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
NOTE:
• You cannot use persistent MAC addresses with 802.1x authentication.
• If you move a device within your network that has a sticky MAC address entry on the switch, remove the sticky MAC
address entry from the interface. If you move the device and do not clear the sticky MAC address from the original
port it was learned on, the new port will not learn the MAC address of the device.

Using the GUI:

1. Go to Switch > MAC Entries.
2. Select Add MAC Entry to create a new item.
3. Select an interface and enter a value for MAC Address and VLAN.
4. Select Sticky.
5. Select Add to create the MAC entry.

To delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:
1. Go to Switch > Monitor > Forwarding Table.
2. In the Unsaved sticky MACs on field, select an interface or select All.
3. Select Delete.


Using the CLI:

Use the following command to configure the persistence of MAC addresses on an interface:
config switch interface
    edit <port>
        set sticky-mac {enable | disable}
    next
end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following command to save persistent MAC addresses for a specific interface or all interfaces:
execute sticky-mac save {all | interface <interface_name>}

Use the following command to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute sticky-mac delete-unsaved {all | interface <interface_name>}

Static MAC addresses

You can configure one or more static MAC addresses on an interface.

Using the GUI:

1. Go to Switch > MAC Entries.
2. Select Add MAC Entry to create a new item.
3. Select an interface and enter a value for MAC Address and VLAN.
4. Select Add to create the MAC entry.

Using the CLI:

config switch static-mac
    edit <sequence_number>
        set description <optional_string>
        set interface <interface_name>
        set mac <static_MAC_address>
        set type {sticky | static}
        set vlan-id <VLAN_ID>
    end

For example:

config switch static-mac
    edit 1
        set description "first static MAC address"
        set interface port10
        set mac d6:dd:25:be:2c:43
        set type static
        set vlan-id 10
    end

Loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Loop guard helps to
prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops.
The loop guard feature is designed to work in concert with STP rather than as a replacement for it. Each port that has
loop guard enabled periodically broadcasts loop guard data packets (LGDP) to its network. If one of those broadcast
packets is subsequently received by the sending port, a loop exists downstream.
You can also have the port check the rate of MAC address moves per second; a physical loop is indicated only when the
rate exceeds the configured threshold for 6 consecutive seconds.
NOTE: If a port detects a loop, the system takes the port out of service to protect the overall network. The port returns
to service after a configured timeout duration. If the timeout value is zero, you must manually reset the port.
By default, loop guard is disabled on all ports. When loop guard is enabled, the default loop-guard-timeout is 45
minutes, and the default loop-guard-mac-move-threshold is 0, which means that the traditional loop guard is
used instead of the MAC-move loop guard.

Configuring loop guard

Using the GUI:

1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select one or more interfaces to update and then select Edit.
If you selected more than one port, the port names are displayed in the name field, separated by commas.
3. Select Enable Loop Guard.
4. Select OK to save your changes.

Using the CLI:

config switch interface
    edit <port_name>
        set loop-guard {enabled | disabled}
        set loop-guard-timeout <0-120 minutes>
        set loop-guard-mac-move-threshold <0-100 MAC address moves per second>
    end

When loop guard takes a port out of service, the system creates the following log message:

    Loop Guard: loop detected on <port_name>. Shutting down <port_name>

Use the following command to reset a port that detected a loop:

    execute loop-guard reset <port>
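Both detection paths described above, together with the timeout and manual-reset behaviour, can be exercised on a single modelled port. The following is an added example (not Fortinet code); the LGDP packet content is a constructed stand-in (a switch identifier plus port name) since the guide does not describe the packet format, and the per-second MAC-move counts are fed in by the caller.

```python
"""Model of FortiSwitch loop guard on one port (added example, not Fortinet code).

Two detection paths from the guide: the port's own LGDP packet coming back
(traditional loop guard), and a MAC-move rate above loop-guard-mac-move-threshold
for 6 consecutive seconds. On detection the port is taken out of service until
loop-guard-timeout minutes pass (0 = manual reset only). The LGDP packet content
here is a constructed stand-in, not the real packet format.
"""

CONSECUTIVE_SECONDS = 6   # from the guide: threshold must be exceeded this long


class LoopGuardPort:
    def __init__(self, name, switch_id, timeout_minutes=45, mac_move_threshold=0):
        if not 0 <= timeout_minutes <= 120 or not 0 <= mac_move_threshold <= 100:
            raise ValueError("outside the documented ranges")
        self.name = name
        self.switch_id = switch_id            # identifies this switch in LGDP packets
        self.timeout = timeout_minutes * 60   # seconds; 0 = stay down until reset
        self.threshold = mac_move_threshold   # 0 = traditional loop guard only
        self.consecutive = 0
        self.down_since = None
        self.events = []

    @property
    def in_service(self):
        return self.down_since is None

    def lgdp_packet(self):
        """Constructed LGDP payload: who sent it and from which port."""
        return (self.switch_id, self.name)

    def receive_lgdp(self, packet, now):
        """A downstream loop exists if the port receives the packet it sent."""
        if not self.in_service:
            return "down"
        if packet == self.lgdp_packet():
            return self._shutdown(now, "own LGDP packet returned")
        return "up"

    def observe_second(self, mac_moves, now):
        """Feed one second's MAC-move count (the MAC-move loop guard)."""
        if not self.in_service:
            return "down"
        if self.threshold == 0:
            return "up"  # MAC-move detection is not used
        self.consecutive = self.consecutive + 1 if mac_moves > self.threshold else 0
        if self.consecutive >= CONSECUTIVE_SECONDS:
            return self._shutdown(now, f"> {self.threshold} MAC moves/s for {CONSECUTIVE_SECONDS} s")
        return "up"

    def _shutdown(self, now, reason):
        self.down_since = now
        self.consecutive = 0
        self.events.append(f"Loop Guard: loop detected on {self.name}. "
                           f"Shutting down {self.name} ({reason})")
        return "loop-detected"

    def tick(self, now):
        """Return the port to service once loop-guard-timeout has elapsed."""
        if self.in_service:
            return "up"
        if self.timeout and now - self.down_since >= self.timeout:
            self.reset()
            return "up"
        return "down"

    def reset(self):
        """Equivalent of: execute loop-guard reset <port>."""
        self.down_since = None
        self.consecutive = 0
```

The consecutive-seconds counter resets on any second at or below the threshold, so a brief burst of MAC moves (a host migrating between access points, for example) does not take the port down; only a sustained rate does.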


Viewing the loop guard configuration

Using the GUI:

Go to Switch > Interface > Physical and check the Loop Guard column.

Using the CLI:

diagnose loop-guard status


VLANs and VLAN tagging

FortiSwitch ports process tagged and untagged Ethernet frames. Untagged frames do not carry any VLAN information.

Tagged frames include an additional header (the 802.1Q header) after the Source MAC address. This header includes a
VLAN ID. This allows the VLAN value to be transmitted between switches.

The FortiSwitch unit provides port parameters to configure and manage VLAN tagging.
This chapter covers the following topics:
• Native VLAN on page 95
• Allowed VLAN list on page 95
• Untagged VLAN list on page 96
• Packet processing on page 96
• Configuring VLANs on page 97
• Example 1 on page 97
• Example 2 on page 98
• VLAN stacking (QinQ) on page 99

Native VLAN

You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming packets.
Outgoing packets for the native VLAN are sent as untagged frames.
The native VLAN is assigned to any untagged packet arriving at an ingress port.
At an egress port, if the packet tag matches the native VLAN, the packet is sent out without the VLAN header.

Allowed VLAN list

The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive packets.
For a tagged packet arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native
VLAN.


At an egress port, the packet tag must match the native VLAN or a VLAN on the allowed VLAN list.

Untagged VLAN list

The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit packets without the
VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.
The untagged VLAN list applies only to egress traffic on a port.

Packet processing

Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are
assigned the native VLAN, which is implicitly allowed). At this point, all packets are now tagged with a valid VLAN.
The packet is sent to each egress port that can send the packet (because the packet tag value matches the native
VLAN or an Allowed VLAN on the port).

Ingress port

Untagged packet
• packet is tagged with the native VLAN and allowed to proceed
• the Allowed VLAN list is ignored
Tagged packet
• tag VLAN value must match an Allowed VLAN or the native VLAN
• packet retains the VLAN tag and is allowed to proceed
To control what types of frames are accepted by the port, use the following commands:

config switch interface
    edit <interface>
        set discard-mode {all-tagged | all-untagged | none}
    end

Variable        Description

all-tagged      Tagged frames are discarded, and untagged frames can enter the switch.

all-untagged    Untagged frames are discarded, and tagged frames can enter the switch.

none            By default, all frames can enter the switch, and no frames are discarded.

Egress port

All packets that arrive at an egress port are tagged packets.

If the packet tag value is on the Allowed VLAN list, the packet is sent out with the existing tag.
If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent
out.
Otherwise, the packet is dropped.

Configuring VLANs

Use the following steps to add VLANs to a physical port interface.

Using the GUI:

1. Go to Switch > Interface > Physical.
2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Give the VLAN an appropriate name.
4. In the Native VLAN field, enter the identifier for the native VLAN of the port.
5. In the Allowed VLANs field, enter one or more identifiers for the allowed VLANs for the port. Separate multiple
numbers with commas without any space. For example, 2,4,8-10.
6. In the Untagged VLANs field, enter one or more identifiers for the untagged VLANs for the port. Separate multiple
numbers with commas without any space. For example, 2,4,8-10.
7. Select OK.

Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan>
        set allowed-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set untagged-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
    end

Example 1

Example flows for tagged and untagged packets.


Purple flow

An untagged packet arriving at Port3 is assigned VLAN 100 (the native VLAN) and flows to all egress ports that will send
VLAN 100 (Port1 and Port4).
A tagged packet (VLAN 100) arriving at Port4 is allowed (VLAN 100 is allowed). The packet is sent out from Port1 and
Port3. On Port3, VLAN 100 is the native VLAN, so the packet is sent without a VLAN tag.

Blue flow

An untagged packet arriving at Port4 is assigned VLAN 300 (the native VLAN). It then flows out of all ports that will send
VLAN 300 (Port3).
A tagged packet (VLAN 300) arriving at Port3 is allowed. The packet is sent out from Port4. VLAN 300 is the native
VLAN on Port4, so the packet is sent without a VLAN tag.

Example 2

Example of invalid tagged VLAN.


Green flow

Between Port1 and Port2, packets are assigned to VLAN 1 at ingress, and then the tag is removed at egress.

Blue flow

Incoming on Port3, a tagged packet with VLAN value 100 is allowed, because 100 is the Port3 native VLAN (the
hardware VLAN table accepts a tagged or untagged match to a valid VLAN).
The packet is sent on Port1 and Port4 (with packet tag 100).
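The ingress and egress rules from "Packet processing", the comma-and-range VLAN notation from "Configuring VLANs", and the flows in Example 1 and Example 2 can all be checked against one small model. The following is an added example (not Fortinet code). Because the figures for the two examples are not reproduced on the page, the port layout in example_switch() is constructed to agree with the flows as the text describes them: Port1 and Port2 have native VLAN 1, Port3 has native VLAN 100 and allows 300, Port4 has native VLAN 300 and allows 100.

```python
"""Model of FortiSwitch per-port VLAN handling (added example, not Fortinet code):
native VLAN, allowed VLAN list, untagged VLAN list and discard-mode, applied at
ingress and egress as the guide describes. The port layout in example_switch()
is constructed to match the flows in Example 1 and Example 2 as the text
describes them; the guide's figures are not reproduced here.
"""


def parse_vlan_list(spec):
    """Parse the GUI/CLI notation '2,4,8-10' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


class Port:
    def __init__(self, native_vlan=1, allowed_vlans="", untagged_vlans="", discard_mode="none"):
        self.native = native_vlan
        self.allowed = parse_vlan_list(allowed_vlans)
        self.untagged = parse_vlan_list(untagged_vlans)
        if not self.untagged <= self.allowed:
            raise ValueError("untagged VLANs must also be in the allowed VLAN list")
        if discard_mode not in ("none", "all-tagged", "all-untagged"):
            raise ValueError("bad discard-mode")
        self.discard_mode = discard_mode

    def ingress(self, tag):
        """tag is None for an untagged frame. Returns the VLAN the frame is
        classified into, or None if the port drops it."""
        if tag is None:
            return None if self.discard_mode == "all-untagged" else self.native
        if self.discard_mode == "all-tagged":
            return None
        return tag if (tag == self.native or tag in self.allowed) else None

    def egress(self, vlan):
        """Returns 'untagged', 'tagged', or None if the port will not send this VLAN."""
        if vlan == self.native or vlan in self.untagged:
            return "untagged"    # 802.1Q header stripped on the way out
        if vlan in self.allowed:
            return "tagged"      # sent with the existing tag
        return None


def forward(ports, in_port, tag):
    """Flood one frame: classify it at the ingress port, then list every other
    port that will send it and whether it leaves tagged or untagged."""
    vlan = ports[in_port].ingress(tag)
    if vlan is None:
        return {}
    result = {}
    for name, port in ports.items():
        if name == in_port:
            continue
        mode = port.egress(vlan)
        if mode is not None:
            result[name] = mode
    return result


def example_switch():
    """Constructed layout consistent with the guide's Example 1 and Example 2 text."""
    return {
        "Port1": Port(native_vlan=1, allowed_vlans="100"),
        "Port2": Port(native_vlan=1),
        "Port3": Port(native_vlan=100, allowed_vlans="300"),
        "Port4": Port(native_vlan=300, allowed_vlans="100"),
    }


if __name__ == "__main__":
    sw = example_switch()
    print("purple, untagged at Port3:", forward(sw, "Port3", None))
    print("purple, tagged 100 at Port4:", forward(sw, "Port4", 100))
    print("blue, untagged at Port4:", forward(sw, "Port4", None))
    print("blue, tagged 300 at Port3:", forward(sw, "Port3", 300))
```

The egress check tests the native and untagged VLANs before the allowed list, since any untagged VLAN is also an allowed VLAN and would otherwise leave with its tag; the page's own "tagged" and "untagged" outcomes for Example 1 come out exactly as described.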

VLAN stacking (QinQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field
specifies where the VLAN header is placed in the Ethernet frame.
Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four
VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or
changed.
NOTE: The following FortiSwitch models support VLAN stacking:
124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-
POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, 3032E
NOTE: The following features are not supported with VLAN stacking:
• DHCP relay
• DHCP snooping
• IGMP snooping
• IP source guard
• PVLAN
• STP
NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-
vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

To configure VLAN stacking (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        config qnq
            set status {enable | *disable}
            set vlan-mapping-miss-drop {enable | *disable}
            set add-inner <1-4095>
            set edge-type customer
            set priority {follow-c-tag | *follow-s-tag}
            set remove-inner {enable | *disable}
            set s-tag-priority <0-7>
            config vlan-mapping
                edit <id>
                    set description <string>
                    set match-c-vlan <1-4094>
                    set new-s-vlan <1-4094>
                next
            end
        end
    next
end

Variable                          Description                                                    Default

<interface_name>                  Enter the name of the interface.                               No default

vlan-tpid <default | string>      Select which VLAN TPID profile to use. The default VLAN        default
                                  TPID profile has a value of 0x8100 and cannot be deleted
                                  or changed.
                                  This setting is only for service-provider VLANs (S-VLANs).
                                  NOTE: If you are not using the default VLAN TPID profile,
                                  you must have already defined the VLAN TPID profile with
                                  the config switch vlan-tpid command.

config qnq

status {enable | *disable}        Enable or disable VLAN stacking (QinQ) mode.                   disable

vlan-mapping-miss-drop            If the QinQ mode is enabled, enable or disable whether a       disable
{enable | *disable}               packet is dropped if the VLAN ID in the packet's tag is
                                  not defined in the vlan-mapping configuration.

add-inner <1-4095>                If the QinQ mode is enabled, add the inner tag for untagged    No default
                                  packets upon ingress.

edge-type customer                If the QinQ mode is enabled, the edge type is set to           customer
                                  customer.

priority {follow-c-tag |          If the QinQ mode is enabled, select whether to follow the      follow-s-tag
*follow-s-tag}                    priority of the S-tag (service tag) or C-tag (customer tag).
                                  NOTE: This command is not available on the 224D-FPOE, 248D,
                                  424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E,
                                  224E-POE, 248E-POE and 248E-FPOE models.

remove-inner {enable | *disable}  If the QinQ mode is enabled, enable or disable whether the     disable
                                  inner tag is removed upon egress.

s-tag-priority <0-7>              If packets follow the priority of the S-tag (service tag),     0
                                  enter the priority value. This option is available only
                                  when the priority is set to follow-s-tag.
                                  NOTE: This command is not available on the 224D-FPOE, 248D,
                                  424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E,
                                  224E-POE, 248E-POE and 248E-FPOE models.

<id>                              Enter a mapping entry identifier.                              No default

description <string>              Enter a description of the mapping entry.                      No default

match-c-vlan <1-4094>             Enter a matching customer (inner) VLAN.                        0

new-s-vlan <1-4094>               Enter a new service (outer) VLAN.                              No default
                                  NOTE: The VLAN must be in the port's allowed VLAN list.
                                  This option is only available after you set the value for
                                  match-c-vlan.

To configure VLAN mapping on an interface (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        set vlan-mapping-miss-drop {enable | *disable}
        config vlan-mapping
            edit <id>
                set description <string>
                set direction ingress // ingress example
                set match-c-vlan <1-4094>
                set action {add | replace}
                set new-s-vlan <1-4094>
            next
            edit <id>
                set description <string>
                set direction egress // egress example
                set match-s-vlan <1-4094>
                set action {delete | replace}
                set new-s-vlan <1-4094>
            next
        end
    next
end

Variable                          Description                                                    Default

<interface_name>                  Enter the name of the interface.                               No default

vlan-tpid <default | string>      Select which VLAN TPID profile to use. The default VLAN        default
                                  TPID profile has a value of 0x8100 and cannot be deleted
                                  or changed.
                                  This setting is only for service-provider VLANs (S-VLANs).
                                  NOTE: If you are not using the default VLAN TPID profile,
                                  you must have already defined the VLAN TPID profile with
                                  the config switch vlan-tpid command.

vlan-mapping-miss-drop            Enable or disable whether a packet is dropped if the VLAN      disable
{enable | *disable}               ID in the packet's tag is not defined in the vlan-mapping
                                  configuration.

config vlan-mapping

<id>                              Enter an identifier for the VLAN mapping entry.                No default

description <string>              Enter a description of the VLAN mapping entry.                 No default

direction {egress | ingress}      Select the ingress or egress direction.                        No default

match-s-vlan <1-4094>             If the direction is set to egress, enter the service (outer)   0
                                  VLAN to match.

match-c-vlan <1-4094>             If the direction is set to ingress, enter the customer         0
                                  (inner) VLAN to match.

action {add | delete | replace}   Select what happens when the packet is matched:                No default
                                  - add—When the packet is matched, add the service VLAN.
                                    You cannot set the action to add for the egress direction.
                                  - delete—When the packet is matched, delete the service
                                    VLAN. You cannot set the action to delete for the ingress
                                    direction.
                                  - replace—When the packet is matched, replace the customer
                                    VLAN or service VLAN.
                                  This option is only available after you set a value for
                                  match-c-vlan or match-s-vlan.

new-s-vlan <1-4094>               Set the new service (outer) VLAN.                              No default
                                  This option is only available after you set the action to
                                  add or replace for the ingress direction or after you set
                                  the action to replace for the egress direction.

To configure the VLAN TPID profile:

config switch vlan-tpid
    edit <VLAN_TPID_profile_name>
        set ether-type <0x0001-0xfffe>
    next
end

Variable                          Description                                                    Default

<VLAN_TPID_profile_name>          Enter a name for the VLAN TPID profile.                        No default

ether-type <0x0001-0xfffe>        Enter a hexadecimal value for the EtherType field.             0x8100

To check the VLAN stacking (QinQ) configuration:

diagnose switch qnq dtag-cfg
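What the ingress and egress vlan-mapping rules do to the bytes of a frame is clearer with a working tag push and pop. The following is an added example (not Fortinet code) that builds and parses 802.1Q headers and applies the mapping actions from the tables above: an ingress rule matches the customer (inner) VLAN and adds or replaces a service (outer) tag, an egress rule matches the service VLAN and deletes or replaces it, vlan-mapping-miss-drop decides what happens to an unmapped VLAN, and the priority setting picks the PCP of the new S-tag. The S-tag TPID value 0x88A8 stands in for a custom VLAN TPID profile (it is the IEEE 802.1ad value, used here as a constructed profile); MAC addresses and payload are constructed.

```python
"""Byte-level model of FortiSwitch QinQ VLAN mapping (added example, not Fortinet code).

Ingress rules match the customer (inner) VLAN and add or replace a service
(outer) tag; egress rules match the service VLAN and delete or replace it, as
in the guide's config vlan-mapping. TPID_SERVICE (0x88A8, the IEEE 802.1ad
value) plays the role of a custom VLAN TPID profile; 0x8100 is the default.
"""
import struct

TPID_DEFAULT = 0x8100           # default VLAN TPID profile
TPID_SERVICE = 0x88A8           # constructed custom VLAN TPID profile for S-tags
KNOWN_TPIDS = {TPID_DEFAULT, TPID_SERVICE}


def build_frame(dst, src, tags, ethertype, payload):
    """tags: [(tpid, pcp, vid), ...] outermost first."""
    out = bytearray(dst + src)
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0xFFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags outermost first."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] in KNOWN_TPIDS:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci >> 13, tci & 0xFFF))
        off += 4
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return dst, src, tags, ethertype, frame[off + 2:]


class QinQPort:
    def __init__(self, s_tpid=TPID_DEFAULT, miss_drop=False,
                 priority="follow-s-tag", s_tag_priority=0):
        self.s_tpid = s_tpid                  # set vlan-tpid <profile>
        self.miss_drop = miss_drop            # set vlan-mapping-miss-drop
        self.priority = priority              # follow-s-tag | follow-c-tag
        self.s_tag_priority = s_tag_priority  # set s-tag-priority <0-7>
        self.ingress_rules = {}               # match-c-vlan -> (action, new-s-vlan)
        self.egress_rules = {}                # match-s-vlan -> (action, new-s-vlan)

    def add_rule(self, direction, match_vlan, action, new_s_vlan=None):
        """config vlan-mapping entry; enforces the per-direction action rules."""
        allowed = {"ingress": ("add", "replace"), "egress": ("delete", "replace")}
        if action not in allowed[direction]:
            raise ValueError(f"action {action!r} is not valid for {direction}")
        if action != "delete" and not 1 <= (new_s_vlan or 0) <= 4094:
            raise ValueError("new-s-vlan (1-4094) is required for add/replace")
        rules = self.ingress_rules if direction == "ingress" else self.egress_rules
        rules[match_vlan] = (action, new_s_vlan)

    def ingress(self, frame):
        """Apply ingress mapping; returns the new frame, or None if dropped."""
        dst, src, tags, ethertype, payload = parse_frame(frame)
        if not tags:
            return frame                      # untagged: no C-VLAN to match
        _, c_pcp, c_vid = tags[0]
        rule = self.ingress_rules.get(c_vid)
        if rule is None:
            return None if self.miss_drop else frame
        action, new_s = rule
        pcp = c_pcp if self.priority == "follow-c-tag" else self.s_tag_priority
        s_tag = (self.s_tpid, pcp, new_s)
        new_tags = [s_tag] + tags if action == "add" else [s_tag] + tags[1:]
        return build_frame(dst, src, new_tags, ethertype, payload)

    def egress(self, frame):
        """Apply egress mapping; returns the new frame, or None if dropped."""
        dst, src, tags, ethertype, payload = parse_frame(frame)
        if not tags:
            return frame
        s_tpid, s_pcp, s_vid = tags[0]
        rule = self.egress_rules.get(s_vid)
        if rule is None:
            return None if self.miss_drop else frame
        action, new_s = rule
        new_tags = tags[1:] if action == "delete" else [(s_tpid, s_pcp, new_s)] + tags[1:]
        return build_frame(dst, src, new_tags, ethertype, payload)
```

Pairing an ingress add rule (C-VLAN 10 to S-VLAN 200) with an egress delete rule for S-VLAN 200 round-trips a customer frame unchanged, which is the property to verify when a provider-edge port is configured; with vlan-mapping-miss-drop enabled, any customer VLAN without a mapping is dropped rather than leaking through with a single tag.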


Spanning Tree Protocol

The FortiSwitch unit supports the following:


• Spanning Tree Protocol, a link-management protocol that ensures a loop-free layer-2 network topology
• Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard
• Per-VLAN Rapid Spanning Tree Protocol (also known as Rapid PVST or RPVST); RSTP is defined in the IEEE
802.1w standard
This chapter covers the following topics:
• MSTP overview and terminology on page 104
• MSTP configuration on page 107
• Interactions outside of the MSTP region on page 114
• Viewing the MSTP configuration on page 114
• Support for interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+) on page 114

MSTP overview and terminology

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable).
MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain
switches that are running MSTP, STP, or RSTP.
MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

Regions

A region is a set of interconnected switches that have the same multiple spanning tree (MST) configuration (region
name, MST revision number, and VLAN-to-instance mapping). A network can have any number of regions. Regions are
independent of each other because the VLAN-to-instance mapping is different in each region.
The FortiSwitch unit supports 15 MST instances in a region. Multiple VLANs can be mapped to each MST instance.
Each switch in the region must have the identical mapping of VLANs to instances.
The MST region acts like a single bridge to adjacent MST regions and to non-MST STPs.
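Region membership is decided by comparing exactly the three items listed above, and a mismatch in any one of them silently splits a network into separate regions. The following is an added example (not Fortinet code) showing how that comparison is made in IEEE 802.1Q: the VLAN-to-instance mapping is summarised as a configuration digest (HMAC-MD5 over a 4096-entry table of two-byte instance numbers, keyed with the standard's fixed signature key), and that digest is compared alongside the region name and revision number. The 15-instance limit is the one stated above for FortiSwitch; how it counts against instance 0 is an assumption of this example (instances 1 to 15 are allowed, with unmapped VLANs in the IST).

```python
"""How switches decide they are in the same MST region (added example, not Fortinet code).

The guide lists the three items that must match: region name, MST revision
number and the VLAN-to-instance mapping. IEEE 802.1Q compares the mapping via
a configuration digest: HMAC-MD5 over a 4096-entry table of 2-byte instance
numbers, keyed with the standard's fixed signature key. The 15-instance limit
is the one the guide gives for FortiSwitch; instance 0 is the IST.
"""
import hashlib
import hmac

MST_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # IEEE 802.1Q key
MAX_MST_INSTANCES = 15   # MSTI 1-15 (assumption: limit excludes the IST, instance 0)


def mst_configuration_table(vlan_to_instance):
    """Build the 8192-byte table: entry i holds the MSTI of VLAN i, big-endian.
    VLANs not listed stay in the IST (instance 0)."""
    instances = {i for i in vlan_to_instance.values() if i != 0}
    if len(instances) > MAX_MST_INSTANCES or any(not 1 <= i <= MAX_MST_INSTANCES for i in instances):
        raise ValueError("MST instances must be 1-15 and at most 15 distinct")
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"bad VLAN {vid}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def mst_configuration_digest(vlan_to_instance):
    """Hex digest that summarises the VLAN-to-instance mapping."""
    return hmac.new(MST_SIGNATURE_KEY, mst_configuration_table(vlan_to_instance),
                    hashlib.md5).hexdigest()


def mst_configuration_id(region_name, revision, vlan_to_instance):
    """The identifier carried in MST BPDUs: name (up to 32 bytes), revision (16 bits), digest."""
    if len(region_name.encode()) > 32 or not 0 <= revision <= 65535:
        raise ValueError("region name is at most 32 bytes; revision is 0-65535")
    return (region_name, revision, mst_configuration_digest(vlan_to_instance))


def same_region(switch_a, switch_b):
    """switch_x = (region_name, revision, vlan_to_instance); True if both are one region."""
    return mst_configuration_id(*switch_a) == mst_configuration_id(*switch_b)


if __name__ == "__main__":
    a = ("corp", 1, {10: 1, 20: 2})
    b = ("corp", 1, {20: 2, 10: 1})
    c = ("corp", 2, {10: 1, 20: 2})
    print(same_region(a, b), same_region(a, c))
```

When two switches that should share a region show up as separate regions, comparing the three fields in this order (name, revision, digest) pinpoints which one was changed on only one switch; a mapping edited on one side alters the digest even though every VLAN still exists on both.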

IST

Instance 0 is a special instance, called the internal spanning-tree instance (IST). IST is a spanning tree that connects all
of the MST switches in a region. All VLANs are assigned to the IST.


IST is the only instance that exchanges bridge protocol data units (BPDUs). The MSTP BPDU contains information for
each MSTP instance (captured in an M-record). The M-records are added to the end of a regular RSTP BPDU. This
allows an MSTP region to interoperate with an RSTP switch.

CST

The common spanning tree (CST) interconnects the MST regions and all instances of STP or RSTP that are running in
the network.

Hop count and message age

MST does not use the BPDU message age within a region. The message-age and maximum-age fields in the BPDU are
propagated unchanged within the region.
Within the region, a hop-count mechanism is used to age out the BPDU. The IST root sends out BPDUs with the hop
count set to the maximum number of hops. The hop count is decremented each time the BPDU is forwarded. If the hop
count reaches zero, the switch discards the BPDU and ages out the information on the receiving port.

STP port roles

STP assigns a port role to each switch port. The role is based on configuration, topology, relative position of the port in
the topology, and other considerations. Based on the port role, the port either sends or receives STP BPDUs and
forwards or blocks the data traffic. Here is a brief summary of each STP port role:
• Designated—One designated port is elected per link (segment). The designated port is the port closest to the root
bridge. This port sends BPDUs on the link (segment) and forwards traffic towards the root bridge. In an STP
converged network, each designated port is in the STP forwarding state.
• Root—The bridge can have only one root port. The root port is the port that leads to the root bridge. In an STP
converged network, the root port is in the STP forwarding state.
• Alternate—Alternate ports lead to the root bridge but are not root ports. The alternate ports maintain the STP
blocking state.
• Backup—This is a special case when two or more ports of the same switch are connected together (either directly
or through shared media). In this case, one port is designated, and the remaining ports are backup (in the STP
blocking state).

STP loop protection

The STP loop-protection feature provides additional protection against layer-2 forwarding loops (STP loops). An STP
loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state.
A port remains in blocking state only if it continues to receive BPDU messages. If it stops receiving BPDUs (for example,
due to unidirectional link failure), the blocking port (alternate or backup port) becomes designated and transitions to a
forwarding state. In a redundant topology, this situation may create a loop.
If the loop-protection feature is enabled on a port, that port is forced to remain in blocking state, even if the port stops
receiving BPDU messages. It will not transition to forwarding state and does not forward any user traffic.

FortiSwitchOS 6.4.3 Administration Guide—Standalone Mode 105


Fortinet, Inc.
Spanning Tree Protocol

The loop-protection feature is enabled on a per-port basis. Fortinet recommends that you enable loop protection on all
nondesignated ports (all root, alternate, and backup ports).

STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.

STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.


MSTP configuration

MSTP configuration consists of the following steps:


1. Configure STP settings that are common to all MST instances.
2. Configure settings that are specific to each MST instance.
3. Configure loop-protection on all nondesignated ports.

Configuring STP settings

Some STP settings (region name and MST revision number) are common to all MST instances. Also, protocol timers
are common to all instances because only the IST sends out BPDUs.

Using the GUI:

1. Go to Switch > STP > Settings.


2. Update the settings as described in the following table.


3. Select Update to save the settings.

Settings Guidelines

Disabled Disables MSTP for this switch.

Flood BPDU Packets Select this checkbox if you want the STP packets arriving at any port to
pass through the switch without being processed. If you do not select this
checkbox, STP packets arriving at any port are blocked.
This option is only available when MSTP is disabled.

Enabled Enables MSTP for this switch.

Name Region name. All switches in the MST region must have the identical
name.

Revision The MSTP revision number. All switches in the region must have the
same revision number.
The range of values is 0 to 65535.
The default value is 0.

Hello Time (Seconds) Hello time is how often (in seconds) that the switch sends out a BPDU.
The range of values is 1 to 10.
The default value is 2.

Forward Time (Seconds) Forward time is how long (in seconds) a port will spend in the listening-
and-learning state before transitioning to forwarding state.
The range of values is 4 to 30.
The default value is 15.

Max Age (Seconds) The maximum age before the switch considers the received
BPDU information on a port to be expired. Max-age is used when
interworking with switches outside the region.
The range of values is 6 to 40.
The default value is 20.

Max Hops Maximum hops is used inside the MST region. Hop count is
decremented each time the BPDU is forwarded. If max-hops reaches
zero, the switch discards the BPDU and ages out the information on the
receiving port.
The range of values is 1 to 40.
The default value is 20.

Using the CLI:

config switch stp settings


set flood {enable | disable}
set forward-time <fseconds_int>
set hello-time <hseconds_int>
set max-age <age>
set max-hops <hops_int>
set mclag-stp-bpdu {both | single}
set name <name_str>
set revision <rev_int>
set status {enable | disable}
end

Configuring an MST instance

The STP topology is unique for each MST instance in the region. You can configure a different bridge priority and port
parameters for each instance.

Using the GUI:

1. Go to Switch > STP > Instances.

2. Select Add Instance to create a new MST instance or select an existing instance and then select Edit.


3. Update the instance parameters as described in the following table.


4. Select Add or Update to save the settings.

Settings Guidelines

ID Instance identifier. The range is 0-32 for 5xx models and higher. For all
other models, the range is 0 - 15.

Priority Priority is a component of bridge ID. The switch with the lowest bridge ID
becomes the root switch for this MST instance.
Allowed values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,
32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
The default value is 32768.

VLAN Range The VLANs that map to this MST instance. You can specify individual
VLAN numbers or a range of numbers.
NOTE: Do not assign any VLAN to more than one MST instance.
Each VLAN number is in the range 1-4094.

Port Configuration
Name Port that will participate in this MST instance.

Cost The switch uses port cost to select designated ports. Port cost is added
to the received BPDU root cost in any BPDU sent on this port.
A lower value is preferred. The range of values is 1 to 200,000,000.
The default value depends on the interface speed:
- 10 Gigabit Ethernet: 2,000
- Gigabit Ethernet: 20,000
- Fast Ethernet: 200,000
- Ethernet: 2,000,000

Priority The switch uses port priority to choose among ports of the same cost.
The port with the lowest priority is put into forwarding state. The valid
values are: 0, 32, 64, 96, 128, 160, 192, and 224.
The default value is 128.

Using the CLI:

config switch stp instance


edit <instance number>
set priority <>
config stp-port
edit <port name>
set cost <>
set priority <>
next
set vlan-range <vlan range>
end


Example:
config switch stp instance
edit "1"
set priority 8192
config stp-port
edit "port18"
set cost 0
set priority 128
next
edit "port19"
set cost 0
set priority 128
next
end
set vlan-range 5 7 11-20
end
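Added example (not FortiSwitchOS code): a small validator that applies the ranges from the MST-instance settings table to an in-memory model of the configuration above, and expands the `set vlan-range 5 7 11-20` syntax from the CLI example. Treating a port cost of 0 as "use the speed-based default" is an assumption taken from that example, since the table itself gives 1 as the minimum.

```python
"""Validator for 'config switch stp instance' parameters (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BRIDGE_PRIORITIES = set(range(0, 61441, 4096))   # 0, 4096, ..., 61440 (table above)
PORT_PRIORITIES = set(range(0, 225, 32))          # 0, 32, ..., 224
MAX_PORT_COST = 200_000_000


def parse_vlan_range(spec: str) -> Set[int]:
    """Expand a vlan-range argument such as '5 7 11-20' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        first = int(low)
        last = int(high) if high else first
        if first > last:
            raise ValueError(f"descending VLAN range {token!r}")
        vlans.update(range(first, last + 1))
    return vlans


@dataclass
class StpPort:
    name: str
    cost: int = 0          # 0 = speed-based default (assumption, see lead-in)
    priority: int = 128


@dataclass
class MstInstance:
    instance_id: int
    priority: int = 32768
    vlan_range: str = ""
    ports: List[StpPort] = field(default_factory=list)


def validate_instances(instances: List[MstInstance], model_5xx_or_higher: bool) -> List[str]:
    """Return one message per violation of the documented ranges; [] means consistent."""
    problems: List[str] = []
    max_id = 32 if model_5xx_or_higher else 15
    owner: Dict[int, int] = {}   # VLAN -> instance that already claims it
    for inst in instances:
        tag = f"instance {inst.instance_id}"
        if not 0 <= inst.instance_id <= max_id:
            problems.append(f"{tag}: ID outside 0-{max_id} for this model")
        if inst.priority not in BRIDGE_PRIORITIES:
            problems.append(f"{tag}: priority {inst.priority} is not a multiple of 4096 in 0-61440")
        for vlan in sorted(parse_vlan_range(inst.vlan_range)):
            if not 1 <= vlan <= 4094:
                problems.append(f"{tag}: VLAN {vlan} outside 1-4094")
            elif vlan in owner:
                # The table's NOTE: a VLAN may belong to only one MST instance.
                problems.append(f"{tag}: VLAN {vlan} already mapped to instance {owner[vlan]}")
            else:
                owner[vlan] = inst.instance_id
        for port in inst.ports:
            if port.cost != 0 and not 1 <= port.cost <= MAX_PORT_COST:
                problems.append(f"{tag}/{port.name}: cost {port.cost} outside 1-{MAX_PORT_COST}")
            if port.priority not in PORT_PRIORITIES:
                problems.append(f"{tag}/{port.name}: priority {port.priority} is not a multiple of 32 in 0-224")
    return problems


if __name__ == "__main__":
    # The instance from the CLI example above, plus a deliberately broken one.
    good = MstInstance(1, 8192, "5 7 11-20", [StpPort("port18"), StpPort("port19")])
    bad = MstInstance(2, 8000, "20-22 5000", [StpPort("port1", priority=100)])
    for line in validate_instances([good, bad], model_5xx_or_higher=False):
        print(line)
```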

Configuring an STP edge port

You can use the edge-port setting when a device connected to a FortiSwitch port is not an STP bridge. When this setting
is enabled, the FortiSwitch port immediately moves to a forwarding state rather than passing through listening and
learning states.
By default, STP (and edge port) is enabled on all ports.

Using the GUI:

1. Go to Switch > Interface > Physical.


2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Edge Port, select Enable.
4. Select OK to save the settings.

Using the CLI:

config switch interface


edit <port_name>
set edge-port <enabled | disabled>
next
end

Configuring STP loop protection

By default, STP loop protection is disabled on all ports.

Using the GUI:

1. Go to Switch > Interface > Physical.


2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Loop Guard, select Enable.
4. Select OK to save the settings.


Using the CLI:

config switch interface


edit <port_name>
set stp-loop-protection <enabled | disabled>
next
end

Configuring STP root guard

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.

Using the CLI:

config switch interface


edit <port_name>
set stp-root-guard <enable | disable>
next
end

For example, to enable root guard on port 20:


config switch interface
edit port20
set stp-state enabled
set stp-root-guard enable
next
end

Configuring STP BPDU guard

There are three prerequisites for using BPDU guard:


l You must define the port as an edge port with the set edge-port enabled command.
l You must enable STP on the switch interface with the set stp-state enabled command.
l You must enable STP on the global level with the set status enable command.

You can set how long the port will go down for when a BPDU is received, up to a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have to manually reset the port.

Using the GUI:

1. Go to Switch > Interface > Physical.


2. On the Physical Port Interfaces page, select a port and then select Edit.
3. Under Edge Port, select Enable and BPDU Guard.
4. In the Timeout (Minutes) field, enter how many minutes the port will go down for when a BPDU is received.
5. Select OK to save the settings.


To check if BPDU guard has been triggered and on which ports, go to Switch > Monitor > BPDU Guard.

Using the CLI:

config switch interface


edit <port_name>
set stp-bpdu-guard <enabled | disabled>
set stp-bpdu-guard-timeout <0-120>
next
end

For example, to enable BPDU guard on port 30 with a timeout value of 1 hour:
config switch stp settings
set status enable
end
config switch interface
edit port30
set stp-state enabled
set edge-port enabled
set stp-bpdu-guard enabled
set stp-bpdu-guard-timeout 60
next
end

If you set the port timeout to 0, you will need to reset the port after it receives BPDUs and goes down. Use the following
command to reset the port:
execute bpdu-guard reset <port_name>

To check if BPDU guard has been triggered and on which ports, use the following command:
diagnose bpdu-guard display status

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   __________________

port1              disabled     -              -             -            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -


port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             enabled      -              60            0            -
__FoRtI1LiNk0__    disabled     -              -             -            -

You can also check BPDU guard by going to the Monitor > BPDU Guard page.

Interactions outside of the MSTP region

A boundary port on an MST switch is a port that receives an STP (version 0) BPDU, an RSTP (version 2) BPDU, or a
BPDU from a different MST region.
If the port receives a version 0 BPDU, it will only send version 0 BPDUs on that port. Otherwise, it will send version 3
(MST) BPDUs because the RSTP switch will read this as an RSTP BPDU.

Viewing the MSTP configuration

To view the MSTP configuration details, use the following commands:


get switch stp instance
get switch stp settings

Use the following commands to display information about the MSTP instances in the network:
diagnose stp instance list
diagnose stp vlan list
diagnose stp mst-config list

Support for interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+)

Starting in FortiSwitchOS 6.2.2, FortiSwitch units can now interoperate with a network that is running RPVST+. The
existing networkʼs configuration can be maintained while adding FortiSwitch units as an extended region.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region
duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+
domain.

In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within the MSTP region.

l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.

In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.

Viewing the configuration

Use one of the following commands to check your configuration and to diagnose any problems.
l diagnose stp instance list

If either rule is violated, the RPVST port is flagged with “IC” in the command output, and the port is in the Discard
state.

If the VLANs used by the RPVST+ domain are not all within the VLAN range configured on the RPVST port, an “MV”
flag is displayed in the command output. NOTE: Only the ports in instance 0 show this flag.

l diagnose stp rapid-pvst-port list

This command shows the status of one port or all ports. If any of the ports is in the “IC” state, the command output
gives the reason: VLAN priority inconsistent, VLAN configuration mismatch, or both.

l diagnose stp rapid-pvst-port clear

This command clears all flags and timers on the RPVST+ port.
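Added example (not FortiSwitchOS code): a check that reproduces the two priority rules above and the VLAN-range rule for a boundary port, returning the "IC" and "MV" conditions that `diagnose stp instance list` is described as flagging. The function names and inputs are this example's own; equal priorities are treated as violations because both rules require strictly better or strictly worse values.

```python
"""RPVST+ interoperation rule check (added example)."""
from typing import Dict, List, Set


def inconsistent_vlans(cist_root_in_mstp: bool,
                       cist_root_priority: int,
                       rpvst_root_priorities: Dict[int, int]) -> List[int]:
    """VLANs (other than VLAN 1) whose RPVST+ root priority breaks the rule for this topology."""
    violations: List[int] = []
    vlan1_priority = rpvst_root_priorities.get(1)
    for vlan, priority in sorted(rpvst_root_priorities.items()):
        if vlan == 1:
            continue
        if cist_root_in_mstp:
            # Rule 1: every other VLAN must be worse (numerically greater) than the CIST root.
            if priority <= cist_root_priority:
                violations.append(vlan)
        else:
            # Rule 2: every other VLAN must be better (numerically less) than VLAN 1.
            if vlan1_priority is None or priority >= vlan1_priority:
                violations.append(vlan)
    return violations


def port_flags(cist_root_in_mstp: bool,
               cist_root_priority: int,
               rpvst_root_priorities: Dict[int, int],
               port_vlan_range: Set[int]) -> Dict[str, object]:
    """Summarise the IC and MV conditions for one boundary (RPVST) port.

    IC: a priority rule is violated (the text says the port then discards).
    MV: the RPVST+ domain uses VLANs outside the VLAN range configured on the port.
    """
    ic = inconsistent_vlans(cist_root_in_mstp, cist_root_priority, rpvst_root_priorities)
    missing = sorted(set(rpvst_root_priorities) - port_vlan_range)
    return {"IC": bool(ic), "IC_vlans": ic, "MV": bool(missing), "MV_vlans": missing}


if __name__ == "__main__":
    # Constructed scenario: CIST root inside the MSTP region with priority 4096.
    print(port_flags(True, 4096, {1: 32768, 10: 32768, 20: 4096, 30: 0}, {1, 10, 20, 30}))
```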


Link aggregation groups

This chapter provides information on how to configure a link aggregation group (LAG). For LAG control, the FortiSwitch
unit supports the industry-standard Link Aggregation Control Protocol (LACP). The FortiSwitch unit supports LACP in
active and passive modes. In active mode, you can optionally specify the minimum and maximum number of active
members in a trunk group.
You can also use the CLI to specify how an aggregator groups ports when the trunk is in LACP mode. Ports can be
grouped into the aggregator with the largest bandwidth or the aggregator with the most ports.
The FortiSwitch unit supports flap-guard protection for switch ports in a LAG.
This chapter covers the following topics:
l Configuring the trunk and LAG ports on page 116
l Checking the trunk configuration on page 118

Configuring the trunk and LAG ports

It is important to configure the trunk to prevent loops.

Using the GUI:

1. Go to Switch > Port > Trunk and select Add Trunk.


2. Give the trunk an appropriate name.
3. For the mode, select Static, LACP Active, LACP Passive, or Fortinet Trunk.
4. Add the required ports to the Included list.
5. Select Create.

Using the CLI:

config switch trunk


edit <trunk name>
set aggregator-mode {bandwidth | count}
set description <description_string>
set members <ports>
set mode {lacp-active | lacp-passive | static}
set member-withdrawal-behavior {block | forward}
set lacp-speed {fast | slow}
set bundle [enable|disable]
set min_bundle <integer>
set max_bundle <integer>


set port-selection-criteria
{src-ip | src-mac | dst-ip |dst-mac | src-dst-ip |src-dst-mac}
end
end

Example configuration

The following is an example CLI configuration for trunk/LAG ports:

Trunk/LAG ports

1. Configure the trunk 1 interface and assign member ports as a LAG group:

config switch trunk


edit trunk1
set members "port1" "port2" "port3"
set description test
set mode lacp-passive
set port-selection-criteria src-dst-ip
end

2. Configure the switch ports to have native VLAN assignments and allow those VLANs on the port that will be the
uplink port:

config switch interface


edit port1
set native-vlan 1
next
edit port2
set native-vlan 2
next
edit port3
set native-vlan 3
next
edit port4
set native-vlan 4


set allowed-vlans 1 2 3
next
edit port5
set native-vlan 5
set allowed-vlans 1 2 3
end
end

3. Configure the trunk 2 interface and assign member ports as a LAG group:

config switch trunk


edit trunk2
set members "port4" "port5"
set description test
set mode lacp-passive
set port-selection-criteria src-dst-ip
end
end

Checking the trunk configuration

Using the GUI:

Go to Switch > Port > Trunk or Switch > Monitor > Trunks.

Using the CLI:

diagnose switch trunk list


MCLAG

A link aggregation group (LAG) provides link-level redundancy. A multichassis LAG (MCLAG) provides node-level
redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either
switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the
delays associated with the Spanning Tree Protocol (STP).
This chapter covers the following topics:
l Notes on page 119
l Example configuration on page 120
l Detecting a split-brain state on page 121
l Viewing the configured trunk on page 121
l Configuring an MCLAG with IGMP snooping

Notes

l When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the
local aggregate interface.
l Fortinet recommends that both peer switches be of the same hardware model and same software version.
Mismatched configurations might work but are unsupported.
l There is a maximum of two FortiSwitch models per MCLAG.
l The routing feature is not available within an MCLAG.
l Starting in FortiSwitchOS 3.6.4, by default, the MCLAG can use the STP.
l To use static MAC addresses within an MCLAG, you need to configure MAC addresses on both switches that form
the LAG.
l When you run an MCLAG, Fortinet recommends but does not require that peers use the same hardware and
software versions. Some hosts might not be dual-home supported when MCLAG peers have different hardware;
administrators need to size the layer-2 network to the MCLAG peer with the lowest capacity.


Example configuration

The following is an example CLI configuration for an MCLAG:

1. Create a LAG by configuring the ports for each FortiSwitch unit:

config switch trunk


edit "MCLAG-ICL-trunk"
set mclag-icl enable
set members "port15" "port16"
set mode lacp-active
next
end

2. Set up the MCLAG:

config switch trunk


edit "first-mclag"
set mclag enable
set members "port2"
next
end

3. If you do not want the MCLAG to use the STP:

config switch global


set mclag-stp-aware disabled
end


Detecting a split-brain state

When the split-brain state occurs, one of the switches in the MCLAG goes dormant. Any devices connected to the dormant
switch will lose network connectivity. The switch that goes dormant is the switch with the lowest numerical MAC address
of the two peers.
Starting in FortiSwitchOS 6.2.2, you can use the CLI to detect when an MCLAG is in a split-brain state when the
MCLAG ICL trunk is down. When the LACP is up again, the MCLAG trunk is reestablished. You can use this command
in both one-tier and two-tier MCLAG topologies.
By default, split-brain detection is disabled. To enable the detection of the split-brain state:
config switch global
set mclag-split-brain-detect enable
end

NOTE:
l Enabling split-brain detection can cause some traffic loss while the LACP is renegotiated.
l You can configure only one mclag-split-brain-detect at a time on a tier one or tier two of a two-tier MCLAG
topology.
l Only one failure in a system is supported.

Viewing the configured trunk

Using the GUI:

Go to Switch > Monitor > Trunks.

Using the CLI:

diagnose switch mclag icl


diagnose switch mclag list

Configuring an MCLAG with IGMP snooping

For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware
enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-
reports enable command on each MCLAG core FortiSwitch unit. For example:
config switch global
set mac-aging-interval 600
set mclag-igmpsnooping-aware enable
config port-security
set max-reauth-attempt 3
end
end
config switch interface


edit "D483Z15000094-0"
set native-vlan 4094
set allowed-vlans 1-4094
set dhcp-snooping trusted
set stp-state disabled
set edge-port disabled
set igmp-snooping-flood-reports enable
set snmp-index 58
next
end


Multi-stage load balance

You can use a FortiSwitch unit to configure multi-stage load balancing on a set of FortiGate units. This capability allows
you to scale security processing while maintaining a simple basic architecture. This configuration is commonly referred
to as a "firewall sandwich."

Because the FortiGate unit provides session-aware analysis, the load distribution algorithm must be symmetric (traffic
for a given session, in both directions, must all traverse the same FortiGate unit).
For larger scale deployment, the topology uses multiple layers of load distribution to allow for far larger numbers of
FortiGate devices.

The hash at the first and second stages must be symmetric. The two stages must provide different hashing results.
This chapter covers the following topics:
l Configuring the trunk ports on page 124
l Heartbeats on page 124
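Added example (not FortiSwitchOS code) showing why the two requirements above matter: a source-IP-only selection sends the reply direction of a session to a different FortiGate, while a hash of the IP pair keeps both directions together; and if both stages apply the same hash over the same number of members, the second stage never spreads the load. The three hash functions are stand-ins for the switch's port-selection-criteria (the real hardware hash is not documented on this page), the 16-bit fold is one assumed reading of `src-dst-ip-xor16`, and the flow set is constructed.

```python
"""Symmetric hashing and stage polarisation in a firewall sandwich (added example)."""
import ipaddress
import zlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

Flow = Tuple[str, str]          # (source IP, destination IP)
HashFn = Callable[[str, str], int]


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_src_ip(src: str, dst: str) -> int:
    """Asymmetric: the reply packet hashes the other endpoint's address."""
    return zlib.crc32(_ip_int(src).to_bytes(4, "big"))


def hash_src_dst_ip(src: str, dst: str) -> int:
    """Symmetric: sorting the pair makes A->B and B->A hash identical bytes."""
    low, high = sorted((_ip_int(src), _ip_int(dst)))
    return zlib.crc32(low.to_bytes(4, "big") + high.to_bytes(4, "big"))


def hash_src_dst_ip_xor16(src: str, dst: str) -> int:
    """Symmetric because XOR commutes; folded to 16 bits (assumed meaning of xor16)."""
    x = _ip_int(src) ^ _ip_int(dst)
    return (x >> 16) ^ (x & 0xFFFF)


def select_member(hash_fn: HashFn, src: str, dst: str, members: int) -> int:
    """Index of the trunk member (FortiGate) that carries this packet."""
    return hash_fn(src, dst) % members


def is_symmetric(hash_fn: HashFn, flows: Iterable[Flow], members: int) -> bool:
    """True if every flow's forward and reverse packets land on the same member."""
    return all(select_member(hash_fn, s, d, members) == select_member(hash_fn, d, s, members)
               for s, d in flows)


def stage2_spread(stage1: HashFn, stage2: HashFn, flows: Iterable[Flow],
                  members1: int, members2: int) -> Dict[int, int]:
    """For each first-stage member, how many distinct second-stage members its traffic reaches.

    A value of 1 everywhere means all traffic arriving over a given first-stage link
    is sent to a single second-stage member, leaving the others behind it idle.
    """
    reach = defaultdict(set)
    for s, d in flows:
        reach[select_member(stage1, s, d, members1)].add(select_member(stage2, s, d, members2))
    return {m: len(targets) for m, targets in sorted(reach.items())}


def sample_flows() -> List[Flow]:
    """Constructed flows: 20 clients in 10.0.0.0/24 each talking to 20 servers in 192.168.1.0/24."""
    return [(f"10.0.0.{i}", f"192.168.1.{j}") for i in range(1, 21) for j in range(1, 21)]


if __name__ == "__main__":
    flows = sample_flows()
    for name, fn in [("src-ip", hash_src_ip), ("src-dst-ip", hash_src_dst_ip),
                     ("src-dst-ip-xor16", hash_src_dst_ip_xor16)]:
        print(f"{name:18} symmetric across 4 members: {is_symmetric(fn, flows, 4)}")
    print("same hash at both stages :", stage2_spread(hash_src_dst_ip, hash_src_dst_ip, flows, 4, 4))
    print("different hash per stage :", stage2_spread(hash_src_dst_ip, hash_src_dst_ip_xor16, flows, 4, 4))
```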


Configuring the trunk ports

Use the following commands to configure the trunk members and set the port-selection criteria:
config switch trunk
edit <trunk name>
set description <description_string>
set members <ports>
set mode {fortinet-trunk | lacp-active | lacp-passive | static}
set port-selection-criteria src-dst-ip-xor16
end
end

Heartbeats

When in Fortinet-trunk mode, Heartbeat capability is enabled. Heartbeat messages monitor the status of FortiGate
units. If one is unavailable, the FortiSwitch unit stops sending traffic to that FortiGate unit until the FortiGate unit
becomes available.
If you enable hb-verify, each received heartbeat frame will be validated to match the signature (transmit-port plus
switch serial number) and the following configured heartbeat parameters:
l hb-in-vlan
l hb-src-ip
l hb-dst-ip
l hb-src-udp-port
l hb-dst-udp-port
The destination MAC address of the heartbeat frame is set by default to 02:80:c2:00:00:02. You can change the value
to any MAC address that is not a broadcast or multicast MAC address.

Configuring heartbeats

Configure the heartbeat fields using trunk configuration commands, as shown in this section. By default, all of the
configurable values are set to zero, and hb-verify is disabled.
Set the mode to forti-hb and set the heartbeat loss limit to a value between 3 and 32.

The heartbeat will transmit at 1-second intervals on any link in the trunk that is up. This value is not configurable.
The heartbeat frame has configurable parameters for the layer-3 source and destination addresses and the layer-4
UDP ports. You must also specify the transmit and receive VLANs.
config switch trunk
edit hb-trunk
set mode fortinet-trunk
set members <port> [<port>] ... [<port>]
set hb-loss-limit <3-32>
set hb-out-vlan <int>
set hb-in-vlan <int>
set hb-src-ip <x.x.x.x>
set hb-dst-ip <x.x.x.x>


set hb-src-udp-port <int>


set hb-dst-udp-port <int>
set hb-verify [ enable | disable ]
end

Use the following command to configure the destination MAC address:


config switch global
set forti-trunk-dmac <mac address>
end

Example

The following example creates trunk tr1 with heartbeat capability:

config switch trunk


edit "tr1"
set mode fortinet-trunk
set members "port1" "port2"
set hb-out-vlan 300
set hb-in-vlan 500
set hb-src-ip 10.105.7.200
set hb-dst-ip 10.105.7.199
set hb-src-udp-port 12345
set hb-dst-udp-port 54321
set hb-verify enable
next
end


LLDP-MED

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Fortinet data center switches support LLDP-MED (Media Endpoint Discovery), which is an enhancement of LLDP that
provides the following facilities:
l Auto-discovery of LAN policies (such as VLAN, layer-2 priority, and differentiated services settings), to enable plug-
and-play networking.
l Device location discovery to allow the creation of location databases and Enhanced 911 services for Voice over
Internet Protocol (VoIP).
l Extended and automated power management for power over Ethernet (PoE) endpoints.
l Inventory management, allowing network administrators to track their network devices, and determine their
characteristics (manufacturer, software and hardware versions, serial or asset number).
The switch will multicast LLDP packets to advertise its identity and capabilities. The switch receives the equivalent
information from adjacent layer-2 peers.
Starting in FortiSwitch 6.2.0, you can use the CLI to configure the location table used by LLDP-MED for enhanced 911
emergency calls.
This chapter covers the following topics:
l Configuration notes on page 126
l LLDP global settings on page 127
l Configuring LLDP profiles on page 131
l Configuring an LLDP profile for the port on page 134
l Enabling LLDP on a port on page 135
l Checking the LLDP configuration on page 135
l Configuration deployment example on page 136
l Checking LLDP details on page 138
l LLDP OIDs on page 138

Configuration notes

NOTE: When 802.1x and LLDP turn on at the same port, switching between LLDP profiles requires a manual reset of all
authentication sessions.
Fortinet recommends LLDP-MED-capable phones.
The FortiSwitch unit functions as a Network Connectivity device (that is, NIC, switch, router, and gateway), and will only
support sending TLVs intended for Network Connectivity devices.
LLDP supports up to 16 neighbors per physical port.


The FortiSwitch unit accepts and parses packets using the CDP (Cisco Discovery Protocol) and counts CDP neighbors
towards the neighbor limit on a physical port. If neighbors exist, the FortiSwitch unit transmits CDP packets in addition
to LLDP.
With release 3.5.1, CDP is independently controllable through cdp-status on the physical port. The FortiSwitch unit no
longer requires a neighbor to trigger it to transmit CDP; it will transmit provided cdp-status is configured as tx-only or tx-
rx. The default configuration for CDP-status is disabled. It still uses values pulled from the lldp-profile to configure its
contents.
LLDP must be globally enabled in switch.lldp.settings for CDP to be transmitted or received.
NOTE: If a port is added into a virtual-wire (connects two ends of a controlled system using a radio frequency [RF]
medium), the FortiSwitch unit will disable the transmission and receipt of LLDP and CDP packets and remove all
neighbors from the port. This virtual-wire state is noted in the get switch lldp neighbor-summary command
output.
If the combination of configured TLVs exceeds the maximum frame size on a port, that frame cannot be sent.

LLDP global settings

Using the GUI:

1. Go to Switch > LLDP MED > Settings.


2. Select or clear Enable LLDP Transmit/Receive.
3. Select the management interface.
4. Enter a value in the Transmit Hold field.
5. Enter the number of seconds for the transmit interval.
6. Select or clear Fast Start. If you select Fast Start, enter the number of seconds.
7. Select Update.

Using the CLI:

config switch lldp settings


set status {enable | disable}
set tx-hold <int>
set tx-interval <int>
set fast-start-interval <int>
set management-interface <layer-3 interface>
end

Variable Description

status Enable or disable

tx-hold Number of tx-intervals before the local LLDP data expires (that is, the
packet TTL (in seconds) is tx-hold times tx-interval). The
range for tx-hold is 1 to 16, and the default value is 4.

tx-interval Frequency of LLDP PDU transmission ranging from 5 to 4095 seconds


(default is 30).


fast-start-interval How often the FortiSwitch unit transmits the first four LLDP packets
when a link comes up. The range is 2 to 5 seconds, and the default is 2
seconds.
Set this variable to zero to disable fast start.

management-interface Primary management interface advertised in LLDP and CDP PDUs.

Setting the asset tag

To help identify the unit, LLDP uses the asset tag, which can be at most 32 characters. It will be added to the LLDP-
MED inventory TLV (when that TLV is enabled):
config system global
set asset-tag <string>
end

Configuring the location table

Because mobile phones have no fixed addresses associated with them, calls to 911 need the location information
provided in emergency location identifier numbers (ELINs). You need to first configure the location table used by LLDP-
MED for enhanced 911 emergency calls and then configure the LLDP profile to use the location table.

Using the GUI:

1. Go to System > Locations.


2. Select Add Location.
3. Required. In the Name field, enter a unique name for the location entry.
4. In the ELIN Number field, enter the ELIN, which is a unique phone number. The value must be no more than 31
characters long.
5. Enter the civic address.
a. In the Additional field, enter additional location information, for example, west wing.
b. In the Additional Code field, enter the additional country-specific code for the location. In Japan, use the Japan
Industry Standard (JIS) address code.
c. In the Block field, enter the neighborhood (Korea) or block
d. In the Branch Road field, enter the branch road name. This value is used when side streets do not have unique
names so that both the primary road and side street are used to identify the correct road
e. In the Building field, enter the name of the building (structure) if the address includes more than one building,
for example, Law Library.
f. In the City field, enter the city (Germany), township, or shi (Japan).
g. In the City Division field, enter the city division, borough, city district (Germany), ward, or chou (Japan).
h. Required. In the Country field, enter the two-letter ISO 3166 country code in capital ASCII letters, for example,
US, CA, DK, and DE.
i. In the Country Subdivision field, enter the national subdivision (such as state, canton, region, province, or
prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the
subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.


j. In the County field, enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or
district (India).
k. In the Direction field, enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.
l. In the Floor field, enter the floor number, for example, 4.
m. In the Landmark field, enter the nickname, landmark, or vanity address, for example, UC Berkeley.
n. In the Language field, enter the ISO 639 language code used for the address information.
o. In the Name field, enter the person or organization associated with the address, for example, Fortinet or
Textures Beauty Salon.
p. In the Number field, enter the street address, for example, 1560.
q. In the Number Suffix field, enter any modifier to the street address. For example, if the full street address is
1560A, enter 1560 for the number and A for the number suffix.
r. In the Place Type field, enter the type of place, for example, home, office, or street.
s. In the Post Office Box field, enter the post office box, for example, P.O. Box 1543. When the post-office-box
value is set, the street address components are replaced with this value.
t. In the Postal Community field, enter the postal community name, for example, Alviso. When the postal
community name is set, the civic community name is replaced by this value.
u. In the Primary Road field, enter the primary road or street name for the address.
v. In the Road Section field, enter the specific section or stretch of a primary road. This field is used when the
same street number appears more than once on the primary road.
w. In the Room field, enter the room number, for example, 7A.
x. In the Script field, enter the script used to present the address information, for example, Latn.
y. In the Seat field, enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a
trade show.
z. In the Street field, enter the street (Canada, Germany, Korea, and United States).
aa. In the Street Name Post Mod field, enter an optional part of the street name that appears after the actual
street name. If the full street name is East End Avenue Extended, enter Extended.
ab. In the Street Name Pre Mod field, enter an optional part of the street name that appears before the actual
street name. If the full street name is Old North First Street, enter Old.
ac. In the Street Suffix field, enter the type of street, for example, Ave or Place. Valid values are listed in the
United States Postal Service Publication 28 [18], Appendix C.
ad. In the Sub Branch Road field, enter the name of a street that branches off of a branch road. This value is used
when the primary road, branch road, and subbranch road names are needed to identify the correct street.
ae. In the Trailing Str Suffix field, enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.
af. In the Unit field, enter the unit (apartment or suite), for example, Apt 27.
ag. In the ZIP field, enter the postal or zip code for the address, for example, 94089-1345.
6. Enter the GPS coordinates.
a. Required. In the Altitude field, enter the vertical height of the location in feet or meters. The format is a +/-
floating-point number, for example, 117.47.
b. Select Feet or Meters as the unit of measurement for the altitude.
c. From the Datum drop-down list, select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.
d. Required. In the Latitude field, enter the latitude. The format is a floating-point number starting with +/- or
ending with N/S, for example, +/-16.67 or 16.67N.
e. Required. In the Longitude field, enter the longitude. The format is a floating-point number starting with +/- or
ending with E/W, for example, +/-26.789 or 26.789E.
7. Select Add.


Using the CLI:

config system location
    edit <name>
        config address-civic
            set additional <string>
            set additional-code <string>
            set block <string>
            set branch-road <string>
            set building <string>
            set city <string>
            set city-division <string>
            set country <string>
            set country-subdivision <string>
            set county <string>
            set direction <string>
            set floor <string>
            set landmark <string>
            set language <string>
            set name <string>
            set number <string>
            set number-suffix <string>
            set place-type <string>
            set post-office-box <string>
            set postal-community <string>
            set primary-road <string>
            set road-section <string>
            set room <string>
            set script <string>
            set seat <string>
            set street <string>
            set street-name-post-mod <string>
            set street-name-pre-mod <string>
            set street-suffix <string>
            set sub-branch-road <string>
            set trailing-str-suffix <string>
            set unit <string>
            set zip <string>
        end
        config coordinates
            set altitude <string>
            set altitude-unit {f | m}
            set datum {NAD83 | NAD83/MLLW | WGS84}
            set latitude <string>
            set longitude <string>
        end
        config elin-number
            set elin-number <number>
        end
    next
end

For example:

config system location
    edit Fortinet
        config address-civic
            set country "US"
            set language "English"
            set county "Santa Clara"
            set city "Sunnyvale"
            set street "Kifer"
            set street-suffix "Road"
            set number "899"
            set zip "94086"
            set building "1"
            set floor "1"
            set seat "1293"
        end
    next
    edit "Fortinet"
        config elin-number
            set elin-number "14082357700"
        end
end
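The field rules above (an ELIN of at most 31 characters, a two-letter country code in capital ASCII letters, latitude written with +/- or N/S, longitude with +/- or E/W, a signed altitude) are easy to get wrong when the location table is filled from a spreadsheet. The following validator is an added example, not FortiSwitchOS code: it checks those rules on values taken from the CLI example (the coordinates are constructed). Requiring exactly one of a leading sign or a trailing hemisphere letter on a coordinate, and digits only in the ELIN, are this validator's reading of the rules.

```python
"""Validate a location entry before it goes into the location table.

Added example, not FortiSwitchOS code: applies the field rules from the
location-table procedure (ELIN of at most 31 characters, two capital ASCII
letters for the country, +/- or N/S latitude, +/- or E/W longitude, signed
altitude). Requiring exactly one of sign or hemisphere letter on a coordinate
and digits only in the ELIN are assumptions of this validator.
"""
from __future__ import annotations
import re

COORD_RE = re.compile(r"([+-])?(\d+(?:\.\d+)?)([NSEW])?")


def parse_coordinate(text: str, axis: str) -> float:
    """Return signed decimal degrees for a latitude ('lat', +/-16.67 or 16.67N)
    or a longitude ('lon', +/-26.789 or 26.789E)."""
    positive, negative, limit = {"lat": ("N", "S", 90.0), "lon": ("E", "W", 180.0)}[axis]
    m = COORD_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"{text!r}: not a floating-point coordinate")
    sign, digits, hemisphere = m.groups()
    if (sign is None) == (hemisphere is None):
        raise ValueError(f"{text!r}: use either a leading +/- or a trailing hemisphere letter")
    value = float(digits)
    if hemisphere is not None:
        if hemisphere not in (positive, negative):
            raise ValueError(f"{text!r}: {hemisphere} is not valid for {axis}")
        if hemisphere == negative:
            value = -value
    elif sign == "-":
        value = -value
    if abs(value) > limit:
        raise ValueError(f"{text!r}: out of range for {axis}")
    return value


def validate_location(name: str, elin: str, country: str,
                      latitude: str, longitude: str, altitude: str,
                      altitude_unit: str = "m") -> list[str]:
    """Return the problems found; an empty list means the entry is acceptable."""
    problems: list[str] = []
    if not name:
        problems.append("name is required")
    # The guide calls the ELIN a unique phone number; digits only is this check's assumption.
    if not (elin.isdigit() and 1 <= len(elin) <= 31):
        problems.append("elin-number must be 1 to 31 digits")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("country must be a two-letter ISO 3166 code in capital ASCII letters")
    for text, axis in ((latitude, "lat"), (longitude, "lon")):
        try:
            parse_coordinate(text, axis)
        except ValueError as exc:
            problems.append(str(exc))
    if re.fullmatch(r"[+-]?\d+(?:\.\d+)?", altitude.strip()) is None:
        problems.append("altitude must be a +/- floating-point number such as 117.47")
    if altitude_unit not in ("f", "m"):
        problems.append("altitude-unit must be f or m")
    return problems


if __name__ == "__main__":
    # Name, ELIN and country from the CLI example above; coordinates are constructed.
    print(validate_location("Fortinet", "14082357700", "US", "37.37N", "-121.99", "15.0"))
```

Run the validator over every row before generating the `config system location` commands; a non-empty list for a row means the switch would either reject the entry or advertise an address that does not resolve to the intended location.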

Configuring LLDP profiles

An LLDP profile contains most of the port-specific configuration. Profiles provide a central point of configuration for
LLDP settings that are likely to be the same for multiple ports.
Two static LLDP profiles, default and default-auto-isl, are created automatically. They can be modified but not deleted.
The default-auto-isl profile always has auto-isl enabled and rejects any configuration that attempts to disable it.

LLDP-MED network policies

LLDP-MED network policies cannot be deleted or added. To use a policy, set the med-tlvs field to include
network-policy and set the desired network policy to enabled. The VLAN values on the policy are cross-checked against
the native VLAN and untagged attributes of any interface that contains physical ports using this profile. The cross-check
determines whether the policy Type Length Value (TLV) is sent (the VLAN must be native or allowed) and whether the
TLV marks the VLAN as tagged or untagged (the VLAN is native or is in the untagged list). The network policy TLV is
automatically updated when either a switch interface changes its VLAN configuration or a physical port is added to, or
removed from, a trunk.
The FortiSwitch unit supports the following LLDP-MED TLVs:
• Inventory Management TLVs
• Location Identification TLVs
• Network Policy TLV
• Power Management TLVs
Refer to the Configuration deployment example on page 136.

Custom TLVs (organizationally specific TLVs)

Custom TLVs are configured in their own subtable, available in each profile. They allow you to emulate the TLVs
defined in various specifications by using their OUI and subtype and formatting the data correctly. You can also define
a purely arbitrary custom TLV for some other vendor or for your own company.


The “name” value for each custom TLV is not used by LLDP and has no effect on it; it only distinguishes between
custom TLV entries:

config custom-tlvs
    edit <TLVname_str>
        set information-string <hex-bytes>
        set oui <hex-bytes>
        set subtype <integer>
    next

The OUI value for each TLV must be exactly three bytes, and at least one of those bytes must be nonzero; any value
other than all zeros is accepted. The subtype is optional and ranges from 0 (default) to 255. The information string can
be 0 to 507 bytes, in hexadecimal notation.
The FortiSwitch unit does not check for conflicts between custom TLV values or with standardized TLVs. That is,
other than ensuring that the OUI is nonzero, the FortiSwitch unit does not check the OUI, subtype, or data values
entered in the CLI for conflicts with other custom TLVs or with the OUI and subtypes of TLVs defined by the 802.1,
802.3, LLDP-MED, or other standards. While this behavior could cause LLDP protocol issues, it also gives you a large
degree of flexibility should you need to emulate a standard TLV that is not supported yet.
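Because the switch accepts any nonzero OUI without further checks, the place to catch a custom TLV that collides with a standard TLV set is before the entry is configured. The following is an added example, not FortiSwitchOS code: it applies the three constraints above (three-byte nonzero OUI, subtype 0 to 255, information string of at most 507 bytes), builds the on-the-wire organizationally specific TLV (type 127 with a 7-bit type and 9-bit length, which is where the 507-byte limit comes from), and warns when the OUI is one of the well-known IEEE 802.1, IEEE 802.3 or TIA LLDP-MED OUIs. The sample entry values are constructed.

```python
"""Validate and encode an organizationally specific LLDP TLV (TLV type 127)
under the custom-tlvs constraints, and warn about the OUI conflicts the
switch itself does not check for.

Added example, not FortiSwitchOS code. STANDARD_OUIS holds the well-known
OUIs of the IEEE 802.1, IEEE 802.3 and TIA LLDP-MED TLV sets.
"""
from __future__ import annotations

ORG_SPECIFIC_TLV_TYPE = 127
MAX_INFO_BYTES = 507          # 511-byte TLV value limit minus 3 (OUI) and 1 (subtype)

STANDARD_OUIS = {
    "0080c2": "IEEE 802.1 (port VLAN ID and related TLVs)",
    "00120f": "IEEE 802.3 (MAC/PHY, power via MDI, max frame size)",
    "0012bb": "TIA LLDP-MED (network policy, location, inventory)",
}


def validate_custom_tlv(oui: str, subtype: int = 0,
                        information: str = "") -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a custom-tlvs entry given as hex strings."""
    errors: list[str] = []
    warnings: list[str] = []
    try:
        oui_bytes = bytes.fromhex(oui)
    except ValueError:
        errors.append("oui is not hexadecimal")
        oui_bytes = b""
    if len(oui_bytes) != 3:
        errors.append("oui must be exactly three bytes")
    elif not any(oui_bytes):
        errors.append("oui must not be all zeros")
    if not 0 <= subtype <= 255:
        errors.append("subtype must be between 0 and 255")
    try:
        info_bytes = bytes.fromhex(information)
    except ValueError:
        errors.append("information-string is not hexadecimal")
        info_bytes = b""
    if len(info_bytes) > MAX_INFO_BYTES:
        errors.append(f"information-string is {len(info_bytes)} bytes; at most {MAX_INFO_BYTES} allowed")
    owner = STANDARD_OUIS.get(oui_bytes.hex())
    if owner is not None:
        warnings.append(f"oui {oui_bytes.hex()} belongs to {owner}; the switch will not flag this conflict")
    return errors, warnings


def encode_custom_tlv(oui: str, subtype: int = 0, information: str = "") -> bytes:
    """Build the on-the-wire TLV: 7-bit type, 9-bit length, OUI, subtype, information string."""
    errors, _ = validate_custom_tlv(oui, subtype, information)
    if errors:
        raise ValueError("; ".join(errors))
    value = bytes.fromhex(oui) + bytes([subtype]) + bytes.fromhex(information)
    header = (ORG_SPECIFIC_TLV_TYPE << 9) | len(value)
    return header.to_bytes(2, "big") + value


def decode_custom_tlv(tlv: bytes) -> tuple[str, int, str]:
    """Split a type-127 TLV back into (oui hex, subtype, information hex)."""
    header = int.from_bytes(tlv[:2], "big")
    tlv_type, length = header >> 9, header & 0x1FF
    if tlv_type != ORG_SPECIFIC_TLV_TYPE or length < 4 or len(tlv) != 2 + length:
        raise ValueError("not a well-formed organizationally specific TLV")
    value = tlv[2:]
    return value[:3].hex(), value[3], value[4:].hex()


if __name__ == "__main__":
    # Constructed entry: a private OUI, subtype 7, two bytes of data.
    tlv = encode_custom_tlv("00aabb", 7, "0102")
    print(tlv.hex(), decode_custom_tlv(tlv))
    print(validate_custom_tlv("0012bb", 2))   # accepted, but warns: TIA LLDP-MED OUI
```

A warning is not an error: emulating a standard TLV is exactly the flexibility the text describes, but the operator should know when a custom entry will be parsed by neighbors as an 802.1, 802.3 or LLDP-MED TLV.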

802.1 TLVs

The only 802.1 TLV that can be enabled or disabled is Port VLAN ID. This TLV sends the native VLAN of the port. This
value is updated when the native VLAN of the interface representing the physical port changes or if the physical port is
added to, or removed from, a trunk.
By default, no 802.1 TLVs are enabled.

802.3 TLVs

There are three 802.3 TLVs that can be enabled or disabled:
• Efficient Energy Ethernet Config—This TLV sends whether energy-efficient Ethernet is enabled on the port. If this
variable is changed, the sent value will reflect the updated value.
• PoE+ Classification—This TLV sends whether PoE power is enabled on the port. If this variable is changed, the
sent value will reflect the updated value.
• Maximum Frame Size—This TLV sends the max-frame-size value of the port. If this variable is changed, the sent
value will reflect the updated value.
By default, no 802.3 TLVs are enabled.

Auto-ISL

The auto-ISL configuration that was formerly in the switch physical-port command has been moved to the
switch lldp-profile command. All behavior and default values are unchanged.


Assigning a VLAN to a port in the LLDP profile

You can configure the network policy of an LLDP profile to assign the specified VLAN to ports that use the LLDP profile.
The VLAN is added as though it were configured in the set allowed-vlans setting in the config switch
interface configuration.
This feature has the following requirements:
• The port cannot belong to a trunk or virtual wire.
• The port must have lldp-status set to rx-only, tx-only, or tx-rx.
• The port must have private-vlan set to disabled.
• LLDP must be enabled under the config switch lldp settings command.
• The set med-tlvs network-policy option must be set under the config switch lldp profile
configuration.
• The assign-vlan option must be enabled in the med-network-policy configuration under the config
switch lldp profile configuration.
• The VLAN assigned in the LLDP profile must be a valid VLAN.
Note:
• If the VLAN added to the interface by the LLDP profile is also listed under the set untagged-vlans
configuration in the config switch interface command, the VLAN is added as untagged.
• If the VLAN added to the interface by the LLDP profile is also the native VLAN of the port, no changes occur.
• The LLDP service determines the contents of the network-policy TLV being sent based on the current state of the
switch interface. If the LLDP VLAN assignment does not happen or the assigned VLAN is changed by another
configuration (such as the set untagged-vlans configuration in config switch interface), the LLDP
network policy TLVs being sent will reflect the actual state of the interface, not the configured value.

To specify a VLAN in the network policy of an LLDP profile:

config med-network-policy
    edit <policy_type_name>
        set status enable
        set assign-vlan enable
        set dscp <0-63>
        set priority <0-7>
        set vlan <0-4094>
    next

For example:

config med-network-policy
    edit default
        set status enable
        set assign-vlan enable
        set vlan 15
        set dscp 30
        set priority 3
    next

Configuring an LLDP profile for the port

Configure an LLDP profile for the port. By default, the port uses the default LLDP profile.

Using the GUI:

1. Go to Switch > LLDP-MED > Profiles.
2. Select Add Profile.
3. Enter a name for your LLDP profile.
4. If needed, select Port VLAN ID.
5. If needed, select one or more of the 802.3 TLVs: Efficient Energy Ethernet Config, PoE+ Classification, and
Maximum Frame Size.
6. If needed, select Enable for Auto-ISL.
7. Enter the number of seconds for the Auto-ISL Hello Timer.
8. Enter the port group number for the Auto-ISL Port Group.
9. Enter the number of seconds for the Auto-ISL Receive Timeout.
10. If needed, select one or more of the MED TLVs: Inventory Management, Location Identification, Network Policy,
and Power Management.
11. Select Add.

Using the CLI:

config switch lldp profile
    edit <profile>
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs max-frame-size
        set auto-isl {active | inactive}
        set auto-isl-hello-timer <1-30>
        set auto-isl-port-group <0-9>
        set auto-isl-receive-timeout <3-90>
        set auto-mclag-icl {enable | disable}
        set med-tlvs (inventory-management | location-identification | network-policy | power-management)
        config custom-tlvs
            edit <TLVname_str>
                set information-string <hex-bytes>
                set oui <hex-bytes>
                set subtype <integer>
            next
        config med-location-service
            edit address-civic
                set status {enable | disable}
                set sys-location-id <string>
            next
            edit coordinates
                set status {enable | disable}
                set sys-location-id <string>
            next
            edit elin-number
                set status {enable | disable}
                set sys-location-id <string>
            next
        config med-network-policy
            edit <policy_type_name>
                set status {enable | disable}
                set assign-vlan {enable | disable}
                set dscp <0-63>
                set priority <0-7>
                set vlan <0-4094>
            next
end

Enabling LLDP on a port

To enable LLDP-MED on a port, set the LLDP status to receive-only, transmit-only, or receive and transmit. The default
value is TX/RX.

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port and select Edit.
3. Select TX/RX, RX Only, TX Only, or Disable for the LLDP-MED status.
4. Select an LLDP profile.
5. Select Update.

Using the CLI:

config switch physical-port
    edit <port>
        set lldp-status (rx-only | tx-only | tx-rx | disable)
        set lldp-profile <profile name>
    next
end

Checking the LLDP configuration

View the LLDP configuration settings using the GUI:

1. Go to Switch > LLDP-MED > Settings.
2. Make any changes that are needed.
3. Select Update.

View the LLDP configuration settings using the CLI:

get switch lldp settings
status : enable
tx-hold : 4
tx-interval : 30
fast-start-interval : 2
management-interface: internal

View the LLDP profiles using the GUI:

1. Go to Switch > LLDP-MED > Profiles.
2. Select a profile and then select Edit.
3. Make any changes that are needed.
4. Select Update.

View the LLDP profiles using the CLI:

get switch lldp profile
== [ default ]
name: default 802.1-tlvs: 802.3-tlvs: med-tlvs: inventory-management network-policy
== [ default-auto-isl ]
name: default-auto-isl 802.1-tlvs: 802.3-tlvs: med-tlvs:

Use the following commands to display information about the LLDP status or the layer-2 peers of this FortiSwitch
unit:

get switch lldp (auto-isl-status | neighbors-detail | neighbors-summary | profile | settings | stats)

Configuration deployment example

To configure LLDP:

1. Configure LLDP global configuration settings using the config switch lldp settings command.
2. Create LLDP profiles using the config switch lldp profile command to configure Type Length Values
(TLVs) and other per-port settings.
3. Assign LLDP profiles to physical ports.
4. Apply the VLAN to the interface. (NOTE: LLDP profile values that are tied to VLANs are only sent if the VLAN is
assigned on the switch interface.)
a. Configure the profile.

show switch lldp profile Forti670i
config switch lldp profile
    edit "Forti670i"
        config med-network-policy
            edit "voice"
                set dscp 46
                set priority 5
                set status enable
                set vlan 400
            next
            edit "guest-voice"
            next
            edit "guest-voice-signaling"
            next
            edit "softphone-voice"
            next
            edit "video-conferencing"
            next
            edit "streaming-video"
                set dscp 40
                set priority 3
                set status enable
                set vlan 400
            next
            edit "video-signalling"
            next
        end
        set med-tlvs inventory-management network-policy
    next
end

b. Configure the interface.

show switch interface port4
config switch interface
    edit "port4"
        set allowed-vlans 400
        set snmp auto
    next
end

c. Connect a phone with LLDP-MED capability to the interface. NOTE: Make certain the LLDP, Learning, and
DHCP features are enabled.

show switch physical-port port4
config switch physical-port
    edit "port4"
        set lldp-profile "Forti670i"
        set speed auto
    next
end

d. Verify.

show switch lldp neighbor-det port4
Neighbor learned on port port4 by LLDP protocol
Last change 12 seconds ago
Last packet received 12 seconds ago
Chassis ID: 10.105.251.40 (ip)
System Name: FON-670i
System Description:
V12.740.335.12.B
Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 10.105.251.40
Port ID: 00:a8:59:d8:f1:f6 (mac)
Port description: WAN Port 10M/100M/1000M
IEEE802.3, Power via MDI:
Power devicetype: PD
PSE MDI Power: Not Supported
PSE MDI Power Enabled: No
PSE Pair Selection: Can not be controlled
PSE power pairs: Signal
Power class: 1
Power type: 802.3at off
Power source: Unknown
Power priority: Unknown
Power requested: 0
Power allocated: 0
LLDP-MED, Network Policies:
voice: VLAN: 400 (tagged), Priority: 5 DSCP: 46
voice-signaling: VLAN: 400 (tagged), Priority: 4 DSCP: 35
streaming-video: VLAN: 400 (tagged), Priority: 3 DSCP: 40
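Step d is usually repeated for every phone port, so it pays to parse the output instead of reading it. The following is an added example, not FortiSwitchOS code: it turns the neighbor-detail output from step d into a record and runs two checks against what steps a and b configured, namely that the neighbor reports the expected policies (voice: VLAN 400, priority 5, DSCP 46; streaming-video: VLAN 400, priority 3, DSCP 40) and that none of its policies names a VLAN the port does not allow. The sample text is the output shown above with most of the power-via-MDI lines omitted for brevity.

```python
"""Parse 'show switch lldp neighbor-det' output and check it against the
configured profile and interface.

Added example, not FortiSwitchOS code. SAMPLE is the step-d output from the
guide (power lines shortened); expected policies and allowed VLANs come from
the profile and interface configured in steps a and b.
"""
from __future__ import annotations
import re

SAMPLE = """\
Neighbor learned on port port4 by LLDP protocol
Last change 12 seconds ago
Last packet received 12 seconds ago
Chassis ID: 10.105.251.40 (ip)
System Name: FON-670i
System Description:
V12.740.335.12.B
Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 10.105.251.40
Port ID: 00:a8:59:d8:f1:f6 (mac)
Port description: WAN Port 10M/100M/1000M
IEEE802.3, Power via MDI:
Power devicetype: PD
Power class: 1
LLDP-MED, Network Policies:
voice: VLAN: 400 (tagged), Priority: 5 DSCP: 46
voice-signaling: VLAN: 400 (tagged), Priority: 4 DSCP: 35
streaming-video: VLAN: 400 (tagged), Priority: 3 DSCP: 40
"""

POLICY_RE = re.compile(
    r"(?P<app>[\w-]+): VLAN: (?P<vlan>\d+) \((?P<tag>tagged|untagged)\), "
    r"Priority: (?P<prio>\d+) DSCP: (?P<dscp>\d+)")
PORT_RE = re.compile(r"Neighbor learned on port (\S+) by LLDP protocol")


def parse_neighbor_detail(text: str) -> dict:
    """Map 'key: value' lines to a dict (keys lower-cased, spaces to underscores);
    a key with an empty value takes the next line; policies go to rec['policies']."""
    rec: dict = {"policies": {}}
    last_key = None
    in_policies = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_policies:
            m = POLICY_RE.fullmatch(line)
            if m:
                rec["policies"][m["app"]] = {"vlan": int(m["vlan"]), "tagged": m["tag"] == "tagged",
                                             "priority": int(m["prio"]), "dscp": int(m["dscp"])}
                continue
            in_policies = False
        if line == "LLDP-MED, Network Policies:":
            in_policies = True
            continue
        m = PORT_RE.fullmatch(line)
        if m:
            rec["port"] = m[1]
            last_key = None
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower().replace(" ", "_")
            rec[key] = value.strip()
            last_key = key if not value.strip() else None
        elif last_key:
            rec[last_key] = line
            last_key = None
    return rec


def check_neighbor(rec: dict, allowed_vlans: set[int],
                   expected: dict[str, tuple[int, int, int]]) -> list[str]:
    """Report policies naming VLANs the port does not carry, expected policies the
    neighbor does not report, and expected policies whose VLAN/priority/DSCP differ."""
    findings = []
    for app, pol in rec["policies"].items():
        if pol["vlan"] not in allowed_vlans:
            findings.append(f"{app}: VLAN {pol['vlan']} is not allowed on {rec.get('port')}")
    for app, (vlan, prio, dscp) in expected.items():
        pol = rec["policies"].get(app)
        if pol is None:
            findings.append(f"{app}: policy not reported by neighbor")
        elif (pol["vlan"], pol["priority"], pol["dscp"]) != (vlan, prio, dscp):
            findings.append(f"{app}: got VLAN {pol['vlan']}/prio {pol['priority']}/DSCP {pol['dscp']}, "
                            f"expected {vlan}/{prio}/{dscp}")
    return findings


if __name__ == "__main__":
    rec = parse_neighbor_detail(SAMPLE)
    print(rec["system_name"], rec["port_id"], rec["policies"])
    print(check_neighbor(rec, {400}, {"voice": (400, 5, 46), "streaming-video": (400, 3, 40)}))
```

The parsed record also carries the chassis ID, port ID and system description, which is the material for an inventory of LLDP neighbors per port; a neighbor whose identity or policies change between runs is what an operator wants to be told about.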

Checking LLDP details

Using the GUI:

Go to Switch > Monitor > LLDP.

LLDP OIDs

Starting in FortiSwitchOS 6.2.2, the following object identifiers (OIDs) are supported by the LLDP management
information base (MIB) file:
• .1.0.8802.1.1.2.1.1 (lldpConfiguration)
    ◦ lldpMessageTxInterval
    ◦ lldpMessageTxHoldMultiplier
    ◦ lldpReinitDelay
    ◦ lldpTxDelay
    ◦ lldpNotificationInterval
• .1.0.8802.1.1.2.1.4.1 (lldpRemoteSystemsData.lldpRemTable)
    ◦ lldpRemChassisIdSubtype
    ◦ lldpRemChassisId
    ◦ lldpRemPortSubtype
    ◦ lldpRemPortId
    ◦ lldpRemPortDesc
    ◦ lldpRemSysName
    ◦ lldpRemSysDesc
    ◦ lldpRemSysCapSupported
    ◦ lldpRemSysCapEnabled
• .1.0.8802.1.1.2.1.4.2 (lldpRemoteSystemsData.lldpRemManAddrTable)
    ◦ lldpRemManAddrIfSubtype
    ◦ lldpRemManAddrIfId
    ◦ lldpRemManAddrOID


MAC/IP/protocol-based VLANs

The FortiSwitch unit assigns VLANs to packets based on the incoming port or the VLAN tag in the packet. The
MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet
(MAC address, IP address, or layer-2 protocol).
This chapter covers the following topics:
• Overview on page 140
• Configuring MAC/IP/protocol-based VLANs on page 141
• Checking the configuration on page 143

Overview

When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that
VLAN value to include the VLAN tag. Use the set untagged-vlans <vlan> configuration command to remove
the VLAN tag from egress packets. For an example of the command, see the Example configuration on page 142.
The MAC/IP/protocol-based VLAN feature assigns the VLAN based on MAC address, IP address, or layer-2 protocol.

MAC based

In MAC-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating
MAC address.

IP based

In IP-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating IP
address or IP subnet. IPv4 is supported with prefix masks from 1 to 32. IPv6 is also supported, depending on hardware
availability, with prefix lengths from 1 to 64.

Protocol based

In protocol-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the Ethernet
protocol value and the frame type (ethernet2, 802.3d/SNAP, LLC).


Configuring MAC/IP/protocol-based VLANs

Note the following prerequisites:
• The VLAN must be created in the FortiSwitch unit.
• The VLAN needs to be allowed on the ingress port.

Using the GUI:

1. Go to Switch > VLAN.
2. Select Add VLAN for a new VLAN or select Edit for an existing VLAN.
3. To configure a MAC-based VLAN:
a. Select Add under Members by MAC Address.
b. Enter a description and the MAC address.
4. To configure an IP-based VLAN:
a. Select Add under Members by IP Address.
b. Enter a description and the IP address.
5. Select Add or Update to save the settings.

Using the CLI:

config switch vlan
    edit <vlan-id>
        config member-by-mac
            edit <id>
                set mac xx:xx:xx:xx:xx:xx
                set description <128 byte string>
            next
        end
        config member-by-ipv4
            edit <id>
                set address a.b.c.d/e                   # prefix length e must be 1-32
                set description <128 byte string>
            next
        end
        config member-by-ipv6
            edit <id>
                set prefix xx:xx:xx:xx::/prefix          # prefix length must be 1-64
                set description <128 byte string>
            next
        end
        config member-by-proto
            edit <id>
                set frametypes ethernet2 802.3d llc      # default is all three frame types
                set protocol 0xXXXX
            next
        end
    next
end


NOTE: There are hardware limits on how many MAC/IP/protocol-based VLANs you can configure. If you try to add
entries beyond the limit, the CLI rejects the configuration:
• Editing an existing VLAN—when you enter next or end on the config member-by command
• Adding a new VLAN—when you enter next or end on the edit vlan command
NOTE: When VLANs are defined by config member-by-ipv4 or config member-by-ipv6 on some FortiSwitch
platforms (2xx and higher), matching ARP traffic is included in the assigned VLANs. For example, if the ARP target
IP address or the ARP sender IP address matches the member-by-ipv4 or member-by-ipv6 IP address, those ARP
packets are included in the assigned VLANs.

Example configuration

The following example shows a CLI configuration for a MAC-based VLAN where a VOIP phone and a PC share the same
switch port.
In this example, a unique VLAN is assigned to the voice traffic, and the PC traffic is on the default VLAN for the port.

1. FortiSwitch port 10 is connected to PC2 (a VOIP phone), with MAC address 00:21:cc:d2:76:72.
2. The phone also forwards traffic from PC3 (MAC address 00:21:cc:d2:76:80).
3. Assign the PC3 traffic to the default VLAN (1) on port 10.
4. Assign the voice traffic to VLAN 100.

Configure the voice VLAN

config switch vlan
    edit 100
        config member-by-mac
            edit 1
                set description "pc2"
                set mac 00:21:cc:d2:76:72
            next
        end
    end
end

Configure switch port 10

config switch interface
    edit "port10"
        # allow vlan=100 on this port
        # treat this as untagged on egress
        set allowed-vlans 100
        set untagged-vlans 100
        set snmp-index 10
    end
end
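To see how the members configured on a VLAN interact with the port's own VLAN settings, the following is an added example, not FortiSwitchOS code: a small model of ingress VLAN assignment that looks up MAC, IPv4/IPv6 (including the ARP sender and target addresses, as the note for 2xx and higher platforms describes) and protocol members, enforces the prefix-length limits from the CLI syntax, and falls back to the frame's 802.1Q tag or the port's native VLAN. It is run on the example above (the phone's MAC on VLAN 100, PC3 on VLAN 1). The order in which member types are consulted, and dropping an assignment whose VLAN is not allowed on the ingress port, are this model's assumptions; all frames are constructed.

```python
"""Model how an ingress frame is mapped to a VLAN once MAC-, IP- and
protocol-based members are configured.

Added example, not FortiSwitchOS code. Member precedence and the handling
of a matched VLAN that is not allowed on the port are assumptions of this
model; the ARP behaviour follows the note for 2xx and higher platforms.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETHERTYPE_ARP = 0x0806
ALL_FRAMETYPES = ("ethernet2", "802.3d", "llc")


@dataclass
class Port:
    name: str
    native_vlan: int
    allowed_vlans: set[int]


class VlanMembers:
    """The member-by-* tables of 'config switch vlan', flattened across VLANs."""

    def __init__(self) -> None:
        self.by_mac: dict[str, int] = {}
        self.by_ip: list = []      # (network, vlan)
        self.by_proto: list = []   # (ethertype, frametypes, vlan)

    def add_mac(self, vlan: int, mac: str) -> None:
        self.by_mac[mac.lower()] = vlan

    def add_ip(self, vlan: int, prefix: str) -> None:
        net = ip_network(prefix, strict=False)
        limit = 32 if net.version == 4 else 64        # IPv4 /1-/32, IPv6 /1-/64
        if not 1 <= net.prefixlen <= limit:
            raise ValueError(f"prefix length must be 1-{limit} for IPv{net.version}")
        self.by_ip.append((net, vlan))

    def add_proto(self, vlan: int, ethertype: int, frametypes=ALL_FRAMETYPES) -> None:
        self.by_proto.append((ethertype, tuple(frametypes), vlan))

    def _ip_vlan(self, addr: str | None) -> int | None:
        if addr is None:
            return None
        ip = ip_address(addr)
        for net, vlan in self.by_ip:
            if ip.version == net.version and ip in net:
                return vlan
        return None

    def classify(self, port: Port, frame: dict) -> tuple[int, str]:
        """Return (vlan, reason) for a frame dict with src_mac, ethertype and
        frametype, plus optional src_ip, arp_sender, arp_target and vlan_tag."""
        candidates = []
        mac = frame["src_mac"].lower()
        if mac in self.by_mac:
            candidates.append((self.by_mac[mac], "member-by-mac"))
        vlan = self._ip_vlan(frame.get("src_ip"))
        if vlan is not None:
            candidates.append((vlan, "member-by-ip"))
        if frame["ethertype"] == ETHERTYPE_ARP:       # ARP sender/target also match IP members
            for key in ("arp_sender", "arp_target"):
                vlan = self._ip_vlan(frame.get(key))
                if vlan is not None:
                    candidates.append((vlan, f"member-by-ip ({key})"))
        for ethertype, frametypes, proto_vlan in self.by_proto:
            if ethertype == frame["ethertype"] and frame["frametype"] in frametypes:
                candidates.append((proto_vlan, "member-by-proto"))
        # Assumption: an assigned VLAN only takes effect if the port allows it.
        for vlan, reason in candidates:
            if vlan in port.allowed_vlans or vlan == port.native_vlan:
                return vlan, reason
        if frame.get("vlan_tag") is not None:
            return frame["vlan_tag"], "802.1Q tag"
        return port.native_vlan, "port native VLAN"


if __name__ == "__main__":
    members = VlanMembers()
    members.add_mac(100, "00:21:cc:d2:76:72")          # pc2, the phone
    port10 = Port("port10", native_vlan=1, allowed_vlans={100})
    for mac in ("00:21:cc:d2:76:72", "00:21:cc:d2:76:80"):
        print(mac, members.classify(port10, {"src_mac": mac, "ethertype": 0x0800, "frametype": "ethernet2"}))
```

The model makes the prerequisite explicit: a VLAN that a member matches but that is not allowed on the ingress port does nothing, which is the first thing to check when a MAC-based assignment "does not work".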

Checking the configuration

To view the MAC-based VLAN assignments, use the following command:

diagnose switch vlan assignment mac list sorted-by-mac
00:21:cc:d2:76:72 VLAN: 100 Installed: yes
Source: Configuration (entry 1)
Description: pc2


Mirroring

Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and
analyzed. All FortiSwitch models support switched port analyzer (SPAN) mode, which mirrors traffic to the specified
destination interface without encapsulation.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2
domains. You can have multiple RSPAN sessions but only one ERSPAN session. In RSPAN mode, traffic is encapsulated
in a VLAN. In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers.
NOTE:
• Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and
might prevent critical protocols from operating on ports being used as mirror sources.
• When there are multiple mirror sessions in the FS-108D-POE, FS-224D-POE, and FSR-112D-POE models, some
traffic might not be mirrored to the destination ports.
• Some destination ports are not listed because those models (FSR-112D-POE, FS-108E, FS-124E, FS-108E-POE,
FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE) do not support mirroring to the
software interface.
• You cannot select a destination interface for the ERSPAN auto mirror.
• In cases where the mirrored traffic is not unicast, or is flooded unicast, and the mirrored and non-mirrored packets
both leave the mirror “dst” port, the mirror-qos value is overridden by the QoS value of the non-mirrored packet.
• You can use the following commands to specify the quality of service (QoS) priority for mirrored packets on the
FortiSwitch unit doing the mirroring:

config switch global
    set mirror-qos <0-7>
end


Some of the platform differences are listed in the following table. The ten platform groups (the columns of the table)
are:

(1) 112D-POE
(2) 108E, 108E-FPOE, 108E-POE, 124E, 124E-FPOE, 124E-POE
(3) 124D, 224D-FPOE, 224E, 224E-POE
(4) 248D, 248E-FPOE, 248E-POE
(5) 424D, 424D-FPOE, 424D-POE
(6) 448D, 448D-FPOE, 448D-POE
(7) 424E, 424E-POE, 424E-FPOE, M426-FPOE
(8) 424E-Fiber, 448E, 448E-POE, 448E-FPOE
(9) 524D, 524D-FPOE, 548D, 548D-FPOE
(10) 1024D, 1048D, 3032D, 3032E, 1048E

“dst” values
    (1)-(2): Ports only (can be in a trunk)
    (3)-(10): Port or trunk (no trunk members)

Max. sessions (active or inactive)
    (1)-(2): —
    (3)-(10): 32

Max. active sessions
    (1): 7; (2): 4; (3)-(6): 6; (7)-(9): 8; (10): 4

Max. sessions with src-egress
    (1): 6; (2): 4; (3)-(8): 1; (9)-(10): 4

Max. sessions with src-ingress
    (1): 6; (2): 4; (3)-(7): 1; (8)-(10): 4

Max. sessions when one has src-ingress + src-egress and the rest are src-ingress
    (1)-(2): N/A; (3)-(10): 3

VLAN CFI and priority can be configured in RSPAN
    (1)-(2): N/A; (3): Yes; (4): No; (5): Yes; (6): No; (7)-(10): Yes

SPAN support
    (1)-(10): Yes

RSPAN and ERSPAN support
    (1): RSPAN; (2): No; (3)-(10): Yes

QoS support
    (1)-(6): No; (7)-(9): Yes; (10): 3032D

The following topics are covered in this chapter:
• Configuring a SPAN mirror on page 146
• Configuring an RSPAN mirror on page 149
• Configuring an ERSPAN auto mirror on page 150
• Configuring an ERSPAN manual mirror on page 151

Configuring a SPAN mirror

NOTE: You can use virtual wire ports as ingress and egress mirror sources. Egress mirroring of virtual wire ports will
have an additional VLAN header on all mirrored traffic.

Using the GUI:

1. Go to Switch > Mirror.
2. Select Add Port Mirror.
3. Enter a name for the mirror.
4. Select Enabled to make the mirror active.
5. Select a destination interface.
On Fort­iSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror.
The physical port cannot be part of a trunk.
On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The
physical port can be part of a trunk.
6. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
7. Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this
option if you connect a laptop to the switch and you are running a packet sniffer along with the management
GUI on the laptop.
8. Select SPAN for the mode.
9. Select Create to create the mirror.

Using the CLI:

config switch mirror
    edit <mirror session name>
        set mode SPAN
        set dst <interface>
        set src-egress <interface_name>
        set src-ingress <interface_name>
        set switching-packet {enable | disable}
        set status active
end

For example:

config switch mirror
    edit "m1"
        set mode SPAN
        set dst "port5"
        set src-egress "port2"
        set src-ingress "port3" "port4"
        set switching-packet enable
        set status active
end

Multiple mirror destination ports (MTPs)

With some FortiSwitch models, you can configure multiple mirror destination ports with the following guidelines and
restrictions:
• Always set the destination port before setting the src-ingress or src-egress ports.
• Any port configured as a src-ingress or src-egress port in one mirror cannot be configured as a destination port in
another mirror.
• The total number of active sessions depends on your configuration.
• For switch models 124D, 124D-POE, 224D-FPOE, 248D, 248D-POE, 248D-FPOE, 224E, 224E-POE, 248E-POE,
248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, and 448D-FPOE:
    ◦ For access control lists, you can use a mirror destination that does not have src-ingress or src-egress
configured or a mirror destination that has src-ingress or src-egress configured.
• For switch models 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E:
    ◦ For access control lists, you can use a mirror destination that does not have src-ingress or src-egress
configured or a mirror destination that has src-ingress or src-egress configured.
• For switch model FSR-112D-POE:
    ◦ You can configure up to seven mirrors, each with a different destination port.
    ◦ Multiple ingress or egress ports can be mirrored to the same destination port.
    ◦ An ingress or egress port cannot be mirrored to more than one destination port.
These restrictions apply to active mirrors. If you try to activate an invalid mirror configuration, the system displays the
following error message:

Hardware active mirror session limit reached. Please deactivate or delete another active session to make room.
The following example configuration is valid for FortiSwitch-3032D. This configuration includes three ingress ports, one
egress port, and four destination ports. The port3 ingress and egress ports are mirrored to multiple destinations.
config switch mirror
edit "m1"
set mode SPAN
set dst "port16"
set status active
set src-ingress "port3" "port5" "port7"
next
edit "m2"
set mode SPAN
set dst "port22"
set status active
set src-ingress "port3" "port5"
next
edit "m3"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port3"
next
edit "m4"
set mode SPAN
set dst "port2"
set status active
set src-egress "port3"
end

The following example configuration includes three ingress ports, three egress ports and four destination ports. Each
ingress and egress port is mirrored to only one destination port.
config switch mirror
edit "m1"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port2" "port7"
next
edit "m2"
set mode SPAN
set dst "port5"
set status active
set src-ingress "port2"
next
edit "m3"
set mode SPAN
set dst "port3"
set status active
set src-ingress "port6"
next
edit "m4"
set mode SPAN
set dst "port4"
set status active
set src-egress "port6" "port8"
end
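The guidelines above can be checked before a configuration is pushed. The following script is an added example, not FortiSwitchOS code: it parses a config switch mirror block and applies the FSR-112D-POE rules (up to seven mirrors with distinct destinations, one destination per source port) together with the two general rules (destination set before sources, a source port never a destination elsewhere). Its inputs are an abridged copy of the 3032D example above and a second configuration constructed for the script.

```python
"""Added example (not FortiSwitchOS code): parse a 'config switch mirror' block and check
it against the multiple-destination-port guidelines. Both sample configurations below
are constructed for this script (the first abridges the 3032D example from the guide)."""
import shlex
from collections import defaultdict


def parse_mirrors(cli_text):
    """Parse 'config switch mirror ... end' text into a list of session dicts."""
    sessions, cur = [], None
    for raw in cli_text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if not tokens:
            continue
        if tokens[0] == "edit":
            cur = {"name": tokens[1], "dst": None, "status": "inactive",
                   "src-ingress": [], "src-egress": [], "dst_first": True}
            sessions.append(cur)
        elif tokens[0] == "set" and cur is not None:
            key, values = tokens[1], tokens[2:]
            if key in ("src-ingress", "src-egress"):
                cur[key] = values
                if cur["dst"] is None:  # guideline: set the destination port first
                    cur["dst_first"] = False
            elif key in ("dst", "status"):
                cur[key] = values[0]
    return sessions


def check_mirrors(sessions, max_sessions=7, single_destination=True):
    """Return guideline violations (empty list = acceptable). The defaults model the
    FSR-112D-POE rules: up to seven mirrors, each source mirrored to one destination."""
    problems = [f"{s['name']}: source ports were set before the destination port"
                for s in sessions if not s["dst_first"]]
    active = [s for s in sessions if s["status"] == "active" and s["dst"]]
    if len(active) > max_sessions:
        problems.append(f"{len(active)} active mirrors exceed the limit of {max_sessions}")
    dst_count = defaultdict(int)
    for s in active:
        dst_count[s["dst"]] += 1
    problems += [f"destination {d} is shared by {n} active mirrors"
                 for d, n in sorted(dst_count.items()) if n > 1]
    targets = defaultdict(set)  # (direction, port) -> destinations it is mirrored to
    for s in active:
        for direction in ("src-ingress", "src-egress"):
            for port in s[direction]:
                if port in dst_count:  # a source port cannot be another mirror's destination
                    problems.append(f"{s['name']}: {port} is both a source and a destination")
                targets[(direction, port)].add(s["dst"])
    if single_destination:
        problems += [f"{direction} {port} is mirrored to {len(d)} destinations: " + ", ".join(sorted(d))
                     for (direction, port), d in sorted(targets.items()) if len(d) > 1]
    return problems


# Abridged 3032D example: port3 ingress is mirrored to three destinations.
EXAMPLE_3032D = """
config switch mirror
    edit "m1"
        set dst "port16"
        set status active
        set src-ingress "port3" "port5" "port7"
    next
    edit "m2"
        set dst "port22"
        set status active
        set src-ingress "port3" "port5"
    next
    edit "m3"
        set dst "port1"
        set status active
        set src-ingress "port3"
    next
    edit "m4"
        set dst "port2"
        set status active
        set src-egress "port3"
end
"""

# Constructed: m1 sets its source before its destination, and its source port3 is m2's
# destination port.
BAD_ORDER = """
config switch mirror
    edit "m1"
        set src-ingress "port3"
        set dst "port1"
        set status active
    next
    edit "m2"
        set dst "port3"
        set status active
        set src-ingress "port4"
end
"""

if __name__ == "__main__":
    print("3032D rules:", check_mirrors(parse_mirrors(EXAMPLE_3032D), single_destination=False))
    print("FSR-112D-POE rules:", check_mirrors(parse_mirrors(EXAMPLE_3032D)))
    print("constructed:", check_mirrors(parse_mirrors(BAD_ORDER)))
```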

Configuring an RSPAN mirror

NOTE: RSPAN traffic crossing a switch on a VLAN configured with “RSPAN-VLAN” enabled will appear as unknown
unicast, multicast, or broadcast traffic. This traffic is not exempt from storm control and might be rate limited as a result.
To avoid this issue, you can dedicate a port or ports to RSPAN and then disable storm control on those ports. Non-RSPAN
VLANs can be used on those ports as well, but they will not be protected by storm control.

Using the GUI:

1. Go to Switch > Mirror.
2. Select Add Port Mirror.
3. Enter a name for the mirror.
4. Select Enabled to make the mirror active.
5. Select a destination interface.
NOTE: The destination interface cannot be part of a trunk.
6. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
7. Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this
option if you connect a laptop to the switch and you are running a packet sniffer along with the management
GUI on the laptop.
8. Select RSPAN for the mode.
9. In the VLAN ID field, enter the VLAN identifier for the RSPAN VLAN header.
10. In the TPID field, enter the tag protocol identifier (TPID) for the encapsulating VLAN header.
The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.
11. In the Priority field, enter the class of service (CoS) bits in the RSPAN VLAN header.
NOTE: This option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D,
448D-POE, and 448D-FPOE models.
12. In the CFI/DEI field, enter the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the RSPAN
VLAN header.
NOTE: This option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D,
448D-POE, and 448D-FPOE models.
13. Select Create to create the mirror.

Using the CLI:

config switch mirror
edit <mirror session name>
set mode RSPAN
set dst <interface>
set switching-packet {enable | disable}
set src-ingress <interface_name>
set src-egress <interface_name>
set encap-vlan-tpid <0x0001-0xfffe>
set encap-vlan-priority <0-7>
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set status active
end

Configuring an ERSPAN auto mirror

For an ERSPAN auto mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN
encapsulation. The header contents are automatically configured; you only need to specify the ERSPAN collector
address.

Using the GUI:

1. Go to Switch > Mirror.
2. Select Add Port Mirror.
3. Enter a name for the mirror.
4. Select Enabled to make the mirror active.
5. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
6. Select ERSPAN Auto for the mode.
7. Enable Strip VLAN Tags from Mirrored Traffic if you want to remove VLAN tags from mirrored traffic.
8. In the Collector IP field, enter the IP address for the ERSPAN collector.
9. In the IPv4 TTL field, enter the IPv4 time-to-live (TTL) value in the ERSPAN IP header.
10. In the IPv4 TOS field, enter the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP
header.
11. In the GRE Protocol field, enter the protocol value in the ERSPAN GRE header.
12. In the TPID field, enter the TPID for the encapsulating VLAN header.
The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.
13. In the Priority field, enter the CoS bits in the ERSPAN VLAN header.
14. In the CFI/DEI field, enter the CFI or DEI bit in the ERSPAN VLAN header.
15. Select Create to create the mirror.

Using the CLI:

config switch mirror
edit <mirror session name>
set mode ERSPAN-auto
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-vlan-cfi <0-1>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
set erspan-collector-ip <0.0.0.1-255.255.255.255>
set src-egress <interface_name>
set src-ingress <interface_name>
set strip-mirrored-traffic-tags {disable | enable}
set status active
end

Configuring an ERSPAN manual mirror

For an ERSPAN manual mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN
encapsulation. You need to manually configure the header contents with layer-2 and layer-3 addresses.

Using the GUI:

1. Go to Switch > Mirror.
2. Select Add Port Mirror.
3. Enter a name for the mirror.
4. Select Enabled to make the mirror active.
5. Select a destination interface.
NOTE: The destination interface cannot be part of a trunk.
6. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
7. Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this
option if you connect a laptop to the switch and you are running a packet sniffer along with the management
GUI on the laptop.
8. Select ERSPAN Manual for the mode.
9. Enable Strip VLAN Tags from Mirrored Traffic if you want to remove VLAN tags from mirrored traffic.
10. Select Add ERSPAN Headers if you want to add the VLAN header to the encapsulated traffic.
11. In the Collector IP field, enter the IP address for the ERSPAN collector.
12. In the IPv4 Source Address field, enter the IPv4 source address in the ERSPAN IP header.
13. In the IPv4 TTL field, enter the IPv4 TTL value in the ERSPAN IP header.
14. In the IPv4 TOS field, enter the ToS value or enter the DSCP and ECN values in the ERSPAN IP header.
15. In the GRE Protocol field, enter the protocol value in the ERSPAN GRE header.
16. In the VLAN ID field, enter the VLAN identifier in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
17. In the TPID field, enter the TPID for the encapsulating VLAN header.
This field is available only if Add ERSPAN Headers is selected.
18. In the Priority field, enter the CoS bits in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
19. In the CFI/DEI field, enter the CFI or DEI bit in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
20. In the Source MAC Address field, enter the source MAC address in the ERSPAN Ethernet header.
This field is available only if Add ERSPAN Headers is selected.
21. In the Destination MAC Address field, enter the MAC address of the next-hop or gateway on the path to the
ERSPAN collector IP address.
This field is available only if Add ERSPAN Headers is selected.
22. Select Create to create the mirror.

Using the CLI:

config switch mirror
edit <mirror session name>
set mode ERSPAN-manual
set dst <interface>
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-src <IPv4_address>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-mac-dst <MAC_address>
set encap-mac-src <MAC_address>
set encap-vlan {tagged | untagged}
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
set erspan-collector-ip <IPv4_address>
set src-egress <interface_name>
set src-ingress <interface_name>
set strip-mirrored-traffic-tags {disable | enable}
set switching-packet {enable | disable}
set status active
end

Access control lists

You can use access control lists (ACLs) to configure policies for three different stages in the pipeline:
l Ingress stage for incoming traffic
l Prelookup stage for processing traffic
l Egress stage for outgoing traffic
This chapter covers the following topics:
l ACL policy attributes on page 153
l Configuring an ACL policy on page 154
l Configuration examples on page 161

NOTES

l Before FortiSwitchOS 6.0.0, you used the config switch acl policy command to configure ACL policies
only for the ingress stage. In FortiSwitchOS 6.0.0 and later, the config switch acl command has changed to
specify which stage is being configured. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress
ACLs.
l The FS-1024D and FS-524D-FPOE models do not support all action options on the ingress policy.
l There are some limitations for ACL configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
o The layer-4 port range is limited and might not be available in FortiSwitchOS 6.4.0.

o For the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-124E, FS-124E-FPOE, and FS-124E-POE models, 256
counters are supported for the ingress stage.
o For the FS-448E, FS-448E-FPOE, and FS-448E-POE models, 504 counters are supported only for the
prelookup stage.
o If a classifier was created with only layer-2 fields, layer-3 fields cannot be added later. If a classifier was
created with only layer-3 fields, layer-2 fields cannot be added later.
o You cannot use both drop and redirect actions in the same ACL policy.

o ACL configuration is not supported in FortiLink mode.

o Only the ingress policy can be configured.

l The set redirect command works differently for the following switch models:
o For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and
FS-148E-POE models, the egress VLAN membership is not necessary.
o For the FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models, the
egress VLAN membership is necessary.

ACL policy attributes

Key attributes of a policy include:
l Interface. The interface(s) on which traffic arrives at the switch. The interface can be a port, a trunk, or all
interfaces. The policy applies to ingress traffic only (not egress traffic).
l Classifier. The classifier identifies the packets that the policy will act on. Each packet can be classified based on
one or more criteria. Criteria include source and destination MAC address, VLAN ID, source and destination
IP address, or service (layer-4 protocol ID and port number).
l Marking. Marking sets bits in the packet header to indicate the priority of the packet.
l Actions. If a packet matches the classifier criteria for a given ACL, the following types of action may be applied to
the packet:
o allow or block the packet
o redirect the packet
o mirror the packet to another port, interface, or trunk
o police the traffic
o CoS queue assignment
o outer VLAN tag assignment
o egress mask to filter packets
o specify a schedule when the ACL policy will be applied
o make the ACL policy active or inactive

The switch uses specialized TCAM memory to perform ACL matching.
NOTE: Each model of the FortiSwitch unit provides different ACL-related capabilities. When you configure the
ACL policy, the system will reject the request if the hardware cannot support it.

Configuring an ACL policy

You can configure ACL policies for each stage: ingress, egress, and prelookup.
NOTE: The order of the classifiers provided during group creation (or during an ACL update in a group when new
classifiers are added) matters. Hardware resources are allocated as best fit at the time of creation, which can cause
some fragmentation and segmentation of hardware resources because not all classifiers are available at all times.
Because the availability of classifiers is order dependent, some allocations succeed or fail at different times. Rebooting
the switch or running the execute acl key-compaction <acl-stage> <group-id> command can help
reduce the classifier resource fragmentation.

Creating an ACL ingress policy

Using the GUI:

1. Go to Switch > ACL > Ingress.
2. Select Add Ingress Policy.
3. Required. In the ID field, enter a unique number to identify this policy.
4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
5. Required. Select which interfaces the policy applies to or select the All Interface checkbox.
6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4 on page 163.
7. In the Description field, enter a description or other information about the policy. The description is limited to 63
characters.
8. Configure the classifier.
a. Enter the VLAN identifier to be matched.
b. Enter the 802.1Q class of service (CoS) value to match.
c. Enter the DSCP value to match.
d. Enter the Ethernet type to be matched.
e. Select the service type to be matched.
f. Enter the source MAC address to be matched.
g. Enter the destination MAC address to be matched.
h. Enter the source IP address and subnet mask to be matched.
i. Enter the destination IP address and subnet mask to be matched.
9. Configure the action.
a. Select the Count checkbox if you want to track the number of matching packets.
b. Select the Drop checkbox if you want to drop matching packets.
c. Select the Redirect Broadcast CPU checkbox if you want to redirect broadcast traffic to all ports including the
CPU.
d. Select the Redirect Broadcast No CPU checkbox if you want to redirect broadcast traffic to all ports excluding
the CPU.
e. In the CPU COS Queue field, enter the CPU CoS queue number. This CoS queue is only used if the packets
reach the CPU.
f. In the COS Queue field, enter the CoS queue number.
g. In the Remark COS field, enter the CoS marking value.
h. In the Outer VLAN Tag field, enter the outer VLAN tag.
i. In the Remark DSCP field, enter the DSCP marking value.
j. Select Egress Mask to configure which physical ports are included in the egress mask or select Redirect
Physical Port to redirect packets to the selected physical ports.
k. Select the physical ports to include in the egress mask or to redirect packets to.
l. Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer on page
159.
m. Select which redirect interface to use from the Redirect Interface drop-down list.
n. Select the name of the mirror to use to collect packets for analysis.
10. Select OK to save the ingress policy.

Using the CLI:

config switch acl ingress
edit <policy_ID>
set description <string>
set group <group_ID>
set ingress-interface <port_name>
set ingress-interface-all {enable | disable}
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0 - 7>
set count {enable | disable}
set cpu-cos-queue <integer>
set drop {enable | disable}
set egress-mask {<physical_port_name> | internal}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set redirect-bcast-cpu {enable | disable}
set redirect-bcast-no-cpu {enable | disable}
set redirect-physical-port <list of physical ports to redirect>
set remark-cos <0-7>
set remark-dscp <0-63>
end
end

Creating an ACL egress policy

Using the GUI:

1. Go to Switch > ACL > Egress.
2. Select Add Egress Policy.
3. Required. In the ID field, enter a unique number to identify this policy.
4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
5. Select which interface the policy applies to.
6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4 on page 163.
7. In the Description field, enter a description or other information about the policy. The description is limited to 63
characters.
8. Configure the classifier.
a. Enter the VLAN identifier to be matched.
b. Enter the 802.1Q class of service (CoS) value to match.
c. Enter the DSCP value to match.
d. Enter the Ethernet type to be matched.
e. Select the service type to be matched.
f. Enter the source MAC address to be matched.
g. Enter the destination MAC address to be matched.
h. Enter the source IP address and subnet mask to be matched.
i. Enter the destination IP address and subnet mask to be matched.
9. Configure the action.
a. Select the Count checkbox if you want to track the number of matching packets.
b. Select the Drop checkbox if you want to drop matching packets.
c. In the Outer VLAN Tag field, enter the outer VLAN tag.
d. In the Remark DSCP field, enter the DSCP marking value.
e. Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer on page
159.
f. Select which redirect interface to use from the Redirect Interface drop-down list.
g. Select the name of the mirror to use to collect packets for analysis.
10. Select OK to save the egress policy.

Using the CLI:

config switch acl egress
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set count {enable | disable}
set drop {enable | disable}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set remark-dscp <0-63>
end
end

Creating an ACL prelookup policy

Using the GUI:

1. Go to Switch > ACL > Prelookup.
2. Select Add Prelookup Policy.
3. Required. In the ID field, enter a unique number to identify this policy.
4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
5. Select which interface the policy applies to.
6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4 on page 163.
7. In the Description field, enter a description or other information about the policy. The description is limited to 63
characters.
8. Configure the classifier.
a. Enter the VLAN identifier to be matched.
b. Enter the 802.1Q class of service (CoS) value to match.
c. Enter the DSCP value to match.
d. Enter the Ethernet type to be matched.
e. Select the service type to be matched.
f. Enter the source MAC address to be matched.
g. Enter the destination MAC address to be matched.
h. Enter the source IP address and subnet mask to be matched.
i. Enter the destination IP address and subnet mask to be matched.
9. Configure the action.
a. Select the Count checkbox if you want to track the number of matching packets.
b. Select the Drop checkbox if you want to drop matching packets.
c. In the Outer VLAN Tag field, enter the outer VLAN tag.
d. In the COS Queue field, enter the CoS queue number.
e. In the Remark COS field, enter the CoS marking value.
10. Select OK to save the prelookup policy.

Using the CLI:

config switch acl prelookup
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set src-mac <MAC_address>
set dst-mac <MAC_address>
set ether-type <integer>
set src-ip-prefix <IP_address> <mask>
set dst-ip-prefix <IP_address> <mask>
set service <service_ID>
set vlan-id <VLAN_ID>
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set cos-queue <0-7>
set count {enable | disable}
set drop {enable | disable}
set outer-vlan-tag <integer>
set remark-cos <0-7>
end
end

Creating or customizing a service

Optionally, you can create or customize a service. When you create an ACL policy (ingress, egress, or prelookup), you
select the service to use with the set service <service_ID> command under config classifier.

The FortiSwitch unit provides a set of pre-configured services that you can use. Use the following command to list the
services:
show switch acl service custom

To create or customize a service:

config switch acl service custom
edit <service name>
set comment <string>
set color <0-32>
set protocol {ICMP | IP | TCP/UDP/SCTP}
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end

Creating a policer

Optionally, you can create a policer if you are defining ACLs to police different types of traffic. When you create an ACL
policy (ingress or egress), you select the policer to use with the set policer <policer> command under config
action.

Using the GUI:

1. Go to Switch > ACL > Policer.
2. Select Add Policer.
3. Required. In the ID field, enter a unique number to identify this policer.
4. In the Type drop-down list, select whether the policer is for egress or ingress policies.
5. In the Guaranteed Bandwidth field, enter the amount of bandwidth guaranteed (in Kbits/second) to be available for
traffic controlled by the policy.
6. In the Guaranteed Burst field, enter the guaranteed burst size in bytes.
7. In the Maximum Burst field, enter the maximum burst size in bytes.
8. In the Description field, enter a description of the policer.
9. Select OK to save the policer.

Using the CLI:

config switch acl policer
edit <1-2048>
set description <string>
set guaranteed-bandwidth <bandwidth_value>
set guaranteed-burst <in_bytes>
set maximum-burst <in_bytes>
set type {egress | ingress}
end

Each policy is automatically assigned a unique policy ID. To view it, use the get switch acl
{egress | ingress | prelookup} command.

Viewing counters

NOTE: On the 4xxE platforms, the ACL byte counters for the prelookup stage are not available (they will always show
as 0 on the CLI). The packet counters are available.
You can use the GUI and CLI to view the counters associated with the ingress, egress, and prelookup policies.

Using the GUI:

Go to Switch > Monitor > ACL Counters.

Using the CLI:

get switch acl counters {all | egress | ingress | prelookup}

For example:
S524DF4K15000024 # get switch acl counters ingress
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41

Clearing counters

You can use the GUI or CLI to clear the counters associated with all policies or the counters associated with just ingress,
egress, or prelookup policies.

Using the GUI:

1. Go to Switch > Monitor > ACL Counters.
2. Select Ingress, Egress, Prelookup, or All to clear those counters.

Using the CLI:

execute acl clear-counter {all | egress | ingress | prelookup}

Clearing unused classifiers

Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress,
prelookup, or all policies for a particular group:

execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>

NOTE: This command currently only works on the ingress policy.

Configuration examples

Example 1

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed
to all other destinations:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status active
end

Example 2

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. The SMB protocol
uses TCP port 445:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface-all disable
set ingress-interface "port1"
set status active
config action
set count enable
set mirror mirror-1
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end

Example 3

The FortiSwitch unit can map different flows (for example, based on source and destination IP addresses) to specific
outgoing ports.
In the following example, flows are redirected (based on destination IP) to different outgoing ports, connected to
separate FortiDDoS appliances. This allows you to apply different FortiDDoS service profiles to different types of
traffic:
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
config action
set count enable
set redirect "port3" # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror13"
set ingress-interface "port1"
set status active
next
edit 2
config action # apply policy to port 3 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 100.100.100.0 255.255.255.0
end
set description "cnt_n_mirror31"
set ingress-interface-all disable
set ingress-interface "port3"
set status inactive
next
end

config switch acl ingress # apply policy to port 1 ingress and send to port 4
edit 3
config action
set count enable
set redirect "port4" # use redirect to shift selected traffic to new destination
end
config classifier
set dst-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror14"
set ingress-interface "port1"
set status active
next
edit 4
config action # apply policy to port 4 ingress and send to port 1
set count enable
set redirect "port1"
end
config classifier
set src-ip-prefix 20.20.20.0 255.255.255.0
end
set description "cnt_n_mirror41"
set ingress-interface "port4"
set status inactive
next
end

Example 4

In the following example, a recurring schedule is created and then used to control when the ACL policy is active:
config system schedule recurring
edit schedule2
set day monday tuesday wednesday thursday friday saturday sunday
set start 07:00
set end 17:00
end
config switch acl ingress
edit 1
config action
set remark-cos 1
set remark-dscp 23
end
config classifier
set src-mac 00:21:cc:d2:76:72
set dst-mac d6:dd:25:be:2c:43
end
set ingress-interface-all enable
set schedule schedule2
set status active
next
end
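The following Python model is an added example, not FortiSwitchOS code. It implements the classifier matching that Example 1 and Example 2 rely on (VLAN ID, IP prefix with a dotted mask, and a custom service using the tcp-portrange syntax from Creating or customizing a service), runs both policies over constructed packets, and keeps the per-policy counters that get switch acl counters ingress reports. Precedence between overlapping policies is decided by the hardware and is not modelled.

```python
"""Added example (not FortiSwitchOS code): a software model of the ACL ingress stage.
The two policies reproduce Example 1 and Example 2 above; the packets are constructed."""
import ipaddress


def parse_portrange(spec):
    """Parse '<dstlow>[-<dsthigh>[:<srclow>-<srchigh>]]', the form used by the
    tcp/udp/sctp-portrange settings, into ((dstlow, dsthigh), (srclow, srchigh))."""
    dst_part, _, src_part = spec.partition(":")

    def span(part):
        lo, _, hi = part.partition("-")
        return int(lo), int(hi or lo)

    return span(dst_part), (span(src_part) if src_part else (0, 65535))


# 'config switch acl service custom' entries: name -> (protocol, portrange)
SERVICES = {"SMB": ("TCP", "445")}


def service_matches(name, pkt):
    protocol, portrange = SERVICES[name]
    if pkt["proto"] != protocol:
        return False
    (dlo, dhi), (slo, shi) = parse_portrange(portrange)
    return dlo <= pkt["dport"] <= dhi and slo <= pkt["sport"] <= shi


def in_prefix(addr, prefix, mask):
    """src-ip-prefix / dst-ip-prefix take an address and a dotted mask."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{prefix}/{mask}", strict=False)


def classifier_matches(cls, pkt):
    """Every configured classifier field must match; unset fields match anything."""
    if "vlan-id" in cls and pkt["vlan"] != cls["vlan-id"]:
        return False
    if "src-ip-prefix" in cls and not in_prefix(pkt["src_ip"], *cls["src-ip-prefix"]):
        return False
    if "dst-ip-prefix" in cls and not in_prefix(pkt["dst_ip"], *cls["dst-ip-prefix"]):
        return False
    if "service" in cls and not service_matches(cls["service"], pkt):
        return False
    return True


POLICIES = [
    # Example 1: block VLAN 3 traffic to 10.10.0.0/16 on every interface, count hits
    {"id": 1, "status": "active", "ingress-interface-all": True,
     "classifier": {"vlan-id": 3, "dst-ip-prefix": ("10.10.0.0", "255.255.0.0")},
     "action": {"count": True, "drop": True}},
    # Example 2: mirror SMB from 20.20.20.100 to 100.100.100.0/24 arriving on port1
    {"id": 2, "status": "active", "ingress-interface": ["port1"],
     "classifier": {"service": "SMB",
                    "src-ip-prefix": ("20.20.20.100", "255.255.255.255"),
                    "dst-ip-prefix": ("100.100.100.0", "255.255.255.0")},
     "action": {"count": True, "mirror": "mirror-1"}},
]


def evaluate(policies, pkt, counters):
    """Return the IDs of active policies whose interface and classifier match the packet
    and bump their counters. Precedence between several matching policies is decided
    by the hardware and is not modelled here."""
    hits = []
    for pol in policies:
        if pol["status"] != "active":
            continue
        if not pol.get("ingress-interface-all") and pkt["port"] not in pol.get("ingress-interface", []):
            continue
        if classifier_matches(pol["classifier"], pkt):
            if pol["action"].get("count"):
                counters[pol["id"]] = counters.get(pol["id"], 0) + 1
            hits.append(pol["id"])
    return hits


# Constructed packets: name -> the fields the classifiers look at
PACKETS = {
    "vlan3_to_10.10": {"port": "port5", "vlan": 3, "proto": "TCP", "src_ip": "192.0.2.10",
                       "dst_ip": "10.10.5.5", "sport": 40000, "dport": 443},
    "vlan3_elsewhere": {"port": "port5", "vlan": 3, "proto": "TCP", "src_ip": "192.0.2.10",
                        "dst_ip": "10.11.0.1", "sport": 40000, "dport": 443},
    "smb_on_port1": {"port": "port1", "vlan": 10, "proto": "TCP", "src_ip": "20.20.20.100",
                     "dst_ip": "100.100.100.7", "sport": 51000, "dport": 445},
    "smb_on_port2": {"port": "port2", "vlan": 10, "proto": "TCP", "src_ip": "20.20.20.100",
                     "dst_ip": "100.100.100.7", "sport": 51000, "dport": 445},
    "udp445_on_port1": {"port": "port1", "vlan": 10, "proto": "UDP", "src_ip": "20.20.20.100",
                        "dst_ip": "100.100.100.7", "sport": 51000, "dport": 445},
}


def run_packets(policies=POLICIES, packets=PACKETS):
    """Evaluate every packet; return ({name: matching IDs}, {policy ID: count})."""
    counters, results = {}, {}
    for name, pkt in packets.items():
        results[name] = evaluate(policies, pkt, counters)
    return results, counters


if __name__ == "__main__":
    results, counters = run_packets()
    for name, ids in results.items():
        print(f"{name:18} -> policies {ids or 'none'}")
    print("counters:", counters)  # the values 'get switch acl counters ingress' would show
```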

Storm control

Storm control protects a LAN from disruption by traffic storms, which stem from mistakes in network configuration or
denial-of-service attacks. A traffic storm, which can consist of broadcast, multicast, or unicast traffic, creates excessive
traffic on the LAN and degrades network performance.
By default, storm control is disabled on a FortiSwitch unit. When enabled, it measures the data rate (in packets per
second) for unknown unicast, unknown multicast, and broadcast traffic. You can enable and disable storm control for
each of these traffic types individually. If the traffic rate for any of the types exceeds the configured threshold, the
FortiSwitch unit drops the excess traffic.
By default, storm control configuration is global. Starting in FortiSwitchOS 6.2.0, you can configure storm control on a
port level.
Starting in FortiSwitchOS 6.4.3, you can configure the maximum burst size allowed by storm control. Using the CLI, you
can select the burst-size level from 0 to 4, with the highest number allowing the largest maximum burst size. The
maximum number of packets or bytes allowed for each burst-size level depends on the switch model.
NOTE: The burst-size level cannot be controlled on a port level for the FS-108E, FS-108E-POE, FS-108E-FPOE,
FS-124E, FS-124E-POE, and FS-124E-FPOE models.
This chapter covers the following topics:
l Configuring system-wide storm control on page 164
l Configuring port-level storm control on page 165
l Displaying the storm-control configuration on page 165

Configuring system-wide storm control

If you set the rate to zero, the system drops all packets (for the enabled traffic types).

Using the GUI:

1. Go to Switch > Storm Control.
2. Select Restrict Traffic.
3. Select Broadcast, Unknown Unicast, and Unknown Multicast as required.
4. Select the action to take, either Drop Packets or Rate Limit.
5. If you selected Rate Limit, enter the number of packets per second.
6. Select Update to save the changes.

Using the CLI:

config switch storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-unicast {enable | disable}
set unknown-mcast {enable | disable}
end

Configuring port-level storm control

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select a port and then select Edit.
3. In the Storm Control area, select Configure Manually.
4. Select one or more of the packet types: Broadcast, Unknown Multicast, and Unknown Unicast.
5. Select the action to take, either Drop Packets or Rate Limit.
6. If you selected Rate Limit, enter the number of packets per second.
7. Select Update to save the changes.

Using the CLI:

config switch physical-port
edit <port_name>
set storm-control-mode override
config storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-multicast {enable | disable}
set unknown-unicast {enable | disable}
end
end

Displaying the storm-control configuration

Use the following command to display the system-wide storm-control configuration:
get switch storm-control

DHCP snooping

The DHCP-snooping feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and
unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP snooping filters
messages on untrusted ports by performing the following activities:
l Validating DHCP messages received from untrusted sources and filtering out invalid messages. For example, a
request to decline a DHCP offer or release a lease is ignored if the request is from a different interface than the
one that created the entry.
l Building and maintaining a DHCP snooping binding database, which contains information about untrusted hosts
with leased IP addresses.
Other security features like dynamic ARP inspection (DAI), a security feature that rejects invalid and malicious ARP
packets, also use information stored in the DHCP-snooping binding database.
In the FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You
indicate that a source is trusted by configuring the trust state of its connecting interface.
For additional security, you can specify in the CLI which DHCP servers DHCP snooping includes in the allowed
server list.
This chapter covers the following topics:
l Configuring DHCP snooping on page 166
l Checking the DHCP-snooping configuration on page 170
l Removing an entry from the DHCP-snooping binding database on page 171

Configuring DHCP snooping

DHCP snooping is enabled per VLAN and, by default, DHCP snooping is disabled.
Configuring DHCP snooping consists of the following steps:
1. Set the system-wide DHCP-snooping options.
2. Configure the VLAN settings.
3. Configure the interface settings.

Set the system-wide DHCP-snooping options

Before you use DHCP snooping, you need to enable the trusted DHCP server list.

To set the system-wide DHCP-snooping options:

config system global
    set dhcp-server-access-list {enable | disable}
end

For example:
config system global
set dhcp-server-access-list enable
end

Including option-82 data

You can include option-82 data in the DHCP request. (DHCP option 82 provides additional security by enabling a
controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.) You can select a fixed
format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields.
The following is the fixed format for the option-82 Circuit ID field:
    Circuit-ID: vlan-mod-port
        vlan - [ 2 bytes ]
        mod  - [ 1 byte: Snoop = 1, Relay = 0 ]
        port - [ 1 byte ]
The following is the fixed format for the option-82 Remote ID field:
    Remote-ID: mac [ 6 bytes ]
If you want to select which values appear in the Circuit ID and Remote ID fields:
l For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.
l For the Remote ID field, you can include the host name, IP address, and MAC address.

To configure the option-82 data:

config system global
    set dhcp-option-format {ascii | legacy}
    set dhcp-client-location {description | hostname | intfname | mode | vlan}
    set dhcp-remote-id {hostname | ip | mac}
end
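The fixed-format Circuit ID and Remote ID described above can be packed and parsed as RFC 3046 relay-agent suboptions. The following Python example is added here and is not FortiSwitchOS code; it assumes the two-byte VLAN field is in network byte order (the guide does not state the byte order) and that the Remote ID carries whatever six-byte MAC the switch inserts.

```python
import struct
from dataclasses import dataclass

# Added example, not FortiSwitchOS code. It packs and parses the fixed-format
# option-82 fields from this section (Circuit-ID: vlan-mod-port, Remote-ID: mac)
# as RFC 3046 relay-agent suboptions. Assumption: the 2-byte VLAN field uses
# network byte order; the guide does not say which order is used.
OPTION_RELAY_AGENT_INFO = 82   # DHCP option code (RFC 3046)
SUBOPT_CIRCUIT_ID = 1          # agent circuit ID suboption
SUBOPT_REMOTE_ID = 2           # agent remote ID suboption
MODE_RELAY = 0                 # "mod" byte: inserted by a DHCP relay
MODE_SNOOP = 1                 # "mod" byte: inserted by DHCP snooping


@dataclass(frozen=True)
class Option82:
    vlan: int
    mode: int
    port: int
    mac: bytes

    def mac_str(self) -> str:
        return ":".join(f"{b:02x}" for b in self.mac)


def build_option82(vlan: int, mode: int, port: int, mac: bytes) -> bytes:
    """Return the complete option 82 (code, length, suboptions) in fixed format."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN out of range")
    if mode not in (MODE_RELAY, MODE_SNOOP):
        raise ValueError("mode must be 0 (relay) or 1 (snoop)")
    if not 0 <= port <= 255:
        raise ValueError("port must fit in one byte")
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    circuit_id = struct.pack("!HBB", vlan, mode, port)   # 2 + 1 + 1 bytes
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(mac)]) + mac)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(data: bytes) -> Option82:
    """Parse a fixed-format option 82; reject anything truncated or malformed."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option-82 TLV")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option length exceeds available bytes")
    subopts = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated suboption value")
        if code in subopts:
            raise ValueError("duplicate suboption")
        subopts[code] = value
        i += 2 + length
    circuit_id = subopts.get(SUBOPT_CIRCUIT_ID)
    remote_id = subopts.get(SUBOPT_REMOTE_ID)
    if circuit_id is None or len(circuit_id) != 4:
        raise ValueError("Circuit ID is not the 4-byte vlan-mod-port format")
    if remote_id is None or len(remote_id) != 6:
        raise ValueError("Remote ID is not a 6-byte MAC")
    vlan, mode, port = struct.unpack("!HBB", circuit_id)
    if mode not in (MODE_RELAY, MODE_SNOOP):
        raise ValueError("unknown mode byte")
    return Option82(vlan, mode, port, remote_id)


if __name__ == "__main__":
    # Constructed sample: VLAN 10, inserted by snooping, port 5, a made-up MAC.
    raw = build_option82(10, MODE_SNOOP, 5, bytes.fromhex("08002713165a"))
    print(raw.hex())
    print(parse_option82(raw))
```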

Configure the VLAN settings

Using the GUI:

1. Go to Switch > VLAN.
2. Select Add VLAN.
3. Enter the VLAN identifier.
4. Enter a description for the new VLAN.
5. Under DHCP Snooping, select Enable.
6. If needed, select Verify Source MAC, Insert Option 82, and Dynamic ARP Inspection.
7. Under the DHCP Server Whitelist, select + to add the name and IP address of an approved DHCP server.
8. In the Members by MAC Address section, select Add to add a MAC address.
9. In the Members by IP Address section, select Add to add an IPv4 address and netmask.
10. To save your changes, select Add at the bottom of the page.

Using the CLI:

config switch vlan
    edit <vlan-id>
        set dhcp-snooping enable
        set dhcp-snooping-verify-mac {enable | disable}
        set dhcp-snooping-option82 {enable | disable}
        set dhcp6-snooping enable
        config member-by-mac
            edit <id>
                set mac XX:XX:XX:XX:XX:XX
                set description <128-byte string>
            next
        end
        config member-by-ipv4
            edit <id>
                set address a.b.c.d/e
                set description <128-byte string>
            next
        end
        config dhcp-server-access-list
            edit <string>
                set server-ip <xxx.xxx.xxx.xxx>
                set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
            next
        end
    next
end

NOTE: If you enable dhcp-snooping-verify-mac, the system will verify that the source MAC address in the
DHCP request from an untrusted port matches the client hardware address.
NOTE: If you enable dhcp-snooping-option82, the system inserts option-82 data into the DHCP messages for
this VLAN.
For example, to configure IPv4 DHCP snooping:
config switch vlan
edit 10
set dhcp-snooping enable
config dhcp-server-access-list
edit "list1"
set server-ip 100.1.0.2
next
end
next
end

For example, to configure IPv6 DHCP snooping:
config switch vlan
edit 10
set dhcp6-snooping enable
config dhcp-server-access-list
edit "list1"
set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
next

end
next
end

Configure the interface settings

After you enable DHCP snooping on a VLAN, all interfaces are in an untrusted state by default, and DHCP snooping is
disabled on all untrusted interfaces. You must explicitly configure the trusted interfaces and enable DHCP snooping for
each interface.
In addition, you can set a limit for how many IP addresses are in the DHCP snooping binding database for each
interface by enabling the dhcp-snoop-learning-limit-check and setting the learning-limit. By default,
dhcp-snoop-learning-limit-check is disabled, and the number of entries for an untrusted port is 5. You can
set the number of entries to 0. The maximum number of entries depends on which FortiSwitch unit you are using. For
example:
S548DN4K16000313 # show switch vlan 1
config switch vlan
edit 1
set learning-limit 100
set dhcp-snooping enable
next
end

NOTE: If the FortiSwitch unit has already learned more IP addresses than the dhcp-snoop-learning-limit
before the limit is set, the configuration is rejected because the FortiSwitch unit cannot select which IP addresses
should be kept. If the FortiSwitch unit has learned fewer IP addresses or the same number of IP addresses as the
dhcp-snoop-learning-limit before the limit is set, the configuration is accepted.
NOTE: The per-VLAN learning limit is not supported on dual-chip platforms (448 series).

Using the GUI:

1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select an interface.
3. Select Edit.
4. Select a Trusted or Untrusted interface for DHCP snooping.
5. If you want to accept DHCP messages with option-82 data from an untrusted interface, select the Option-82 Trust
check box.
6. Select OK.

Using the CLI:

config switch {interface | trunk}
    edit <interface-name>
        set native-vlan <VLAN-ID>
        set dhcp-snooping {trusted | untrusted}
        set dhcp-snoop-learning-limit-check {enable | disable}
        set learning-limit <integer>
        set dhcp-snoop-option82-trust {enable | disable}
    next
end

For example:
config switch interface
edit "port5"
set native-vlan 10
set dhcp-snooping untrusted
set dhcp-snoop-learning-limit-check enable
set learning-limit 7
set dhcp-snoop-option82-trust enable
set snmp-index 5
next
end

Set dhcp-snooping to reflect the trust state of the interface. Where DHCP servers are located, you must configure
interfaces as trusted.
If you enable dhcp-snoop-option82-trust, the system accepts DHCP messages with option-82 data from an
untrusted interface.

Checking the DHCP-snooping configuration

Use the following command to view the detailed status of IPv4 and IPv6 DHCP-snooping VLANs and ports:
get switch dhcp-snooping database-summary

An entry in the DHCP snooping binding database that contains an * after the IP address indicates a temporary or
incomplete entry. For example:
08:00:27:13:16:51 2000 100.0.0.159* 10 4 port4

The DHCP server has not acknowledged this entry yet. If the DHCP server does not acknowledge the entry within 10
seconds, the entry is removed from the database. If the DHCP server does acknowledge the entry within 10 seconds,
the entry will be considered “complete” (that is, no * after the IP address), and a proper expiration time is assigned to it.
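To make the binding-database behaviour described in this chapter concrete (untrusted ports only, the per-interface learning limit and its rejection rule, the 10-second acknowledgement window for * entries, and expire-client), here is a small Python model. It is an added example, not FortiSwitchOS code; the SnoopingDB, Binding and Interface names and the caller-supplied timestamps are constructed for the model.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example, not FortiSwitchOS code: a model of the DHCP-snooping binding
# database described in this chapter. Timestamps are plain seconds passed in
# by the caller so the model runs offline without a clock.
ACK_WINDOW = 10.0       # seconds a temporary (*) entry waits for a server ACK


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    created: float
    expires: Optional[float] = None    # None until the DHCP server acknowledges

    @property
    def complete(self) -> bool:
        return self.expires is not None

    def summary(self) -> str:
        # Same convention as the guide: an * marks an unacknowledged entry.
        star = "" if self.complete else "*"
        return f"{self.mac} {self.ip}{star} {self.vlan} {self.port}"


@dataclass
class Interface:
    trusted: bool = False          # all ports are untrusted by default
    limit_check: bool = False      # dhcp-snoop-learning-limit-check default
    learning_limit: int = 5        # default entry count for an untrusted port


class SnoopingDB:
    def __init__(self) -> None:
        self.ports: dict[str, Interface] = {}
        self.entries: dict[tuple[int, str], Binding] = {}   # key: (vlan, mac)

    def count(self, port: str) -> int:
        return sum(1 for b in self.entries.values() if b.port == port)

    def set_learning_limit(self, port: str, limit: int) -> bool:
        """Apply a limit; rejected if more addresses are already learned."""
        if self.count(port) > limit:
            return False   # the switch cannot choose which entries to keep
        intf = self.ports.setdefault(port, Interface())
        intf.limit_check, intf.learning_limit = True, limit
        return True

    def client_request(self, port: str, vlan: int, mac: str, ip: str, now: float) -> bool:
        """Client request seen on a port: add a temporary entry if allowed."""
        intf = self.ports.setdefault(port, Interface())
        if intf.trusted:
            return False           # trusted ports (DHCP servers) are not snooped
        self.expire(now)
        key = (vlan, mac)
        if (key not in self.entries and intf.limit_check
                and self.count(port) >= intf.learning_limit):
            return False           # learning limit reached for this interface
        self.entries[key] = Binding(mac, ip, vlan, port, created=now)
        return True

    def server_ack(self, vlan: int, mac: str, lease: float, now: float) -> bool:
        """Server ACK: the entry becomes complete and gets a real expiration."""
        b = self.entries.get((vlan, mac))
        if b is None:
            return False
        b.expires = now + lease
        return True

    def expire(self, now: float) -> list[tuple[int, str]]:
        """Drop * entries past the ACK window and complete entries past their lease."""
        gone = [k for k, b in self.entries.items()
                if (b.expires is None and now - b.created > ACK_WINDOW)
                or (b.expires is not None and now >= b.expires)]
        for k in gone:
            del self.entries[k]
        return gone

    def expire_client(self, vlan: int, mac: str) -> bool:
        """Equivalent of: execute dhcp-snooping expire-client <vlan> <mac>"""
        return self.entries.pop((vlan, mac), None) is not None
```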

To view the details of the IPv4 and IPv6 DHCP-snooping client and server databases:

get switch dhcp-snooping status

To view the details of the IPv4 DHCP-snooping client database:

l Enter the following CLI command: get switch dhcp-snooping client-db-details
l Go to Switch > Monitor > DHCP Snooping > Clients.

To view the details of the IPv6 DHCP-snooping client database:

l Enter the following CLI command: get switch dhcp-snooping client6-db-details
l Go to Switch > Monitor > DHCP Snooping > Clients.

To view the details of the IPv4 DHCP-snooping server database:

l Enter the following CLI command: get switch dhcp-snooping server-db-details
l Go to Switch > Monitor > DHCP Snooping > Servers.

To view the details of the IPv6 DHCP-snooping server database:

l Enter the following CLI command: get switch dhcp-snooping server6-db-details
l Go to Switch > Monitor > DHCP Snooping > Servers.

If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list
column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not
configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.

Removing an entry from the DHCP-snooping binding database

You can remove an IP address from the DHCP-snooping binding database by specifying the associated VLAN ID and
MAC address:
execute dhcp-snooping expire-client <1-4095> <xx:xx:xx:xx:xx:xx>

For example:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01

IP source guard

IP source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IP source guard allows traffic from the following sources:
l Static entries—IP addresses that have been manually associated with MAC addresses.
l Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IP source guard is disabled. You must enable it on each port that you want protected. If you enable IP source
guard and then disable it, all static and dynamic entries are removed for that interface.
There is a maximum of 2,048 IP source guard entries. When there is a conflict between static entries and dynamic
entries, static entries take precedence over dynamic entries.
The following FortiSwitch models support IP source guard:
FSR-124D, FS-224D-FPOE, FS-248D, FS-2xxE, FS-424D, FS-424D-POE, FS-424D-FPOE, FS-448D, FS-448D-POE,
and FS-448D-FPOE
NOTE: IP source guard does not work with VLAN translation.

Configuring IP source guard

Configuring IP source guard consists of the following steps:
1. Enable IP source guard.
2. Configure IP source guard by binding IPv4 addresses with MAC addresses.
3. Check the IP source-guard entries.
4. Optional. Check the IP source-guard violation log.

1. Enable IP source guard

You must enable IP source guard before you can configure it.

To enable IP source guard:

config switch interface
    edit <port_name>
        set ip-source-guard enable
end

For example:
config switch interface
edit port6
set ip-source-guard enable

end

2. Configure IP source-guard static entries

After you enable IP source guard, you can configure static entries by binding IPv4 addresses with MAC addresses. For
IP source-guard dynamic entries, you need to configure DHCP snooping. See DHCP snooping on page 166.

Using the GUI:

1. Go to Switch > IP Source Guard.
2. Select Configure for the interface that you want to add IP source guard to.
3. In the Description field, add a description of the configuration.
4. Select +.
5. Required. In the Name field, enter a name for the binding entry.
6. Required. In the IP address field, enter the IPv4 address to bind to the MAC address. Masks are not supported.
7. Required. In the MAC address field, enter the MAC address to bind to the IPv4 address.
8. Select Configure to save your configuration.

Using the CLI:

config switch ip-source-guard
    edit <port_name>
        config binding-entry
            edit <id>
                set ip <xxx.xxx.xxx.xxx>
                set mac <XX:XX:XX:XX:XX:XX>
            next
        end
    next
end

For example:
config switch ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20
set mac 00:21:cc:d2:76:72
next
end
next
end

3. Check the IP source-guard entries

After you configure IP source guard, you can check the database entries. Static entries are manually added by the
config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.

Using the GUI:

Go to Switch > Monitor > IP Source Guard.

Using the CLI:

diagnose switch ip-source-guard hardware entry list

4. Check the IP source-guard violation log

If you want to see events that violate the IP source-guard settings, enable the IP source-guard violation log.
The IP source-guard violation log contains a maximum of 128 entries with a maximum of 5 entries per port, even if more
violations have occurred. The maximum values cannot be changed.

To enable the IP source-guard violation log:

config switch global
    set log-source-guard-violations enable
    set source-guard-violation-timer <1-1500 minutes>
end

To display all IP source-guard violations:

get switch ip-source-guard-violations all

To display IP source-guard violations for a specific switch interface:

get switch ip-source-guard-violations interface <interface_name>

To reset all IP source-guard violations:

execute source-guard-violation reset all

To reset IP source-guard violations for a specific switch interface:

execute source-guard-violation reset interface <interface_name>

Dynamic ARP inspection

Dynamic ARP Inspection (DAI) prevents man-in-the-middle attacks and IP address spoofing by checking that packets
from untrusted ports have valid IP-MAC-address binding. To use DAI, you must first enable the DHCP snooping feature
and then enable DAI for each VLAN. See DHCP snooping on page 166.
This chapter covers the following topics:
l Configuring DAI on page 175
l Checking ARP packets on page 176

Configuring DAI

Configuring DAI consists of the following steps:
1. Enable DAI for each VLAN. By default, it is disabled.
2. Enable DAI for the switch interface. By default, all interfaces are in an untrusted state. You must explicitly configure
the trusted interfaces.

Enable DAI for each VLAN

Using the GUI:

1. Go to Switch > VLAN.
2. Select Add VLAN.
3. Enter the VLAN identifier.
4. Enter a description for the new VLAN.
5. Under DHCP Snooping, select Enable.
6. Select Dynamic ARP Inspection.
7. To save your changes, select Add at the bottom of the page.

Using the CLI:

config switch vlan
    edit <vlan-id>
        set arp-inspection {enable | disable}
    next
end

Enable DAI for the switch interface

Using the GUI:

1. Go to Switch > Interface > Physical.
2. Select an interface and select Edit.
3. Enter the VLAN identifier.
4. Enter a description for the new VLAN.
5. Select Untrusted or Trusted for DHCP Snooping.
6. Select OK.

Using the CLI:

config switch interface
    edit <interface-name>
        set arp-inspection-trust <untrusted | trusted>
    next
end

Checking ARP packets

Use the following command to see how many ARP packets have been dropped or forwarded:
#diagnose switch arp-inspection status

vlan 100     arp-request  arp-reply
-----------------------------------
received     0            0
forwarded    0            0
dropped      0            0
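The following Python model, added here and not FortiSwitchOS code, shows how DAI and IP source guard use the snooping binding database: an ARP packet from an untrusted port is forwarded only when its sender IP/MAC/VLAN matches a binding, static IP source-guard entries take precedence over dynamic ones, and the violation log stops at 128 entries overall and 5 per port. The Switch and Binding names and the sample bindings are constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not FortiSwitchOS code: a model of the DAI and IP-source-guard
# decisions described in this guide, driven by a constructed binding table.
# It shows what an untrusted port lets through and how the counters shown by
# "diagnose switch arp-inspection status" and the violation log fill up.
MAX_VIOLATION_LOG = 128     # guide: at most 128 entries overall
MAX_PER_PORT = 5            # guide: at most 5 entries per port


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass
class Switch:
    dynamic: set[Binding] = field(default_factory=set)            # learned by DHCP snooping
    static: dict[str, dict[str, str]] = field(default_factory=dict)  # port -> {ip: mac}
    dai_vlans: set[int] = field(default_factory=set)             # arp-inspection enable
    arp_trusted: set[str] = field(default_factory=set)           # arp-inspection-trust trusted
    ipsg_ports: set[str] = field(default_factory=set)            # ip-source-guard enable
    log_violations: bool = False                                 # log-source-guard-violations
    counters: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    violation_log: list[tuple[str, str, str]] = field(default_factory=list)

    def arp_inspect(self, port: str, vlan: int, kind: str,
                    sender_ip: str, sender_mac: str) -> str:
        """kind is 'arp-request' or 'arp-reply'; returns 'forwarded' or 'dropped'."""
        c = self.counters[vlan]
        c[f"received {kind}"] += 1
        # Trusted ports and VLANs without DAI are not checked; untrusted ports
        # need a matching (vlan, ip, mac, port) binding from DHCP snooping.
        ok = (vlan not in self.dai_vlans or port in self.arp_trusted
              or Binding(vlan, sender_ip, sender_mac, port) in self.dynamic)
        verdict = "forwarded" if ok else "dropped"
        c[f"{verdict} {kind}"] += 1
        return verdict

    def source_guard(self, port: str, src_ip: str, src_mac: str) -> bool:
        """IP source guard on a port: a static entry for the IP wins over dynamic ones."""
        if port not in self.ipsg_ports:
            return True
        static = self.static.get(port, {})
        if src_ip in static:
            allowed = static[src_ip] == src_mac
        else:
            allowed = any(b.port == port and b.ip == src_ip and b.mac == src_mac
                          for b in self.dynamic)
        if not allowed:
            self._log(port, src_ip, src_mac)
        return allowed

    def _log(self, port: str, ip: str, mac: str) -> None:
        # Discarded traffic is only recorded when the violation log is enabled,
        # and the log never grows past its fixed global and per-port caps.
        if not self.log_violations or len(self.violation_log) >= MAX_VIOLATION_LOG:
            return
        if sum(1 for p, _, _ in self.violation_log if p == port) >= MAX_PER_PORT:
            return
        self.violation_log.append((port, ip, mac))

    def status(self, vlan: int) -> dict[str, int]:
        """Per-VLAN counters, in the spirit of 'diagnose switch arp-inspection status'."""
        return dict(self.counters[vlan])
```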

IGMP snooping

The FortiSwitch unit uses the information passed in IGMP messages to optimize the forwarding of IPv4 multicast traffic.
IGMP snooping allows the FortiSwitch unit to passively listen to the Internet Group Management Protocol (IGMP)
network traffic between hosts and routers. The switch uses this information to determine which ports are interested in
receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the LAN by pruning
multicast traffic from links that do not contain a multicast listener.
Essentially, IGMP snooping is a layer-2 optimization for the layer-3 IGMP.
The current version of IGMP is version 3, and the FortiSwitch unit is also compatible with IGMPv1 and IGMPv2.
Starting in FortiSwitchOS 6.4.3, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier
version 2 is configured, the FortiSwitch unit will send IGMP queries version 2 when no external querier is present. When
the IGMP querier version 3 is configured, the FortiSwitch unit will send IGMP queries version 3 when no external querier
is present. The default IGMP querier version is 2.
Here is the basic IGMP snooping operation:
1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
2. The FortiSwitch unit creates an entry in the layer-2 forwarding table (or adds the hostʼs port to an existing entry).
The switch creates one table entry per VLAN per multicast group.
3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request
IGMP reports. The FortiSwitch unit uses the IGMP reports to update the layer-2 forwarding table.
NOTE: If you want to use IGMP snooping with an MCLAG, see Configuring an MCLAG with IGMP snooping on page
121.
This chapter covers the following topics:
l Notes on page 177
l Configuring IGMP snooping on page 179
l Configuring the IGMP querier on page 183
l Configuring mRouter ports on page 184

Notes

l To make well-known multicast packets, such as mDNS, flood to all ports when IGMP snooping is enabled on the
FSR-112D-POE, you need to make the following configuration change.
In 6.2.x through 6.4.2 GA:
    config switch igmp-snooping globals
        set flood-unknown-multicast enable
    end

In 6.4.3 GA and later:
    config switch global
        set flood-unknown-multicast enable
    end

l On the FS-100E series, IGMP snooping can be enabled on a maximum of 6 VLANs.
l Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of
unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the
mRouter ports need to be relearned.
l The IGMP groupʼs source address(es) in the IGMPv3 report are not considered.
l The IGMP snooping entries are added based on multicast group MAC addresses.
l When IGMP snooping is enabled on a VLAN on the FSR-112D-POE model:
o All IPv6 multicast and any non-IP multicast are forwarded to querier ports only instead of getting flooded on
the VLAN. The forwarding of IPv6 to the CPU is unchanged.
o IPv4 reserved multicast is flooded to the VLAN and not forwarded to the CPU, even if the CPU is part of the
VLAN.
o Unregistered IPv4 multicast is forwarded to querier ports only.

If IPv6 multicast and/or non-IP multicast is expected to be forwarded to any ports other than querier ports, the
mcast-snooping-flood-traffic setting can be enabled on the required ports.
l Starting with FortiSwitchOS 6.4.0, when an inter-switch link (ISL) is formed automatically, the
igmp-snooping-flood-reports and mcast-snooping-flood-traffic options are disabled by default.
l Proxy reporting is not supported for IGMPv3.
l Explicit host tracking is not supported.
l Immediate leave for IGMPv3 is not supported.
l IGMP snooping and MLD snooping share the same lookup table. Starting with FortiSwitchOS 6.2.2, the following
snooping table limits apply:

    Platform Series    Snooping Table Limit
    108E and 124E      1022
    112D               895
    200                1022
    400                1022
    500                1022
    1024 and 1048      1022
    3032               1022

NOTE: Until FortiSwitchOS 3.5.1, the table limits were hardware only. The software limit for all platforms was 8192.

Configuring IGMP snooping

Configuring IGMP snooping consists of the following major steps:
1. Configure IGMP snooping on a global level.
2. Optional. Enable IGMP-snooping options on the interfaces.
3. Configure IGMP snooping on the VLANs.

1. Configure IGMP snooping on a global level

By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300
seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled,
and unregistered multicast packets are forwarded only to mRouter ports. If you enable
flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch igmp-snooping globals
    set aging-time <15-3600>
end

config switch global
    set flood-unknown-multicast {enable | disable}
end

For example:
config switch igmp-snooping globals
set aging-time 500
end

config switch global
    set flood-unknown-multicast enable
end

2. Enable IGMP-snooping options on the interfaces

Optional. You can flood IGMP reports and flood multicast traffic on a specified switch interface. By default, these
options are disabled.

Using the GUI:

1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select an interface.
3. Select Edit.
4. In the IGMP Snooping area, select Flood Reports, Flood Traffic, or both if needed.
5. Select OK.

Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan-id>
        set igmp-snooping-flood-reports {enable | disable}
        set mcast-snooping-flood-traffic {enable | disable}
    next
end

For example:
config switch interface
edit port10
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port2
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port4
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port6
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port8
set native-vlan 30
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
end

Use the following command to clear the learned/configured multicast group from an interface:
execute clear switch igmp-snooping

3. Configure IGMP snooping on the VLANs

Enable IGMP snooping on a specified VLAN and configure IGMP static groups. By default, IGMP snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has IGMP snooping enabled. You can
specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static
group. There are two restrictions for IGMP static groups:
l The range of multicast addresses (mcast-addr) from 224.0.0.1 to 224.0.0.255 cannot be used.

l The VLAN must already be assigned as the native VLAN for a switch interface and be included in the range of
allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be
used for IGMP static groups.
Starting in FortiSwitchOS 6.2.0, you can also use the CLI to enable IGMP proxy, which allows the VLAN to send IGMP
reports. After you enable igmp-snooping-proxy on a VLAN, it will start suppressing reports and leave messages.
For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the
FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the
multicast group. The FortiSwitch unit will also reply to generic queries and will send IGMP reports to the upstream
interface.

Using the GUI:

1. Go to Switch > VLAN.


2. Select Add VLAN.
3. In the ID field, enter the VLAN identifier.
4. In the Description field, enter a description for the new VLAN.
5. In the IGMP Snooping area, select Enable.
6. Optionally, select IGMP Proxy.
7. In the IGMP Static Groups area, select + to add an IGMP static group.
NOTE: If the VLAN identifier that you entered in step 3 is not already assigned as the native VLAN for an interface
and is not included in the range of allowed VLANs for an interface, the + button does not work.
8. In the Name field, enter a name for the IGMP static group.
9. In the Multicast Address field, enter the multicast address.
10. Select the interfaces to include.
11. Select Add to create the new VLAN.

Using the CLI:

config switch vlan
    edit <vlan-id>
        set igmp-snooping {enable | disable}
        set igmp-snooping-proxy {enable | disable}
        set igmp-snooping-fast-leave {enable | disable}
        config igmp-snooping-static-group
            edit <group-name>
                set mcast-addr <IPv4_multicast_address>
                set members <interface_name1> <interface_name2>...
            next
        end
    next
end

For example, to configure two static groups for the same VLAN:
config switch vlan
edit 30
set igmp-snooping enable
config igmp-snooping-static-group
edit g239-1-1-1
set mcast-addr 239.1.1.1
set members port2 port5 port28

next
edit g239-2-2-2
set mcast-addr 239.2.2.2
set members port5 port10 trunk-1
next
end
next
end
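The two restrictions on IGMP static groups given above (no addresses in 224.0.0.1 to 224.0.0.255, and the VLAN must be a native VLAN of a switch interface and within an allowed-VLAN range) can be checked before the configuration is pushed. The following Python validator is an added example, not FortiSwitchOS code; the Interface and StaticGroup names and the interface data are constructed, and it reads the VLAN rule as "native on at least one interface and allowed on at least one interface".

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Added example, not FortiSwitchOS code: validates the restrictions this
# section places on IGMP static groups and renders the matching CLI block.
# Interface data is constructed; in practice it would be read from the
# Physical Port Interfaces page or from "config switch interface".
RESERVED = ipaddress.ip_network("224.0.0.0/24")   # 224.0.0.1-224.0.0.255 cannot be used


@dataclass
class Interface:
    name: str
    native_vlan: int
    allowed_vlans: set[int] = field(default_factory=set)


@dataclass
class StaticGroup:
    vlan: int
    name: str
    mcast_addr: str
    members: list[str]


def vlans_usable_for_static_groups(interfaces: list[Interface]) -> set[int]:
    """VLANs that are some interface's native VLAN and in some interface's allowed range."""
    natives = {i.native_vlan for i in interfaces}
    allowed = set().union(*(i.allowed_vlans for i in interfaces))
    return natives & allowed


def validate_static_group(group: StaticGroup, interfaces: list[Interface]) -> list[str]:
    """Return a list of problems; an empty list means the group can be configured."""
    errors = []
    try:
        addr = ipaddress.ip_address(group.mcast_addr)
    except ValueError:
        return [f"{group.mcast_addr} is not an IP address"]
    if addr.version != 4 or not addr.is_multicast:
        errors.append(f"{addr} is not an IPv4 multicast address")
    elif addr in RESERVED:
        errors.append(f"{addr} is in the reserved range 224.0.0.1-224.0.0.255")
    if group.vlan not in vlans_usable_for_static_groups(interfaces):
        errors.append(f"VLAN {group.vlan} is not a native VLAN within an allowed-VLAN "
                      "range on the switch interfaces")
    known = {i.name for i in interfaces}
    for member in group.members:
        if member not in known:
            errors.append(f"member {member} is not a switch interface or trunk")
    if not group.members:
        errors.append("static group has no members")
    return errors


def render_cli(vlan: int, groups: list[StaticGroup]) -> str:
    """Render the 'config switch vlan' block shown in this section for validated groups."""
    lines = ["config switch vlan", f"    edit {vlan}",
             "        set igmp-snooping enable",
             "        config igmp-snooping-static-group"]
    for g in groups:
        lines += [f"            edit {g.name}",
                  f"                set mcast-addr {g.mcast_addr}",
                  f"                set members {' '.join(g.members)}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed interface table: VLAN 30 is native on port2/port5/port28 and allowed on
# port2/port5/port10/trunk-1; VLAN 40 is allowed on port2 but native nowhere.
INTERFACES = [
    Interface("port2", 30, {30, 40}),
    Interface("port5", 30, {30}),
    Interface("port10", 1, {30}),
    Interface("port28", 30, set()),
    Interface("trunk-1", 1, {30}),
]

if __name__ == "__main__":
    g1 = StaticGroup(30, "g239-1-1-1", "239.1.1.1", ["port2", "port5", "port28"])
    g2 = StaticGroup(30, "g239-2-2-2", "239.2.2.2", ["port5", "port10", "trunk-1"])
    for g in (g1, g2):
        print(g.name, validate_static_group(g, INTERFACES) or "ok")
    print(render_cli(30, [g1, g2]))
```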

Check the IGMP-snooping configuration

Use the following commands to display information about IGMP snooping:
# get switch igmp-snooping {globals | group | static-group | status}
l globals: display the IGMP-snooping global configuration on the FortiSwitch unit
l group: display a list of learned multicast groups
l static-group: display the list of configured static groups
l status: display the status of IGMP-snooping VLANs and groups
Go to Switch > Monitor > IGMP Snooping to see the learned multicast groups.

Use the following CLI command to see the learned multicast groups:
FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port           of-port  VLAN  GROUP          Age
(__port__9)    1        23    231.8.5.4      16
(__port__9)    1        23    231.8.5.5      16
(__port__9)    1        23    231.8.5.6      16
(__port__9)    1        23    231.8.5.7      16
(__port__9)    1        23    231.8.5.8      16
(__port__9)    1        23    231.8.5.9      16
(__port__9)    1        23    231.8.5.10     16
(__port__43)   3        23    querier        17
(__port__14)   8        ---   flood-reports  ---
(__port__10)   2        ---   flood-traffic  ---

Display the list of configured static groups:

FS1D243Z13000023 # get switch igmp-snooping static-group

VLAN ID Group-Name     Multicast-addr  Member-interface
_______ ______________ _______________ _________________________
11      g239-1         239:1:1:1       port6 trunk-2
11      g239-11        239:2:2:11      port26 port48 trunk-2
40      g239-1         239:1:1:1       port5 port25 trunk-2
40      g239-2         239:2:2:2       port25 port26

Configuring the IGMP querier

To use the IGMP querier, you need to configure how often IGMP queries are sent and enable the IGMP querier for a
specific VLAN. Optionally, you can specify the address for the IGMP querier.
Use the following commands to specify how many seconds are between IGMP queries. The default is 120 seconds.
config switch igmp-snooping globals
set query-interval <10-1200>
end

For example:
config switch igmp-snooping globals
set aging-time 150
set query-interval 200
end

Use the following commands to enable the IGMP querier for a specific VLAN and specify the address that IGMP reports
are sent to:
config switch vlan
edit 100
set igmp-snooping {enable | disable}
set igmp-snooping-querier {enable | disable}
set igmp-snooping-querier-addr <IPv4_address>
set igmp-snooping-querier-version {2 | 3}
next
end

For example:
config switch vlan
edit 100
set igmp-snooping enable
set igmp-snooping-querier enable
set igmp-snooping-querier-addr 1.2.3.4
set igmp-snooping-querier-version 3
next
end

Configuring mRouter ports

Use the following commands to configure a FortiSwitch port as an mRouter port:
NOTE: These settings are not per-VLAN, so the port will act as a querier/mRouter port for all of its associated VLANs.
config switch interface
    edit <port>
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

MLD snooping

The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the
forwarding of IPv6 multicast traffic.
MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast
routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The
FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not
contain a multicast listener.
FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD
proxy and MLD querier.
Here is the basic MLD-snooping operation:
1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
2. The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request
MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.
This chapter covers the following topics:
l Notes on page 186
l Configuring MLD snooping on page 186
l Configuring the MLD querier on page 189

Notes

l Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of
unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the
mRouter ports need to be relearned.
l The MLD-snooping entries are added based on multicast group IP addresses.
l IGMP snooping and MLD snooping share the same lookup table. The following snooping table limits apply:

    Platform Series    Snooping Table Limit
    108E and 124E      1022
    112D               895
    400                1022
    500                1022
    1024 and 1048      1022
    3032               1022

Configuring MLD snooping

Configuring MLD snooping consists of the following major steps:
1. Configure MLD snooping on a global level.
2. Optional. Enable MLD-snooping options on the interfaces.
3. Configure MLD snooping on the VLANs.

1. Configure MLD snooping on a global level

By default, multicast snooping entries that receive no packets are kept for a maximum of 300 seconds (the aging-time).
This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled,
and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-
multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch mld-snooping globals
set aging-time <15-3600>
end

config switch global
set flood-unknown-multicast {enable | disable}
end

For example:
config switch mld-snooping globals
set aging-time 500
end

config switch global
set flood-unknown-multicast enable
end

2. Enable MLD-snooping options on the interfaces

Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options
are disabled.

Using the CLI:

config switch interface
edit <port>
set native-vlan <vlan-id>
set mld-snooping-flood-reports {enable | disable}
set mcast-snooping-flood-traffic {enable | disable}
next
end

For example:
config switch interface
edit port10
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port2
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port4
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port6
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port8
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
end

Use the following command to clear the learned/configured multicast group from an interface:
execute clear switch mld-snooping


3. Configure MLD snooping on the VLANs

Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can
specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static
group. There are two restrictions for MLD static groups:
l The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
l The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of
allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be
used for MLD static groups.
You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-
proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is
sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave
message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit
will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-
leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.

Using the CLI:

config switch vlan
edit <vlan-id>
set mld-snooping {enable | disable}
set mld-snooping-proxy {enable | disable}
config mld-snooping-static-group
edit <group-name>
set mcast-addr <IPv6_multicast_address>
set members <interface_name1> <interface_name2>...
next
end
next
end

For example:
config switch vlan
edit 30
set mld-snooping enable
config mld-snooping-static-group
edit g239-1-1-1
set mcast-addr FF3E::1
set members port2 port5 port28
next
end
next
end

Check the MLD-snooping configuration

Use the following commands to display information about MLD snooping:

# get switch mld-snooping {globals | group | static-group | status}

l globals: display the MLD-snooping global configuration on the FortiSwitch unit
l group: display a list of learned multicast groups
l static-group: display the list of configured static groups
l status: display the status of MLD-snooping VLANs and groups

Configuring the MLD querier

To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a
specific VLAN. Optionally, you can specify the address for the MLD querier.
Use the following commands to specify how many seconds are between MLD queries. The default is 125 seconds.
config switch mld-snooping globals
set query-interval <10-1200>
end

For example:
config switch mld-snooping globals
set aging-time 150
set query-interval 200
end

Use the following commands to enable the MLD querier for a specific VLAN and specify the address that MLD reports
are sent to:
config switch vlan
edit 100
set mld-snooping {enable | disable}
set mld-snooping-querier {enable | disable}
set mld-snooping-querier-addr <IPv6_address>
next
end

For example:
config switch vlan
edit 100
set mld-snooping enable
set mld-snooping-querier enable
set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5
next
end


IPv6 router advertisement guard

IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent
the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-
guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match
the criteria in the policy, they are dropped.
The IPv6 RA-guard policy checks for the following criteria in each RA message:
l Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
l Whether the hop limit is equal to or greater than the minimum hop limit
l Whether the hop limit is equal to or less than the maximum hop limit
l Whether the default router preference is set to high, medium, or low
l Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config
router access-list6 command)
l Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config
router prefix-list6 command)
l Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a
router, the other criteria in the policy are checked.
IPv6 RA guard is supported on 2xx models and higher.

Configuring IPv6 RA guard

Configuring IPv6 RA guard consists of the following steps:

1. (Optional) Create lists of source IPv6 addresses and IPv6 address prefixes that are allowed in RA messages.
2. Create one or more IPv6 RA-guard policies.
3. Apply the IPv6 RA-guard policies to switch interfaces and VLANs.

Create an IPv6 access list

Create an IPv6 access list if you want to specify which source IPv6 addresses are allowed in RA messages. When no rule
in the IPv6 access list is matched, the RA messages are dropped.

To create an IPv6 access list:

config router access-list6
edit <name_of_IPv6_access_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
set exact-match {enable | disable}
next
end
end

For example:
config router access-list6
edit accesslist1
set comments "IPv6 access list"
config rule
edit 1
set action permit
set prefix6 fe80::a5b:eff:fef1:95e5
set exact-match disable
next
end
end

Create an IPv6 prefix list

Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages.
When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

To create an IPv6 prefix list:

config router prefix-list6
edit <name_of_IPv6_prefix_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<IPv6_prefix> | any}
set ge <0-128>
set le <0-128>
next
end
end

For example:
config router prefix-list6
edit prefixlist1
set comments "IPv6 prefix list"
config rule
edit 1
set action permit
set prefix6 any
set ge 50
set le 50
next
end
end


Create an IPv6 RA-guard policy

In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are
forwarded.

To create an IPv6 RA-guard policy:

config switch raguard-policy
edit <RA-guard policy name>
set device-role {host | router}
set managed-flag {Off | On}
set other-flag {Off | On}
set max-hop-limit <0-255>
set min-hop-limit <0-255>
set max-router-preference {high | medium | low}
set match-src-addr <name_of_IPv6_access_list>
set match-prefix <name_of_IPv6_prefix_list>
next
end

For example:
config switch raguard-policy
edit RApolicy1
set device-role router
set managed-flag On
set other-flag On
set max-hop-limit 100
set min-hop-limit 5
set max-router-preference medium
set match-src-addr accesslist1
set match-prefix prefixlist1
next
end
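How the criteria listed at the start of this chapter combine, as an added Python example that is not FortiSwitchOS code: it evaluates a router advertisement against RApolicy1, accesslist1 and prefixlist1 from the examples above, rebuilt as constructed data. Semantics the guide does not spell out are assumptions here and are marked as such: a flag set to On requires that flag in the RA, the RA router preference must not exceed max-router-preference, list rules are evaluated in order with first match winning and no match meaning drop, a bare address in prefix6 is treated as a /128, and ge/le of 0 means no bound. The point for an operator is to see which single criterion causes a given RA to be dropped.

```python
"""Added example, not FortiSwitchOS code: evaluate an IPv6 RA against an
RA-guard policy built from the criteria described above. Semantics not
stated by the guide (flag handling, preference ordering, list evaluation,
bare-address prefixes, ge/le of 0) are assumptions for this model.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PREF_RANK = {"low": 0, "medium": 1, "high": 2}   # assumed ordering for max-router-preference


@dataclass
class AclRule:                   # one rule of config router access-list6
    action: str                  # "permit" | "deny"
    prefix6: str                 # address, prefix or "any"
    exact_match: bool = False


@dataclass
class PrefixRule:                # one rule of config router prefix-list6
    action: str
    prefix6: str
    ge: int = 0                  # 0 = no lower bound on prefix length (assumed)
    le: int = 0                  # 0 = no upper bound (assumed)


@dataclass
class RaGuardPolicy:             # config switch raguard-policy
    device_role: str = "host"
    managed_flag: str = "Off"
    other_flag: str = "Off"
    max_hop_limit: int = 255
    min_hop_limit: int = 0
    max_router_preference: str = "medium"
    match_src_addr: Optional[List[AclRule]] = None     # None = no source check
    match_prefix: Optional[List[PrefixRule]] = None    # None = no prefix check


@dataclass
class RouterAdvertisement:       # the RA fields that the policy inspects
    src: str
    hop_limit: int
    m_flag: bool
    o_flag: bool
    router_pref: str
    prefixes: List[str] = field(default_factory=list)   # prefix options (type 3)


def _net(prefix: str) -> ipaddress.IPv6Network:
    # A bare address is taken as a /128 (assumption).
    return ipaddress.ip_network(prefix if "/" in prefix else prefix + "/128", strict=False)


def acl_permits(rules: List[AclRule], src: str) -> bool:
    """First matching access-list rule decides; no match means drop."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.prefix6 == "any":
            hit = True
        elif r.exact_match:
            hit = ipaddress.ip_network(src + "/128") == _net(r.prefix6)
        else:
            hit = addr in _net(r.prefix6)
        if hit:
            return r.action == "permit"
    return False


def prefix_permitted(rules: List[PrefixRule], prefix: str) -> bool:
    """First matching prefix-list rule decides; no match means drop."""
    net = ipaddress.ip_network(prefix, strict=False)
    for r in rules:
        in_range = (r.ge == 0 or net.prefixlen >= r.ge) and (r.le == 0 or net.prefixlen <= r.le)
        covered = r.prefix6 == "any" or net.subnet_of(_net(r.prefix6))
        if covered and in_range:
            return r.action == "permit"
    return False


def evaluate(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (forward, reason) for one RA under one policy."""
    if policy.device_role == "host":
        return False, "device-role host: every RA is dropped"
    if policy.managed_flag == "On" and not ra.m_flag:
        return False, "M flag required"
    if policy.other_flag == "On" and not ra.o_flag:
        return False, "O flag required"
    if not policy.min_hop_limit <= ra.hop_limit <= policy.max_hop_limit:
        return False, f"hop limit {ra.hop_limit} outside {policy.min_hop_limit}-{policy.max_hop_limit}"
    if PREF_RANK[ra.router_pref] > PREF_RANK[policy.max_router_preference]:
        return False, f"router preference {ra.router_pref} above {policy.max_router_preference}"
    if policy.match_src_addr is not None and not acl_permits(policy.match_src_addr, ra.src):
        return False, f"source {ra.src} not permitted by access list"
    if policy.match_prefix is not None:
        for p in ra.prefixes:
            if not prefix_permitted(policy.match_prefix, p):
                return False, f"prefix {p} not permitted by prefix list"
    return True, "RA matches policy, forwarded"


# The guide's example objects, rebuilt as constructed data.
ACCESSLIST1 = [AclRule("permit", "fe80::a5b:eff:fef1:95e5", exact_match=False)]
PREFIXLIST1 = [PrefixRule("permit", "any", ge=50, le=50)]
RAPOLICY1 = RaGuardPolicy("router", "On", "On", 100, 5, "medium", ACCESSLIST1, PREFIXLIST1)
```

Usage: `evaluate(RAPOLICY1, RouterAdvertisement("fe80::a5b:eff:fef1:95e5", 64, True, True, "medium", ["2001:db8::/50"]))` returns `(True, ...)`, while the same RA from `fe80::1`, or with preference `high`, or advertising a `/64`, returns `(False, reason)` naming the failed criterion.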

Apply the IPv6 RA-guard policy

After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You
can create and apply different policies to different VLANs.

To apply the IPv6 RA-guard policy:

config switch interface
edit <interface_name>
config raguard
edit <ID>
set raguard-policy <name_of_RA_guard_policy>
set vlan-list <list_of_VLANs>
next
end
end

For example:
config switch interface
edit <interface_name>
config raguard
edit 1
set raguard-policy RApolicy1
set vlan-list 1
next
edit 2
set raguard-policy RApolicy2
set vlan-list 2-5
next
end
end

View available IPv6 RA-guard policies

Use the following command to list the available IPv6 RA-guard policies:
get switch raguard-policy

For example:
S524DF4K15000024 # get switch raguard-policy
== [ RApolicy1 ]
name: RApolicy1


Private VLANs

A private VLAN (PVLAN) divides the original VLAN (termed the primary VLAN) into sub-VLANs (secondary VLANs), while
retaining the existing IP subnet and layer-3 configuration. Unlike a regular VLAN, which is a single broadcast domain, a
PVLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
After a PVLAN is configured, the primary VLAN forwards frames downstream to all secondary VLANs.
There are two main types of secondary VLANs:
l Isolated: Any switch ports associated with an isolated VLAN can reach the primary VLAN, but not any other
secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. Only one
isolated VLAN is allowed in one PVLAN domain.
l Community: Any switch ports associated with a common community VLAN can communicate with each other and
with the primary VLAN but not with any other secondary VLAN. You might have multiple distinct community VLANs
within one PVLAN domain.
There are two main types of ports in a PVLAN: promiscuous (P-Port) and host.
l Promiscuous Port (P-Port): The switch port connects to a router, firewall, or other common gateway device. This
port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a
type of port that is allowed to send and receive frames from any other port on the VLAN.
l Host ports are further divided into two types: isolated ports (I-Ports) and community ports (C-Ports).
l Isolated Port (I-Port): Connects to a regular host that resides on an isolated VLAN. This port communicates only
with P-Ports.
l Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port
communicates with P-Ports and ports on the same community VLAN.
This chapter covers the following topics:
l Creating and enabling a PVLAN on page 194
l Configuring the PVLAN ports on page 195
l Private VLAN example on page 195

Creating and enabling a PVLAN

Using the GUI:

1. Go to Switch > VLAN.
2. Select Add VLAN to create a new PVLAN.
3. Enter the VLAN identifier.
4. Enter a description for the new PVLAN.
5. Select Enabled to enable the new private VLAN.
6. Enter a single VLAN identifier for the isolated sub-VLAN.
7. If needed, enter one or more VLAN identifiers for community sub-VLANs.
8. To save your changes, select Add at the bottom of the page.


Configuring the PVLAN ports

Using the GUI:

1. Go to Switch > Interface > Physical.
2. Select the port to configure.
3. Select Edit.
4. Select whether the private VLAN port is a promiscuous port or part of a sub-VLAN.
5. For a promiscuous port, select the primary VLAN identifier.
6. For a port that is part of a sub-VLAN, select the primary VLAN identifier and the sub-VLAN identifier.
7. Select OK.

Private VLAN example

1. Enable a PVLAN:

config switch vlan
edit 1000
set private-vlan enable
set isolated-vlan 101
set community-vlans 200-210
next
end

2. Configure the PVLAN ports:

config switch interface
edit "port2"
set private-vlan promiscuous
set primary-vlan 1000
next
edit "port3"
set private-vlan sub-vlan
set primary-vlan 1000
set sub-vlan 200
next
edit "port7"
set private-vlan sub-vlan
set primary-vlan 1000
set sub-vlan 101
next
edit "port19"
set private-vlan promiscuous
set primary-vlan 1000
next
edit "port20"
set private-vlan sub-vlan
set primary-vlan 1000
set sub-vlan 101
next
edit "port21"
set private-vlan sub-vlan
set primary-vlan 1000
set sub-vlan 101
next
end
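The isolation rules described at the start of this chapter, applied to the example configuration above, as an added Python example (not FortiSwitchOS code). The port list reproduces the example: port2 and port19 are promiscuous, port3 is in community VLAN 200, and port7, port20 and port21 are in isolated VLAN 101. The `reachability` helper and all names are illustrative; it is useful for checking, before a change, which hosts a PVLAN actually segregates.

```python
"""Added example, not FortiSwitchOS code: reachability between ports of a
private VLAN (promiscuous, isolated and community) for the example above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Pvlan:
    primary: int
    isolated: int
    community: frozenset           # community VLAN IDs


@dataclass(frozen=True)
class Port:
    name: str
    private_vlan: str              # "promiscuous" | "sub-vlan"
    primary_vlan: int
    sub_vlan: Optional[int] = None


def port_type(port: Port, pvlan: Pvlan) -> str:
    """Classify a port as P (promiscuous), I (isolated) or C (community)."""
    if port.primary_vlan != pvlan.primary:
        raise ValueError(f"{port.name} is not in primary VLAN {pvlan.primary}")
    if port.private_vlan == "promiscuous":
        return "P"
    if port.sub_vlan == pvlan.isolated:
        return "I"
    if port.sub_vlan in pvlan.community:
        return "C"
    raise ValueError(f"{port.name}: sub-VLAN {port.sub_vlan} is not a secondary VLAN")


def can_reach(a: Port, b: Port, pvlan: Pvlan) -> bool:
    """True if frames from port a may be delivered to port b within the PVLAN."""
    ta, tb = port_type(a, pvlan), port_type(b, pvlan)
    if "P" in (ta, tb):
        return True                               # P-Ports talk to every port
    if ta == "C" and tb == "C":
        return a.sub_vlan == b.sub_vlan           # same community VLAN only
    return False                                  # I-Ports reach only P-Ports


def reachability(ports, pvlan: Pvlan) -> Dict[str, Set[str]]:
    """For each port, the set of other ports it can reach."""
    return {p.name: {q.name for q in ports if q is not p and can_reach(p, q, pvlan)}
            for p in ports}


# Constructed from the example configuration above.
PVLAN_1000 = Pvlan(primary=1000, isolated=101, community=frozenset(range(200, 211)))
PORTS = [
    Port("port2", "promiscuous", 1000),
    Port("port3", "sub-vlan", 1000, 200),
    Port("port7", "sub-vlan", 1000, 101),
    Port("port19", "promiscuous", 1000),
    Port("port20", "sub-vlan", 1000, 101),
    Port("port21", "sub-vlan", 1000, 101),
]

if __name__ == "__main__":
    for name, reach in reachability(PORTS, PVLAN_1000).items():
        print(f"{name:7s} -> {sorted(reach)}")
```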


Quality of service

Quality of service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
QoS involves the following elements:
l Classification is the process of determining the priority of a packet. This can be as simple as trusting the QoS
markings already present in the packet header when it is received. Alternatively, it can hinge on criteria (such as
incoming port, VLAN, or service) that are defined by the network administrator.
l Marking involves setting bits in the packet header to indicate the priority of this packet.
l Queuing involves defining priority queues to ensure that packets marked as high priority take precedence over
those marked as lower priority. If network congestion becomes so severe that packet drops are inevitable, the
queuing process will also select the packets to drop.
The FortiSwitch unit supports the following QoS configuration capabilities:
l Mapping the IEEE 802.1p and layer-3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
NOTE: There are some differences in QoS configuration on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l You can configure only one dot1p-map per switch.
l You can configure only one ip-dscp-map per switch.
l You cannot set min-rate, min-rate-percent, drop-policy, or wred-slope under the config
switch qos qos-policy command.
l Under the config switch qos qos-policy command, the switch rounds the max-rate value to the
nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.
l You cannot configure priority tagging on outgoing frames (egress-pri-tagging) under the config switch
qos dot1p-map command.
l You can configure only one QoS drop policy per switch. You can configure the QoS drop policy under the config
switch global command. You can specify random early detection (RED) with the set qos-drop-policy
random-early-detection command.
l You can set the QoS RED/WRED drop probability (qos-red-probability) under the config switch
global command. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE
models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
l Adaptive or active RED (ARED) and robust RED (RRED) are not supported.
This chapter covers the following topics:
l Classification on page 198
l Marking on page 198
l Queuing on page 199
l Determining the egress queue on page 199
l Configuring FortiSwitch QoS on page 200
l Checking the QoS statistics on page 206
l Clearing and restoring QoS statistics on page 207


Classification

The IEEE 802.1p standard defines a class of service (CoS) value (ranging from 0-7) that is included in the Ethernet
frame. The Internet Protocol defines the layer-3 QoS values that are carried in the IP packet (Differentiated Services,
IP Precedence). The FortiSwitch unit provides configurable mappings from CoS or IP-DSCP values to egress queue
values.
Fortinet recommends that you do not enable trust for both Dot1p and DSCP at the same time on the same interface. If
you do want to trust both Dot1p and IP-DSCP, the switch uses the latter value (DSCP) to determine the queue. The
switch will use the Dot1p value and mapping only if the packet contains no DSCP value. For details, refer to
Determining the egress queue on page 199.

Marking

FortiSwitchOS supports two ways to indicate the priority of outgoing packets:

l CoS marking: The priority is set with the CoS value of the 802.1Q tag. The range of CoS values is 0-7.
l Differentiated services code point (DSCP) marking: The priority is set with the DSCP value in the IP header. The
range of DSCP values is 0-63.
You can use one of these methods or both methods.
Whether the CoS or DSCP values of inbound packets are remarked is subject to the classification by ACL rules for the
ingress interfaces. When CoS or DSCP marking takes place, the outbound queuing is not affected: it is still
based on trust maps and the original CoS or DSCP values, as described in Determining the egress queue on page 199.
The following example shows how to use the CLI to configure an ACL policy to mark the CoS and DSCP values of
inbound packets to 4 and 48 on port1 when their CoS values are 2:
config switch acl ingress
edit 10
config action
set count enable
set remark-cos 4
set remark-dscp 48
end
config classifier
set cos 2
end
set ingress-interface "port1"
set status active
next
end


Queuing

Queuing determines how queued packets on an egress port are served. Each egress port supports eight queues, and
three scheduling modes are available:
l Strict Scheduling: The queues are served in descending order (of queue number), so higher number queues
receive higher priority. Queue7 has the highest priority, and queue0 has the lowest priority. The purpose of the
strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface
experiences congestion, the lower priority traffic could be starved.
l Simple Round Robin (RR): In round robin mode, the scheduler visits each backlogged queue, servicing a single
packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair
access to the egress port bandwidth.
l Weighted Round Robin (WRR): Each of the eight egress queues is assigned a weight value ranging from 0 to
63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth,
such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.
A drop policy determines what happens when a queue is full or exceeds a minimum threshold. Depending on your
switch model, you can select from one of two drop policies:
l The tail-drop drop policy is the default and is available on all platforms. When a queue is full, additional incoming
packets are dropped until there is space available in the queue.
l The random early detection (RED) drop policy is available on 124D, 2xx, and 4xxD models. When the queue
size exceeds the minimum threshold, packets are dropped at a constant rate until the queue is full. Using the RED
drop policy helps improve the throughput during network congestion.
l The weighted random early detection (WRED) drop policy is an advanced version of RED and is available on
4xxE, 5xx, 1xxx, and 3xxx models. When the queue size exceeds the threshold, the WRED slope controls the rate
at which packets are dropped until the queue is full. The drop rate increases when the queue buffer usage
increases. If you select weighted-random-early-detection in the CLI, you can enable explicit congestion
notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
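The three scheduling modes above, as an added Python example that is not FortiSwitchOS code: a toy scheduler serving eight queues in strict, round-robin or weighted round-robin order. The packet labels are constructed, `budget` stands for the transmit slots available in one congested interval, and the weight range follows the 0-63 stated above. Running it with a small budget shows the starvation the strict mode paragraph warns about: queue 0 gets nothing while queue 7 has backlog.

```python
"""Added example, not FortiSwitchOS code: toy egress scheduler for the
eight per-port queues in strict, round-robin and weighted round-robin mode.
"""
from collections import deque
from typing import List, Optional

NUM_QUEUES = 8


def schedule(queues: List[List[str]], mode: str, weights: Optional[List[int]] = None,
             budget: Optional[int] = None) -> List[str]:
    """Return the order in which packets leave the port.

    queues[i] is the backlog of queue i (queue 7 has the highest priority).
    weights[i] (0-63) is used only in weighted mode; a weight of 0 is never served.
    budget limits the number of packets sent; None sends everything.
    """
    if len(queues) != NUM_QUEUES:
        raise ValueError("exactly eight egress queues per port")
    qs = [deque(q) for q in queues]
    total = sum(len(q) for q in qs)
    budget = total if budget is None else min(budget, total)
    weights = weights or [1] * NUM_QUEUES
    out: List[str] = []
    high_to_low = range(NUM_QUEUES - 1, -1, -1)

    if mode == "strict":
        # Always take the next packet from the highest non-empty queue.
        while len(out) < budget:
            i = next(i for i in high_to_low if qs[i])
            out.append(qs[i].popleft())
    elif mode == "round-robin":
        # One packet from each backlogged queue per pass.
        while len(out) < budget:
            for i in high_to_low:
                if qs[i] and len(out) < budget:
                    out.append(qs[i].popleft())
    elif mode == "weighted":
        # Up to weights[i] packets from queue i per pass.
        while len(out) < budget:
            served = False
            for i in high_to_low:
                for _ in range(weights[i]):
                    if qs[i] and len(out) < budget:
                        out.append(qs[i].popleft())
                        served = True
            if not served:
                break                     # only zero-weight queues have backlog
    else:
        raise ValueError(f"unknown schedule mode {mode!r}")
    return out


def make_backlog(**per_queue: List[str]) -> List[List[str]]:
    """Build an eight-queue backlog from keyword arguments such as q0=[...], q7=[...]."""
    queues: List[List[str]] = [[] for _ in range(NUM_QUEUES)]
    for name, pkts in per_queue.items():
        queues[int(name[1:])] = list(pkts)
    return queues


if __name__ == "__main__":
    # Constructed backlog: three data packets in queue 0, three control packets in queue 7.
    backlog = make_backlog(q0=["d1", "d2", "d3"], q7=["c1", "c2", "c3"])
    # Three transmit slots: strict mode sends only control traffic and starves queue 0.
    print("strict     ", schedule(backlog, "strict", budget=3))
    print("round-robin", schedule(backlog, "round-robin", budget=3))
    print("weighted   ", schedule(backlog, "weighted", weights=[1, 0, 0, 0, 0, 0, 0, 2], budget=3))
```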

Determining the egress queue

To determine the egress queue value for the packet, the FortiSwitch unit uses the configured trust values (and
mappings) on the port and the QoS/CoS fields in the packet.

Packets with DSCP and CoS values

If the port is set to trust DSCP, the switch uses this value to find the queue assignment in the DSCP map for the port.
If the port is set to trust Dot1p and not to trust DSCP, the switch uses the packet’s CoS value to look up the queue
assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.


Packets with a CoS value but no DSCP value

The switch ignores the trust DSCP value.

l If the port is set to trust Dot1p, the switch uses the packet’s CoS value to look up the queue assignment in the
Dot1p map for the port.
l If the port is not set to trust Dot1p, the switch uses the default queue 0.

Packets with a DSCP value but no CoS value

If the port is set to trust DSCP, the switch uses the packet’s DSCP value to look up the queue assignment in the DSCP
map for the port.
If the port is set to trust Dot1p but not to trust DSCP, the switch uses the default CoS value of the port to look up the
queue assignment in the Dot1p map for the port.
If the port is not set to trust Dot1p, the switch uses the default queue 0.

Configuring FortiSwitch QoS 

FortiSwitch uses “queue-7” for network control and critical management traffic. To
avoid affecting critical network control and management traffic, do not
oversubscribe queue-7, and avoid using queue-7 for data traffic when configuring QoS.

This section provides procedures for the following configuration tasks:

l Configure an 802.1p map on page 200
l Configure a DSCP map on page 201
l Configure the QoS egress policy on page 202
l Configure the egress drop mode on page 203
l Configure the switch ports on page 204
l Configure QoS on trunks on page 205
l Configure QoS on VLANs on page 205
l Configure CoS and DSCP markings on page 206

Configure an 802.1p map

Using the GUI:

1. Go to Switch > QoS > 802.1p.
2. Select Add Map.
3. Enter the name of your 802.1p map.
4. Enter a description of your 802.1p map.
5. Select the queue number for each priority.
6. Select Add Map.


Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to
queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Using the CLI:

You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets
on a trusted interface) and the egress queue values.
If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is
disabled by default.
NOTE: “Priority tagging” refers to adding a VLAN tag with VLAN 0 and a valid priority value to untagged traffic. If
the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.
config switch qos dot1p-map
edit <dot1p map name>
set description <text>
set [priority-0|priority-1|priority-2|....priority-7] <queue number>
set egress-pri-tagging {disable | enable}
next
end

For example:
config switch qos dot1p-map
edit "test1"
set priority-0 queue-2
set priority-1 queue-0
set priority-2 queue-1
set priority-3 queue-3
set priority-4 queue-4
set priority-5 queue-5
set priority-6 queue-6
set priority-7 queue-7
set egress-pri-tagging enable
next
end

Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:
config switch interface
edit port1
set default-cos <0-7>
next
end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure a DSCP map

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.


Using the GUI:

1. Go to Switch > QoS > IP/DSCP.
2. Select Add Map.
3. Enter the name of your DSCP map.
4. Enter a description of your DSCP map.
5. Select which queue to configure.
6. Select the differentiated services to use.
7. Select the IP precedence to use.
8. Enter the raw values to use.
9. Select Add Map.

Using the CLI:

config switch qos ip-dscp-map
edit <ip-dscp map name>
set description <text>
config map
edit <entry-name1>
set diffserv [AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF]
set ip-precedence [Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine]
set value <dscp raw value>
set cos-queue <queue number>
next
end
end

The following example defines a mapping for two of the DSCP values:
config switch qos ip-dscp-map
edit "m1"
config map
edit "e1"
set cos-queue 0
set ip-precedence Immediate
next
edit "e2"
set cos-queue 3
set value 13
next
end
next
end
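The queue decision from "Determining the egress queue", applied to the two maps shown in this section (the 802.1p map "test1" and the DSCP map "m1"), as an added Python example that is not FortiSwitchOS code. The maps are rebuilt as constructed data; the diffserv keywords and IP precedence names are expanded to their standard code points (RFC 2474, RFC 2597, RFC 3246 and RFC 791), which the guide lists but does not spell out. Two behaviours are assumptions of this model: an unmapped DSCP value falls back to queue 0 like an unmapped 802.1p priority, and a frame with neither CoS nor DSCP is handled like one with a DSCP value but no CoS value (the port's default CoS is used).

```python
"""Added example, not FortiSwitchOS code: pick the egress queue for a
packet from the port's trust settings and the page's example maps.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Standard DSCP code points behind the diffserv keywords (RFC 2474/2597/3246).
DIFFSERV = {"CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32, "CS5": 40,
            "CS6": 48, "CS7": 56, "EF": 46,
            "AF11": 10, "AF12": 12, "AF13": 14, "AF21": 18, "AF22": 20, "AF23": 22,
            "AF31": 26, "AF32": 28, "AF33": 30, "AF41": 34, "AF42": 36, "AF43": 38}
# IP precedence names (RFC 791); precedence p covers DSCP values 8p to 8p+7.
IP_PRECEDENCE = {"Routine": 0, "Priority": 1, "Immediate": 2, "Flash": 3,
                 "Flash Override": 4, "Critic/ECP": 5, "Internetwork Control": 6,
                 "Network Control": 7}


def build_dscp_map(entries) -> Dict[int, int]:
    """entries: iterable of (selector, cos_queue) where selector is a diffserv
    keyword, an ip-precedence name or a raw DSCP value. Returns dscp -> queue."""
    table: Dict[int, int] = {}
    for selector, queue in entries:
        if isinstance(selector, int):
            table[selector] = queue
        elif selector in DIFFSERV:
            table[DIFFSERV[selector]] = queue
        elif selector in IP_PRECEDENCE:
            base = IP_PRECEDENCE[selector] * 8
            for dscp in range(base, base + 8):
                table[dscp] = queue
        else:
            raise ValueError(f"unknown DSCP selector {selector!r}")
    return table


@dataclass
class PortQos:
    trust_dot1p_map: Optional[Dict[int, int]] = None    # priority -> queue, None = not trusted
    trust_ip_dscp_map: Optional[Dict[int, int]] = None  # dscp -> queue, None = not trusted
    default_cos: int = 0


@dataclass
class Packet:
    cos: Optional[int] = None    # None = untagged frame, no 802.1p value
    dscp: Optional[int] = None   # None = non-IP frame, no DSCP value


def egress_queue(port: PortQos, pkt: Packet) -> int:
    """Queue 0-7 chosen for pkt, following the rules in "Determining the egress queue"."""
    if pkt.dscp is not None and port.trust_ip_dscp_map is not None:
        # Trust DSCP wins whenever the packet carries a DSCP value.
        return port.trust_ip_dscp_map.get(pkt.dscp, 0)      # unmapped DSCP: queue 0 (assumed)
    if port.trust_dot1p_map is not None:
        # Trust Dot1p: the frame's CoS, or the port default CoS if there is none.
        cos = pkt.cos if pkt.cos is not None else port.default_cos
        return port.trust_dot1p_map.get(cos, 0)
    return 0                                                 # neither trusted: queue 0


# The page's example maps as constructed data.
DOT1P_TEST1 = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
DSCP_M1 = build_dscp_map([("Immediate", 0), (13, 3)])

if __name__ == "__main__":
    port = PortQos(trust_dot1p_map=DOT1P_TEST1, trust_ip_dscp_map=DSCP_M1, default_cos=1)
    print(egress_queue(port, Packet(cos=2, dscp=13)))   # DSCP trusted and mapped: queue 3
    print(egress_queue(port, Packet(cos=0)))            # non-IP frame: Dot1p map: queue 2
```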

Configure the QoS egress policy

In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and
configure one or more CoS queues.


The QoS egress policy includes the following settings:

l min-rate (minimum rate in kbps) or min-rate-percent (minimum percentage)
l max-rate (maximum rate in kbps) or max-rate-percent (maximum percentage)
l drop policy: tail drop, RED, or WRED
l weight value (applicable if the policy schedule is weighted)

Using the GUI:

1. Go to Switch > QoS > Egress Policy.
2. Select Add Policy.
3. Enter the name of your QoS egress policy.
4. Select the scheduling mode to use.
5. For each queue, enter a description, select the drop policy to use, and enter the minimum rate in kbps, maximum
rate in kbps, weight value, and WRED slope.
6. Select Add.

Using the CLI:

config switch qos qos-policy
edit <policy_name>
set rate-by {kbps | percent}
set schedule {strict | round-robin | weighted}
config cos-queue
edit [queue-0 ... queue-7]
set description <text>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set max-rate <rate kbps>
set min-rate <rate kbps>
set max-rate-percent <percentage>
set min-rate-percent <percentage>
set weight <value>
set wred-slope <value>
next
end
next
end

Configure the egress drop mode

NOTE: The egress-drop-mode command is available only for the 1024/1048/3032/5xx series.
When there are too many packets going through the same egress port, you can choose whether packets are dropped on
ingress or egress.
Use the following commands to set the drop mode:
config switch physical-port
edit <port>
set egress-drop-mode {disabled | enabled}
next
end

Variable   Description
disabled   Drop packets on ingress.
enabled    Drop packets on egress.

NOTE: Because too many packets are going through the same egress port, you might want to use the pause frame for
flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface
and disable egress-drop-mode on the egress interface.

Configure the switch ports

You can configure the following QoS settings on a switch port or a trunk:
l trust dot1p values on ingress traffic and the dot1p map to use
l trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp
values but not both.)
l an egress policy for the interface
l a default CoS value (for packets with no CoS value)
If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.
If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-
robin).

Using the GUI:

1. Go to Switch > Interface > Physical.
2. Select the switch port to update and then select Edit.
3. Select the QoS egress policy in the QoS Policy drop-down list.
4. Select the 802.1p map in the Trust 802.1p drop-down list.
5. Select the DSCP map in the Trust IP-DSCP drop-down list.
6. Select OK.

Using the CLI:

config switch interface
edit <port>
set trust-dot1p-map <map-name>
set trust-ip-dscp-map <map-name>
set qos-policy <policy-name>
set default-cos <default cos value 0-7>
next
end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.


Configure QoS on trunks

Configuring QoS on a trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP
map and an egress policy).
When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to
the default QoS configuration when it is removed from the trunk interface.

Using the GUI:

1. Go to Switch > Interface > Trunk.
2. Select the trunk to update and then select Edit.
3. Select the QoS egress policy in the QoS Policy drop-down list.
4. Select the 802.1p map in the Trust 802.1p drop-down list.
5. Select the DSCP map in the Trust IP-DSCP drop-down list.
6. Select OK.

Using the CLI:

The following example shows QoS configuration on a trunk interface:
config switch interface
edit "tr1"
set snmp-index 56
set trust-dot1p-map "dot1p_map1"
set default-cos 1
set qos-policy "p1"
next
end

When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each
port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.
NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D,
424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure QoS on VLANs

You can configure a CoS queue value for a VLAN by creating an ACL policy:


config switch acl ingress
edit 1
config action
set cos-queue 7
set count enable
end
config classifier
set vlan-id 200
end
set ingress-interface "port25"
set status active
end


Configure CoS and DSCP markings

You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also
configure the action to set the CoS marking value, DSCP marking value, or both.
config switch acl ingress
edit <policy-id>
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
end
config action
set remark-cos <0-7>
set remark-dscp <0-63>
end
next
end

For example:
config switch acl ingress
edit 1
config classifier
set src-mac 11:22:33:44:55:66
set cos 2
set dscp 10
end
config action
set count enable
set remark-cos 4
set remark-dscp 20
end
set ingress-interface port2
set status active
end

Checking the QoS statistics

To check the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats list

To check the statistics for the QoS queues for specific ports:
diagnose switch physical-ports qos-stats list <list_of_ports>

NOTE: The output differs depending on the FortiSwitch model.


To view the real-time egress QoS queue rates for specific ports:
diagnose switch physical-ports qos-rates list <list_of_ports>

To view the real-time egress QoS queue rates for all ports:
diagnose switch physical-ports qos-rates list

NOTE: To stop the output: press CTRL+c.


Clearing and restoring QoS statistics

The diagnose switch physical-ports qos-stats clear command is supported only for the 1xxxD,
3xxxD, and 5xxD FortiSwitch models. The diagnose switch physical-ports qos-stats clear command
is not available for the 4xxD, 4xxD-POE, 4xxD-FPOE, 2xxD, 2xxD-POE, or 2xxD-FPOE FortiSwitch models.
To clear the statistics for the QoS queues for all ports:
diagnose switch physical-ports qos-stats clear

To clear the statistics for the QoS queues for specified ports:
diagnose switch physical-ports qos-stats clear <list_of_ports>

To reset the QoS counters to zero (applies to all applications except SNMP) for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

To restore the QoS counters to the hardware values for the specified ports:
diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]

For example:
diagnose switch physical-ports qos-stats clear 1,3,4-6
diagnose switch physical-ports qos-stats set-qos-counter-zero 2,4,7-9
diagnose switch physical-ports qos-stats set-qos-counter-revert 1,3-5,7


sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact
performance and throughput. With sFlow you can export truncated packets and interface counters. The FortiSwitch unit
implements sFlow version 5 and supports trunks and VLANs.
This chapter covers the following topics:
l About sFlow on page 208
l Configuring sFlow on page 208
l Checking the sFlow configuration on page 210

About sFlow

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined
intervals and sends it to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on
network throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors.

Configuring sFlow

Configuration consists of the following steps:

1. Enable the sFlow agent.
2. Configure sampling information on the interfaces.

Configure sFlow agents

To configure an sFlow agent:

1. Set the IP address of the collector.
2. Set the collector port number, which is the destination port number in sFlow UDP packets. The default value is
6343.

Using the GUI:

1. Go to Switch > sFlow.
2. Select Enable.


3. Set the collector IP address and port number.
4. Select Apply to save the changes.

Using the CLI:

config system sflow
set collector-ip <ip/hostname>
set collector-port <port>
end

Configure the interfaces

To configure sFlow on a port:

l Enable sFlow on the port (CLI only).
l Set the sample rate (CLI only). An average of one out of count packets is randomly sampled. The rate ranges
from 0-99999; the default is 512.
l Set the direction for capturing the traffic (CLI only). sFlow can capture the ingress traffic (RX), the egress traffic
(TX), or both (the default).
l Set the polling interval, which defines how often the switch sends interface counters to the collector. The range of
values is 1-255 and the default is 30.

Using the GUI:

1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
2. Select one or more ports or a trunk to update and then select Edit.
3. In the sFlow area, select Polling Interval.
4. In the Interval (Seconds) field, enter the number of seconds to use for the polling interval.
5. Select OK to save the changes.

Using the CLI:

config switch interface
edit <port>
set packet-sampler {enabled | disabled}
set packet-sample-rate <count>
set sample-direction {rx | tx | both}
set sflow-counter-interval <interval>
next
end

For example:
config switch interface
edit "port20"
set packet-sampler enabled
set packet-sample-rate 4
set sflow-counter-interval 3
set snmp-index 58
next
end


NOTE: Ensure that you can ping the collector from the FortiSwitch unit (execute ping <collector_ip_address>).
Then, use the built-in sniffer to trace the sFlow packets leaving the switch:
diag sniff packet <vlan_interface_name> "udp port 6343"
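What the collector receives from the switch is a stream of sFlow v5 datagrams, each carrying flow samples (truncated packet headers taken 1-in-N according to the sample rate) and counter samples (interface counters sent every polling interval). The following added example, which is not FortiSwitch code, builds one such datagram, decodes it the way a collector does, and scales the sampled frame by the sampling rate to estimate the traffic it represents. The byte layout follows the public sFlow v5 specification; the agent address 192.0.2.10, ifIndex 20, the counter values and the sampled Ethernet/IPv4 header are constructed for the example. Only IPv4 agents, flow samples and counter samples in their non-expanded form are decoded; other sample and record formats are skipped using their length fields.

```python
import ipaddress
import struct

SFLOW_VERSION = 5
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2     # sample_type (enterprise 0, format 1 / 2)
RAW_PACKET_HEADER = 1                  # flow record: raw packet header
GENERIC_IF_COUNTERS = 1                # counter record: generic interface counters
PROTO_ETHERNET = 1
IF_COUNTERS_FMT = "!IIQIIQIIIIIIQIIIIII"   # the 88-byte generic interface counter block


def _pad4(b):
    """XDR opaque data is padded to a multiple of 4 bytes."""
    return b + b"\x00" * (-len(b) % 4)


def build_flow_sample(seq, ifindex, rate, pool, drops, in_if, out_if, frame, frame_len):
    rec = struct.pack("!IIII", PROTO_ETHERNET, frame_len, 0, len(frame)) + _pad4(frame)
    rec = struct.pack("!II", RAW_PACKET_HEADER, len(rec)) + rec
    body = struct.pack("!IIIIIIII", seq, ifindex, rate, pool, drops, in_if, out_if, 1) + rec
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def build_counter_sample(seq, ifindex, in_octets, out_octets):
    # ifIndex, ifType 6 (ethernet), 1 Gbit/s, full duplex, up/up, then in/out counters
    fields = (ifindex, 6, 1_000_000_000, 0, 3, in_octets) + (0,) * 6 + (out_octets,) + (0,) * 6
    rec = struct.pack(IF_COUNTERS_FMT, *fields)
    rec = struct.pack("!II", GENERIC_IF_COUNTERS, len(rec)) + rec
    body = struct.pack("!III", seq, ifindex, 1) + rec
    return struct.pack("!II", COUNTER_SAMPLE, len(body)) + body


def build_datagram(agent_ip, seq, uptime_ms, samples):
    hdr = struct.pack("!II4sIIII", SFLOW_VERSION, 1, ipaddress.IPv4Address(agent_ip).packed,
                      0, seq, uptime_ms, len(samples))      # sub_agent_id 0
    return hdr + b"".join(samples)


def parse_datagram(data):
    """Decode the header and each sample; length fields let unknown formats be skipped."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    _sub_agent, seq, uptime, count = struct.unpack_from("!IIII", data, 12)
    out = {"agent": str(ipaddress.IPv4Address(data[8:12])), "seq": seq,
           "uptime_ms": uptime, "flows": [], "counters": []}
    off = 28
    for _ in range(count):
        stype, slen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + slen]
        off += 8 + slen
        if stype == FLOW_SAMPLE:
            out["flows"].append(_parse_flow(body))
        elif stype == COUNTER_SAMPLE:
            out["counters"].append(_parse_counters(body))
    if off != len(data):
        raise ValueError("datagram length does not match its sample lengths")
    return out


def _records(body, off, count):
    """Yield (format, record bytes) for the count records starting at offset off."""
    for _ in range(count):
        fmt, rlen = struct.unpack_from("!II", body, off)
        yield fmt, body[off + 8:off + 8 + rlen]
        off += 8 + rlen


def _parse_flow(body):
    seq, src, rate, pool, drops, in_if, out_if, n = struct.unpack_from("!IIIIIIII", body, 0)
    flow = {"seq": seq, "ifindex": src & 0xFFFFFF, "rate": rate, "pool": pool,
            "drops": drops, "in": in_if, "out": out_if, "frames": []}
    for fmt, rec in _records(body, 32, n):
        if fmt == RAW_PACKET_HEADER:
            _proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", rec, 0)
            hdr = rec[16:16 + hdr_len]
            flow["frames"].append({"frame_len": frame_len, "dst_mac": hdr[0:6].hex(":"),
                                   "src_mac": hdr[6:12].hex(":"), "header": hdr})
    return flow


def _parse_counters(body):
    seq, src, n = struct.unpack_from("!III", body, 0)
    counters = {"seq": seq, "ifindex": src & 0xFFFFFF}
    for fmt, rec in _records(body, 12, n):
        if fmt == GENERIC_IF_COUNTERS:
            f = struct.unpack(IF_COUNTERS_FMT, rec)
            counters.update(if_speed=f[2], in_octets=f[5], out_octets=f[12])
    return counters


def estimated_bytes(flow):
    """Each sampled frame stands for about `rate` frames (1-in-N sampling)."""
    return sum(fr["frame_len"] * flow["rate"] for fr in flow["frames"])


# Constructed sample: Ethernet + IPv4 header of a 1500-byte frame seen on ifIndex 20.
SAMPLE_FRAME = bytes.fromhex("001122334455 66778899aabb 0800"
                             "4500 05dc 0000 4000 4006 0000 c0a80a0a c0a80b0b")
DATAGRAM = build_datagram("192.0.2.10", seq=7, uptime_ms=123456, samples=[
    build_flow_sample(1, 20, rate=512, pool=512, drops=0, in_if=20, out_if=21,
                      frame=SAMPLE_FRAME, frame_len=1500),
    build_counter_sample(1, 20, in_octets=10_000_000, out_octets=2_000_000),
])
```

To check a real switch, feed parse_datagram the UDP payloads captured by the sniffer command above; the rate field in each flow sample should equal the configured packet-sample-rate, and the counter samples should arrive once per sflow-counter-interval.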

Checking the sFlow configuration

Use the following command to display the sFlow configuration:

get system sflow


Feature licensing

Advanced features (such as dynamic routing protocols) require a feature license.

This chapter covers the following topics:
l About licenses on page 211
l Configuring licenses on page 211

About licenses

Each feature license is tied to the serial number of the FortiSwitch unit. Therefore, a feature license is valid on one
system.

Configuring licenses

Configuration consists of the following steps:

1. Check license status.
2. Add a license.

Checking the license status

Using the GUI:

1. Go to System > Dashboard.
2. Check which licenses are currently active.
They are listed in the Current License field of the System Information section.

Using the CLI:

execute license status

Adding a license

NOTE: Adding license keys causes the system to log you out.

Using the GUI:

1. Go to System > Config > Licenses.
2. Select Add License.


3. Enter your license key.
4. Select Add.

Using the CLI:

execute license add <key>

Removing a license

Using the GUI:

1. Go to System > Config > Licenses.
2. Select Delete for the license to remove.
3. Select Delete to acknowledge the warning.
NOTE: Deleting license keys causes the system to log you out before rebooting. You will lose all configurations related
to the license.

Using the CLI:

execute license type <type> clear


Layer-3 interfaces

Fortinet data center switches support loopback interfaces and switch virtual interfaces (SVIs), both of which are
described in this chapter.
This chapter covers the following topics:
l Loopback interfaces on page 213
l Switch virtual interfaces on page 214
l Layer-3 routing in hardware on page 215
l Equal cost multi-path (ECMP) routing on page 216
l Bidirectional forwarding detection on page 218
l Unicast reverse-path forwarding (uRPF) on page 219
l IP-MAC binding on page 220
l Virtual routing and forwarding on page 221

Loopback interfaces

A loopback interface is a special virtual interface created in software that is not associated with any hardware interface.
Dynamic routing protocols typically use a loopback interface as a reliable IP interface for routing updates. You can
assign the loopback IP address to the router rather than the IP address of a specific hardware interface. Services (such
as Telnet) can access the router using the loopback IP address, which remains available regardless of the status of the
hardware interfaces.
No limit exists on the number of loopback interfaces you can create.
A loopback interface does not have an internal VLAN ID or a MAC address and always uses a /32 network mask.

Configuring loopback interfaces

Using the GUI:

1. Go to System > Network > Interface > Loopback.
2. Select Add Interface.
3. Enter a name for the loopback interface.
4. Select Static for the mode and then enter the IP address and netmask in the IP/Netmask field.
5. Select the protocols allowed to access the loopback interface.
6. Select the administration status.
7. Select Add.

Using the CLI:

config system interface
edit "loopback"
set ip 172.168.20.1 255.255.255.255
set allowaccess ping https http ssh telnet
set type loopback
set snmp-index 28
next
end

Switch virtual interfaces

A switch virtual interface (or SVI) is a logical interface that is associated with a VLAN and supports routing and switching
protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two
different VLANs connected to a switch (no need to connect through a layer-3 router).

Configuring a switch virtual interface

Using the GUI:

1. Go to System > Network > Interface > VLAN.
2. Select Add VLAN.
3. Enter a name for the interface.
4. Select internal from the Interface drop-down list.
5. Enter a VLAN identifier in the VLAN ID field.
6. Select Static for the mode and enter an IP address and netmask in the IP/Netmask field.
7. Select the administration status.
8. Select PING, SSH, and TELNET for the Access options.
9. Select Add.

Using the CLI:

Create a system interface. Give it an IP subnet and an associated VLAN:

config system interface
edit <system interface name>
set ip <IP address and mask>
set vlanid <vlan>
set allowaccess ping ssh telnet
next
end

Example SVI configuration

The following is an example CLI configuration for SVI static routing.

In this configuration, Server-1 is connected to switch Port1, and Server-2 is connected to switch Port2. Port1 is a
member of VLAN 4000, and Port2 is a member of VLAN 2. Port1 is the gateway for Server-1, and Port2 is the gateway
for Server-2.
NOTE: For simplicity, assume that both port1 and port2 are on the same switch.


1. Configure the native VLANs for Port 1 and Port 2:

config switch interface
edit port1
set native-vlan 4000
next
edit port2
set native-vlan 2
next
end

2. Create L3 system interfaces that correspond to Port 1 (VLAN 4000) and Port 2 (VLAN 2):

config system interface
edit vlan4000
set ip 192.168.11.1/24
set vlanid 4000
set allowaccess ping ssh telnet
next
edit vlan2
set ip 192.168.10.1/24
set vlanid 2
set allowaccess ping ssh telnet
next
end

Viewing the SVI configuration

Display the status of the SVI configuration using the following command:

show system interface [ <system interface name> ]

Layer-3 routing in hardware

In FortiSwitchOS 3.3.0 and later, some FortiSwitch models support hardware-based layer-3 forwarding.
For FortiSwitch models that support Equal Cost Multi-Path (ECMP) (see Feature matrix: FortiSwitchOS 6.4.3 on page
17), forwarding for all ECMP routes is performed in hardware.
For switch models that support hardware-based layer-3 forwarding but do not support ECMP, only one route to each
destination will be hardware-forwarded. If you configure multiple routes to the same destination, you can configure a
priority value for each route. Only the route with highest priority will be forwarded by the hardware. If no priority values
are assigned to the routes, the most recently configured route is forwarded by the hardware.

Router activity

Logging allows you to review all router activity.

NOTE: Router logs are available only on supported platforms if you have the advanced features license.


To enable router logging:

1. Go to Log > Config.
2. Under Event Logging, select Enable and Router.
3. Select Apply.

To view router logs:

1. Go to Log > Event Log > Router.
2. Select Download Router Log to review the entries offline.

Equal cost multi-path (ECMP) routing

ECMP is a forwarding mechanism that enables load-sharing of traffic across multiple paths of equal cost. An ECMP set is
formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of
equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a
hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the
following fields of the packet to be routed:
l Source IP
l Destination IP
l Input port

Configuring ECMP

The switch automatically uses ECMP to choose between equal-cost routes. The fields used as hash input are selected
with the ip-ecmp-mode setting shown below. This setting is system-wide, and the source IP address is the default.

Notes and Restrictions

When you configure a static route with a gateway, the gateway must be in the same IP subnet as the device. Also, the
destination subnet cannot match any of device IP subnets in the switch.
When you configure a static route without a gateway, the destination subnet must be in the same IP subnet as the
device.

Using the CLI:

config system settings
set ip-ecmp-mode [ source-ip-based ] [ dst-ip-based ] [ port-based ]
end

Example ECMP configuration

The following is an example CLI configuration for ECMP forwarding.


In this configuration, ports 2 and 6 are routed ports. Interfaces I-RED and I-GREEN are routed VLAN interfaces. The
remaining ports in the switch are normal layer-2 ports.
1. Configure native VLANs for ports 2, 6, and 9. Also configure the “internal” interface to allow native VLANs for ports
2, 6, and 9:

config switch interface
edit port2
set native-vlan 10
next
edit port6
set native-vlan 20
next
edit port9
set native-vlan 30
next
edit internal
set allowed-vlans 10,20,30
next
end

2. Configure the system interfaces:

config system interface
edit "internal"
set type physical
next
edit "i-blue"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set vlanid 10
set interface internal
next
edit "i-red"
set ip 172.16.11.1 255.255.255.0
set allowaccess ping ssh telnet
set vlanid 20
set interface internal
next
edit "i-green"
set ip 172.168.13.1 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set vlanid 30
set interface internal
next
end

3. Configure static routes. This code configures multiple next-hop gateways for the same network:

config router static
edit 1
set device "mgmt"
set gateway 10.105.0.1
set status enable
next
edit 2
set device "i-red"
set dst 8.8.8.0/24
set gateway 172.16.11.2
set status enable
next
edit 3
set device "i-green"
set dst 8.8.8.0/24
set gateway 172.168.13.2
set status enable
next
end
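How the routes above turn into an ECMP set, and how ip-ecmp-mode decides which next hop a given packet takes, is illustrated by the following added example. It is not FortiSwitch code: the routing table is the two equal-cost 8.8.8.0/24 routes plus the default route from the configuration above, the traffic is constructed, and SHA-256 stands in for the switch ASIC's hash, which is not documented here. The property it demonstrates holds for any hash: with the default source-ip-based mode every packet from one host follows one path (no reordering, but no balancing for a single busy host), and only adding destination or input-port fields spreads that host's traffic.

```python
import hashlib
import ipaddress
from collections import Counter

# (destination, device, gateway): the two equal-cost 8.8.8.0/24 routes from the
# example above plus the default route.
ROUTES = [
    ("8.8.8.0/24", "i-red", "172.16.11.2"),
    ("8.8.8.0/24", "i-green", "172.168.13.2"),
    ("0.0.0.0/0", "mgmt", "10.105.0.1"),
]


def ecmp_set(dst_ip, routes=ROUTES):
    """Longest-prefix match; every route sharing the winning prefix forms the ECMP set."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(d), dev, gw) for d, dev, gw in routes
               if dst in ipaddress.ip_network(d)]
    if not matches:
        return []
    best = max(net.prefixlen for net, _, _ in matches)
    return [(dev, gw) for net, dev, gw in matches if net.prefixlen == best]


def hash_key(pkt, modes):
    """Assemble the hash input from the fields selected by ip-ecmp-mode."""
    parts = []
    if "source-ip-based" in modes:
        parts.append(pkt["src"])
    if "dst-ip-based" in modes:
        parts.append(pkt["dst"])
    if "port-based" in modes:
        parts.append("port%d" % pkt["in_port"])
    if not parts:
        raise ValueError("ip-ecmp-mode must select at least one field")
    return "|".join(parts).encode()


def select_next_hop(pkt, modes=("source-ip-based",), routes=ROUTES):
    """Return (device, gateway) for the packet, or None when no route matches."""
    cands = ecmp_set(pkt["dst"], routes)
    if not cands:
        return None
    if len(cands) == 1:
        return cands[0]
    cands.sort()                      # stable order so the same key always picks the same hop
    digest = hashlib.sha256(hash_key(pkt, modes)).digest()   # assumption: stands in for the ASIC hash
    return cands[int.from_bytes(digest[:4], "big") % len(cands)]


def distribution(packets, modes):
    """Count how many packets land on each device for a given hash mode."""
    return Counter(select_next_hop(p, modes)[0] for p in packets)


# Constructed traffic: 200 hosts on one VLAN all talking to 8.8.8.8, plus one host
# whose packets enter on four different ports.
MANY_SOURCES = [{"src": "192.168.11.%d" % h, "dst": "8.8.8.8", "in_port": 1} for h in range(1, 201)]
ONE_SOURCE = [{"src": "192.168.11.1", "dst": "8.8.8.8", "in_port": p} for p in (1, 2, 3, 4)]

if __name__ == "__main__":
    print("200 hosts, source-ip-based:", distribution(MANY_SOURCES, ("source-ip-based",)))
    print("one host, source-ip-based:", distribution(ONE_SOURCE, ("source-ip-based",)))
    print("one host, source+port:", distribution(ONE_SOURCE, ("source-ip-based", "port-based")))
```

Because the choice is a function of the hashed fields only, a per-flow path stays fixed as long as the ECMP set does not change; when a member route goes down the set shrinks and every flow is re-hashed, which is the moment BFD (described below) is meant to detect quickly.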

Viewing ECMP configuration

Display the status of the ECMP configuration using the following command:

show system interface [ <system interface name> ]

Bidirectional forwarding detection

FortiSwitchOS v3.4.2 and later supports static bidirectional forwarding detection (BFD), a point-to-point protocol to
detect faults in the datapath between the endpoints of an IETF-defined tunnel (such as IP, IP-in-IP, GRE, and
MPLS LSP/PW).
BFD defines demand mode and asynchronous mode operation. The FortiSwitch unit supports asynchronous mode. In
this mode, the systems periodically send BFD control packets to one another, and if a number of those packets in a row
are not received by the other system, the session is declared to be down.
BFD packets are transported using UDP/IP encapsulation and BFD control packets are identified using well-known UDP
destination port 3784 (NOTE: BFD echo packets are identified using 3785).
BFD packets are not visible to the intermediate nodes and are generated and processed by the tunnel end systems only.

Configuring BFD

Use the following steps to configure BFD:

1. Configure the following values in the system interface:
l Enable BFD: Set to enable, or set to global to inherit the global configuration value.
l Desired min TX interval: The minimum interval that the local system would like to use between transmissions
of BFD control packets. The value range is 200 ms – 30,000 ms. The default value is 250.
l Required min RX interval: The minimum interval that the local system can support between receipt of BFD
control packets. If you set this value to zero, the remote system will not transmit BFD control packets. The value
range is 200 ms – 30,000 ms. The default value is 250.
l Detect multi: The detection time multiplier. The negotiated transmit interval multiplied by this value is the
Detection Time for the receiving system. The value range is 1 – 20. The default is 3.
2. Enable BFD in the static router configuration.

Using the CLI:

config system interface
edit <system interface name>
set bfd {enable | disable | global}
set bfd-desired-min-tx <number of ms>
set bfd-required-min-rx <number of ms>
set bfd-detect-multi [1…20]
next
end
config router static
edit 1
set bfd enable
set status enable
next
end

Viewing BFD configuration

Using the GUI:

Go to Router > Monitor > BFD Neighbor.

Using the CLI:

To display the status of BFD sessions:

get router info bfd neighbor [ <IP address of neighbor>]
OurAddr NeighAddr LD/RD State Int
192.168.15.2 192.168.15.1 1/4 UP vlan2000
192.168.16.2 192.168.16.1 2/2 UP vlan2001

To filter the command output:

get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]

Unicast reverse-path forwarding (uRPF)

RPF, also called anti-spoofing, prevents an IP packet from being forwarded if its source IP address does not belong to a
locally attached subnet (local interface) or is not part of the routing between the FortiSwitch unit and another source
(such as a static route, RIP, OSPF, or BGP).
In unicast RPF, the router not only looks up the destination information but it also looks up the source information to
ensure that it exists. If no source is found, that packet is dropped because the router assumes it is an error or an attack
on the network.
There are two uRPF modes:
l Strict—The packet must be received on the same interface that the router uses to forward the return packet. In this
mode, asymmetric routing paths in the network might cause legitimate traffic to be dropped.
l Loose—The routing table must include the source IP address of the packet. If you disable the
src-check-allow-default option, the packet is dropped if the source IP address is not found in the routing table. If you
enable the src-check-allow-default option, the packet is allowed even if the source IP address is not found in the
routing table, but the default route is found in the routing table.

Configuring uRPF

By default, uRPF is disabled. You must enable it on each interface that you want protected.


config system interface
edit <interface_name>
set src-check {disable | loose | strict}
set src-check-allow-default {enable | disable}   // available only when src-check is set to loose
next
end

IP-MAC binding

Use IP-MAC binding to prevent ARP spoofing.

The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-
MAC binding table.
You can enable/disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Configuring IP-MAC binding

Use the following steps to configure IP-MAC binding:

1. Enable the IP-MAC binding global setting.
2. Create the IP-MAC bindings. You can activate each binding individually.
3. Set each port to follow the global setting. You can also override the global setting for individual ports by enabling or
disabling IP-MAC binding for the port.

Using the GUI:

Create the IP-MAC binding:

1. Go to Switch > IP MAC Binding.
2. Select Add IP MAC Binding to create a new binding.
3. Select Status.
4. Enter the IP address and netmask.
5. Enter the MAC address.
6. Select Add.

Using the CLI:

config switch global
set ip-mac-binding {enable | disable}
end

config switch ip-mac-binding
edit 1
set ip <IP address and network mask>
set mac <MAC address>
set status {enable | disable}
next
end

config switch interface
edit <port>
set ip-mac-binding {enable | disable | global}
next
edit <trunk name>
set ip-mac-binding {enable | disable | global}
next
end

Notes

l For a switch port, the default IP-MAC binding value is disabled.
l When you configure a trunk, the trunk follows the global value by default. You can also explicitly enable or disable
IP-MAC binding for a trunk, as shown in the CLI configuration.
l When you add member ports to the trunk, all ports take on the trunk setting. If you later remove a port from the
trunk group, the port is reset to the default value (disabled).
l No duplicate entries are allowed in the mapping table.
l Rules are disabled by default. You need to explicitly enable each rule.
l The mapping table holds up to 1024 rules.
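The two ingress anti-spoofing checks described in this chapter, uRPF (strict and loose with src-check-allow-default) and IP-MAC binding (with the per-port override of the global setting and rules that are disabled until enabled), are modelled together in the following added example. It is not FortiSwitch code: the routing table, the binding table and the packets are constructed, and the way strict mode treats a source covered only by the default route is an assumption marked in the code, since the text above only defines that case for loose mode.

```python
import ipaddress

# Constructed routing table (prefix, egress interface), modelled on the SVI example
# earlier in this chapter; the default route leaves through the management interface.
ROUTES = [
    ("192.168.10.0/24", "vlan2"),
    ("192.168.11.0/24", "vlan4000"),
    ("10.0.0.0/8", "vlan4000"),
    ("0.0.0.0/0", "mgmt"),
]

# Constructed binding table, one dict per "config switch ip-mac-binding" entry.
BINDINGS = [
    {"ip": "192.168.10.20/32", "mac": "00:11:22:33:44:55", "status": "enable"},
    {"ip": "192.168.11.0/24", "mac": "66:77:88:99:aa:bb", "status": "enable"},
    {"ip": "192.168.10.99/32", "mac": "de:ad:be:ef:00:01", "status": "disable"},  # rules start disabled
]


def lookup(src_ip, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_allows(src_ip, in_iface, src_check="disable", allow_default=False, routes=ROUTES):
    """src-check {disable | loose | strict}; allow_default is src-check-allow-default (loose only)."""
    if src_check == "disable":
        return True
    hit = lookup(src_ip, routes)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0:
        # Only the default route covers this source. Loose mode accepts it only with
        # src-check-allow-default; treating strict mode as a drop here is an assumption.
        return src_check == "loose" and allow_default
    if src_check == "loose":
        return True
    if src_check == "strict":
        return iface == in_iface        # the return path must leave via the ingress interface
    raise ValueError("unknown src-check mode: %s" % src_check)


def binding_active(port_setting, global_setting):
    """Per-port enable/disable overrides the switch-wide value; 'global' inherits it."""
    if port_setting == "global":
        return global_setting == "enable"
    return port_setting == "enable"


def ip_mac_allows(src_ip, src_mac, active, bindings=BINDINGS):
    """With binding active, accept only (source IP, source MAC) pairs present in an enabled rule."""
    if not active:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(b["status"] == "enable"
               and ip in ipaddress.ip_network(b["ip"])
               and b["mac"].lower() == src_mac.lower()
               for b in bindings)


def ingress_allows(pkt, port_cfg, switch_cfg):
    """Apply both checks to one received packet the way a port would."""
    active = binding_active(port_cfg.get("ip-mac-binding", "disable"),
                            switch_cfg.get("ip-mac-binding", "disable"))
    return (urpf_allows(pkt["src"], pkt["in_iface"],
                        port_cfg.get("src-check", "disable"),
                        port_cfg.get("src-check-allow-default", False))
            and ip_mac_allows(pkt["src"], pkt["mac"], active))


if __name__ == "__main__":
    port = {"src-check": "strict", "ip-mac-binding": "global"}
    switch = {"ip-mac-binding": "enable"}
    for pkt in ({"src": "192.168.10.20", "mac": "00:11:22:33:44:55", "in_iface": "vlan2"},
                {"src": "192.168.10.20", "mac": "00:11:22:33:44:55", "in_iface": "vlan4000"},
                {"src": "192.168.10.20", "mac": "de:ad:be:ef:00:01", "in_iface": "vlan2"}):
        print(pkt["src"], pkt["in_iface"], pkt["mac"], "->",
              "accept" if ingress_allows(pkt, port, switch) else "drop")
```

The second packet in the usage block is legitimate traffic arriving through an asymmetric path; strict mode drops it, which is the trade-off the text warns about, while loose mode would accept it because 192.168.10.0/24 is in the table.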

Viewing IP-MAC binding configuration

Display the status of IP-MAC binding using the following command:

show switch ip-mac-binding <entry number>

Virtual routing and forwarding

You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.
Use the following steps to configure VRF:
1. Create a VRF instance.
2. Assign the VRF instance to a switch virtual interface (SVI).
3. Assign the VRF instance to an IPv4 or IPv6 static route.
4. Check the VRF configuration.

1. Create a VRF instance

You create a VRF instance by assigning a name and an identifier.

l The VRF name cannot match any SVI name.
l The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the
same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot
be changed.

config router vrf
edit <string>
set vrfid <VRF_ID>
end

For example:
config router vrf
edit vrfv4
set vrfid 1
next
edit vrfv6
set vrfid 2
next
end

2. Assign the VRF instance to a SVI

You assign the VRF instance to an SVI when you create the SVI. After the SVI is created, the VRF instance cannot be
changed or unset.
You can assign the same VRF instance to more than one SVI. The VRF instance cannot be assigned to an internal SVI.
config system interface
edit <interface_name>
set vrf <string>
end

For example:
config system interface
edit v40
set vlanid 40
set vrf vrfv4
next
edit v50
set vlanid 50
set vrf vrfv4
next
end

3. Assign the VRF instance to a static route

You assign the VRF instance to an IPv4 or IPv6 static route when you create the static route. After the static route is
created, the VRF instance cannot be changed or unset.
You can assign the same VRF instance to more than one static route.
config router static
edit <seq-num>
set vrf <string>
end

config router static6
edit <seq-num>
set vrf <string>
end

For example:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set status enable
set vrf vrfv4
end

config router static6
edit 2
set dst 5555::/64
set gateway 4000::2
set status enable
set vrf vrfv6
end

4. Check the VRF configuration

Use the following commands to check the VRF configuration:

l get router info routing-table all
l get router info6 routing-table


DHCP server and relay

A DHCP server provides an address, from a defined address range, to a client on the network that requests it.
You can configure one or more DHCP servers on any FortiSwitch interface. A DHCP server dynamically assigns IP
addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP
addresses using DHCP.
You can configure a FortiSwitch interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to
an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have the appropriate
routing so that its response packets to the DHCP clients arrive at the unit.
NOTE:
l DHCP snooping and the DHCP server can be enabled at the same time.
l The DHCP server and DHCP relay cannot be enabled at the same time.
This chapter covers the following topics:
l Configuring a DHCP server on page 224
l Detailed operation of a DHCP relay on page 230
l Configuring a DHCP relay on page 230

Configuring a DHCP server

NOTE: The 4xx, 5xx, 1xxx, and 3xxx models support configuring DHCP servers. The following table lists the maximum
number of clients for the supported FortiSwitch models:

FortiSwitch models          Maximum number of clients
4xx                         15,000
5xx                         20,000
1024D, 1048D, 3032D         30,000
1048E, 3032E                50,000

Using the GUI:

1. Go to System > DHCP.
2. Select Add DHCP Server.
3. Required. In the ID field, enter a number to identify the entry.
4. Select the Enable checkbox to make the DHCP server active.
5. Select the Auto-Configuration checkbox if you want the DHCP server to dynamically assign IP addresses to hosts
on the network connected to the interface.
6. Required. In the Netmask field, enter the netmask of the addresses that the DHCP server assigns.


7. In the Interface drop-down list, select an interface. The DHCP server assigns IP configurations to clients connected
to this interface.
8. Required. In the Lease Time field, enter the lease time in seconds. The lease time determines the length of time
an IP address remains assigned to a client.
9. Required. In the Conflicted IP Timeout field, enter the number of seconds before a conflicted IP address is
removed from the DHCP range and is available to be reused.
10. In the Default Gateway field, enter the IP address of the default gateway that the DHCP server assigns to DHCP
clients.
11. In the Domain field, enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.
12. In the Next Server field, enter the IPv4 address of a server (for example, a TFTP server) that DHCP clients can
download a boot file from.
13. In the Filename field, enter the name of the boot file on the TFTP server.
14. In the DNS Service Type drop-down list, select how DNS servers are assigned to DHCP clients.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured DNS servers.
o Select Local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address.
o Select Specify to enter IPv4 addresses for up to three DNS servers.
15. In the Controller 1, Controller 2, and Controller 3 fields, enter the IPv4 addresses for the WiFi access controllers.
16. In the NTP Service Type drop-down list, select how Network Time Protocol (NTP) servers are assigned to DHCP
clients.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured NTP servers.
o Select Local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address.
o Select Specify to enter the IPv4 address for up to three NTP servers.
17. In the WINS Server section, enter the IPv4 addresses for the Windows Internet Name Service (WINS) servers.
18. In the Timezone Mode drop-down list, select how the DHCP server sets the clientʼs time zone.
o Select Default for clients to be assigned the FortiSwitch unitʼs configured time zone.
o Select Disable for the DHCP server to not set the clientʼs time zone.
o Select Specify to choose which time zone is assigned to DHCP clients.
19. In the VCI area, select the Enable checkbox to enter the vendor class identifier (VCI) to match. When enabled, only
DHCP requests with a matching VCI are served.
20. In the IP Ranges section, you can configure the IP address range.
a. In the ID field, enter a unique number to identify the entry or use the default value.
b. Required. In the Start IP field, enter the start of the DHCP IP address range.
c. Required. In the End IP field, enter the end of the DHCP IP address range.
d. To add another IP address range, select Add IP Range.
21. In the Exclusion Ranges section, you can block a range of addresses that will not be included in the available
addresses for the connecting users.
a. Select Add Exclusion Range.
b. In the ID field, enter a number to identify the entry or use the default value.
c. In the Start IP field, enter the start of the IP address range that will not be assigned to clients.
d. In the End IP field, enter the end of the IP address range that will not be assigned to clients.
e. To add another exclusion range, select Add Exclusion Range.
22. In the Reserved Addresses section, you can reserve IP addresses for the DHCP server to use to assign IP
addresses to specific MAC addresses.
a. Select Add IP.
b. In the ID field, enter a number to identify the entry or use the default value.


c. In the Type drop-down list, select whether to match the IP address with the MAC address or DHCP option 82.
d. In the Action drop-down list, select how the DHCP server configures the client with the reserved MAC address.
Select Reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.
Select Assign for the DHCP server to configure the client with this MAC address like any other client. Select
Block to prevent the DHCP server from assigning IP settings to the client with this MAC address.
e. In the Description field, enter a description of this entry.
f. In the IP field, enter the IPv4 address to be reserved for the MAC address. This value is required when the
action is Reserved and the type is MAC.
g. In the MAC field, enter the MAC address of the client that will get the reserved IP address. This value is
required when the type is MAC and the action is Assign or Block.
h. In the Circuit Type drop-down list, select whether the format of the Circuit ID is hexadecimal or string. This
option is only available when the type is Option-82.
i. In the Circuit ID field, enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address.
The Circuit ID format is controlled by the Circuit Type setting. This value is required when the type is Option-
82.
j. In the Remote Type drop-down list, select whether the format of the Remote ID is hexadecimal or string. This
option is only available when the type is Option-82.
k. In the Remote ID field, enter the DHCP option-82 Remote ID of the client that will get the reserved IP address.
This value is required when the type is Option-82.
l. To add another reserved address, select Add IP.
23. In the Options section, you can add up to 30 DHCP custom options.
a. Select Add Option.
b. In the ID field, enter a number to identify the entry or use the default value.
c. In the Type drop-down list, select the format of the DHCP option: fully qualified domain name (FQDN),
hexadecimal, IP address, or string.
d. In the Code field, select the DHCP option code. The range is 0-255.
e. In the Value field, enter the DHCP option value. This value is required when the type is set to FQDN, Hex, or
String.
f. In the IP field, enter the IP address. This value is required when the type is set to IP.
g. To add another DHCP custom option, select Add Option.
24. Select Add to save the new DHCP server.

Using the CLI:

config system dhcp server
edit <id>
set auto-configuration {enable | disable}
set conflicted-ip-timeout <integer>
set default-gateway <xxx.xxx.xxx.xxx>
set dns-server1 <xxx.xxx.xxx.xxx>
set dns-server2 <xxx.xxx.xxx.xxx>
set dns-server3 <xxx.xxx.xxx.xxx>
set dns-service {default | local | specify}
set domain <string>
set filename <string>
set interface <string>
set lease-time <integer>
set netmask <xxx.xxx.xxx.xxx>
set next-server <xxx.xxx.xxx.xxx>
set ntp-server1 <xxx.xxx.xxx.xxx>
set ntp-server2 <xxx.xxx.xxx.xxx>
set ntp-server3 <xxx.xxx.xxx.xxx>
set ntp-service {default | local | specify}
set status {enable | disable}
set tftp-server <xxx.xxx.xxx.xxx>
set timezone <00-75>
set timezone-option {default | disable | specify}
set vci-match {enable | disable}
set vci-string <VCI_strings>
set wifi-ac1 <xxx.xxx.xxx.xxx>
set wifi-ac2 <xxx.xxx.xxx.xxx>
set wifi-ac3 <xxx.xxx.xxx.xxx>
set wins-server1 <xxx.xxx.xxx.xxx>
set wins-server2 <xxx.xxx.xxx.xxx>
next
end

For example:
config system dhcp server
edit 1
set default-gateway 50.50.50.2
set domain "FortiswitchTest.com"
set filename "text1.conf"
set interface "svi10"
config ip-range
edit 1
set end-ip 50.50.0.10
set start-ip 50.50.0.5
next
end
set lease-time 360
set netmask 255.255.0.0
set next-server 60.60.60.2
config options
edit 1
set value "dddd"
next
end
set tftp-server "1.2.3.4"
set timezone-option specify
set wifi-ac1 5.5.5.1
set wifi-ac2 5.5.5.2
set wifi-ac3 5.5.5.3
set wins-server1 6.6.6.1
set wins-server2 6.6.6.2
set dns-server1 7.7.7.1
set dns-server2 7.7.7.2
set dns-server3 7.7.7.3
set ntp-server1 8.8.8.1
set ntp-server2 8.8.8.2
set ntp-server3 8.8.8.3
next
end

Configuring the IP address range

By default, the FortiSwitch unit assigns an address range based on the address of the interface for the complete scope
of the address. For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to
172.20.120.254.

To configure the IP address range:

config system dhcp server
edit <id>
config ip-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
next
end

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in
the available addresses for the connecting users.

To exclude addresses in DHCP:

config system dhcp server
edit <id>
config exclude-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
next
end

Assigning IP settings to specific MAC addresses

If you want the DHCP server to assign IP addresses to specific MAC addresses, you need to reserve the IP addresses.

To reserve IP addresses:

config system dhcp server
edit <id>
config reserved-address
edit <id>
set action {assign | block | reserved}
set circuit-id {<string> | <hex>}
set circuit-id-type {hex | string}
set description <string>
set ip <xxx.xxx.xxx.xxx>
set mac <xx:xx:xx:xx:xx:xx>
set remote-id {<string> | <hex>}
set remote-id-type {hex | string}
set type {mac | option82}
next
end
next
end
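The pool, exclusion-range and reserved-address settings described above, as an added example that is not FortiSwitchOS code. default_range follows the guide's description of the default pool (its example, 172.20.120.230 giving .231 to .254, implies a /24, which the caller supplies explicitly); the exclusion range and the MAC reservations in example_scope are constructed values placed around the guide's 50.50.0.5 to 50.50.0.10 range, and the reserved/assign/block actions behave as the GUI step describes them.

```python
"""Model of the DHCP scope settings described above: the default pool
derived from the interface address, explicit IP ranges, exclusion ranges
and reserved addresses with their reserved/assign/block actions.
Added example for illustration; not FortiSwitchOS code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Iterator, List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]


def default_range(interface: str) -> Range:
    """Default pool as the guide describes it: from the address after the
    interface address to the last usable host address of the subnet.
    The guide's example (172.20.120.230 -> .231 to .254) implies a /24,
    so the prefix length is passed explicitly (assumption)."""
    iface = IPv4Interface(interface)
    start = iface.ip + 1
    end = iface.network.broadcast_address - 1
    if start > end:
        raise ValueError("interface address leaves no usable pool")
    return start, end


@dataclass
class Reservation:
    mac: str
    action: str                       # "reserved", "assign" or "block"
    ip: Optional[IPv4Address] = None  # required when action is "reserved"


@dataclass
class Scope:
    ranges: List[Range]
    exclusions: List[Range] = field(default_factory=list)
    reservations: Dict[str, Reservation] = field(default_factory=dict)
    leases: Dict[IPv4Address, str] = field(default_factory=dict)  # ip -> mac

    def reserve(self, mac: str, action: str, ip: Optional[str] = None) -> None:
        if action not in ("reserved", "assign", "block"):
            raise ValueError(f"unknown action {action!r}")
        if action == "reserved" and ip is None:
            raise ValueError("a reserved entry needs an IP address")
        self.reservations[mac.lower()] = Reservation(
            mac.lower(), action, IPv4Address(ip) if ip else None)

    def _excluded(self, ip: IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def _candidates(self) -> Iterator[IPv4Address]:
        for lo, hi in self.ranges:
            ip = lo
            while ip <= hi:
                yield ip
                ip += 1

    def offer(self, mac: str) -> Optional[IPv4Address]:
        """Return the address the server would offer this client, or None
        when the client is blocked or the pool is exhausted."""
        mac = mac.lower()
        for ip, holder in self.leases.items():   # an existing lease is renewed
            if holder == mac:
                return ip
        res = self.reservations.get(mac)
        if res is not None:
            if res.action == "block":
                return None
            if res.action == "reserved":
                self.leases[res.ip] = mac
                return res.ip
            # "assign": the client is treated like any other client
        held_back = {r.ip for r in self.reservations.values() if r.action == "reserved"}
        for ip in self._candidates():
            if self._excluded(ip) or ip in held_back or ip in self.leases:
                continue
            self.leases[ip] = mac
            return ip
        return None


def example_scope() -> Scope:
    """Scope built from the guide's CLI example range (50.50.0.5 to 50.50.0.10)
    with a constructed exclusion range and constructed reservations."""
    scope = Scope(ranges=[(IPv4Address("50.50.0.5"), IPv4Address("50.50.0.10"))],
                  exclusions=[(IPv4Address("50.50.0.6"), IPv4Address("50.50.0.7"))])
    scope.reserve("AA:BB:CC:DD:EE:01", "reserved", "50.50.0.9")
    scope.reserve("AA:BB:CC:DD:EE:02", "block")
    return scope


if __name__ == "__main__":
    print(default_range("172.20.120.230/24"))
    s = example_scope()
    for client in ("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01",
                   "00:11:22:33:44:55", "00:11:22:33:44:66"):
        print(client, "->", s.offer(client))
```

A blocked MAC gets nothing, a reserved MAC always gets its fixed address, and that address is held back from the dynamic pool so it can never be handed to another client; excluded addresses are skipped in the same pass.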

Configuring DHCP custom options

The DHCP server maintains a table for the potential options. The FortiSwitch DHCP server supports up to a maximum
of 30 custom options.

To configure the DHCP custom options:

config system dhcp server
edit <id>
config options
edit <id>
set code <integer>
set ip <IP_addresses>
set type {fqdn | hex | ip | string}
set value <string>
next
end
next
end
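The four option types listed above determine how a value is laid out on the wire. The encoder below is an added example, not FortiSwitchOS code: it frames each option as an RFC 2132 code/length/data triple, enforces the 30-option limit the guide states, and assumes (this example's choice, not something the guide specifies) that an fqdn value is carried as RFC 1035 length-prefixed labels.

```python
"""Wire encoder for the custom DHCP options described above, keyed on the
option type the guide lists (fqdn, hex, ip, string). Added example; not
FortiSwitchOS code. Option framing follows RFC 2132 (code, length, data);
carrying an FQDN as RFC 1035 length-prefixed labels is this example's
assumption about what the 'fqdn' type means on the wire."""
from ipaddress import IPv4Address
from typing import List, Tuple

MAX_CUSTOM_OPTIONS = 30        # limit stated in the guide
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def encode_value(opt_type: str, value: str) -> bytes:
    """Turn the GUI/CLI value string into option data bytes."""
    if opt_type == "ip":
        # One or more IPv4 addresses, four bytes each (space separated).
        return b"".join(IPv4Address(a).packed for a in value.split())
    if opt_type == "hex":
        return bytes.fromhex(value.replace(":", "").replace(" ", ""))
    if opt_type == "string":
        return value.encode("ascii")
    if opt_type == "fqdn":
        out = bytearray()
        for label in value.rstrip(".").split("."):
            if not 0 < len(label) <= 63:
                raise ValueError(f"bad DNS label {label!r}")
            out += bytes([len(label)]) + label.encode("ascii")
        return bytes(out) + b"\x00"        # root label terminates the name
    raise ValueError(f"unknown option type {opt_type!r}")


def encode_option(code: int, opt_type: str, value: str) -> bytes:
    """RFC 2132 TLV: one-octet code, one-octet length, data."""
    if not 0 <= code <= 255:
        raise ValueError("option code must be 0-255")
    if code in (0, 255):
        raise ValueError("0 (pad) and 255 (end) carry no data")
    data = encode_value(opt_type, value)
    if not 0 < len(data) <= 255:
        raise ValueError("option data must be 1-255 bytes")
    return bytes([code, len(data)]) + data


def encode_options(options: List[Tuple[int, str, str]]) -> bytes:
    """Options field of a DHCP message: magic cookie, options, end marker."""
    if len(options) > MAX_CUSTOM_OPTIONS:
        raise ValueError(f"at most {MAX_CUSTOM_OPTIONS} custom options")
    codes = [c for c, _, _ in options]
    if len(codes) != len(set(codes)):
        raise ValueError("duplicate option code")
    body = b"".join(encode_option(c, t, v) for c, t, v in options)
    return MAGIC_COOKIE + body + b"\xff"


if __name__ == "__main__":
    # Constructed values: DNS servers from the guide's example plus a domain name.
    print(encode_options([(6, "ip", "7.7.7.1 7.7.7.2"),
                          (15, "string", "FortiswitchTest.com")]).hex())
```

The length-octet check matters in practice: an option whose data exceeds 255 bytes cannot be expressed in a single TLV, and a naive encoder that truncated the length byte would produce a message that parses into garbage on the client.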

Listing DHCP leases

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the
address is released for allocation to the next client that requests an IP address. Use one of the following commands to
check the DHCP leases:
execute dhcp lease-list
execute dhcp lease-list <interface>

Breaking DHCP leases

If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer
lease times when some leases are no longer necessary, for example, with corporate visitors. Use one of the following
commands to break the DHCP leases:
execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>

Detailed operation of a DHCP relay

A DHCP relay operates as follows:

1. DHCP client C broadcasts a DHCP/BOOTP discover message on its subnet.
2. The relay agent examines the gateway IP address field in the DHCP/BOOTP message header. If the field has an IP
address of 0.0.0.0, the agent fills it with the relay agent's or router's IP address and forwards the message to the
remote subnet of the DHCP server.
3. When the DHCP server receives the message, it examines the gateway IP address field for a DHCP scope that can be
used by the DHCP server to supply an IP address lease.
4. If the DHCP server has multiple DHCP scopes, the address in the gateway IP address field (GIADDR) identifies the
DHCP scope from which to offer an IP address lease.
5. The DHCP server sends an IP address lease offer (DHCPOFFER) directly to the relay agent identified in the gateway IP
address (GIADDR) field.
6. The router then relays the address lease offer (DHCPOFFER) to the DHCP client.
NOTE:
• DHCP relay service supports up to 8 relay targets per interface.
• Each target is sent a copy of the DHCP message.
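The six steps above as an added example that is not part of the guide: a constructed DHCPDISCOVER, the relay agent's GIADDR and hop handling with the 8-target limit, and the server-side scope selection driven by GIADDR. Field offsets follow the fixed BOOTP header of RFC 2131; the addresses 192.168.15.1 (relay) and 192.168.23.2 (server) are the ones used in the relay configuration example in this section.

```python
"""Relay-agent and server-side steps of the DHCP relay description above.
Added example; not FortiSwitchOS code. Field offsets follow the fixed
BOOTP header of RFC 2131; the 8-target limit is the one the guide states."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MAX_RELAY_TARGETS = 8
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFFSET = 3
GIADDR_OFFSET = 24   # op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4)
HEADER_LEN = 236


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER (BOOTREQUEST, giaddr 0.0.0.0, broadcast flag,
    option 53 = 1) used by the examples below."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def giaddr(msg: bytes) -> IPv4Address:
    return IPv4Address(msg[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def hops(msg: bytes) -> int:
    return msg[HOPS_OFFSET]


def relay(msg: bytes, relay_ip: str, targets: List[str]) -> List[Tuple[str, bytes]]:
    """Step 2: fill GIADDR only while it is still 0.0.0.0 (a message that
    already crossed a relay keeps the first relay's address), count the
    hop, and hand one copy to every configured target."""
    if not 1 <= len(targets) <= MAX_RELAY_TARGETS:
        raise ValueError(f"1 to {MAX_RELAY_TARGETS} relay targets per interface")
    if len(msg) < HEADER_LEN + 4 or msg[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if msg[0] != 1:
        raise ValueError("only BOOTREQUEST messages are relayed toward servers")
    out = bytearray(msg)
    if giaddr(msg) == IPv4Address("0.0.0.0"):
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = IPv4Address(relay_ip).packed
    out[HOPS_OFFSET] = min(out[HOPS_OFFSET] + 1, 255)
    frozen = bytes(out)
    return [(target, frozen) for target in targets]


def select_scope(msg: bytes, scopes: Dict[str, str]) -> Optional[str]:
    """Steps 3-4 on the server: GIADDR picks the scope (keyed by subnet) the
    offer is drawn from; a zero GIADDR means a directly attached client."""
    gw = giaddr(msg)
    if gw == IPv4Address("0.0.0.0"):
        return None
    for subnet, name in scopes.items():
        if gw in IPv4Network(subnet):
            return name
    return None


def offer_destination(msg: bytes) -> IPv4Address:
    """Step 5: the server addresses the DHCPOFFER to the relay named in GIADDR."""
    return giaddr(msg)


if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("001122334455"))
    copies = relay(discover, "192.168.15.1", ["192.168.23.2"])
    for target, pkt in copies:
        print(target, giaddr(pkt), hops(pkt),
              select_scope(pkt, {"192.168.15.0/24": "clients", "192.168.23.0/24": "servers"}))
```

Because the server trusts GIADDR to choose the scope and to address its reply, the relay's own interface address is the value that determines which pool a client is served from; a relay that overwrote a non-zero GIADDR would misdirect offers in a multi-hop relay chain, which is why the field is only filled when it is zero.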

Configuring a DHCP relay

You can configure a DHCP relay on any layer-3 interface.

Using the GUI:

1. Go to System > Network > Interface > Physical.
2. Select Edit for an interface.
3. Select Enabled under DHCP Relay.
4. Enter the IP addresses for the relay servers, separated by a space.
5. If you want to include Option-82 data, select Option-82.
6. Select Update.

Using the CLI:

config system interface
edit <interface-name>
set dhcp-relay-service {enable | disable}
set dhcp-relay-ip <ip-address1> [<ip-address2> ... <ip-address8>]
set dhcp-relay-option82 {enable | disable}
next
end

In the following example, the DHCP server has address 192.168.23.2:

config system interface
edit "v15-p15"
set dhcp-relay-service enable
set dhcp-relay-ip "192.168.23.2" -> the DHCP server address
set ip 192.168.15.1 255.255.255.0 -> the DHCP client subnet
set allowaccess ping ssh snmp telnet
set snmp-index 53
set vlanid 15
set interface "internal"
next
end

OSPF routing

NOTE: You must have an advanced features license to use OSPF routing.
Open shortest path first (OSPF) is a link-state interior routing protocol that is widely used in large enterprise
organizations. OSPF provides routing within a single autonomous system (AS). This differs from BGP, which provides
routing between autonomous systems.
An OSPF AS can contain only one area, or it can consist of a group of areas connected to a backbone area. A router
connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is
located between an OSPF autonomous system and a non-OSPF network. Routing information is contained in a link-
state database. Routing information is communicated between routers using link-state advertisements (LSAs).
The main benefit of OSPF is that it detects link failures in the network quickly and converges network traffic successfully
within seconds without any network loops. Also, OSPF has features to control which routes are propagated to contain
the size of the routing tables.
You can enable bidirectional forwarding detection (BFD) with OSPF. BFD is used to quickly locate hardware failures in
the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is
declared to be down. BFD then communicates this information to OSPF, and the routing information is updated.
NOTE: OSPF MIBs are not supported in this release.
For additional information about OSPF routing, see the OSPF section of the FortiOS Administration Guide.
This chapter covers the following topics:
• How OSPF works on page 232
• Configuring OSPF on page 234

How OSPF works

Areas

An OSPF implementation consists of one or more areas. An area consists of a group of contiguous networks. If you
configure more than one area, Area Zero is always the backbone area. An ABR links one or more areas to the OSPF
backbone area.
The FortiSwitch unit supports different types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A
stub area is an interface without a default route configured. NSSA is a type of stub area that can import AS external
routes and send them to the backbone but cannot receive AS external routes from the backbone or other areas. All other
areas are considered regular areas.

Adjacencies

When an OSPF router boots up, it sends OSPF Hello packets to find neighbors on the same network. Neighbors
exchange information, and the link-state databases of both neighbors are synchronized. At this point, these neighbors
are said to be adjacent.

For two OSPF routers to become neighbors, the following conditions must be met:
• The subnet number and subnet mask for the interface must match in both routers.
• The Hello interval and Dead interval values must match.
• The routers must have the same OSPF area ID.
• If authentication is used, they must pass authentication checks.
In OSPF, routing protocol packets are only passed between adjacent routers.

Route summarization

Using route summarization reduces the number of LSAs being sent between routers. OSPF offers two types of route
summarization:
• Between areas through an ABR. This method summarizes routes in the area configuration.

config area
edit <area_IPv4_address>
config range
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
next
end

• Between an OSPF AS and a non-OSPF network through an ASBR. This method summarizes external routes when
you redistribute them.

config summary-address
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end

Graceful restart helper mode

Starting in FortiSwitchOS 6.4.3, the FortiSwitch unit enters the helper (neighbor) mode when a neighboring router sends
a grace LSA before it restarts. The FortiSwitch unit keeps the restarting router in the forwarding path for OSPF routing,
as long as there are no network topology changes. After the restarting router completes its graceful restart, the
FortiSwitch unit exits the helper mode.
This feature is always enabled.

Database overflow protection

When the OSPF link-state database is large, some routers do not have enough resources to store the complete link-
state database. To prevent database overflow, you can limit the number of AS-external-LSAs in the link-state database.
When the maximum number of AS-external-LSAs is reached, the router deletes all AS-external-LSAs that it originated
and stops originating AS-external-LSAs for the specified number of seconds.
By default, this feature is disabled.
Use the following commands to configure database overflow protection:
config router ospf
set database-overflow enable
set database-overflow-max-external-lsa <0-2147483647>
set database-overflow-time-to-recover <0-65535>
end

Configuring OSPF

Using the GUI:

1. Create a switch virtual interface. See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > OSPF > Settings.
a. Enter a unique 32-bit number in dotted decimal format for the router identifier. NOTE: Without a router
identifier, OSPF routing will not work.
b. If you are going to advertise default routes within OSPF, configure the default route option and enter the
routing metric (cost) for other routing protocols.
c. If you want to redistribute non-OSPF routes, select Enabled under Connected, Static, RIP, BGP, or ISIS and
then enter the routing metric in the Metric field.
d. Select Update.
3. Go to Router > Config > OSPF > Areas and select Add OSPF Area.
a. Enter the area IP address.
b. Select if the area is a stub area, NSSA, or a regular area.
c. Select Add.
4. Go to Router > Config > OSPF > Networks and select Add Network.
a. Enter the network identifier.
b. Enter the IP address and netmask, separated with a space. Use an IP address that includes the switch virtual
interface.
c. Select the area that you created.
d. Select Add.
5. Go to Router > Config > OSPF > Interfaces and select Configure OSPF Interface.
a. Select the same type of authentication that you selected for the area.
b. If you want static bidirectional forwarding detection, select Enable or Global.
c. Enter the maximum transmission unit.
d. Enter the cost.
e. Enter the number of seconds between Hello packets being sent.
f. Enter the number of seconds that a Hello packet is not received before the OSPF router decides that a
neighbor has failed.
g. Select Add.

Using the CLI:

Configuring OSPF using IPv4 on the FortiSwitch unit includes the following major steps:
1. Enter the OSPF configuration mode.
2. Set the router identifier. Each router must have a unique 32-bit number. NOTE: Without a router identifier, OSPF
routing will not work.
3. Create an area. You must create at least one area.
4. Configure the network. Attach one or more networks to each area.
5. Configure an interface to a peer OSPF router.
6. Redistribute non-OSPF routes with route summarization. Advertise these non-OSPF routes within OSPF.
NOTE: You can also configure OSPF using IPv6 with the config router ospf6 command.

1. Enter the OSPF configuration mode

Enter the OSPF configuration mode to access all of the OSPF configuration commands:

# config router ospf

2. Set the router identifier

Each router within an area must have a unique 32-bit number. The router identifier is written in dotted decimal format,
but it is not an IPv4 address. NOTE: Without a router identifier, OSPF routing will not work.
set router-id <router-id>

For example:
# config router ospf
(ospf) # set router-id 1.1.1.2

3. Create an area

You must create at least one area. The area number is written in dotted decimal format (for example, configure area
100 as 0.0.0.100).
config area
edit <area number>
set shortcut {default | disable | enable}
set type {nssa | regular | stub}
end

For example:
(ospf) # config area
(area) # edit 0.0.0.4
(0.0.0.4) # set type nssa

4. Configure the network

Use this subcommand to identify the OSPF-enabled interfaces. The prefix length in the interface must be equal or
larger than the prefix length in the network statement.
config network
edit <network number>
set area <area>
set prefix <network prefix> <mask>

For example:
(ospf) # config network
(network) # edit 1
(1) # set area 0.0.0.4
(1) # set prefix 10.1.1.0 255.255.255.0

5. Configure the OSPF interface

Configure interface-related OSPF settings. Enter a descriptive name for the OSPF interface name.
config interface
edit <OSPF_interface_name>
set priority <1-255>

For example:
(ospf) # config interface
(ospf-interface) # edit oi1
(oi1) # set priority 255

NOTE: The following values must match for an adjacency to form:
• area type and number
• interface subnet and mask
• hello interval
• dead interval
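The adjacency conditions listed in this note (and in the Adjacencies section earlier in the chapter) together with the network-statement rule from step 4, that the interface prefix length must be equal to or longer than the prefix length of the network statement, as an added example that is not FortiSwitchOS code. The interface addresses come from the two-switch example later in this chapter; Hello and Dead intervals of 10 and 40 seconds and the names of the interfaces are assumptions of this example.

```python
"""Two configuration checks drawn from the OSPF sections above: which
interfaces a 'config network' statement enables (interface prefix length
equal to or longer than the network prefix), and whether two interfaces
satisfy the adjacency conditions (subnet/mask, hello and dead intervals,
area ID, authentication). Added example; not FortiSwitchOS code."""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network
from typing import List


@dataclass(frozen=True)
class OspfInterface:
    name: str
    address: str            # interface address with prefix, e.g. "10.11.101.1/24"
    area: str               # area ID in dotted-decimal form, e.g. "0.0.0.0"
    hello: int = 10         # seconds between Hello packets (assumed default)
    dead: int = 40          # seconds without a Hello before the neighbor is down (assumed default)
    auth_key: str = ""      # empty means no authentication


def network_covers(network_prefix: str, iface: OspfInterface) -> bool:
    """A network statement enables an interface when the interface address
    lies inside the statement's prefix and the interface's prefix length is
    equal to or longer than the statement's."""
    net = IPv4Network(network_prefix)
    ip = IPv4Interface(iface.address)
    return ip.ip in net and ip.network.prefixlen >= net.prefixlen


def enabled_interfaces(network_prefix: str, interfaces: List[OspfInterface]) -> List[str]:
    return [i.name for i in interfaces if network_covers(network_prefix, i)]


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Return the conditions that stop a and b from becoming neighbors;
    an empty list means an adjacency can form."""
    problems = []
    net_a, net_b = IPv4Interface(a.address).network, IPv4Interface(b.address).network
    if net_a != net_b:
        problems.append("subnet number or subnet mask mismatch")
    if a.hello != b.hello:
        problems.append("hello interval mismatch")
    if a.dead != b.dead:
        problems.append("dead interval mismatch")
    if a.area != b.area:
        problems.append("area ID mismatch")
    if a.auth_key or b.auth_key:
        # Constant-time comparison so the check does not leak key bytes through timing.
        if not hmac.compare_digest(a.auth_key.encode(), b.auth_key.encode()):
            problems.append("authentication failure")
    return problems


if __name__ == "__main__":
    # Interfaces taken from the guide's two-switch example.
    sw1 = OspfInterface("switch1:vlan40-p4", "10.11.101.1/24", "0.0.0.0")
    sw2 = OspfInterface("switch2:vlan40-p4", "10.11.101.2/24", "0.0.0.0")
    print(enabled_interfaces("10.11.101.0/24", [sw1, sw2]))
    print(adjacency_problems(sw1, sw2) or "adjacency can form")
```

Running adjacency_problems against a peer's intended settings before the link comes up is a cheap way to explain a neighbor that stays in the Init or ExStart state; the network-statement check explains why a /24 interface is silently left out of OSPF when the network statement was entered as a /25.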

6. Redistribute non-OSPF routes

Redistribute non-OSPF routes (directly connected or static routes) within OSPF:

config redistribute {bgp | connected | isis | rip | static}
set status enable
set metric <integer>
set metric-type {1 | 2}
end

Add route summarization:

config summary-address
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end

For example:
(ospf) # config redistribute connected
(connected) # set status enable
(connected) # end

(ospf) # config summary-address
(summary-address) # edit 1
new entry '1' added
(1) # set prefix 10.1.0.0 255.255.0.0
(1) # next
(summary-address) # end

Check the OSPF configuration

The get router info ospf command has options to display different aspects of the OSPF configuration and
status. For example:
get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}
get router info ospf database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

Example configuration

The following example shows a very simple OSPF network with one area. FortiSwitch 1 has one OSPF interface to
FortiSwitch 2:

Configure system interfaces

These are the same configuration steps as for static routing.

Switch 1

config system interface
edit vlan10-p3
set ip 30.1.1.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 10
next
edit vlan40-p4
set ip 10.11.101.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 40
end
config switch interface
edit "port3"
set native-vlan 10
next
edit "port4"
set native-vlan 40
next
end

Switch 2

config system interface
edit vlan20-p8
set ip 20.50.1.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 20
next
edit vlan40-p4
set ip 10.11.101.2 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 40
end
config switch interface
edit "port8"
set native-vlan 20
next
edit "port4"
set native-vlan 40
next
end

Configure the OSPF router

Configure OSPF with the following:

1. Set the router ID.
2. Create the area.
3. Create the network (set network prefix and associate with an area).
4. Configure the OSPF interface.

Switch 1

config router ospf

set router-id 10.11.101.1

config area
edit 0.0.0.0
next
end

config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end

config interface
edit "1"
set cost 100
set interface "vlan10"
set priority 100
next
end

config redistribute connected
set status enable
end

end

Switch 2

config router ospf

set router-id 10.11.101.2

config area
edit 0.0.0.0
next
end

config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end

config interface
edit "1"
set cost 100
set interface "vlan10"
set priority 100
next
end

config redistribute connected
set status enable
end

end

Verify OSPF neighbors

get router info ospf neighbor all

Verify OSPF routes

get router info ospf route

RIP routing

NOTE: You must have an advanced features license to use RIP routing.
The Routing Information Protocol (RIP) is a distance-vector routing protocol that works best in small networks that have
no more than 15 hops. Each router maintains a routing table by sending out its routing updates and by asking neighbors
for their routes. RIP is relatively simple to configure on FortiSwitch units but slow to respond to network outages. RIP
routing is better than static routing but less scalable than open shortest path first (OSPF) routing.
The FortiSwitch unit supports RIP version 1 and RIP version 2:
• RIP version 1 uses classful addressing and broadcasting to send out updates to router neighbors. It does not
support different sized subnets or classless inter-domain routing (CIDR) addressing.
• RIP version 2 supports classless routing and subnets of various sizes. Router authentication supports MD5 and
authentication keys. Version 2 uses multicasting to reduce network traffic.
RIP uses three timers:
• The update timer determines the interval between routing updates. The default setting is 30 seconds.
• The timeout timer is the maximum time that a route is considered reachable while no updates are received for the
route. The default setting is 180 seconds. The timeout timer setting should be at least three times longer than the
update timer setting.
• The garbage timer is how long the FortiSwitch unit advertises a route as being unreachable before deleting the
route from the routing table. The default setting is 120 seconds.
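The three timers as an added example that is not FortiSwitchOS code: validate_timers applies the three-times rule and the 5-second lower bound that the CLI ranges in this chapter give for each timer, and RipTable ages a constructed route through the reachable, garbage (advertised with metric 16) and deleted states using the default 30/180/120-second values.

```python
"""Simulation of the three RIP timers described above: a route stays
reachable until the timeout timer expires, is then advertised as
unreachable (metric 16) for the garbage timer, and is finally deleted.
Added example; not FortiSwitchOS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INFINITY = 16                 # RIP metric meaning "unreachable"
MIN_TIMER = 5                 # lower bound of the CLI timer ranges (5-2147483647 seconds)


def validate_timers(update: int, timeout: int, garbage: int) -> List[str]:
    """Check the relationships the guide describes between the timers."""
    problems = []
    for name, value in (("update", update), ("timeout", timeout), ("garbage", garbage)):
        if value < MIN_TIMER:
            problems.append(f"{name} timer must be at least {MIN_TIMER} seconds")
    if timeout < 3 * update:
        problems.append("timeout timer should be at least three times the update timer")
    return problems


@dataclass
class RipRoute:
    metric: int
    learned_at: float     # time of the last update that refreshed the route


@dataclass
class RipTable:
    update: int = 30
    timeout: int = 180
    garbage: int = 120
    routes: Dict[str, RipRoute] = field(default_factory=dict)

    def learn(self, prefix: str, metric: int, now: float) -> None:
        """Install or refresh a route from a neighbor's update."""
        if metric >= INFINITY:
            return                      # an unreachable route is never installed
        self.routes[prefix] = RipRoute(metric, now)

    def state(self, prefix: str, now: float) -> str:
        r = self.routes.get(prefix)
        if r is None:
            return "absent"
        age = now - r.learned_at
        if age < self.timeout:
            return "reachable"
        if age < self.timeout + self.garbage:
            return "garbage"
        return "expired"

    def advertised_metric(self, prefix: str, now: float) -> Optional[int]:
        """Metric put in the next update for prefix, or None when the route is gone.
        Ageing runs lazily here: an expired route is removed on this call."""
        st = self.state(prefix, now)
        if st == "reachable":
            return self.routes[prefix].metric
        if st == "garbage":
            return INFINITY             # advertised as unreachable until deleted
        self.routes.pop(prefix, None)
        return None


if __name__ == "__main__":
    print(validate_timers(30, 60, 120))       # timeout too short relative to update
    table = RipTable()
    table.learn("10.0.0.0/8", 2, now=0)       # constructed route
    for t in (100, 200, 300):
        print(t, table.state("10.0.0.0/8", t), table.advertised_metric("10.0.0.0/8", t))
```

The garbage phase is what keeps neighbors from re-learning a dead route from a stale advertisement: the route is still present, but carries metric 16, for the full garbage interval before it disappears.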
You can enable bidirectional forwarding detection (BFD) with RIP. BFD is used to quickly locate hardware failures in the
network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is
declared to be down. BFD then communicates this information to RIP, and the routing information is updated.
When you configure RIP routing, you can choose the strategy the access list uses to permit or deny IP addresses:
• Prefix—Specify the IP address and bit mask to allow or block.
• Wildcard—Specify the Cisco-style filter to allow or block.
For additional information about RIP routing, see the RIP section of the FortiOS Administration Guide.
This chapter covers the following topics:
• Terminology on page 240
• Configuring RIP routing on page 241

Terminology

Access list: A list of IP addresses and the action to take for each one. Access lists provide basic route and network
filtering.
Active RIP interface: Each RIP router sends and receives updates by actively communicating with its neighbors.
Keychain: A list of one or more authentication keys including its lifetime, which is how long each key is valid.

Metric: RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is
connected directly to the FortiSwitch unit. A hop count of 16 represents a network that cannot be reached.
Passive RIP interface: The RIP router listens to updates from other routers but does not send out updates. A passive
RIP interface reduces network traffic.
Prefix list: A more powerful prefix-based filtering mechanism. A prefix is an IP address and netmask.
Split horizon: A way to avoid routing loops.

Configuring RIP routing

NOTE: You must create a keychain first before you can use the MD5 authentication mode with RIP version 2.

To add a new keychain using the CLI:

config router key-chain
edit <keychain identifier>
next
end

Using the GUI and the prefix strategy:

1. Create a switch virtual interface (SVI). See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > RIP > Settings.
a. Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
b. If you want to use BFD, select Bidirectional Forwarding Detection.
c. If you want to use a default route, select Default Information Originate.
d. If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and
Garbage fields.
e. If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
• If you select Enable under Connected, enter the routing metric to use.
• If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use
the default routing metric and then enter the routing metric to use.
f. Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
3. Go to Router > Config > Access Lists and select Add Access List.
a. Enter an identifier with one or more alphabetic characters.
b. Enter an optional description of the access list.
c. Select Add.
d. Select Config Rules in the row for the access list that you just created.
e. Select Add Rule.
f. Enter an identifier (1-65535), select Deny or Permit to specify if the rule will block or allow the specified IP
addresses, and enter the prefix.
g. If you entered the complete IP address, select the Exact Match checkbox.
h. Select Add Rule if you want to add more rules.
i. After you have added all of the rules that you want in the access list, select Update to save the rules you
added.
4. Go to Router > Config > RIP > Distances and select Add RIP Distance.
a. Enter the distance identifier in the Distance ID field.
b. Enter the distance.
c. Select the access list that you added in the previous step.
d. Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or
1.2.3.4 248.0.0.0.
e. Select Add.
5. Go to Router > Config > RIP > Networks and select Add Network.
a. Enter a unique value to identify this network configuration.
b. Enter an IP address and netmask for your RIP network, separated with a slash, and select Add. For example,
enter 172.168.200.0/255.255.255.0. NOTE: Select an IP address for a network that includes all SVIs that you
want to use. You can configure multiple network ranges to cover all SVIs that will be using RIP routing.
6. Go to Router > Config > RIP > Interfaces and select Configure RIP for the appropriate interface.
a. If you want to change the RIP version used to send and receive routing updates, select from the Send Version
and Receive Version drop-down menus.
b. If you do not want to send RIP updates from this interface, select Passive Interface.
c. If you want to use authentication, select Text or MD5.
d. Select Add.

Using the GUI and the wildcard strategy:

1. Create a switch virtual interface (SVI). See Configuring a switch virtual interface on page 214.
2. Go to Router > Config > RIP > Settings.
a. Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
b. If you want to use BFD, select Bidirectional Forwarding Detection.
c. If you want to use a default route, select Default Information Originate.
d. If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and
Garbage fields.
e. If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
• If you select Enable under Connected, enter the routing metric to use.
• If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use
the default routing metric and then enter the routing metric to use.
f. Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
3. Go to Router > Config > Access Lists and select Add Access List.
a. Enter an identifier with all digits (in the range of 1-99).
b. Enter an optional description of the access list.
c. Select Add.
d. Select Config Rules in the row for the access list that you just created.
e. Select Add Rule.
f. Enter an identifier (1-65535), select Deny or Permit to specify if the rule will block or allow the specified IP
addresses, and enter the Cisco-style wildcard filter.
g. Select Add Rule if you want to add more rules.
h. After you have added all of the rules that you want in the access list, select Update to save the rules you
added.
4. Go to Router > Config > RIP > Distances and select Add RIP Distance.
a. Enter the distance identifier in the Distance ID field.
b. Enter the distance.
c. Select the access list that you added in the previous step.
d. Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or
1.2.3.4 248.0.0.0.
e. Select Add.
5. Go to Router > Config > RIP > Networks and select Add Network.
a. Enter a unique value to identify this network configuration.
b. Enter an IP address and netmask for your RIP network, separated with a slash, and select Add. For example,
enter 172.168.200.0/255.255.255.0. NOTE: Select an IP address for a network that includes all SVIs that you
want to use. You can configure multiple network ranges to cover all SVIs that will be using RIP routing.
6. Go to Router > Config > RIP > Interfaces and select Configure RIP for the appropriate interface.
a. If you want to change the RIP version used to send and receive routing updates, select from the Send Version
and Receive Version drop-down menus.
b. If you do not want to send RIP updates from this interface, select Passive Interface.
c. If you want to use authentication, select Text or MD5.
d. Select Add.

Using the CLI for IPv4 traffic:

config router access-list
edit <access_list_name>
set comments <comments>
config rule
edit <rule_int>
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set wildcard <IP_address>
set exact-match {enable | disable}
end
end

config router rip
set bfd {disable | enable}
set default-information-originate {disable | enable}
set garbage-timer <5-2147483647 seconds>
set timeout-timer <5-2147483647 seconds>
set update-timer <5-2147483647 seconds>
set default-metric <1-16>
config redistribute {bgp | connected | isis | ospf | static}
set status {disable | enable}
set metric <0-16>
end
config distance
edit <distance_ID>
set access-list <access_list_name>
set distance <1-255>
set prefix <IPv4_address> <netmask>
end
config network
edit <network identifier>
set prefix <IPv4_address> <netmask>
end
config interface
edit <interface_name>
set auth-keychain <keychain_str>
set auth-mode {md5 | none |text}
set auth-string <password_str>
set receive-version {1 | 2 | both | global}
set send-version {1 | 2 | both | global}
end
end
end
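The prefix and wildcard strategies described at the start of this chapter, evaluated the way the access-list rules in the CLI block above are defined (action, prefix or wildcard, exact-match), as an added example that is not FortiSwitchOS code. The rule lists are constructed, and the implicit deny applied to a route that matches no rule is this example's assumption.

```python
"""Evaluator for the access-list rules described above: a prefix rule
(address and netmask, optionally exact-match) and a Cisco-style wildcard
rule, with permit/deny actions tried in order. Added example; not
FortiSwitchOS code. The implicit deny for a route that matches no rule is
this example's assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    prefix: Optional[str] = None   # "10.1.0.0 255.255.0.0" or "any" (prefix strategy)
    wildcard: Optional[str] = None # "10.1.0.0 0.0.255.255" (wildcard strategy)
    exact_match: bool = False      # prefix strategy only

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if (self.prefix is None) == (self.wildcard is None):
            raise ValueError("a rule takes either a prefix or a wildcard")


def _prefix_matches(rule: Rule, route: IPv4Network) -> bool:
    if rule.prefix == "any":
        return True
    addr, mask = rule.prefix.split()
    target = IPv4Network(f"{addr}/{mask}", strict=False)
    if rule.exact_match:
        return route == target           # same network and same prefix length
    return route.subnet_of(target)       # route lies within the rule's prefix


def _wildcard_matches(rule: Rule, route: IPv4Network) -> bool:
    addr, wildcard = rule.wildcard.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # a set wildcard bit means "don't care"
    return (int(IPv4Address(addr)) & care) == (int(route.network_address) & care)


def matches(rule: Rule, route: str) -> bool:
    net = IPv4Network(route, strict=False)
    if rule.prefix is not None:
        return _prefix_matches(rule, net)
    return _wildcard_matches(rule, net)


def evaluate(rules: List[Rule], route: str) -> str:
    """First matching rule decides; nothing matching is denied (assumption)."""
    for rule in rules:
        if matches(rule, route):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed lists: block one /24 exactly, allow the rest of 10.1.0.0/16.
    prefix_rules = [
        Rule("deny", prefix="10.1.1.0 255.255.255.0", exact_match=True),
        Rule("permit", prefix="10.1.0.0 255.255.0.0"),
    ]
    wildcard_rules = [Rule("permit", wildcard="10.1.0.0 0.0.255.255")]
    for route in ("10.1.1.0/24", "10.1.1.0/25", "10.2.0.0/16"):
        print(route, evaluate(prefix_rules, route), evaluate(wildcard_rules, route))
```

The difference between the two strategies shows in the second route: an exact-match prefix rule for 10.1.1.0/24 does not catch the more specific 10.1.1.0/25, whereas a wildcard rule ignores prefix length entirely and compares only the address bits the mask marks as significant.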

Using the CLI for IPv6 traffic:

config router access-list6
edit <access_list_name>
set comments <comments>
config rule
edit <rule_int>
set action {deny | permit}
set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
set exact-match {enable | disable}
end
end

config router ripng
set bfd {disable | enable}
set default-information-originate {disable | enable}
set garbage-timer <5-2147483647 seconds>
set timeout-timer <5-2147483647 seconds>
set update-timer <5-2147483647 seconds>
set default-metric <1-16>
config redistribute {bgp | connected | isis | ospf6 | static}
set status {disable | enable}
set metric <0-16>
end
config offset-list
edit <offset-list_name>
set access-list6 <access-list_name>
set direction {in | out}
set interface <interface_name>
set offset <1-16>
set status {disable | enable}
end
config aggregate-address
edit <aggregate-address_entry_ID>
set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
end
config interface
edit <interface_name>
set passive {disable | enable}
set split-horizon-status {disable | enable}
set split-horizon {poisoned | regular}
end
end
end
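
The auth-mode values above (text or md5) differ in what actually leaves the switch. The following Python script is an added example, not code from the guide or from FortiSwitchOS: it builds a RIPv2 Response message with each kind of authentication entry, following the layouts in RFC 2453 (simple password) and RFC 2082 (keyed MD5 trailer), and checks the MD5 trailer the way a receiving router would, including the sequence-number check that protects against replayed updates. The two prefixes and the key simplepw1 are taken from this chapter's example configuration; the key ID, sequence number and all function names are this example's own.

```python
"""Added example (not part of the FortiSwitchOS guide): RIPv2 'text' versus
'md5' authentication on the wire.  Layouts follow RFC 2453 (simple password)
and RFC 2082 (keyed MD5 trailer); routes and key are sample values."""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AUTH_SIMPLE, AUTH_MD5 = 2, 3              # authentication type codes
RIP_HEADER = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
ENTRY_FMT = "!HH4s4s4sI"                  # AFI, route tag, prefix, mask, next hop, metric
TRAILER_HDR = struct.pack("!HH", 0xFFFF, 1)


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def key16(key):
    """RFC 2082 key field: 16 bytes, zero-padded (longer keys are truncated)."""
    return key.encode().ljust(16, b"\0")[:16]


def route_entries(routes):
    """routes: list of (prefix, netmask, metric); next hop 0.0.0.0 means the sender."""
    return b"".join(
        struct.pack(ENTRY_FMT, 2, 0, ip_bytes(p), ip_bytes(m), ip_bytes("0.0.0.0"), metric)
        for p, m, metric in routes)


def build_simple_password(routes, password):
    """auth-mode text: the password itself travels in the first entry of every update."""
    auth_entry = struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, password.encode())
    return RIP_HEADER + auth_entry + route_entries(routes)


def build_keyed_md5(routes, key, key_id=1, seq=1):
    """auth-mode md5: the key never leaves the router, only a digest over the update."""
    body = route_entries(routes)
    pkt_len = len(RIP_HEADER) + 20 + len(body)          # offset of the trailer
    auth_hdr = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq)
    msg = RIP_HEADER + auth_hdr + body + TRAILER_HDR
    # The digest is MD5 over the message with the padded key in place of the digest.
    digest = hashlib.md5(msg + key16(key)).digest()
    return msg + digest


def verify_keyed_md5(packet, key, min_seq=0):
    """Receiver-side check: structure, sequence number (replay), then the digest."""
    if len(packet) < len(RIP_HEADER) + 20 + 20:
        return False
    afi, atype, pkt_len, _key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if (afi, atype, dlen) != (0xFFFF, AUTH_MD5, 16) or pkt_len + 20 != len(packet):
        return False
    if seq < min_seq:                        # RFC 2082: sequence must not go backwards
        return False
    if packet[pkt_len:pkt_len + 4] != TRAILER_HDR:
        return False
    expected = hashlib.md5(packet[:pkt_len + 4] + key16(key)).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])


# Sample routes from the chapter's example configuration (constructed metrics).
SAMPLE_ROUTES = [("170.38.65.0", "255.255.255.0", 1), ("39.3.2.0", "255.255.255.0", 2)]

if __name__ == "__main__":
    plain = build_simple_password(SAMPLE_ROUTES, "simplepw1")
    signed = build_keyed_md5(SAMPLE_ROUTES, "simplepw1", seq=7)
    print("password visible in text-mode packet:", b"simplepw1" in plain)
    print("key visible in md5-mode packet:     ", b"simplepw1" in signed)
    print("digest verifies with the right key: ", verify_keyed_md5(signed, "simplepw1"))
```

The text mode only stops accidental participation by a misconfigured neighbour: anyone who can see the multicast updates on the VLAN can read the password directly. The MD5 mode ties each update to a secret the wire never carries, and a changed metric or prefix makes the digest fail.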

Checking the RIP configuration

The get router info rip and get router info6 rip commands have options to display different aspects
of the RIP configuration and status. For example, there are options to display the RIP general information and the RIP
database:
get router info rip status
get router info6 rip status
get router info rip database
get router info6 rip database


Example configuration

The following example shows a very simple RIP network:

Switch 1: Configure the switch interface

config switch interface
edit "port9"
set allowed-vlans 35
next
edit "port7"
set allowed-vlans 85
next
end

Switch 1: Configure the system interface

config system interface
edit "vlan35"
set ip 170.38.65.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 35
next
edit "vlan85"
set ip 180.1.1.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 85
next
end


Switch 1: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 180.1.1.0/24
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end

Switch 1: Add a static route and redistribute it

config router static
edit 1
set dst 39.3.2.0 255.255.255.0
set gateway 180.1.1.2
set status enable
next
end

config router rip
config redistribute "static"
set status enable
next
end

Switch 2: Configure the switch interface

config switch interface
edit "port10"
set allowed-vlans 35
next
edit "port25"
set allowed-vlans 70
next
end

Switch 2: Configure the system interface

config system interface
edit "vlan35"
set ip 170.38.65.2/24
set allowaccess ping https http ssh snmp telnet
set vlanid 35
next
edit "vlan70"
set ip 128.8.2.1/16
set allowaccess ping https http ssh snmp telnet
set vlanid 70
next
end

Switch 2: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 128.8.0.0/16
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end

Switch 2: Add a connected route and redistribute it

config switch interface
edit "port6"
set allowed-vlans 25
next
end
config system interface
edit "vlan25"
set ip 100.20.40.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 25
next
end

config router rip
config redistribute "connected"
set status enable
next
end

VRRP

NOTE: You must have an advanced features license to use VRRP.

The Virtual Router Redundancy Protocol (VRRP) uses virtual routers to control which physical routers are assigned to an
access network. A VRRP group consists of a master router and one or more backup routers that share a virtual IP
address. If the master router fails, VRRP automatically promotes one of the backup routers without affecting network
traffic. When the failed router is functioning again, it becomes the master router again. VRRP provides this redundancy
without user intervention or additional configuration on any of the devices on the network.
To create a VRRP group, you need to create a VRRP virtual MAC address, which is a shared MAC address adopted by
the VRRP master. The VRRP virtual MAC address feature is disabled by default. You must enable the VRRP virtual
MAC address feature on all members of a VRRP group.
The VRRP master router sends VRRP advertisement messages to the backup routers. When the VRRP master router
stops sending advertisement messages, the backup router with the highest priority takes over as the master router.
This chapter covers the following topics:
• Configuring VRRP on page 253
• Checking the VRRP configuration on page 255

Configuring VRRP

Using the GUI:

1. Go to System > Network > Interface > Physical.
2. Select Edit for the appropriate interface.
3. Select Add VRRP to add a virtual router.
• Enter the unique virtual router identifier.
• Enter the VRRP group number.
• Enter the priority. If the highest priority value of 255 is entered, the virtual router becomes the master router.
• Select Preempt if you want the router to preempt the master virtual router if the priority changes.
• Enter the source virtual IP address that will be shared across the VRRP group.
• Enter one or two IP addresses that the master router must track. The maximum number of IP addresses is two. If
these IP addresses cannot be reached by the master router, the priority of the master router changes to 0.
• Select Add VRRP to add each additional virtual router.
4. After filling in the fields for the virtual routers, select Update.
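
How the priority, Preempt and tracked-address settings from this procedure interact is easiest to see by running an election. The script below is an added example, not code from the guide or from FortiSwitchOS: it models a VRRP group as a list of routers, drops a router's priority to 0 when a tracked address is unreachable (as the procedure states), lets a working master be displaced only by routers that have Preempt set (the priority-255 address owner always takes the role back), and breaks priority ties on the higher primary IP address as RFC 5798 does. Router names, addresses, priorities and the failure sequence in simulate() are constructed.

```python
"""Added example (not part of the FortiSwitchOS guide): which member of a VRRP
group holds the virtual address as routers fail, tracked addresses disappear
and the failed master returns.  All names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # primary address on the VRRP interface
    priority: int                  # 1-254 for backups, 255 for the address owner
    preempt: bool = True           # the "Preempt" option in the GUI procedure
    tracked: dict = field(default_factory=dict)   # tracked IP -> reachable?
    up: bool = True                # False once its advertisements stop arriving

    def effective_priority(self):
        # Guide: if a tracked address cannot be reached, priority becomes 0.
        if any(not reachable for reachable in self.tracked.values()):
            return 0
        return self.priority


def elect_master(routers, current=None):
    """Return the router that should be master, or None if nobody can serve."""
    able = [r for r in routers if r.up and r.effective_priority() > 0]
    if not able:
        return None
    if current is not None and any(r is current for r in able):
        # A working master is displaced only by routers allowed to preempt;
        # the address owner (priority 255) always reclaims the role.
        able = [r for r in able
                if r is current or r.preempt or r.effective_priority() == 255]
    # Highest effective priority wins; RFC 5798 breaks ties on the higher IP.
    return max(able, key=lambda r: (r.effective_priority(),
                                    ipaddress.ip_address(r.ip)))


def simulate():
    """Constructed failure/recovery sequence; returns the master after each step."""
    a = VrrpRouter("A", "10.10.10.1", 255)                        # address owner
    b = VrrpRouter("B", "10.10.10.2", 200, tracked={"10.10.10.254": True})
    c = VrrpRouter("C", "10.10.10.3", 150, preempt=False)
    group, history = [a, b, c], []

    master = elect_master(group)                 # 1. everything up: owner A
    history.append(master.name)
    a.up = False                                 # 2. A stops advertising
    master = elect_master(group, master)
    history.append(master.name)
    b.tracked["10.10.10.254"] = False            # 3. B loses its tracked address
    master = elect_master(group, master)
    history.append(master.name)
    b.tracked["10.10.10.254"] = True             # 4. B recovers and preempts C
    master = elect_master(group, master)
    history.append(master.name)
    a.up = True                                  # 5. the owner returns
    master = elect_master(group, master)
    history.append(master.name)
    return history


if __name__ == "__main__":
    print(" -> ".join(simulate()))
```

Two things worth checking against a real deployment: a backup with Preempt cleared (router C above) keeps the role until it fails even after a higher-priority router recovers, and tracking an address that every member reaches through the same path can drop all priorities to 0 at once, leaving nobody to serve the virtual IP.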

Using the CLI:

config system interface
edit <VLAN name>
set ip <IP address> <netmask>
set allowaccess <access_types>
set vrrp-virtual-mac enable
config vrrp
edit <VRRP router identifier>
set adv-interval <seconds>
set preempt {enable | disable}
set priority <priority_number>
set start-time <seconds>
set status {enable | disable}
set version {2 | 3}
set vrdst <IPv4_address>
set vrgrp <VRRP_group_number>
set vrip <IPv4_address>
next
end
set snmp-index <index number>
set vlanid <VLAN identifier>
set interface "internal"
next
end

NOTE: You can also configure VRRP using IPv6 with the config ipv6 and config vrrp6 commands under the
config system interface command.

Example of configuring VRRP using IPv4:

config system interface
edit "vlan-8"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http ssh
set vrrp-virtual-mac enable
config vrrp
edit 5
set priority 255
set vrgrp 50
set vrip 11.1.1.100
next
edit 6
set priority 200
set vrgrp 50
set vrip 11.1.1.100
next
edit 7
set priority 150
set vrgrp 50
set vrip 11.1.1.100
next
end
set snmp-index 20
set vlanid 8
set interface "internal"
next
end
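
Both the RIP example configuration earlier in this chapter and the VRRP example above enable telnet and http in allowaccess, and the RIP example authenticates updates with auth-mode text. The Python script below is an added example, not code from the guide or from FortiSwitchOS: it parses the config / edit / set / next / end structure of CLI listings like these into nested dictionaries and reports the settings a reviewer would flag: interfaces inside a RIP network prefix with no or cleartext authentication, cleartext management protocols, and VRRP groups on an interface where vrrp-virtual-mac is not enabled (the guide requires it on every member). The parser and the finding codes are this example's own; the sample listing is assembled from the Switch 1 and VRRP examples in this chapter.

```python
"""Added example (not part of the FortiSwitchOS guide): parse FortiSwitch-style
CLI listings and flag weak RIP, management-access and VRRP settings.
Parser and finding codes are this example's own; SAMPLE is assembled from the
chapter's Switch 1 and VRRP listings."""
import ipaddress
import shlex


def parse_config(text):
    """Turn config/edit/set/next/end blocks into nested dicts (values are token lists)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)             # handles edit "vlan35"
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def interface_address(entry):
    """'set ip a.b.c.d/24' or 'set ip a.b.c.d m.m.m.m' -> ip_interface, else None."""
    ip = entry.get("ip")
    return ipaddress.ip_interface("/".join(ip)) if ip else None


def audit(config):
    """Return (interface, finding-code) pairs; the codes are constructed here."""
    findings = []
    interfaces = config.get("system interface", {})
    rip = config.get("router rip", {})
    rip_networks = [ipaddress.ip_network("/".join(n["prefix"]))
                    for n in rip.get("network", {}).values() if "prefix" in n]
    rip_ifaces = rip.get("interface", {})
    for name, entry in interfaces.items():
        for proto in ("telnet", "http"):       # cleartext management protocols
            if proto in entry.get("allowaccess", []):
                findings.append((name, f"mgmt-cleartext-{proto}"))
        addr = interface_address(entry)
        if addr and any(addr.ip in net for net in rip_networks):
            # An interface inside a RIP network speaks RIP; check its auth-mode.
            mode = rip_ifaces.get(name, {}).get("auth-mode", ["none"])[0]
            if mode == "none":
                findings.append((name, "rip-auth-none"))
            elif mode == "text":
                findings.append((name, "rip-auth-cleartext"))
        if "vrrp" in entry and entry.get("vrrp-virtual-mac", ["disable"])[0] != "enable":
            findings.append((name, "vrrp-virtual-mac-disabled"))
    return findings


SAMPLE = """
config system interface
    edit "vlan35"
        set ip 170.38.65.1/24
        set allowaccess ping https http ssh snmp telnet
        set vlanid 35
    next
    edit "vlan85"
        set ip 180.1.1.1/24
        set allowaccess ping https http ssh snmp telnet
        set vlanid 85
    next
    edit "vlan-8"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http ssh
        set vrrp-virtual-mac enable
        config vrrp
            edit 5
                set priority 255
                set vrgrp 50
                set vrip 11.1.1.100
            next
        end
        set vlanid 8
    next
end
config router rip
    config network
        edit 1
            set prefix 170.38.65.0/24
        next
        edit 2
            set prefix 180.1.1.0/24
        next
    end
    config interface
        edit "vlan35"
            set auth-mode text
            set auth-string simplepw1
        next
    end
end
"""

if __name__ == "__main__":
    for iface, code in audit(parse_config(SAMPLE)):
        print(f"{iface:8} {code}")
```

Run against the sample, the audit reports vlan85 as a RIP speaker with no authentication at all (it is inside 180.1.1.0/24 but has no config interface entry), vlan35 as using a cleartext password, and telnet/http on every interface; the VRRP interface passes because vrrp-virtual-mac is enabled.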

Checking the VRRP configuration

Using the GUI:

Go to Router > Config > Interface to see which interfaces have VRRP configured.
Go to Router > Monitor > VRRP to see the interface, source virtual IP address that is shared across the VRRP group,
MAC address for the interface, and virtual router identifier for each VRRP configuration, as shown in the following
figure.

Using the CLI:

get router info vrrp

BGP routing

NOTE: You must have an advanced features license to use BGP routing.
Border Gateway Protocol (BGP) contains two distinct subsets: internal BGP (iBGP) and external BGP (eBGP). iBGP is
intended for use within your own networks. eBGP is used to connect many different networks together and is the main
routing protocol for the Internet backbone. FortiSwitch units support iBGP, and eBGP only for communities.
BGP was first used in 1989. The current version, BGP-4, was released in 1995 and is defined in RFC 1771. That RFC
has since been replaced by RFC 4271. The main benefits of BGP-4 are classless inter-domain routing and aggregate
routes. BGP is the only routing protocol to use TCP for a transport protocol. Other routing protocols use UDP.
BGP makes routing decisions based on path, network policies, and rulesets instead of the hop-count metric as RIP
does, or cost-factor metrics as OSPF does.
BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545.
BGP is the routing protocol used on the Internet. It was designed to replace the old Exterior Gateway Protocol (EGP)
which had been around since 1982, and was very limited. BGP enabled more networks to take part in the Internet
backbone to effectively decentralize it and make the Internet more robust, and less dependent on a single ISP or
backbone network.

Parts and terminology of BGP

In a BGP network, there are some terms that need to be explained before going ahead. Some parts of BGP are not
explained here because they are common to other dynamic routing protocols. When determining your network topology,
note that the number of available or supported routes is not set by the configuration but depends on the available
memory on the FortiSwitch units.

BGP and IPv6

FortiSwitch units support IPv6 over BGP using the same config router bgp CLI command as IPv4 but different
subcommands.
The main CLI keywords have IPv6 equivalents that are identified by the “6” on the end of the keyword, such as config
network6 or set allowas-in6. For more information about IPv6 BGP keywords, see the FortiSwitchOS CLI
Reference.

Role of routers in BGP networks

Dynamic routing has a number of different roles that routers can fill. BGP has a number of custom roles that routers can
fill. These include speaker routers, peer routers or neighbors, and route reflectors.

Speaker routers

Any router that is configured for BGP is considered a BGP speaker. This means that a speaker router advertises BGP
routes to its peers.
Any routers on the network that are not speaker routers are not treated as BGP routers.

Peer routers or neighbors

In a BGP network, all neighboring BGP routers or peer routers are routers that are connected to a FortiSwitch unit. A
FortiSwitch unit learns about all other routers through these peers.
You need to manually configure BGP peers on a FortiSwitch unit as neighbors. Otherwise, these routers are not seen as
peers but simply as other routers on the network that do not support BGP. Optionally, you can use MD5 authentication
to password-protect BGP sessions with those neighbors (see RFC 2385).
You can configure up to 1000 BGP neighbors on a FortiSwitch unit. You can clear all or some BGP neighbor connections
(sessions), using the execute router clear bgp CLI command.

For example, if you have 10 routes in the BGP routing table and you want to clear the specific route to IP address
10.10.10.1, enter the following CLI command:
execute router clear bgp ip 10.10.10.1

To remove all routes for AS number 650001, enter the following CLI command:
execute router clear bgp as 650001

To remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI command:
execute router clear bgp dampening 10.10.0.0/16

In the following diagram, Router A is directly connected to five other routers in a network that contains 12 routers. These
routers (the ones in the blue circle) are Router A’s peers or neighbors.

Router A and its five peer routers

As a minimum, when configuring BGP neighbors, you must enter their IP address and the AS number (remote-as). This
is all of the information the GUI allows you to enter for a neighbor.

The following BGP commands are related to neighbors:

config router bgp
config neighbor
edit "<IPv4_IPv6_address>"
set advertisement-interval <0-600>
set allowas-in-enable {disable | enable}
set allowas-in <1-10>
set allowas-in-enable6 {disable | enable}
set allowas-in6 <1-10>
set attribute-unchanged {as-path | MED | next-hop}
set attribute-unchanged6 {as-path | MED | next-hop}
set activate {disable | enable}
set activate6 {disable | enable}
set bfd {disable | enable}
set capability-dynamic {disable | enable}
set capability-orf {both | none | receive | send}
set capability-orf6 {both | none | receive | send}
set capability-default-originate {disable | enable}
set capability-default-originate6 {disable | enable}
set dont-capability-negotiate {disable | enable}
set ebgp-enforce-multihop {disable | enable}
set ebgp-multihop-ttl <1-255>
set ebgp-ttl-security-hops <1-254>
set next-hop-self {disable | enable}
set next-hop-self6 {disable | enable}
set override-capability {disable | enable}
set passive {disable | enable}
set remove-private-as {disable | enable}
set remove-private-as6 {disable | enable}
set route-reflector-client {disable | enable}
set route-reflector-client6 {disable | enable}
set route-server-client {disable | enable}
set route-server-client6 {disable | enable}
set shutdown {disable | enable}
set soft-reconfiguration {disable | enable}
set soft-reconfiguration6 {disable | enable}
set as-override {disable | enable}
set as-override6 {disable | enable}
set strict-capability-match {disable | enable}
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <interface_name>
set maximum-prefix <1-4294967295>
set maximum-prefix6 <1-4294967295>
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <MANDATORY_1-4294967295>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {both | disable | extended | standard}
set send-community6 {both | disable | extended | standard}
set keep-alive-timer <0-65535>
set holdtime-timer <0, 3-65535>
set connect-timer <0-65535>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source {interface_name}
set weight <0-65535>
end
end
end

Route reflectors

Route reflectors (RR) in BGP concentrate route updates so other routers only need to talk to the RRs to get all of the
updates. This results in smaller routing tables, fewer connections between routers, faster responses to network topology
changes, and less administration bandwidth. BGP RRs are defined in RFC 1966.
In a BGP RR configuration, the AS is divided into different clusters that each include client and reflector routers. The
client routers supply the reflector routers with the client’s route updates. The reflectors pass this information along to
other RRs and border routers. Only the reflectors need to be configured, not the clients, because the clients find the
closest reflector and communicate with it automatically. The reflectors communicate with each other as peers. A
FortiSwitch unit can be configured as either a reflector or a client.
Because RRs do more processing than the client routers, the reflectors should have more resources to handle the extra
workload.
Smaller networks running BGP typically do not require RRs. However, RRs are a useful feature for large companies,
where an AS may include 100 routers or more. For example, in a full-mesh configuration of 20 routers within an AS, there
would have to be 190 unique BGP sessions just for routing updates within the AS. The number of sessions jumps to 435
sessions for just 30 routers, or 4950 sessions for 100 routers. Based on these numbers, updating this many sessions will
quickly consume the limited bandwidth and processing resources of the routers involved.
The following diagram illustrates how RRs can improve the situation when only six routers are involved. The AS without
RRs requires 15 sessions between the routers. In the AS with RRs, the two RRs receive route updates from the reflector
clients (unlabeled routers in the diagram) in their cluster, as well as other RRs, and pass them on to the border router.
The RR configuration requires only six sessions. This example shows a reduction of 60% for the number of required
sessions.

Required sessions within an AS with and without RRs

The BGP commands related to RRs include:

config router bgp
config neighbor
edit "<IPv4_IPv6_address>"
set route-reflector-client {disable | enable}
set route-reflector-client6 {disable | enable}
set route-server-client {disable | enable}
set route-server-client6 {disable | enable}
end
end

Confederations

Confederations were introduced to reduce the number of BGP advertisements on a segment of the network and reduce
the size of the routing tables. Confederations essentially break up an AS into smaller units. Confederations are defined
in RFC 3065 and RFC 1965.
Within a confederation, all routers communicate with each other in a full mesh arrangement. Communications between
confederations are more like inter-AS communications because many of the attributes are changed as they would be for
BGP communications leaving the AS, or eBGP.
Confederations are useful when merging ASs. Each AS being merged can easily become a confederation, which
requires few changes. Any additional permanent changes can then be implemented over time, as required. The
diagram below shows the group of ASs before merging and the corresponding confederations afterward, as part of the
single AS with the addition of a new border router. It should be noted that after merging, if the border router becomes a
route reflector, then each confederation only needs to communicate with one other router instead of five others.
Confederations and RRs perform similar functions: they both sub-divide large ASs for more efficient operation. They
differ in that route reflector clusters can include routers that are not members of a cluster, whereas routers in a
confederation must belong to that confederation. Also, confederations place their confederation numbers in the AS_PATH
attribute, making it easier to trace.

NOTE: While confederations essentially create sub-ASs, all the confederations within an AS appear as a single AS to
external ASs.
Confederation related BGP commands include the following:
config router bgp
set confederation-identifier <peerid_integer>
end

Network Layer Reachability Information

Network Layer Reachability Information (NLRI) is unique to BGP-4. It is sent as part of the update messages exchanged
between BGP routers and contains the information needed to supernet, or aggregate, routes. The NLRI includes the
length and prefix that, when combined, are the address of the aggregated routes referred to.
There is only one NLRI entry per BGP update message.

BGP attributes

Each route in a BGP network has a set of attributes associated with it. These attributes define the route and are
modified, as required, along the route.
BGP can work well with mostly default settings, but if you're going to change settings you need to understand the roles
of each attribute and how they affect those settings.
The BGP attributes include the ones listed in the following table.

Attribute                Description
AS_PATH                  A list of ASs a route has passed through. For more information, see AS_PATH on page 262.
MULTI_EXIT_DESC (MED)    Which router to use to exit an AS with more than one external connection. For more information, see MULTI_EXIT_DESC on page 262.
COMMUNITY                Used to apply attributes to a group of routes. For more information, see COMMUNITY on page 263.
NEXT_HOP                 Where the IP packets should be forwarded to, like a gateway in static routing. For more information, see NEXT_HOP on page 263.
ATOMIC_AGGREGATE         Used when routes have been summarized to tell downstream routers not to de-aggregate the route. For more information, see ATOMIC_AGGREGATE on page 263.
ORIGIN                   Used to determine if the route is from the local AS or not. For more information, see ORIGIN on page 264.
LOCAL_PREF               Used only within an AS to select the best route to a location (like MED).

Inbound policies on FortiSwitch units can change the NEXT-HOP, LOCAL-PREF, MED, and AS-PATH attributes of an
internal BGP (iBGP) route for its local route selection purposes. However, outbound policies on the device cannot affect
these attributes.

AS_PATH

AS_PATH is the BGP attribute that keeps track of each AS that a route advertisement has passed through. AS_PATH is
used by confederations and by exterior BGP (EBGP) to help prevent routing loops. A router knows there is a loop if it
receives an AS_PATH with that router's AS in it. The diagram shows the route between Router A and Router B. The
AS_PATH from A to B would read 701,702,703 for each AS that the route passes through.
As of the beginning of 2010, the industry upgraded from 2-byte to 4-byte AS_PATHs. This upgrade was due to the
imminent exhaustion of 2-byte AS_PATH numbers. FortiOS supports 4-byte AS_PATHs in its BGP implementation.

AS_PATH of 701,702, 703 between routers A and B

The BGP commands related to AS_PATH include the following:

config router bgp
set bestpath-as-path-ignore {enable | disable}
end

MULTI_EXIT_DESC

BGP autonomous systems can have one or more routers that connect them to other ASs. For ASs with more than one
connecting router, the Multi-Exit Discriminator (MED) lists which router is best to use when leaving the AS. The MED is
based on attributes, such as delay. It is a recommendation only, as some networks may have different priorities.
BGP updates advertise the best path to a destination network. When a FortiSwitch unit receives a BGP update, the
FortiSwitch unit examines the MED attribute of potential routes to determine the best path to a destination network
before recording the path in the local FortiSwitch routing table.
FortiSwitch units have the option to treat any routes without an MED attribute as the worst possible routing choice. This
can be useful because a lack of MED information is a lack of routing information, which can be suspicious as a possible
hacking attempt or an attack on the network. At best, it signifies an unreliable route to select.
The BGP commands related to MED include the following:
config router bgp
set always-compare-med {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set deterministic-med {enable | disable}
config neighbor
edit "<IPv4_IPv6_address>"
set attribute-unchanged [as-path] [med] [next-hop]
set attribute-unchanged6 {as-path | MED | next-hop}
end
end
end

COMMUNITY

A community is a group of routes that have the same routing policies applied to them. This saves time and resources. A
community is defined by the COMMUNITY attribute of a BGP route.
A FortiSwitch unit can set the COMMUNITY attribute of a route to assign the route to predefined paths (see RFC 1997).
The FortiSwitch unit can examine the COMMUNITY attribute of learned routes to perform local filtering and/or
redistribution.
The BGP commands related to COMMUNITY include the following:
config router bgp
set send-community {both | disable | extended | standard}
set send-community6 {both | disable | extended | standard}
end

NEXT_HOP

The NEXT_HOP attribute says what IP address the packets should be forwarded to next. Each time the route is
advertised, this value is updated. The NEXT_HOP attribute is much like a gateway in static routing.
FortiSwitch units allow you to advertise the FortiSwitch unit's own IP address (instead of the neighbor's IP address) in
the NEXT_HOP information that is sent to IBGP peers. This is changed with the set next-hop-self command under
config neighbor.
The BGP commands related to NEXT_HOP include the following:
config router bgp
config neighbor
edit "<IPv4_IPv6_address>"
set attribute-unchanged [as-path] [med] [next-hop]
set attribute-unchanged6 {as-path | MED | next-hop}
set next-hop-self {enable | disable}
set next-hop-self6 {disable | enable}
next
end
end

ATOMIC_AGGREGATE

The ATOMIC_AGGREGATE attribute is used when routes have been summarized. It indicates which AS and which
router summarized the routes. It also tells downstream routers not to de-aggregate the route. Summarized routes are
routes with similar information that have been combined, or aggregated, into one route that is easier to send in updates.
When it reaches its destination, the summarized route is split back up into the individual routes.

The FortiSwitch unit does not specifically set this attribute in the BGP router command, but it is used in the route map
command.
The CLI commands related to ATOMIC_AGGREGATE include the following:
config router route-map
edit <route_map_name>
set protocol bgp
config rule
edit <route_map_rule_id>
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-atomic-aggregate {enable | disable}
end
end
end

ORIGIN

The ORIGIN attribute records where the route came from. The options can be IBGP, EBGP, or incomplete. This
information is important because internal routes (IBGP) are, by default, higher priority than external routes (EBGP).
However, incomplete ORIGINs are the lowest priority of the three.
The CLI commands related to ORIGIN include the following:
config router route-map
edit <route_map_name>
set protocol bgp
config rule
edit <route_map_rule_id>
set match-origin {egp | igp | incomplete | none}
end
end
end

How BGP works

BGP is a link-state routing protocol and keeps link-state information about the status of each network link it has
connected. A BGP router receives information from its peer routers that have been defined as neighbors. BGP routers
listen for updates from these configured neighboring routers on TCP port 179.
A BGP router is a finite state machine with six states for each connection. As two BGP routers discover each other and
establish a connection, they move from the idle state through the intermediate states until they reach the established
state. An error can cause the connection to drop and the state of the router to reset to either active or idle. Such errors
can be caused by TCP port 179 not being open, a random TCP port above port 1023 not being open, the peer address
being incorrect, or the AS number being incorrect.
When BGP routers start a connection, they negotiate which (if any) optional features will be used, such as multiprotocol
extensions, that can include IPv6 and VPNs.

IBGP versus EBGP

When you read about BGP, you often see EBGP or IBGP mentioned. These are both BGP routing, but BGP used in
different roles. Exterior BGP (EBGP) involves packets crossing multiple autonomous systems (ASs) and interior BGP
(IBGP) involves packets that stay within a single AS. For example, the AS_PATH attribute is only useful for EBGP where
routes pass through multiple ASs.
These two modes are important because some features of BGP are used only for one of EBGP or IBGP. For example,
confederations are used in EBGP and RRs are used only in IBGP. Also, routes learned from IBGP have priority over
routes learned from EBGP.
FortiSwitch units have some commands that are specific to EBGP, including the following:
• automatically resetting the session information to external peers if the connection goes down: set
fast-external-failover {enable | disable}
• setting an administrative distance for all routes learned from external peers (you must also configure local and
internal distances if this is set): set distance-external <distance_integer>
• enforcing EBGP multihops and their TTL (number of hops): set ebgp-enforce-multihop {enable |
disable} and set ebgp-multihop-ttl <seconds_integer>

BGP path determination: Which route to use

Firstly, recall that the number of available or supported routes is not set by the configuration but depends on the
available memory on the FortiSwitch unit. All learned routes and their attributes come into the BGP router in raw form.
Before routes are installed in the routing table or are advertised to other routers, three levels of decisions must be made.
The three phases of BGP best path determination do not change. However, some manufacturers have added more
information to the process, such as Cisco’s WEIGHT attribute, to allow an administrator to force one route’s selection
over another.
There is one Adj-RIB-IN and Adj-RIB-OUT for each configured neighbor. They are updated when the FortiSwitch unit
receives BGP updates or when the FortiSwitch unit sends out BGP updates.

The three phases of a BGP routing decision

Decision phase 1

In this phase, the router calculates how preferred each route and its NLRI in the Adjacent Routing Information Base
Incoming (Adj-RIB-In) are compared to the other routes. For internal routes (IBGP), policy information or LOCAL_PREF
is used. For routes learned from external peers, the preference is based strictly on policy. These rules produce a list of
which routes are most preferred going into Phase 2.

Decision phase 2

Phase 2 involves installing the best route to each destination into the local Routing Information Base (Loc-RIB).
Effectively, the Loc-RIB is the primary routing table. Each route from Phase 1 has its NEXT_HOP checked to ensure
the destination is reachable. If it is reachable, the AS_PATH is checked for loops. After that, routes are installed based
on the following decision process:
• If there is only one route to a location, it is installed.
• If there are multiple routes to the same location, use the most preferred route from Phase 1.
• If there is a tie, break the tie based on the following, in descending order of importance: shortest AS_PATH,
smallest ORIGIN number, smallest MED, EBGP over IBGP, smallest metric or cost for reaching the NEXT_HOP,
BGP identifier, and lowest IP address.
Note that the new routes that are installed into the Loc-RIB are in addition to any existing routes in the table. Once
Phase 2 is completed, the Loc-RIB will consist of the best of both the new and older routes.

Decision phase 3

Phase 3 is route distribution or dissemination. This is the process of deciding which routes the router will advertise. If
there is any route aggregation or summarizing, it happens here. Also, any route filtering from route maps happens here.
Once Phase 3 is complete, an update can be sent out to update the neighbor of new routes.
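
The three phases above can be written down as a small program, which makes the order of the tie-breaks concrete. The Python script below is an added example, not code from the guide or from FortiSwitchOS: it applies the Phase 2 preconditions (reachable NEXT_HOP, no AS_PATH loop), ranks the surviving routes by the Phase 1 degree of preference (LOCAL_PREF) and then by the tie-break list in the order given above, installs one route per prefix into a Loc-RIB dictionary, and applies a Phase 3 export filter. The bestpath-med-missing-as-worst behaviour from the MED section is included as an option. All routes, AS numbers and addresses are constructed sample values; the class and function names are this example's own.

```python
"""Added example (not part of the FortiSwitchOS guide): the three-phase BGP
decision process from this chapter, run over constructed routes.  Route data,
AS numbers and addresses are sample values; names are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # "smallest ORIGIN number"
MED_MAX = 4294967295                                   # worst possible MED


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple                  # AS numbers, nearest AS first
    origin: str = "igp"
    local_pref: int = 100           # Phase 1 degree of preference
    med: Optional[int] = None       # None = attribute absent from the update
    ebgp: bool = False              # learned from an external peer?
    igp_metric: int = 0             # cost to reach NEXT_HOP
    router_id: str = "0.0.0.0"      # BGP identifier of the advertising peer
    peer_ip: str = "0.0.0.0"


def admissible(route, local_as, reachable):
    """Phase 2 preconditions; returns a rejection reason or None."""
    if route.next_hop not in reachable:
        return "next-hop unreachable"
    if local_as in route.as_path:   # our own AS in the path means a loop
        return "AS_PATH loop"
    return None


def preference_key(route, med_missing_as_worst=False):
    """Sort key where smaller is better, in the guide's order of importance."""
    med = route.med
    if med is None:                 # bestpath-med-missing-as-worst: absent MED loses
        med = MED_MAX if med_missing_as_worst else 0
    # Note: the guide's list (and this key) compare MED directly; a full
    # implementation only compares MEDs from the same neighbouring AS unless
    # always-compare-med is enabled.
    return (-route.local_pref,                      # most preferred from Phase 1
            len(route.as_path),                     # shortest AS_PATH
            ORIGIN_RANK[route.origin],              # smallest ORIGIN number
            med,                                    # smallest MED
            0 if route.ebgp else 1,                 # EBGP over IBGP
            route.igp_metric,                       # smallest metric to NEXT_HOP
            ipaddress.ip_address(route.router_id),  # lowest BGP identifier
            ipaddress.ip_address(route.peer_ip))    # lowest peer address


def select_best_paths(routes, local_as, reachable, med_missing_as_worst=False):
    """Phase 2: one best route per prefix for the Loc-RIB, plus rejected routes."""
    candidates, rejected = {}, []
    for route in routes:
        reason = admissible(route, local_as, reachable)
        if reason:
            rejected.append((route, reason))
        else:
            candidates.setdefault(route.prefix, []).append(route)
    loc_rib = {prefix: min(rs, key=lambda r: preference_key(r, med_missing_as_worst))
               for prefix, rs in candidates.items()}
    return loc_rib, rejected


def advertisable(loc_rib, export_filter=lambda route: True):
    """Phase 3: routes that survive route-map style filtering before an update."""
    return [route for route in loc_rib.values() if export_filter(route)]


if __name__ == "__main__":
    reachable = {"203.0.113.1", "203.0.113.2", "203.0.113.3"}   # constructed next hops
    routes = [
        BgpRoute("10.0.0.0/8", "203.0.113.1", (65002, 65003), ebgp=True),
        BgpRoute("10.0.0.0/8", "203.0.113.2", (65004,), ebgp=True, med=50),
        BgpRoute("10.0.0.0/8", "203.0.113.3", (65005, 65001), ebgp=True),   # loops via us
        BgpRoute("192.0.2.0/24", "198.51.100.9", (65006,), ebgp=True),      # unreachable
    ]
    best, rejected = select_best_paths(routes, local_as=65001, reachable=reachable)
    for prefix, route in best.items():
        print(f"{prefix} via {route.next_hop} path {route.as_path}")
    for route, reason in rejected:
        print(f"rejected {route.prefix} via {route.next_hop}: {reason}")
```

The AS_PATH loop check is the one that matters most from a security point of view: a route that already carries the local AS number is discarded in Phase 2 regardless of how attractive its other attributes look, which is what keeps a misconfigured or hostile peer from reflecting the AS's own prefixes back at it.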

Aggregate routes and addresses

BGP-4 allows classless routing, which uses netmasks as well as IP addresses. This classless routing allows the
configuration of aggregate routes by stating the address bits the aggregated addresses have in common.
The ATOMIC_AGGREGATE attribute informs routers that the route has been aggregated and should not be
de-aggregated. An associated AGGREGATOR attribute includes information about the router that did the aggregating,
including its AS.
The BGP commands associated with aggregate routes and addresses are the following:
config router bgp
    config aggregate-address
        edit <aggr_addr_id>
            set as-set {enable | disable}
            set prefix <address_ipv4mask>
            set summary-only {enable | disable}
        end
    end
    config aggregate-address6
        edit <aggr_addr_id>
            set as-set {enable | disable}
            set prefix6 <address_ipv6mask>
            set summary-only {enable | disable}
        end
    end
end
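Added Python illustration of the aggregation described above, not FortiSwitchOS code: it derives the aggregate from the address bits the contributing prefixes share and models what the as-set and summary-only options change in what is advertised. The attribute dictionary and the sample prefixes and AS paths are constructed for the example.

```python
import ipaddress
from typing import Dict, List


def common_aggregate(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Longest prefix whose leading bits every input prefix shares."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    first = nets[0]
    # Try the longest possible mask first and shorten it until all inputs fit.
    for length in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = first.supernet(new_prefix=length)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
    raise ValueError("unreachable: a /0 covers every prefix")


def build_aggregate(routes: Dict[str, List[int]], as_set: bool, summary_only: bool) -> dict:
    """routes maps each contributing prefix to the AS_PATH it was learned with.

    as-set enable   : keep the contributing ASes as an AS_SET so downstream loop
                      detection still works; ATOMIC_AGGREGATE is not needed.
    as-set disable  : path detail is lost, so ATOMIC_AGGREGATE marks the route
                      as one that must not be de-aggregated.
    summary-only    : advertise only the aggregate, suppressing the specifics.
    """
    aggregate = common_aggregate(list(routes))
    contributing_as = sorted({asn for path in routes.values() for asn in path})
    attrs = {"prefix": str(aggregate)}
    if as_set:
        attrs["as_set"] = contributing_as
        attrs["atomic_aggregate"] = False
    else:
        attrs["as_set"] = []
        attrs["atomic_aggregate"] = True
    advertised = [str(aggregate)]
    if not summary_only:
        advertised += sorted(routes)     # more-specific routes are still sent
    attrs["advertised"] = advertised
    return attrs


if __name__ == "__main__":
    # Constructed sample: three /24s learned from different ASes.
    sample = {"10.1.0.0/24": [65001], "10.1.1.0/24": [65002], "10.1.2.0/24": [65001, 65003]}
    print(build_aggregate(sample, as_set=True, summary_only=True))
    print(build_aggregate(sample, as_set=False, summary_only=False))
```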


Troubleshooting BGP

There are some features in BGP that are used to deal with problems that may arise. Typically, the problems with a BGP
network that has been configured involve routes going offline frequently. This is called route flap and causes problems
for the routers using that route.

Clearing routing table entries

To see if a new route is being properly added to the routing table, you can clear all or some BGP neighbor connections
(sessions) using the execute router clear bgp command.

For example, if you have 10 routes in the BGP routing table and you want to clear the specific route to IP address
10.10.10.1, enter the following CLI command:
execute router clear bgp ip 10.10.10.1

To remove all routes for AS number 650001, enter the following CLI command:
execute router clear bgp as 650001

Route flap

When routers or hardware along a route go offline and back online, that is called a route flap. Flapping is the term that is
used if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the peer routers that are connected
to that out-of-service router advertise the change in their routing tables. This creates a lot of administration traffic on the
network and the same traffic re-occurs when that router comes back online. If the problem is something like a faulty
network cable that wobbles online and offline every 10 seconds, there could easily be an overwhelming amount of
routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiSwitch units in HA mode. When an HA cluster fails over
to the secondary unit, other routers on the network may see the HA cluster as being offline, resulting in route flap. While
this does not occur often, or more than once at a time, it can still result in an interruption in traffic that is unpleasant for
network users. The easy solution for this problem is to increase the timers on the HA cluster, such as TTL timers, so
they do not expire during the failover process. Also, configuring graceful restart on the HA cluster helps with a smooth
failover.
The first method of dealing with route flap is to check your hardware. If a cable is loose or bad, it can easily be replaced
and eliminate the problem. If an interface on the router is bad, either avoid using that interface or swap in a functioning
router. If the power source is bad on a router, either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP options. However, if the route flap
is from another source, configuring BGP to deal with the outages will ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
• Holdtime timer
• Dampening
• BFD


Holdtime timer

The first line of defense to a flapping route is the holdtime timer. This timer reduces how frequently a route going down
will cause a routing update to be broadcast.
After it is activated, the holdtime timer does not allow the FortiSwitch unit to accept any changes to that route for the
duration of the timer. If the route flaps five times during the timer period, only the first outage is recognized by the
FortiSwitch unit. For the duration of the other outages, there will not be changes because the FortiSwitch unit is
essentially treating this router as down. If the route is still flapping after the timer expires, it'll happen all over again.
Even if the route is not flapping (for example, if it goes down, comes up, and stays back up) the timer still counts down
and the route is ignored for the duration of the timer. In this situation, the route is seen as down longer than it really is
but there will be only the one set of route updates. This is not a problem in normal operation because updates are not
frequent.
Also, the potential for a route to be treated as down when it is really up can be viewed as a robustness feature. Typically,
you do not want most of your traffic being routed over an unreliable route. So if there is route flap going on, it is best to
avoid that route if you can. This is enforced by the holdtime timer.

How to configure the holdtime timer

There are three different route flapping situations that can occur: the route goes up and down frequently, the route goes
down and back up once over a long period of time, or the route goes down and stays down for a long period of time.
These can all be handled using the holdtime timer.
For example, your network has two routes that you want to set the timer for. One is your main route (to 10.12.101.4)
that all of your Internet traffic goes through, and it cannot be down for long if it is down. The second is a low speed
connection to a custom network that is used infrequently (to 10.13.101.4). The timer for the main route should be fairly
short (for example, 60 seconds). The second route timer can be left at the default because it is rarely used. In your BGP
configuration, this looks like the following:
config router bgp
    config neighbor
        edit 10.12.101.4
            set holdtime-timer 60
        next
        edit 10.13.101.4
            set holdtime-timer 180
        next
    end
end

Dampening

Dampening is a method that is used to limit the amount of network problems due to flapping routes. With dampening,
the flapping still occurs but the peer routers pay less and less attention to that route as it flaps more often. One flap
does not start dampening, but the second flap starts a timer where the router will not use that route because it is
considered unstable. If the route flaps again before the timer expires, the timer continues to increase. There is a period
of time called the reachability half-life, after which a route flap will be suppressed for only half the time. This half-life
comes into effect when a route has been stable for a while but not long enough to clear all the dampening completely.
For the flapping route to be included in the routing table again, the suppression time must expire.


If the route flapping was temporary, you can clear the flapping or dampening from the FortiSwitch unit's cache by using
one of the execute router clear bgp CLI commands:
execute router clear bgp dampening {<ip_address> | <ip/netmask>}

For example, to remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI
command:
execute router clear bgp dampening 10.10.0.0/16

The BGP commands related to route dampening are the following:
config router bgp
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-suppress <limit_integer>
end
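Added Python model of the dampening behaviour described above and of how the four dampening settings interact, not FortiSwitchOS code: each flap adds a penalty, the penalty halves every reachability half-life, the route is suppressed once the penalty crosses the suppress limit and reused once it decays below the reuse limit, and max-suppress-time caps the penalty. The per-flap penalty and the threshold values are constructed assumptions, not the product defaults, so the number of flaps needed before suppression depends on them.

```python
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0   # assumed penalty added per flap (not a FortiSwitchOS value)


@dataclass
class DampeningConfig:
    """The four knobs from the config router bgp dampening commands; the values
    here are constructed for the example, not the product defaults."""
    half_life_min: float = 15.0     # dampening-reachability-half-life
    reuse: float = 750.0            # dampening-reuse
    suppress: float = 2000.0        # dampening-suppress
    max_suppress_min: float = 60.0  # dampening-max-suppress-time

    @property
    def max_penalty(self) -> float:
        """Ceiling that keeps a route from staying suppressed past max-suppress-time."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


class DampenedRoute:
    """Penalty bookkeeping for one route. Times are minutes and must not go backwards."""

    def __init__(self, cfg: DampeningConfig):
        self.cfg = cfg
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        # Exponential decay: the penalty halves every half-life of stability.
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.cfg.half_life_min)
        self.last_update = now
        # Once the penalty falls below the reuse limit the route is usable again.
        if self.suppressed and self.penalty < self.cfg.reuse:
            self.suppressed = False

    def flap(self, now: float) -> None:
        """Record one up/down transition at time `now`."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.cfg.max_penalty)
        if self.penalty >= self.cfg.suppress:
            self.suppressed = True

    def usable(self, now: float) -> bool:
        """True if the route may be installed in the routing table at time `now`."""
        self._decay_to(now)
        return not self.suppressed

    def minutes_until_reuse(self, now: float) -> float:
        """Remaining suppression time, 0 if the route is not suppressed."""
        self._decay_to(now)
        if not self.suppressed:
            return 0.0
        return self.cfg.half_life_min * math.log2(self.penalty / self.cfg.reuse)


if __name__ == "__main__":
    route = DampenedRoute(DampeningConfig())
    for t in (0, 1, 2):                # three flaps one minute apart
        route.flap(t)
        print(f"t={t} min penalty={route.penalty:.0f} usable={route.usable(t)}")
    print(f"reusable again in about {route.minutes_until_reuse(2):.1f} min")
```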

BFD

Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD communicate with each other and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the routing protocol and the routing information is updated.
For more information about BFD, see Bidirectional forwarding detection on page 218.

Configuring BGP

Configuring BGP on the FortiSwitch unit includes the following major steps:
1. Enter the BGP configuration mode.
2. Set the autonomous system and router identifier.
3. Configure a BGP neighbor.
4. Redistribute non-BGP routes. Advertise these non-BGP routes within BGP.

1. Enter the BGP configuration mode

Enter the BGP configuration mode to access all of the BGP configuration commands:
# config router bgp

2. Set the autonomous system and router identifier

Set the autonomous system. For IBGP, the AS value needs to match the remote-as value in the neighbor router. For
EBGP, the AS value differs from the remote-as value in the neighbor router. You also need to specify a fixed router
identifier for the FortiSwitch unit. These two commands are mandatory.
# set as <AS number>
# set router-id <IP_address>


3. Configure the BGP neighbors

Configure the BGP neighbors.


NOTE: For IBGP, if the IP address of the BGP neighbor is a loopback address, you must use the set update-source
command to specify which interface address will be used as the source IP address in the outgoing BGP packet.
config neighbor
    edit "<IPv4_or_IPv6 address>"
        set remote-as <1-4294967295>
    end

4. Redistribute non-BGP routes

Redistribute non-BGP IPv4 or IPv6 routes within BGP:
config redistribute {connected | isis | ospf | rip | static}
    set status enable
    set route-map <string>
end

config redistribute6 {connected | isis | ospf | rip | static}
    set status {disable | enable}
    set route-map <string>
end

Other BGP commands

Clearing the BGP routes

Use the following commands to clear the BGP routes:
execute router clear bgp all
execute router clear bgp ip <IPv4_or_IPv6_address>
execute router clear bgp ipv6 <IPv4_or_IPv6_address>
execute router clear bgp as <AS_number>
execute router clear bgp dampening <IP_address>

Checking the BGP configuration

The get router info bgp and get router info6 bgp commands have options to display different aspects
of the BGP configuration and status.
For example:
get router info bgp neighbors
get router info bgp network
get router info6 bgp filter-list
get router info6 bgp route-map


Changing the maximum number of paths for ECMP

If you are using equal-cost multi-path (ECMP) routing with EBGP or IBGP, the maximum number of paths is 1 by
default. Use the following commands to change the default:
config router bgp
    set maximum-paths-ebgp <1-64>
    set maximum-paths-ibgp <1-64>
end

Sample configurations

Here is an example of a BGP routing configuration:

Configure system interfaces

Interface configuration for FortiSwitch 1:
config system interface
    edit mgmt
        set ip 10.105.7.9 255.255.255.0
        set allowaccess ping https http ssh telnet
        set type physical
    next
    edit internal
        set type physical
    next
    edit vlan20-p2
        set ip 192.168.2.100 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 20
        set interface internal
    next
    edit vlan40-p4
        set ip 172.168.111.6 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 40
        set interface internal
    next
end
config switch interface
    edit "port2"
        set native-vlan 20
        set stp-state disabled
    next
    edit "port4"
        set native-vlan 40
        set stp-state disabled
    next
    edit "internal"
        set allowed-vlans 1,20,40,4094
        set stp-state disabled
    next
end

Internal BGP

In this example, the two neighboring switches are in the same autonomous system.
Configuration for FortiSwitch 1:
config router bgp
    set as 6500
    set router-id 1.2.3.4
    config neighbor
        edit "172.168.111.5"
            set remote-as 6500
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

Configuration for FortiSwitch 2:
config router bgp
    set as 6500
    set router-id 5.6.7.8
    config neighbor
        edit "172.168.111.6"
            set remote-as 6500
        next
    end
    config network
        edit 1
            set prefix 10.50.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

External BGP

In this example, the two neighboring switches are in separate autonomous systems.
Configuration for FortiSwitch 1:
config router bgp
    set as 6500
    set router-id 1.2.3.4
    config neighbor
        edit "172.168.111.5"
            set remote-as 7500
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

Configuration for FortiSwitch 2:
config router bgp
    set as 7500
    set router-id 5.6.7.8
    config neighbor
        edit "172.168.111.6"
            set remote-as 6500
        next
    end
    config network
        edit 1
            set prefix 10.50.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

Using the following command, you can check the BGP status on the local switch:
# get router info bgp summary

To check the details about the BGP neighbors:
# get router info bgp neighbors

To check the routes learned by BGP, use the following command:
# get router info routing-table details

PIM routing

NOTE: You must have an advanced features license to use PIM routing.
A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) version-4 router. FortiSwitchOS supports PIM
source-specific multicast (SSM) and version 3 of Internet Group Management Protocol (IGMP).
You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When
PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit
communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast
traffic associated with specific multicast groups.
NOTE:
• Access lists, prefix lists, and route maps are not supported.
• Bidirectional forwarding detection (BFD) is not supported.
• You cannot use PIM and the IGMP querier at the same time on the same switch virtual interface.
• PIM and IGMP snooping work independently.
• IPv6 is not supported.
• IGMP version-3 explicit membership tracking is not supported.
• SSM mapping is not supported.
• The multicast routing information base (MRIB) is not supported.
• The PIM management information base (MIB) is not supported.
This chapter covers the following topics:
• Terminology on page 276
• Configuring PIM on page 276
• Checking the PIM configuration on page 277

Terminology

PIM domain: A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at
least one Boot Strap Router (BSR) and a number of Rendezvous Points (RPs) and Designated Routers (DRs).
RP: An RP represents the root of a non-source-specific distribution tree to a multicast group.

Configuring PIM

To configure a PIM domain:

1. Determine the appropriate paths for multicast packets.
2. Make a note of the interfaces that will be PIM enabled. These interfaces can run a unicast routing protocol.
3. If you want multicast packets to be handled by specific (static) rendezvous points (RPs), record the IP addresses of
the PIM-enabled interfaces on those RPs.
4. Enable PIM version 4 on all participating routers between the source and receivers. Use the config router
multicast command to set global operating parameters.
5. Configure the PIM routers that have good connections throughout the PIM domain to be candidate boot strap
routers (BSRs).
6. Configure one or more of the PIM routers to be candidate RPs.
7. If required, adjust the default settings of PIM-enabled interface(s).

To configure the source allowed for a multicast flow:

config router multicast-flow
    edit <name>
        set comments <string>
        config flows
            edit <multicast-flow_entry_identifier>
                set group-addr <224-239.xxx.xxx.xxx>
                set source-addr <IP_address>
            next
        end
    next
end

To configure a FortiSwitch unit to support PIM:

config router multicast
    set multicast-routing {disable | enable}
    config interface
        edit {interface_name | internal | mgmt}
            set pim-mode ssm-mode
            set hello-interval <1-180>
            set dr-priority <1-4294967295>
            set multicast-flow <string>
            config igmp
                set query-interval <1-65535>
                set query-max-response-time <1-25>
            end
        next
    end
end

Checking the PIM configuration

Use the following commands to check your PIM configuration:
get router info multicast config
get router info multicast igmp {groups | sources | querier | interface | join | parameters}
get router info multicast pim {neighbour | interface}


IS-IS routing

NOTE: You must have an advanced features license to use IS-IS routing.
Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless
Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between
Autonomous Systems (AS).
IS-IS is a link state protocol that is well-suited to smaller networks. It is in widespread use and has near universal
support on routing hardware. It is quick to configure and works well if there are no redundant paths. However, IS-IS
updates are sent out node-by-node, so it can be slow to find a path around network outages. IS-IS also lacks good
authentication, cannot choose routes based on different quality-of-service methods, and can create network loops if
you are not careful. IS-IS uses Dijkstra's algorithm to find the best path, like OSPF.
While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures,
largely due to its native support for IPv6 and its nondisruptive methods for splitting, merging, migrating, and
renumbering network areas.
This chapter covers the following topics:
• Terminology on page 278
• Configuring IS-IS on page 278
• Checking the IS-IS configuration on page 281

Terminology

TLV: IS-IS uses type-length-value (TLV) parameters to carry information in Link-State PDUs (LSPs). The TLV field
consists of one octet of type (T), one octet of length (L), and “L” octets of value (V).
Link-state PDU (LSP): The LSP contains information about each router in an area and its connected interfaces.
Complete sequence number PDU (CSNP): CSNPs contain a list of all LSPs in the current LSDB.
Authentication keychain: A keychain is a list of one or more authentication keys including the send and receive
lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes.
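The TLV layout defined above (one octet of type, one octet of length, L octets of value), as an added Python encoder and parser that is not FortiSwitchOS code. It refuses truncated input instead of reading past the end of a PDU, and flags Authentication TLVs that carry a plain password, the weak mode the keychain options exist to replace. The type codes are the well-known values from the IS-IS standards, not from this page, and the sample bytes are constructed.

```python
from typing import List, Tuple

# Well-known IS-IS TLV type codes used in the sample (from the IS-IS standards,
# not from this page): 1 = Area Addresses, 10 = Authentication.
TLV_AREA_ADDRESSES = 1
TLV_AUTHENTICATION = 10
AUTH_TYPE_CLEARTEXT = 1      # first value octet of an Authentication TLV: plain password


class TlvError(ValueError):
    """Raised for input that does not fit the one-octet T / one-octet L layout."""


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Produce T (1 octet), L (1 octet), then L octets of V."""
    if not 0 <= tlv_type <= 255:
        raise TlvError("type must fit in one octet")
    if len(value) > 255:
        raise TlvError("value longer than 255 octets does not fit a one-octet length")
    return bytes([tlv_type, len(value)]) + bytes(value)


def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV list, refusing to read past the end of a truncated PDU."""
    tlvs = []
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise TlvError(f"truncated TLV header at offset {offset}")
        tlv_type, length = data[offset], data[offset + 1]
        start, end = offset + 2, offset + 2 + length
        if end > len(data):
            raise TlvError(f"TLV type {tlv_type} declares {length} octets "
                           f"but only {len(data) - start} remain")
        tlvs.append((tlv_type, data[start:end]))
        offset = end
    return tlvs


def cleartext_passwords(tlvs: List[Tuple[int, bytes]]) -> List[bytes]:
    """Audit helper: passwords from Authentication TLVs in plain-password mode.

    Anyone on the link can read these, which is why the keychain/MD5 options on the
    interface are preferable to the password mode."""
    marker = bytes([AUTH_TYPE_CLEARTEXT])
    return [value[1:] for tlv_type, value in tlvs
            if tlv_type == TLV_AUTHENTICATION and value[:1] == marker]


def sample_lsp_tlvs() -> bytes:
    """Constructed sample: an Area Addresses TLV for area 49.0002 followed by a
    plain-password Authentication TLV. Each area address carries its own length octet."""
    area = bytes([3, 0x49, 0x00, 0x02])
    auth = bytes([AUTH_TYPE_CLEARTEXT]) + b"s3cret"
    return encode_tlv(TLV_AREA_ADDRESSES, area) + encode_tlv(TLV_AUTHENTICATION, auth)


if __name__ == "__main__":
    pdu = sample_lsp_tlvs()
    for tlv_type, value in parse_tlvs(pdu):
        print(f"type={tlv_type} length={len(value)} value={value.hex()}")
    print("plain passwords found:", cleartext_passwords(parse_tlvs(pdu)))
```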

Configuring IS-IS

Configuring IS-IS on the FortiSwitch unit includes the following major steps:
1. Enter the IS-IS configuration mode.
2. Configure the interface.
3. Configure the network.
4. Redistribute non-IS-IS routes. Advertise these non-IS-IS routes within IS-IS.


1. Enter the IS-IS configuration mode

Enter the IS-IS configuration mode to access all of the IS-IS configuration commands:
# config router isis

2. Configure the interface

Enable the status option for IPv4 traffic or the status6 option for IPv6 traffic on the specified interface:
config interface
    edit <IS-IS interface name>
        set auth-keychain-hello <string>
        set auth-mode-hello {md5 | password}
        set auth-password-hello <password>
        set bfd {enable | disable}
        set bfd6 {enable | disable}
        set circuit-type {level-1 | level-1-2 | level-2}
        set csnp-interval-l1 <1-65535 seconds>
        set csnp-interval-l2 <1-65535 seconds>
        set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>
        set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>
        set hello-multiplier-l1 <2-100>
        set hello-multiplier-l2 <2-100>
        set hello-padding {disable | enable}
        set metric-l1 <1-63>
        set metric-l2 <1-63>
        set passive {disable | enable}
        set priority-l1 <0-127>
        set priority-l2 <0-127>
        set status {disable | enable}
        set status6 {disable | enable}
        set wide-metric-l1 <1-16777214>
        set wide-metric-l2 <1-16777214>
    end

3. Configure the network

Configure the IS-IS network:
config net
    edit <identifier>
        set net <IS-IS net xx.xxxx. ... .xxxx.xx>
    end

4. Redistribute non-IS-IS routes

Redistribute non-IS-IS routes within IS-IS for IPv4 traffic or for IPv6 traffic:
config redistribute {bgp | connected | ospf | rip | static}
    set status {disable | enable}
    set metric <0-4261412864>
    set metric-type {external | internal}
    set level {level-1 | level-1-2 | level-2}
    set routemap <string>
end

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}
    set status {disable | enable}
    set metric <0-4261412864>
    set level {level-1 | level-1-2 | level-2}
    set routemap <string>
end

The following is an example of an IS-IS configuration for IPv4 traffic:
config router isis
    set default-information-metric 60
    config interface
        edit "vlan100"
            set circuit-type level-1
            set priority-l1 80
            set wide-metric-l1 200
        next
        edit "vlan102"
            set circuit-type level-2
        next
    end
    config net
        edit 1
            set net 49.0002.0000.0000.1048.00
        next
    end
    set metric-style wide
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "static"
    end
end

The following is an example of an IS-IS configuration for IPv6 traffic:
config router isis
    config interface
        edit "vlan10"
        next
    end
    config net
        edit 1
            set net 49.0000.0010.0100.1001.00
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "static"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "static"
    end
    config redistribute6 "ospf6"
    end
    config redistribute6 "ripng"
    end
end

Configuring BFD for IS-IS

You can use bidirectional forwarding detection (BFD) for the IS-IS routing protocol using IPv4 or IPv6 addresses:
config router isis
    config interface
        edit <IS-IS interface name>
            set bfd {enable | disable}
            set bfd6 {enable | disable}
        next
    end
end

For example, if you want to enable IPv4 BFD on vlan100:
config router isis
    config interface
        edit "vlan100"
            set bfd enable
        next
    end
end

Checking the IS-IS configuration

Use the following commands to check your IS-IS configuration:
get router info isis interface
get router info isis route
get router info isis summary
get router info isis topology
get router info6 isis interface
get router info6 isis route
get router info6 isis summary
get router info6 isis topology


Users and user groups

The FortiSwitch unit provides authentication mechanisms to control user access to the system (based on the user group
associated with the user). The members of user groups are user accounts. Local users and peer users are defined on
the FortiSwitch unit. User accounts can also be defined on remote authentication servers.
This section describes how to configure local users and peer users and how to configure user groups. For information
about configuring the authentication servers, see Remote authentication servers on page 41.
This chapter covers the following topics:
• Users on page 282
• User groups on page 283

Users

A user account consists of a user name, password, and potentially other information, configured in a local user database
or on an external authentication server.
Users can access resources that require authentication only if they are members of an allowed user group.

Using the GUI:

1. Go to System > User > Definition.
2. Select Add User.
3. Enter the user name.
4. Select Enable to make the user account active.
5. Enter the password for the user account. Passwords can be up to 64 characters in length.
6. Select Add.

Using the CLI:

config user local
    edit <user_name>
        set ldap-server <server_name>
        set passwd <password_string>
        set radius-server <server_name>
        set tacacs+-server <server_name>
        set status {enable | disable}
        set type <auth-type>
    end


The following table describes the fields:

user_name
    Identifies the user.
password_string
    A password for the local user. Passwords can be up to 64 characters in length.
ldap-server <server_name>, radius-server <server_name>, tacacs+-server <server_name>
    To authenticate this user using a password stored on a remote authentication server, select the type of server
    and then select the server from the list. You can select only a server that has already been added to the
    FortiSwitch configuration.
status
    Enable or disable this user.

User groups

A user group contains a list of local and remote users.
Security policies allow access to specified user groups only. This restricted access enforces Role Based Access Control
(RBAC) to your organization’s network and its resources. Users must be in a group and that group must be part of the
security policy.

Using the GUI:

1. Go to System > User > Group.
2. Select Add Group.
3. Enter the group name.
4. Select which available users will be members of the new user group.
5. Select Enable to make the user account active.
6. If you want to use an authentication server, select Add Server.
   • Select the server name. If no server name is available, go to System > Authentication to add an
     authentication server.
   • Enter a group name or select Any.
7. Select Add Group.

Using the CLI:

config user group
    edit <groupname>
        set authtimeout <timeout>
        set group-type <grp_type>
        set http-digest-realm <attribute>
        set member <names>
        config match
            edit <match_id>
                set group-name <gname_str>
                set server-name <srvname_str>
            next
        end
    next
end

The following table describes the parameters:

groupname
    Identifies the user group.
authtimeout <timeout>
    Sets the authentication timeout for the user group. The range is 1 to 480 minutes. If this field is set to 0, the
    global authentication timeout value is used.
group-type <grp_type>
    Enter the group type. <grp_type> determines the type of users and is one of the following:
    • firewall: FortiSwitch users defined in user local, user ldap, or user radius
    • fsso-service: Directory Service users
http-digest-realm <attribute>
    Enter the realm attribute for MD5-digest authentication.
member <names>
    Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names
    with spaces. To add or remove names from the group, you must re-enter the whole list with the additions or
    deletions required.

config match fields:

<match_id>
    Enter an ID for the entry.
group-name <gname_str>
    Identifies the matching group on the remote authentication server.
server-name <srvname_str>
    Specifies the remote authentication server.


MACsec

Media Access Control security (MACsec) secures each switch-to-switch link by encrypting all network traffic within an
Ethernet LAN.
MACsec uses the static connectivity association key (CAK) mode. You specify the connectivity association key (CAK)
and the connectivity association name (CKN) for the pre-shared key in the MACsec profile and then apply the profile to a
switch port.

Notes:

• SNMP is not supported.
• The port-security-mode must be set to macsec for each interface that you want to apply MACsec to.
• The MACsec profile must be applied at the port level.
• For this release, FortiSwitchOS supports static CAK mode. Dynamic CAK mode and static secure association key
(SAK) mode are not supported.

To use MACsec:

1. Create a MACsec profile.
2. Apply the MACsec profile to a port.
3. View the MACsec details.
4. Optional. Clear or reset the MACsec statistics.

Creating the MACsec profile

To create a MACsec profile:

config switch macsec profile
    edit <MACsec_profile_name>
        set cipher_suite GCM_AES_128
        set confident-offset {0 | 30 | 50}
        set encrypt-traffic {enable | disable}
        set include-macsec-sci {enable | disable}
        set include-mka-icv-ind enable
        set macsec-mode static-cak
        set macsec-validate strict
        set mka-priority <0-255>
        set replay-protect {enable | disable}
        set replay-window <0-16777215>
        set status {enable | disable}
        config mka-psk
            edit <pre-shared key name>
                set crypto-alg AES_128_CMAC
                set mka-cak <string>
                set mka-ckn <string>
                set status active
            next
        end
        config traffic-policy
            edit <traffic_policy_name>
                set security-policy must-secure
                set status enable
            next
        end
    next
end

The following table describes the variables and their defaults:

<profile_name>
    Enter a name for the MACsec profile.
    Default: No default
cipher_suite GCM_AES_128
    Only the GCM-AES-128 cipher suite is available currently for encryption.
    Default: GCM_AES_128
confident-offset {0 | 30 | 50}
    Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the
    MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not
    encrypted.
    Default: 0
encrypt-traffic {enable | disable}
    Enable or disable whether MACsec traffic is encrypted.
    Default: enable
include-macsec-sci {enable | disable}
    Enable or disable whether to include the MACsec transmit secure channel identifier (SCI).
    Default: enable
include-mka-icv-ind enable
    The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.
    Default: enable
macsec-mode static-cak
    The MACsec mode is always static connectivity association key (CAK).
    Default: static-cak
macsec-validate strict
    The MACsec validation is always strict.
    Default: strict
mka-priority <0-255>
    Enter the MACsec MKA priority.
    Default: 255
replay-protect {enable | disable}
    Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence,
    depending on the replay-window value.
    Default: disable
replay-window <0-16777215>
    Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between
    their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range
    is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.
    Default: 32
status {enable | disable}
    Enable or disable this MACsec profile.
    Default: enable
config mka-psk
    Configure the MACsec MKA pre-shared key.
<pre-shared key name>
    Enter a name for this MACsec MKA pre-shared key configuration.
    Default: No default
crypto-alg AES_128_CMAC
    Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key.
    Default: AES_128_CMAC
mka-cak <string>
    Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32
    bytes long.
    Default: No default
mka-ckn <string>
    Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 byte to
    64 bytes long.
    Default: No default
status active
    The status of the pre-shared key pair is always active.
    Default: active
config traffic-policy
    Configure the MACsec traffic policy.
<traffic_policy_name>
    Enter a name for this MACsec traffic policy.
    Default: No default
security-policy must-secure
    The policy must secure traffic for MACsec.
    Default: must-secure
status enable
    The status of this MACsec traffic policy is always enabled.
    Default: enable

For example:
config switch macsec profile
edit "2"
set cipher_suite GCM_AES_128
set confident-offset 0
set encrypt-traffic enable
set include-macsec-sci enable
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority 199
config mka-psk
edit "2"
set crypto-alg AES_128_CMAC
set mka-cak "0123456789ABCDEF0123456789ABCDEE"
set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
set status active
next
end
set replay-protect disable
set replay-window 32
set status enable
config traffic-policy
edit "2"
set security-policy must-secure
set status enable
next
end
next
end
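As an added example (not FortiSwitchOS code), the following Python checks the mka-cak and mka-ckn length limits from the table above and simulates the replay-window rule for a stream of MACsec packet numbers. The receive-side rule follows IEEE 802.1AE (accept a packet number that is at least the next expected number minus the window and has not been seen before, so a window of 0 means strictly in order); the hex strings and packet-number sequences are constructed test data.

```python
"""Added example: validate a MACsec MKA pre-shared key and simulate the
replay window described in the FortiSwitch MACsec profile table.
Constructed test data; not FortiSwitchOS code."""
from dataclasses import dataclass, field

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _hex_byte_len(value: str) -> int:
    """Return the byte length of a hex string, or raise if it is not valid hex."""
    if not value or len(value) % 2 or any(c not in HEX_DIGITS for c in value):
        raise ValueError(f"not an even-length hex string: {value!r}")
    return len(value) // 2


def validate_mka_psk(cak: str, ckn: str) -> list:
    """Check mka-cak (up to 32 bytes) and mka-ckn (1 to 64 bytes) as the
    profile table specifies. Returns a list of problems; empty means OK."""
    problems = []
    try:
        if _hex_byte_len(cak) > 32:
            problems.append("mka-cak longer than 32 bytes")
    except ValueError as exc:
        problems.append(f"mka-cak: {exc}")
    try:
        if not 1 <= _hex_byte_len(ckn) <= 64:
            problems.append("mka-ckn must be 1 to 64 bytes")
    except ValueError as exc:
        problems.append(f"mka-ckn: {exc}")
    return problems


@dataclass
class ReplayWindow:
    """Receive-side replay check (IEEE 802.1AE style): a packet number (PN)
    below next_pn - window is dropped, and a PN already seen is dropped.
    Window 0 therefore accepts only strictly increasing PNs."""
    window: int
    next_pn: int = 1
    seen: set = field(default_factory=set)

    def accept(self, pn: int) -> bool:
        lowest_ok = max(self.next_pn - self.window, 1)
        if pn < lowest_ok or pn in self.seen:
            return False
        self.seen.add(pn)
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        # Forget PNs that fell out of the window so the set stays bounded.
        self.seen = {p for p in self.seen if p >= self.next_pn - self.window}
        return True


def simulate(window: int, pns: list) -> list:
    """Return the PNs that would be dropped for a given replay-window size."""
    rw = ReplayWindow(window)
    return [pn for pn in pns if not rw.accept(pn)]


if __name__ == "__main__":
    # CAK/CKN from the page's example profile (16 and 32 bytes respectively).
    print(validate_mka_psk("0123456789ABCDEF0123456789ABCDEE",
                           "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"))
    # Constructed out-of-order arrival: same stream, three window sizes.
    for w in (0, 32, 100):
        print(w, simulate(w, [10, 50, 30, 17, 50]))
```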


Applying the MACsec profile to a port

To apply the MACsec profile to a port:

config switch interface
edit <port_name>
config port-security
set port-security-mode macsec
set macsec-profile <MACsec_profile_name>
end
next
end

For example:
config switch interface
edit port49
set native-vlan 50
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 49
config port-security
set port-security-mode macsec
set macsec-profile "macsec_profile1"
end
next
end

Viewing the MACsec details

You can view the MACsec status and the MACsec traffic statistics for a specific port:
- diagnose switch macsec status <port_name>
- diagnose switch macsec statistics <port_name>
You can view the creation and deletion of secure associations:
diagnose debug kernel level 8

Clearing or resetting the MACsec statistics

You can clear all MACsec statistics on a single interface:

execute macsec clearstat interface <interface_name>

You can reset the MACsec session on a single interface:

execute macsec reset interface <interface_name>

For example:
execute macsec clearstat interface port15
execute macsec reset interface port15


802.1x authentication

To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port
on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the
authentication server communicate through the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS,
EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the FortiSwitch unit.
The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs
device. The switch provides network access only to devices that have successfully been authenticated.
The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:

Model Total number of devices supported per switch

108 80

112 120

124/224/424/524/1024 240

148/248/448/548/1048 480

3032 320

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond
to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the
user name and password for authentication.
Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was
unsuccessful, and a VLAN for users when the authentication server is unavailable.
When the authentication server is unavailable after the server timeout period expires:
- You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:

config switch interface
edit <interface_name>
config port-security
set port-security-mode {802.1X | 802.1X-mac-based}
set authserver-timeout-period <3-15 seconds>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
end
set security-groups <security-group-name>
next
end

- You can control how often the FortiSwitch unit checks whether the RADIUS server is available:

config user radius
edit <RADIUS_user_name>
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
next
end

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.
This chapter covers the following topics:
- Dynamic VLAN assignment on page 290
- MAC authentication bypass (MAB) on page 291
- Configuring global settings on page 293
- Configuring the 802.1x settings on an interface on page 295
- Viewing the 802.1x details on page 297
- Clearing port authorizations on page 298
- Authenticating users with a RADIUS server on page 299
- Authenticating an admin user with RADIUS on page 307
- RADIUS accounting and FortiGate RADIUS single sign-on on page 310
- RADIUS change of authorization (CoA) on page 312
- Use cases on page 315
- Detailed deployment notes on page 318

Dynamic VLAN assignment

You can configure the RADIUS server to return a VLAN in the authentication reply message:
1. On the FortiSwitch unit, select port-based authentication or MAC-based authentication and a security group.
2. On the RADIUS server, configure the attributes.

Using the GUI:

1. Go to Switch > Interface > Physical.


2. Select a port and then select Edit.
3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.

4. Select one or more security groups.


5. Select OK.


Using the CLI:

To select port-based authentication and the security group on the FortiSwitch unit:
config switch interface
edit <interface_name>
config port-security
set port-security-mode 802.1X
end
set security-groups <security-group-name>
end

The FortiSwitch unit will change the native VLAN of the port to that of the VLAN from the server.
To select MAC-based authentication and the security group on the FortiSwitch unit:
config switch interface
edit <interface_name>
config port-security
set port-security-mode 802.1X-mac-based
end
set security-groups <security-group-name>
end

Here, the switch assigns the returned VLAN only to this userʼs MAC address. The native VLAN of the port remains
unchanged.
Use the following configuration command to view the MAC-based VLAN assignments:
diagnose switch vlan assignment mac list [sorted-by-mac | sorted-by-vlan]

Configure the following attributes in the RADIUS server: 


- Tunnel-Private-Group-Id—VLAN ID or name (10)
- Tunnel-Medium-Type—IEEE-802 (6)
- Tunnel-Type—VLAN (13)
NOTE: If the Tunnel-Private-Group-Id attribute is set to the VLAN name, the same string must be specified in the set
description command under the config switch vlan command. For example:
config switch vlan
edit 100
set description "local_vlan"
next
end
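As an added example (not FortiSwitchOS or RADIUS-server code), the following Python encodes the three tunnel attributes listed above into RADIUS attribute-value pairs, parses them back the way a switch would, and resolves the returned VLAN against a VLAN table shaped like the config switch vlan example. The attribute type numbers (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81) and the tag-byte convention come from RFC 2868; the VLAN table, the tag values and the function names are this example's own.

```python
"""Added example: build and validate the RADIUS tunnel attributes a FortiSwitch
port uses for dynamic VLAN assignment. Constructed data; not FortiSwitchOS code."""
import struct

# RFC 2868 attribute types (not on the page; standard values).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # value the page requires for Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6   # value the page requires for Tunnel-Medium-Type


def _avp(attr_type: int, payload: bytes) -> bytes:
    """RADIUS attribute: 1-byte type, 1-byte total length, then the value."""
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def build_vlan_reply(group_id: str, tag: int = 0) -> bytes:
    """Encode the three attributes as a RADIUS server would put them in an
    Access-Accept. Tagged tunnel attributes carry a 1-byte tag (0x00-0x1F)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    # Integer-valued tagged attributes: tag byte + 3-byte value.
    ttype = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tmed = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    return (_avp(TUNNEL_TYPE, ttype)
            + _avp(TUNNEL_MEDIUM_TYPE, tmed)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode()))


def parse_attributes(data: bytes) -> dict:
    """Walk the attribute list; reject truncated or malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def _strip_tag(value: bytes) -> bytes:
    """RFC 2868: a leading byte above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value


def resolve_vlan(reply: bytes, vlan_table: dict) -> int:
    """Return the VLAN ID the switch should assign, or raise if the reply is
    not a valid VLAN assignment. vlan_table maps VLAN ID -> description."""
    attrs = parse_attributes(reply)
    for required in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if required not in attrs:
            raise ValueError(f"missing attribute {required}")
    if int.from_bytes(_strip_tag(attrs[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type is not VLAN (13)")
    if int.from_bytes(_strip_tag(attrs[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_IEEE_802:
        raise ValueError("Tunnel-Medium-Type is not IEEE-802 (6)")
    group = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    if group.isdigit():                 # numeric form: the VLAN ID itself
        vlan_id = int(group)
        if vlan_id not in vlan_table:
            raise ValueError(f"VLAN {vlan_id} is not configured")
        return vlan_id
    # Name form: must equal a "set description" string under config switch vlan.
    for vlan_id, description in vlan_table.items():
        if description == group:
            return vlan_id
    raise ValueError(f"no VLAN with description {group!r}")


def assign_or_reject(reply: bytes, vlan_table: dict):
    """What a port-security handler needs: a VLAN ID, or None to reject."""
    try:
        return resolve_vlan(reply, vlan_table)
    except ValueError:
        return None


# Constructed VLAN table mirroring the page's example (edit 100 / "local_vlan").
SWITCH_VLANS = {1: "default", 100: "local_vlan"}

if __name__ == "__main__":
    print(assign_or_reject(build_vlan_reply("100"), SWITCH_VLANS))
    print(assign_or_reject(build_vlan_reply("local_vlan", tag=1), SWITCH_VLANS))
    print(assign_or_reject(build_vlan_reply("no_such_vlan"), SWITCH_VLANS))
```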

MAC authentication bypass (MAB)

Devices such as network printers, cameras, and sensors might not support 802.1x authentication. If you enable the
MAB option on the port, the system will use the device MAC address as the user name and password for authentication.
MAB retries authentication three times before the device is assigned to a guest VLAN for unauthorized users. By
default, reauthentication is disabled. Use the following commands if you want to change the default behavior:
config switch global
config port-security
set mab-reauth enable
end

You must provision the RADIUS server to authenticate the devices that use MAB, either by adding the MAC addresses
as regular users or by implementing additional logic to resolve the MAC addresses in a network inventory database.
The following flowchart shows the FortiSwitch 802.1x port-based authentication with MAB enabled:


The following flowchart shows the FortiSwitch 802.1x MAC-based authentication with MAB enabled:

Configuring global settings

To select which 802.1x certificate and certificate authority that the FortiSwitch unit uses, see SSL configuration on page
62.
If a link goes down, you can select whether the impacted devices must reauthenticate. If reauthentication is
unnecessary, select Do Not Require Re-Authentication. To revert all devices to the unauthenticated state and force
each device to reauthenticate, select Require Re-Authentication.
MAB retries authentication before assigning a device to a guest VLAN for unauthorized users. MAB is disabled by
default in the CLI.


The Re-Authentication Period (Minutes) field defines how often the device needs to reauthenticate (that is, if a session
remains active beyond this number of minutes, the system requires the device to reauthenticate). Set the value to 0 to
disable reauthentication.
If 802.1x authentication fails, the Maximum Re-Authentication Attempts field caps the number of attempts that the
system will initiate. Set the value to 0 to disable the reauthentication attempts.

Using the GUI:

1. Go to Switch > Interface > Port Security.

2. Select Require Reauthentication to revert all devices to the unauthenticated state if the link goes down or select
Do Not Require Reauthentication if reauthentication is unnecessary if the link goes down.
3. In the Re-Authentication Period (Minutes) field, enter the number of minutes before the system requires the device
to reauthenticate.
4. In the Maximum Re-Authentication Attempts field, enter the maximum number of times that the system tries to
reauthorize the session.
5. Select Update.

Using the CLI:

config switch global
config port-security
set link-down-auth {no-action | set-unauth}
set mab-reauth {enable | disable}
set max-reauth-attempt <0-15>
set reauth-period <0-1440>
end

NOTE: Changes to global settings only take effect when new 802.1x/MAB sessions are created.


Configuring the 802.1x settings on an interface

Using the GUI:

1. Go to Switch > Interface > Physical.


2. Select a port and then select Edit.


3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
The Port Security section displays additional options.

4. Select MAC Auth Bypass.


5. Select EAP Pass-Through Mode.
NOTE: EAP Pass-Through Mode is enabled by default, which is the recommended setting. If the RADIUS
authentication server does not support EAP-TLS, the EAP Pass-Through Mode needs to be disabled.
6. Select Frame VLAN Apply to apply the EAP/MAB frame VLAN to the port native VLAN.
NOTE: For phone and PC configuration only, clear the checkbox to preserve the native VLAN when the data traffic
is expected to be untagged.
7. Select Open Authentication to enable open authentication (monitor mode) on this interface. Use the monitor mode
to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based
authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. After you
enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.
8. Select Guest VLAN if you want to assign a VLAN to unauthorized users. If you select Guest VLAN, enter the guest
VLAN identifier in the Guest VLAN ID field and enter the number of seconds for an unauthorized user to have
access as a guest before authorization fails in the Guest Auth Delay field.
9. Select Auth Fail VLAN if you want to assign a VLAN to users who attempted to authenticate but failed to provide
valid credentials. If you select Auth Fail VLAN , enter the VLAN identifier in the Auth Fail VLAN ID field.
10. If you want to use the RADIUS-provided reauthentication time, select RADIUS Session Timeout.


11. If you are using port-based authentication or MAC-based authentication, select one or more security groups.
12. Select OK.

Using the CLI:

config switch interface
edit <port>
config port-security
set port-security-mode {none | 802.1X | 802.1X-mac-based}
set framevid-apply {disable | enable}
set auth-fail-vlan {enable | disable}
set auth-fail-vlanid <vlanid>
set authserver-timeout-period <3-15>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
set eap-passthru {enable | disable}
set guest-auth-delay <integer>
set guest-vlan {enable | disable}
set guest-vlanid <vlanid>
set mac-auth-bypass {enable | disable}
set open-auth {enable | disable}
set radius-timeout-overwrite {enable | disable}
end
set security-groups <security-group-name>
end

Viewing the 802.1x details

Using the GUI:

Go to Switch >Monitor > 802.1x Status.

Using the CLI:

Use the following command to show diagnostics on one or all ports:

diagnose switch 802-1x status [<port>]

port3 : Mode: port-based (MAC by-pass disable)
Link: Link up
Port State: authorized
Dynamic Authorized Vlan: 10
Native vlan: 10
Allowed vlan list: 1-10
Untagged vlan list:
Guest vlan:
AuthFail vlan:

Sessions info:
STA=00:24:9b:1b:20:65 Type=802.1X EAP PEAP state=AUTHENTICATED

port7 : Mode: mac-based (mac-by-pass disable)


Link: Link up
Port State: authorized ( )
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1
Untagged Vlan list: 1
Guest VLAN :

Client MAC Type Vlan Dynamic-Vlan
0a:0a:0b:0b:0a:0a 802.1x 1 0
0a:0a:0b:0b:0a:09 802.1x 1 0
0a:0a:0b:0b:0a:08 802.1x 1 0
0a:0a:0b:0b:0a:07 802.1x 1 0
0a:0a:0b:0b:0a:06 802.1x 1 0
0a:0a:0b:0b:0a:05 802.1x 1 0
0a:0a:0b:0b:0a:04 802.1x 1 0
0a:0a:0b:0b:0a:03 802.1x 1 0
0a:0a:0b:0b:0a:02 802.1x 1 0
0a:0a:0b:0b:0a:01 802.1x 1 0

Sessions info:
0a:0a:0b:0b:0a:0a Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:09 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:08 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:07 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=2896
0a:0a:0b:0b:0a:06 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:05 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:04 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:03 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:02 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3 params:reAuth=3600
0a:0a:0b:0b:0a:01 Type=802.1x,MD5,state=AUTHENTICATED,etime=2,eap_cnt=3
params:reAuth=3600h=120

Clearing port authorizations

Using the GUI:

1. Go to Switch > Interface > Physical.


2. Select one or more ports that you want to clear the authorization from.
3. Select Clear Auth.

Using the CLI:

execute 802-1x clear interface <port>


Authenticating users with a RADIUS server

Using the GUI:

1. Define the RADIUS server:


a. Go to System > Authentication > RADIUS.
b. Select Add Server.

c. In the Name field, enter a name for the RADIUS server.


d. In the Primary Server Address field, enter the IP address for the RADIUS server.
e. In the Primary Server Secret field, enter a password to use as a RADIUS key.
f. Select Add.
2. Create a user group:
a. Go to System > User > Group.


b. Select Add Group.

c. In the Name field, enter a name for the user group.


d. Select Add Server.
e. Select the name of the RADIUS server that you configured in step 1.
f. Select Add Group.
3. Configure the port security:
a. Go to Switch > Interface > Physical.
b. Select a port and then select Edit.
c. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.


d. Select the user group that you configured in step 2.

e. Select OK.

Using the CLI:

1. Define an IPv4 or IPv6 RADIUS server:

config user radius
edit <name>
set addr-mode ipv4
set server <IPv4_address>
set source-ip <ipv4_address>
set radius-port <radius_port_num>
set secret <server_password>
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip <IPv4_address>
set all-usergroup {enable | disable}
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
end
end

config user radius
edit <name>
set addr-mode ipv6
set server <IPv6_address>
set source-ip6 <ipv6_address>
set radius-port <radius_port_num>
set secret <server_password>
set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
set nas-ip6 <IPv6_address>
set all-usergroup {enable | disable}
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
end
end

2. Create a user group:

config user group
edit <name>
set member <list>
config match
edit 1
set group-name <name>
set server-name <name>
end
end
end
end

3. Configure the switch interface for port-based or MAC-based 802.1x authentication:

config switch interface
edit <interface>
config port-security
set port-security-mode 802.1X
end
set security-groups <security-group-name>
end
end

config switch interface
edit <interface>
config port-security
set port-security-mode 802.1X-mac-based
end
set security-groups <security-group-name>
end
end

Example: RADIUS user group

Using the GUI:

1. Define the RADIUS server:


a. Go to System > Authentication > RADIUS.
b. Select Add Server.
c. In the Name field, enter FortiAuthenticator.
d. In the Primary Server Address field, enter 10.160.36.190.
e. In the Primary Server Secret field, enter 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ.


f. Select Add.
2. Create a user group:
a. Go to System > User > Group.
b. Select Add Group.
c. In the Name field, enter Radius_group.
d. Select Add Server.


e. Select FortiAuthenticator as the authentication server.

f. Select Add Group.


3. Configure the port security:
a. Go to Switch > Interface > Physical.
b. Select the port1 row and then select Edit.

c. In the Allowed VLANs field, enter 1.


d. Select 802.1X.


e. Select Radius_group.

f. Select OK.


Using the CLI:

1. Define the RADIUS server:

config user radius
edit "FortiAuthenticator"
set secret ENC 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ
set server "10.160.36.190"
set addr-mode ipv4
next
end

2. Create a user group:

config user group
edit "Radius_group"
set member "FortiAuthenticator"
end
end

3. Configure the port security:

config switch interface
edit "port1"
set allowed-vlans 1
config port-security
set port-security-mode 802.1X
end
set security-groups "Radius_group"
end
end

Example: dynamic VLAN

To assign VLAN dynamically for a port on which a user is authenticated, configure the RADIUS server attributes to
return the VLAN ID when the user is authenticated. Assuming that the port security mode is set to 802.1X, the
FortiSwitch unit will change the native VLAN of the port to the value returned by the server.
Ensure that the following attributes are configured on the RADIUS server:
- Tunnel-Private-Group-Id <integer or string> (the VLAN ID or VLAN name)
- Tunnel-Medium-Type IEEE-802 (6)
- Tunnel-Type VLAN (13)
NOTE: If the Tunnel-Private-Group-Id is set to the VLAN name, the same string must be specified in the set
description command under the config switch vlan command.


Authenticating an admin user with RADIUS

If you want to use a RADIUS server to authenticate administrators, you must configure the authentication before you
create the administrator accounts. Do the following:
1. Configure the FortiSwitch unit to access the RADIUS server.
2. Configure an administrator to authenticate with a RADIUS server and match the user secret to the RADIUS server
entry.
3. Create the RADIUS user group.

Using the GUI:

1. Create a RADIUS system admin group:


a. Go to System > Admin > Administrators.
b. Select Add Administrator.
c. In the Name field, enter RADIUS_Admins.
d. Select Remote.
e. For the user group, select Radius_group.
f. Select Wildcard.
g. For the admin profile, select super_admin.

h. Select Add.


2. Create a user:
a. Go to System > User > Definition.
b. Select Add User.
c. In the User Name field, enter RADIUS1.
d. Select Password from the Type field.
e. In the Password field and Confirm Password field, enter 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ.

f. Select Add.
3. Create a user group:
a. Go to System > User > Group.
b. Select Add Group.
c. In the Name field, enter RADIUS_Admins.


d. Select RADIUS1 in the Available Users box and select the right arrow to move it to the Members box.

e. Select Add Group.

Using the CLI:

1. Create a RADIUS system admin group:

config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile "super_admin"
set wildcard enable
set remote-group "RADIUS_Admins"
next
end


2. Create a user:

config user radius
edit "RADIUS1"
set secret ENC 6rF7O4/Zf3p2TutNyeSjPbQc73QrS21wNDmNXd/rg9k6nTR6yMhBRsJGpArhle6UOCb7b8InM3nrCeuVETr/a02LpILmIltBq5sUMCNqbR6zp2fS3r35Eyd3IIrzmve4Vusi52c1MrCqVhzzy2EfxkBrx5FhcRQWxStvnVt4+dzLYbHZ
set addr-mode ipv4
next
end

3. Create a user group:

config user group
edit "RADIUS_Admins"
set member "RADIUS1"
next
end

RADIUS accounting and FortiGate RADIUS single sign-on

NOTE: To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
You can use your FortiSwitch unit for RADIUS single sign-on (RSSO) in two modes:
- Standalone mode
- FortiLink mode (FortiSwitch unit managed by FortiGate unit)
The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiGate RADIUS single sign-on:
- START—The FortiSwitch unit has been successfully authenticated, and the session has started.
- STOP—The FortiSwitch session has ended.
- INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
- ON—The FortiSwitch unit will send this message when the switch is turned on.
- OFF—The FortiSwitch unit will send this message when the switch is shut down.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA now support EAP and MAB 802.1x
authentication.

Configuring the RADIUS accounting server and FortiGate RADIUS single sign-on

Use the following commands to set up RADIUS accounting and enable a FortiSwitch unit to receive CoA and disconnect
messages from the RADIUS server:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set secret <secret_key>
set server <domain_ipv4_ipv6>
set addr-mode {ipv4 | ipv6}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
config acct-server
edit <entry_ID>
set status {enable | disable}
set server <accounting_server>
set secret <secret_key>
set port <port_number>
next
end
next
end

Variable Description

<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the
messages use port 3799.

acct-interim-interval <seconds> Enter the number of seconds between each interim accounting
message sent to the RADIUS server. The value range is 60-86400.
The default is 600.

addr-mode {ipv4 | ipv6} Select whether to connect to the RADIUS server with IPv4 or IPv6.
The default is IPv4.

secret <secret_key> Enter the shared secret key for authentication with the
RADIUS server.

server <domain_ipv4_ipv6> Enter the domain name, IPv4 address, or IPv6 address for the
RADIUS server. There is no default.

source-ip <ipv4_addr> If the addr-mode was set to ipv4, enter the IPv4 address of the
server that will be sending accounting messages. The default is
0.0.0.0.

source-ip6 <ipv6_addr> If the addr-mode was set to ipv6, enter the IPv6 address of the
server that will be sending accounting messages. There is no default.

<entry_ID> Enter the entry identifier. The value range is 0-20.

status {enable | disable} Enable or disable RADIUS accounting. The default is disable.

server <accounting_server> Enter the domain name, IPv4 address, or IPv6 address of the RADIUS
server that will be receiving the accounting messages. There is no
default value.

secret <secret_key> Enter the shared secret key for the RADIUS accounting server.

port <port_number> Enter the port number for the RADIUS accounting server to receive
accounting messages from the FortiSwitch unit. The default is 1813.


Example: RADIUS accounting and single sign-on

Use the following commands to set up RADIUS accounting:

config user radius
edit "local-RADIUS"
set server 10.0.23.5
set addr-mode ipv4
set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS
set auth-type ms_chap_v2
set acct-interim-interval 1200
set source-ip 10.105.142.19
config acct-server
edit 1
set status enable
set server 10.0.23.5
set secret ENC LE8xetYYGiE0bkQpBDdH6acilwkYROCos7XK2q5cNPhu8sUDW9/fvkgE+fVURgZGEzTsndt41gb+K+zV9m+nXCnoUXqivzQdt1UNlMxgKXADnCpXuiY966aJsYigmW/AZ1IM5kweUxvuHK8eqJkkT0nl64c8DID/LMAcCTx6JMapRCBS
set port 1813
next
end
next
end

RADIUS change of authorization (CoA)

NOTE: For increased security, each subnet interface that will be receiving CoA requests must be configured with the
set allowaccess radius-acct command.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS messages:
- CoA messages to change session authorization attributes (such as data filters and the session-timeout setting) during an active session. To change the session timeout for an authenticated session, the CoA-Request message needs to use the IEEE session-timeout attribute.
- Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string


The format of the value is as follows:

Fortinet-Host-Port-AVPair action=bounce-port
    The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again.

Fortinet-Host-Port-AVPair action=disable-port
    The FortiSwitch unit disconnects all sessions on a port. The port goes down until the user resets it.

Fortinet-Host-Port-AVPair action=reauth-port
    The FortiSwitch unit forces the reauthentication of the current session.

In addition, RADIUS CoA uses the session-timeout attribute:

session-timeout <session_timeout_value>
    The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages:

Error Cause (Error Code)

Unsupported Attribute (401)
    This error is a fatal error, which is sent if a request contains an attribute that is not supported.

NAS Identification Mismatch (403)
    This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request.

Invalid Attribute Value (407)
    This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.

Session Context Not Found (503)
    This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.
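As an added example (not FortiSwitchOS code), the following Python models the decision a NAS makes between an ACK and a NAK for the CoA and disconnect messages described above: it checks the Fortinet-Host-Port-AVPair action values and the session-timeout rule from the tables and returns the matching Error-Cause code (401, 403, 407 or 503). The request and session dictionaries stand in for decoded RADIUS packets and are constructed; the NAS identifier "sw1" and the function and field names are this example's own.

```python
"""Added example: ACK/NAK logic for RADIUS CoA-Request and Disconnect-Request
handling with the Error-Cause codes the FortiSwitch guide lists.
Constructed data; not FortiSwitchOS code."""

UNSUPPORTED_ATTRIBUTE = 401
NAS_IDENTIFICATION_MISMATCH = 403
INVALID_ATTRIBUTE_VALUE = 407
SESSION_CONTEXT_NOT_FOUND = 503

# Values of Fortinet-Host-Port-AVPair the page documents.
VALID_ACTIONS = {"bounce-port", "disable-port", "reauth-port"}
# Attributes this model understands; anything else triggers 401.
SUPPORTED = {"NAS-Identifier", "Calling-Station-Id",
             "Fortinet-Host-Port-AVPair", "Session-Timeout"}


def handle_coa(request: dict, nas_identifier: str, sessions: dict) -> dict:
    """Return {"reply": "CoA-ACK"} or {"reply": "CoA-NAK", "error_cause": code}.

    request  -- decoded attributes, keyed by attribute name
    sessions -- active sessions keyed by client MAC (Calling-Station-Id)
    """
    # 401: an attribute we do not understand is fatal.
    if set(request) - SUPPORTED:
        return {"reply": "CoA-NAK", "error_cause": UNSUPPORTED_ATTRIBUTE}
    # 403: NAS-Identifier names some other NAS.
    if request.get("NAS-Identifier", nas_identifier) != nas_identifier:
        return {"reply": "CoA-NAK", "error_cause": NAS_IDENTIFICATION_MISMATCH}
    # 407: attribute present but with a value we cannot apply.
    action = request.get("Fortinet-Host-Port-AVPair")
    if action is not None:
        if not action.startswith("action=") or action[len("action="):] not in VALID_ACTIONS:
            return {"reply": "CoA-NAK", "error_cause": INVALID_ATTRIBUTE_VALUE}
    timeout = request.get("Session-Timeout")
    if timeout is not None and (not isinstance(timeout, int) or timeout <= 60):
        # The page requires the session-timeout value to exceed 60 seconds.
        return {"reply": "CoA-NAK", "error_cause": INVALID_ATTRIBUTE_VALUE}
    # 503: the session the request identifies does not exist here.
    mac = request.get("Calling-Station-Id")
    if mac not in sessions:
        return {"reply": "CoA-NAK", "error_cause": SESSION_CONTEXT_NOT_FOUND}
    # Apply the change to the session record.
    if timeout is not None:
        sessions[mac]["reauth"] = timeout
    if action is not None:
        sessions[mac]["port_action"] = action[len("action="):]
    return {"reply": "CoA-ACK"}


def handle_disconnect(request: dict, nas_identifier: str, sessions: dict) -> dict:
    """Disconnect-Request: flush only the identified session. On a MAC-based
    port the other sessions stay untouched and the port stays up, as the page
    states; here that is simply not removing any other table entry."""
    if request.get("NAS-Identifier", nas_identifier) != nas_identifier:
        return {"reply": "Disconnect-NAK", "error_cause": NAS_IDENTIFICATION_MISMATCH}
    mac = request.get("Calling-Station-Id")
    if mac not in sessions:
        return {"reply": "Disconnect-NAK", "error_cause": SESSION_CONTEXT_NOT_FOUND}
    del sessions[mac]
    return {"reply": "Disconnect-ACK"}


def demo_sessions() -> dict:
    """Constructed session table; MACs borrowed from the diagnose output above."""
    return {
        "0a:0a:0b:0b:0a:0a": {"port": "port7", "reauth": 3600},
        "0a:0a:0b:0b:0a:09": {"port": "port7", "reauth": 3600},
    }


if __name__ == "__main__":
    table = demo_sessions()
    print(handle_coa({"Calling-Station-Id": "0a:0a:0b:0b:0a:0a",
                      "Session-Timeout": 1800}, "sw1", table))
    print(handle_coa({"Calling-Station-Id": "0a:0a:0b:0b:0a:0a",
                      "Session-Timeout": 60}, "sw1", table))
    print(handle_disconnect({"Calling-Station-Id": "0a:0a:0b:0b:0a:09"}, "sw1", table))
    print(sorted(table))
```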

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
config system interface
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
config user radius
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_ipv4_ipv6>
set addr-mode {ipv4 | ipv6}
end

Variable Description

config system interface

ip <address> <netmask>
    Enter the interface IP address and netmask.

allowaccess <access_types>
    Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.

config user radius

<RADIUS_server_name>
    Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

radius-coa {enable | disable}
    Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable.

radius-port <port_number>
    Enter the RADIUS port number. By default, the value is 1812.

secret <secret_key>
    Enter the shared secret key for authentication with the RADIUS server.

server <server_name_ipv4_ipv6>
    Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default.

addr-mode {ipv4 | ipv6}
    Select whether to connect to the RADIUS server with IPv4 or IPv6.

Example: RADIUS CoA

The following example enables the FortiSwitch unit to receive CoA and disconnect messages from the specified
RADIUS server:
config system interface
edit "mgmt"
set ip 10.105.4.14 255.255.255.0
set allowaccess ping https http ssh snmp telnet radius-acct
set type physical
next
config user radius
edit "Radius-188-200"
set radius-coa enable
set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj
set server "10.105.188.200"
set addr-mode ipv4
next
end
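The exchange that the configuration above enables, as an added example that is not FortiSwitchOS or Fortinet code: a Python model of a RADIUS Disconnect-Request arriving from the RADIUS server on port 3799 and the switch's reply, showing the shared-secret authenticator check that gates the request and the Error-Cause values 407 and 503 from the error table above. The shared secret, session table, user names and the helper names (build_request, handle_disconnect and so on) are constructed for this example; attribute and code numbers are those of RFC 2865 and RFC 5176.

```python
"""RADIUS Dynamic Authorization (RFC 5176) disconnect exchange.

Added example, not FortiSwitchOS code. The RADIUS server sends a Disconnect-Request
to the switch management interface (UDP 3799); the switch verifies the Request
Authenticator with the shared secret, then answers Disconnect-ACK or Disconnect-NAK
with an Error-Cause. Secret, session table and names are constructed sample data."""
import hashlib
import hmac
import re
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST = 43

ATTR_USER_NAME = 1            # RFC 2865
ATTR_CALLING_STATION_ID = 31  # RFC 2865
ATTR_ERROR_CAUSE = 101        # RFC 5176, 4-byte integer value

# Error-Cause values from the FortiSwitch error table above.
ERR_INVALID_ATTRIBUTE_VALUE = 407
ERR_SESSION_CONTEXT_NOT_FOUND = 503

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.I)


def encode_attrs(attrs):
    """Pack (type, value bytes) pairs as RADIUS TLVs; length includes the 2-byte header."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)

def decode_attrs(payload):
    """Inverse of encode_attrs; rejects truncated or oversized TLVs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", payload, pos)
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_request(code, ident, attrs, secret):
    """Server side. Request Authenticator = MD5(header | 16 zero bytes | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(header | Request Authenticator | attrs | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_request(packet, secret):
    """Switch side: accept only CoA/Disconnect-Requests whose authenticator matches."""
    if len(packet) < 20:
        return False, []
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet) or code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, []
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, []
    return True, decode_attrs(packet[20:])

def handle_disconnect(packet, secret, sessions):
    """Model of the switch. sessions maps (user-name, mac) -> port and loses matched
    entries. Returns reply bytes, or None when the request is silently discarded."""
    ok, attrs = verify_request(packet, secret)
    if not ok or packet[0] != DISCONNECT_REQUEST:
        return None  # bad secret, tampered packet or wrong code: RFC 5176 says drop
    found = dict(attrs)
    user = found.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    mac = found.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace")
    def nak(cause):
        return build_response(DISCONNECT_NAK, packet,
                              [(ATTR_ERROR_CAUSE, struct.pack("!I", cause))], secret)
    if mac and not MAC_RE.match(mac):
        return nak(ERR_INVALID_ATTRIBUTE_VALUE)    # 407: attribute with unsupported value
    hits = [k for k in sessions
            if k[0] == user and (not mac or k[1].lower() == mac.lower())]
    if not hits:
        return nak(ERR_SESSION_CONTEXT_NOT_FOUND)  # 503: no such session on this NAS
    for k in hits:
        del sessions[k]
    return build_response(DISCONNECT_ACK, packet, [], secret)

def reply_summary(reply):
    """Return (code, Error-Cause value or None) for a reply built above."""
    causes = [struct.unpack("!I", v)[0] for t, v in decode_attrs(reply[20:])
              if t == ATTR_ERROR_CAUSE]
    return reply[0], (causes[0] if causes else None)
```

A request built with a different secret, or altered in transit, fails the authenticator check and gets no reply at all, which is the behaviour to expect when the secret on the RADIUS server and in config user radius do not match.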

Viewing the CoA configuration

Use the following command to check the CoA settings:

S524DF4K15000024 # diagnose user radius coa

90075.874 DAS: :radius_das_diag_handler:

RADIUS DAS Server List:
radius2:
Type: RADIUS_8021X, IP: 10.105.252.79,
Last CoA/DM Client IP Addr : 10.105.252.79
Disc Reqs : 2
Disc ACKs : 1
Disc NAKs : 1
CoA Reqs : 0
CoA ACKs : 0
CoA NAKs : 0
radius3:
Type: RADIUS_8021X, IP: 10.105.252.76,
Last CoA/DM Client IP Addr :
Disc Reqs : 0
Disc ACKs : 0
Disc NAKs : 0
CoA Reqs : 0
CoA ACKs : 0
CoA NAKs : 0

Use cases

Here are three use cases for 802.1x authentication.

Use case 1

In this use case, a Cisco phone uses MAB and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone
uses 802.1x authentication with or without dynamic VLAN assignment.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
set status enable
set vlan 104
next
set med-tlvs inventory-management network-policy
next
end

config switch physical-port
edit "port1"
set lldp-profile "lldp-cisco-104"
next
end

config switch interface
edit "port1"
set native-vlan 20
set security-groups "CISEGRP"
set snmp-index 1
config port-security
set mac-auth-bypass enable // Required. You need to enable MAB.
set port-security-mode 802.1X-mac-based // Required
end
next
end

Use case 2

In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. A PC
behind the Cisco phone uses 802.1x authentication without dynamic VLAN assignment.
RADIUS dynamic VLAN assignment for the voice VLAN must match the voice VLAN configured in the LLDP-MED profile
for Cisco phone 802.1x authentication.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
set status enable
set vlan 104
next
set med-tlvs inventory-management network-policy
next
end

config switch physical-port
edit "port1"
set lldp-profile "lldp-cisco-104"
next
end

config switch interface
edit "port1"
set native-vlan 20
set security-groups "CISEGRP"
set snmp-index 1
config port-security
set mac-auth-bypass disable // Optional
set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress
set port-security-mode 802.1X-mac-based // Required
end
next
end

Use case 3

In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. The PC
behind the Cisco phone uses 802.1x authentication with dynamic VLAN assignment.
RADIUS dynamic VLAN assignment for the voice VLAN has to match the voice VLAN configured in the LLDP-MED
profile for Cisco phone 802.1x authentication.
The VLAN ID from the RADIUS dynamic VLAN assignment for the PC has to be added in the untagged VLAN list on the
port.
The following is an example configuration:
config switch lldp profile
edit "lldp-cisco-104"
set 802.1-tlvs port-vlan-id
set 802.3-tlvs power-negotiation
config med-network-policy
edit "voice"
set assign-vlan enable
set status enable
set vlan 104
next
set med-tlvs inventory-management network-policy
next
end

config switch physical-port
edit "port1"
set lldp-profile "lldp-cisco-104"
next
end

config switch interface
edit "port1"
set native-vlan 20
set allowed-vlans 50 60 70 // Assume that VLANs 50, 60, and 70 are a part of the dynamic VLANs configured on RADIUS for PCs in different groups.
set untagged-vlans 50 60 70
set security-groups "CISEGRP"
set snmp-index 1
config port-security
set mac-auth-bypass disable // Optional
set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress
set port-security-mode 802.1X-mac-based // Required
end
next
end

Detailed deployment notes

l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
l RADIUS CoA is supported in standalone mode and in non-NAT FortiLink mode.
l The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS),
Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
l Each RADIUS CoA server can support only one accounting manager in this release.
l RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
l Fortinet recommends a unique secret key for each accounting server.
l For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
l To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the
802.1x-authenticated ports of your VLAN network for both port and MAC modes.
l Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
l By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
l The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
l In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
l Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
l Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
l For information about RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix.
l The authentication and accounting server configuration must be in the same address mode within the same
member. The address mode is either IPv4 or IPv6, no matter what the address mode is in the FQDN or raw IP
address. The address mode cannot be mixed.
l When a client is authorized with the RADIUS timeout VLAN enabled, the client is placed in the authorization VLAN. If the RADIUS server becomes unavailable afterward and the reauthentication timer expires for the session, the device keeps the client in the authorization VLAN but the state changes from AUTHENTICATED to SERVER_TIMEOUT.
l In general for 802.1x deployment, Fortinet suggests disabling STP in the 802.1x security ports. If STP is enabled
on the ports, the ports must be assigned to STP instances that belong to a dynamic VLAN, guest VLAN, or auth-fail
VLAN; otherwise, the network connectivity fails after the ports are authorized and assigned to a dynamic VLAN,
guest VLAN, or auth-fail VLAN.

TACACS

This chapter contains information on using Terminal Access Controller Access-Control System (TACACS+)
authentication with your FortiSwitch unit.
This chapter covers the following topics:
l Administrative accounts on page 319
l User accounts on page 320
l Example configuration on page 320

Administrative accounts

Administrative, or admin, accounts allow access to various aspects of the FortiSwitch configuration. The level of access
is determined by the admin profile that is assigned to the admin account.
See Configuring administrator tasks on page 35 for the steps to create an admin profile.

Configuring a TACACS admin account

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other network computing devices using one or more centralized servers. If you have configured TACACS+ support and
an administrator is required to authenticate using a TACACS+ server, the FortiSwitch unit contacts the TACACS+ server
for authentication.

Using the GUI:

1. Go to System > Admin > Administrators and select Add Administrator.
2. Give the administrator account an appropriate name.
3. Select Remote for the administrator type.
4. Select a user group for remote users.
5. Enable Wildcard.
6. Select an administrator profile.
7. Select Add.

Using the CLI:

config system admin
edit tacuser
set remote-auth enable
set wildcard enable
set remote-group <group>
set accprofile <profile>
end
end

User accounts

User accounts identify a network user and determine what parts of the network the user is allowed to access.

Configuring a user account

config user tacacs+
edit <tacserver>
set authen-type {ascii | auto | chap | ms_chap | pap}
set authorization enable
set key <authorization_key>
set server <server>
end
end

Configuring a user group

config user group
edit <tacgroup>
set member <tacserver>
config match
edit 1
set server-name <server>
set group-name <group>
end
end
end
end

Example configuration

The following is an example configuration of a TACACS+ user account, with the CLI syntax shown to create it:
1. Configuring a TACACS user account for login authentication:

config user tacacs+
edit tacserver
set authen-type ascii
set authorization enable
set key temporary
set server tacacs_server
end

2. Configuring a TACACS+ user group:

config user group
edit tacgroup
set member tacserver
config match
edit 1
set server-name tacserver
set group-name tacgroup
end
end
end
end

3. Configuring a TACACS+ system admin user account:

config system admin
edit tacuser
set remote-auth enable
set wildcard enable
set remote-group tacgroup
set accprofile noaccess
end
end

Troubleshooting and support

The FortiSwitch unit provides various features for troubleshooting and support.
This chapter covers the following topics:
l Dashboard on page 322
l Virtual wire on page 325
l TFTP network port on page 326
l Cable diagnostics on page 327
l Selective packet sampling on page 328
l Packet capture on page 328
l Network monitoring on page 332
l Flow tracking and export on page 335
l Identifying a specific FortiSwitch unit on page 337

Dashboard

The dashboard displays your FortiSwitch management mode and shows the current values for the following:
l CPU
l RAM
l Temperature for FortiSwitch models that have temperature sensors
l PoE (on FortiSwitch PoE models)
l Bandwidth
l Losses

Operation mode

The Operation Mode field shows whether the FortiSwitch unit is managed by a FortiGate unit.
When the FortiSwitch unit is in FortiLink mode, a message is displayed above the dashboard, and the Operation Mode
is “Remote Management.”

When the FortiSwitch unit is in standalone mode, the Operation Mode is “Local Management.”

Select Remote Management or Local Management to go to the Config > Management Mode page, where you can
switch between FortiLink mode and standalone mode.

FortiSwitch Cloud

The FortiSwitchCloud field shows whether the FortiSwitch unit is managed by FortiSwitch Cloud. A FortiSwitch unit
must be in standalone mode to be managed by FortiSwitch Cloud. For more details about using FortiSwitch Cloud, refer
to the FortiSwitch Cloud Administration Guide.

Select Connected to go to the System > FortiSwitchCloud page.

Select Enable and then select Advanced Settings to configure your FortiSwitch unit to be managed by FortiSwitch
Cloud.

To switch to FortiSwitch Cloud management:

1. On the FortiSwitchCloud page, select Enable and then select Advanced Settings.
2. By default, the Name field is set to fortiswitch-dispatch.forticloud.com, the domain name for
FortiSwitch Cloud. No change is needed.
3. By default, the Port field is set to 443, the port number used to connect to FortiSwitch Cloud. No change is needed.
4. In the Interval (Seconds) field, enter the time in seconds allowed for domain name system (DNS) resolution. The
default is 15 seconds. The range of values is 3-300 seconds.
5. Select Update to save your changes.

Bandwidth

The Bandwidth graphs show the inbound and outbound bandwidth for the entire FortiSwitch unit over a day and over a
week. The Average Per Interface bar chart shows the average bandwidth (inbound bandwidth plus outbound bandwidth)
for each interface over a day and over a week; only the interfaces with the highest bandwidth are displayed.

Losses

The Losses graphs show the inbound errors, outbound errors, inbound drops, and outbound drops for the entire
FortiSwitch unit over a day and over a week.

Virtual wire

Some testing scenarios might require two ports to be wired 'back-to-back'. Instead of using a physical cable, you can
configure a virtual wire between two ports. The virtual wire forwards traffic from one port to the other port with minimal
filtering or modification of the packets.
Notes:
l ACL mirroring is not supported.
l You can select ports that are already ingress and egress mirror sources.

Using the GUI:

1. Go to Switch > Virtual Wires.
2. Select Add Virtual Wire to create a new virtual wire.
3. Enter a name and select the ports for first member and second member.
4. Select Add to save the changes.

Using the CLI:

Use the following commands to configure a virtual wire:

config switch virtual-wire
edit <virtual-wire-name>
set first-member <port-name>
set second-member <port-name>
set vlan <vlan-id>
next
end

Virtual wire ports set a special Tag Protocol Identifier (TPID) in the VLAN header. The default value is 0xdee5, a value
that real network traffic never uses.
Use the following commands to configure a value for the TPID:
config switch global
set virtual-wire-tpid <hex value from 0x0001 to 0xFFFE>
end

Use the following command to display the virtual wire configuration:

diagnose switch physical-ports virtual-wire list

port1(1) to port2(2) TPID: 0xdee5 VLAN: 4011
port3(3) to port4(4) TPID: 0xdee5 VLAN: 4011
port5(5) to port25(25) TPID: 0xdee5 VLAN: 4011
port7(7) to port8(8) TPID: 0xdee5 VLAN: 4011

NOTE:
l Ports have ingress and egress VLAN filtering disabled. All traffic (including VLAN headers) is passed unchanged to
the peer. All egress traffic is untagged.
l Ports have L2 learning disabled.
l Ports have their egress limited to their peer and do not allow egress from any other ports.
l The system uses TCAM to force forwarding from a port to its peer.
l The TCAM prevents any copy-to-cpu or packet drops.

TFTP network port

When you power on the FortiSwitch unit, the BIOS performs basic device initialization. When this activity is complete,
and before the OS starts to boot, you can click any key to bring up the boot menu.
From the menu, click the "I" key to configure TFTP settings. With newer versions of the BIOS, you can specify the
network port (where you have connected your network cable). If you are not prompted to specify the network port, you
must connect your network cable to the default network port:

l If the switch model has a WAN port, the WAN port is the network port.
l If the switch has no WAN port, the highest port number is the network port.

Cable diagnostics

NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l Crosstalk cannot be detected.
l There is a 5-second delay before results are displayed.
l The value for the cable length is inaccurate.
l The results are inaccurate for open and short cables.
You can check the state of cables connected to a specific port. The following pair states are supported:
l Open
l Short
l Ok
l Open_Short
l Unknown
l Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
For supported models, see Supported models on page 14.

Using the GUI:

1. Go to Switch > Port > Physical.
2. Select Cable Diagnostic for the appropriate port.
3. Select Continue to start the cable diagnostics.
NOTE: Running cable diagnostics on a port that has the link up will interrupt the traffic for several seconds.
4. Select Back to Physical Ports to close the Cable Diagnostics window.

Using the CLI:

Use the following command to run a time domain reflectometry (TDR) diagnostic test on cables connected to a specific
port:
diagnose switch physical-ports cable-diag <physical port name>

NOTE: Running cable diagnostics on a port that has the link up will interrupt the traffic for several seconds.
For example:
# diagnose switch physical-ports cable-diag port1

port1: cable (4 pairs, length +/- 10 meters)
pair A Open, length 0 meters
pair B Open, length 0 meters
pair C Open, length 0 meters
pair D Open, length 0 meters

Use the following command to check the medium dependent interface crossover (MDI-X) interface status for a specific
port:
diagnose switch physical-ports mdix-status <physical port name>

For example:
# diagnose switch physical-ports mdix-status port1

port1: MDIX(Crossover)

Selective packet sampling

NOTE: This feature is not supported on FS-3032.

During debugging, you might want to see whether a particular type of packet was received on an interface on the switch.
1. Set up an access control list (ACL) on the switch with the interface that you want to monitor. See Access control
lists on page 153. This ACL is the ingress interface.
2. Set up a mirror for the “internal” interface.
For example, if you want to monitor interface port17 for any IP packet (ether-type 0x800) with a destination subnet of
10.10.10/24 and a source subnet of 20.20.20/24, use the following commands.
# show switch acl ingress
config switch acl ingress
edit 1
config action
set mirror "internal"
end
config classifier
set dst-ip-prefix 10.10.10.0 255.255.255.0
set ether-type 0x0800
set src-ip-prefix 20.20.20.0 255.255.255.0
end
set ingress-interface "port17"
set status active
next
end

To examine the packets that have been sampled in the example, use the following command:
# diagnose sniffer packet sp17 none 6

Packet capture

When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets,
route, and destination are all what you expect. Packet capture is also called a network tap, packet sniffing, or logic
analyzing.

To capture packets:

1. Create a packet-capture profile.
2. Start the packet capture.
3. Pause or stop the packet capture.
4. Display or upload the packet capture.
5. Delete the packet-capture file.
The maximum number of packet-capture profiles and the RAM disk size allotted for packet captures are different for the
various platforms:

Platform   Maximum number of profiles   RAM disk size in MB

1xx        8                            20
2xx        8                            50
4xx        16                           75
5xx        16                           100
1xxx       16                           100
3xxx       16                           100

Create a packet-capture profile

To specify which packets to capture, define a filter and select a switch or system interface on which to capture the
packets. You cannot select both a switch interface and a system interface.
The filter uses flexible logic. For example, if you want packets using UDP port 1812 between hosts named forti1 and
either forti2 or forti3:
'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

You can specify the number of packets to capture and the maximum packet length to be captured. The maximum
number of packets that can be captured depends on the RAM disk size.

Using the GUI:

1. Go to System > Packet Capture.
2. Select Add Packet Capture.
3. Enter a name for the packet-capture profile.
4. Select the switch or system interface that you want to capture packets on.
5. Enter how many packets to capture on the selected interface.
6. Enter the maximum packet length in bytes to capture on the interface.
7. If you want to use a filter to select which packets to capture, select the Filter checkbox.
a. If you want to filter by hosts, enter the IP addresses, separated with commas.
b. If you want to filter by ports, enter port numbers or ranges, separated with commas.
c. If you want to filter by VLANs, enter VLAN numbers, separated with commas.
d. If you want to filter by protocols, enter the numbers, separated with commas.

8. Select Add.

Using the CLI:

config system sniffer-profile
edit <profile_name>
set filter {<string> | none}
set max-pkt-count <1-maximum>
set max-pkt-len <64-1534>
set switch-interface <switch_interface_name>
set system-interface <system_interface_name>
end

For example:
config system sniffer-profile
edit profile1
set filter none
set max-pkt-count 100
set max-pkt-len 100
set system-interface mgmt
end

Start the packet capture

After you create a packet-capture profile, you can start the packet capture.

Using the GUI:

1. Go to System > Packet Capture.
2. Select .

Using the CLI:

execute system sniffer-profile start <profile-name>

For example:
execute system sniffer-profile start profile1

Pause or stop the packet capture

A packet capture continues to run until the max-pkt-count value is reached, or the packet capture is paused or stopped.
You can restart a paused packet capture.

Using the GUI:

Go to System > Packet Capture.

l To pause a running packet capture, select .
l To resume a paused packet capture, select .

Using the CLI:

To pause a running packet capture:
execute system sniffer-profile pause <profile_name>

To restart a paused packet capture:
execute system sniffer-profile start <profile-name>

To stop a running packet capture:
execute system sniffer-profile stop <profile-name>

Display or upload the packet capture

You can display parsed information from the packet capture or upload the .pcap file to a TFTP or FTP server for further
analysis.

Using the GUI:

1. Go to System > Packet Capture.

2. Select .
The .pcap file is saved in your Downloads folder.

Using the CLI:

To display the packet capture from a specific packet-capture profile:
get system sniffer-profile capture <profile_name>

To upload the .pcap file for a specific packet-capture profile to an FTP server:
execute system sniffer-profile upload ftp <profile_name> <packet_capture_file_name.pcap> <FTP_server_IP_address:<optional_port>>

To upload the .pcap file for a specific packet-capture profile to a TFTP server:
execute system sniffer-profile upload tftp <profile_name> <packet_capture_file_name.pcap> <TFTP_server_IP_address:<optional_port>>

Delete the packet-capture file

After you have examined the packet capture, you can manually delete the .pcap file. You can only delete the .pcap
after the packet capture is stopped. You cannot delete the .pcap file if the packet capture is paused or running. All
.pcap files are deleted when you power cycle the switch.

Using the GUI:

1. Go to System > Packet Capture.

2. Select .
To delete all packet-capture files, select Select All and then select Delete.

Using the CLI:

execute system sniffer-profile delete-capture <profile_name>

For example:
execute system sniffer-profile delete-capture profile1

Network monitoring

You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a
FortiSwitch unit in survey mode, or do both. The FortiSwitch unit gives the directed mode a higher priority than survey
mode. The directed mode and survey mode are disabled by default.
NOTE: Network monitoring is not available on FSR-112D-POE.

Directed mode

In directed mode, you select which unicast MAC addresses that you want examined. The FortiSwitch unit detects
various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of
two databases.
NOTE: You cannot specify broadcast or multicast MAC addresses.
The maximum number of MAC addresses that can be monitored depends on the FortiSwitch model.

Platform Series   Maximum Number of MAC Addresses Monitored   Maximum Number of Hosts

1xx, 2xx          10                                          250
4xx, 5xx          20                                          1,024
10xx, 30xx        30                                          4,096

To find out how many network monitors are available, use the following command:
diagnose switch network-monitor cfg-stats

Network Monitor Configuration Statistics:
----------------------------------
Adds         : 0
Deletes      : 0
Free Entries : 20

To find out which network monitors are being used currently, use the following command:
diagnose switch network-monitor dump-monitors

Entry ID Monitor Type Monitor MAC Packet-count
=================================================================
1 directed-mode 00:01:02:03:04:05 10
2 directed-mode 10:01:02:03:04:05 0
3 survey-mode 08:5b:0e:c1:07:65 419
4 survey-mode 08:5b:0e:4f:af:38 101
5 survey-mode 08:5b:0e:ce:59:40 2347
6 survey-mode 08:5b:0e:4f:af:44 0
7 survey-mode 08:5b:0e:c1:07:65 0
8 survey-mode 08:5b:0e:4f:af:38 80
9 survey-mode 08:5b:0e:ce:59:40 117
10 survey-mode 08:5b:0e:4f:af:44 0

To start network monitoring, use the following commands:
config switch network-monitor settings
set status enable
end

To specify a single unicast MAC address (formatted like this: xx:xx:xx:xx:xx:xx) to be monitored, use the
following commands:
config switch network-monitor directed
edit <unused network monitor>
set monitor-mac <MAC address>
next
end

For example:
config switch network-monitor directed
edit 1
set monitor-mac 00:25:00:61:64:6d
next
end

Survey mode

In survey mode, the FortiSwitch unit detects MAC addresses to monitor for a specified number of seconds. You can
specify network monitoring for 120 to 3,600 seconds. The default time is 120 seconds. The FortiSwitch unit detects
various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of
two databases.
To start network monitoring in survey mode, use the following commands:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval <120-3600 seconds>
end

For example:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval 480
end

Network monitoring statistics

After you have enabled network monitoring, you can view the statistics for the number and types of packets.
To see the type of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor parser-stats

Network Monitor Parser Statistics:
----------------------------------
Arp         : 0
Ip          : 1
Udp         : 46
Tcp         : 353
Dhcp        : 0
Eapol       : 0
Unsupported : 352

To see the number of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor dump-monitors

Entry ID Monitor Type Monitor MAC Packet-count
=================================================================
1 directed-mode 00:01:02:03:04:05 10
2 directed-mode 10:01:02:03:04:05 0
3 survey-mode 08:5b:0e:c1:07:65 419
4 survey-mode 08:5b:0e:4f:af:38 101
5 survey-mode 08:5b:0e:ce:59:40 2347
6 survey-mode 08:5b:0e:4f:af:44 0
7 survey-mode 08:5b:0e:c1:07:65 0
8 survey-mode 08:5b:0e:4f:af:38 80
9 survey-mode 08:5b:0e:ce:59:40 117
10 survey-mode 08:5b:0e:4f:af:44 0

NOTE: The FortiSwitch unit creates an entry in the layer-3 database using the exact packet contents when they were
parsed. If the MAC address is then assigned to a different VLAN, this change might not be detected immediately. If
there is a discrepancy in the output for the diagnose switch network-monitor dump-l2-db and diagnose
switch network-monitor dump-l3-db commands, use the output with the more recent time stamp.
To see all detected devices from the layer-2 database, use the following command:
diagnose switch network-monitor dump-l2-db

mac 00:01:02:03:04:05 vlan 1
created 19 secs ago, last seen 16 secs ago
user JoE sources: eapol

To see all detected devices from the IP address database, use the following command:
diagnose switch network-monitor dump-l3-db

mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094
created 63614 secs ago, last seen 2 secs ago
sources: arp ip
mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123
created 75 secs ago, last seen 45 secs ago
sources: arp ip
mac 00:11:22:33:44:55 ip 30.30.30.115 vlan 1
created 53 secs ago, last seen 53 secs ago
sources: dhcp arp ip
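Added example, not FortiSwitchOS code: a parser for the dump-l2-db and dump-l3-db output formats shown above that applies the rule in the note when the two databases disagree about a MAC address's VLAN, keeping the record with the more recent "last seen" time and filling in the user name and IP address from the other record. The sample dumps, the Entry record and the parse_dump and reconcile helpers are constructed for this example.

```python
"""Reconcile the network-monitor layer-2 and layer-3 databases.

Added example, not FortiSwitchOS code. Parses the text printed by
`diagnose switch network-monitor dump-l2-db` and `dump-l3-db` (format shown
above) and, when the two databases disagree about a MAC address's VLAN, keeps
the record with the more recent "last seen" time, as the note above advises.
SAMPLE_L2 and SAMPLE_L3 are constructed from the documented format."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_RE = re.compile(
    r"^mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: ip (?P<ip>\S+))? vlan (?P<vlan>\d+)$", re.I)
AGE_RE = re.compile(r"^created (?P<created>\d+) secs ago, last seen (?P<seen>\d+) secs ago$")
SOURCES_RE = re.compile(r"^(?:user (?P<user>\S+) )?sources: (?P<sources>.*)$")

# Constructed sample output; the second MAC appears in both databases with different VLANs.
SAMPLE_L2 = """
mac 00:01:02:03:04:05 vlan 1
created 19 secs ago, last seen 16 secs ago
user JoE sources: eapol
mac 00:10:20:30:40:50 vlan 100
created 900 secs ago, last seen 600 secs ago
user bob sources: eapol
"""

SAMPLE_L3 = """
mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094
created 63614 secs ago, last seen 2 secs ago
sources: arp ip
mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123
created 75 secs ago, last seen 45 secs ago
sources: arp ip
"""


@dataclass
class Entry:
    mac: str
    vlan: int
    last_seen: int          # seconds ago; smaller means fresher
    db: str                 # "l2" or "l3": which dump the VLAN came from
    ip: Optional[str] = None
    user: Optional[str] = None
    sources: Tuple[str, ...] = ()


def parse_dump(text, db):
    """Parse one dump into Entry records. Each record is exactly three lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError(f"{db}: expected 3 lines per record, got {len(lines)} lines")
    entries = []
    for i in range(0, len(lines), 3):
        h = HEADER_RE.match(lines[i])
        a = AGE_RE.match(lines[i + 1])
        s = SOURCES_RE.match(lines[i + 2])
        if not (h and a and s):
            raise ValueError(f"{db}: malformed record at line {i + 1}: {lines[i:i + 3]}")
        entries.append(Entry(mac=h["mac"].lower(), vlan=int(h["vlan"]),
                             last_seen=int(a["seen"]), db=db, ip=h["ip"], user=s["user"],
                             sources=tuple(s["sources"].split())))
    return entries


def reconcile(l2_text, l3_text):
    """Merge both dumps per MAC. Returns ({mac: Entry}, [(mac, db, vlan, db, vlan), ...]).

    The fresher record decides the VLAN; ip/user missing from it are taken from the other."""
    merged, conflicts = {}, []
    for e in parse_dump(l2_text, "l2") + parse_dump(l3_text, "l3"):
        cur = merged.get(e.mac)
        if cur is None:
            merged[e.mac] = e
            continue
        if cur.vlan != e.vlan:
            conflicts.append((e.mac, cur.db, cur.vlan, e.db, e.vlan))
        if e.last_seen < cur.last_seen:
            cur, e = e, cur          # cur is now the more recently seen record
        cur.ip = cur.ip or e.ip
        cur.user = cur.user or e.user
        cur.sources = tuple(sorted(set(cur.sources) | set(e.sources)))
        merged[cur.mac] = cur
    return merged, conflicts
```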

Flow tracking and export

NOTE:
l Flow export is supported on FortiSwitch models 2xx and higher.
l Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
l For 2xxE models and higher, flow export uses pseudorandom sampling (approximately 1 of x packets).
You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow
Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
To use flow export, you need to enable packet sampling and then configure the flow export.

Enabling packet sampling

To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end

Configuring flow export

Using the GUI:

1. Go to System > Flow Export > Configure.
2. Configure the collector.
a. Required. In the IP Address field, enter the IP address for the collector. When the value is “0.0.0.0” or blank,
the feature is disabled.
b. In the Port field, enter the port number for the collector. The default port for NetFlow is 2055; the default port
for IPFIX is 4739.
c. In the Transport field, select SCTP, TCP, or UDP for the transport of exported packets.
3. Configure the flow export options.
a. In the Format drop-down list, select the format of the exported flow data as NetFlow version 1, NetFlow
version 5, NetFlow version 9, or IPFIX sampling.
NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived
from the lowest port number where sampling is enabled. Fortinet recommends that administrators using
NetFlow version 5 set the sample rate consistently across all ports.
b. In the Identity field, enter a unique number to identify which FortiSwitch unit the data originates from. If the
identity is not specified, the “Burn in MAC” value is used instead (from the get system status command
output).
c. In the Level field, select the flow-tracking level from one of the following:
—When you select IP, the FortiSwitch unit collects the source IP address and destination IP address from the
sample packet.
—When you select MAC , the FortiSwitch unit collects the source MAC address and destination MAC address
from the sample packet.
—When you select Port, the FortiSwitch unit collects the source IP address, destination IP address, source
port, destination port, and protocol from the sample packet.
—When you select Protocol, the FortiSwitch unit collects the source IP address, destination IP address, and
protocol from the sample packet.
—When you select VLAN , the FortiSwitch unit collects the source IP address, destination IP address, source
port, destination port, protocol, and VLAN from the sample packet.
d. In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets in the application
level.
4. Configure the timeouts.
a. In the General field, enter the general timeout in seconds for the flow session.
b. In the ICMP field, enter the ICMP timeout for the flow session.
c. In the Max field, enter the maximum number of seconds before the flow session times out.
d. In the TCP field, enter the TCP timeout for the flow session.
e. In the TCP FIN field, enter the TCP FIN flag timeout for the flow session.
f. In the TCP RST field, enter the TCP RST flag timeout for the flow session.
g. In the UDP field, enter the UDP timeout for the flow session.
5. Configure the aggregates.
a. Select +.
b. In the ID field, enter a number to identify the entry or use the default value.
c. Required. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are
aggregated into the same flow.
d. To add another entry, select +.
6. Select Update.

Using the CLI:

config system flow-export
    set collector-ip <IPv4_address>
    set collector-port <port_number>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set identity <hexadecimal>
    set level {ip | mac | port | proto | vlan}
    set max-export-pkt-size <integer>
    set timeout-general <integer>
    set timeout-icmp <integer>
    set timeout-max <integer>
    set timeout-tcp <integer>
    set timeout-tcp-fin <integer>
    set timeout-tcp-rst <integer>
    set timeout-udp <integer>
    set transport {sctp | tcp | udp}
    config aggregates
        edit <id>
            set ip <IPv4_address_mask>
        next
    end
end

Viewing the flow-export data

Using the GUI:

Go to System > Flow Export > Monitor.

Using the CLI:

You can display the flow-export data or raw data for a specified number of records or for all records. You can also display
statistics for flow-export data.
get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data statistics

NOTE: Layer-2 flows for netflow1 and netflow5 are not supported. For the output of the get system flow-export-data statistics
command, the Incompatible Type field displays how many flows are not exported because they are not supported.
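The collector side of the export configured above, as an added example that is not FortiSwitchOS code: a Python decoder for a NetFlow version 5 datagram that reads the sampling-interval field from the header and scales the sampled counters back up, which is the step a collector must take before the byte counts mean anything. The two-record datagram it parses is constructed inline (the addresses are borrowed from the deployment scenario later in this guide); the engine_id value 7 and the sequence number are made up and nothing here depends on a live switch.

```python
"""Decode a NetFlow version 5 export datagram of the kind a FortiSwitch unit
sends with "set format netflow5".  Added example, not Fortinet code; the
two-record datagram below is constructed by hand."""
import ipaddress
import struct
from dataclasses import dataclass

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (NetFlow v5 layout).
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int          # counts as observed on the sampled packets only
    octets: int
    duration_ms: int      # last - first, in sys_uptime milliseconds
    tcp_flags: int


def sampling_rate(field):
    """v5 packs the sampling mode in the top 2 bits and the 1-in-N interval
    in the low 14 bits; an interval of 0 means the exporter did not sample."""
    interval = field & 0x3FFF
    return interval or 1


def parse_netflow5(datagram):
    """Return header fields and the list of flows, refusing truncated input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram holds")
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, pkts, octets, last - first, flags))
    return {"sequence": sequence, "engine_id": engine_id,
            "sample_rate": sampling_rate(sampling), "flows": flows}


def estimated_octets(flow, rate):
    """Scale a sampled byte count back up to an estimate of the real traffic."""
    return flow.octets * rate


def build_sample_datagram():
    """Constructed datagram: sampling 1-in-64, one TCP/443 flow and one DNS query."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1600000000, 0, 42, 0, 7, 64)

    def record(src, dst, pkts, octets, first, last, sport, dport, flags, proto):
        return struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, bytes(4), 4, 5, pkts, octets,
                           first, last, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

    return (header
            + record("10.1.1.7", "20.1.1.10", 3, 1500, 100000, 104500, 51234, 443, 0x18, 6)
            + record("10.1.1.7", "10.1.1.1", 1, 78, 120000, 120000, 49152, 53, 0, 17))
```

Under NetFlow version 5 there is a single sample rate in the datagram header, which is why the note above recommends one rate on every sampled port: the decoder can only apply that one rate to every record in the datagram, and the length checks keep a short or forged datagram from being read past its end.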

Deleting the flow-export data

Use the following commands to delete or expire all flow-export data:
diagnose sys flow-export delete-flows-all
diagnose sys flow-export expire-flows-all

Identifying a specific FortiSwitch unit

When you have multiple FortiSwitch units and need to locate a specific switch, use the following command to flash all
port LEDs on and off for a specified number of minutes:
diagnose switch physical-ports led-flash <disable | time>

You can flash the port LEDs for 5, 15, 30, or 60 minutes. After you locate the FortiSwitch unit, you can use disable to
stop the LEDs from flashing.
NOTE: For the FS-5xx switches, the diagnose switch physical-ports led-flash command flashes only
the SFP port LEDs, instead of all the port LEDs.

Deployment scenario

Working configuration for PC and phone for 802.1x authentication using MAC

Summary

1. Configure all devices.
o PC
o Phone
o FortiSwitch
o FortiAuthenticator
o DHCP server
2. Authenticate phone using MAB and using LLDP-MED.
3. Authenticate PC using EAP 802.1x.

A. Configure all devices

I. Configure the PC, phone, FortiSwitch, FortiAuthenticator (RADIUS server), and DHCP server

Phone configuration (file: macmode_phone_pc_ping_work)

i. On the phone, enable the WAN port and leave the VLAN ID at the default so that the LLDP-MED network policy can
designate the voice VLAN.
ii. On the phone, enable the LAN port and assign the VLAN ID for data matching the RADIUS VLAN assignment.

PC configuration

i. Install the supplicant software.
ii. Launch the supplicant software, type the user name and password, and enable DHCP on the interface.

FortiSwitch configuration

1. Configure the LLDP profile for voice.

# show switch lldp
config switch lldp profile
    edit "pexa" <<<<<<<<<<<<<<<<
        set 802.1-tlvs port-vlan-id
        config med-network-policy
            edit "voice"
                set status enable
                set vlan 21
            next
            edit "voice-signaling"
                set status enable
                set vlan 31
            next
            edit "guest-voice"
            next
            edit "guest-voice-signaling"
            next
            edit "softphone-voice"
                set status enable
                set vlan 41
            next
            edit "video-conferencing"
            next
            edit "streaming-video"
            next
            edit "video-signaling"
            next
        end
        set med-tlvs inventory-management network-policy
    next
end

2. Apply the LLDP profile on a dot1x port.

# show switch physical-port port4
config switch physical-port
    edit "port4" <<<<<<<<<<<<<<<<
        set lldp-profile "pexa"
        set speed auto
    next
end

3. Configure a user group.

# show user group
config user group
    edit "Corp_Grp_10"
        set member "FAC_LAB"
    next
end

4. Configure the RADIUS server.

# show user radius
config user radius
    edit "FAC_LAB" <<<<<<<<
        set secret ENCW82jBg06XhKD/4Dugqm8QF2f7D1B4bfFdDSZaLUQPwZXv4F8zMc5sWHRl9suwmbmzNnAnyqPaarAYcSLuT8kVjFSRO0znx+TXVWTqdSeLCpbMv+HYFNOHMbYlfES8wTYYD40InCgrYr2johvr2vfa5KG4g8XMwKSIM0LurR//1WqT0fH
        set server
    next
end

5. Configure port security on the dot1x port.
a. Configure mac-mode port-security.
b. Add the voice VLAN to the allowed list (for example, 21).
c. Apply the security group.

Interface port4 configuration:

# show switch interface port4
config switch interface
    edit "port4"
        set allowed-vlans 20-21,31,41
        set security-groups "Corp_Grp_10"
        set snmp-index 4
        config port-security
            set auth-fail-vlan disable
            set guest-auth-delay 120
            set guest-vlan disable
            set mac-auth-bypass enable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 40
            set guest-vlanid 30
        end
    next
end

RADIUS configuration

MAB authentication:
l Add the phone MAC address to the MAB list.
802.1X authentication:
1. Create a local user.
2. Create a user group with "Attributes" and enable PEAP and MSChapv2.

DHCP configuration

1. On the DHCP server, configure a pool for the phone and a pool for the PC.
!
ip dhcp pool PC
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 10.1.1.1
!
ip dhcp pool PC
 network 20.1.1.0 255.255.255.0
 default-router 20.1.1.1
 dns-server 20.1.1.5

2. Configure exclude lists for the pools covering both the gateway and the DNS server.
ip dhcp excluded-address 20.1.1.1 20.1.1.5 <<<<gateway and dns server
ip dhcp excluded-address 10.1.1.1 10.1.1.5 <<<<gateway and dns server
!
ip dhcp pool PC
 network 20.1.1.0 255.255.255.0
 default-router 20.1.1.1
 dns-server 20.1.1.5

3. Configure the switch port VLAN interface as a gateway for the phone.

# show run
Building configuration

Current configuration
!
interface vlan21 <<<<<<
ip address 20.1.1.1
end

4. Configure the switch port VLAN interface as a gateway for the PC.

# show run
Building configuration

Current configuration
!
interface vlan10 <<<<<<
ip address 10.1.1.1
end

5. Configure the l2 port and associate the voice VLAN.

# show run
Building configuration

Current configuration
!
interface GigabitEthernet g1/0/1 <<<<<<
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport trunk all
switchport mode trunk
end

6. Configure the l2 port and associate the data VLAN.

# show run
Building configuration

Current configuration
!
interface GigabitEthernet g1/0/2 <<<<<<
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk all
switchport mode trunk
end

II. Connect a link between the FortiSwitch unit and the DHCP server and assign a matching VLAN for the phone on both ports

III. Connect a link between the FortiSwitch unit and the DHCP server and assign a matching VLAN for the PC on both ports

B. Authenticate phone using MAB

1. Connect the phone to the switch to authenticate with RADIUS through the MAB (mac-bypass).
2. Once authenticated:
a. On the FortiSwitch unit, verify that the port is authorized and that the voice VLAN is on the allowed list.
# diagnose switch 8 status
Signal 10 received - config reload scheduled
wrdapd_hostapd_dump_state_console Hostapd own address 90:6c:ac:18:6f:2f
dump_diag:1:
receive dump diagnostic 802_1x/MAB sessions. ifname :port4: dump_diag:1:
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( ) <<<<<<
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41 <<<<<<
Untagged Vlan list:
Guest VLAN:

Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<phone

Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params: reAuth=3600

b. On the FortiSwitch unit, verify that the LLDP neighbor detail accurately reflects the phone and voice VLAN designation.

Neighbor learned on port4 by LLDP protocol
Last change 140 seconds ago
Last packet received 13 seconds ago
Chassis ID: 20.1.1.10 (ip) <<<<<<<<<<
System Name: FON-670i
System Description
V12.740.335.12.B
Time To Live: 60 seconds
System Capabilities: BT
Enabled Capabilities: BT
MED type: Communication Device Endpoint (Class III)
MED Capabilities: CP
Management IP Address: 20.1.1.10
Port ID: 00:a8:59:d8:f1:f6 (mac) <<<<<<<<<<<<<<<
Port description: WAN Port 10M/100M/1000M
IEEE802.3, Power via MDI:
Power devicetype: PD
PSE MDI Power: Not Supported
PSE MDI Power Enabled: No
PSE Pair Selection: Can not be controlled
PSE power pairs: Signal
Power class: 1
Power type: 802.3at off
Power source: Unknown
Power priority: Unknown
Power requested: 0
Power allocated: 0
LLDP-MED, Network Policies:
voice: VLAN: 21 (tagged), Priority: 0 DSCP: 0 <<<<<<<<<<<<
voice-signaling: VLAN: 21 (tagged), Priority: 0 DSCP: 0
streaming-video: VLAN: 21 (tagged), Priority: 0 DSCP: 0

# Checking STA 00:a8:59:d8:f1:f6 inactivity:
Station has been active

c. On the phone, verify that the DHCP address is assigned.


d. On the DHCP server, check the binding and ping from the gateway to verify that the phone is reachable.

# show ip dhcp binding
IP address      Client-ID/Hardware address   Lease expiration       Type
20.1.1.10       00a8.59d8.f1f6               Mar 20 1993 01:52 AM   Automatic
#
# show ip dhcp binding
IP address      Client-ID/Hardware address   Lease expiration       Type
10.1.1.7        0168.f728.fbc0.0f            Mar 11 1993 01:54 AM   Automatic <<<<<< pc
20.1.1.10       00a8.59d8.f1f6               Mar 20 1993 01:52 AM   Automatic <<<<< phone

# ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
# ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
# ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
# ping 20.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
#

C. Authenticate the PC using EAP dot1x

1. Connect the PC to the phone for EAP authentication and VLAN assignment (for data).
2. After authentication:
a. On the FortiSwitch unit, verify that the port is authorized and that the dynamically assigned data VLAN has been
placed on the allowed list.

# diagnose switch 8 status
Signal 10 received - config reload scheduled
wrdapd_hostapd_dump_state_console Hostapd own address 90:6c:ac:18:6f:2f
dump_diag:1:
receive dump diagnostic 802_1x/MAB sessions. ifname :port4: dump_diag:1:
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( ) <<<<<<
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41 <<<<<<
Untagged Vlan list:
Guest VLAN:

Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10 <<<<<<<<<<<<<<<<<<<<< PC
00:a8:59:d8:f1:f6 MAB 1 0

Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600

b. On the PC, verify that the DHCP address is assigned.
c. From the DHCP server, check the binding and ping from the gateway to verify that the PC is reachable.
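A scripted form of the checks in steps B.2.a and C.2.a, as an added example rather than anything from FortiSwitchOS: it parses the lines of the diagnose switch 8 status output that those steps look at and reports any client session that is not AUTHENTICATED, any dynamically assigned VLAN that is missing from the allowed list, and a voice VLAN that is not allowed on the port. The SAMPLE text is constructed to mirror the output shown in this scenario; the line layout is assumed to match what your own unit prints, so compare it against a real dump before relying on the regular expressions.

```python
"""Scripted check for the verification steps in this scenario (B.2.a and C.2.a).
Added example, not FortiSwitchOS code; SAMPLE is constructed to mirror the
"diagnose switch 8 status" output shown above."""
import re

SAMPLE = """\
port4 : Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized ( )
Native Vlan : 1
Allowed Vlan list: 1,10,20-21,31,41
Untagged Vlan list:
Guest VLAN:

Client MAC Type Vlan Dynamic-Vlan
68:f7:28:fb:c0:0f 802.1x 1 10
00:a8:59:d8:f1:f6 MAB 1 0

Sessions info:
68:f7:28:fb:c0:0f Type=802.1x,PEAP,state=AUTHENTICATED
params:reAuth=3600
00:a8:59:d8:f1:f6 Type=MAB,,state=AUTHENTICATED
params:reAuth=3600
"""

MAC_RE = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"


def expand_vlan_list(text):
    """'1,10,20-21,31,41' -> {1, 10, 20, 21, 31, 41}; an empty list means no VLANs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_status(text):
    """Pull the port state, allowed VLANs and per-client rows out of the dump."""
    state = re.search(r"^Port State:\s*(\w+)", text, re.M)
    allowed = re.search(r"^Allowed Vlan list:\s*(.*)$", text, re.M)
    clients = {}
    row = rf"^{MAC_RE}\s+(802\.1x|MAB)\s+(\d+)\s+(\d+)\s*$"
    for mac, kind, vlan, dyn in re.findall(row, text, re.M):
        clients[mac] = {"type": kind, "vlan": int(vlan),
                        "dynamic_vlan": int(dyn), "state": None}
    for mac, sess in re.findall(rf"^{MAC_RE}\s+Type=.*?state=(\w+)", text, re.M):
        if mac in clients:
            clients[mac]["state"] = sess
    return {"port_state": state.group(1) if state else None,
            "allowed": expand_vlan_list(allowed.group(1) if allowed else ""),
            "clients": clients}


def check_port(status, voice_vlan, data_vlan):
    """Return the list of findings; an empty list means the port matches the
    scenario: authorized, voice VLAN allowed, every client AUTHENTICATED, the
    802.1x client on the expected data VLAN, and any dynamic VLAN allowed."""
    findings = []
    if status["port_state"] != "authorized":
        findings.append(f"port state is {status['port_state']}")
    if voice_vlan not in status["allowed"]:
        findings.append(f"voice VLAN {voice_vlan} is not in the allowed list")
    if not status["clients"]:
        findings.append("no client sessions on the port")
    for mac, c in status["clients"].items():
        if c["state"] != "AUTHENTICATED":
            findings.append(f"{mac}: session state is {c['state']}")
        if c["type"] == "802.1x" and c["dynamic_vlan"] != data_vlan:
            findings.append(f"{mac}: expected data VLAN {data_vlan}, got {c['dynamic_vlan']}")
        if c["dynamic_vlan"] and c["dynamic_vlan"] not in status["allowed"]:
            findings.append(f"{mac}: dynamic VLAN {c['dynamic_vlan']} not in the allowed list")
    return findings
```

Run it with check_port(parse_status(SAMPLE), voice_vlan=21, data_vlan=10); the voice VLAN is the one the LLDP-MED policy advertises and the data VLAN is the one the RADIUS server returns for the PC, so a non-empty result points at whichever of the scenario's pieces (allowed-vlans, the MAB entry, or the RADIUS VLAN attribute) is out of step.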

Appendix: FortiSwitch-supported RFCs

FortiSwitchOS supports the following RFCs:


l BFD on page 346
l BGP on page 346
l DHCP on page 347
l IP/IPv4 on page 347
l IP multicast on page 347
l IPv6 on page 347
l IS-IS on page 348
l MIB on page 348
l OSPF on page 349
l Other protocols on page 349
l RADIUS on page 349
l RIP on page 350
l SNMP on page 350

BFD

l RFC 5880: Bidirectional Forwarding Detection (BFD)
l RFC 5881: Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
l RFC 5882: Generic Application of Bidirectional Forwarding Detection (BFD)

BGP

l RFC 1771: A Border Gateway Protocol 4 (BGP-4)
l RFC 1965: Autonomous System Confederations for BGP
l RFC 1997: BGP Communities Attribute
l RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
l RFC 2796: BGP Route Reflection - An Alternative to Full Mesh IBGP
l RFC 2842: Capabilities Advertisement with BGP-4
l RFC 2858: Multiprotocol Extensions for BGP-4
l RFC 4271: A Border Gateway Protocol 4 (BGP-4)
l RFC 6286: Autonomous-System-Wide Unique BGP Identifier for BGP-4
l RFC 6608: Subcodes for BGP Finite State Machine Error
l RFC 6793: BGP Support for Four-Octet Autonomous System (AS) Number Space
l RFC 7606: Revised Error Handling for BGP UPDATE Messages
l RFC 7607: Codification of AS 0 Processing
l RFC 7705: Autonomous System Migration Mechanisms and Their Effects on the BGP AS_PATH Attribute
l RFC 8212: Default External BGP (EBGP) Route Propagation Behavior without Policies
l RFC 8654: Extended Message Support for BGP

DHCP

l RFC 2131: Dynamic Host Configuration Protocol
l RFC 3046: DHCP Relay Agent Information Option
l RFC 7513: Source Address Validation Improvement (SAVI) Solution for DHCP

IP/IPv4

l RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP
l RFC 5227: IPv4 Address Conflict Detection
l RFC 5517: Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
l RFC 7039: Source Address Validation Improvement (SAVI) Framework

IP multicast

l RFC 2710: Multicast Listener Discovery (MLD) for IPv6 (MLDv1)
l RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
l RFC 4605: Internet Group Management Protocol (IGMP)/Multicast Listener Discovery (MLD)-Based Multicast Forwarding (“IGMP/MLD Proxying”)
l RFC 4607: Source-Specific Multicast for IP

IPv6

l RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
l RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers (DSCP)
l RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
l RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers
l RFC 4291: IP Version 6 Addressing Architecture
l RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
l RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
l RFC 4862: IPv6 Stateless Address Autoconfiguration
l RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
l RFC 6724: Default Address Selection for Internet Protocol Version 6 (IPv6)
l RFC 7113: Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
l RFC 8200: Internet Protocol, Version 6 (IPv6) Specification
l RFC 8201: Path MTU Discovery for IP version 6

IS-IS

l RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
l RFC 5308: Routing IPv6 with IS-IS

MIB

l RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-II
l RFC 1354: IP Forwarding Table MIB
l RFC 1493: Definitions of Managed Objects for Bridges
l RFC 1573: Evolution of the Interfaces Group of MIB-II
l RFC 1643: Definitions of Managed Objects for the Ethernet-like Interface Types
l RFC 1724: RIP Version 2 MIB Extension
l RFC 1850: OSPF Version 2 Management Information Base
l RFC 2233: The Interfaces Group MIB using SMIv2
l RFC 2618: RADIUS Authentication Client MIB
l RFC 2620: RADIUS Accounting Client MIB
l RFC 2674: Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN
Extensions
l RFC 2787: Definitions of Managed Objects for the Virtual Router Redundancy Protocol
l RFC 2819: Remote Network Monitoring Management Information Base
l RFC 2932: IPv4 Multicast Routing MIB
l RFC 2934: Protocol Independent Multicast MIB for IPv4
l RFC 3289: Management Information Base for the Differentiated Services Architecture
l RFC 3433: Entity Sensor Management Information Base
l RFC 3621: Power Ethernet MIB
l RFC 6933: Entity MIB (Version 4)


OSPF

l RFC 1583: OSPF Version 2
l RFC 1765: OSPF Database Overflow
l RFC 2328: OSPF Version 2
l RFC 2370: The OSPF Opaque LSA Option
l RFC 2740: OSPF for IPv6
l RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option
l RFC 3137: OSPF Stub Router Advertisement
l RFC 3623: Graceful OSPF Restart
l RFC 5340: OSPF for IPv6
l RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication
l RFC 6549: OSPFv2 Multi-Instance Extensions
l RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type
l RFC 6860: Hiding Transit-Only Networks in OSPF
l RFC 7474: Security Extension for OSPFv2 When Using Manual Key Management
l RFC 7503: OSPFv3 Autoconfiguration
l RFC 8042: OSPF Two-Part Metric
l RFC 8362: OSPFv3 Link State Advertisement (LSA) Extensibility

Other protocols

l RFC 854: Telnet Protocol Specification
l RFC 2030: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
l RFC 2362: Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
l RFC 3176: InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
l RFC 3768: Virtual Router Redundancy Protocol (VRRP)
l RFC 3954: Cisco Systems NetFlow Services Export Version 9
l RFC 5101: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow
Information
l RFC 5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6

RADIUS

l RFC 2865: Remote Authentication Dial In User Service (RADIUS)
l RFC 2866: RADIUS Accounting
l RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)


RIP

l RFC 1058: Routing Information Protocol
l RFC 2080: RIPng for IPv6
l RFC 2082: RIP-2 MD5 Authentication
l RFC 2453: RIP Version 2
l RFC 4822: RIPv2 Cryptographic Authentication

SNMP

l RFC 1157: A Simple Network Management Protocol (SNMP)
l RFC 2571: An Architecture for Describing SNMP Management Frameworks
l RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
l RFC 2573: SNMP Applications
l RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network
Management Framework

Appendix: Supported attributes for RADIUS CoA and RSSO

Attributes sent from the FortiSwitch unit to the RADIUS server during 802.1x authentication (Access-Request)

Attribute | AVP Type | Type | Description
NAS-Identifier | 32 | text | Host name of switch
User-Name | 1 | alphanumeric | User name of supplicant or MAC address
EAP-Message | 79 | concat | Include EAP content
Framed-MTU | 12 | integer | Configurable (size in bytes). The range of values is 600-1500. The default value is 1500.
NAS-Port-Id | 87 | text | Port connected to supplicant
NAS-Port | 5 | integer | Value of port ID; for example, 12 means port12
NAS-Port-Type | 61 | enum | Ethernet (15)
Calling-Station-ID | 31 | text | MAC address of supplicant
Message-Authenticator | 80 | string | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.
Service-Type | 6 | enum | Optional. The following settings are available:
    - administrative—The user granted access to the administrative interface.
    - authenticate-only—Authentication is requested, and no authentication information needs to be returned.
    - call-check—This setting is used by the NAS in an Access-Request packet or Access-Accept packet to answer the call.
    - callback-administrative—The user disconnected, called back, and granted access to the administrative interface.
    - callback-framed—The user disconnected and called back and then used a Framed-Protocol attribute.
    - callback-login—The user disconnected and called back.
    - callback-nas-prompt—The user disconnected and called back and then provided a command prompt.
    - framed—The user used a Framed-Protocol attribute.
    - login—The user should be connected to a host.
    - nas-prompt—The user provided a command prompt on the NAS.
    - none—Disable the Service-Type AVP.
    - outbound—The user granted access to outgoing devices.
    The default is none for 802.1x authentication. MAC Authentication Bypass (MAB) always uses the call-check setting, no matter what is configured.

Attributes sent from the RADIUS server to the FortiSwitch unit during 802.1x authentication (Access-Accept)

Attribute | AVP Type | Type | Description
User-Name | 1 | alphanumeric | User name of supplicant (MAC address of host in MAB)
Class | 25 | string | Whatever the server returns
Tunnel-Type | 64 | enum | Optional. Set to 13 for VLAN.
Tunnel-Medium-Type | 65 | vsa | Optional. Set to 6 for IEEE-802.
Tunnel-Private-Group-ID | 81 | text | VLAN number or VLAN name
Vendor-Specific | 26 | vsa | Fortinet-Group-Name
Filter-Id | 11 | text | Relayed from the server
Session-Timeout | 27 | integer | How many seconds before the session times out
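The Access-Request and Access-Accept attributes in the two tables above, encoded and checked in Python as an added example that is not FortiSwitchOS code. It computes the Message-Authenticator the way the Access-Request table describes (HMAC-MD5 keyed with the shared secret over the packet, with the attribute's own value zeroed while the digest is taken), builds and checks the Response Authenticator of the Accept, and extracts the VLAN assignment from the Tunnel-Type 13 / Tunnel-Medium-Type 6 / Tunnel-Private-Group-ID triple. The shared secret, the NAS-Identifier "FS-lab", NAS-Port 4 and the packet Identifier are constructed values; the attribute numbers are the AVP types from the tables, and the MAB client MAC is the phone's from the deployment scenario.

```python
"""Encoding and checking the RADIUS attributes tabled above for an 802.1x or
MAB exchange.  Added example, not FortiSwitchOS code: the shared secret, MAC
address and switch name are constructed; the AVP numbers come from the tables."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, SERVICE_TYPE, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 5, 6, 31, 32
NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR = 61, 64, 65, 80
TUNNEL_PRIVATE_GROUP_ID = 81
SERVICE_TYPE_CALL_CHECK = 10                       # the value MAB always sends (RFC 2865)
NAS_PORT_TYPE_ETHERNET, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 15, 13, 6

def avp(t, value):
    """Type, Length, Value; Length counts the two header octets as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value

def int_avp(t, n):
    return avp(t, struct.pack("!I", n))

def tunnel_avp(t, value, tag=0):
    """Tunnel-* attributes carry a leading Tag octet (RFC 2868)."""
    return avp(t, bytes([tag]) + value)

def build_request(ident, req_auth, attrs, secret):
    """Access-Request whose Message-Authenticator is HMAC-MD5, keyed with the
    shared secret, over the whole packet with the attribute's 16 value octets
    zeroed while the digest is computed (RFC 2869 section 5.14)."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def attributes(pkt):
    """Yield (offset, type, value), rejecting lengths that overrun the packet."""
    end = struct.unpack("!H", pkt[2:4])[0]
    if end < 20 or end > len(pkt):
        raise ValueError("bad Length field")
    off = 20
    while off < end:
        if off + 2 > end:
            raise ValueError("truncated attribute header")
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > end:
            raise ValueError("malformed attribute")
        yield off, t, pkt[off + 2:off + length]
        off += length

def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the received value zeroed; a packet without
    the attribute fails closed."""
    for off, t, value in attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def build_accept(request, req_auth, secret, vlan):
    """Access-Accept assigning a VLAN with Tunnel-Type 13, Tunnel-Medium-Type 6
    and Tunnel-Private-Group-ID.  Response Authenticator (RFC 2865 section 3)
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident = request[1]
    body = (tunnel_avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + tunnel_avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii")))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_accept(accept, req_auth, secret):
    """The switch checks the Response Authenticator against the Request
    Authenticator it sent, so a forged or replayed Accept fails here."""
    length = struct.unpack("!H", accept[2:4])[0]
    expected = hashlib.md5(accept[:4] + req_auth + accept[20:length] + secret).digest()
    return hmac.compare_digest(expected, accept[4:20])

def assigned_vlan(accept):
    """VLAN from Tunnel-Private-Group-ID, honoured only when Tunnel-Type is VLAN
    and Tunnel-Medium-Type is IEEE-802; the Tag octet is stripped when <= 0x1F."""
    ttype = medium = group = None
    for _, t, v in attributes(accept):
        if t == TUNNEL_TYPE and len(v) == 4:
            ttype = struct.unpack("!I", v)[0] & 0xFFFFFF
        elif t == TUNNEL_MEDIUM_TYPE and len(v) == 4:
            medium = struct.unpack("!I", v)[0] & 0xFFFFFF
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            group = v[1:] if v[0] <= 0x1F else v
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and group:
        return group.decode("ascii")
    return None

def mab_exchange(secret=b"constructed-secret", mac="00-a8-59-d8-f1-f6", vlan=21):
    """One MAB round trip: the switch's Access-Request and the server's Accept."""
    req_auth = os.urandom(16)                       # Request Authenticator
    attrs = [avp(USER_NAME, mac.encode()), avp(CALLING_STATION_ID, mac.encode()),
             int_avp(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK), int_avp(NAS_PORT, 4),
             int_avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET), avp(NAS_IDENTIFIER, b"FS-lab")]
    request = build_request(7, req_auth, attrs, secret)
    return request, req_auth, build_accept(request, req_auth, secret, vlan)
```

The Message-Authenticator is what lets the server reject an Access-Request whose attributes were altered in transit, and the Response Authenticator is what lets the switch reject an Access-Accept that was not produced by the holder of the shared secret in answer to that exact request; both checks use a constant-time comparison, and the attribute walker refuses any Length octet that would read past the datagram.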

RADIUS attributes in the Accounting Start message

Attribute | AVP Type | Description
Acct-Status-Type | 40 | 1 for Start
Acct-Session-Id | 44 | 802.1x or MAB session ID generated by the switch. For example: 0000004b
User-Name | 1 | Host login name or MAC address. For example: host01
Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. The minimum value is 1; the maximum value is 1.
NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch.
Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3
NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48
NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48
NAS-Port-Type | 61 | 0 for asynchronous
Called-Station-Id | 30 | MAC address of the 802.1x port. For example: E8-1C-BA-8E-81-46
Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01
Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time
Filter-Id | 11 | Relayed from the server
Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match.
Class | 25 | Whatever the server returns

RADIUS attributes in the Accounting Interim Update message

Attribute | AVP Type | Description
Acct-Status-Type | 40 | 3 for Interim-Update
Acct-Session-Id | 44 | 802.1x or MAB session ID generated by the switch. For example: 0000004b
User-Name | 1 | Host login name or MAC address. For example: host01
Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode.
Acct-Link-Count | 51 | 2 for two sessions on the port. This attribute is only valid for MAC mode.
NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch.
Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3
NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48
NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48
NAS-Port-Type | 61 | 15 for Ethernet
Called-Station-Id | 30 | MAC address of the 802.1x port. For example: E8-1C-BA-8E-81-46
Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01
Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time
Filter-Id | 11 | Eng-Group. If Filter-Id is received during authentication, it is included in accounting.
Class | 25 | Whatever the server returns
Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match.

RADIUS attributes in the Accounting Stop message

Attribute | AVP Type | Description
Acct-Status-Type | 40 | 2 for Stop
Acct-Session-Id | 44 | 802.1x or MAB session ID generated by the switch. For example: 0000004b
User-Name | 1 | Host login name or MAC address. For example: host01
Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode.
Acct-Link-Count | 51 | 2 for two sessions on the port
NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch.
Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3
NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48
NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48
NAS-Port-Type | 61 | 15 for Ethernet
Called-Station-Id | 30 | MAC address of the 802.1x port. For example: E8-1C-BA-8E-81-46
Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01
Acct-Input-Octets | 42 | 3200
Acct-Output-Octets | 43 | 16050448
Acct-Input-Packets | 47 | 20
Acct-Output-Packets | 48 | 93606
Acct-Terminate-Cause | 49 | 6 for Admin-Reset
Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time
Filter-Id | 11 | Eng-Group. If Filter-Id is received during authentication, it is included in accounting.
Class | 25 | Whatever the server returns
Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match.

RADIUS attributes in the Disconnect-Request message

Attribute | AVP Type | Description
Calling-Station-ID | 31 | MAC address of host
Framed-IP-Address | 8 | IP address of host
User-Name | 1 | Host login name
NAS-IP-Address | 4 | NAS IP address
Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.
Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

RADIUS attributes in the Disconnect-ACK message

Attribute | AVP Type | Description
Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time
Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

RADIUS attributes in the Disconnect-NAK message

Attribute | AVP Type | Description
Calling-Station-ID | 31 | MAC address of host
NAS-Port | 5 | Port that the host is connected to
Acct-Session-Id | 44 | 802.1x or MAB session identifier generated by the switch
Framed-IP-Address | 8 | IP address of host
User-Name | 1 | Host login name
Error-Cause | 101 | Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions.

RADIUS attributes in the CoA-Request message (reauth-port)

Attribute AVP Type Description

Calling-Station-ID 31 MAC address of host

Message-Authenticator 80 The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

Vendor-Specific 26 Fortinet-Group-Name

Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

User-Name 1 Host login name

RADIUS attributes in the CoA-Request message (disable-port)

Attribute AVP Type Description

Calling-Station-ID 31 MAC address of host

User-Name 1 Host login name

NAS-IP-Address 4 NAS IP address

Message-Authenticator 80 The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

Vendor-Specific 26 Fortinet-Group-Name

Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

Class 25 Whatever the server returns

Filter-Id 11 Relayed from the server

RADIUS attributes in the CoA-Request message (bounce-port)

Attribute AVP Type Description

Calling-Station-ID 31 MAC address of host

User-Name 1 Host login name

Message-Authenticator 80 The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

Vendor-Specific 26 Fortinet-Group-Name

Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

Class 25 Whatever the server returns

Filter-Id 11 Relayed from the server

RADIUS attributes in the CoA-Request message (session-timeout)

Attribute AVP Type Description

Calling-Station-ID 31 MAC address of host

NAS-Port 5 Port that the host is connected to

Acct-Session-Id 44 802.1x or MAB session identifier generated by the switch

Framed-IP-Address 8 IP address of host

User-Name 1 Host login name

RADIUS attributes in the CoA-ACK message

Attribute AVP Type Description

Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

Message-Authenticator 80 The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

RADIUS attributes in the CoA-NAK message

Attribute AVP Type Description

Error-Cause 101 Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions.

Event-Timestamp 55 Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time

Message-Authenticator 80 The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key.

Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages

Error Cause Error Code Description

Unsupported Attribute 401 This error is a fatal error, which is sent if a request contains an attribute that is not supported.

NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more NAS-Identifier attributes do not match the identity of the NAS receiving the request.

Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.

Session Context Not Found 503 This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.
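
The following Python is an added example, not code from the FortiSwitchOS guide or from Fortinet. It encodes a Disconnect-Request carrying the attributes listed for that message above (Calling-Station-ID, Framed-IP-Address, User-Name, NAS-IP-Address, Event-Timestamp), computes the Message-Authenticator (type 80) and the Request Authenticator, verifies both the way a NAS should before acting on an incoming request, and decodes the Error-Cause attribute from a constructed Disconnect-NAK using the codes in the table above. The packet codes and attribute numbers are those of RFC 2865, 2869, 3579 and 5176; the shared secret, user name, MAC address and IP addresses are constructed sample values. The Vendor-Specific (Fortinet-Group-Name) attribute is not encoded here because the page does not give its vendor-level layout.

```python
# Added example (not FortiSwitchOS code): encode, sign and verify RADIUS CoA /
# Disconnect messages and decode Error-Cause. Codes and attribute numbers are
# from RFC 2865, 2869, 3579 and 5176; the shared secret below is constructed.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used in the tables above
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 4, 5, 8
FILTER_ID, CLASS, VENDOR_SPECIFIC, CALLING_STATION_ID = 11, 25, 26, 31
ACCT_SESSION_ID, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 44, 55, 80, 101

# Error-Cause codes from the appendix table
ERROR_CAUSES = {401: "Unsupported Attribute", 403: "NAS Identification Mismatch",
                407: "Invalid Attribute Value", 503: "Session Context Not Found"}


def avp(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(body):
    """Return [(type, value), ...]; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code, ident, attrs, secret):
    """Disconnect-Request / CoA-Request with a Message-Authenticator (type 80).

    The Request Authenticator of these packets is itself an MD5 over the attributes,
    so the HMAC-MD5 is computed first, over the packet with the Authenticator field
    and the attribute's own value zeroed (the order FreeRADIUS uses); the Request
    Authenticator is then MD5(header + 16 zero octets + attributes + secret).
    """
    body = b"".join(avp(t, v) for t, v in attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac  # Message-Authenticator is the last attribute appended
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_request(packet, secret):
    """NAS-side check; returns (request_authenticator_ok, message_authenticator_ok)."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        raise ValueError("bad packet length")
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    auth_ok = hmac.compare_digest(auth, expected)
    ma_ok, offset = False, 0
    for atype, value in parse_attributes(body):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            mac = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            ma_ok = hmac.compare_digest(value, mac)
            break
        offset += len(value) + 2
    return auth_ok, ma_ok


def build_response(code, ident, attrs, request_auth, secret):
    """ACK / NAK: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def error_cause(packet):
    """Decode Error-Cause (101) from a NAK into (code, description), or None."""
    for atype, value in parse_attributes(packet[20:]):
        if atype == ERROR_CAUSE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            return code, ERROR_CAUSES.get(code, "unknown")
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    # Constructed Disconnect-Request carrying the attributes the table lists for it;
    # Event-Timestamp is the table's example time (12:25:03 PDT) as UTC seconds.
    req = build_request(DISCONNECT_REQUEST, 7, [
        (CALLING_STATION_ID, b"00:09:0F:B7:37:00"),
        (FRAMED_IP_ADDRESS, IPv4Address("192.168.1.99").packed),
        (USER_NAME, b"jdoe"),
        (NAS_IP_ADDRESS, IPv4Address("10.10.10.1").packed),
        (EVENT_TIMESTAMP, struct.pack("!I", 1559330703)),
    ], secret)
    print("genuine:", verify_request(req, secret))  # (True, True)
    tampered = bytearray(req)
    tampered[22] ^= 1  # flip one bit inside Calling-Station-ID
    print("tampered:", verify_request(bytes(tampered), secret))  # (False, False)
    nak = build_response(DISCONNECT_NAK, 7, [(ERROR_CAUSE, struct.pack("!I", 503))],
                         req[4:20], secret)
    print("NAK Error-Cause:", error_cause(nak))  # (503, 'Session Context Not Found')
```

A request signed with a different shared secret, or one whose attributes were altered in transit, fails both checks; RFC 5176 requires the NAS to silently discard such a packet rather than answer it with a NAK, so the Error-Cause table above only applies to requests that have already passed these checks.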

Stop error codes for RADIUS accounting

Error Message Error Code Description

ACCT_TERM_CAUSE_IDLE_TIMEOUT 4 The system has been idle for too long.

ACCT_TERM_CAUSE_USER_REQUEST 1 The user requested the service to be stopped.

ACCT_TERM_CAUSE_SESSION_TIMEOUT 5 The session has timed out.

ACCT_TERM_CAUSE_ADMIN_RESET 6 The administrator has reset the session or port.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiSwitchOS - CLI Reference
Version 6.4.3

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

October 29, 2020
FortiSwitchOS 6.4.3 CLI Reference
11-643-646831-20201029

TABLE OF CONTENTS

Change log 13
Introduction 14
FortiSwitch models 14
How this guide is organized 14
Typographical conventions 14
CLI command syntax conventions 15
Entering configuration data 16
Entering text strings (names) 17
Entering numeric values 17
config 18
config log 18
config log custom-field 18
config log eventfilter 19
config log gui 20
config log memory filter 20
config log memory global-setting 21
config log memory setting 21
config log {syslogd | syslogd2 | syslogd3} filter 22
config log {syslogd | syslogd2 | syslogd3} setting 23
config router 25
config router access-list 25
config router access-list6 27
config router aspath-list 28
config router bgp 28
config router community-list 42
config router isis 43
config router key-chain 49
config router multicast 51
config router multicast-flow 52
config router ospf 52
config router ospf6 59
config router prefix-list 62
config router prefix-list6 63
config router rip 64
config router ripng 67
config router route-map 70
config router setting 73
config router static 74
config router static6 75
config router vrf 77
config switch 77
config switch acl egress 78
config switch acl ingress 80
config switch acl policer 83
config switch acl prelookup 84
config switch acl service custom 85
config switch acl settings 87
config switch auto-isl-port-group 87
config switch auto-network 88
config switch global 88
config switch igmp-snooping globals 93
config switch interface 94
config switch ip-mac-binding 103
config switch ip-source-guard 103
config switch lldp profile 104
config switch lldp settings 108
config switch macsec profile 109
config switch mirror 111
config switch mld-snooping globals 115
config switch network-monitor directed 115
config switch network-monitor settings 116
config switch phy-mode 117
config switch physical-port 119
config switch ptp policy 123
config switch ptp settings 123
config switch qos dot1p-map 124
config switch qos ip-dscp-map 125
config switch qos qos-policy 126
config switch quarantine 129
config switch raguard-policy 129
config switch security-feature 131
config switch static-mac 133
config switch storm-control 134
config switch stp instance 134
config switch stp settings 135
config switch trunk 136
config switch virtual-wire 139
config switch vlan 140
config switch vlan-tpid 146
config switch-controller global 147
config system 148
config system accprofile 149
config system admin 150
config system arp-table 152
config system bug-report 153
config system certificate ca 154
config system certificate crl 155
config system certificate local 155
config system certificate ocsp 157
config system certificate remote 157
config system console 158
config system dhcp server 158
config system dns 164
config system flow-export 165
config system fsw-cloud 168
config system global 169
config system interface 176
config system ipv6-neighbor-cache 186
config system link-monitor 187
config system location 188
config system ntp 192
config system password-policy 193
config system schedule group 195
config system schedule onetime 195
config system schedule recurring 196
config system settings 197
config system sflow 198
config system sniffer-profile 198
config system snmp community 199
config system snmp sysinfo 201
config system snmp user 203
config user 204
config user group 204
config user ldap 206
config user local 207
config user peer 208
config user peergrp 210
config user radius 210
config user setting 214
config user tacacs+ 216
diagnose 217
diagnose bpdu-guard display status 220
diagnose certificate all 220
diagnose certificate ca 222
diagnose certificate local 222
diagnose certificate remote 223
diagnose debug application 223
diagnose debug authd 225
diagnose debug bfd 226
diagnose debug bgp 226
diagnose debug cli 226
diagnose debug config-error-log 227
diagnose debug console 227
diagnose debug crashlog 227
diagnose debug disable 228
diagnose debug enable 229
diagnose debug info 229
diagnose debug isis 229
diagnose debug kernel level 229
diagnose debug ospf 230
diagnose debug ospf6 230
diagnose debug packet_test 230
diagnose debug pim 230
diagnose debug port-mac 231
diagnose debug report 232
diagnose debug reset 233
diagnose debug rip 233
diagnose debug ripng 233
diagnose debug static 233
diagnose debug unit_test 233
diagnose debug zebra 234
diagnose flapguard status 234
diagnose hardware 236
diagnose ip address 236
diagnose ip arp 237
diagnose ip route 238
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} 240
diagnose ip router command 240
diagnose ip router fwd 241
diagnose ip router process show 241
diagnose ip router terminal-monitor 241
diagnose ip rtcache list 242
diagnose ip tcp 242
diagnose ip udp 242
diagnose ipv6 address 243
diagnose ipv6 devconf 244
diagnose ipv6 ipv6-tunnel 245
diagnose ipv6 neighbor-cache 245
diagnose ipv6 route 246
diagnose ipv6 sit-tunnel 247
diagnose log alertconsole 247
diagnose loop-guard status 249
diagnose option82-mapping relay 249
diagnose option82-mapping snooping 250
diagnose settings 250
diagnose sniffer packet 251
diagnose snmp 253
diagnose stp instance list 253
diagnose stp mst-config list 255
diagnose stp rapid-pvst-port 256
diagnose stp vlan list 256
diagnose switch 802-1x status 258
diagnose switch acl counter 259
diagnose switch acl hw-entry-index 260
diagnose switch acl schedule 261
diagnose switch arp-inspection stats clear 261
diagnose switch cpuq 261
diagnose switch egress list 262
diagnose switch ip-mac-binding entry 263
diagnose switch ip-source-guard hardware entry filter 263
diagnose switch ip-source-guard hardware entry list 264
diagnose switch mac-address 264
diagnose switch macsec statistics 266
diagnose switch macsec status 266
diagnose switch managed-switch 266
diagnose switch mclag 266
diagnose switch mirror auto-config 267
diagnose switch mirror hardware status 268
diagnose switch modules 268
diagnose switch network-monitor 270
diagnose switch pdu-counters 271
diagnose switch physical-ports cable-diag 271
diagnose switch physical-ports datarate 272
diagnose switch physical-ports eee-status 272
diagnose switch physical-ports hw-counter 273
diagnose switch physical-ports io-stats 274
diagnose switch physical-ports led-flash 275
diagnose switch physical-ports linerate 275
diagnose switch physical-ports list 275
diagnose switch physical-ports mapping 276
diagnose switch physical-ports mdix-status 277
diagnose switch physical-ports port-stats 277
diagnose switch physical-ports qos-rates 278
diagnose switch physical-ports qos-stats 279
diagnose switch physical-ports queue-bandwidth-setting 280
diagnose switch physical-ports set-counter-revert 281
diagnose switch physical-ports set-counter-zero 281
diagnose switch physical-ports split-status 281
diagnose switch physical-ports stats 282
diagnose switch physical-ports summary 283
diagnose switch physical-ports virtual-wire list 283
diagnose switch poe status 283
diagnose switch ptp port add-link-delay 284
diagnose switch ptp port get-link-delay 284
diagnose switch qnq dtag-cfg 284
diagnose switch trunk list 285
diagnose switch trunk summary 287
diagnose switch vlan 287
diagnose switch vlan-mapping egress hardware-entry 289
diagnose switch vlan-mapping ingress hardware-entry 290
diagnose sys checkused 290
diagnose sys cpuset 290
diagnose sys dayst-info 291
diagnose sys fan status 291
diagnose sys flash 291
diagnose sys flow-export 292
diagnose sys fsw-cloud-mgr 292
diagnose sys kill 292
diagnose sys link-monitor 293
diagnose sys mpstat 293
diagnose sys ntp status 294
diagnose sys pcb temp 294
diagnose sys process 294
diagnose sys psu status 294
diagnose sys top 295
diagnose sys vlan list 296
diagnose test application 296
diagnose test authserver 297
diagnose user radius coa 298
execute 299
execute 802-1x clear interface 300
execute acl clear-counter 301
execute acl key-compaction 301
execute backup config 302
execute backup full-config 303
execute backup memory 303
execute batch 304
execute bpdu-guard 305
execute cfg reload 305
execute cfg save 306
execute clear switch igmp-snooping 307
execute clear switch mld-snooping 307
execute clear system arp table 307
execute cli check-template-status 307
execute cli status-msg-only 307
execute date 308
execute dhcp lease-clear 308
execute dhcp lease-list 309
execute dhcp-snooping 309
execute disconnect-admin-session 310
execute factoryreset 310
execute factoryresetfull 310
execute flapguard reset 311
execute interface dhcpclient-renew 311
execute interface dhcp6client-renew 311
execute interface pppoe-reconnect 312
execute license add 312
execute license enhanced-debugging 312
execute license status 313
execute log delete 313
execute log delete-all 313
execute log display 314
execute log filter 314
execute log-report reset 315
execute loop-guard reset 315
execute mac clear 315
execute mac-limit-violation reset 316
execute macsec clearstat interface 317
execute macsec reset interface 317
execute ping 317
execute ping-options 318
execute ping6 320
execute ping6-options 320
execute poe-reset 321
execute reboot 322
execute restore 322
execute revision 324
execute router clear bgp 324
execute router clear ospf 325
execute router tech-support 325
execute set-next-reboot 326
execute shutdown 326
execute source-guard-violation reset 327
execute ssh 327
execute stage 327
execute sticky-mac 328
execute switch-controller get-conn-status 328
execute system certificate ca 329
execute system certificate crl import auto 329
execute system certificate local export tftp 330
execute system certificate local generate 330
execute system certificate local import tftp 331
execute system certificate remote 332
execute system sniffer-profile delete-capture 332
execute system sniffer-profile pause 332
execute system sniffer-profile start 333
execute system sniffer-profile stop 333
execute system sniffer-profile upload 333
execute telnet 334
execute time 334
execute traceroute 335
execute tracert6 336
execute upload config 336
execute verify image 337
get 338
get hardware cpu 340
get hardware memory 341
get hardware status 342
get log custom-field 342
get log eventfilter 342
get log gui 343
get log memory 343
get log syslogd 345
get log syslogd2 345
get log syslogd3 346
get router info bfd neighbor 347
get router info bgp 347
get router info gwdetect 348
get router info isis 348
get router info kernel 349
get router info multicast 349
get router info ospf 350
get router info rip 351
get router info routing-table 352
get router info vrrp 353
get router info6 bfd neighbor 354
get router info6 bgp 354
get router info6 isis 355
get router info6 kernel 355
get router info6 ospf 356
get router info6 rip 357
get router info6 routing-table 357
get router info6 vrrp 358
get switch acl 358
get switch dhcp-snooping 359
get switch flapguard settings 361
get switch global 361
get switch igmp-snooping 362
get switch interface 363
get switch ip-mac-binding 364
get switch ip-source-guard 364
get switch ip-source-guard-violations 364
get switch lldp 364
get switch mac-limit-violations 365
get switch mirror status 366
get switch mld-snooping 367
get switch modules 368
get switch network-monitor 369
get switch phy-mode 370
get switch physical-port 370
get switch poe inline 370
get switch qos 371
get switch raguard-policy 372
get switch security-feature 372
get switch static-mac 373
get switch storm-control 373
get switch stp instance 374
get switch stp settings 374
get switch trunk 374
get switch virtual-wire 375
get switch vlan 375
get system accprofile 376
get system admin list 376
get system admin status 377
get system arp 378
get system arp-table 378
get system auto-update 378
get system bug-report 379
get system certificate 379
get system cmdb status 380
get system console 381
get system dns 382
get system flow-export 382
get system flow-export-data 383
get system fsw-cloud 383
get system fsw-cloud-mgr connection-info 384
get system global 385
get system info admin ssh 386
get system info admin status 386
get system interface physical 387
get system ipv6-neighbor-cache 387
get system link-monitor 387
get system location 388
get system ntp 388
get system password-policy 389
get system performance firewall statistics 389
get system performance status 390
get system performance top 390
get system schedule group 391
get system schedule onetime 392
get system schedule recurring 392
get system settings 392
get system sflow 393
get system sniffer-profile capture 393
get system sniffer-profile summary 393
get system snmp sysinfo 394
get system source-ip status 394
get system startup-error-log 395
get system status 395
get test 396
get user group 396
get user ldap 397
get user local 397
get user radius 397
get user setting 398
get user tacacs+ 398
Appendix: FortiSwitch QoS template 400

Change log

Date Change Description

October 29, 2020 Initial version for FortiSwitchOS 6.4.3

Introduction

This manual describes the command line interface (CLI) commands for FortiSwitchOS.

FortiSwitch models

This guide is applicable to all FortiSwitch models that are supported by FortiSwitchOS.
See the Release Notes for information about the software features supported on each of the models.

How this guide is organized

The chapters in this document describe the commands available for each of the top-level CLI commands:
- config—commands that allow you to configure various components of the FortiSwitch unit.
- diagnose—commands that help with troubleshooting.
- execute—commands that perform immediate operations.
- get—commands that provide information about FortiSwitch operation.

Typographical conventions

This document uses the following typographical conventions:

Convention Example

CLI input
config system dns
    set primary <address_ipv4>
end

CLI output
FGT-602803030703 # get system setting
comments : (No default)
opmode : nat

Emphasis HTTP connections are not secure and can be intercepted by a third party.

File content
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>

Hyperlink Visit the Fortinet Technical Support web site: https://support.fortinet.com/

Keyboard entry Type a name for the remote VPN peer or client, such as Central_Office_1.

Publication For details, see the FortiOS Administration Guide.

CLI command syntax conventions

This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line
Interface (CLI).

Convention Description

Angle brackets < > A word constrained by data type. To define acceptable input, the angled brackets
contain a descriptive name followed by an underscore ( _ ) and suffix that
indicates the valid data type.
For example: <retries_int>
indicates that you should enter a number of retries, such as 5.

Data types include:

<xxx_name> A name referring to another part of the configuration, such as policy_A.

<xxx_index> An index number referring to another part of the configuration, such as 0 for the
first static route.
<xxx_pattern> A regular expression or word with wild cards that matches possible variations,
such as *@example.com to match all email addresses ending in
@example.com.
<xxx_fqdn> A fully qualified domain name (FQDN), such as mail.example.com.

<xxx_email> An email address, such as admin@mail.example.com.

<xxx_ipv4> An IPv4 address, such as 192.168.1.99.

<xxx_v4mask> A dotted decimal IPv4 netmask, such as 255.255.255.0.

<xxx_ipv4mask> A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.

<xxx_ipv4/mask> A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.

<xxx_ipv6> A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
<xxx_ipv6mask> An IPv6 netmask, such as /96.

<xxx_ipv6/mask> An IPv6 address and netmask separated by a space.

<xxx_int> An integer number that is not another data type, such as 15 for the number of
minutes.
<xxx_url> A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
Square brackets [ ] A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates
that you can either omit or type both the verbose word and its accompanying
option, such as:
verbose 3

Curly braces { } A word or series of words that is constrained to a set of options delimited by either
vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].

Options delimited by vertical bars | Mutually exclusive options. For example: {enable | disable} indicates that you must enter either enable or disable but must not enter both.

Options delimited by spaces Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh

NOTE: To change the options, you must re-type the entire list. For example, to
add snmp to the previous example, you would type:

ping https snmp ssh

If the option adds to or subtracts from the existing list of options, instead of
replacing it, or if the list is comma-delimited, the exception will be noted.

Entering configuration data

The switch configuration is stored as a series of configuration settings in the FortiSwitchOS configuration database. To
change the configuration, you can use the CLI to add, delete, or change configuration settings. These configuration
changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed
options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration, such as an administrative user name. You can enter any
character in a text string with the following exceptions (to prevent cross-site scripting vulnerabilities):
- " (double quote)
- & (ampersand)
- ' (single quote)
- < (less than)
- > (greater than)
You can determine the limit to the number of characters that are allowed in a text string by determining how many
characters the CLI allows for a given name field. From the CLI, you can also use the tree command to view the
number of characters that are allowed. For example, firewall address names can contain up to 64 characters. From the
CLI, you can do the following to confirm that the firewall address name field allows 64 characters:
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)

NOTE: The tree command output also shows the number of characters allowed for other firewall address name
settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.

Entering numeric values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a
static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a
series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP
address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address
00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (such as MAC addresses)
require hexadecimal numbers.
CLI help includes information about allowed numeric value ranges. The CLI prevents you from entering invalid numbers.

config

Use the config commands to configure various components of the FortiSwitch unit:
- config log on page 18
- config router on page 25
- config switch on page 77
- config switch-controller global on page 147
- config system on page 148
- config user on page 204

config log

Use the config log commands to set the logging type, the logging severity level, and the logging location for the
system:
- config log custom-field on page 18
- config log eventfilter on page 19
- config log gui on page 20
- config log memory filter on page 20
- config log memory global-setting on page 21
- config log memory setting on page 21
- config log {syslogd | syslogd2 | syslogd3} filter on page 22
- config log {syslogd | syslogd2 | syslogd3} setting on page 23

config log custom-field

Use the following command to customize the log fields with a name and/or value. The custom name and/or value will
appear in the log message.

Syntax
config log custom-field
edit <id>
set name <name>
set value <int>
end

Variable Description Default

<id> Enter the identification string for the custom log. No default

name <name> Enter a name to identify the log. You can use letters, numbers, and underscores (_), but no special characters such as the number symbol (#). The name cannot exceed 16 characters. No default

value <int> Enter an integer value to associate with the log. No default

Example

This example shows how to configure a customized field for a log:


config log custom-field
edit 1
set name "Vlan"
set value 3
end

config log eventfilter

Use this command to configure event logging.

Syntax
config log eventfilter
set event {enable | disable}
set router {enable | disable}
set system {enable | disable}
set user {enable | disable}
end

Variable Description Default

event {enable | disable} Log event messages. Must be enabled to make the enable
following fields available.

router {enable | disable} Log router activity messages. enable

system {enable | disable} Log system activity messages. enable

user {enable | disable} Log user activity messages. enable

Example

This example shows how to configure event logging:


config log eventfilter
set event enable
set router enable
set system enable
set user enable
end

config log gui

Use this command to select the device from which logs are displayed in the Web-based manager.

Syntax
config log gui
set log-device memory
end

Variable Description Default

log-device memory Select the device from which logs are displayed in the memory
Web-based manager.
Currently, only logging to memory is available.

config log memory filter

Use this command to configure the filter for the memory buffer.

Syntax
config log memory filter
set severity {alert | critical | debug | emergency | error |
information | notification | warning}
end

Variable Description Default

severity {alert | critical | debug | emergency | error | information | notification | warning} Select the logging severity level. The system logs all messages at and above the logging severity level you select. For example, if you select error, the system logs error, critical, alert and emergency level messages. information
- emergency — The system is unusable.
- alert — Immediate action is required.
- critical — Functionality is affected.
- error — An erroneous condition exists and functionality is probably affected.
- warning — Functionality might be affected.
- notification — Information about normal events.
- information — General information about system operations.
- debug — Information used for diagnosing or debugging the system.

Example

This example shows how to configure the memory log filter:


config log memory filter
set severity alert
end

config log memory global-setting

Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiSwitch system
memory.
The FortiSwitch system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not
stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default,
the system begins to overwrite the oldest log messages. All log entries are deleted when the system restarts.

Syntax
config log memory global-setting
    set full-final-warning-threshold <int>
    set full-first-warning-threshold <int>
    set full-second-warning-threshold <int>
    set hourly-upload {disable | enable}
    set max-size <int>
end

Variable Description Default

full-final-warning-threshold <int>
    Enter a value to configure the final warning before reaching the threshold. You can enter a number between 3 and 100.
    Default: 95

full-first-warning-threshold <int>
    Enter a value to configure the first warning before reaching the threshold. You can enter a number between 1 and 98.
    Default: 75

full-second-warning-threshold <int>
    Enter a value to configure the second warning before reaching the threshold. You can enter a number between 2 and 99.
    Default: 90

hourly-upload {disable | enable}
    Enter enable to have log uploads occur hourly.
    Default: disable

max-size <int>
    Enter the maximum size of the memory buffer log, in bytes.
    Default: 98304

Example

This example shows how to configure log threshold warnings and the maximum buffer lines:
config log memory global-setting
    set full-final-warning-threshold 45
    set full-first-warning-threshold 25
    set full-second-warning-threshold 45
    set hourly-upload enable
    set max-size 12288
end
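The threshold and overwrite behaviour of this command, as an added example (not FortiSwitchOS code): a Python model of the bounded memory buffer that validates the documented ranges, fires the first, second and final warnings at the configured fill percentages and overwrites the oldest entries once max-size is reached. The log lines, their byte sizes and the smaller max-size used in the demonstration are constructed.

```python
from collections import deque


class MemoryLogSetting:
    """Validated counterpart of 'config log memory global-setting'.

    Thresholds are percentages of max-size; the allowed ranges and
    defaults are the ones given in the reference table above.
    """

    def __init__(self, first=75, second=90, final=95, max_size=98304):
        if not 1 <= first <= 98:
            raise ValueError("full-first-warning-threshold must be 1-98")
        if not 2 <= second <= 99:
            raise ValueError("full-second-warning-threshold must be 2-99")
        if not 3 <= final <= 100:
            raise ValueError("full-final-warning-threshold must be 3-100")
        if max_size <= 0:
            raise ValueError("max-size must be a positive number of bytes")
        self.first, self.second, self.final = first, second, final
        self.max_size = max_size


class MemoryLogBuffer:
    """Bounded log buffer with the documented 'overwrite the oldest' behaviour."""

    def __init__(self, setting):
        self.setting = setting
        self.entries = deque()   # log lines, oldest first
        self.used = 0            # bytes currently held
        self.warnings = []       # (threshold name, percent full when it fired)
        self.overwritten = 0     # oldest entries dropped to make room

    def percent_full(self):
        return 100 * self.used // self.setting.max_size

    def write(self, line):
        size = len(line.encode("utf-8"))
        if size > self.setting.max_size:
            raise ValueError("single entry larger than the whole buffer")
        # Once the buffer is full, drop the oldest entries until the new one fits.
        while self.entries and self.used + size > self.setting.max_size:
            oldest = self.entries.popleft()
            self.used -= len(oldest.encode("utf-8"))
            self.overwritten += 1
        self.entries.append(line)
        self.used += size
        self._check_thresholds()

    def _check_thresholds(self):
        """Fire each warning once, the first time its fill level is reached."""
        pct = self.percent_full()
        fired = {name for name, _ in self.warnings}
        for name, level in (("first", self.setting.first),
                            ("second", self.setting.second),
                            ("final", self.setting.final)):
            if pct >= level and name not in fired:
                self.warnings.append((name, pct))

    def restart(self):
        """All log entries are deleted when the system restarts."""
        self.entries.clear()
        self.used = 0
        self.warnings = []
        self.overwritten = 0


def simulate(setting, n_lines, line_len):
    """Write n_lines constructed log lines of line_len bytes and return the buffer."""
    buf = MemoryLogBuffer(setting)
    for i in range(n_lines):
        # Constructed log line, padded to a fixed byte length (ASCII only).
        buf.write(f"date=2020-01-01 logid={i:06d} msg=".ljust(line_len, "x"))
    return buf


if __name__ == "__main__":
    # Same threshold values as the example above, with a smaller (constructed) buffer.
    cfg = MemoryLogSetting(first=25, second=45, final=45, max_size=1000)
    result = simulate(cfg, 15, 100)
    print("warnings:", result.warnings)
    print("held:", len(result.entries), "overwritten:", result.overwritten)
```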

config log memory setting

Use this command to configure log settings for logging to the system memory.


The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in
the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the
system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.

Syntax
config log memory setting
    set status {disable | enable}
    set diskfull overwrite
end

Variable Description Default

status {disable | enable}
    Enter enable to enable logging to system memory.
    Default: disable

diskfull overwrite
    Overwrite the oldest log when the log device is full.
    Default: No default

Example

This example shows how to configure log settings:

config log memory setting
    set status enable
    set diskfull overwrite
end

config log {syslogd | syslogd2 | syslogd3} filter

Use this command to configure log filter options. Log filters define the types of log messages sent to each log location.

Syntax
config log {syslogd | syslogd2 | syslogd3} filter
    set severity {alert | critical | debug | emergency | error | information | notification | warning}
end

Variable Description Default

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The system logs all messages at and above the logging severity level you select. For example, if you select error, the system logs error, critical, alert and emergency level messages.
    - emergency: The system is unusable.
    - alert: Immediate action is required.
    - critical: Functionality is affected.
    - error: An erroneous condition exists and functionality is probably affected.
    - warning: Functionality might be affected.
    - notification: Information about normal events.
    - information: General information about system operations.
    - debug: Information used for diagnosing or debugging the system.
    Default: information

status {enable | disable}
    Enable or disable remote syslog logging.
    Default: disable

Example

This example shows how to configure log filter options:

config log syslogd filter
    set severity information
end

config log {syslogd | syslogd2 | syslogd3} setting

Use this command to configure log settings for logging to the system memory.
The system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in
the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the
system begins to overwrite the oldest messages. All log entries are deleted when the system restarts.

Syntax
config log {syslogd | syslogd2 | syslogd3} setting
    set status {disable | enable}
    set enc-algorithm {disable | high | high-medium | low}
    set certificate <certificate_name>
    set server <server_name>
    set mode {legacy-reliable | reliable | udp}
    set port <port_number>
    set csv {enable | disable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel |
        local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail |
        news | ntp | syslog | user | uucp}
    set source-ip <IPv4_address>
end

Variable Description Default

status {disable | enable}
    Enter enable to start logging to system memory.
    Default: disable

enc-algorithm {disable | high | high-medium | low}
    Set to high, high-medium, or low to specify which encryption algorithm SSL communication uses for reliable syslog. Set to disable if you do not want to use reliable syslog.
    Default: disable

certificate <certificate_name>
    Specify the certificate to use to communicate with the syslog server.
    Default: No default

server <server_name>
    This field is available when status is set to enable. Enter the address of the remote syslog server.
    Default: No default

mode {legacy-reliable | reliable | udp}
    Set to legacy-reliable to use RFC 3195 for reliable syslog. Set to reliable to use RFC 6587 for reliable syslog. Set to udp to use syslog over UDP.
    This field is available when status is set to enable. This field was previously named reliable.
    Default: udp

port <port_number>
    Set the port number that the server listens to. If the mode is set to reliable, the default port is 514. If the mode is set to legacy-reliable, the default port is 601. If the mode is set to udp, the default port is 6514.
    This field is available when status is set to enable.
    Default: 514

csv {enable | disable}
    Enable or disable comma-separated values.
    This field is available when status is set to enable.
    Default: disable

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    This field is available when status is set to enable. Select the facility for remote syslog:
    - alert: Use the log alert.
    - audit: Use the log audit.
    - auth: Use the security/authorization messages.
    - authpriv: Use the private security/authorization messages.
    - clock: Use the clock daemon.
    - cron: Use the clock daemon.
    - daemon: Use the system daemon.
    - ftp: Use the FTP daemon.
    - kernel: Use kernel messages.
    - local0: Reserved for local use.
    - local1: Reserved for local use.
    - local2: Reserved for local use.
    - local3: Reserved for local use.
    - local4: Reserved for local use.
    - local5: Reserved for local use.
    - local6: Reserved for local use.
    - local7: Reserved for local use.
    - lpr: Use the line printer subsystem.
    - mail: Use the mail system.
    - news: Use the network news subsystem.
    - ntp: Use the NTP system.
    - syslog: Use messages generated internally by the syslog daemon.
    - user: Use random user-level messages.
    - uucp: Use the network news subsystem.
    Default: local7

source-ip <IPv4_address>
    This field is available when status is set to enable. Enter the source IPv4 address of the syslog.
    Default: 0.0.0.0

Example

This example shows how to configure log settings:

config log syslogd setting
    set status enable
    set server "1.2.3.4"
    set port 5
end
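The severity rule of config log syslogd filter and the facility choice of config log syslogd setting, as an added example that is not FortiSwitchOS code: it applies the documented rule (everything at and above the selected severity is logged) to constructed events and computes the PRI value a remote collector sees in the syslog header, using the RFC 5424 facility and severity codes. The sample events, host name and timestamp are constructed.

```python
import re

# Severity keywords accepted by 'set severity', with their RFC 5424 codes.
# A lower code is more urgent, so "at and above" a level means code <= that level.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

# Facility keywords accepted by 'set facility', with their RFC 5424 codes.
FACILITY = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY_NAME = {code: name for name, code in SEVERITY.items()}
FACILITY_NAME = {code: name for name, code in FACILITY.items()}


def passes_filter(event_severity, configured="information"):
    """True if an event is logged under 'set severity <configured>'.

    As the reference states for 'error': error, critical, alert and
    emergency pass, warning and below do not.
    """
    return SEVERITY[event_severity] <= SEVERITY[configured]


def syslog_pri(facility="local7", severity="information"):
    """PRI value carried in the message header: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_message(facility, severity, host, text, timestamp="2020-01-01T00:00:00Z"):
    """Build an RFC 5424 line (constructed timestamp, no structured data)."""
    return f"<{syslog_pri(facility, severity)}>1 {timestamp} {host} FortiSwitch - - - {text}"


def parse_pri(message):
    """Recover the (facility, severity) keywords from a received syslog line."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        raise ValueError("message has no PRI header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    fac, sev = divmod(pri, 8)
    return FACILITY_NAME[fac], SEVERITY_NAME[sev]


def filter_events(events, configured, facility="local7", host="switch1"):
    """Return the lines a collector would receive for a given 'set severity'."""
    return [format_message(facility, sev, host, text)
            for sev, text in events if passes_filter(sev, configured)]


# Constructed sample events: (severity, message text).
SAMPLE_EVENTS = [
    ("information", "admin login from 192.0.2.10 succeeded"),
    ("warning", "port1 link down"),
    ("error", "configuration save failed"),
    ("critical", "temperature above threshold"),
    ("debug", "bgp keepalive sent"),
]


if __name__ == "__main__":
    for level in ("information", "error"):
        print(f"--- set severity {level}")
        for line in filter_events(SAMPLE_EVENTS, level):
            print(line, parse_pri(line))
```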

config router

Use the config router commands to configure options related to routing protocols and packet forwarding:
- config router access-list on page 25
- config router access-list6 on page 27
- config router aspath-list on page 28
- config router bgp on page 28
- config router community-list on page 42
- config router isis on page 43
- config router key-chain on page 49
- config router multicast on page 51
- config router multicast-flow on page 52
- config router ospf on page 52
- config router ospf6 on page 59
- config router prefix-list on page 62
- config router prefix-list6 on page 63
- config router rip on page 64
- config router ripng on page 67
- config router route-map on page 70
- config router setting on page 73
- config router static on page 74
- config router static6 on page 75
- config router vrf on page 77

config router access-list

Use this command to configure an IPv4 access list. An access list is a list of IP addresses and the action to take for each
one. Access lists provide basic route and network filtering.


Syntax
config router access-list
    edit <list_str>
        set comments <comment_str>
        config rule
            edit <rule_int>
                set action {deny | permit}
                set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
                set wildcard <IP_address>
                set exact-match {enable | disable}
        end
end

Variable Description Default

<list_str>
    Enter the name of the access list.
    - If the name is a number in the range of 1-99, you can define Cisco-style wildcard filter criteria with the set wildcard <ip> command.
    - If the name has at least one alphabetic character, you can set the prefix to define regular filter criteria using the set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any} command.
    Default: No default

comments <comment_str>
    Enter a descriptive comment.
    Default: No default

config rule
    Configure the access-list rule.

<rule_int>
    The rule identifier.
    Default: No default

action {deny | permit}
    Set whether the rule allows or denies the IPv4 address.
    Default: permit

prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
    Set the prefix to define regular filter criteria, such as any or subnets.
    NOTE: The access list name must contain at least one alphabetic character.
    Default: any

wildcard <IP_address>
    Define Cisco-style wildcard filter criteria.
    NOTE: The access list name must be a digit in the range of 1-99. Strings are not supported.
    Default: No default

exact-match {enable | disable}
    Set whether the rule looks for an exact match with the value in the prefix field.
    Default: disable

Example

This example shows how to configure an access list:

config router access-list
    edit mylist
        set comments "access list for RIP 1"
        config rule
            edit 1
                set action permit
                set prefix xxx.xx.xx.xx xxx.xxx.xxx.x
        end
end

config router access-list6

Use this command to configure an IPv6 access list. An access list is a list of IP addresses and the action to take for each
one. Access lists provide basic route and network filtering.

Syntax
config router access-list6
    edit <name_of_IPv6_access_list>
        set comments <string>
        config rule
            edit <rule_ID>
                set action {deny | permit}
                set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
                set exact-match {enable | disable}
            next
        end
end

Variable Description Default

<name_of_IPv6_access_list>
    Enter the name of the IPv6 access list.
    Default: No default

comments <string>
    Enter a descriptive comment.
    Default: No default

config rule
    Configure the IPv6 access-list rule.

<rule_ID>
    The rule identifier.
    Default: No default

action {deny | permit}
    Set whether the rule allows or denies the IPv6 address.
    Default: permit

prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
    Set the IPv6 prefix to define regular filter criteria, such as any or X:X::X:X/M.
    Default: any

exact-match {enable | disable}
    Set whether the rule looks for an exact match with the value in the prefix field.
    Default: disable

Example

This example shows how to configure an IPv6 access list:

config router access-list6
    edit accesslist1
        set comments "IPv6 access list"
        config rule
            edit 1
                set action permit
                set prefix6 fe80::a5b:eff:fef1:95e5
                set exact-match disable
            next
        end
end
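Rule evaluation for the IPv4 and IPv6 access lists above, as an added example (not FortiSwitchOS code). It encodes the documented naming rule (a name in the range 1-99 selects Cisco-style wildcard rules, a name containing a letter selects prefix rules) and the exact-match flag; the remaining semantics are assumptions, stated in the comments: a non-exact prefix rule matches any route inside the prefix, the first matching rule decides, and a route matching no rule is denied. The lists and routes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    prefix: str = "any"               # "A.B.C.D M.M.M.M", "X:X::X:X/M" or "any"
    wildcard: Optional[str] = None    # Cisco-style wildcard mask (numeric lists only)
    exact_match: bool = False


def _parse_prefix(text):
    """Accept the forms used above: 'A.B.C.D M.M.M.M' (address + netmask) or 'X::/M'."""
    parts = text.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_network(text, strict=False)


@dataclass
class AccessList:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        # Naming rule from the reference: 1-99 selects wildcard rules,
        # a name with a letter selects prefix rules.
        if self.name.isdigit():
            if not 1 <= int(self.name) <= 99:
                raise ValueError("numeric access-list names must be 1-99")
            self.style = "wildcard"
        elif any(c.isalpha() for c in self.name):
            self.style = "prefix"
        else:
            raise ValueError("name must be 1-99 or contain a letter")

    def add(self, rule):
        if self.style == "prefix" and rule.wildcard is not None:
            raise ValueError("'set wildcard' needs a numeric list name")
        if self.style == "wildcard" and rule.wildcard is None and rule.prefix != "any":
            raise ValueError("numeric lists use 'set wildcard', not a prefix")
        self.rules.append(rule)

    def evaluate(self, route):
        """Return 'permit' or 'deny' for a route given as 'addr/len'; first match wins."""
        net = ipaddress.ip_network(route, strict=False)
        for rule in self.rules:
            if self._matches(rule, net):
                return rule.action
        return "deny"   # assumption: implicit deny when nothing matches

    def _matches(self, rule, net):
        if rule.wildcard is not None:
            return self._wildcard_match(rule, net)
        if rule.prefix == "any":
            return True
        rule_net = _parse_prefix(rule.prefix)
        if rule_net.version != net.version:
            return False
        if rule.exact_match:
            return rule_net == net              # same address and same length
        return net.subnet_of(rule_net)          # assumption: any route inside the prefix

    @staticmethod
    def _wildcard_match(rule, net):
        if net.version != 4:
            return False
        base = int(ipaddress.IPv4Address(rule.prefix.split()[0]))
        wild = int(ipaddress.IPv4Address(rule.wildcard))
        # Cisco-style wildcard: 0 bits must match, 1 bits are don't-care.
        return ((int(net.network_address) ^ base) & ~wild & 0xFFFFFFFF) == 0


def build_examples():
    """Three constructed lists in the shape of the CLI examples above."""
    mylist = AccessList("mylist")                      # prefix-style (name has letters)
    mylist.add(Rule("deny", "10.1.2.0 255.255.255.0", exact_match=True))
    mylist.add(Rule("permit", "10.1.0.0 255.255.0.0"))
    acl99 = AccessList("99")                           # wildcard-style (numeric name)
    acl99.add(Rule("permit", "192.0.2.0", wildcard="0.0.0.255"))
    acl6 = AccessList("accesslist1")                   # IPv6 prefix-style
    acl6.add(Rule("permit", "2001:db8::/32"))
    return mylist, acl99, acl6


if __name__ == "__main__":
    mylist, acl99, acl6 = build_examples()
    for acl, route in ((mylist, "10.1.2.0/24"), (mylist, "10.1.2.128/25"),
                       (acl99, "192.0.2.77/32"), (acl6, "2001:db8:1::/48")):
        print(acl.name, route, "->", acl.evaluate(route))
```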


config router aspath-list

Use this command to set or unset Border Gateway Protocol (BGP) AS-path list parameters. By default, BGP uses an
ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list
of these AS numbers is called the AS path. You can filter BGP routes using AS path lists.
Use the config router aspath-list command to define an access list that examines the AS_PATH attributes
of BGP routes to match routes. Each entry in the list defines a rule for matching and selecting routes based on the
setting of the AS_PATH attribute.

Syntax
config router aspath-list
    edit <AS_path_list_name>
        config rule
            edit <rule_identifier>
                set action {deny | permit}
                set regexp <string>
        end
end

Variable Description Default

<AS_path_list_name>
    Enter the name of the AS path list.
    Default: No default

config rule
    Configure the AS path list rule.

<rule_identifier>
    Enter a rule identifier.
    Default: No default

action {deny | permit}
    Set whether to permit or deny route-based operations, based on the route's AS_PATH attribute.
    Default: No default

regexp <string>
    Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Enclose a complex regular expression value within double-quotation marks.
    Default: No default

config router bgp

Use this command to configure Border Gateway Protocol version-4 (BGP-4) routing parameters. BGP can be used to
perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains
using an alternative route if a link between a FortiSwitch unit and a BGP peer (such as an ISP router) fails.
The following RFCs are supported:
- RFC1771: A Border Gateway Protocol 4 (BGP-4)
- RFC1965: Autonomous System Confederations for BGP
- RFC1997: BGP Communities Attribute
- RFC2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
- RFC2796: BGP Route Reflection, an alternative to full mesh IBGP
- RFC2858: Multiprotocol Extensions for BGP-4
- RFC2842: Capabilities Advertisement with BGP-4
- RFC2439: BGP Route Flap Damping


Syntax
config router bgp
    set as <MANDATORY_router_AS_number>
    set router-id <MANDATORY_IP_address>
    set keepalive-timer <0-65535>
    set holdtime-timer <0, 3-65535>
    set always-compare-med {disable | enable}
    set bestpath-as-path-ignore {disable | enable}
    set bestpath-cmp-confed-aspath {disable | enable}
    set bestpath-cmp-routerid {disable | enable}
    set bestpath-med-confed {disable | enable}
    set bestpath-med-missing-as-worst {disable | enable}
    set client-to-client-reflection {disable | enable}
    set dampening {disable | enable}
    set dampening-reachability-half-life <1-45>
    set dampening-reuse <1-20000>
    set dampening-suppress <1-20000>
    set dampening-max-suppress-time <1-255>
    set deterministic-med {disable | enable}
    set enforce-first-as {disable | enable}
    set fast-external-failover {disable | enable}
    set log-neighbour-changes {disable | enable}
    set cluster-id <IP_address>
    set confederation-identifier <1-4294967295>
    set default-local-preference <0-4294967295>
    set scan-time <5-60>
    set maximum-paths-ebgp <1-64>
    set bestpath-aspath-multipath-relax {disable | enable}
    set maximum-paths-ibgp <1-64>
    set distance-external <1-255>
    set distance-internal <1-255>
    set distance-local <1-255>
    set graceful-stalepath-time <1-3600>
    config admin-distance
        edit <identifier>
            set distance <1-255>
            set neighbour-prefix <IP_address_netmask>
            set route-list <string>
    end
    config aggregate-address
        edit <identifier>
            set as-set {disable | enable}
            set prefix <IPv4_address_netmask>
            set summary-only {disable | enable}
    end
    config aggregate-address6
        edit <identifier>
            set as-set {disable | enable}
            set prefix <IPv6_address_netmask>
            set summary-only {disable | enable}
    end
    config neighbor
        edit "<IPv4_IPv6_address>"
            set advertisement-interval <0-600>
            set allowas-in-enable {disable | enable}
            set allowas-in <1-10>
            set allowas-in-enable6 {disable | enable}
            set allowas-in6 <1-10>
            set attribute-unchanged {as-path | MED | next-hop}
            set attribute-unchanged6 {as-path | MED | next-hop}
            set activate {disable | enable}
            set activate6 {disable | enable}
            set bfd {disable | enable}
            set capability-dynamic {disable | enable}
            set capability-orf {both | none | receive | send}
            set capability-orf6 {both | none | receive | send}
            set capability-default-originate {disable | enable}
            set capability-default-originate6 {disable | enable}
            set dont-capability-negotiate {disable | enable}
            set ebgp-enforce-multihop {disable | enable}
            set ebgp-multihop-ttl <1-255>
            set ebgp-ttl-security-hops <1-254>
            set next-hop-self {disable | enable}
            set next-hop-self6 {disable | enable}
            set override-capability {disable | enable}
            set passive {disable | enable}
            set remove-private-as {disable | enable}
            set remove-private-as6 {disable | enable}
            set route-reflector-client {disable | enable}
            set route-reflector-client6 {disable | enable}
            set route-server-client {disable | enable}
            set route-server-client6 {disable | enable}
            set shutdown {disable | enable}
            set soft-reconfiguration {disable | enable}
            set soft-reconfiguration6 {disable | enable}
            set as-override {disable | enable}
            set as-override6 {disable | enable}
            set strict-capability-match {disable | enable}
            set description <string>
            set distribute-list-in <string>
            set distribute-list-in6 <string>
            set distribute-list-out <string>
            set distribute-list-out6 <string>
            set filter-list-in <string>
            set filter-list-in6 <string>
            set filter-list-out <string>
            set filter-list-out6 <string>
            set interface <interface_name>
            set maximum-prefix <1-4294967295>
            set maximum-prefix6 <1-4294967295>
            set prefix-list-in <string>
            set prefix-list-in6 <string>
            set prefix-list-out <string>
            set prefix-list-out6 <string>
            set remote-as <MANDATORY_1-4294967295>
            set route-map-in <string>
            set route-map-in6 <string>
            set route-map-out <string>
            set route-map-out6 <string>
            set send-community {both | disable | extended | standard}
            set send-community6 {both | disable | extended | standard}
            set keep-alive-timer <0-65535>
            set holdtime-timer <0, 3-65535>
            set connect-timer <0-65535>
            set unsuppress-map <string>
            set unsuppress-map6 <string>
            set update-source {interface_name}
            set weight <0-65535>
    end
    config network
        edit <identifier>
            set backdoor {disable | enable}
            set prefix <IPv4_address_netmask>
            set route-map <string>
    end
    config network6
        edit <identifier>
            set backdoor {disable | enable}
            set prefix6 <IPv6_address_netmask>
            set route-map <string>
    end
    config redistribute {connected | isis | ospf | rip | static}
        set status {disable | enable}
        set route-map <string>
    end
    config redistribute6 {connected | isis | ospf | rip | static}
        set status {disable | enable}
        set route-map <string>
    end
end
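The dampening parameters in the syntax above, as an added example that follows RFC 2439 (which this command cites) rather than FortiSwitchOS's own implementation: a small penalty model driven by dampening-reachability-half-life, dampening-reuse, dampening-suppress and dampening-max-suppress-time with the table's defaults. Times are in minutes, the 1000-point penalty per flap is an assumption, and can_suppress flags a configuration whose penalty ceiling can never reach the suppress limit.

```python
import math


class DampeningConfig:
    """The four 'set dampening-*' values: times in minutes, limits in penalty points."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress_time=60):
        if not 1 <= half_life <= 45:
            raise ValueError("dampening-reachability-half-life must be 1-45")
        if not 1 <= reuse <= 20000 or not 1 <= suppress <= 20000:
            raise ValueError("dampening-reuse and dampening-suppress must be 1-20000")
        if not 1 <= max_suppress_time <= 255:
            raise ValueError("dampening-max-suppress-time must be 1-255")
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress_time = max_suppress_time


def decay(penalty, minutes, half_life):
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 0.5 ** (minutes / half_life)


def max_penalty(cfg):
    """Penalty ceiling: the value that takes exactly max-suppress-time to decay to reuse."""
    return cfg.reuse * 2 ** (cfg.max_suppress_time / cfg.half_life)


def can_suppress(cfg):
    """False means the ceiling never reaches the suppress limit, so dampening is a no-op."""
    return max_penalty(cfg) >= cfg.suppress


def minutes_until_reuse(penalty, cfg):
    """Time for a penalty to decay below the reuse limit, capped at max-suppress-time."""
    if penalty <= cfg.reuse:
        return 0.0
    return min(cfg.half_life * math.log2(penalty / cfg.reuse), float(cfg.max_suppress_time))


class DampenedRoute:
    """Penalty state for one prefix; times are minutes from an arbitrary origin."""

    def __init__(self, cfg, flap_penalty=1000):
        self.cfg = cfg
        self.flap_penalty = flap_penalty     # assumption: 1000 points per flap
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.suppressed_since = None

    def _decay_to(self, now):
        self.penalty = decay(self.penalty, now - self.last_update, self.cfg.half_life)
        self.last_update = now

    def flap(self, now):
        """Record a flap at time now; returns True if the route is suppressed afterwards."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.flap_penalty, max_penalty(self.cfg))
        if not self.suppressed and self.penalty > self.cfg.suppress:
            self.suppressed = True
            self.suppressed_since = now
        return self.suppressed

    def advertised(self, now):
        """True if the route is advertised at time now (reuse limit or time cap reached)."""
        self._decay_to(now)
        if self.suppressed and (self.penalty < self.cfg.reuse or
                                now - self.suppressed_since >= self.cfg.max_suppress_time):
            self.suppressed = False
            self.suppressed_since = None
        return not self.suppressed


if __name__ == "__main__":
    cfg = DampeningConfig()            # the table's defaults
    route = DampenedRoute(cfg)
    for t in (0, 1, 2):
        suppressed = route.flap(t)
        print(f"flap at t={t}: penalty={route.penalty:.0f} suppressed={suppressed}")
    print(f"reuse expected in {minutes_until_reuse(route.penalty, cfg):.1f} min")
    for t in (10, 30, 33):
        print(f"t={t}: advertised={route.advertised(t)} penalty={route.penalty:.0f}")
```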

Variable Description Default

as <MANDATORY_router_AS_number>
    Mandatory. Enter an integer to specify the local autonomous system (AS) number of the FortiSwitch unit. The range is from 1 to 4 294 967 295. A value of 0 disables BGP (disabled by default).
    Default: 0

router-id <MANDATORY_IP_address>
    Mandatory. Specify a fixed identifier for the FortiSwitch unit. A value of 0.0.0.0 is not allowed.
    Default: 0.0.0.0

keepalive-timer <0-65535>
    How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.
    Default: 60

holdtime-timer <0, 3-65535>
    How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster.
    Default: 180

always-compare-med {disable | enable}
    Always compare Multi-Exit Discriminator (MED).
    Default: disable

bestpath-as-path-ignore {disable | enable}
    AS_PATH is the BGP attribute that keeps track of each AS that a route advertisement has passed through; it helps prevent routing loops. Enable this option if you want BGP to not use the best AS path. Disable this option if you want BGP to use the best AS path.
    Default: disable

bestpath-cmp-confed-aspath {disable | enable}
    Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiSwitch unit through autonomous systems within the local confederation.
    Default: disable

bestpath-cmp-routerid {disable | enable}
    Compare router ID for identical external BGP (EBGP) paths.
    Default: disable

bestpath-med-confed {disable | enable}
    Compare MED among confederation paths.
    Default: disable

bestpath-med-missing-as-worst {disable | enable}
    Enable or disable (by default) treating any confederation path with a missing MED metric as the least preferred path.
    Default: disable

client-to-client-reflection {disable | enable}
    Enable (by default) or disable client-to-client route reflection between internal BGP (IBGP) peers.
    Default: enable

dampening {disable | enable}
    Enable or disable (by default) route-flap dampening on all BGP routes. A flapping route is unstable and continually transitions down and up (see RFC 2439).
    Default: disable

dampening-reachability-half-life <1-45>
    If you enable dampening, set the maximum time that a route can be suppressed (in minutes). A route can continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than the maximum time.
    Default: 15

dampening-reuse <1-20000>
    If you enable dampening, set a dampening reuse limit based on the number of accumulated penalties. If the penalty assigned to a flapping route decreases enough to fall below the specified limit, the route is not suppressed.
    Default: 750

dampening-suppress <1-20000>
    If you enable dampening, set a dampening-suppression limit based on the number of accumulated penalties. A route is suppressed (not advertised) when its penalty exceeds the specified limit.
    Default: 2000

dampening-max-suppress-time <1-255>
    If you enable dampening, set the maximum time that a route can be suppressed. A route can continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than the maximum time.
    Default: 60

deterministic-med {disable | enable}
    Enforce deterministic comparison of MED.
    Default: disable

enforce-first-as {disable | enable}
    Enforce first AS for EBGP routes.
    Default: disable

fast-external-failover {disable | enable}
    Reset peer BGP session if link goes down.
    Default: enable

log-neighbour-changes {disable | enable}
    Enable or disable logging of BGP neighbor's changes.
    Default: enable

cluster-id <IP_address>
    Route reflector cluster ID.
    Default: 0.0.0.0

confederation-identifier <1-4294967295>
    Confederation identifier.
    Default: 0

default-local-preference <0-4294967295>
    Default local preference.
    Default: 100

scan-time <5-60>
    Background scanner interval (seconds).
    Default: 60

maximum-paths-ebgp <1-64>
    Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the External Border Gateway Protocol (EBGP).
    Default: 1

bestpath-aspath-multipath-relax {disable | enable}
    Enable or disable load sharing across routes that are the same length but have different autonomous system (AS) paths.
    Default: disable

maximum-paths-ibgp <1-64>
    Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the Internal Border Gateway Protocol (IBGP).
    Default: 1

distance-external <1-255>
    Distance for routes external to the AS.
    Default: 20

distance-internal <1-255>
    Distance for routes internal to the AS.
    Default: 200

distance-local <1-255>
    Distance for routes local to the AS.
    Default: 200

graceful-stalepath-time <1-3600>
    Time to hold stale paths of restarting neighbor (sec).
    Default: 360

config admin-distance
    Configure administrative distance modifications.

<identifier>
    Enter an identifier to set administrative distance modifications for BGP routes.
    Default: No default

distance <1-255>
    Set the administrative distance to apply.
    Default: 0

neighbour-prefix <IP_address_netmask>
    Neighbor address prefix. Enter the class IP address and netmask with correction.
    Default: 0.0.0.0 0.0.0.0

route-list <string>
    The access list of routes this distance will be applied to.
    Default: No default

config aggregate-address
    Configure the table of BGP IPv4 aggregate addresses.

<identifier>
    Enter a BGP aggregate entry in the routing table. When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.
    Default: No default

as-set {disable | enable}
    Enable or disable the generation of an unordered list of AS numbers to include in the path information.
    Default: disable

prefix <IPv4_address_netmask>
    Aggregate IPv4 prefix. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: No default

summary-only {disable | enable}
    Enable or disable filtering more specific routes from updates.
    Default: disable

config aggregate-address6
    Configure the table of BGP IPv6 aggregate addresses.

<identifier>
    Enter a BGP aggregate entry in the routing table. When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.
    Default: No default

as-set {disable | enable}
    Enable or disable the generation of an unordered list of AS numbers to include in the path information.
    Default: disable

prefix6 <IPv6_address_netmask>
    Aggregate IPv6 prefix.
    Default: No default

summary-only {disable | enable}
    Enable or disable filtering more specific routes from updates.
    Default: disable

config neighbor
    Configure the BGP neighbor table.

<IPv4_IPv6_address>
    Enter the IPv4 or IPv6 address of the BGP neighbor.
    Default: No default

advertisement-interval <0-600>
    Set the minimum amount of time (in seconds) that the FortiSwitch unit waits before sending a BGP routing update to the BGP neighbor.
    Default: 30

allowas-in-enable {disable | enable}
    Enable to allow my AS-in-AS path (for IPv4).
    Default: disable

allowas-in <1-10>
    If you enable allowas-in-enable, set the maximum number of occurrences of my AS numbers allowed (for IPv4).
    Default: No default

allowas-in-enable6 {disable | enable}
    Enable to allow my AS-in-AS path (for IPv6).
    Default: disable

allowas-in6 <1-10>
    If you enable allowas-in-enable6, set the maximum number of occurrences of my AS numbers allowed (for IPv6).
    Default: No default

attribute-unchanged {as-path | MED | next-hop}
    Propagate unchanged BGP attributes to the BGP neighbor using one of the following methods (for IPv4):
    - To advertise unchanged next-hop attributes, select as-path.
    - To advertise unchanged MULTI_EXIT_DISC attributes, select med.
    - To keep the next-hop attribute as is, select next-hop.
    - An empty set (default) is a supported value.
    Default: No default

attribute-unchanged6 {as-path | MED | next-hop}
    Propagate unchanged BGP attributes to the BGP neighbor using one of the following methods (for IPv6):
    - To advertise unchanged next-hop attributes, select as-path.
    - To advertise unchanged MULTI_EXIT_DISC attributes, select med.
    - To keep the next-hop attribute as is, select next-hop.
    - An empty set (default) is a supported value.
    Default: No default

activate {disable | enable}
    Enable address family IPv4 for this neighbor.
    Default: enable

activate6 {disable | enable}
    Enable address family IPv6 for this neighbor.
    Default: enable

bfd {disable | enable}
    Enable BFD for this neighbor.
    Default: disable

capability-dynamic {disable | enable}
    Advertise dynamic capability to this neighbor.
    Default: disable

capability-orf {both | none | receive | send}
    Enable advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor using one of the following methods (for IPv4):
    - none: disable the advertising of ORF prefix-list capability.
    - receive: enable receive capability.
    - send: enable send capability.
    - both: enable send and receive capability.
    Default: none

capability-orf6 {both | none | receive | send}
    Enable advertising of ORF prefix-list capability to the BGP neighbor using one of the following methods (for IPv6):
    - none: disable the advertising of ORF prefix-list capability.
    - receive: enable receive capability.
    - send: enable send capability.
    - both: enable send and receive capability.
    Default: none

capability-default-originate {disable | enable}
    Advertise the default IPv4 route to this neighbor.
    Default: disable

capability-default-originate6 {disable | enable}
    Advertise the default IPv6 route to this neighbor.
    Default: disable

dont-capability-negotiate {disable | enable}
    Do not negotiate capabilities with this neighbor.
    Default: disable

ebgp-enforce-multihop {disable | enable}
    Enable or disable the allowance of multi-hop EBGP neighbors.
    Default: disable

ebgp-multihop-ttl <1-255>
    If you enable ebgp-enforce-multihop, define a TTL value for BGP packets sent to the BGP neighbor.
    Default: 255

ebgp-ttl-security-hops <1-254>
    If you enable ebgp-enforce-multihop, specify the maximum number of hops to the EBGP peer.
    Default: 0

next-hop-self {disable | enable}
    Enable or disable IPv4 next-hop calculation for this neighbor.
    Default: disable

next-hop-self6 {disable | enable}
    Enable or disable IPv6 next-hop calculation for this neighbor.
    Default: disable

override-capability {disable | enable}
    Enable or disable the overriding of the result of the capability negotiation.
    Default: disable

passive {disable | enable}
    Enable or disable sending of open messages to this neighbor.
    Default: disable

remove-private-as {disable | enable}
    Enable or disable the removal of the private AS number from the IPv4 outbound updates.
    Default: disable

remove-private-as6 {disable | enable}
    Enable or disable the removal of the private AS number from the IPv6 outbound updates.
    Default: disable

route-reflector-client {disable | enable}
    Enable or disable the IPv4 AS route reflector client.
    Default: disable

route-reflector-client6 {disable | enable}
    Enable or disable the IPv6 AS route reflector client.
    Default: disable

route-server-client {disable | enable}
    Enable or disable the IPv4 AS route server client.
    Default: disable

route-server-client6 {disable | enable}
    Enable or disable the IPv6 AS route server client.
    Default: disable

shutdown {disable | enable}
    Enable or disable the shutting down of this neighbor.
    Default: disable

soft-reconfiguration {disable | enable}
    Enable or disable the allowance of IPv4 inbound soft reconfiguration.
    Default: disable

soft-reconfiguration6 {disable | enable}
    Enable or disable the allowance of IPv6 inbound soft reconfiguration.
    Default: disable

as-override {disable | enable}
    Enable or disable the replacement of the peer AS with own AS for IPv4.
    Default: disable

as-override6 {disable | enable}
    Enable or disable the replacement of the peer AS with own AS for IPv6.
    Default: disable

strict-capability-match {disable | enable}
    Enable or disable strict capability matching.
    Default: disable

description <string>
    Enter a description of this neighbor.
    Default: No default

distribute-list-in <string>
    Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list on page 25.
    Default: No default

distribute-list-in6 <string>
    Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6 on page 27.
    Default: No default

distribute-list-out <string>
    Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list on page 25.
    Default: No default


distribute-list-out6 <string>
    Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6 on page 27.
    Default: No default

filter-list-in <string>
    BGP AS path filter for IPv4 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list on page 28.
    Default: No default

filter-list-in6 <string>
    BGP AS path filter for IPv6 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list on page 28.
    Default: No default

filter-list-out <string>
    BGP AS path filter for IPv4 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list on page 28.
    Default: No default

filter-list-out6 <string>
    BGP AS path filter for IPv6 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list on page 28.
    Default: No default

interface <interface_name>
    Set the interface.
    Default: No default

maximum-prefix <1-4294967295>
    Enter the maximum number of IPv4 prefixes to accept from this peer.
    Default: unset

maximum-prefix6 <1-4294967295>
    Enter the maximum number of IPv6 prefixes to accept from this peer.
    Default: unset

prefix-list-in <string>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list on page 62.
    Default: No default

prefix-list-in6 <string>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6 on page 63.
    Default: No default


prefix-list-out <string>
    Limit route updates to a BGP neighbor based on the NLRI in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list on page 62.
    Default: No default

prefix-list-out6 <string>
    Limit route updates to a BGP neighbor based on the NLRI in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6 on page 63.
    Default: No default

remote-as <MANDATORY_1-4294967295>
    Mandatory. Adds a BGP neighbor to the FortiSwitch configuration and sets the AS number of the neighbor. If the number is identical to the AS number of the FortiSwitch unit, the FortiSwitch unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer, and the FortiSwitch unit uses EBGP to communicate with the neighbor.
    Default: 0

route-map-in <string>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv4 route map. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

route-map-in6 <string>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv6 route map. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

route-map-out <string>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv4 route map. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

route-map-out6 <string>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv6 route map. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

send-community {both | disable | extended | standard}
    Enable sending the COMMUNITY attribute to the BGP neighbor using one of the following methods (for IPv4):
    - standard: advertise standard capabilities
    - extended: advertise extended capabilities
    - both: advertise extended and standard capabilities (default)
    - disable: disable the advertising of the COMMUNITY attribute
    Default: both

send-community6 {both | disable | extended | standard}
    Enable sending the COMMUNITY attribute to the BGP neighbor using one of the following methods (for IPv6):
    - standard: advertise standard capabilities
    - extended: advertise extended capabilities
    - both: advertise extended and standard capabilities (default)
    - disable: disable the advertising of the COMMUNITY attribute
    Default: both

keep-alive-timer <0-65535>
    How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.
    Default: No default

holdtime-timer <0, 3-65535>
    How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster.
    Default: No default

connect-timer <0-65535>
    Interval (in seconds) for the connect timer.
    Default: No default

unsuppress-map <string>
    Specify the name of the IPv4 route map to selectively unsuppress suppressed routes. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

unsuppress-map6 <string>
    Specify the name of the IPv6 route map to selectively unsuppress suppressed routes. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

update-source {interface_name}
    Interface to use as the source IP/IPv6 address of TCP connections.
    Default: No default

weight <0-65535>
    Neighbor weight.
    Default: No default

config network
    Configure the BGP IPv4 network table.

<identifier>
    Enter an identifier.
    Default: No default

backdoor {disable | enable}
    Enable route as backdoor.
    Default: disable


prefix <IPv4_address_netmask>
    Set the network IPv4 prefix. Use the class IPv4 address and netmask with correction.
    Default: 0.0.0.0 0.0.0.0

route-map <string>
    Specify the name of the route map. See config router route-map on page 70.
    Default: No default

config network6
    Configure the BGP IPv6 network table.

<identifier>
    Enter an identifier.
    Default: No default

backdoor {disable | enable}
    Enable route as backdoor.
    Default: disable

prefix <IPv6_address_netmask>
    Set the network IPv6 prefix. Use the class IPv6 address and netmask with correction.
    Default: No default

route-map <string>
    Specify the name of the route map. See config router route-map on page 70.
    Default: No default

config redistribute {connected | isis | ospf | rip | static}
    Configure the BGP IPv4 redistribute table.

status {disable | enable}
    You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF IPv4 routes. BGP redistributes the routes from one protocol to another. When a large internetwork is divided into multiple routing domains, use the subcommand to redistribute routes to the various domains.
    Default: disable

route-map <string>
    Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default

config redistribute6 {connected | isis | ospf | rip | static}
    Configure the BGP IPv6 redistribute table.

status {disable | enable}
    You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF IPv6 routes. BGP redistributes the routes from one protocol to another. When a large internetwork is divided into multiple routing domains, use the subcommand to redistribute routes to the various domains.
    Default: disable

route-map <string>
    Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. You must create the route map before it can be selected here. See config router route-map on page 70.
    Default: No default


Example

This example shows how to configure internal BGP routing (the neighbor's remote-as equals the local AS, so the session is IBGP):

config router bgp
    set as 6500
    set router-id 1.2.3.4
    config neighbor
        edit "172.168.111.5"
            set remote-as 6500
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
end

config router community-list

Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute.

Syntax
config router community-list
    edit <community_list_name>
        set type {expanded | standard}
        config rule
            edit <rule_identifier>
                set action {deny | permit}
                set regexp <regular_expression>
                set match <community_number | internet | local-AS | no-advertise | no-export>
        end
end

<community_list_name>
    Enter a name for the community list.
    NOTE: If the community list name is a number in the range of 1-99, the type is set to standard by default. If the community list name is a number greater than 99, the type is set to expanded by default.
    Default: No default

type {expanded | standard}
    Specify the type of community to match.
    NOTE: This field is valid only when the community list name is not numeric.
    Default: standard

config rule
    Configure the community list rule.


<rule_identifier>
    Enter a rule identifier.
    Default: No default

action {deny | permit}
    Permit or deny route-based operations, based on the route's COMMUNITY attribute.
    Default: No default

regexp <regular_expression>
    If you select an expanded community, specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Enclose a complex regular expression value within double-quotation marks.
    Default: No default

match <community_number | internet | local-AS | no-advertise | no-export>
    If you select a standard community, specify the criteria for matching a reserved community:
    - Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
    - To match all routes in the Internet community, type internet.
    - To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not advertised locally.
    - To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised.
    - To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.
    Default: No default
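To see how the standard and expanded rule types above behave against a route's COMMUNITY values, the following Python models the matching logic; it is an added example, not FortiSwitchOS code. It assumes the RFC 1997 values for the well-known communities (65535:65281 for no-export, 65535:65282 for no-advertise, 65535:65283 for local-AS), that internet matches every route, that a standard rule listing several AA:NN values matches only when all of them are present on the route, and that an expanded regexp is applied to the route's communities joined by single spaces. The two sample lists are constructed.

```python
import re

# Well-known communities from RFC 1997 in AA:NN form; local-AS is the CLI's name
# for NO_EXPORT_SUBCONFED.
WELL_KNOWN = {
    "no-export": "65535:65281",     # 0xFFFFFF01
    "no-advertise": "65535:65282",  # 0xFFFFFF02
    "local-AS": "65535:65283",      # 0xFFFFFF03
}


def valid_community(token):
    """True for decimal AA:NN with both halves in 0-65535."""
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", token)
    return bool(m) and int(m.group(1)) <= 65535 and int(m.group(2)) <= 65535


def parse_communities(text):
    """Split a space-delimited list such as "123:234 345:456" into AA:NN strings."""
    tokens = text.split()
    bad = [t for t in tokens if not valid_community(t)]
    if bad:
        raise ValueError("invalid community value(s): %s" % " ".join(bad))
    return tokens


def rule_matches(list_type, rule, route_communities):
    """Apply one rule of a standard or expanded list to a route's COMMUNITY values."""
    if list_type == "expanded":
        # Assumed: the regexp is applied to the route's communities joined by spaces.
        return re.search(rule["regexp"], " ".join(route_communities)) is not None
    crit = rule["match"]
    if crit == "internet":
        return True                      # internet matches every route
    if crit in WELL_KNOWN:
        return WELL_KNOWN[crit] in route_communities
    # Decimal form: assumed AND semantics, every listed value must be on the route.
    return all(c in route_communities for c in parse_communities(crit))


def evaluate(community_list, route_communities):
    """Walk the rules in order; the first matching rule decides.
    Returns "permit", "deny", or None when no rule matched (an implicit deny)."""
    for rule in community_list["rules"]:
        if rule_matches(community_list["type"], rule, route_communities):
            return rule["action"]
    return None


# Constructed sample lists, mirroring two "config router community-list" entries.
CUSTOMER_LIST = {
    "type": "standard",
    "rules": [
        {"action": "deny", "match": "no-export"},     # never pass NO_EXPORT routes on
        {"action": "permit", "match": "65000:100"},   # customer-tagged routes
    ],
}
EXPANDED_LIST = {
    "type": "expanded",
    "rules": [{"action": "permit", "regexp": r"^65000:1[0-9][0-9]$"}],
}
```

A route tagged 65000:100 and also NO_EXPORT is denied by the first rule before the permit is reached, which is the order-sensitivity the rule identifiers above impose.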

config router isis

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO's OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between Autonomous Systems (AS).

Syntax
config router isis
    set auth-keychain-area <string>
    set auth-keychain-domain <string>
    set auth-mode-area {md5 | password}
    set auth-mode-domain {md5 | password}
    set auth-password-area <password>
    set auth-password-domain <password>
    set auth-sendonly-area {enable | disable}
    set auth-sendonly-domain {enable | disable}
    set default-information-level {level-1 | level-1-2 | level-2}
    set default-information-level6 {level-1 | level-1-2 | level-2}
    set default-information-metric <0-4261412864>
    set default-information-metric6 <0-4261412864>
    set default-information-originate {always | disable | enable}
    set default-information-originate6 {always | disable | enable}
    set ignore-attached-bit {disable | enable}
    set is-type {level-1 | level-1-2 | level-2-only}
    set log-neighbour-changes {disable | enable}
    set lsp-gen-interval-l1 <1-120>
    set lsp-gen-interval-l2 <1-120>
    set lsp-refresh-interval <1-65535>
    set max-lsp-lifetime <350-65535>
    set metric-style {narrow | transition | wide}
    set overload-bit {disable | enable}
    set redistribute-l1 {disable | enable}
    set redistribute-l1-list <string>
    set redistribute6-l1 {disable | enable}
    set redistribute6-l1-list <string>
    set router-id <IP_address>
    set spf-interval-exp-l1 <1-120>
    set spf-interval-exp-l2 <1-120>
    config interface
        edit <IS-IS interface name>
            set auth-keychain-hello <string>
            set auth-mode-hello {md5 | password}
            set auth-password-hello <password>
            set bfd {enable | disable}
            set bfd6 {enable | disable}
            set circuit-type {level-1 | level-1-2 | level-2}
            set csnp-interval-l1 <1-65535 seconds>
            set csnp-interval-l2 <1-65535 seconds>
            set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>
            set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>
            set hello-multiplier-l1 <2-100>
            set hello-multiplier-l2 <2-100>
            set hello-padding {disable | enable}
            set metric-l1 <1-63>
            set metric-l2 <1-63>
            set passive {disable | enable}
            set priority-l1 <0-127>
            set priority-l2 <0-127>
            set status {disable | enable}
            set status6 {disable | enable}
            set wide-metric-l1 <1-16777214>
            set wide-metric-l2 <1-16777214>
    end
    config net
        edit <identifier>
            set net <IS-IS net xx.xxxx. ... .xxxx.xx>
    end
    config redistribute {bgp | connected | ospf | rip | static}
        set status {disable | enable}
        set metric <0-4261412864>
        set metric-type {external | internal}
        set level {level-1 | level-1-2 | level-2}
        set routemap <string>
    end
    config redistribute6 {bgp6 | connected | ospf6 | ripng | static}
        set status {disable | enable}
        set metric <0-4261412864>
        set level {level-1 | level-1-2 | level-2}
        set routemap <string>
    end
    config summary-address
        edit <summary address entry identifier>
            set level {level-1 | level-1-2 | level-2}
            set prefix <IPv4 address and netmask>
    end
    config summary-address6
        edit <summary address entry identifier>
            set level {level-1 | level-1-2 | level-2}
            set prefix6 <IPv6 address and netmask>
    end
end

auth-keychain-area <string>
    IS-IS area (level-1) authentication keychain. This command is applicable when the area's authentication mode is md5.
    Default: No default

auth-keychain-domain <string>
    IS-IS domain (level-2) authentication keychain. This command is applicable when the domain's authentication mode is md5.
    Default: No default

auth-mode-area {md5 | password}
    IS-IS area (level-1) authentication mode.
    Default: password

auth-mode-domain {md5 | password}
    IS-IS domain (level-2) authentication mode.
    Default: password

auth-password-area <password>
    IS-IS area (level-1) authentication password. This command is applicable when the area's authentication mode is password.
    Default: No default

auth-password-domain <password>
    IS-IS domain (level-2) authentication password. This command is applicable when the domain's authentication mode is password.
    Default: No default

auth-sendonly-area {enable | disable}
    IS-IS area (level-1) authentication send-only.
    Default: disable

auth-sendonly-domain {enable | disable}
    IS-IS domain (level-2) authentication send-only.
    Default: disable

default-information-level {level-1 | level-1-2 | level-2}
    Distribute the default IPv4 route into the level's link-state packet (LSP).
    Default: level-2

default-information-level6 {level-1 | level-1-2 | level-2}
    Distribute the default IPv6 route into the level's LSP.
    Default: level-2

default-information-metric <0-4261412864>
    Default IPv4 information metric.
    Default: 10

default-information-metric6 <0-4261412864>
    Default IPv6 information metric.
    Default: 10

default-information-originate {always | disable | enable}
    Enable or disable the generation of an IPv4 default route.
    Default: disable

default-information-originate6 {always | disable | enable}
    Enable or disable the generation of an IPv6 default route.
    Default: disable

ignore-attached-bit {disable | enable}
    Ignore the attached bit on incoming level-1 LSPs.
    Default: disable

is-type {level-1 | level-1-2 | level-2-only}
    Set the IS-IS level to use:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-1-2

log-neighbour-changes {disable | enable}
    Enable logging of IS-IS neighbor changes.
    Default: enable

lsp-gen-interval-l1 <1-120>
    Minimum interval for level-1 LSP regeneration.
    Default: 1

lsp-gen-interval-l2 <1-120>
    Minimum interval for level-2 LSP regeneration.
    Default: 1

lsp-refresh-interval <1-65535>
    LSP refresh time in seconds.
    Default: 900

max-lsp-lifetime <350-65535>
    Maximum LSP lifetime in seconds.
    Default: 1200

metric-style {narrow | transition | wide}
    Use old-style (ISO 10589) or new-style packet formats.
    - narrow: Use the old style of TLVs with narrow metric (default)
    - transition: Send and accept both styles of TLVs during the transition
    - wide: Use the new style of TLVs to carry a wider metric
    Default: narrow

overload-bit {disable | enable}
    Signal other routers not to use this bit in shortest-path-first (SPF).
    Default: disable

redistribute-l1 {disable | enable}
    Redistribute level-1 IPv4 routes into level 2.
    Default: enable

redistribute-l1-list <string>
    Access list for redistributing level-1 IPv4 routes to level 2.
    Default: No default

redistribute6-l1 {disable | enable}
    Redistribute level-1 IPv6 routes into level 2.
    Default: enable

redistribute6-l1-list <string>
    Access list for redistributing level-1 IPv6 routes to level 2.
    Default: No default

router-id <IP_address>
    Router identifier.
    Default: 0.0.0.0

spf-interval-exp-l1 <1-120>
    Level-1 SPF minimum calculation delay in seconds.
    Default: 1

spf-interval-exp-l2 <1-120>
    Level-2 SPF minimum calculation delay in seconds.
    Default: 1

config interface
    Configure the IS-IS interface.

<IS-IS interface name>
    Select the IS-IS interface name to configure.
    Default: No default

auth-keychain-hello <string>
    Hello protocol data unit (PDU) authentication keychain. This command is applicable when the hello packet's authentication mode is md5.
    Default: No default

auth-mode-hello {md5 | password}
    Hello PDU authentication mode.
    Default: password

auth-password-hello <password>
    Hello PDU authentication password. This command is applicable when the hello packet's authentication mode is password.
    Default: No default

bfd {enable | disable}
    Enable or disable bidirectional forwarding detection (BFD) for IPv4 traffic.
    Default: disable

bfd6 {enable | disable}
    Enable or disable BFD for IPv6 traffic.
    Default: disable

circuit-type {level-1 | level-1-2 | level-2}
    Set the IS-IS circuit type to use for this interface:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-1-2

csnp-interval-l1 <1-65535>
    Level-1 complete sequence number PDU (CSNP) interval, in number of seconds.
    Default: 10

csnp-interval-l2 <1-65535>
    Level-2 CSNP interval, in number of seconds.
    Default: 10

hello-interval-l1 <1-65535>
    Level-1 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.
    Default: 10

hello-interval-l2 <1-65535>
    Level-2 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.
    Default: 10

hello-multiplier-l1 <2-100>
    Level-1 multiplier for the hello packet holding time.
    Default: 3

hello-multiplier-l2 <2-100>
    Level-2 multiplier for the hello packet holding time.
    Default: 3

hello-padding {disable | enable}
    Enable padding of IS-IS hello packets.
    Default: enable

metric-l1 <1-63>
    Level-1 metric for the interface.
    Default: 10

metric-l2 <1-63>
    Level-2 metric for the interface.
    Default: 10

passive {disable | enable}
    Set this interface as passive.
    Default: disable

priority-l1 <0-127>
    Level-1 priority.
    Default: 64

priority-l2 <0-127>
    Level-2 priority.
    Default: 64

status {disable | enable}
    Enable or disable the interface for IS-IS for IPv4 traffic.
    Default: enable

status6 {disable | enable}
    Enable or disable the interface for IS-IS for IPv6 traffic.
    Default: enable

wide-metric-l1 <1-16777214>
    Level-1 wide metric for the interface.
    Default: 10

wide-metric-l2 <1-16777214>
    Level-2 wide metric for the interface.
    Default: 10

config net
    Configure the IS-IS network.

<identifier>
    An integer identifier; 0 is the lowest available identifier.
    Default: No default

net <IS-IS net xx.xxxx. ... .xxxx.xx>
    Set the IS-IS network entity title.
    Default: No default

config redistribute {bgp | connected | ospf | rip | static}
    Configure the IS-IS redistribute IPv4 protocols.


status {disable | enable}
    Enable or disable the redistribution of routes from other routing protocols using IS-IS.
    Default: disable

metric <0-4261412864>
    Redistribution metric.
    Default: 10

metric-type {external | internal}
    Select external or internal for the metric type.
    Default: external

level {level-1 | level-1-2 | level-2}
    Set the IS-IS level to use for redistributing routes:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-1-2

routemap <string>
    Enter the route map name. You must create the route map before selecting it. See config router route-map on page 70.
    Default: No default

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}
    Configure the IS-IS redistribute IPv6 protocols.

status {disable | enable}
    Enable or disable the redistribution of routes from other routing protocols using IS-IS.
    Default: disable

metric <0-4261412864>
    Redistribution metric.
    Default: 10

level {level-1 | level-1-2 | level-2}
    Set the IS-IS level to use for redistributing routes:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-1-2

routemap <string>
    Enter the route map name. You must create the route map before selecting it. See config router route-map on page 70.
    Default: No default

config summary-address
    Configure the summarized IPv4 address ranges in the IS-IS routing table.

<summary address entry identifier>
    Enter the summary address entry ID. The value range is 0-4294967295.
    Default: No default

level {level-1 | level-1-2 | level-2}
    Set the IS-IS level to use for the summary database:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-2

prefix <IPv4 address and netmask>
    Set the IPv4 address and netmask for the prefix.
    Default: No default

config summary-address6
    Configure the summarized IPv6 address ranges in the IS-IS routing table.

<summary address entry identifier>
    Enter the summary address entry ID. The value range is 0-4294967295.
    Default: No default

level {level-1 | level-1-2 | level-2}
    Set the IS-IS level to use for the summary database:
    - level-1: intra-area
    - level-1-2: both intra-area and inter-area
    - level-2-only: inter-area
    Default: level-2

prefix6 <IPv6 address and netmask>
    Set the IPv6 address and netmask for the prefix.
    Default: No default

Example

The following is an example of an IS-IS configuration for IPv4 traffic:

config router isis
    set default-information-metric 60
    config interface
        edit "vlan100"
            set circuit-type level-1
            set priority-l1 80
            set wide-metric-l1 200
        next
        edit "vlan102"
            set circuit-type level-2
        next
    end
    config net
        edit 1
            set net 49.0002.0000.0000.1048.00
        next
    end
    set metric-style wide
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "static"
    end
end
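The BGP example earlier in this reference and the IS-IS example above are the kind of configuration a reviewer reads for missing controls: a neighbor that accepts routes with no inbound prefix-list, distribute-list, filter-list or route-map and no maximum-prefix, or an IS-IS router whose area, domain and hello PDUs carry no authentication (or use the documented default mode, password, rather than md5 with a keychain). The following Python is an added example, not part of this reference or of FortiSwitchOS: it parses the config / edit / set / next / end block syntax used throughout this reference into nested dictionaries and runs those two checks over the page's BGP example, an abridged copy of the IS-IS example, and a constructed hardened IS-IS variant whose keychain names are hypothetical.

```python
import shlex


def parse_fortiswitch_config(text):
    """Parse FortiSwitchOS-style CLI text (config / edit / set / next / end) into nested
    dicts: table -> entries -> settings; a setting is one string, or a list of them."""
    root = {}
    stack = [("root", root)]              # (scope kind, dict being filled)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)        # handles quoted names such as "vlan100"
        kw, args = tokens[0], tokens[1:]
        if kw == "config":                # a table name may span several words
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "next":                # closes the open edit
            if stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":                 # closes an open edit, then its table
            if stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
        else:
            raise ValueError("unexpected keyword %r" % kw)
    return root


INBOUND_FILTERS = ("prefix-list-in", "distribute-list-in", "filter-list-in", "route-map-in")


def audit_bgp_neighbors(cfg):
    """Return (peer, session type, issue) for each neighbor lacking an inbound control."""
    findings = []
    bgp = cfg.get("router bgp", {})
    for peer, nb in bgp.get("neighbor", {}).items():
        kind = "ibgp" if nb.get("remote-as") == bgp.get("as") else "ebgp"
        if not any(k in nb for k in INBOUND_FILTERS):
            findings.append((peer, kind, "no inbound route filter"))
        if "maximum-prefix" not in nb:
            findings.append((peer, kind, "no maximum-prefix"))
    return findings


def audit_isis_auth(cfg):
    """Return (scope, issue) for IS-IS levels and interfaces not protected by md5 keychains."""
    isis = cfg.get("router isis", {})
    targets = [("area", isis), ("domain", isis)]
    targets += [("interface " + n, i) for n, i in isis.get("interface", {}).items()]
    findings = []
    for label, node in targets:
        sfx = "hello" if label.startswith("interface") else label
        if "auth-keychain-" + sfx not in node and "auth-password-" + sfx not in node:
            findings.append((label, "no authentication"))
        elif node.get("auth-mode-" + sfx, "password") == "password":  # documented default
            findings.append((label, "cleartext password"))
    return findings


# The BGP example from this reference, without its network and redistribute tables.
BGP_EXAMPLE = """
config router bgp
    set as 6500
    config neighbor
        edit "172.168.111.5"
            set remote-as 6500
        next
    end
end
"""

# The IS-IS example from this reference, abridged to one interface.
ISIS_EXAMPLE = """
config router isis
    config interface
        edit "vlan100"
            set circuit-type level-1
            set wide-metric-l1 200
        next
    end
end
"""

# Constructed counterpart: md5 keychains on both levels and on hello PDUs (names hypothetical).
ISIS_HARDENED = """
config router isis
    set auth-mode-area md5
    set auth-keychain-area "isis-area-keys"
    set auth-mode-domain md5
    set auth-keychain-domain "isis-domain-keys"
    config interface
        edit "vlan100"
            set auth-mode-hello md5
            set auth-keychain-hello "isis-hello-keys"
        next
    end
end
"""
```

The parser accepts a trailing extra end without complaint, which matches how the CLI examples in this reference are printed; the audit treats an IBGP neighbor the same as an EBGP one, since the reference offers the same inbound filter and maximum-prefix options for both.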

config router key-chain

Use this command to configure a keychain. A keychain is a list of one or more authentication keys, each with its lifetime, which is how long the key is valid. Use keys with overlapping lifetimes to prevent the failure of routing updates.

Syntax
config router key-chain
    edit <keychain_name>
        config key
            edit <keychain_int>
                set key-string <key_str>
                set accept-lifetime <START> <END>
                set send-lifetime <START> <END>
        end
    end
end

<keychain_name>
    Enter a name for your keychain.
    Default: No default

config key
    Configure the key.

<keychain_int>
    Enter the keychain identifier.
    Default: No default

key-string <key_str>
    Enter a password string for the key.
    Default: No default

accept-lifetime <START> <END>
    Enter the lifetime of a received authentication key. START and END use the format HH:MM:SS DAY MONTH YEAR, where:
    - HH:MM:SS is the time of day when the lifetime starts, in hours, minutes, and seconds.
    - DAY is the day of the month to start. The range is 1-31.
    - MONTH is the month of the year to start. The range is 1-12.
    - YEAR is the year to start. The range is 1993-2035.
    END can also be set to infinite or <duration>, which is the number of seconds that the key is valid. The range of <duration> is 1-2147483646.
    Default: No default

send-lifetime <START> <END>
    Enter the lifetime of a sent authentication key. START and END use the format HH:MM:SS DAY MONTH YEAR, where:
    - HH:MM:SS is the time of day when the lifetime starts, in hours, minutes, and seconds.
    - DAY is the day of the month to start. The range is 1-31.
    - MONTH is the month of the year to start. The range is 1-12.
    - YEAR is the year to start. The range is 1993-2035.
    END can also be set to infinite or <duration>, which is the number of seconds that the key is valid. The range of <duration> is 1-2147483646.
    Default: No default

Example

This example shows how to add a key to a new keychain:

config router key-chain
    edit keychain1
        config key
            edit 1
                set key-string 1234567890
                set accept-lifetime 01:02:03 1 8 2017 infinite
                set send-lifetime 01:02:03 1 8 2017 infinite
        end
end
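The lifetime fields above are easy to mis-specify, and the command description says keys must overlap so that routing updates always carry a valid key. The following Python is an added example, not from this reference or FortiSwitchOS: it parses the HH:MM:SS DAY MONTH YEAR form with the infinite and <duration> END variants, reports gaps between consecutive keys of a keychain, and checks that each key's accept window contains its send window so that a peer whose clock is slightly behind still accepts a freshly rolled key. The keychain in KEYS is constructed.

```python
from datetime import datetime, timedelta

INFINITE = datetime.max     # stands in for an END of "infinite"


def _parse_point(hms, day, month, year):
    """Build a datetime from HH:MM:SS DAY MONTH YEAR; datetime() rejects impossible
    days and months, and the YEAR range is the one the CLI documents."""
    h, m, s = (int(x) for x in hms.split(":"))
    if not 1993 <= int(year) <= 2035:
        raise ValueError("YEAR must be in 1993-2035, got %s" % year)
    return datetime(int(year), int(month), int(day), h, m, s)


def parse_lifetime(spec):
    """Parse "<START> <END>" as given to accept-lifetime or send-lifetime.
    START is HH:MM:SS DAY MONTH YEAR; END is the same form, "infinite", or a
    duration in seconds (1-2147483646). Returns (start, end) datetimes."""
    tok = spec.split()
    if len(tok) not in (5, 8):
        raise ValueError("expected START and END, got %r" % spec)
    start = _parse_point(*tok[0:4])
    if len(tok) == 8:
        end = _parse_point(*tok[4:8])
    elif tok[4] == "infinite":
        end = INFINITE
    else:
        secs = int(tok[4])
        if not 1 <= secs <= 2147483646:
            raise ValueError("<duration> must be in 1-2147483646")
        end = start + timedelta(seconds=secs)
    if end <= start:
        raise ValueError("END must be later than START")
    return start, end


def rollover_gaps(keys, direction):
    """keys: list of {"id", "send", "accept"} dicts; direction: "send" or "accept".
    Sort keys by the start of the chosen lifetime and report each pair of consecutive
    keys between which no key is valid, as (id, next id, gap in seconds)."""
    spans = sorted((parse_lifetime(k[direction]), k["id"]) for k in keys)
    gaps = []
    for ((s1, e1), id1), ((s2, e2), id2) in zip(spans, spans[1:]):
        if s2 > e1:                     # next key starts after the previous one ends
            gaps.append((id1, id2, int((s2 - e1).total_seconds())))
    return gaps


def accept_covers_send(key):
    """True when the accept window fully contains the send window."""
    s_start, s_end = parse_lifetime(key["send"])
    a_start, a_end = parse_lifetime(key["accept"])
    return a_start <= s_start and a_end >= s_end


# Constructed keychain: key 3 is first sent on 2 Jan 2025, one day after key 2 stops
# being sent, so for that day routing updates would go out with no valid key.
KEYS = [
    {"id": 1, "send": "00:00:00 1 1 2024 00:00:00 1 7 2024",
              "accept": "00:00:00 1 1 2024 01:00:00 1 7 2024"},
    {"id": 2, "send": "00:00:00 1 7 2024 00:00:00 1 1 2025",
              "accept": "23:00:00 30 6 2024 01:00:00 1 1 2025"},
    {"id": 3, "send": "00:00:00 2 1 2025 infinite",
              "accept": "23:00:00 31 12 2024 infinite"},
]
```

Running rollover_gaps(KEYS, "send") flags the one-day hole between keys 2 and 3, while the accept windows, which each start an hour early and end an hour late, overlap and report nothing.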


config router multicast

A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) version-4 router. FortiSwitchOS supports PIM source-specific multicast (SSM) and version 3 of the Internet Group Management Protocol (IGMP).

You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.

Syntax
config router multicast
    set multicast-routing {disable | enable}
    config interface
        edit {interface_name | internal | mgmt}
            set pim-mode ssm-mode
            set hello-interval <1-180>
            set dr-priority <1-4294967295>
            set multicast-flow <string>
            config igmp
                set query-interval <1-65535>
                set query-max-response-time <1-25>
            end
    end

multicast-routing {disable | enable}
    Enable or disable multicast routing.
    Default: disable

{interface_name | internal | mgmt}
    Set which interface to configure for multicast routing.
    Default: No default

pim-mode ssm-mode
    Set the PIM operation mode to SSM mode.
    Default: ssm-mode

hello-interval <1-180>
    Specify the amount of time that the FortiSwitch unit waits between sending hello messages to neighboring PIM routers.
    Default: 30

dr-priority <1-4294967295>
    Assign a priority to the FortiSwitch unit's Designated Router (DR) candidacy. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.
    Default: 1

multicast-flow <string>
    Connect the named multicast flow to this interface. You must create the multicast flow before it can be selected here. See config router multicast-flow on page 52.
    Default: No default

config igmp
    Configure the multicast-flow entries.

query-interval <1-65535>
    Set the interval between queries to IGMP hosts (in seconds).
    Default: 125

query-max-response-time <1-25>
    Set the maximum time to wait for an IGMP query response (in seconds).
    Default: 10


config router multicast-flow

Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.

Syntax
config router multicast-flow
    edit <name>
        set comments <string>
        config flows
            edit <multicast-flow_entry_identifier>
                set group-addr <224-239.xxx.xxx.xxx>
                set source-addr <IP_address>
        end
end

<name>
    Name of the multicast flow.
    Default: No default

comments <string>
    Enter an optional description of the multicast flow.
    Default: No default

<multicast-flow_entry_identifier>
    Enter the multicast-flow entry identifier.
    Default: No default

group-addr <224-239.xxx.xxx.xxx>
    Enter the multicast group address (IPv4).
    Default: 0.0.0.0

source-addr <IP_address>
    Enter an IP address for the multicast source (IPv4).
    Default: 0.0.0.0
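As an added example, not FortiSwitchOS code, the following Python validates multicast-flow entries of the shape described above before they are committed: the group must fall in 224.0.0.0-239.255.255.255 as the syntax requires, addresses in the 224.0.0.0/24 link-local control block are never routed, an entry that leaves source-addr at its default 0.0.0.0 names no source, and two entries must not describe the same (group, source) pair. The 232.0.0.0/8 range is IANA's source-specific multicast block. The sample flow is constructed.

```python
import ipaddress

LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")   # link-local control block, never routed
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")        # IANA source-specific multicast block


def check_flow_entry(entry):
    """Validate one "config flows" entry, {"group-addr": ..., "source-addr": ...}.
    A missing value takes the documented default 0.0.0.0. Returns a list of issues."""
    try:
        group = ipaddress.IPv4Address(entry.get("group-addr", "0.0.0.0"))
        source = ipaddress.IPv4Address(entry.get("source-addr", "0.0.0.0"))
    except ValueError as exc:
        return ["not an IPv4 address: %s" % exc]
    issues = []
    if not group.is_multicast:
        issues.append("group-addr %s is outside 224.0.0.0-239.255.255.255" % group)
    elif group in LOCAL_CONTROL:
        issues.append("group-addr %s is in the link-local control block and is not routed" % group)
    if source.is_unspecified:
        issues.append("source-addr is still the default 0.0.0.0, so the entry names no source")
    elif source.is_multicast or source.is_loopback:
        issues.append("source-addr %s cannot be a multicast source" % source)
    return issues


def is_ssm_channel(entry):
    """True when the entry is a valid (S,G) channel whose group lies in the SSM range."""
    return (not check_flow_entry(entry)
            and ipaddress.IPv4Address(entry["group-addr"]) in SSM_RANGE)


def check_multicast_flow(flow):
    """Validate every entry of one multicast-flow and flag duplicate (group, source) pairs.
    Returns {entry id: [issues]} for the entries that have problems."""
    report, seen = {}, {}
    for ident, entry in flow["flows"].items():
        problems = check_flow_entry(entry)
        pair = (entry.get("group-addr", "0.0.0.0"), entry.get("source-addr", "0.0.0.0"))
        if pair in seen:
            problems.append("duplicates entry %s" % seen[pair])
        else:
            seen[pair] = ident
        if problems:
            report[ident] = problems
    return report


# Constructed flow: entry 1 is a clean SSM channel, entry 2 leaves source-addr at the
# default, entry 3 uses a unicast address as the group, entry 4 repeats entry 1.
SAMPLE_FLOW = {"name": "cctv-feeds", "flows": {
    "1": {"group-addr": "232.1.1.10", "source-addr": "10.20.0.5"},
    "2": {"group-addr": "239.1.1.10"},
    "3": {"group-addr": "192.0.2.10", "source-addr": "10.20.0.5"},
    "4": {"group-addr": "232.1.1.10", "source-addr": "10.20.0.5"},
}}
```

check_multicast_flow(SAMPLE_FLOW) reports entries 2, 3 and 4 and stays silent on entry 1, which is the only one that would bind a single permitted source to its group.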

config router ospf

Use this command to configure OSPF routing for IPv4.

NOTE: You must have an advanced features license to use OSPF routing.

Syntax
config router ospf
    set router-id <router_ipv4>
    set abr-type {cisco | ibm | shortcut | standard}
    set database-overflow {enable | disable}
    set database-overflow-max-external-lsa <integer>
    set database-overflow-time-to-recover <integer>
    set distance-external <external_int>
    set distance-inter-area <inter_int>
    set distance-intra-area <intra_int>
    set default-information-originate {always | disable | enable}
    set default-information-metric <metric_int>
    set default-information-metric-type {1 | 2}
    set distance <distance_int>
    set rfc1583-compatible {disable | enable}
    set spf-timers <delay_int> <hold_int>
    set log-neighbour-changes {disable | enable}
    set passive-interface <name_str>
    config area
        edit <area_ipv4>
            set shortcut {default | disable | enable}
            set type {nssa | regular | stub}
            set default-cost <cost_int>
            set stub-type {no-summary | summary}
            set nssa-translator-role {always | candidate | never}
            config filter-list
                edit <filter_int>
                    set direction {in | out}
                    set list <list_str>
                end
            end
            config range
                edit <range_int>
                    set advertise {enable | disable}
                    set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
                    set substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
                    set substitute-status {enable | disable}
                end
            end
            config virtual-link
                edit <virtual_int>
                    set authentication {md5 | none | text}
                    set dead-interval <dead_int>
                    set hello-interval <hello_int>
                    set peer <peer_ipv4>
                    set retransmit-interval <retransmit_int>
                    set transmit-delay <transmit_int>
                    config md5-keys
                        edit <key_ID>
                            set key <MD5_key>
                        next
                    end
                next
            end
        next
    end
    config interface
        edit <interface_str>
            set authentication {md5 | none | text}
            set bfd {disable | enable}
            set cost <cost_int>
            set dead-interval <dead_int>
            set hello-interval <hello_int>
            set mtu <mtu_int>
            set mtu-ignore {disable | enable}
            set priority <priority_int>
            set retransmit-interval <retransmit_int>
            set transmit-delay <transmit_int>
            config md5-keys
                edit <key_ID>
                    set key <MD5_key>
                next
            end
        next
    end
    config network
        edit <network_int>
            set area <area_ipv4>
            set prefix <xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx>
        end
    end
    config summary-address
        edit <summary_int>
            set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
            set tag <tag_int>
        next
    end
    config distribute-list
        edit <distribute_int>
            set access-list <access_str>
            set protocol {bgp | connected | isis | rip | static}
        next
    end
    config redistribute {bgp | connected | isis | rip | static}
        set status {disable | enable}
        set metric <metric_int>
        set routemap <routemap_str>
        set metric-type {1 | 2}
        set tag <0-2147483647>
    end
end

Variable Description Default

router-id <router_ipv4>
    Required. Enter the IPv4 address of the OSPF router. Default: No default

abr-type {cisco | ibm | shortcut | standard}
    Enter the area border router (ABR) type. Set abr-type to cisco or ibm to allow routes through a nonbackbone area when links to the backbone are down. For more information about this option, see RFC 3509, Alternative Implementations of OSPF Area Border Routers. Default: cisco

database-overflow {enable | disable}
    Enable or disable protection against link-state database overflow. Default: disable

database-overflow-max-external-lsa <integer>
    Set the maximum number of external link-state advertisements (LSAs) that are allowed in the link-state database. The value range is 0-2147483647. This option is available only if database-overflow is enabled. Default: 10000

database-overflow-time-to-recover <integer>
    Set the number of seconds before the router originates any external LSAs. The value range is 0-65535 seconds. This option is available only if database-overflow is enabled. Default: 300

distance-external <external_int>
    Set the OSPF route administrative external distance. The value range is from 0 to 255. Default: No default

distance-inter-area <inter_int>
    Set the OSPF route administrative inter-area distance. The value range is from 0 to 255. Default: No default

distance-intra-area <intra_int>
    Set the OSPF route administrative intra-area distance. The value range is from 0 to 255. Default: No default

default-information-originate {always | disable | enable}
    Enable or disable the generation of the default route into all external routing capable areas, using the metric specified by the default-information-metric value and the metric type specified by the default-information-metric-type value. Set the value to always for the default to always be advertised, even when the routing table contains no default. Default: disable

default-information-metric <metric_int>
    Set the metric value for the default route. The value range is from 1 to 16777214. Default: 10

default-information-metric-type {1 | 2}
    Set the metric type for the default route. Default: 2

distance <distance_int>
    Set the OSPF route administrative distance. The value range is from 1 to 255. Default: 110

rfc1583-compatible {disable | enable}
    Enable or disable RFC1583 compatibility. Default: disable

spf-timers <delay_int> <hold_int>
    Set the number of seconds before the shortest path first (SPF) is calculated and the number of seconds between consecutive SPF calculations. The range for each value is from 0 to 600. Default: 5 10

log-neighbour-changes {disable | enable}
    Enable or disable the logging of changes to the OSPF neighbor. Default: enable

passive-interface <name_str>
    Select which interface to set to passive mode. NOTE: You need to add the interface prefix under the config network command (under config router ospf). Default: No default

config area
    Configure the OSPF area.

<area_ipv4>
    Enter the IP address for the area. Default: No default

shortcut {default | disable | enable}
    Enable or disable whether shortcuts are allowed in the area. Default: default

type {nssa | regular | stub}
    Set the area type. NOTE: This field is not applicable for the backbone area (0.0.0.0), which is set to regular type by default. Default: regular

default-cost <cost_int>
    If the area type is stub or not-so-stubby area (NSSA), set the cost of default-summary LSAs announced to stubby areas. The value range is 0-2147483647. Default: 1

stub-type {no-summary | summary}
    If the area type is stub or NSSA, set whether inter-area summaries can be used. Default: summary

nssa-translator-role {always | candidate | never}
    If the area type is NSSA, set the type of NSSA translator role. Default: candidate

config filter-list
    Configure the OSPF area filter list.

<filter_int>
    Enter the filter list identifier. Default: No default

direction {in | out}
    Set the direction to or from the area for the prefix list and access list. Default: out

list <list_str>
    Enter the access-list name or prefix-list name for the area. Default: No default

config range
    Configure the OSPF area range.

<range_int>
    Enter the range list identifier. Default: No default

advertise {enable | disable}
    Enable or disable the advertise status. If this option is set to disable, the intra-area paths from this range are not advertised in other areas. Default: enable

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the summary prefix. Default: 0.0.0.0 0.0.0.0

substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the substitute prefix. Default: 0.0.0.0 0.0.0.0

substitute-status {enable | disable}
    Enable or disable whether the substitute prefix is used instead of the prefix. Default: disable

config virtual-link
    Configure the OSPF virtual link.

<virtual_int>
    Enter the virtual-link identifier. Default: No default

authentication {md5 | none | text}
    Set the authentication type. Default: none

dead-interval <dead_int>
    Enter the dead interval. Default: 40

hello-interval <hello_int>
    Enter the hello interval. Default: 10

peer <peer_ipv4>
    Enter the IP address of the virtual link neighbor. Default: 0.0.0.0

retransmit-interval <retransmit_int>
    Set the time between retransmitting lost link-state advertisement packets. Default: 5

transmit-delay <transmit_int>
    Enter the link-state packet transmit delay. Default: 1

config md5-keys
    These commands are applicable only when the virtual-link authentication field is set to md5.

<key_ID>
    Enter the MD5 key identifier. Default: No default

<MD5_key>
    Enter a string up to 16 characters. Default: No default

config interface
    Configure the OSPF interface.

<interface_str>
    Enter the OSPF interface name. Default: No default

authentication {md5 | none | text}
    Set the authentication type for OSPF packets. Default: none

bfd {disable | enable}
    Enable or disable BFD on this interface. Default: disable

cost <cost_int>
    Enter the link cost on this interface. The value range is 0-65535. Set this option to 0 for auto-cost. Default: 10

dead-interval <dead_int>
    Enter the dead interval. Default: 40

hello-interval <hello_int>
    Enter the hello interval. Default: 10

mtu <mtu_int>
    Enter the maximum transmission unit (MTU) size in bytes for the database description packets. The value range is 576-65535. Default: Not set

mtu-ignore {disable | enable}
    Set whether to use the MTU size. Default: disable

priority <priority_int>
    Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting the option to 0 makes the router ineligible to become the designated router. The value range is 0-255. Default: 1

retransmit-interval <retransmit_int>
    Set the time between retransmitting lost link-state advertisement packets. Default: 5

transmit-delay <transmit_int>
    Enter the link-state transmit delay. Default: 1

config md5-keys
    Use these commands to add MD5 keys for the OSPF interface. These commands are applicable only when the interface authentication field is set to md5.

<key_ID>
    Enter the MD5 key identifier. Default: No default

<MD5_key>
    Enter a string up to 16 characters. Default: No default

config network
    Use these commands to enable or disable OSPF on an IP network.

<network_int>
    Enter the network identifier. Default: No default

area <area_ipv4>
    Enter the IPv4 address for the area. Default: No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the IPv4 address and netmask. Default: No default

config summary-address
    Configure the aggregate address for redistributed routes.

<summary_int>
    Enter the identifier for the summary address. Default: No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the IPv4 address and netmask. Default: No default

tag <tag_int>
    Enter the tag value. The range is 0-2147483647. Default: 0

config distribute-list
    Configure the redistribute routes filter.

<distribute_int>
    Enter the distribute list identifier. Default: No default

access-list <access_str>
    Enter the access list name. Default: No default

protocol {bgp | connected | isis | rip | static}
    Set the protocol type. Default: connected

config redistribute {bgp | connected | isis | rip | static}
    Use these commands for the redistribute configuration.

redistribute {bgp | connected | isis | rip | static}
    Set the type of network to redistribute. Default: No default

status {disable | enable}
    Enable or disable the redistribution. Default: disable

metric <metric_int>
    Enter the metric for redistributed routes. Default: 10

routemap <routemap_str>
    Enter the route map name to filter the redistributed routes. Default: No default

metric-type {1 | 2}
    Set the metric type of redistributed routes. Default: 2

tag <0-2147483647>
    Set the tag value. Default: No default

Example

This example shows how to set the router identifier, create an area, configure the OSPF interface, create the network
(set the network prefix and associate with an area), configure the IPv4 address summary, and redistribute the routes:
config router ospf
    set router-id 20.1.1.1
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
        next
    end
    config interface
        edit "ospf_1"
            set interface "vlan10"
        next
        edit "ospf_2"
            set interface "vlan20"
        next
    end
    config network
        edit 1
            set area 0.0.0.1
            set prefix 20.1.1.0 255.255.255.0
        next
        edit 2
            set area 0.0.0.0
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config summary-address
        edit 1
            set prefix 40.1.0.0 255.255.0.0
        next
    end
    config redistribute "connected"
        set status enable
    end
end
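The authentication md5 setting with config md5-keys (on both config interface and config virtual-link above) selects RFC 2328 Appendix D cryptographic authentication. The following Python is an added illustration, not FortiSwitchOS code: it builds a minimal OSPFv2 Hello for router-id 20.1.1.1 with the default hello-interval and dead-interval from the tables, signs it with a key identifier and a key of up to 16 characters, and verifies it the way a receiving router would, including the sequence-number check. The key id 1 and key "s3cret" are constructed sample values; zero-padding of keys shorter than 16 bytes is the usual implementation convention and is an assumption here.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2   # what "set authentication md5" selects on the wire
MD5_KEY_LEN = 16           # the CLI accepts an MD5 key of up to 16 characters
DIGEST_LEN = 16
HEADER_LEN = 24


def _ip(dotted: str) -> bytes:
    return ipaddress.IPv4Address(dotted).packed


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                netmask: str = "255.255.255.0", hello: int = 10,
                dead: int = 40, priority: int = 1) -> bytes:
    """OSPFv2 header plus Hello body, with the AuType 2 header fields set.

    Under cryptographic authentication the 8-byte Authentication field
    carries (0, key id, digest length, sequence number) and the header
    checksum stays zero (RFC 2328, D.4.3). hello, dead and priority default
    to the values in the tables above.
    """
    body = struct.pack("!4sHBBI4s4s", _ip(netmask), hello, 0x02, priority,
                       dead, b"\0" * 4, b"\0" * 4)   # no DR/BDR, no neighbors
    length = HEADER_LEN + len(body)                  # the digest is not counted
    header = struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, OSPF_TYPE_HELLO,
                         length, _ip(router_id), _ip(area_id), 0,
                         AUTYPE_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    return header + body


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the packet followed by the key, zero-padded to 16 bytes
    (padding convention assumed, see the lead-in)."""
    if len(key) > MD5_KEY_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return hashlib.md5(packet + key.ljust(MD5_KEY_LEN, b"\0")).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: the digest is appended after the OSPF packet."""
    return packet + ospf_md5_digest(packet, key)


def verify(frame: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver side: pick the key by key id, recompute the digest, compare
    in constant time, and reject a sequence number that goes backwards
    (the replay check of RFC 2328 D.4.2)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False
    packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    (length,) = struct.unpack("!H", packet[2:4])
    autype, _zero, key_id, auth_len, seq = struct.unpack("!HHBBI", packet[14:24])
    if length != len(packet) or autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None:
        return False   # unknown key id: dropped, as with an unconfigured key
    if not hmac.compare_digest(digest, ospf_md5_digest(packet, key)):
        return False
    return seq >= last_seq


# Constructed sample values (not from the page): key id 1 with key "s3cret".
KEYS = {1: b"s3cret"}
HELLO = build_hello("20.1.1.1", "0.0.0.1", key_id=1, seq=100)
FRAME = sign(HELLO, KEYS[1])

if __name__ == "__main__":
    print("valid frame:", verify(FRAME, KEYS, last_seq=99))
    print("wrong key:  ", verify(FRAME, {1: b"wrong"}, last_seq=99))
    print("replayed:   ", verify(FRAME, KEYS, last_seq=101))
```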

config router ospf6

Use this command to configure open shortest path first (OSPF) routing for IPv6.
NOTE: You must have an advanced features license to use OSPF routing.

Syntax
config router ospf6
    set router-id <router_ipv4>
    set spf-timers <delay_int> <hold_int> <max_int>
    set log-neighbor-changes {disable | enable}
    config area
        edit <area_ipv4>
            set type {regular | stub}
            set stub-type {summary | no-summary}
            config filter-list
                edit <filter_int>
                    set direction {in | out}
                    set list <list_str>
                next
            end
            config range
                edit <range_int>
                    set advertise {enable | disable}
                    set prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
                next
            end
        next
    end
    config interface
        edit <interface_str>
            set area-id <Required_IPv4_address>
            set bfd {disable | enable}
            set cost <cost_int>
            set dead-interval <dead_int>
            set hello-interval <hello_int>
            set passive {disable | enable}
            set priority <priority_int>
            set retransmit-interval <retransmit_int>
            set status {enable | disable}
            set transmit-delay <transmit_int>
        next
    end
    config redistribute {connected | static}
        set status {disable | enable}
        set routemap <routemap_str>
    end
end

Variable Description Default

router-id <router_ipv4>
    Required. Enter the IPv4 address of the OSPF router. Default: No default

spf-timers <delay_int> <hold_int> <max_int>
    Set the number of milliseconds to delay before the shortest path first (SPF) is calculated, the initial number of milliseconds between consecutive SPF calculations, and the maximum number of milliseconds between consecutive SPF calculations. The range for each value is from 0 to 600. Default: 5 10 10

log-neighbor-changes {disable | enable}
    Enable or disable the logging of changes to the OSPF neighbor. Default: enable

config area
    Configure the OSPF6 area.

<area_ipv4>
    Enter the IPv4 address for the area. Default: No default

type {regular | stub}
    Set the area type to regular or stub. Default: regular

stub-type {summary | no-summary}
    If the type is set to stub, set the stub type to summary or no summary. Default: summary

config filter-list
    Configure the OSPF6 area filter list.

<filter_int>
    Enter the filter list identifier. Default: No default

direction {in | out}
    Set the direction to or from the area for the prefix list and access list. Default: out

list <list_str>
    Enter the IPv6 access-list name or IPv6 prefix-list name for the area. Default: No default

config range
    Configure the OSPF6 area range.

<range_int>
    Enter the range list identifier. Default: No default

advertise {enable | disable}
    Enable or disable the advertise status. If this option is set to disable, the intra-area paths from this range are not advertised in other areas. Default: enable

prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
    Required. Enter the IPv6 prefix. Default: No default

config interface
    Configure the OSPF6 interface.

<interface_str>
    Enter the OSPF interface name. Default: No default

area-id <IPv4_address>
    Required. Enter the IPv4 address of the area. Default: none

bfd {disable | enable}
    Enable or disable bidirectional forwarding detection (BFD). Default: disable

cost <cost_int>
    Enter the link cost on this interface. The value range is 0-65535. Default: 10

dead-interval <dead_int>
    Enter the dead interval. Default: 40

hello-interval <hello_int>
    Enter the hello interval. Default: 10

passive {disable | enable}
    Enable or disable the passive interface. Default: disable

priority <priority_int>
    Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting the option to 0 makes the router ineligible to become the designated router. The value range is 0-255. Default: 1

retransmit-interval <retransmit_int>
    Enter the time between retransmitting lost link-state advertisement packets. Default: 5

status {enable | disable}
    Enable or disable the IPv6 OSPF routing on this interface. Default: enable

transmit-delay <transmit_int>
    Enter the link-state transmit delay. Default: 1

config redistribute {connected | static}
    Use these commands for the redistribute configuration.

status {disable | enable}
    Enable or disable the redistribution. Default: disable

routemap <routemap_str>
    Enter the route map name to filter the redistributed routes. Default: No default

Example

This example shows how to set the router identifier, create an area, configure the OSPF interface, and redistribute the
routes:
config router ospf6
    set router-id 10.11.101.1
    config area
        edit 0.0.0.1
            config filter-list
                edit 1
                    set direction in
                    set list access1
                next
            end
            config range
                edit 1
                    set advertise disable
                    set prefix 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234/96
                next
            end
        next
    end
    config interface
        edit vlan35
            set area-id 0.0.0.1
            set cost 100
            set priority 100
            set status enable
        next
    end
    config redistribute connected
        set status enable
    end
end

config router prefix-list

Use this command to configure IPv4 prefix-based filtering.

Syntax
config router prefix-list
    edit <list_int>
        set comments <comment_str>
        config rule
            edit <rule_int>
                set action {deny | permit}
                set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
                set ge <ge_int>
                set le <le_int>
            next
        end
    next
end

Variable Description Default

<list_int>
    Enter the prefix list identifier. Default: No default

comments <comment_str>
    Enter a descriptive comment. Default: No default

config rule
    Configure the prefix-list rule.

<rule_int>
    Enter the rule identifier. Default: No default

action {deny | permit}
    Set the action to deny or permit. Default: permit

prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
    Set the prefix to define regular filter criteria, such as any or subnets. Default: 0.0.0.0 0.0.0.0

ge <ge_int>
    Enter the minimum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is greater than or equal to this value. Default: No default

le <le_int>
    Enter the maximum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is less than or equal to this value. Default: No default

config router prefix-list6

Use this command to configure IPv6 prefix-based filtering.

Syntax
config router prefix-list6
    edit <name_of_IPv6_prefix_list>
        set comments <string>
        config rule
            edit <rule_ID>
                set action {deny | permit}
                set prefix6 {<IPv6_prefix> | any}
                set ge <0-128>
                set le <0-128>
            next
        end
    next
end

Variable Description Default

<name_of_IPv6_prefix_list>
    Enter the name of the IPv6 prefix list. Default: No default

comments <string>
    Enter a descriptive comment. Default: No default

config rule
    Configure the IPv6 prefix list rule.

<rule_ID>
    Enter the rule identifier. Default: No default

action {deny | permit}
    Set the action to deny or permit. Default: permit

prefix6 {<IPv6_prefix> | any}
    Enter the IPv6 prefix to match, or any. Default: No default

ge <0-128>
    Enter the minimum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is greater than or equal to this value. Default: No default

le <0-128>
    Enter the maximum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is less than or equal to this value. Default: No default

Example

This example shows how to specify which IPv6 prefixes are allowed in RA messages:
config router prefix-list6
    edit "r4"
        config rule
            edit 1
                set action deny
                set prefix6 "2001:4:4:4::4/64"
                set ge 65
                set le 128
            next
            edit 2
                set action permit
                set prefix6 "any"
            next
        end
    next
end
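As an added worked example (not code from this CLI reference), the ge/le matching rules of config router prefix-list and config router prefix-list6 above, evaluated in Python on the "r4" list from the example and on a constructed IPv4 list. It shows what the example alone does not: the /64 itself passes rule 1 (its length is below ge 65) and is permitted by rule 2, while every longer prefix inside it is denied. The implicit deny when no rule matches, and the exact-length match when neither ge nor le is set, follow the common prefix-list convention and are assumptions, not statements from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def cli_prefix(text: str) -> str:
    """Accept the CLI's '<address> <netmask>' form as well as CIDR notation."""
    text = text.strip()
    return text.replace(" ", "/", 1) if " " in text else text


@dataclass
class PrefixRule:
    """One 'config rule' entry: edit <rule_int>, then set action/prefix/ge/le."""
    rule_id: int
    action: str                     # "permit" or "deny"
    prefix: Optional[str] = None    # None stands for the keyword any
    ge: Optional[int] = None        # minimum prefix length to match, if set
    le: Optional[int] = None        # maximum prefix length to match, if set

    def matches(self, route) -> bool:
        if self.prefix is None:     # any: matches every route of the family
            return True
        base = ipaddress.ip_network(cli_prefix(self.prefix), strict=False)
        if base.version != route.version or not route.subnet_of(base):
            return False
        # Assumption (common prefix-list convention, not stated on this page):
        # without ge/le the rule is an exact-length match; ge alone extends the
        # upper bound to the family maximum; le alone keeps the lower bound at
        # the configured prefix's own length.
        lower = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            upper = self.le
        elif self.ge is not None:
            upper = base.max_prefixlen
        else:
            upper = base.prefixlen
        return lower <= route.prefixlen <= upper


def evaluate(rules: List[PrefixRule], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id) of the first matching rule in rule-id order,
    or ("deny", None) when no rule matches (assumed implicit deny)."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(net):
            return rule.action, rule.rule_id
    return "deny", None


# The "r4" list from the prefix-list6 example above, expressed as data.
R4 = [
    PrefixRule(1, "deny", "2001:4:4:4::4/64", ge=65, le=128),
    PrefixRule(2, "permit"),                      # set prefix6 "any"
]

# Constructed IPv4 list (not from the page): accept only /24s inside 10.0.0.0/8.
ONLY_24S = [
    PrefixRule(1, "permit", "10.0.0.0 255.0.0.0", ge=24, le=24),
]

if __name__ == "__main__":
    for route in ("2001:4:4:4::/64", "2001:4:4:4:1::/80", "2001:5::/64"):
        print("r4", route, evaluate(R4, route))
    for route in ("10.1.1.0/24", "10.1.0.0/16", "192.168.1.0/24"):
        print("only_24s", route, evaluate(ONLY_24S, route))
```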

config router rip

Use these commands to configure RIP routing with IPv4 addresses.


NOTE: You must have an advanced features license to use RIP routing.

Syntax
config router rip
    set bfd {disable | enable}
    set default-information-originate {disable | enable}
    set default-metric <defaultmetric_int>
    set garbage-timer <garbage_int>
    set passive-interface <name_str>
    set timeout-timer <timeout_int>
    set update-timer <update_int>
    set version {1 | 2}
    config distance
        edit <distanceid_int>
            set access-list <access_string>
            set distance <distance_int>
            set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
        next
    end
    config distribute-list
        edit <distribute_int>
            set direction {in | out}
            set interface <interface_str>
            set listname <listname_str>
            set status {disable | enable}
        next
    end
    config interface
        edit <interface_str>
            set auth-keychain <keychain_str>
            set auth-mode {md5 | none | text}
            set auth-string <password_str>
            set receive-version {1 | 2 | both | global}
            set send-version {1 | 2 | both | global}
            set split-horizon-status {disable | enable}
            set split-horizon {poisoned | regular}
        next
    end
    config neighbor
        edit <neighbor_int>
            set <neighbor_ipv4>
        next
    end
    config network
        edit <network_int>
            set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
        next
    end
    config offset-list
        edit <offsetlist_int>
            set access-list <accesslist_str>
            set direction {in | out}
            set interface {in | out}
            set offset <offset_int>
            set status {disable | enable}
        next
    end
    config redistribute {bgp | connected | isis | ospf | static}
        set status {disable | enable}
        set metric <metric_int>
        set routemap <routemap_str>
    end
end

Variable Description Default

bfd {disable | enable}
    Enable or disable BFD. Default: disable

default-information-originate {disable | enable}
    Enable or disable whether a default route is advertised. Default: disable

default-metric <defaultmetric_int>
    Enter the default metric for redistributed routes. This setting does not affect connected routes. The range of values is 1-16. Use the config redistribute connected or config offset-list command to set the metric value for connected routes. Default: 1

garbage-timer <garbage_int>
    Enter the number of seconds before a route is removed from the routing table. The range of values is 5-2147483647. Default: 120

passive-interface <name_str>
    Specify which interface to set to passive mode. You need to add the interface prefix under config network (under config router rip). Default: No default

timeout-timer <timeout_int>
    Enter the number of seconds before a route is no longer valid. The route is not removed from the routing table until the neighboring RIP routers are notified that the route has been dropped. The range of values is 5-2147483647. Default: 180

update-timer <update_int>
    Enter the number of seconds between when the complete routing table is sent to neighboring RIP routers. The range of values is 5-2147483647. Default: 30

version {1 | 2}
    Set the RIP version for receiving and sending RIP packets. Default: 2

config distance
    Set the admin distance based on the route prefix and RIP neighbor IP.

<distanceid_int>
    Enter the distance identifier. Default: No default

access-list <access_string>
    Enter the access list to match RIP routes. Default: No default

distance <distance_int>
    Enter the RIP admin distance. The value range is from 1 to 255. Default: 120

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the RIP neighbor IP prefix. Enter 0.0.0.0/0 to match all RIP neighbors. Default: 0.0.0.0 0.0.0.0

config distribute-list
    Filter networks from routing updates.

<distribute_int>
    Enter the distribute list identifier. Default: No default

direction {in | out}
    Set the list direction. Default: out

interface <interface_str>
    Enter the RIP interface name for the distribute list. Default: No default

listname <listname_str>
    Enter the access or prefix list name. Default: No default

status {disable | enable}
    Enable or disable whether the distribute list is used. Default: disable

config interface
    RIP interface configuration.

<interface_str>
    Enter the interface name. Default: No default

auth-keychain <keychain_str>
    Enter the name of the keychain to use for this interface. Default: No default

auth-mode {md5 | none | text}
    Set the authentication mode used for packets. RIP version 1 does not use authentication. If auth-mode is set to md5 or text for RIP version 1, routing updates are ignored. NOTE: You must create a keychain first before you can use the MD5 authentication mode with RIP version 2. Default: none

auth-string <password_str>
    If the auth-mode is set to text, enter a password that is less than 16 characters long. Default: No default

receive-version {1 | 2 | both | global}
    Set which version of RIP packets are accepted on this interface. Setting this option to both accepts RIP version 1 and 2. Setting this option to global uses the global RIP version. This setting overrides the global RIP version setting. Default: global

send-version {1 | 2 | both | global}
    Set which version of RIP packets are sent for this interface. Setting this option to both sends RIP version 1 and 2. Setting this option to global uses the global RIP version. This setting overrides the global RIP version setting. Default: global

split-horizon-status {disable | enable}
    Enable or disable split horizon. Default: enable

split-horizon {poisoned | regular}
    Set the split-horizon type. Default: regular

config neighbor
    Specify a neighbor router. These commands are required only when OSPF runs on nonbroadcast media.

<neighbor_int>
    Enter a RIP neighbor identifier. Default: No default

<neighbor_ipv4>
    Enter an IP address for a RIP neighbor. Use this command if a RIP neighbor does not accept multicast packets. Default: 0.0.0.0

config network
    Enable RIP routing on an IP network.

<network_int>
    Enter a network identifier. Default: No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the prefix. Default: No default

config offset-list
    Configure the offset list to modify the RIP metric.

<offsetlist_int>
    Enter the offset list identifier. Default: No default

access-list <accesslist_str>
    Enter the name of the access list. Default: No default

direction {in | out}
    Set the list direction. Default: out

interface {in | out}
    Set whether to filter incoming or outgoing packets. Default: No default

offset <offset_int>
    Enter the offset for incoming and outgoing metrics to routes learned using RIP. The value range is between 1 and 16. Default: 0

status {disable | enable}
    Enable or disable whether the offset list is used. Default: enable

config redistribute {bgp | connected | isis | ospf | static}
    Redistribute configuration.

redistribute {bgp | connected | isis | ospf | static}
    Redistribute routes so that they are included in RIP routing. Default: No default

status {disable | enable}
    Enable or disable whether the routes are redistributed. Default: disable

metric <metric_int>
    Enter the metric of the redistributed routes. The value range is between 0 and 16. Default: 0

routemap <routemap_str>
    Enter the route map name to filter the redistributed routes. Default: No default

Example

This example shows how to configure the RIP router and add authentication:
config router rip
    config network
        edit 1
            set prefix 170.38.65.0/24
        next
        edit 2
            set prefix 128.8.0.0/16
        next
    end
    config interface
        edit "vlan35"
            set auth-mode text
            set auth-string simplepw1
        next
    end
end

config router ripng

Use these commands to configure RIP routing with IPv6 addresses.


NOTE: You must have an advanced features license to use RIP routing.

Syntax
config router ripng
    set bfd {disable | enable}
    set default-information-originate {disable | enable}
    set default-metric <defaultmetric_int>
    set garbage-timer <garbage_int>
    set timeout-timer <timeout_int>
    set update-timer <update_int>
    config aggregate-address
        edit <aggregate-address_entry_ID_int>
            set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
        next
    end
    config distribute-list
        edit <distribute_int>
            set direction {in | out}
            set interface <interface_str>
            set listname <listname_str>
            set status {disable | enable}
        next
    end
    config interface
        edit <interface_str>
            set passive {disable | enable}
            set split-horizon-status {disable | enable}
            set split-horizon {poisoned | regular}
        next
    end
    config offset-list
        edit <offsetlist_int>
            set access-list6 <accesslist_str>
            set direction {in | out}
            set interface {in | out}
            set offset <offset_int>
            set status {disable | enable}
        next
    end
    config redistribute {bgp | connected | isis | ospf6 | static}
        set status {disable | enable}
        set metric <metric_int>
        set routemap <routemap_str>
    end
end

Variable Description Default

bfd {disable | enable}
    Enable or disable BFD. Default: disable

default-information-originate {disable | enable}
    Enable or disable whether a default route is advertised. Default: disable

default-metric <defaultmetric_int>
    Enter the default metric for redistributed routes. This setting does not affect connected routes. Use the config redistribute connected command to set the metric value for connected routes. The range of values is 1-16. Default: 1

garbage-timer <garbage_int>
    Enter the number of seconds before a route is removed from the routing table after it is no longer valid. The range of values is 5-2147483647. Default: 120

timeout-timer <timeout_int>
    Enter the number of seconds before a route is no longer valid. The route is not removed from the routing table until the garbage timer expires. The range of values is 5-2147483647. Default: 180

update-timer <update_int>
    Enter the number of seconds between when the complete routing table is sent to neighboring RIP routers. The range of values is 5-2147483647. Default: 30

config aggregate-address
    Set the aggregate RIPng route announcement.

<aggregate-address_entry_ID_int>
    Enter the identifier for the aggregate-address entry. Default: No default

prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
    Enter the IPv6 prefix. Default: No default

config distribute-list
    Filter networks in routing updates.

<distribute_int>
    Enter the distribute list identifier. Default: No default

direction {in | out}
    Set the list direction. Default: out

interface <interface_str>
    Enter the RIP interface name for the distribute list. Default: No default

listname <listname_str>
    Enter the IPv6 access or prefix list name. Default: No default

status {disable | enable}
    Enable or disable whether the distribute list is used. Default: enable

config interface
    RIPng interface configuration.

<interface_str>
    Enter the interface name. Default: No default

passive {disable | enable}
    Enable or disable whether to suppress routing updates on an interface. Default: disable

split-horizon-status {disable | enable}
    Enable or disable split horizon. Default: enable

split-horizon {poisoned | regular}
    Set the split-horizon type. Default: regular

config offset-list
    Configure the offset list to modify the RIPng metric.

<offsetlist_int>
    Enter the offset list identifier. Default: No default

access-list6 <accesslist_str>
    Enter the name of the IPv6 access list. Default: No default

direction {in | out}
    Set the list direction. Default: out

interface {in | out}
    Set the interface to which the offset-list will be applied. Default: No default

offset <offset_int>
    Enter the offset for incoming and outgoing metrics to routes learned using RIP. The value range is between 1 and 16. Default: 0

status {disable | enable}
    Enable or disable whether the offset list is used. Default: enable

config redistribute {bgp | connected | isis | ospf6 | static}
    Redistribute configuration.

status {disable | enable}
    Enable or disable whether the routes are redistributed. Default: disable

metric <metric_int>
    Enter the metric of the redistributed routes. The value range is between 0 and 16. Default: 0

routemap <routemap_str>
    Enter the route map name to filter the redistributed routes. Default: No default

config router route-map

Use this command to configure a route map for BGP, IS-IS, OSPF, or RIP routing.
NOTE: You must have an advanced features license to use BGP, IS-IS, OSPF, or RIP routing.

Syntax
config router route-map
    edit <routemap_str>
        set comments <comments_str>
        set protocol {bgp | isis | isis6 | ospf | ospf6 | rip | ripng | zebra}
        config rule
            edit <rule_int>
                set action {deny | permit}
                set match-as-path <string>
                set match-community <string>
                set match-interface {<interface_str> | internal | mgmt}
                set match-ip-address <address_str>
                set match-ip6-address <access-list6 or prefix-list6>
                set match-ip-nexthop <nexthop_str>
                set match-metric <metric_int>
                set match-origin {egp | igp | incomplete | none}
                set match-tag <tag_int>
                set set-aggregator-as <1-4294967295>
                set set-aggregator-ip <IPv4_address>
                set set-aspath <1-4294967295>
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <string>
                set set-community <community>
                set set-extcommunity-rt <community>
                set set-extcommunity-soo <community>
                set set-ip-nexthop <class_ipv4>
                set set-ip6-nexthop <IPv6_address>
                set set-ip6-nexthop-local <IPv6_address>
                set set-local-preference <1-4294967295>
                set set-metric <setmetric_int>
                set set-metric-type {1 | 2}
                set set-origin {egp | igp | incomplete | none}
                set set-originator-id <IP_address>
                set set-tag <settag_int>
                set set-weight <0-2147483647>
            next
        end
    next
end

Variable Description Default

<routemap_str> Enter the name for the individual route map. No default

comments <comments_str> Enter a descriptive comment. No default

protocol {bgp | isis | isis6 | ospf | ospf6 | rip Mandatory. Set the protocol to BGP, IS-IS, No default
| ripng | zebra} OSPF (IPv4 or IPv6), RIP (IPv4 or IPv6), or the
core router daemon.

config rule Configure the route-map rule.

<rule_int> Enter the rule identifier. No default

action {deny | permit} Set whether the rule permits or denies routes permit
that match this rule.

match-as-path <string> Match the BGP Autonomous System (AS) path No default
list.

match-community <string> Match the BGP community list. No default

match-interface {<interface_str> | internal Set which interface will be matched. No default


| mgmt}

match-ip-address <address_str> Match the IPv4 address permitted by the IPv4 No default


access list or IPv4 prefix list.

match-ip6-address <access-list6 or Match the IPv6 address permitted by the IPv6 No default


prefix-list6> access list or IPv6 prefix list.

match-ip-nexthop <nexthop_str> Match the next-hop IP address passed by the No default


access list or prefix list.

match-metric <metric_int> Enter the metric to be matched for 0


redistributed routes. The value range is 0-
2147483647.

match-origin {egp | igp | incomplete | Match the BGP origin code: none
none} l egp—Set the value to the NLRI learned

from the Exterior Gateway Protocol


(EGP).
l igp—Set the value to the NLRI learned

from a protocol internal to the originating


AS.
l incomplete—Match routes that were

learned some other way (for example,


through redistribution).
l none—Disable the matching of BGP

routes based on the origin of the route.

FortiSwitchOS 6.4.3 CLI Reference 71


Fortinet, Inc.
config

Variable Description Default

match-tag <tag_int> Enter the tag to be matched. The value range 0
is 0-2147483647.

set-aggregator-as <1-4294967295> Set the BGP aggregator AS. No default

set-aggregator-ip <IPv4_address> Set the IPv4 address for the BGP aggregator. 0.0.0.0
This option is visible only when set-aggregator-as is set.

set-aspath <1-4294967295> Prepend the BGP AS path attribute. Use No default
quotation marks for repeating numbers, for example: "1 1 2"

set-atomic-aggregate {enable | disable} Enable or disable the BGP atomic aggregate disable
attribute.

set-community-delete <string> Delete communities matching the community No default
list.

set-community <community> Set the BGP community attribute: No default
l Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
l To make the route part of the Internet community, select internet.
l To make the route part of the LOCAL_AS community, select local-AS.
l To make the route part of the NO_ADVERTISE community, select no-advertise.
l To make the route part of the NO_EXPORT community, select no-export.

set-extcommunity-rt <community> Set the Route-Target extended community: No default
AA:NN

set-extcommunity-soo <community> Set the Site-of-Origin extended community: No default
AA:NN

set-ip-nexthop <class_ipv4> Enter the IPv4 address of the next hop. 0.0.0.0

set-ip6-nexthop <IPv6_address> Enter the IPv6 global address of the next hop. No default

set-ip6-nexthop-local <IPv6_address> Enter the IPv6 local address of the next hop. No default

set-local-preference <1-4294967295> Set the BGP local-preference path attribute. 0


set-metric <setmetric_int> Enter the route metric value. The value range 0
is 0-2147483647.

set-metric-type {1 | 2} Set the metric type to external-type1 or external-type1
external-type2.

set-origin {egp | igp | incomplete | none} Set the BGP origin code: none
l egp—Set the value to the NLRI learned from the Exterior Gateway Protocol (EGP).
l igp—Set the value to the NLRI learned from a protocol internal to the originating AS.
l incomplete—If not egp or igp.
l none—Disable the ORIGIN attribute.

set-originator-id <IP_address> Set the BGP originator ID attribute. 0.0.0.0

set-tag <settag_int> Enter the route tag value. The value range is 0
0-2147483647.

set-weight <0-2147483647> Set the BGP weight for the routing table. 0

Example

This example shows how to configure the RIP router and add authentication:
config router route-map
edit myroutemap
set comments "route map for RIP routing"
set protocol rip
config rule
edit 1
set action permit
set match-interface internal
set match-metric 12
set match-tag 36
set set-ip-nexthop 128.8.0.0
set auth-mode text
set set-metric 48
set set-tag 72
end
end
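To see what rule 1 of myroutemap does to a route, here is an added Python model of route-map evaluation (not FortiSwitchOS code): a rule's match-* fields that are unset match anything, the first matching rule decides, permit applies the set-* rewrites and deny drops the route. It assumes an implicit deny when no rule matches, which the reference does not spell out, and the sample routes are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Route:
    """A candidate route as seen by the route map (constructed for this example)."""
    prefix: str
    interface: str      # interface the route was learned on
    metric: int
    tag: int
    nexthop: str


@dataclass
class Rule:
    """One 'config rule' entry. A match field left as None is unset and matches anything."""
    rule_id: int
    action: str = "permit"          # permit | deny
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None

    def matches(self, route: Route) -> bool:
        checks = (
            (self.match_interface, route.interface),
            (self.match_metric, route.metric),
            (self.match_tag, route.tag),
        )
        return all(want is None or want == have for want, have in checks)


def apply_route_map(rules: List[Rule], route: Route) -> Optional[Route]:
    """Evaluate rules in ascending rule-id order; the first matching rule decides.

    permit returns a copy of the route with the rule's set-* values applied,
    deny returns None. A route that matches no rule is also returned as None
    (implicit deny at the end of the route map, assumed here; the reference
    does not state it).
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule.matches(route):
            continue
        if rule.action == "deny":
            return None
        changes = {}
        if rule.set_ip_nexthop is not None:
            changes["nexthop"] = rule.set_ip_nexthop
        if rule.set_metric is not None:
            changes["metric"] = rule.set_metric
        if rule.set_tag is not None:
            changes["tag"] = rule.set_tag
        return replace(route, **changes)
    return None


# Rule 1 of 'myroutemap' from the example above: permit routes learned on
# 'internal' with metric 12 and tag 36, then rewrite next hop, metric and tag.
MYROUTEMAP = [
    Rule(1, "permit", match_interface="internal", match_metric=12, match_tag=36,
         set_ip_nexthop="128.8.0.0", set_metric=48, set_tag=72),
]

# Constructed sample routes (not from the reference).
ROUTE_MATCHING = Route("10.1.0.0/16", "internal", 12, 36, "10.0.0.1")
ROUTE_OTHER_TAG = Route("10.2.0.0/16", "internal", 12, 99, "10.0.0.1")

if __name__ == "__main__":
    print(apply_route_map(MYROUTEMAP, ROUTE_MATCHING))   # rewritten route
    print(apply_route_map(MYROUTEMAP, ROUTE_OTHER_TAG))  # None: filtered
```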

config router setting

Use this command to filter incoming protocol routes in RIB. You can filter protocol routes so that they are not added in
the RIB routing table.
NOTE: You must have an advanced features license to use OSPF or RIP routing.


Syntax
config router setting
config filter-list
edit <routemap_int>
set protocol {any | bgp | connected | isis | ospf | rip | static}
set route-map <routemap_str>
end
end

Variable Description Default

<routemap_int> Enter a route map identifier. No default

protocol {any | bgp | connected | isis | ospf | rip | static} The protocol routes for which the filter will be applied. connected

route-map <routemap_str> Enter the route map name. Only a route map created with the No default
protocol set to zebra can be applied here.

Example

This example shows how to filter incoming protocol routes in RIB:


config router setting
config filter-list
edit 2
set protocol ospf
set route-map myroutemap
end
end

config router static

Use this command to add, edit, or delete static routes for IPv4 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying
destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the
next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

Syntax
config router static
edit <sequence_number>
set bfd {enable | disable}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv4mask>
set dynamic-gateway {enable | disable}
set gateway <gateway-address_IPv4>
set status {enable | disable}
set vrf <string>
end


Variable Description Default

<sequence_number> Enter a sequence number for the static route. No default

bfd {enable | disable} Enable or disable bidirectional forwarding detection (BFD) for the disable
route gateway.

blackhole {enable | disable} Enable or disable dropping all packets that match this route. disable

comment <comment_str> Optionally enter a descriptive comment. No default

device <interface_name> Enter the name of the interface through which to route traffic. No default
Enter ‘?’ to see a list of interfaces.

distance <1-255> Enter the administrative distance for the route. The range is an 10
integer from 1-255.

dst <destination-address_IPv4mask> Enter the destination IPv4 address and network mask for this 0.0.0.0 0.0.0.0
route. You can enter 0.0.0.0/0 to create a new static default route.

dynamic-gateway {enable | disable} When enabled, the route gateway IP is obtained using DHCP disable
running on the provided route's device interface.

gateway <gateway-address_IPv4> Enter the IPv4 address of the next-hop router to which traffic is No default
forwarded.

status {enable | disable} Enable this setting for the route to be added to the routing enable
table.

vrf <string> Assign the specified virtual routing and forwarding (VRF) No default
instance to this static route.
After the static route is created, the VRF instance cannot be
changed or unset.

Example

This example shows how to configure a static route:


config router static
edit 1
set gateway 192.168.0.10
set status enable
end
end

config router static6

Use this command to add, edit, or delete static routes for IPv6 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying
destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the
next-hop routers to which traffic that matches the destination addresses in the route is forwarded.


Syntax
config router static6
edit <sequence_number>
set bfd {enable | disable}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv6mask>
set gateway <gateway-address_IPv6>
set status {enable | disable}
set vrf <string>
end

The dst and gateway fields are required when blackhole is disabled. When
blackhole is enabled, the dst field is required. All other fields are optional.

Variable Description Default

<sequence_number> Enter a sequence number for the static route. No default

bfd {enable | disable} Enable or disable bidirectional forwarding detection (BFD) for disable
the gateway.

blackhole {enable | disable} Enable or disable dropping all packets that match this route. disable

comment <comment_str> Optionally enter a descriptive comment. No default

device <interface_name> Enter the name of the interface through which to route traffic. No default
Enter ‘?’ to see a list of interfaces.

distance <1-255> Enter the administrative distance for the route. The range is an 10
integer from 1-255.

dst <destination-address_IPv6mask> Enter the destination IPv6 address and network mask for this ::/0
route.

gateway <gateway-address_IPv6> Enter the IPv6 address of the next-hop router to which traffic is ::
forwarded.

status {enable | disable} Enable this setting for the route to be added to the routing enable
table.

vrf <string> Assign the specified virtual routing and forwarding (VRF) No default
instance to this static route.
After the static route is created, the VRF instance cannot be
changed or unset.

Example

This example shows how to configure a static route for IPv6 traffic:
config router static6
edit 1
set dst 5555::/64
set gateway 4000::2
set status enable
end
end

config router vrf

Use these commands to create virtual routing and forwarding (VRF) instances.

Syntax
config router vrf
edit <VRF_name>
set vrfid <integer>
end

Variable Description Default

<VRF_name> Enter the name of the VRF instance. No default
The name cannot match the name of any switch virtual interface (SVI).

vrfid <integer> Set the VRF identifier. The range of values is 1-1023. 0
You cannot use 252, 253, 254, or 255. After the VRF instance
is created, the VRF ID cannot be changed.

Example

This example shows how to configure two VRF instances:


config router vrf
edit vrfv4
set vrfid 1
next
edit vrfv6
set vrfid 2
next
end
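A pre-commit check for the constraints the static, static6 and vrf tables state (dst and gateway required unless blackhole is enabled, distance 1-255, vrfid 1-1023 excluding 252-255, VRF name distinct from any SVI), written here as an added Python example rather than FortiSwitchOS code. It treats an unset dst as the table default (the default route) and an unset or all-zero gateway as not configured; entries are plain dicts keyed by CLI field name.

```python
import ipaddress
from typing import List, Set

# Table defaults for dst: an unset dst is the default route (IPv4 0.0.0.0 0.0.0.0, IPv6 ::/0).
DEFAULT_DST = {4: "0.0.0.0/0", 6: "::/0"}
# An unset or all-zero gateway is treated as "not configured" (assumption of this check).
UNSET_GATEWAY = {None, "", "0.0.0.0", "::"}
RESERVED_VRF_IDS = {252, 253, 254, 255}


def validate_static_route(entry: dict, family: int = 4) -> List[str]:
    """Return the problems found in one 'config router static' / 'static6' entry.

    entry uses the CLI field names as keys, e.g. {"dst": "5555::/64",
    "gateway": "4000::2"}. IPv4 dst may be given as "addr mask" or "addr/len".
    """
    problems = []
    blackhole = entry.get("blackhole", "disable") == "enable"

    dst = entry.get("dst") or DEFAULT_DST[family]
    try:
        net = ipaddress.ip_network(dst.replace(" ", "/"), strict=False)
        if net.version != family:
            problems.append(f"dst {dst} is not an IPv{family} prefix")
    except ValueError:
        problems.append(f"dst {dst!r} is not a valid prefix")

    gateway = entry.get("gateway")
    if gateway in UNSET_GATEWAY:
        if not blackhole:
            # Required unless the route is a blackhole (the note under static6).
            problems.append("gateway is required when blackhole is disabled")
    else:
        try:
            if ipaddress.ip_address(gateway).version != family:
                problems.append(f"gateway {gateway} is not an IPv{family} address")
        except ValueError:
            problems.append(f"gateway {gateway!r} is not a valid address")

    distance = entry.get("distance", 10)  # table default
    if not isinstance(distance, int) or not 1 <= distance <= 255:
        problems.append(f"distance {distance!r} is outside 1-255")
    return problems


def validate_vrf(name: str, vrfid: int, svi_names: Set[str]) -> List[str]:
    """Check a 'config router vrf' entry: name must not be an SVI name, vrfid 1-1023 minus 252-255."""
    problems = []
    if name in svi_names:
        problems.append(f"VRF name {name!r} matches a switch virtual interface")
    if not 1 <= vrfid <= 1023 or vrfid in RESERVED_VRF_IDS:
        problems.append(f"vrfid {vrfid} is not allowed (1-1023, excluding 252-255)")
    return problems


if __name__ == "__main__":
    # The two static-route examples from the reference, plus a constructed bad entry.
    print(validate_static_route({"gateway": "192.168.0.10", "status": "enable"}))
    print(validate_static_route({"dst": "5555::/64", "gateway": "4000::2"}, family=6))
    print(validate_static_route({"dst": "10.9.0.0 255.255.0.0", "distance": 0}))
    print(validate_vrf("vrfv4", 1, set()), validate_vrf("vlan10", 253, {"vlan10"}))
```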

config switch

Use the config switch commands to configure options related to switching functionality:
l config switch acl egress on page 78
l config switch acl ingress on page 80
l config switch acl policer on page 83
l config switch acl prelookup on page 84
l config switch acl service custom on page 85
l config switch acl settings on page 87
l config switch auto-isl-port-group on page 87
l config switch auto-network on page 88
l config switch global on page 88
l config switch igmp-snooping globals on page 93
l config switch interface on page 94
l config switch ip-mac-binding on page 103
l config switch ip-source-guard on page 103
l config switch lldp profile on page 104
l config switch lldp settings on page 108
l config switch macsec profile on page 109
l config switch mirror on page 111
l config switch mld-snooping globals on page 115
l config switch network-monitor directed on page 115
l config switch network-monitor settings on page 116
l config switch phy-mode on page 117
l config switch physical-port on page 119
l config switch ptp policy on page 123
l config switch ptp settings on page 123
l config switch qos dot1p-map on page 124
l config switch qos ip-dscp-map on page 125
l config switch qos qos-policy on page 126
l config switch quarantine on page 129
l config switch raguard-policy on page 129
l config switch security-feature on page 131
l config switch static-mac on page 133
l config switch storm-control on page 134
l config switch stp instance on page 134
l config switch stp settings on page 135
l config switch trunk on page 136
l config switch virtual-wire on page 139
l config switch vlan on page 140
l config switch vlan-tpid on page 146

config switch acl egress

Use this command to configure an access control list (ACL) for an egress policy.

Syntax
config switch acl egress
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
set dst-ip-prefix <IP_address> <mask>
set dst-mac <MAC_address>
set ether-type <integer>
set service <service_ID>
set src-ip-prefix <IP_address> <mask>
set src-mac <MAC_address>
set vlan-id <VLAN_ID>
end
config action
set count {enable | disable}
set drop {enable | disable}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set remark-dscp <0-63>
end
end

Variable Description Default

<policy-id> Enter the unique ID number of this policy. No default

description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.

interface <port_name> Interface that the policy applies to. No default

schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the egress ACL policy active or inactive. active

config classifier
cos <802.1Q CoS value to match> Enter the 802.1Q CoS value to match. No default

dscp <DSCP value to match> Enter the DSCP value to match. No default

dst-ip-prefix <IP_address> <mask> Destination IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0

dst-mac <MAC_address> Destination MAC address to be matched. 00:00:00:00:00:00

ether-type <integer> Ethernet type to be matched. 0x0000

service <service_ID> Service type to be matched. No default

src-ip-prefix <IP_address> <mask> Source IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0

src-mac <MAC_address> Source MAC address to be matched. 00:00:00:00:00:00

vlan-id <VLAN_ID> VLAN identifier to be matched. 0

config action
count {enable | disable} Enable or disable the count action. disable

drop {enable | disable} Enable or disable the drop action. disable

mirror <mirror_session> Mirror session name. No default

outer-vlan-tag <integer> Outer VLAN tag. 0

policer <policer> Identifier of the policer to associate with this policy. To 0
create a policer, see config switch acl policer on page 83.

redirect <interface_name> Redirect interface name. No default

remark-dscp <0-63> Set the DSCP marking value. No default

config switch acl ingress

Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for
multiple ingress ACLs.

Syntax
config switch acl ingress
edit <policy-id>
set description <string>
set group <group_ID>
set ingress-interface <port> [<port> ... <port>]
set ingress-interface-all {enable | disable}
set schedule <schedule_name>
set status {active | inactive}
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
set src-mac <mac>
set dst-mac <mac>
set ether-type <integer>
set src-ip-prefix <IP address> <mask>
set dst-ip-prefix <IP address> <mask>
set service <service-id>
set vlan-id <vlan-id>
end
config action
set cos-queue <0 - 7>
set count {enable | disable}
set cpu-cos-queue <integer>
set drop {enable | disable}
set egress-mask {<physical_port_name> | internal}
set mirror <mirror_session>
set outer-vlan-tag <integer>
set policer <policer>
set redirect <interface_name>
set redirect-bcast-cpu {enable | disable}
set redirect-bcast-no-cpu {enable | disable}
set redirect-physical-port <list of physical ports to redirect>
set remark-cos <0-7>
set remark-dscp <0-63>
end
end

Variable Description Default

<policy-id> Enter the unique ID number of this policy. No default

description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.

group <group_ID> Enter the group identifier of the policy. The range of group 1
identifiers varies among the different platforms.
Starting in FortiSwitchOS 6.2.0, you can create groups for
multiple ingress ACLs.

ingress-interface <port> [<port> ... <port>] If ingress-interface-all is disabled, enter the interface list to No default
which the policy is bound on the ingress.

ingress-interface-all {enable | disable} If enabled, policy is bound to all interfaces. disable

schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the ingress ACL policy active or inactive. active

config classifier
cos <802.1Q CoS value to match> Enter the 802.1Q CoS value to match. No default

dscp <DSCP value to match> Enter the DSCP value to match. No default

src-mac Enter the source MAC address to be matched. 00:00:00:00:00:00

dst-mac Enter the destination MAC address to be matched. 00:00:00:00:00:00

ether-type Enter the Ethernet type to be matched. 0x0000

src-ip-prefix Enter the source IP address and subnet mask to be 0.0.0.0 0.0.0.0
matched.

dst-ip-prefix Enter the destination IP address and subnet mask to be 0.0.0.0 0.0.0.0
matched.

service Enter the service type to be matched. No default

vlan-id Enter the VLAN identifier to be matched. 0

config action
cos-queue <0 - 7> CoS queue number (0 - 7). 0

count Enable or disable the count action. disable

cpu-cos-queue <integer> CPU CoS queue number. This CoS queue is only used if the disabled
packets reach the CPU. Enter set cpu-cos-queue ? to
see the value range.

drop Enable or disable the drop action. disable

egress-mask {<physical_port_name> | internal} List of physical ports to be configured in egress mask. No default

mirror <mirror_session> Mirror session name. No default

outer-vlan-tag Outer VLAN tag. 4093

policer Identifier of the policer to associate with this policy. To 1
create a policer, see config switch acl policer on page 83.

redirect <interface_name> Redirect interface name. No default

redirect-bcast-cpu Redirect broadcast to all ports including the CPU. disable

redirect-bcast-no-cpu Redirect broadcast to all ports excluding the CPU. disable

redirect-physical-port List of ports to redirect the packet. No default

remark-cos <0-7> Set the CoS marking value. The range is 0-7. No default

remark-dscp <0-63> Set the DSCP marking value. The range is 0-63. No default

Examples

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed
to all other destinations:
config switch acl ingress
edit 1
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 10.10.0.0 255.255.0.0
set vlan-id 3
end
set ingress-interface-all enable
set status inactive
next
edit 2
config classifier
set vlan-id 3
end
set ingress-interface-all enable
set status active
next
end


In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP
marking values are set:
config switch acl ingress
edit 1
config classifier
set src-mac 11:22:33:aa:bb:cc
set cos 2
set dscp 10
end
config action
set count enable
set remark-cos 4
set remark-dscp 20
end
set ingress-interface port2
set status active
end
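The two ingress examples above can be checked against sample frames with this added Python model (not FortiSwitchOS code). It applies the classifier defaults from the tables (0.0.0.0 0.0.0.0, 00:00:00:00:00:00, vlan-id 0 and unset cos/dscp all match anything), skips policies whose status is inactive, and assumes policies are tried in ascending policy-id order with the first match deciding; the frames are constructed, and the first example's policy 1 is taken as active so that its drop is actually enforced (the listing above sets it inactive).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY_MAC = "00:00:00:00:00:00"       # classifier default: match any MAC
ANY_PREFIX = "0.0.0.0 0.0.0.0"      # classifier default: match any IP


@dataclass
class Frame:
    """The header fields an ingress classifier looks at (constructed for this example)."""
    ingress_port: str
    vlan_id: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    cos: Optional[int] = None
    dscp: Optional[int] = None


@dataclass
class IngressPolicy:
    """One 'config switch acl ingress' entry with its classifier and action sub-tables."""
    policy_id: int
    classifier: Dict[str, object] = field(default_factory=dict)
    action: Dict[str, object] = field(default_factory=dict)
    ingress_interface: Tuple[str, ...] = ()
    ingress_interface_all: bool = False
    status: str = "active"

    def matches(self, f: Frame) -> bool:
        c = self.classifier
        if not (self.ingress_interface_all or f.ingress_port in self.ingress_interface):
            return False
        for key, have in (("src-mac", f.src_mac), ("dst-mac", f.dst_mac)):
            want = str(c.get(key, ANY_MAC)).lower()
            if want != ANY_MAC and want != have.lower():
                return False
        for key, have in (("src-ip-prefix", f.src_ip), ("dst-ip-prefix", f.dst_ip)):
            want = str(c.get(key, ANY_PREFIX)).replace(" ", "/")
            net = ipaddress.ip_network(want, strict=False)
            if net.prefixlen and ipaddress.ip_address(have) not in net:
                return False
        want_vlan = c.get("vlan-id", 0)            # 0 = any VLAN
        if want_vlan and want_vlan != f.vlan_id:
            return False
        for key, have in (("cos", f.cos), ("dscp", f.dscp)):
            if key in c and c[key] != have:        # unset = any
                return False
        return True


def evaluate(policies: List[IngressPolicy], f: Frame) -> dict:
    """Apply the first matching active policy, lowest policy id first.

    Ordering by policy id is an assumption of this example. The result reports
    the verdict, which policy fired, whether it counted the frame, and any
    remark-cos / remark-dscp rewrites.
    """
    for p in sorted(policies, key=lambda p: p.policy_id):
        if p.status != "active" or not p.matches(f):
            continue
        a = p.action
        return {
            "verdict": "drop" if a.get("drop") == "enable" else "forward",
            "policy": p.policy_id,
            "counted": a.get("count") == "enable",
            "remark": {k: v for k, v in a.items() if k.startswith("remark-")},
        }
    return {"verdict": "forward", "policy": None, "counted": False, "remark": {}}


def inactive_drop_policies(policies: List[IngressPolicy]) -> List[int]:
    """Audit helper: drop policies left at 'status inactive' block nothing."""
    return [p.policy_id for p in policies
            if p.action.get("drop") == "enable" and p.status != "active"]


# The first ingress example from the reference, with policy 1 made active
# (as written there it is inactive, so the drop would not be enforced).
BLOCK_VLAN3_TO_10_10 = [
    IngressPolicy(1, {"dst-ip-prefix": "10.10.0.0 255.255.0.0", "vlan-id": 3},
                  {"count": "enable", "drop": "enable"}, ingress_interface_all=True),
    IngressPolicy(2, {"vlan-id": 3}, {}, ingress_interface_all=True),
]

if __name__ == "__main__":
    f = Frame("port5", 3, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.0.2.10", "10.10.5.1")
    print(evaluate(BLOCK_VLAN3_TO_10_10, f))                                # drop by policy 1
    print(inactive_drop_policies(
        [IngressPolicy(1, {}, {"drop": "enable"}, status="inactive")]))     # [1]
```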

config switch acl policer

Use this command to configure an ACL policer for egress or ingress policies.

Syntax
config switch acl policer
edit <policer index>
set description <string>
set guaranteed-bandwidth <bandwidth_value>
set guaranteed-burst <in_bytes>
set maximum-burst <in_bytes>
set type {egress | ingress}
end

Variable Description Default

<policer index> Enter the index for this ACL policer. No default

description <string> Enter a text description for the policer. No default

guaranteed-bandwidth <bandwidth_value> Enter the amount of bandwidth guaranteed to be available for 0
traffic controlled by the policy. The value range is 0 to 16,776,000 Kbits/second.

guaranteed-burst <in_bytes> Guaranteed burst size in bytes (max value = 4294967295) 0

maximum-burst <in_bytes> Maximum burst size in bytes (max value = 4294967295) 0

type {egress | ingress} Specify whether the policer is for egress or ingress policies. ingress

Example

This example shows how to configure an ACL policer for egress policies.


config switch acl policer
edit 1
set description policer1
set guaranteed-bandwidth 8776000
set guaranteed-burst 858993459
set maximum-burst 4294967295
set type egress
end

config switch acl prelookup

Use this command to configure an ACL for a lookup policy.

Syntax
config switch acl prelookup
edit <policy_ID>
set description <string>
set interface <port_name>
set schedule <schedule_name>
set status {active | inactive}
config classifier
set cos <802.1Q CoS value to match>
set dscp <DSCP value to match>
set dst-ip-prefix <IP_address> <mask>
set dst-mac <MAC_address>
set ether-type <integer>
set service <service_ID>
set src-ip-prefix <IP_address> <mask>
set src-mac <MAC_address>
set vlan-id <VLAN_ID>
end
config action
set count {enable | disable}
set cos-queue <0-7>
set drop {enable | disable}
set outer-vlan-tag <integer>
set remark-cos <0-7>
end
end

Variable Description Default

<policy-id> Enter the unique ID number of this policy. No default

description <string> Enter a description or other information about the policy. No default
The description is limited to 63 characters. Enclose the
string in single quotes to enter special characters or spaces.

interface <port_name> Interface that the policy applies to. No default

schedule <schedule_name> Select a schedule for when the ACL policy will be enforced. No default
The schedule must have been defined already with the
config system schedule command.
status {active | inactive} Make the prelookup ACL policy active or inactive. active

config classifier
cos <802.1Q CoS value to match> Enter the 802.1Q CoS value to match. No default

dscp <DSCP value to match> Enter the DSCP value to match. No default

dst-ip-prefix <IP_address> <mask> Destination IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0

dst-mac <MAC_address> Destination MAC address to be matched. 00:00:00:00:00:00

ether-type <integer> Ethernet type to be matched. 0x0000

service <service_ID> Service type to be matched. No default

src-ip-prefix <IP_address> <mask> Source IP address and subnet mask to be matched. 0.0.0.0 0.0.0.0

src-mac <MAC_address> Source MAC address to be matched. 00:00:00:00:00:00

vlan-id <VLAN_ID> VLAN identifier to be matched. 0

config action
count {enable | disable} Enable or disable the count action. disable

cos-queue <0-7> CPU CoS queue number (20-29). Used only if packets reach the No default
CPU. The value range is 20-29.

drop {enable | disable} Enable or disable the drop action. disable

outer-vlan-tag <integer> Outer VLAN tag. 0

remark-cos <0-7> Set the CoS marking value. The range is 0-7. No default

config switch acl service custom

Use this command to customize one of the ACL services.

Syntax
config switch acl service custom
edit <service name>
set comment <string>
set color <0-32>
set protocol {ICMP | IP | TCP/UDP/SCTP}
set icmptype <0-255>
set icmpcode <0-255>
set protocol-number <IP protocol number>
set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end
end

Variable Description Default

<service name> Enter the name of this custom service. No default

comment <string> Add comments for the custom service. No default

color <0-32> Set the icon color to use in the Web-based manager. A value 0
of zero sets the default color (1).

protocol {ICMP | IP | TCP/UDP/SCTP} Select the protocol used by the service. TCP/UDP/SCTP
These protocols are available when explicit-proxy is enabled.

icmptype <0-255> If you set the protocol to ICMP, set the ICMP type. 0

icmpcode <0-255> If you set the protocol to ICMP, set the ICMP code. 0

protocol-number For an IP service, enter the IP protocol number. 0

sctp-portrange For SCTP services, enter the destination and source port No default
ranges.

tcp-portrange For TCP services, enter the destination and source port No default
ranges.

udp-portrange For UDP services, enter the destination and source port No default
ranges.

Notes:
l srcport_low and srcport_high can be omitted if the value pair is 1-65535
l dstport_high can be omitted if dstport_low is equal to dstport_high
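A parser and canonical printer for the <dstportlow>[-<dstporthigh>:<srcportlow>-<srcporthigh>] port-range syntax, applying both notes above, added here as a Python example (not FortiSwitchOS code). Accepting a single source port without "-<srcporthigh>" is an assumption of this parser; the page only shows the full pair.

```python
import re
from typing import NamedTuple


class PortRange(NamedTuple):
    """Fully expanded form of one tcp-/udp-/sctp-portrange value."""
    dst_low: int
    dst_high: int
    src_low: int
    src_high: int

    def matches(self, dst_port: int, src_port: int) -> bool:
        """True if a (dst_port, src_port) pair falls inside both ranges."""
        return (self.dst_low <= dst_port <= self.dst_high
                and self.src_low <= src_port <= self.src_high)


# dstlow[-dsthigh][:srclow[-srchigh]]; the single-source-port form is an assumption.
_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?(?::(\d+)(?:-(\d+))?)?$")


def _check(low: int, high: int, what: str) -> None:
    if not (1 <= low <= 65535 and 1 <= high <= 65535):
        raise ValueError(f"{what} ports must be 1-65535, got {low}-{high}")
    if low > high:
        raise ValueError(f"{what} low port {low} exceeds high port {high}")


def parse_portrange(text: str) -> PortRange:
    """Expand the CLI syntax, filling in the parts the notes allow to be omitted.

    - no "-<dstporthigh>": dst_high equals dst_low
    - no source pair: source range is 1-65535
    """
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad port range syntax: {text!r}")
    dst_low = int(m.group(1))
    dst_high = int(m.group(2)) if m.group(2) else dst_low
    if m.group(3):
        src_low = int(m.group(3))
        src_high = int(m.group(4)) if m.group(4) else src_low
    else:
        src_low, src_high = 1, 65535
    _check(dst_low, dst_high, "destination")
    _check(src_low, src_high, "source")
    return PortRange(dst_low, dst_high, src_low, src_high)


def format_portrange(r: PortRange) -> str:
    """Shortest CLI spelling of a range, omitting what the notes permit."""
    text = str(r.dst_low) if r.dst_low == r.dst_high else f"{r.dst_low}-{r.dst_high}"
    if (r.src_low, r.src_high) != (1, 65535):
        text += f":{r.src_low}-{r.src_high}"
    return text


if __name__ == "__main__":
    smb = parse_portrange("445")      # the SMB service from the example below
    print(smb, format_portrange(smb), smb.matches(445, 51000))
    print(format_portrange(parse_portrange("80-80:1-65535")))   # canonicalizes to "80"
```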

Example

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses
port 445:
config switch acl service custom
edit "SMB"
set tcp-portrange 445
next
end
config switch acl ingress # apply policy to port 1 ingress and send to port 3
edit 1
set description "cnt_n_mirror_smb"
set ingress-interface "port1"
config action
set count enable
set mirror "port3"
end
config classifier
set service "SMB"
set src-ip-prefix 20.20.20.100 255.255.255.255
set dst-ip-prefix 100.100.100.0 255.255.255.0
end
next
end

config switch acl settings

Use this command to configure the global ACL settings.

Syntax
config switch acl settings
set density-mode {disable | enable}
set trunk-load-balance {disable | enable}
end

Variable Description Default

density-mode Enable or disable density mode. disable

trunk-load-balance Enable or disable trunk-load-balancing for ACL actions. enable

Example

The following example configures the global ACL settings:


config switch acl settings
set density-mode enable
set trunk-load-balance enable
end

config switch auto-isl-port-group

Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.

Syntax
config switch auto-isl-port-group
edit <trunk_name>
set members <one or more ports>
end

Example

The following example creates two trunks for a multi-tiered MCLAG:


config switch auto-isl-port-group
edit "mclag-core1"
set members "port1" "port2"
next
edit "mclag-core2"
set members "port3" "port4"
end


config switch auto-network

Use this command to automatically form an inter-switch link (ISL) between two switches.

Syntax
config switch auto-network
set mgmt-vlan <1-4094>
set status {enable | disable}
end

Variable Description Default

mgmt-vlan <1-4094> Set the VLAN to use for the native VLAN on ISL ports and the 4094
native VLAN on the internal switch interface.

status {enable | disable} Enable or disable whether an ISL is automatically formed disable
between two switches.

Example

The following example enables the automatic formation of an ISL between two switches:
config switch auto-network
set mgmt-vlan 200
set status enable
end

config switch global

Use this command to configure system-wide FortiSwitch settings.

Syntax
config switch global
set auto-fortilink-discovery {enable | disable}
set auto-isl {enable | disable}
set auto-isl-port-group <0-9>
set auto-stp-priority {enable | disable}
set dhcp-snooping-database-export {disable | enable}
set dmi-global-all {enable | disable}
set flapguard-retain-trigger {enable | disable}
set flood-unknown-multicast {enable | disable}
set fortilink-heartbeat-timeout <0-300>
set fortilink-p2p-tpid <integer>
set fortilink-vlan-optimization {enable | disable}
set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>
set ip-mac-binding {enable | disable}
set log-mac-limit-violations {enable | disable}
set log-source-guard-violations {enable | disable}
set loop-guard-tx-interval <0-30>
set mac-aging-interval <seconds>
set mac-violation-timer <integer>
set max-frame-size <bytes_int>
set max-path-in-ecmp-group <integer>
set mclag-igmpsnooping-aware {enable | disable}
set mclag-peer-info-timeout <integer>
set mclag-port-base <integer>
set mclag-split-brain-detect {enable | disable}
set mclag-stp-aware {enable | disable}
set mirror-qos <0-7>
set name <string>
set neighbor-discovery-to-cpu {enable | disable}
set packet-buffer-mode {store-forward | cut-through}
set poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>
set poe-guard-band <integer>
set poe-power-budget <integer>
set poe-power-mode {first-come-first-served | priority}
set poe-pre-standard-detect {disable | enable}
set qos-drop-policy {random-early-detection | taildrop}
set qos-red-probability <integer>
set reserved-mcast-to-cpu {enable | disable}
set source-guard-violation-timer <integer>
set trunk-hash-mode {default | enhanced}
set trunk-hash-unicast-src-port {enable | disable}
set trunk-hash-unkunicast-src-dst {enable | disable}
set virtual-wire-tpid <0x0001-0xfffe>
config port-security
set link-down-auth {no-action | set-unauth}
set mab-reauth {enable | disable}
set max-reauth-attempt <0-15>
set quarantine-vlan {enable | disable}
set reauth-period <1-1440>
set tx-period <12-60>
end
end

Variable Description Default

auto-fortilink-discovery Enable or disable the capability for the FortiGate unit to enable
{enable | disable} automatically discover the FortiLink interface on the switch.

auto-isl {enable | disable} Enable or disable the capability to automatically form an enable
inter-switch LAG.

auto-isl-port-group <0-9> Set the ISL port group. The range is 0-9. 0

auto-stp-priority {enable | disable} Enable or disable the automatically assigned STP switch enable
priority.

dhcp-snooping-database-export {disable | enable} Enable or disable whether the DHCP snooping database is disable
exported to file.

dmi-global-all {enable | disable} Enable or disable DMI globally. enable

flapguard-retain-trigger Enable this setting to keep the “triggered” status in the disable
{enable | disable} output of the diagnose flapguard status command
after a switch has been rebooted until the port has been
reset with the execute flapguard reset <port_
name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

flood-unknown-multicast Enable or disable whether to flood the VLAN with unknown disable
{enable | disable} multicast messages.

fortilink-heartbeat-timeout <0- Set how long before the FortiLink heartbeat times out. Set 60
300> the value to 0 to disable the FortiLink heartbeat.

fortilink-p2p-tpid <integer> Set the FortiLink point-to-point TPID value. The range of 0x8100
values is 0x0001 to 0xfffe.
This command is only available in FortiLink mode.

fortilink-vlan-optimization {enable | disable} Enable or disable FortiLink VLAN optimization. disable

forti-trunk-dmac Enter the destination MAC address to be used for FortiTrunk 02:80:c2:00:00:02
<xx:xx:xx:xx:xx:xx> heartbeat packets.

ip-mac-binding {enable | disable} Enable or disable IP-MAC binding for the switch disable

log-mac-limit-violations {enable | Enable or disable the logging of layer-2 learning limit disable
disable} violations for an interface or VLAN. The most recent violation
that occurred on each interface or VLAN is logged. After that,
no more violations are logged until the log is reset for the
triggered interface or VLAN. Only the most recent 128
violations are displayed in the console.
NOTE: This command is only displayed if your FortiSwitch
model supports it.

log-source-guard-violations {enable | disable} Enable or disable logs for source guard violations on a disable
system-wide level.

loop-guard-tx-interval <0-30> Enter the loop guard transmit interval. The value range is 1-30. 3
The unit is seconds.

mac-aging-interval <seconds> Specify how often the learning-limit violation log is reset. 300
The range is 10 to 1,000,000 seconds. Set to 0 to disable.

mac-violation-timer <integer> How long (in minutes) violations of the layer-2 learning limit 0
are kept in the log. The value range is 0-1500. Set to 0 to
disable the timer.

max-frame-size <bytes_int> Set the maximum frame size. The range is 68 to 16360. 9216
NOTE: For non-1xxE FortiSwitch units, this command is
under the config switch physical-port command.

max-path-in-ecmp-group <integer> Set the maximum path in one ECMP group. 8

mclag-igmpsnooping-aware Enable this option to synchronize both query ports and group disable
{enable | disable} entries across peer MCLAG trunks. This option can be used
in standalone mode and in FortiLink mode.

FortiSwitchOS 6.4.3 CLI Reference 90


Fortinet, Inc.
config

Variable Description Default

    NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

mclag-peer-info-timeout <integer>
    Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.
    Default: 30

mclag-port-base <integer>
    Set the MCLAG port base.
    Default: 0

mclag-split-brain-detect {enable | disable}
    Enable or disable detection of the MCLAG split-brain state.
    Default: disable

mclag-stp-aware {enable | disable}
    Enable or disable whether STP can be used within the MCLAG.
    Default: enable

mirror-qos <0-7>
    Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.
    Default: 0

name <string>
    Enter a name for the switch.
    Default: No default

neighbor-discovery-to-cpu {enable | disable}
    Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.
    Default: enable

packet-buffer-mode {store-forward | cut-through}
    Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.
    Default: store-forward

poe-alarm-threshold <percent>
    Enter the threshold, as a percentage of the total power budget, above which an alarm event is generated.
    Default: 80

poe-guard-band <integer>
    Enter the power (W) to reserve in case of a spike in PoE consumption.
    Default: 19

poe-power-budget <integer>
    Set or override the maximum power budget.
    Default: 400

poe-power-mode {first-come-first-served | priority}
    Set the PoE power mode to priority based or first-come, first-served.
    Default: priority

poe-pre-standard-detect {disable | enable}
    Enable or disable PoE pre-standard detection.
    NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.
    Default: enable
qos-drop-policy {random-early-detection | taildrop}
    Set the CoS queue drop policy.
    - taildrop: When the queue is full, new packets are dropped.
    - random-early-detection: As the queue fills, the probability increases that packets will be dropped.
    NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
    Default: taildrop

qos-red-probability <integer>
    Set the QoS RED/WRED drop probability. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.
    NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
    Default: 12

reserved-mcast-to-cpu {enable | disable}
    Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.
    Default: enable

source-guard-violation-timer <integer>
    Enter the number of minutes for a global timeout for source guard violations. The range of values is 0 to 1500. Set this option to 0 to disable it. This command is only available when log-source-guard-violations is enabled.
    Default: 0

trunk-hash-mode {default | enhanced}
    Set the trunk hash mode to default or enhanced.
    Default: default

trunk-hash-unicast-src-port {enable | disable}
    Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.
    Default: disable

trunk-hash-unkunicast-src-dst {enable | disable}
    Enable or disable source/destination trunk hashing for unknown unicast packets.
    Default: enable

virtual-wire-tpid <0x0001-0xfffe>
    TPID value used by virtual wires. The value range is 0x0001 to 0xfffe. Choose a value unlikely to be seen as a TPID or ethertype in your network.
    Default: 0xdee5

config port-security

link-down-auth {set-unauth | no-action}
    If a link goes down, this setting determines whether the affected devices need to reauthenticate.
    - set-unauth: Revert all devices to the unauthenticated state. Each device will need to reauthenticate.
    - no-action: Reauthentication is not required.
    Default: set-unauth

mab-reauth {enable | disable}
    Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.
    Default: disable

max-reauth-attempt <0-15>
    If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is 0 to 15, where 0 disables the reauthentication attempts.
    Default: 3

quarantine-vlan {enable | disable}
    Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.
    Default: enable

reauth-period <minutes>
    Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.
    Default: 60

tx-period <12-60>
    Specify how many seconds are allowed for the 802.1x reauthentication before it times out.
    Default: 30

Example

The following example configures system-wide FortiSwitch settings:


config switch global
set auto-isl enable
set dhcp-snooping-database-export enable
set dmi-global-all enable
set ip-mac-binding enable
set loop-guard-tx-interval 15
set mac-aging-interval 150
set max-path-in-ecmp-group 4
set mclag-peer-info-timeout 300
set poe-alarm-threshold 40
set poe-power-mode first-come-first-served
set poe-guard-band 10
set poe-pre-standard-detect enable
set poe-power-budget 200
set trunk-hash-mode enhanced
set trunk-hash-unkunicast-src-dst enable
end

config switch igmp-snooping globals

Use this command to configure global settings for IGMP snooping on the FortiSwitch unit.

Syntax
config switch igmp-snooping globals
set aging-time <integer>
set leave-response-timeout <integer>
set query-interval <10-1200>
end

aging-time <integer>
    The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen. The range is 15 to 3600.
    Default: 300

leave-response-timeout <integer>
    Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to a leave message. The range of values is 1 to 20.
    Default: 10

query-interval <10-1200>
    Enter the maximum number of seconds between IGMP queries.
    Default: 120

Example

The following example configures global settings for IGMP snooping on the FortiSwitch unit:
config switch igmp-snooping globals
set aging-time 150
set leave-response-timeout 15
set query-interval 200
end

config switch interface

Use this command to configure FortiSwitch features on an interface.


NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-
vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Command
config switch interface
edit <interface_name>
set allowed-vlans {vlan1 vlan2 ...}
set arp-inspection-trust {trusted | untrusted}
set auto-discovery-fortilink {enable | disable}
set auto-discovery-fortilink-packet-interval <3-300>
set default-cos <0-7>
set description <string>
set discard-mode {all-tagged | all-untagged | none}
set dhcp-snooping {trusted | untrusted}
set dhcp-snoop-learning-limit-check {disable | enable}
set dhcp-snooping-option82-trust {enable | disable}
set edge-port {enabled | disabled}
set igmp-snooping-flood-reports {enable | disable}
set mcast-snooping-flood-traffic {enable | disable}
set mld-snooping-flood-reports {enable | disable}
set ip-mac-binding {enable | disable | global}
set ip-source-guard {enable | disable}
set learning-limit <0-128>
set log-mac-event {enable | disable}
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120>
set loop-guard-mac-move-threshold <0-100>
set native-vlan <vlan_int>
set packet-sampler {enabled | disabled}
set sample-direction {both | rx | tx}
set packet-sample-rate <0-99999>
set private-vlan {disabled | promiscuous | sub-vlan}
set ptp-policy {<string> | default}
set qos-policy {<string> | default}
set rpvst-port {enabled | disabled}
set security-groups <security-group-name>
set sflow-counter-interval <0-255>
set snmp-index <integer>
set sticky-mac {disable | enable}
set stp-bpdu-guard {disabled | enabled}
set stp-loop-protection {enabled | disabled}
set stp-root-guard {disabled | enabled}
set stp-state {enabled | disabled}
set trust-dot1p-map <string>
set trust-ip-dscp-map <string>
set untagged-vlans {vlan1 vlan2 ...}
set vlan-mapping-miss-drop {enable | disable}
set vlan-tpid <default | string>
config port-security
set port-security-mode {none | 802.1X | 802.1X-mac-based | macsec}
set auth-fail-vlan {enable | disable}
set auth-fail-vlanid <VLAN_id>
set authserver-timeout-period <3-15>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
set eap-auto-untagged-vlans {enable | disable}
set eap-passthru {disable | enable}
set framevid-apply {disable | enable}
set guest-auth-delay <integer>
set guest-vlan {enable | disable}
set guest-vlanid <VLAN_id>
set mab-eapol-request <0-10>
set mac-auth-bypass {enable | disable}
set macsec-profile <MACsec_profile_name>
set open-auth {enable | disable}
set quarantine-vlan {enable | disable}
set radius-timeout-overwrite {enable | disable}
next
end
config raguard
edit <ID>
set raguard-policy <name_of_RA_guard_policy>
set vlan-list <list_of_VLANs>
next
end
config qnq
set status {enable | disable}
set add-inner <1-4095>
set edge-type customer
set priority {follow-c-tag | follow-s-tag}
set remove-inner {enable | disable}
set s-tag-priority <0-7>
set vlan-mapping-miss-drop {enable | disable}
config vlan-mapping


edit <id>
set description <string>
set match-c-vlan <1-4094>
set new-s-vlan <1-4094>
next
end
end
config vlan-mapping
edit <id>
set description <string>
set direction {egress | ingress}
set match-s-vlan <1-4094>
set match-c-vlan <1-4094>
set action {add | delete | replace}
set new-s-vlan <1-4094>
next
end
next
end

<interface_name>
    Enter the name of the interface.
    Default: No default

allowed-vlans {vlan1 vlan2 ...}
    Enter the names of the VLANs permitted on this interface.
    Default: No default

arp-inspection-trust {trusted | untrusted}
    Set the interface to trusted or untrusted for dynamic ARP inspection.
    Default: untrusted

auto-discovery-fortilink {enable | disable}
    Enable or disable automatic discovery of the port used for FortiLink.
    Default: disable

auto-discovery-fortilink-packet-interval <3-300>
    Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.
    Default: 5

default-cos <0-7>
    Set the default CoS value for untagged packets. Integer in the range of 0 to 7. The configured default CoS only applies if you also set trust-dot1p-map on the interface.
    NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.
    Default: 0

description <string>
    Enter a description of the interface.
    Default: No default

discard-mode {all-tagged | all-untagged | none}
    Set the discard mode for this interface.
    Default: none

dhcp-snooping {trusted | untrusted}
    Set the interface to trusted or untrusted for DHCP snooping.
    Default: untrusted

dhcp-snoop-learning-limit-check {disable | enable}
    Enable or disable whether there is a limit for how many IP addresses are in the DHCP snooping binding database for this interface.
    Default: disable

dhcp-snooping-option82-trust {enable | disable}
    Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.
    Default: disable

edge-port {enabled | disabled}
    Enable if the port does not have another switch connected to it.
    Default: disabled

igmp-snooping-flood-reports {enable | disable}
    Enable or disable whether to flood IGMP-snooping reports to this interface.
    NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.
    Default: disable

mcast-snooping-flood-traffic {enable | disable}
    Enable or disable whether to flood multicast traffic to this interface.
    Default: disable

mld-snooping-flood-reports {enable | disable}
    Enable or disable whether to flood MLD-snooping reports to this interface.
    Default: disable

ip-mac-binding {enable | disable | global}
    Enable or disable IP-MAC binding for this interface. Set the value to global to have the interface inherit the global ip-mac-binding setting.
    Default: disable

ip-source-guard {enable | disable}
    Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.
    Default: disable

learning-limit <0-128>
    Limit the number of dynamic MAC addresses on this port. The value range is 0 to 128 (0 = no limit).
    NOTE: You cannot set the learning-limit on the internal interface.
    Default: 0

log-mac-event {enable | disable}
    Enable or disable the logging of dynamic MAC address events.
    Default: disable

loop-guard {enabled | disabled}
    Enable or disable loop guard for this interface.
    Default: disabled

loop-guard-timeout <0-120>
    After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.
    Default: 45

loop-guard-mac-move-threshold <0-100>
    After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.
    Default: 0
native-vlan <vlan_int>
    Enter the native (untagged) VLAN for this interface.
    Default: 1

packet-sampler {enabled | disabled}
    Enable or disable packet sampling for flow export.
    Default: disabled

sample-direction {both | rx | tx}
    Set the sFlow sample direction to monitor received traffic (rx), transmitted traffic (tx), or both. This option is only available when packet-sampler is enabled.
    Default: both

packet-sample-rate <0-99999>
    If packet-sampler is set to enabled, you can change the packet sample rate.
    Default: 512

private-vlan {disabled | promiscuous | sub-vlan}
    Enable private VLAN functionality.
    NOTE: Private VLANs are not supported on the FortiSwitch-28C.
    Default: disabled

ptp-policy {<string> | default}
    Enter the name of the Precision Time Protocol (PTP) policy.
    Default: default

qos-policy {<string> | default}
    Enter the name of the QoS egress CoS queue policy.
    Default: default

rpvst-port {enabled | disabled}
    Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).
    Default: disabled

security-groups <security-group-name>
    Enter the security group name if you are using port-based authentication or MAC-based authentication.
    Default: No default

sflow-counter-interval <0-255>
    Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.
    Default: 0

snmp-index <integer>
    Enter the SNMP index for this interface.
    Default: the port number

sticky-mac {disable | enable}
    Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).
    Default: disable

stp-bpdu-guard {disabled | enabled}
    Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.
    Default: disabled

stp-loop-protection {enabled | disabled}
    Enable or disable STP loop protection on this interface.
    Default: disabled

stp-root-guard {disabled | enabled}
    Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.
    Default: disabled

stp-state {enabled | disabled}
    Enable or disable Spanning Tree Protocol (STP) on this interface.
    Default: enabled

trust-dot1p-map <string>
    Whether to trust the dot1p CoS value in incoming packets. Specify a map to map the CoS value to an egress queue value.
    Default: No default

trust-ip-dscp-map <string>
    Whether to trust the DSCP QoS value in incoming packets. Specify a map to map the DSCP value to an egress queue value.
    Default: No default

untagged-vlans {vlan1 vlan2 ...}
    Select the allowed-vlans to be transmitted without VLAN tags.
    Default: No default

vlan-mapping-miss-drop {enable | disable}
    Enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.
    Default: disable

vlan-tpid {default | <string>}
    Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.
    NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.
    Default: default

config port-security

port-security-mode {none | 802.1X | 802.1X-mac-based | macsec}
    Set the security mode for the port.
    - 802.1X: Use this setting for port-based authentication.
    - 802.1X-mac-based: Use this setting for MAC-based authentication.
    - macsec: Use this setting for MACsec.
    If you change the security mode from none, you must set the security group with the set security-groups command.
    Default: none

auth-fail-vlan {enable | disable}
    When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.
    Default: disable

auth-fail-vlanid <VLAN_id>
    Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.
    Default: 200

authserver-timeout-period <3-15>
    Enter the number of seconds before the authentication server stops trying to authenticate users.
    Default: 3

authserver-timeout-vlan {enable | disable}
    Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.
    Default: disable

authserver-timeout-vlanid <1-4094>
    Enter the VLAN identifier that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.
    Default: 300

eap-auto-untagged-vlans {enable | disable}
    Enable to allow voice traffic with the voice VLAN tag at egress.
    Default: enable

eap-passthru {disable | enable}
    Enable or disable the EAP pass-through mode.
    Default: enable

framevid-apply {disable | enable}
    Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.
    NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.
    Default: enable

guest-auth-delay <integer>
    If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.
    Default: 5

guest-vlan {enable | disable}
    When enabled, the system assigns the guest-vlanid to unauthorized users.
    Default: disable

guest-vlanid <VLAN_id>
    VLAN identifier. Mandatory field when guest VLAN is enabled.
    Default: 100

mab-eapol-request <0-10>
    Set how many EAP packets are sent to trigger EAP authentication for "silent supplicants" (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode. To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.
    Default: 3

mac-auth-bypass {enable | disable}
    Enable or disable MAC authentication bypass (MAB).
    Default: disable

macsec-profile <MACsec_profile_name>
    If you set the port-security-mode to macsec, specify which MACsec profile to use. Use the config switch macsec profile command to create a MACsec profile.
    Default: No default

open-auth {enable | disable}
    Enable or disable open authentication (monitor mode) on this interface.
    Default: disable

quarantine-vlan {enable | disable}
    Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.
    Default: enable

radius-timeout-overwrite {enable | disable}
    Enable this option to use the value of the RADIUS session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.
    Default: disable

config raguard

<ID>
    Enter an identifier for the IPv6 RA-guard configuration.
    Default: No default

raguard-policy <name_of_RA_guard_policy>
    Enter the name of the RA-guard policy to use for this interface. The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.
    Default: No default

vlan-list <list_of_VLANs>
    Enter a VLAN or a range of VLANs to apply this policy to. Use fewer than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commas, for example: 1,3-4,6,7,9-100
    Default: all allowed VLANs on this port

config qnq

status {enable | disable}
    Enable or disable VLAN stacking (QinQ) mode.
    Default: disable

add-inner <1-4095>
    If QinQ mode is enabled, add this inner tag to untagged packets upon ingress.
    Default: No default

edge-type customer
    If QinQ mode is enabled, the edge type is set to customer.
    Default: customer

priority {follow-c-tag | follow-s-tag}
    If QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or the C-tag (customer tag).
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE models.
    Default: follow-s-tag

remove-inner {enable | disable}
    If QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.
    Default: disable

s-tag-priority <0-7>
    If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when priority is set to follow-s-tag.
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE models.
    Default: 0

vlan-mapping-miss-drop {enable | disable}
    If QinQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.
    Default: disable

config vlan-mapping (under config qnq)

<id>
    Enter a mapping entry identifier.
    Default: No default

description <string>
    Enter a description of the mapping entry.
    Default: No default

match-c-vlan <1-4094>
    Enter a matching customer (inner) VLAN.
    Default: 0

new-s-vlan <1-4094>
    Enter a new service (outer) VLAN.
    NOTE: The VLAN must be in the port's allowed VLAN list. This option is only available after you set the value for match-c-vlan.
    Default: No default

config vlan-mapping (not available when QinQ is enabled)

<id>
    Enter an identifier for the VLAN mapping entry.
    Default: No default

description <string>
    Enter a description of the VLAN mapping entry.
    Default: No default

direction {egress | ingress}
    Select the ingress or egress direction.
    Default: No default

match-s-vlan <1-4094>
    If the direction is set to egress, enter the service (outer) VLAN to match.
    Default: 0

match-c-vlan <1-4094>
    If the direction is set to ingress, enter the customer (inner) VLAN to match.
    Default: 0

action {add | delete | replace}
    Select what happens when the packet is matched:
    - add: Add the service VLAN. You cannot set the action to add for the egress direction.
    - delete: Delete the service VLAN. You cannot set the action to delete for the ingress direction.
    - replace: Replace the customer VLAN or service VLAN.
    This option is only available after you set a value for match-c-vlan or match-s-vlan.
    Default: No default

new-s-vlan <1-4094>
    Set the new service (outer) VLAN. This option is only available after you set the action to add or replace for the ingress direction, or after you set the action to replace for the egress direction.
    Default: No default

Example

The following example shows QoS configuration on a trunk interface:


config switch interface
edit "tr1"
set snmp-index 56
set trust-dot1p-map "dot1p_map1"
set default-cos 1
set qos-policy "p1"
next
end

The following example shows how to configure 802.1x authentication:


config switch interface
edit "port11"
set native-vlan 200
set snmp-index 11
config port-security
set port-security-mode 802.1X
set auth-fail-vlan enable
set auth-fail-vlanid 301
set authserver-timeout-period 4
set authserver-timeout-vlan enable
set authserver-timeout-vlanid 300
set eap-auto-untagged-vlans enable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 5
set guest-vlan enable
set guest-vlanid 401
set mab-eapol-request 0
set mac-auth-bypass disable
set open-auth disable
set quarantine-vlan enable
set radius-timeout-overwrite enable
end

set security-groups "radius1grp"
next
end
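The following example is added here to show the config qnq settings described above working together on one customer-facing edge port; it is not one of the FortiSwitchOS reference's own examples, and the port name, VLAN IDs and descriptions are assumed values. It assumes that S-VLANs 100 and 101 already exist on the switch and uses the default VLAN TPID profile (0x8100). If the provider side expects a different outer TPID, the profile must first be created with config switch vlan-tpid and then selected with set vlan-tpid, as the vlan-tpid note states.

```text
config switch interface
    edit "port5"
        set description "Customer A handoff: C-VLAN 10/20 to S-VLAN 100/101"
        set native-vlan 100
        set allowed-vlans 100 101
        set vlan-tpid default
        config qnq
            set status enable
            set edge-type customer
            set add-inner 10
            set remove-inner enable
            set priority follow-s-tag
            set s-tag-priority 3
            set vlan-mapping-miss-drop enable
            config vlan-mapping
                edit 1
                    set description "Customer A data"
                    set match-c-vlan 10
                    set new-s-vlan 100
                next
                edit 2
                    set description "Customer A voice"
                    set match-c-vlan 20
                    set new-s-vlan 101
                next
            end
        end
    next
end
```

Untagged customer frames receive inner tag 10 on ingress (add-inner) and have it stripped again on egress (remove-inner), so the customer sees untagged traffic while the core carries it in S-VLAN 100. Frames that arrive with a C-VLAN other than 10 or 20 have no mapping entry and are dropped because vlan-mapping-miss-drop is enabled; with its default of disable they would not be dropped by this check, which is the setting to verify when the goal is to keep one customer's stray VLANs out of the provider network. Both new-s-vlan values appear in allowed-vlans, as the table requires. On the 224D-FPOE, 248D, 424D, 448D, 224E and 248E models listed in the table, priority and s-tag-priority are not available and those two lines must be omitted.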

config switch ip-mac-binding

Use IP-MAC binding to prevent ARP spoofing.


The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-
MAC binding table.
You can enable or disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Syntax
config switch ip-mac-binding
edit <sequence_int>
set ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set mac <xx:xx:xx:xx:xx:xx>
set status {enable | disable}
next
end

<sequence_int>
    Enter a sequence number for the IP-MAC binding entry.
    Default: No default

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    Enter the source IP address and network mask for this rule.
    Default: 0.0.0.0 0.0.0.0

mac <xx:xx:xx:xx:xx:xx>
    Enter the MAC address for this rule.
    Default: 00:00:00:00:00:00

status {enable | disable}
    Enable or disable the IP-MAC binding entry.
    Default: disable

Example

The following example configures the IP-MAC binding for the FortiSwitch unit:
config switch ip-mac-binding
edit 1
set ip 172.168.20.1 255.255.255.255
set mac 00:21:cc:d2:76:72
set status enable
next
end

config switch ip-source-guard

Use this command to configure IP source guard for a port by binding IPv4 addresses to MAC addresses.

Syntax
config switch ip-source-guard
edit <port_name>


config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end

<port_name>
    Enter the name of the port.
    Default: No default

<id>
    Enter a unique integer to create a new entry.
    Default: No default

ip <xxx.xxx.xxx.xxx>
    Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.
    Default: 0.0.0.0

mac <XX:XX:XX:XX:XX:XX>
    Required. Enter the MAC address to bind to the IPv4 address.
    Default: 00:00:00:00:00:00

Example

The following example binds an IPv4 address to a MAC address so that traffic from that IP address will be allowed on
port4:
config switch ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
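The following example is added here (it is not one of the reference's own examples) to show how the dependent interface settings from config switch interface, the violation-logging options from config switch global, and a config switch ip-source-guard binding fit together on one hardened access port with a single trusted uplink. The port names, VLAN IDs, IP address and MAC address are assumed values. The block assumes VLANs 10 and 100 already exist and that DHCP snooping and ARP inspection are already enabled for VLAN 10 at the VLAN level, which is outside this section.

```text
config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer 60
    set log-source-guard-violations enable
    set source-guard-violation-timer 60
end

config switch interface
    edit "port3"
        set description "Printer with static address, hardened access port"
        set native-vlan 10
        set allowed-vlans 10
        set stp-state enabled
        set edge-port enabled
        set stp-bpdu-guard enabled
        set loop-guard enabled
        set loop-guard-timeout 45
        set dhcp-snooping untrusted
        set arp-inspection-trust untrusted
        set ip-source-guard enable
        set learning-limit 1
        set sticky-mac enable
        set log-mac-event enable
    next
    edit "port24"
        set description "Uplink to distribution switch, only trusted port"
        set allowed-vlans 10 100
        set stp-state enabled
        set edge-port disabled
        set stp-bpdu-guard disabled
        set dhcp-snooping trusted
        set arp-inspection-trust trusted
    next
end

config switch ip-source-guard
    edit "port3"
        config binding-entry
            edit 1
                set ip 10.0.10.25
                set mac 00:11:22:33:44:55
            next
        end
    next
end
```

Two of the table's dependencies dictate the order of the lines: stp-bpdu-guard requires stp-state and edge-port to be enabled first, and source-guard-violation-timer is only available once log-source-guard-violations is enabled. With learning-limit 1 and sticky-mac enabled, the first MAC address learned on port3 is the only one admitted and it is kept across a link down/up; a second address is a learning-limit violation, logged once for the interface (log-mac-limit-violations) and kept for 60 minutes (mac-violation-timer). The IP source guard binding admits only 10.0.10.25 from 00:11:22:33:44:55 on port3, so this pattern is for statically addressed devices; a DHCP client on the same port would be dropped. port24 is the only interface marked trusted for DHCP snooping and ARP inspection, which is what prevents a rogue DHCP server or a spoofed ARP reply on an access port from being accepted.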

config switch lldp profile

Use this command to configure LLDP profile settings. The LLDP profile contains most of the port-specific configuration.
Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for
multiple ports.
There are two static LLDP profiles: default and default-auto-isl. These profiles are created automatically.
They can be modified but cannot be deleted. The default-auto-isl profile always has auto-isl enabled, and
rejects any configurations which attempt to disable it.

Syntax
config switch lldp profile
edit <profile>
set 802.1-tlvs port-vlan-id
set 802.3-tlvs {eee-config | max-frame-size | power-negotiation}
set auto-isl {enable | disable}
set auto-isl-hello-timer <1-30>
set auto-isl-port-group <0-9>
set auto-isl-receive-timeout <3-90>
set auto-mclag-icl {enable | disable}
set med-tlvs {inventory-management | location-identification | network-policy | power-management}
config custom-tlvs
edit <TLVname_str>
set information-string <hex-bytes>
set oui <hex-bytes>
set subtype <integer>
next
end
config med-location-service
edit address-civic
set status {enable | disable}
set sys-location-id <string>
next
edit coordinates
set status {enable | disable}
set sys-location-id <string>
next
edit elin-number
set status {enable | disable}
set sys-location-id <string>
next
end
config med-network-policy
edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
set status {enable | disable}
set assign-vlan {enable | disable}
set dscp <0-63>
set priority <0-7>
set vlan <0-4094>
next
end
next
end

Variable Description Default

profile Enter a name for the LLDP profile. No default

802.1-tlvs The only 802.1 TLV that can be enabled or disabled is no TLV enabled
port-vlan-id. This TLV will send the native VLAN of
the port. If the value is changed, the sent value will reflect
the updated value.

802.3-tlvs {eee-config | max- Set which 802.3 TLVs are enabled: no TLV enabled
frame-size | power- l eee-config—Use this TLV to send the energy-

negotiation} efficient Ethernet (EEE) status of the port.


l max-frame-size—This TLV will send the

maximum frame size value of the port. If the value is


changed, the sent value reflects the updated value.
l power-negotiation—Use this TLV to send the

power over Ethernet (PoE) classification of the port.

auto-isl Enable or disable the auto ISL capability. Disabled

FortiSwitchOS 6.4.3 CLI Reference 105


Fortinet, Inc.
config

auto-isl-hello-timer <1-30>
    Enter a value (in seconds) for the hello timer. The range is 1 to 30.
    Default: 3

auto-isl-port-group <0-9>
    Enter a value for the port group. The range is 0 to 9.
    Default: 0

auto-isl-receive-timeout
    Enter a value (in seconds) for the receive timeout. The range is 3 to 90.
    Default: 9

auto-mclag-icl {enable | disable}
    Enable or disable the MCLAG inter-chassis link.
    Default: disable

med-tlvs (inventory-management | location-identification | network-policy | power-management)
    Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.
    Default: inventory-management network-policy location-identification

config custom-tlvs

<TLVname_str>
    Enter the TLV name.
    No default

information-string
    Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.
    No default

oui
    Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.
    Default: 000000

subtype
    Organizationally defined subtype. Enter an integer in the range of 0 to 255.
    Default: 0

config med-location-service

address-civic
    Civic address and postal information.
    No default

    status {enable | disable}
        Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.
        Default: disable

    sys-location-id <string>
        Use the specified location entry that was already entered with the config system location command.
        No default

coordinates
    Coordinates of the location.
    No default

    status {enable | disable}
        Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.
        Default: disable

    sys-location-id <string>
        Use the specified location entry that was already entered with the config system location command.
        No default

elin-number
    Emergency location identifier number (ELIN).
    No default

    status {enable | disable}
        Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.
        Default: disable

    sys-location-id <string>
        Use the specified location entry that was already entered with the config system location command.
        No default

FortiSwitchOS 6.4.3 CLI Reference 106



config med-network-policy

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
    Enter one of the policy type names.
    No default

status {enable | disable}
    Enable or disable the policy for the policy type.
    Default: disable

assign-vlan {enable | disable}
    Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.
    Default: disable

dscp <0-63>
    DSCP value to send.
    Default: 0

priority <0-7>
    CoS priority value to send.
    Default: 0

vlan <0-4094>
    VLAN value to send.
    Setting this option to 0 will advertise the network policy as priority tagged, rather than VLAN tagged. Priority tagged network policies are always transmitted, whereas VLAN tagged are only transmitted if the VLAN is present on the switch interface sending the LLDP packet.
    Default: 0

NOTE: LLDP-MED network policies cannot be deleted or added. To use a policy, the med-tlvs field must include
network-policy, and you must set the policy to enabled. The VLAN values on the policy are cross-checked
against the VLAN native, allowed, and untagged attributes for any interfaces that contain physical-ports using this
profile. The cross-check determines if the policy TLV should be sent (VLAN must be native or allowed), and if the TLV
should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is
automatically updated when a switch interface changes VLAN configuration, or if a physical port is added to, or removed
from, a trunk.
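The cross-check in the note above can be modelled in a few lines. The following is an added example, not FortiSwitchOS code; the NetworkPolicy and Interface classes and their field names are my own assumptions, while the decision rules are the ones the note states.

```python
"""Model of the LLDP-MED network-policy cross-check described in the NOTE.

Added example, not FortiSwitchOS code. The dataclasses below and their
field names are assumptions; the rules are the ones the note states.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NetworkPolicy:
    """One entry under config med-network-policy."""
    name: str             # voice, guest-voice, streaming-video, ...
    status: bool = False  # set status enable/disable
    vlan: int = 0         # 0 = priority tagged, 1-4094 = VLAN tagged
    dscp: int = 0
    priority: int = 0


@dataclass
class Interface:
    """VLAN attributes of a switch interface (assumed representation)."""
    name: str
    native_vlan: int
    allowed_vlans: set = field(default_factory=set)
    untagged_vlans: set = field(default_factory=set)


def network_policy_tlv(policy: NetworkPolicy, iface: Interface,
                       med_tlvs: set) -> Optional[dict]:
    """Return the network-policy TLV that would be sent on iface, or None.

    - Nothing is sent unless med-tlvs includes network-policy and the
      policy is enabled.
    - vlan 0 advertises a priority-tagged policy, which is always sent.
    - A VLAN-tagged policy is sent only if the VLAN is the native VLAN or
      is in the allowed VLANs, and is marked untagged only if the VLAN is
      native or is in the untagged set.
    """
    if "network-policy" not in med_tlvs or not policy.status:
        return None
    if not 0 <= policy.vlan <= 4094:
        raise ValueError(f"vlan {policy.vlan} outside 0-4094")
    tlv = {"application": policy.name, "dscp": policy.dscp,
           "priority": policy.priority}
    if policy.vlan == 0:
        tlv.update(vlan=0, tagged=False, priority_tagged=True)
        return tlv
    present = (policy.vlan == iface.native_vlan
               or policy.vlan in iface.allowed_vlans)
    if not present:
        return None  # VLAN absent on this interface: TLV suppressed
    untagged = (policy.vlan == iface.native_vlan
                or policy.vlan in iface.untagged_vlans)
    tlv.update(vlan=policy.vlan, tagged=not untagged, priority_tagged=False)
    return tlv


def profile_tlvs(policies, iface, med_tlvs) -> list:
    """All network-policy TLVs a port using this profile would advertise."""
    out = []
    for p in policies:
        tlv = network_policy_tlv(p, iface, med_tlvs)
        if tlv is not None:
            out.append(tlv)
    return out


# Constructed sample: the "voice" and "streaming-video" policies from the
# profile example on this page, plus a disabled "guest-voice" policy.
VOICE = NetworkPolicy("voice", status=True, vlan=400, dscp=46, priority=5)
VIDEO = NetworkPolicy("streaming-video", status=True, vlan=400, dscp=40,
                      priority=3)
GUEST = NetworkPolicy("guest-voice")  # left disabled, as in the example
MED_TLVS = {"inventory-management", "network-policy"}

# Constructed interfaces: one carries VLAN 400 as an allowed VLAN, one does not.
PHONE_PORT = Interface("port4", native_vlan=10, allowed_vlans={10, 400})
DATA_PORT = Interface("port7", native_vlan=10, allowed_vlans={10, 200})

if __name__ == "__main__":
    for port in (PHONE_PORT, DATA_PORT):
        print(port.name, profile_tlvs([VOICE, VIDEO, GUEST], port, MED_TLVS))
```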

Example

The following example configures an LLDP-MED profile:


config switch lldp profile
edit "Forti670i"
config med-network-policy
edit "voice"
set dscp 46
set priority 5
set status enable
set vlan 400
next
edit "guest-voice"
next
edit "guest-voice-signaling"
next
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"

set dscp 40
set priority 3
set status enable
set vlan 400
next
edit "video-signaling"
next
end
set med-tlvs inventory-management network-policy
next
end

config switch lldp settings

Configure the global LLDP settings.

Syntax
config switch lldp settings
set status {enable | disable}
set tx-hold <1-16>
set tx-interval <5-4095>
set fast-start-interval <0 or 2-5>
set management-interface (internal | <string>)
set device-detection {enable | disable}
end

status
    Enable or disable LLDP.
    Default: Enabled

tx-hold
    Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.
    Default: 4

tx-interval
    How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.
    Default: 30

fast-start-interval
    How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds. Set this variable to zero to disable fast start.
    Default: 2

management-interface
    Primary management interface to be advertised in LLDP and CDP PDUs.
    Default: mgmt or internal, depending on FortiSwitch model.

device-detection {enable | disable}
    Enable or disable whether LLDP neighbor devices are dynamically detected. This option is available only in FortiLink mode.
    Default: disable

Example

The following example configures the global LLDP settings:

config switch lldp settings
set status enable
set tx-hold 8
set tx-interval 2000
set fast-start-interval 3
set management-interface internal
end

config switch macsec profile

Use these commands to configure a Media Access Control security (MACsec) profile.

Syntax
config switch macsec profile
edit <profile_name>
set cipher_suite GCM_AES_128
set confident-offset {0 | 30 | 50}
set encrypt-traffic {enable | disable}
set include-macsec-sci {enable | disable}
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority <0-255>
set replay-protect {enable | disable}
set replay-window <0-16777215>
set status {enable | disable}
config mka-psk
edit <pre-shared key name>
set crypto-alg AES_128_CMAC
set mka-cak <string>
set mka-ckn <string>
set status active
next
end
config traffic-policy
edit <traffic_policy_name>
set security-policy must-secure
set status enable
next
end
next
end

<profile_name>
    Enter a name for the MACsec profile.
    No default

cipher_suite GCM_AES_128
    Only the GCM-AES-128 cipher suite is available currently for encryption.
    Default: GCM_AES_128

confident-offset {0 | 30 | 50}
    Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted.
    Default: 0

encrypt-traffic {enable | disable}
    Enable or disable whether MACsec traffic is encrypted.
    Default: enable

include-macsec-sci {enable | disable}
    Enable or disable whether to include the MACsec transmit secure channel identifier (SCI).
    Default: enable

include-mka-icv-ind enable
    The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.
    Default: enable

macsec-mode static-cak
    The MACsec mode is always static connectivity association key (CAK).
    Default: static-cak

macsec-validate strict
    The MACsec validation is always strict.
    Default: strict

mka-priority <0-255>
    Enter the MACsec MKA priority.
    Default: 255

replay-protect {enable | disable}
    Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value.
    Default: disable

replay-window <0-16777215>
    Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.
    Default: 32

status {enable | disable}
    Enable or disable this MACsec profile.
    Default: enable

config mka-psk
    Configure the MACsec MKA pre-shared key.

<pre-shared key name>
    Enter a name for this MACsec MKA pre-shared key configuration.
    No default

crypto-alg AES_128_CMAC
    Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key.
    Default: AES_128_CMAC

mka-cak <string>
    Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32 bytes long.
    No default

mka-ckn <string>
    Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1 byte to 64 bytes long.
    No default

status active
    The status of the pre-shared key pair is always active.
    Default: active

config traffic-policy
    Configure the MACsec traffic policy.

<traffic_policy_name>
    Enter a name for this MACsec traffic policy.
    No default

security-policy must-secure
    The policy must secure traffic for MACsec.
    Default: must-secure

status enable
    The status of this MACsec traffic policy is always enabled.
    Default: enable

Example

This example configures a MACsec profile.


config switch macsec profile
edit "2"
set cipher_suite GCM_AES_128
set confident-offset 0
set encrypt-traffic enable
set include-macsec-sci enable
set include-mka-icv-ind enable
set macsec-mode static-cak
set macsec-validate strict
set mka-priority 199
config mka-psk
edit "2"
set crypto-alg AES_128_CMAC
set mka-cak "0123456789ABCDEF0123456789ABCDEE"
set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
set status active
next
end
set replay-protect disable
set replay-window 32
set status enable
config traffic-policy
edit "2"
set security-policy must-secure
set status enable
next
end
next
end
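Before pushing a MACsec profile like the one above, it is worth checking it against the option descriptions in the table: traffic left unencrypted, a nonzero confidentiality offset, replay protection off, or a CAK that is a sample value rather than a generated key. The following audit is an added example, not Fortinet code; its CLI parser only covers the config/edit/set/next/end grammar used on this page, and the sequential-key heuristic is my own.

```python
"""Parse a FortiSwitch 'config switch macsec profile' block and flag
settings that weaken the protection the link provides.

Added example, not Fortinet code. The parser covers only the
config/edit/set/next/end grammar used by the examples on this page; the
audit rules follow the option descriptions above, and the sequential-key
heuristic is my own addition.
"""
import re
from typing import Dict, List


def parse_forti_cli(text: str) -> dict:
    """Nest config/edit scopes into dicts; 'set key value' becomes a leaf."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = re.findall(r'"[^"]*"|\S+', raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _is_hex(s: str) -> bool:
    return len(s) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", s) is not None


def _looks_sequential(hexstr: str) -> bool:
    """Heuristic: most adjacent nibbles step up by one (0123...CDEF)."""
    nib = [int(c, 16) for c in hexstr]
    steps = sum(1 for a, b in zip(nib, nib[1:]) if (b - a) % 16 == 1)
    return len(nib) > 1 and steps / (len(nib) - 1) > 0.5


def audit_macsec_profile(profile: dict) -> List[str]:
    """Return findings for one profile entry (empty list = nothing to flag)."""
    findings = []
    if profile.get("status", "enable") != "enable":
        findings.append("status disable: profile is not applied")
    if profile.get("encrypt-traffic", "enable") != "enable":
        findings.append("encrypt-traffic disable: frames are integrity-protected only")
    offset = int(profile.get("confident-offset", "0"))
    if offset:
        findings.append(f"confident-offset {offset}: the first {offset} bytes of each frame are not encrypted")
    if profile.get("replay-protect", "disable") != "enable":
        findings.append("replay-protect disable: out-of-sequence frames are accepted")
    elif (window := int(profile.get("replay-window", "32"))) > 0:
        findings.append(f"replay-window {window}: reordering within {window} packets is tolerated")
    for name, psk in profile.get("mka-psk", {}).items():
        cak, ckn = psk.get("mka-cak", ""), psk.get("mka-ckn", "")
        if not _is_hex(cak) or len(cak) > 64:           # up to 32 bytes
            findings.append(f"mka-psk {name}: CAK must be hex digits, up to 32 bytes")
        elif _looks_sequential(cak):
            findings.append(f"mka-psk {name}: CAK looks like a sequential sample value")
        if not _is_hex(ckn) or len(ckn) > 128:          # 1 to 64 bytes
            findings.append(f"mka-psk {name}: CKN must be hex digits, 1 to 64 bytes")
    return findings


# Constructed input: the profile example from this page, reduced to the
# lines this audit reads.
SAMPLE_CONFIG = """
config switch macsec profile
edit "2"
set confident-offset 0
set encrypt-traffic enable
config mka-psk
edit "2"
set crypto-alg AES_128_CMAC
set mka-cak "0123456789ABCDEF0123456789ABCDEE"
set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"
set status active
next
end
set replay-protect disable
set replay-window 32
set status enable
next
end
"""


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every entry of a 'config switch macsec profile' block."""
    profiles = parse_forti_cli(text).get("switch macsec profile", {})
    return {name: audit_macsec_profile(p) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, notes in audit_config(SAMPLE_CONFIG).items():
        print(f'profile "{name}":', *notes, sep="\n  ")
```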

config switch mirror

Use these commands to configure the packet mirror. Packet mirroring allows you to collect packets on specified ports
and then send them to another port to be collected and analyzed.

Syntax
config switch mirror
edit <mirror session name>
set dst <interface>
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-src <IPv4_address>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-mac-dst <MAC_address>
set encap-mac-src <MAC_address>
set encap-vlan {tagged | untagged}
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
set erspan-collector-ip <IPv4_address>
set mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}
set rspan-ip <IPv4_address>
set src-egress <interface_name>
set src-ingress <interface_name>
set status {active | inactive}
set strip-mirrored-traffic-tags {disable | enable}
set switching-packet {enable | disable}
end

<mirror session name>
    Enter the name of the mirror session to edit (or enter a new mirror session name).
    No default

dst <interface>
    Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.
    On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.
    On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.
    No default

encap-gre-protocol <hexadecimal_integer>
    Set the protocol value in the ERSPAN GRE header.
    This option is available when the mode is ERSPAN-auto or ERSPAN-manual.
    Default: 0x88be

encap-ipv4-src <IPv4_address>
    Required when the mode is set to ERSPAN-manual and the status is active.
    Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.
    This option is available when the mode is ERSPAN-manual.
    Default: 0.0.0.0

encap-ipv4-tos <hexadecimal_integer>
    Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.
    This option is available when the mode is ERSPAN-auto or ERSPAN-manual.
    Default: 0x00

encap-ipv4-ttl <0-255>
    Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.
    This option is available when the mode is ERSPAN-auto or ERSPAN-manual.
    Default: 16

encap-mac-dst <MAC_address>
    Required when the mode is set to ERSPAN-manual and the status is active.
    Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.
    This option is available only when the mode is ERSPAN-manual.
    Default: 00:00:00:00:00:00

encap-mac-src <MAC_address>
    Required when the mode is set to ERSPAN-manual and the status is active.
    Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.
    This option is available when the mode is ERSPAN-manual.
    Default: 00:00:00:00:00:00

encap-vlan {tagged | untagged}
    Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.
    This option is available if the mode is ERSPAN-manual.
    Default: untagged

encap-vlan-cfi <0-1>
    Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.
    This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.
    When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
    Default: 0

encap-vlan-id <1-4094>
    Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.
    This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.
    Default: 1

encap-vlan-priority <0-7>
    Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.
    This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.
    When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
    Default: 0

encap-vlan-tpid <0x0001-0xfffe>
    Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.
    This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.
    Default: 0x8100

erspan-collector-ip <IPv4_address>
    Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.
    Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.
    This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.
    Default: 0.0.0.0

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}
    Select the mirroring mode:
    - ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
    - ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
    - RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
    - SPAN—Mirror traffic to the specified destination interface without encapsulation.
    SPAN is supported on all FortiSwitch models. RSPAN and ERSPAN are supported on 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E.
    Default: SPAN

rspan-ip <IPv4_address>
    Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.
    Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.
    This option is available only when the mode is RSPAN and the switch is in FortiLink mode.
    Default: 0.0.0.0

src-egress <interface_name>
    Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.
    No default

src-ingress <interface_name>
    Optional. Specify the source ingress physical ports that will be mirrored.
    No default

status {active | inactive}
    Set the mirror session to active or inactive.
    Default: inactive

strip-mirrored-traffic-tags {disable | enable}
    Enable or disable the removal of VLAN tags from mirrored traffic.
    This option is available if the mode is ERSPAN-auto or ERSPAN-manual.
    Default: disable

switching-packet {enable | disable}
    Enable or disable the switching functionality on the dst interface when mirroring.
    Default: disable

Example

The following example configures a port mirror:


config switch mirror
edit "m1"
set mode SPAN
set dst "port5"
set src-egress "port2" "port3"
set src-ingress "port2" "port4"
set status active
set switching-packet enable
end
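The "Required when ..." and "available when ..." rules in the table above are easy to get wrong when a session is built by hand, and an incomplete ERSPAN session simply sends nothing to the collector. The validator below is an added example, not Fortinet code: sessions are plain dicts keyed by the CLI option names, and the fortilink flag is my own parameter, since whether the switch is FortiGate-managed is not part of the session itself.

```python
"""Validate 'config switch mirror' sessions against the requirement rules
in the table above before pushing them to a switch.

Added example, not Fortinet code. Sessions are dicts keyed by the CLI
option names; 'fortilink' is an assumed parameter describing whether the
switch is managed by a FortiGate unit.
"""
from typing import Dict, List

ZERO_IP = "0.0.0.0"               # documented default for IPv4 options
ZERO_MAC = "00:00:00:00:00:00"    # documented default for MAC options
MODES = {"ERSPAN-auto", "ERSPAN-manual", "RSPAN", "SPAN"}


def _is_set(session: dict, key: str, unset) -> bool:
    """True if the option is present and not at its all-zero default."""
    return session.get(key, unset) != unset


def validate_mirror_session(session: dict, fortilink: bool = False) -> List[str]:
    """Return the problems that would leave this session incomplete."""
    errors: List[str] = []
    mode = session.get("mode", "SPAN")
    active = session.get("status", "inactive") == "active"
    if mode not in MODES:
        return [f"unknown mode {mode!r}"]
    # dst: required for ERSPAN-manual, SPAN, and RSPAN outside FortiLink mode.
    needs_dst = mode in ("ERSPAN-manual", "SPAN") or (mode == "RSPAN" and not fortilink)
    if needs_dst and not session.get("dst"):
        errors.append(f"dst is required when mode is {mode}")
    if active and mode in ("ERSPAN-auto", "ERSPAN-manual"):
        if not _is_set(session, "erspan-collector-ip", ZERO_IP):
            errors.append("erspan-collector-ip is required for an active ERSPAN session")
    if active and mode == "ERSPAN-manual":
        for key, unset in (("encap-ipv4-src", ZERO_IP), ("encap-mac-dst", ZERO_MAC),
                           ("encap-mac-src", ZERO_MAC)):
            if not _is_set(session, key, unset):
                errors.append(f"{key} is required for an active ERSPAN-manual session")
    if active and mode == "RSPAN" and fortilink and not _is_set(session, "rspan-ip", ZERO_IP):
        errors.append("rspan-ip is required for an active RSPAN session in FortiLink mode")
    # Options the table marks as available only in certain modes: flag them
    # so the operator notices a setting that does not apply to this mode.
    if mode != "ERSPAN-manual" and "encap-vlan" in session:
        errors.append("encap-vlan only applies to ERSPAN-manual")
    if mode not in ("ERSPAN-auto", "ERSPAN-manual") and "strip-mirrored-traffic-tags" in session:
        errors.append("strip-mirrored-traffic-tags only applies to ERSPAN modes")
    return errors


def validate_mirror_config(sessions: Dict[str, dict],
                           fortilink: bool = False) -> Dict[str, List[str]]:
    """Validate all sessions and enforce the single-active-egress rule."""
    result = {name: validate_mirror_session(s, fortilink) for name, s in sessions.items()}
    egress = [n for n, s in sessions.items()
              if s.get("status") == "active" and s.get("src-egress")]
    if len(egress) > 1:
        for n in egress:
            result[n].append("only one active egress mirror session is allowed")
    return result


# Constructed sessions: "m1" is the SPAN example from this page; "erspan1"
# is an ERSPAN-manual session that forgot the next-hop MAC address.
SESSIONS = {
    "m1": {"mode": "SPAN", "dst": "port5", "src-egress": ["port2", "port3"],
           "src-ingress": ["port2", "port4"], "status": "active",
           "switching-packet": "enable"},
    "erspan1": {"mode": "ERSPAN-manual", "dst": "port12", "status": "active",
                "erspan-collector-ip": "192.0.2.50",
                "encap-ipv4-src": "192.0.2.7",
                "encap-mac-src": "00:11:22:33:44:55",
                "src-ingress": ["port8"]},   # encap-mac-dst left at default
}

if __name__ == "__main__":
    for name, problems in validate_mirror_config(SESSIONS).items():
        print(name, problems or "ok")
```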

config switch mld-snooping globals

Use this command to configure global settings for Multicast Listener Discovery (MLD) snooping on the FortiSwitch unit.

Syntax
config switch mld-snooping globals
set aging-time <integer>
set leave-response-timeout <integer>
set query-interval <10-1200>
end

aging-time <integer>
    The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).
    Default: 300

leave-response-timeout <integer>
    Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.
    Default: 10

query-interval <10-1200>
    Enter the maximum number of seconds between MLD queries.
    Default: 125

Example

The following example configures the global settings for MLD snooping on the FortiSwitch unit:
config switch mld-snooping globals
set aging-time 150
set leave-response-timeout 15
set query-interval 200
end

config switch network-monitor directed

Use this command to configure a static entry for network monitoring on the FortiSwitch unit.

Syntax
config switch network-monitor directed
edit <unused network monitor>
set monitor-mac <xx:xx:xx:xx:xx:xx>
end

<unused network monitor>
    Enter the number of an unused network monitor.
    No default

monitor-mac <xx:xx:xx:xx:xx:xx>
    Enter the MAC address to be monitored.
    Default: 00:00:00:00:00:00

Example

The following example specifies a MAC address to be monitored:


config switch network-monitor directed
edit 1
set monitor-mac 00:25:00:61:64:6d
next
end

config switch network-monitor settings

Use this command to configure global settings for network monitoring on the FortiSwitch unit.

Syntax
config switch network-monitor settings
set db-aging-interval <integer>
set status {disable | enable}
set survey-mode {disable | enable}
set survey-mode-interval <integer>
end

db-aging-interval <integer>
    Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.
    Default: 3600

status {disable | enable}
    Enable or disable the network monitor.
    Default: disable

survey-mode {disable | enable}
    Enable or disable the network monitor survey mode.
    Default: disable

survey-mode-interval <integer>
    Enter the duration for which a network monitor is programmed in hardware in the survey mode. The value range is 120-3600 seconds.
    Default: 120

Example

The following example starts network monitoring in survey mode:


config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval 480
end


config switch phy-mode

On FortiSwitch models that provide 40G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout
cable to convert one 40G interface into four 10G interfaces. Use this command to configure split ports.

Notes

- Splitting ports is supported on the following FortiSwitch models:
  - 3032D (ports 5 to 28 are splittable)
  - 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G when configured in 40G QSFP mode. Use the set <port-name>-phy-mode disabled command to disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
  - 524D, 524D-FPOE (ports 29 and 30 are splittable)
  - 548D, 548D-FPOE (ports 53 and 54 are splittable)
  - 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or 2 x 50G. Only two of the available ports can be split.)
  - 1048E (In the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All four ports can be split, but ports 47 and 48 are disabled.)
  - 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, and 54 are splittable as 4 x 10G or 4 x 1G.)
  Use the set port-configuration ? command to check which ports are supported for each model.
- Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore, only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D and the 1048E models have enough ports to encounter this limit.
- Starting in FortiOS 6.2.0, splitting ports is supported in FortiLink mode (that is, the FortiSwitch unit managed by a FortiGate unit).
- Starting in FortiSwitchOS 6.4.0, FC-FEC (cl74) is enabled as the default setting for ports that have been split to 4x25G. Use the following commands to change the setting:
  config switch physical-port
  edit <split_port_name>
  set fec-state {cl74 | disabled}
  end

Syntax
config switch phy-mode
set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G |
4x4x25G}
set <port-name>-phy-mode {single-port | 4x25G | 4x10G | 4x1G | 2x50G}
...
end

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}
    For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.
    For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.
    For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
    For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.
    For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52. Ports 47 and 48 are disabled.
    Default: default

<port-name>-phy-mode {single-port | 4x25G | 4x10G | 4x1G | 2x50G}
    Use one entry for each port that supports split ports.
    Set this option to single-port to use the port at the full base speed without splitting it.
    For 100G QSFP only, set this option to 4x25G to split one port into four subports of 25 Gbps each.
    For 40G or 100G QSFP only, set this option to 4x10G to split one port into four subports of 10 Gbps each.
    For 40G or 100G QSFP only, set this option to 4x1G to split one port into four subports of 1 Gbps each.
    For 100G QSFP only, set this option to 2x50G to split one port into two subports of 50 Gbps each.
    Default: 1x40G

Example

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:
config switch phy-mode
set port5-phy-mode 1x40G
set port6-phy-mode 1x40G
set port7-phy-mode 1x40G
set port8-phy-mode 1x40G
set port9-phy-mode 1x40G
set port10-phy-mode 4x10G
set port11-phy-mode 1x40G
set port12-phy-mode 1x40G
set port13-phy-mode 1x40G
set port14-phy-mode 4x10G
set port15-phy-mode 1x40G
set port16-phy-mode 1x40G
set port17-phy-mode 1x40G
set port18-phy-mode 1x40G
set port19-phy-mode 1x40G
set port20-phy-mode 1x40G
set port21-phy-mode 1x40G
set port22-phy-mode 1x40G
set port23-phy-mode 1x40G
set port24-phy-mode 1x40G
set port25-phy-mode 1x40G
set port26-phy-mode 1x40G
set port27-phy-mode 1x40G
set port28-phy-mode 4x10G
end

In the following example, a FortiSwitch 1048E model is configured so that each of ports 49 through 52 is split into four subports of 25 Gbps each.
config switch phy-mode
set port-configuration 4x4x25G
set port49-phy-mode 4x25G
set port50-phy-mode 4x25G
set port51-phy-mode 4x25G
set port52-phy-mode 4x25G
end
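The note above gives a hard limit of 64 ports in software, management port included, and concludes that at most 10 QSFP ports can be split. The planner below is an added example, not Fortinet code: it applies that arithmetic to a requested set of splits and emits the matching CLI lines. The per-model port table is my assumption for illustration (the 3032D is modelled as 32 front-panel ports, of which ports 5 to 28 are splittable, as the notes state).

```python
"""Check a planned 'config switch phy-mode' split against the 64-port
software limit from the notes above and emit the matching CLI lines.

Added example, not Fortinet code. MODELS is an assumed table for
illustration; the 64-port limit (including the management port) and the
splittable port range of the 3032D are taken from the notes.
"""
from typing import Dict, List

MAX_PORTS = 64          # software limit, including the management port
MGMT_PORTS = 1

# Subports produced by each phy-mode value (single-port/1x40G keep one port).
SUBPORTS = {"1x40G": 1, "single-port": 1, "4x25G": 4, "4x10G": 4,
            "4x1G": 4, "2x50G": 2}

# Assumed model table: (front-panel port count, splittable port numbers).
MODELS = {"3032D": (32, range(5, 29))}


def plan_phy_mode(model: str, splits: Dict[int, str]) -> dict:
    """Return the resulting port count, the CLI lines, and any violations."""
    total_ports, splittable = MODELS[model]
    errors: List[str] = []
    ports_in_software = total_ports + MGMT_PORTS
    lines = ["config switch phy-mode"]
    for port in sorted(splits):
        mode = splits[port]
        if port not in splittable:
            errors.append(f"port{port} is not splittable on the {model}")
            continue
        if mode not in SUBPORTS:
            errors.append(f"port{port}: unknown phy-mode {mode}")
            continue
        # One physical port is replaced by N subports, so the net growth is N - 1.
        ports_in_software += SUBPORTS[mode] - 1
        lines.append(f"set port{port}-phy-mode {mode}")
    lines.append("end")
    if ports_in_software > MAX_PORTS:
        errors.append(f"{ports_in_software} ports exceed the software limit of {MAX_PORTS}")
    return {"ports": ports_in_software, "cli": lines, "errors": errors}


if __name__ == "__main__":
    # The 3032D example from this page: ports 10, 14 and 28 as 4x10G.
    print("\n".join(plan_phy_mode("3032D", {10: "4x10G", 14: "4x10G", 28: "4x10G"})["cli"]))
    # Ten 4x splits reach 63 ports; an eleventh would exceed the limit,
    # which reproduces the "only 10 QSFP ports can be split" figure.
    print(plan_phy_mode("3032D", {p: "4x10G" for p in range(5, 16)})["errors"])
```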

config switch physical-port

Use this command to configure a physical port.

Syntax
config switch physical-port
edit <port_name>
set cdp-status {disable | rx-only | tx-only | tx-rx}
set description <description_str>
set dmi-status {disable | enable | global}
set egress-drop-mode {disabled | enabled}
set energy-efficient-ethernet {enable | disable}
set eee-tx-idle-time <integer>
set eee-tx-wake-time <integer>
set flapguard {enabled | disabled}
set flap-duration <5-300>
set flap-rate <1-30>
set flap-timeout <0-120>
set flow-control {tx | rx | both | disable}
set pause-meter-rate <integer>
set pause-resume {25% | 50% | 75%}
set l2-learning {enable | disable}
set lldp-profile <profile name>
set lldp-status {tx-only | rx-only | tx-rx | disable}
set loopback {disable | local | remote}
set max-frame-size <bytes_int>
set poe-port-mode {IEEE802_3AF | IEEE802_3AT}
set poe-port-priority {critical-priority | high-priority | low-priority}
set poe-pre-standard-detect {disable | enable}
set poe-status {enable | disable}
set priority-based-flow-control {enable | disable}
set qsfp-low-power-mode {enabled | disabled}
set speed <speed_str>
set status {down | up}
set storm-control-mode {disabled | global | override}
config storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-multicast {enable | disable}
set unknown-unicast {enable | disable}
end

<port_name>
    Enter the port name.
    No default

cdp-status {disable | rx-only | tx-only | tx-rx}
    Set the CDP transmit and receive status (LLDP must be enabled in LLDP settings).
    - disable disables CDP transmit and receive.
    - rx-only enables CDP as receive only.
    - tx-only enables CDP as transmit only.
    - tx-rx enables CDP transmit and receive.
    Default: disable

description <description_str>
    Optionally enter a description.
    No default

dmi-status {disable | enable | global}
    Enable or disable DMI access. Set to global to use the global switch setting.
    Default: global

egress-drop-mode {disabled | enabled}
    Enable or disable egress drop.
    Default: enabled

energy-efficient-ethernet {enable | disable}
    Enable or disable energy-efficient Ethernet.
    Default: disable

eee-tx-idle-time <integer>
    Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.
    Default: 60

eee-tx-wake-time <integer>
    Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.
    Default: 30

flapguard {enabled | disabled}
    Enable or disable flap guard for this port.
    Default: disabled

flap-duration <5-300>
    After enabling the port flap guard, set the number of seconds during which the flap rate is counted.
    Default: 30

flap-rate <1-30>
    After enabling the port flap guard, set how many times a port's status changes during a specified number of seconds before the flap guard is triggered.
    Default: 5

flap-timeout <0-120>
    After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.
    Default: 0

flow-control {tx | rx | both | disable}
    Set flow control:
    - tx — enable transmit pause only
    - rx — enable receive pause only
    - both — enable both transmit and receive pause
    - disable — disable flow control
    Default: disable

pause-meter-rate <integer>
    Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.
    Default: 0

pause-resume {25% | 50% | 75%}
    Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.
    Default: 75%

l2-learning {enable | disable}
    Enable or disable dynamic IP learning for this interface.
    Default: enabled

lldp-profile <profile name>
    Enter the LLDP profile name for this port.
    Default: default

lldp-status {tx-only | rx-only | tx-rx | disable}
    Set LLDP status for this port:
    - tx-only — enable transmit only
    - rx-only — enable receive only
    - tx-rx — enable both transmit and receive
    - disable — disable LLDP
    Default: tx-rx

loopback {disable | local | remote}
    Set whether the physical port loops back on itself, either locally or remotely:
    - Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
    - Select remote for a physical-layer lineside loopback.
    Default: disable

max-frame-size <bytes_int>
    Set the maximum frame size. The range is 68 to 16360.
    NOTE: For the eight models in the 1xxE series, this command is under the config switch global command.
    Default: 9216

poe-port-mode {IEEE802_3AF | IEEE802_3AT}
    Set the PoE port mode to IEEE802.3AF or IEEE802.3AT.
    Default: IEEE802_3AT

poe-port-priority {critical-priority | high-priority | low-priority}
    Set the port priority. If there is not enough power, power is allotted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.
    Default: low-priority

poe-pre-standard-detect {disable | enable}
    Enable or disable PoE pre-standard detection.
    NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.
    Default: enable

poe-status {enable | disable}
    Enable Power over Ethernet. This option is only available with the FortiSwitch-324B-POE.
    Default: enable

priority-based-flow-control {enable | disable}
    Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.
    Default: disable

qsfp-low-power-mode {enabled | disabled}
    Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.
    Default: disabled

speed <speed_str>
    Set the speed of this port. Values depend on the switch model and port. For example:
    - 1000auto—Auto-negotiation (1 Gbps full-duplex only).
    - 100full—100 Mbps full-duplex.
    - 100half—100 Mbps half-duplex.
    - 10full—10 Mbps full-duplex.
    - 10half—10 Mbps half-duplex.
    - auto—Auto-negotiation.
    - 10000cr—10 Gbps copper interface.
    - 10000full—10 Gbps full-duplex.
    - 10000sr—10 Gbps SFI interface.
    - 1000full—1 Gbps full-duplex.
    - auto-module—Maximum speed supported by module.
    Default: auto

status {down | up}
    Set the administrative status of this interface: up or down.
    Default: up

storm-control-mode {disabled | global | override}
    By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.
    Default: global

config storm-control

broadcast {enable | disable}
    Enable or disable storm control for broadcast traffic.
    Default: disable

burst-size-level <0-4>
    Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.
    NOTE: This command is not available for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.
    Default: 0

rate [0 | 2-10000000]
    Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).
    Default: 500

unknown-multicast {enable | disable}
    Enable or disable storm control for unknown multicast traffic.
    Default: disable

unknown-unicast {enable | disable}
    Enable or disable storm control for unknown unicast traffic.
    Default: disable

Example

In the following example, port 4 is configured:


config switch physical-port
edit "port4"
set lldp-profile "Forti670i"
set speed auto
next
end

config switch ptp policy

Use this command to configure the Precision Time Protocol (PTP) policy.

Syntax
config switch ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end

{default | <policy_name>}
    Enter the name of the PTP policy or use the default PTP policy.
    No default

status {enable | disable}
    Enable or disable the PTP policy. The PTP policy will not take effect until the mode is set under the config switch ptp settings command.
    Default: disable

Example
config switch ptp policy
edit "newptp"
set status enable
next
end

config switch ptp settings

Use this command to configure the Precision Time Protocol (PTP) global settings.

Syntax
config switch ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end

mode {disable | transparent-e2e | transparent-p2p}
    Enable or disable the PTP mode:
    - disable—Disable the PTP mode. The packets are forwarded without changes to the correction field.
    - transparent-e2e—Enable the end-to-end transparent clock.
    - transparent-p2p—Enable the peer-to-peer transparent clock.
    Default: disable

Example
config switch ptp settings
set mode transparent-e2e
end

config switch qos dot1p-map

Use this command to configure a dot1p map. A dot1p map defines a mapping between IEEE 802.1p CoS values (from
incoming packets on a trusted interface) and the egress queue values. For an example, see Appendix: FortiSwitch QoS
template on page 400.
NOTE: You can configure only one dot1p map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax
config switch qos dot1p-map
edit <dot1p map name>
set description <text>
set [priority-0|priority-1|priority-2|...priority-7] <queue number>
set egress-pri-tagging {disable | enable}
next
end

Variable Description Default

<dot1p map name> Enter the name of a dot1p map. No default

<text> Enter a description of the dot1p map. No default

[priority-0|priority-1|priority-2|...priority-7] <queue number> Set the priority of each queue. queue-0

egress-pri-tagging {disable | enable} Enable or disable priority tagging on outgoing frames. disable
NOTE: This command is not available on the FS-108E,
FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE,
FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Example
config switch qos dot1p-map
edit "test1"
set priority-0 queue-2
set priority-1 queue-0
set priority-2 queue-1
set priority-3 queue-3
set priority-4 queue-4
set priority-5 queue-5
set priority-6 queue-6
set priority-7 queue-7
set egress-pri-tagging enable
next
end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to
queue 0.
If an incoming packet contains no CoS value, the switch assigns a CoS value of zero. Use the set default-cos
<interface> command to configure a different default CoS value. The valid range is from 0 to 7. The configured
default CoS only applies if you also set trust-dot1p-map on the interface.

config switch qos ip-dscp-map

Use this command to configure a DSCP map. A DSCP map defines a mapping between IP Precedence or Differentiated
Services Code Point (DSCP) values and the egress queue values. For an example, see Appendix: FortiSwitch QoS
template on page 400.
NOTE: You can configure only one DSCP map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E,
FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax
config switch qos ip-dscp-map
edit <ip-dscp map name>
set description <text>
config map
edit <entry-name>
set diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 |
AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]
set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash
Override | Flash | Immediate | Priority | Routine ]
set value <dscp raw value>
set cos-queue <queue number>
next
end
next
end

Variable Description Default

<ip-dscp map name> Enter the name of a DSCP map. No default

<text> Enter a description of the DSCP map. No default

<entry-name> Enter a unique integer to create a new entry. No default

diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ] Set the differentiated service. No default

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine ] Set the IP precedence. No default

value <dscp raw value> Enter the raw value of DSCP (0-63). No default

cos-queue <queue number> Enter the CoS queue number. 0

Example

The following example defines a mapping for two of the DSCP values:


config switch qos ip-dscp-map
edit "m1"
config map
edit "e1"
set cos-queue 0
set ip-precedence Immediate
next
edit "e2"
set cos-queue 3
set value 13
next
end
next
end

Values that are not explicitly included in the map will follow the default mapping, which assigns queue 0 for all
DSCP values.
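To review what a DSCP map will actually do before it is pushed, here is an added Python example (not code from the FortiSwitchOS reference) that expands a map into the full DSCP-to-queue table using the rules above, including the fall-back to queue 0. The standard code points behind the diffserv and IP precedence names, the MapEntry class and the overlap check are this example's own constructions; the reference does not say which entry wins when two entries select the same DSCP value, so the example reports such overlaps instead of guessing.

```python
"""Expand a FortiSwitch ip-dscp-map into the full DSCP -> egress queue table.

Added example, not taken from the FortiSwitchOS reference. It applies the rules
the reference states: an entry selects DSCP values by diffserv name, by IP
precedence name, or by raw value, and every value the map does not cover goes
to queue 0.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard code points behind the diffserv names the CLI accepts (class
# selectors per RFC 2474, assured forwarding per RFC 2597, EF per RFC 3246).
DIFFSERV: Dict[str, int] = {
    "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32, "CS5": 40, "CS6": 48, "CS7": 56,
    "AF11": 10, "AF12": 12, "AF13": 14, "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30, "AF41": 34, "AF42": 36, "AF43": 38,
    "EF": 46,
}

# IP precedence is the upper three bits of the DSCP field, so one precedence
# name covers a block of eight raw DSCP values.
IP_PRECEDENCE: Dict[str, int] = {
    "Routine": 0, "Priority": 1, "Immediate": 2, "Flash": 3,
    "Flash Override": 4, "Critic/ECP": 5, "Internetwork Control": 6,
    "Network Control": 7,
}


@dataclass
class MapEntry:
    """One 'config map' entry; unset selectors are None, cos-queue defaults to 0."""
    name: str
    cos_queue: int = 0
    diffserv: Optional[str] = None
    ip_precedence: Optional[str] = None
    value: Optional[int] = None

    def dscp_values(self) -> List[int]:
        """Raw DSCP values (0-63) this entry selects."""
        if not 0 <= self.cos_queue <= 7:
            raise ValueError(f"{self.name}: cos-queue must be 0-7")
        selected = set()
        if self.diffserv is not None:
            selected.add(DIFFSERV[self.diffserv])
        if self.ip_precedence is not None:
            base = IP_PRECEDENCE[self.ip_precedence] << 3
            selected.update(range(base, base + 8))
        if self.value is not None:
            if not 0 <= self.value <= 63:
                raise ValueError(f"{self.name}: raw DSCP value must be 0-63")
            selected.add(self.value)
        return sorted(selected)


def find_conflicts(entries: List[MapEntry]) -> List[Tuple[int, str, str]]:
    """Report DSCP values that two entries send to different queues.

    The reference does not say which entry wins, so a reviewer should resolve
    every conflict explicitly rather than rely on device behaviour.
    """
    owner: Dict[int, MapEntry] = {}
    conflicts: List[Tuple[int, str, str]] = []
    for entry in entries:
        for dscp in entry.dscp_values():
            earlier = owner.get(dscp)
            if earlier is not None and earlier.cos_queue != entry.cos_queue:
                conflicts.append((dscp, earlier.name, entry.name))
            owner.setdefault(dscp, entry)
    return conflicts


def build_queue_table(entries: List[MapEntry]) -> Dict[int, int]:
    """Full DSCP -> queue table; unmapped values follow the default mapping (queue 0).

    Entries are applied in list order (an assumption of this model), so a later
    entry overrides an earlier one on overlap; run find_conflicts() first.
    """
    table = {dscp: 0 for dscp in range(64)}
    for entry in entries:
        for dscp in entry.dscp_values():
            table[dscp] = entry.cos_queue
    return table


def non_default_mappings(table: Dict[int, int]) -> Dict[int, List[int]]:
    """Group the DSCP values that leave queue 0, keyed by queue, for a quick review."""
    grouped: Dict[int, List[int]] = {}
    for dscp, queue in sorted(table.items()):
        if queue != 0:
            grouped.setdefault(queue, []).append(dscp)
    return grouped


# The map "m1" from the reference's example: e1 sends IP precedence Immediate
# (DSCP 16-23) to queue 0, e2 sends raw DSCP 13 to queue 3.
M1 = [
    MapEntry("e1", cos_queue=0, ip_precedence="Immediate"),
    MapEntry("e2", cos_queue=3, value=13),
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(M1))
    print("non-default mappings:", non_default_mappings(build_queue_table(M1)))
```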

config switch qos qos-policy

Use this command to configure QoS policies. For an example, see Appendix: FortiSwitch QoS template on page 400.
In a QoS policy, you set the scheduling mode (Strict, Round Robin, Weighted Round Robin) for the policy, and configure
one or more CoS queues.

Syntax
config switch qos qos-policy
edit <policy_name>
set rate-by {kbps | percent}
set schedule {strict | round-robin | weighted}
config cos-queue
edit [queue-0 ... queue-7]
set description <text>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set max-rate <rate kbps>
set min-rate <rate kbps>
set max-rate-percent <percentage>
set min-rate-percent <percentage>
set weight <value>
set wred-slope <value>
next
end
next
end

Variable Description Default

<policy_name> Enter the name of the QoS policy. No default

rate-by {kbps | percent} Set whether the CoS queue rate is measured in kbps or by kbps
percentage.

schedule {strict | round-robin | weighted} Set the CoS queue scheduling. round-robin
• strict: The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
• round-robin: In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
• weighted: Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

[queue-0 ... queue-7] Set the CoS queue to update. No default

description <text> Enter a description of the CoS queue. No default

drop-policy {taildrop | weighted-random-early-detection} Set the CoS queue drop policy. taildrop
• taildrop: When the queue is full, new packets are dropped.
• weighted-random-early-detection: When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the CoS queue drop policy under the config switch global command.

ecn {enable | disable} If you select random early detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets. If you disable this option, the normal queue drop policy applies. disable

max-rate <rate kbps> If you set the rate-by to kbps, enter the maximum rate in kbps. 0
Set the value to 0 to disable.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-
124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-
POE models, the switch rounds the max-rate value to the
nearest multiple of 16 internally. If the rounding result is 0,
max-rate is disabled internally.
min-rate <rate kbps> If you set the rate-by to kbps, enter the minimum rate in kbps. 0
Set the value to 0 to disable.
NOTE: This command is not available on the FS-108E, FS-
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.

max-rate-percent <percentage> If you set the rate-by to percent, enter the maximum rate as a 0
percentage of the link speed.

min-rate-percent <percentage> If you set the rate-by to percent, enter the minimum rate as a 0
percentage of the link speed.
NOTE: This command is not available on the FS-108E, FS-
108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-
124E-FPOE, FS-148E, and FS-148E-POE models.

weight <value> Enter the weight for weighted round robin scheduling (applicable if the policy schedule is weighted). 1

wred-slope <value> Enter the slope of WRED drop probability. 45
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the QoS RED/WRED drop probability under the config switch global command.

Example

The following example defines a QoS policy for queue 0:


config switch qos qos-policy
edit policy1
set rate-by kbps
set schedule weighted
config cos-queue
edit queue-0
set description "QoS policy for queue 0"
set drop-policy weighted-random-early-detection
set max-rate 20
set min-rate 10
set weight 5
set wred-slope 15
end
end

config switch quarantine

NOTE: This command is available only in FortiLink mode.


Use this command to specify which MAC addresses to quarantine on the FortiSwitch unit.

Syntax
config switch quarantine
edit <MAC_address_to_quarantine>
set cos-queue <0-7>
set description <string>
set drop {enable | disable}
set policer <integer>
end

Variable Description Default

<MAC_address_to_quarantine> Enter the MAC address to quarantine. No default

cos-queue <0-7> Set the class-of-service queue for the quarantined device No default
traffic. Use the unset cos-queue command to disable this
setting.

description <string> Enter an optional description of the quarantined MAC address. No default

drop {enable | disable} Enable or disable whether quarantined device traffic is disable
dropped.

policer <integer> Set the ACL policer for the quarantined device traffic. 0

config switch raguard-policy

Use this command to specify the criteria that router advertisement (RA) messages must match before the RA messages
are forwarded. If the RA messages match the criteria in the RA-guard policy, they are forwarded. If the RA messages do
not match the criteria in the RA-guard policy, they are dropped.
IPv6 RA guard is supported on 2xx models and higher.

Syntax
config switch raguard-policy
edit <RA-guard policy name>
set device-role {host | router}
set managed-flag {Off | On}
set other-flag {Off | On}
set max-hop-limit <0-255>
set min-hop-limit <0-255>
set max-router-preference {high | medium | low}
set match-src-addr <name_of_IPv6_access_list>
set match-prefix <name_of_IPv6_prefix_list>
next
end

Variable Description Default

<RA-guard policy name> Enter the name of the RA-guard policy. No default

device-role {host | router} Set whether this policy applies to hosts or routers. If this option host
is set to host, all RA messages are dropped. If this option is
set to router, the policy checks the other specified criteria.

managed-flag {Off | On} Set to On for the policy to accept RA messages that are No default
flagged with the M (managed address configuration) flag; if the
RA messages are not flagged, they are dropped.
Set to Off for the policy to accept RA messages that are not
flagged with the M flag; if the RA messages are flagged, they
are dropped.
If this option is not set, the policy skips this check.

other-flag {Off | On} Set to On for the policy to accept RA messages that are No default
flagged with the O (other configuration) flag; if the RA
messages are not flagged, they are dropped.
Set to Off for the policy to accept RA messages that are not
flagged with the O flag; if the RA messages are flagged, they
are dropped.
If this option is not set, the policy skips this check.

max-hop-limit <0-255> Enter the maximum hop number for the policy to accept RA 0
messages with a hop number equal or less than this value.
If this option is not set, the policy skips this check.

min-hop-limit <0-255> Enter the minimum hop number for the policy to accept RA 0
messages with a hop number equal or more than this value.
If this option is not set, the policy skips this check.

max-router-preference {high | Set the default router preference for the policy to accept RA No default
medium | low} messages with the router preference equal or less than this
setting. When the router preference of RA messages is not set
as high, medium, or low, RA guard acts as if the router
preference was set to medium.
If this option is not set, the policy skips this check.

match-src-addr <name_of_IPv6_ Enter the name of the IPv6 access list for the policy to check if No default
access_list> the source IPv6 address of the RA message matches an
allowed address. The IPv6 access list must be created (with
the config router access-list6 command) before it
is used in a policy.

match-prefix <name_of_IPv6_ Enter the name of the IPv6 prefix list for the policy to check if No default
prefix_list> the IPv6 address prefix of the RA message matches an allowed
prefix. The IPv6 prefix list must be created (with the config
router prefix-list6 command) before it is used in a
policy.

Example

The following example creates an IPv6 RA-guard policy:


config switch raguard-policy
edit RApolicy1
set device-role router
set managed-flag On
set other-flag On
set max-hop-limit 100
set min-hop-limit 5
set max-router-preference medium
set match-src-addr accesslist1
set match-prefix prefixlist1
next
end
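As an added illustration, not part of the reference, the following Python model applies the RA-guard rules described above (device-role, the M and O flags, hop limits, router preference with its treat-as-medium rule, source and prefix matching) to constructed RA messages, so the effect of a policy such as RApolicy1 can be checked before it is deployed. The RaGuardPolicy and RouterAdvertisement classes are assumptions of this example, an option left None is taken to mean "not set" (check skipped), and plain lists of IPv6 prefixes stand in for accesslist1 and prefixlist1 rather than real access-list6 and prefix-list6 objects.

```python
"""Evaluate a router advertisement against a FortiSwitch RA-guard policy.

Added example, not part of the FortiSwitchOS reference. It mirrors the accept
and drop rules the reference gives for config switch raguard-policy.
Assumptions: None means "not set" (the check is skipped); match-src-addr and
match-prefix are plain prefix lists standing in for access-list6/prefix-list6.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

# Ordering used for the max-router-preference comparison.
PREFERENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                    # host | router
    managed_flag: Optional[str] = None           # On | Off | None (not set)
    other_flag: Optional[str] = None             # On | Off | None (not set)
    max_hop_limit: Optional[int] = None          # 0-255 or None (not set)
    min_hop_limit: Optional[int] = None          # 0-255 or None (not set)
    max_router_preference: Optional[str] = None  # high | medium | low | None
    match_src_addr: Optional[List[str]] = None   # allowed RA source prefixes
    match_prefix: Optional[List[str]] = None     # allowed advertised prefixes


@dataclass
class RouterAdvertisement:
    """The RA fields the policy looks at (constructed sample data, not a capture)."""
    src: str
    hop_limit: int
    m_flag: bool
    o_flag: bool
    router_pref: Optional[str]  # None when the RA carries no high/medium/low value
    prefixes: List[str] = field(default_factory=list)


def evaluate(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (forwarded, reason) for one RA under the policy."""
    # device-role host: every RA is dropped and no other criteria are checked.
    if policy.device_role == "host":
        return False, "device-role host: all RA messages dropped"

    # managed-flag/other-flag: On accepts only flagged RAs, Off only unflagged ones.
    if policy.managed_flag is not None and ra.m_flag != (policy.managed_flag == "On"):
        return False, f"M flag does not match managed-flag {policy.managed_flag}"
    if policy.other_flag is not None and ra.o_flag != (policy.other_flag == "On"):
        return False, f"O flag does not match other-flag {policy.other_flag}"

    if policy.max_hop_limit is not None and ra.hop_limit > policy.max_hop_limit:
        return False, f"hop limit {ra.hop_limit} above max-hop-limit {policy.max_hop_limit}"
    if policy.min_hop_limit is not None and ra.hop_limit < policy.min_hop_limit:
        return False, f"hop limit {ra.hop_limit} below min-hop-limit {policy.min_hop_limit}"

    if policy.max_router_preference is not None:
        # An RA whose preference is not high/medium/low is treated as medium.
        pref = ra.router_pref if ra.router_pref in PREFERENCE_RANK else "medium"
        if PREFERENCE_RANK[pref] > PREFERENCE_RANK[policy.max_router_preference]:
            return False, f"router preference {pref} above {policy.max_router_preference}"

    if policy.match_src_addr is not None:
        src = IPv6Address(ra.src)
        if not any(src in IPv6Network(net) for net in policy.match_src_addr):
            return False, f"source {ra.src} not in match-src-addr list"

    if policy.match_prefix is not None:
        allowed = [IPv6Network(p) for p in policy.match_prefix]
        for advertised in ra.prefixes:
            if not any(IPv6Network(advertised).subnet_of(net) for net in allowed):
                return False, f"advertised prefix {advertised} not in match-prefix list"

    return True, "forwarded"


# RApolicy1 from the reference's example, with constructed stand-ins for
# accesslist1 (link-local sources) and prefixlist1 (the site's own prefix).
RAPOLICY1 = RaGuardPolicy(
    device_role="router", managed_flag="On", other_flag="On",
    max_hop_limit=100, min_hop_limit=5, max_router_preference="medium",
    match_src_addr=["fe80::/10"], match_prefix=["2001:db8::/32"],
)

# Constructed RAs: a conforming one, one claiming high preference, one with no
# recognised preference, and one advertising a prefix outside the allowed list.
GOOD_RA = RouterAdvertisement("fe80::1", 64, True, True, "medium", ["2001:db8:1::/64"])
HIGH_PREF_RA = RouterAdvertisement("fe80::1", 64, True, True, "high", ["2001:db8:1::/64"])
UNKNOWN_PREF_RA = RouterAdvertisement("fe80::1", 64, True, True, None, ["2001:db8:1::/64"])
FOREIGN_PREFIX_RA = RouterAdvertisement("fe80::2", 64, True, True, "medium",
                                        ["2001:db8:1::/64", "fd00::/64"])

if __name__ == "__main__":
    for ra in (GOOD_RA, HIGH_PREF_RA, UNKNOWN_PREF_RA, FOREIGN_PREFIX_RA):
        print(evaluate(RAPOLICY1, ra))
```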

config switch security-feature

Use this command to configure security checks for incoming TCP/UDP packets. The packet is dropped if the system
detects the specified condition.

Syntax (for models FS108D-POE, FS112D-POE, FS224D-POE)


config switch security-feature
set tcp-syn-data {enable | disable}
set tcp-udp-port-zero {enable | disable}
set tcp_flag_zero {enable | disable}
set tcp_flag_FUP {enable | disable}
set tcp_flag_SF {enable | disable}
set tcp_flag_SR {enable | disable}
set tcp_frag_ipv4_icmp {enable | disable}
set tcp_arp_mac_mismatch {enable | disable}
end

Variable Description Default

tcp-syn-data TCP SYN packet contains additional data (possible DoS attack). disable

tcp-udp-port-zero TCP or UDP packet has source or destination port set to zero. disable

tcp_flag_zero TCP packet with all flags set to zero. disable

tcp_flag_FUP TCP packet with FIN, URG and PSH flag set. disable

tcp_flag_SF TCP packet with SYN and FIN flag set. disable

tcp_flag_SR TCP packet with SYN and RST flag set. disable

tcp_frag_ipv4_icmp Fragmented ICMPv4 packet. disable

tcp_arp_mac_mismatch ARP packet with MAC source address mismatch between the Layer 2 disable
header and the ARP packet payload.

Syntax (for all other models)


config switch security-feature
set sip-eq-dip {enable | disable}
set tcp-flag {enable | disable}
set tcp-port-eq {enable | disable}
set tcp-flag-FUP {enable | disable}
set tcp-flag-SF {enable | disable}
set v4-first-frag {enable | disable}
set udp-port-eq {enable | disable}
set tcp-hdr-partial {enable | disable}
set macsa-eq-macda {enable | disable}
set allow-mcast-sa {enable | disable}
set allow-sa-mac-all-zero {enable | disable}
end

Variable Description Default

sip-eq-dip TCP packet with a source IP address equal to the destination IP disable
address.

tcp-flag DoS attack checking for TCP flags. disable

tcp-port-eq TCP packet with source and destination TCP ports equal. disable

tcp-flag-FUP TCP packet with FIN, URG and PSH flags set, and sequence number disable
is zero.

tcp-flag-SF TCP packet with SYN and FIN flag set. disable

v4-first-frag DoS attack checking for IPv4 first fragment. disable

udp-port-eq IP packet with source and destination UDP ports equal. disable

tcp-hdr-partial TCP packet with partial header. disable

macsa-eq-macda Packet with source MAC address equal to destination MAC address. disable

allow-mcast-sa Ethernet packet whose source MAC address is multicast. enable

allow-sa-mac-all-zero Ethernet packet whose source MAC address is all zeros. enable

Example

The following example configures security checks for incoming TCP/UDP packets:


config switch security-feature
set sip-eq-dip enable
set tcp-flag enable
set tcp-port-eq enable
set tcp-flag-FUP enable
set tcp-flag-SF enable
set v4-first-frag enable
set udp-port-eq enable
set tcp-hdr-partial enable
set macsa-eq-macda enable
set allow-mcast-sa disable
set allow-sa-mac-all-zero disable
end
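The following Python model is an added example, not code from the reference: it applies the checks listed in the table for "all other models" to constructed frames, under the example configuration above and under the defaults, so a reviewer can see which frames each setting would drop and that the default settings drop nothing. The Frame class and its field names are this example's assumptions; the tcp-flag and v4-first-frag checks are left out because the reference does not define the exact conditions they match.

```python
"""Apply the FortiSwitch security-feature checks to sample frames.

Added example, not from the FortiSwitchOS reference. It models the checks the
reference lists for config switch security-feature (syntax for all models other
than the FS108D-POE, FS112D-POE and FS224D-POE). tcp-flag and v4-first-frag are
omitted because the reference does not define their exact match conditions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# CLI defaults from the reference: every drop check off, both allow-* options on.
DEFAULT_CONFIG: Dict[str, bool] = {
    "sip-eq-dip": False, "tcp-port-eq": False, "tcp-flag-FUP": False,
    "tcp-flag-SF": False, "udp-port-eq": False, "tcp-hdr-partial": False,
    "macsa-eq-macda": False, "allow-mcast-sa": True, "allow-sa-mac-all-zero": True,
}


@dataclass
class Frame:
    """Header fields of one frame (constructed sample data, not a capture)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: Optional[str] = None                         # "tcp", "udp", or None
    sport: int = 0
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)  # e.g. {"SYN", "ACK"}
    seq: int = 1                                        # TCP sequence number
    tcp_header_len: int = 20                            # TCP header bytes present


def _is_multicast_mac(mac: str) -> bool:
    # The I/G bit is the least significant bit of the first octet.
    return int(mac.split(":")[0], 16) & 1 == 1


def triggered_checks(frame: Frame, config: Dict[str, bool]) -> List[str]:
    """Names of the enabled checks this frame violates; a non-empty list means drop."""
    cfg = {**DEFAULT_CONFIG, **config}
    hits: List[str] = []
    tcp = frame.proto == "tcp"
    udp = frame.proto == "udp"

    if cfg["macsa-eq-macda"] and frame.src_mac.lower() == frame.dst_mac.lower():
        hits.append("macsa-eq-macda")
    if not cfg["allow-mcast-sa"] and _is_multicast_mac(frame.src_mac):
        hits.append("allow-mcast-sa")
    if not cfg["allow-sa-mac-all-zero"] and frame.src_mac == "00:00:00:00:00:00":
        hits.append("allow-sa-mac-all-zero")
    if cfg["sip-eq-dip"] and tcp and frame.src_ip == frame.dst_ip:
        hits.append("sip-eq-dip")
    if cfg["tcp-port-eq"] and tcp and frame.sport == frame.dport:
        hits.append("tcp-port-eq")
    if cfg["udp-port-eq"] and udp and frame.sport == frame.dport:
        hits.append("udp-port-eq")
    if cfg["tcp-hdr-partial"] and tcp and frame.tcp_header_len < 20:
        hits.append("tcp-hdr-partial")
    if cfg["tcp-flag-SF"] and tcp and {"SYN", "FIN"} <= frame.tcp_flags:
        hits.append("tcp-flag-SF")
    if (cfg["tcp-flag-FUP"] and tcp and {"FIN", "URG", "PSH"} <= frame.tcp_flags
            and frame.seq == 0):
        hits.append("tcp-flag-FUP")
    return hits


def dropped(frame: Frame, config: Dict[str, bool]) -> bool:
    """True if the switch would drop the frame under this configuration."""
    return bool(triggered_checks(frame, config))


# The configuration from the reference's example: every check on, both allow-* off.
EXAMPLE_CONFIG = {name: name not in ("allow-mcast-sa", "allow-sa-mac-all-zero")
                  for name in DEFAULT_CONFIG}

# Constructed frames: an ordinary SYN, a segment with SYN and FIN both set, a
# segment whose source and destination IP and ports match, and a UDP frame
# sent from a multicast source MAC.
NORMAL_SYN = Frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9",
                   proto="tcp", sport=50000, dport=443, tcp_flags={"SYN"})
SYN_FIN = Frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9",
                proto="tcp", sport=50001, dport=22, tcp_flags={"SYN", "FIN"})
SAME_IP = Frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.9", "10.0.0.9",
                proto="tcp", sport=139, dport=139, tcp_flags={"SYN"})
MCAST_SRC = Frame("01:00:5e:00:00:01", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9",
                  proto="udp", sport=5353, dport=5353)

if __name__ == "__main__":
    for f in (NORMAL_SYN, SYN_FIN, SAME_IP, MCAST_SRC):
        print(triggered_checks(f, EXAMPLE_CONFIG), "| dropped with defaults:", dropped(f, {}))
```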

config switch static-mac

Use this command to configure one (or more) static MAC address on an interface.

Syntax
config switch static-mac
edit <sequence number>
set description <optional_string>
set interface <interface_name>
set mac <static_MAC_address>
set type {sticky | static}
set vlan-id <1-4095>
end

Variable Description Default

<sequence number> Enter a sequence number. No default

description <optional_string> Optional. Enter a description of the static MAC address. No default

interface <interface_name> Enter the interface name. No default

mac <static_MAC_address> Enter the static MAC address. 00:00:00:00:00:00

type {sticky | static} Set the MAC address as a persistent (sticky) address or a static
static address.

vlan-id <1-4095> Enter the VLAN identifier. 1

Example
config switch static-mac
edit 1
set description "first static MAC address"
set interface port10
set mac d6:dd:25:be:2c:43
set type static
set vlan-id 10
end

config switch storm-control

Use this command to configure storm control.

Syntax
config switch storm-control
set broadcast {enable | disable}
set burst-size-level <0-4>
set rate [0 | 2-10000000]
set unknown-multicast {enable | disable}
set unknown-unicast {enable | disable}
end

Variable Description Default

broadcast {enable | disable} Enable or disable storm control for broadcast traffic. disable

burst-size-level <0-4> Set the burst-size level for storm control. Use a higher 0
number to handle bursty traffic. The maximum number of
packets or bytes allowed for each burst-size level
depends on the switch model.

rate [0 | 2-10000000] Specify the rate as packets-per-second. If you set the 500
rate to zero, the system drops all packets (for the enabled
traffic types).

unknown-multicast {enable | disable} Enable or disable storm control for unknown multicast disable
traffic.

unknown-unicast {enable | disable} Enable or disable storm control for unknown unicast disable
traffic.

Example
config switch storm-control
set broadcast enable
set burst-size-level 2
set rate 1000
set unknown-multicast enable
set unknown-unicast enable
end

config switch stp instance

Use this command to configure an STP instance.

Syntax
config switch stp instance
edit <instance_id>
set priority <priority_int>
set vlan-range <vlan_map>
config stp-port
edit <port name>
set cost <cost_int>
set priority <priority_int>
end
end

Variable Description Default

<instance_id> Enter an instance identifier. The range is 0-32 for 5xx models No default
and higher. For all other models, the range is 0 - 15.

priority <priority_int> Set the STP priority. The acceptable priority values are 0, 32768
4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056,
49152, 53248, 57344, and 61440.

vlan-range <vlan_map> Enter the VLANs to which STP applies. <vlan_map> is a No default
comma-separated list of VLAN IDs or VLAN ID ranges, for
example “1,3-4,6,7,9-100” .

config stp-port
<port name> Enter the name of the port. No default

cost <cost_int> Enter the cost of using this interface. Use set cost ? for 0
suggested cost values based on link speed.

priority <priority_int> Enter the priority of this interface. Use set priority ? to 128
list the acceptable priority values.

Example
config switch stp instance
edit "1"
set priority 8192
config stp-port
edit "port18"
set cost 0
set priority 128
next
edit "port19"
set cost 0
set priority 128
next
end
set vlan-range 5 7 11-20
end

config switch stp settings

Use this command to configure STP settings.

Syntax
config switch stp settings
set flood {enable | disable}
set forward-time <fseconds_int>
set hello-time <hseconds_int>
set max-age <age>
set max-hops <hops_int>
set mclag-stp-bpdu {both | single}
set name <name_str>
set revision <rev_int>
set status {enable | disable}
end

Variable Description Default

flood {enable | disable} Set to enable if you want the STP packets arriving at any port disable
to pass through the switch without being processed. Set to
disable if you want to block STP packets arriving at any port.
This command is available only when status is set to
disable.
forward-time <fseconds_int> Enter the forwarding delay in seconds. Range 4 to 30. 15

hello-time <hseconds_int> Enter the hello time in seconds. Range 1 to 10. 2

max-age <age> Enter the maximum age. Range 6 to 40. 20

max-hops <hops_int> Enter the maximum number of hops. Range 1 to 40. 20

mclag-stp-bpdu {both | single} Set to both to allow both core switches of an MCLAG to both
transmit STP BPDUs. Set to single to prevent both core
switches of an MCLAG from transmitting STP BPDUs.

name <name_str> Enter a string value for the name. No default

revision <rev_int> Range 0 to 65535. 0

status {enable | disable} Enable or disable status report. enable

Example
config switch stp settings
set forward-time 15
set hello-time 5
set max-age 20
set max-hops 20
set name "region1"
set revision 1
set status enable
end

config switch trunk

Use this command to configure link aggregation.

Syntax
config switch trunk
edit <trunk name>
set aggregator-mode {bandwidth | count}
set auto-isl <integer>
set bundle [enable|disable]
set min_bundle <integer>
set max_bundle <integer>
set description <description_str>
set fortilink <integer>
set isl-fortilink <integer>
set lacp-speed {slow | fast}
set mclag {disable | enable}
set mclag-icl {disable | enable}
set member-withdrawal-behavior {block | forward}
set members <intf1 ... intfn>
set mode {fortinet-trunk | lacp-active | lacp-passive | static}
set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-
mac}
end

Variable Description Default

<trunk name> Enter a name for the trunk. No default

aggregator-mode {bandwidth | Select how an aggregator groups ports when the trunk is in bandwidth
count} LACP mode. Select bandwidth to group ports into the
aggregator with the largest bandwidth. Select count to group
ports into the aggregator with the most ports.

auto-isl <integer> Automatically forms an ISL-encapsulated trunk, up to the specified maximum size. 0

bundle [enable|disable] Enable or disable bundling. disable

min_bundle <integer> Set the minimum size of the bundle. This option is available 1
only when bundle has been enabled.

max_bundle <integer> Set the maximum size of the bundle. This option is available 24
only when bundle has been enabled.

description <description_str> Optionally, enter a description. No default

fortilink <integer> Set the FortiLink trunk. 0

isl-fortilink <integer> Set the ISL FortiLink trunk. 0

lacp-speed {slow | fast} Select fast to send an LACP message every second. Select slow
slow to send an LACP message every 30 seconds.
mclag {disable | enable} Enable or disable multichassis LAG (MCLAG). disable

mclag-icl {disable | enable} Enable or disable the MCLAG inter-chassis link (ICL). disable

member-withdrawal-behavior Select how the port behaves after it withdraws because of loss- block
{block | forward} of-control packets.

members <intf1 ... intfn> Enter the names of the interfaces that belong to this trunk. No default
Separate the names with spaces.

mode {fortinet-trunk | lacp-active | lacp-passive | static} Select the link aggregation mode: static
• fortinet-trunk: use heartbeat packets to detect whether trunk members are available.
• lacp-active: use active LACP 802.3ad aggregation.
• lacp-passive: use passive LACP 802.3ad aggregation.
• static: use static aggregation, ignoring and not sending control messages.

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac} Select the port selection criteria: src-dst-ip
• src-ip: source IP address
• src-mac: source MAC address
• dst-ip: destination IP address
• dst-mac: destination MAC address
• src-dst-ip: both source and destination IP addresses
• src-dst-mac: both source and destination MAC addresses

Heartbeat Trunk

When you set the trunk mode to fortinet-trunk, the following configuration fields are available:
config switch trunk
edit hb-trunk
set mode fortinet-trunk
set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-
mac}
set description <description_str>
set members <port> [<port>] ... [<port>]
set member-withdrawal-behavior {block | forward}
set max-miss-heartbeats <3-32>
set hb-out-vlan <int>
set hb-in-vlan <int>
set hb-src-ip <x.x.x.x>
set hb-dst-ip <x.x.x.x>
set hb-src-udp-port <int>
set hb-dst-udp-port <int>
set hb-verify {enable | disable}
end

Variable Description Default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac} Select the port selection criteria: src-dst-ip
• src-ip: source IP address
• src-mac: source MAC address
• dst-ip: destination IP address
• dst-mac: destination MAC address
• src-dst-ip: both source and destination IP addresses
• src-dst-mac: both source and destination MAC addresses

description <description_str> Optionally, enter a description. No default

members <port> [<port>] ... Enter the names of the ports that belong to this trunk. No default
[<port>] Separate the names with spaces.

member-withdrawal-behavior Set the port behavior after it withdraws because of the loss of block
{block | forward} control packets.

max-miss-heartbeats <3-32> Enter the maximum number of heartbeat messages that can 10
be lost before the FortiGate is deemed to be unavailable. Set a
value between 3 and 32.

hb-out-vlan Enter the outgoing VLAN value. 0

hb-in-vlan Enter the incoming VLAN value. 0

hb-src-ip Enter the source IP address for the heartbeat packet. 0.0.0.0

hb-dst-ip Enter the destination IP address for the heartbeat packet. 0.0.0.0

hb-src-udp-port Enter the source UDP port value for the heartbeat packet. 0

hb-dst-udp-port Enter the destination UDP port value for the heartbeat packet. 0

hb-verify Enable or disable heartbeat packet verification. disable

Example

The following example creates trunk tr1 with heartbeat capability:


config switch trunk
edit "tr1"
set mode fortinet-trunk
set members "port1" "port2"
set hb-out-vlan 300
set hb-in-vlan 500
set hb-src-ip 10.105.7.200
set hb-dst-ip 10.105.7.199
set hb-src-udp-port 12345
set hb-dst-udp-port 54321
set hb-verify enable
next
end

config switch virtual-wire

Use this command to forward traffic between two ports with minimal filtering or packet modifications. The VLAN setting
is optional.
NOTE: Virtual-wire ports will not be able to transmit or receive packets from other members of the VLAN or other virtual-
wires that use the same VLAN. The VLAN should not have complex configurations such as private VLAN.

Syntax
config switch virtual-wire
edit <id>
set first-member <port>
set second-member <port>
set vlan <1-4095>
next
end

Variable Description Default

<id> Enter a unique integer to create a new entry. No default

first-member <port> first member in the virtual-wire pair No default

second-member <port> second member in the virtual-wire pair No default

vlan <1-4095> VLAN used. The VLAN can be shared between virtual-wires 4011
and non-virtual-wire ports

Example

The following example creates a virtual wire between ports 7 and 8:


config switch virtual-wire
edit 1
set first-member "port7"
set second-member "port8"
set vlan 70
next
end

config switch vlan

Use this command to configure VLANs.

Syntax
config switch vlan
edit <vlan id>
set access-vlan {enable | disable}
set cos-queue <0-7>
set description <description_str>
set dhcp-snooping {enable | disable}
set dhcp-snooping-verify-mac {enable | disable}
set dhcp-snooping-option82 {enable | disable}
set arp-inspection {enable | disable}
set dhcp6-snooping {enable | disable}
set igmp-snooping {enable | disable}
set igmp-snooping-querier {enable | disable}
set igmp-snooping-querier-addr <IPv4_address>
set igmp-snooping-querier-version {2|3}
set igmp-snooping-fast-leave {enable | disable}
set igmp-snooping-proxy {enable | disable}
set learning {enable | disable}
set learning-limit <integer>
set mld-snooping {enable | disable}
set mld-snooping-fast-leave {enable | disable}
set mld-snooping-querier {enable | disable}
set mld-snooping-querier-addr <IPv6_address>
set mld-snooping-proxy {enable | disable}
set policer <integer>
set private-vlan {enable | disable}
set isolated-vlan <integer>
set community-vlans <vlan_map>
set rspan-mode {enable | disable}
config igmp-snooping-static-group
edit <group_name>
set mcast-addr <IPv4_address>
set members <interface_name1> <interface_name2>...
end
config mld-snooping-static-group
edit <group_name>
set mcast-addr <IPv6_address>
set members <interface_name1> <interface_name2>...
end
config member-by-mac
config member-by-ipv4
config member-by-ipv6
config member-by-proto
config dhcp-server-access-list
end

Variable Description Default

<vlan id> Enter a VLAN identifier. No default

access-vlan {enable | disable} Set to enable to block FortiSwitch port-to-port traffic on this disable
VLAN while allowing traffic to and from the FortiGate unit. Set
to disable to allow normal VLAN traffic.

cos-queue <0-7> Specify which class of service (CoS) queue is used for traffic on No default
this VLAN or use the unset cos-queue command to
disable this setting.
This command is available only in FortiLink mode.

description <description_str> Optionally, enter a description. No default
If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:
set description "newvlan"

dhcp-snooping {enable | disable} Enable or disable IPv4 DHCP snooping for this VLAN. disable

dhcp-snooping-verify-mac {enable | disable} Enable or disable whether to verify the source MAC address. This field is available only if dhcp-snooping is enabled. disable

dhcp-snooping-option82 {enable | disable} Enable or disable whether to insert option-82 fields. This field is available only if dhcp-snooping is enabled. disable

arp-inspection {enable | disable} Enable or disable dynamic ARP inspection. disable

dhcp6-snooping {enable | Enable or disable IPv6 DHCP snooping for this VLAN. disable
disable}

igmp-snooping {enable | disable} Enable or disable IGMP snooping on the VLAN. disable

igmp-snooping-fast-leave Enable or disable IGMP-snooping fast leave on this VLAN. This enable
{enable | disable} field is only available if igmp-snooping is enabled.

igmp-snooping-querier {enable | disable} Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled. disable

igmp-snooping-querier-addr <IPv4_address> Optional. Enter the IPv4 address for the IGMP-snooping querier. This field is only available if igmp-snooping and igmp-snooping-querier are enabled. 0.0.0.0

igmp-snooping-querier-version {2|3} Select whether to use the IGMP-snooping querier version 2 or version 3. 2

igmp-snooping proxy {enable | Enable or disable the IGMP-snooping proxy on this VLAN. disable
disable} When the IGMP-snooping proxy is enabled, this VLAN sends
IGMP reports. This field is only available if igmp-snooping
is enabled.

learning {enable | disable} Enable or disable layer-2 learning on this VLAN. enable

learning-limit <integer> Limit the number of dynamic MAC addresses on this VLAN. 0
The per-VLAN MAC address learning limit is between 1 and
128. Set the value to 0 for no limit.

mld-snooping {enable | disable} Enable or disable Multicast Listener Discovery (MLD) snooping disable
for the this VLAN.

mld-snooping-fast-leave {enable Enable or disable MLD-snooping fast leave on this VLAN. This enable
| disable} field is only available if mld-snooping is enabled.

mld-snooping-querier {enable Enable or disable whether periodic MLD-snooping queries are disable
| disable} sent to get MLD reports. This field is only available if mld-
snooping is enabled.
mld-snooping-querier-addr Optional. Enter the IPv6 address for the MLD-snooping ::
<IPv6_address> querier. This field if only available if mld-snooping is
enabled.

mld-snooping-proxy {enable Enable or disable the MLD-snooping proxy on this VLAN. When disable
| disable} the MLD-snooping proxy is enabled, this VLAN sends MLD
reports. This field is only available if mld-snooping is
enabled.

policer <integer> Set the policer for the traffic on this VLAN. 0
This command is available only in in FortiLink mode.

FortiSwitchOS 6.4.3 CLI Reference 142


Fortinet, Inc.
config

Variable Description Default

private-vlan {enable | disable} Set to enable if this is a private VLAN. disable

isolated-vlan <integer> (Valid if private VLAN is enabled) Enter the isolated VLAN. 0

community-vlans <vlan_map> (Valid if private VLAN is enabled) Enter the communities within No default
this private VLAN. Enter single VLANs or ranges of VLANS
separated by commas without white space. For example: 1,3-
4,6,7,9-100

rspan-mode {enable | disable} Enable or disable port mirroring using the remote switch port disable
analyzer (RSPAN) on this VLAN.

config igmp-snooping-static-group

<group_name> Enter the IGMP static group name. No default

mcast-addr <IPv4_address> Enter the IPv4 multicast address for the IGMP static group. 0.0.0.0

members <interface_name1> Enter the interfaces that belong to the IGMP static group. No default
<interface_name2>...

config mld-snooping-static-group

<group_name> Enter the MLD static group name. No default

mcast-addr <IPv6_address> Enter the IPv6 multicast address for the MLD static group. No default

members <interface_name1> Enter the interfaces that belong to the MLD static group. No default
<interface_name2>...

config member-by

Use this command to assign VLANs based on specific fields in the packet (source MAC address, source IP address, or
layer-2 protocol).
config switch vlan
edit <vlan id>
config member-by-mac
edit <id>
set mac XX:XX:XX:XX:XX:XX
set description <128 byte string>
next
end
config member-by-ipv4
edit <id>
set address a.b.c.d/e
set description <128-byte string>
next
end
config member-by-ipv6
edit <id>
set prefix xx:xx:xx:xx::/prefix
set description <128-byte string>
next
end
config member-by-proto
edit <id>
set frametypes {ethernet2 | 802.3d | llc}
set protocol <6-digit hex value>
end

Variable Description Default

config member-by-mac

edit <id>
    For a new entry, enter an unused ID. (No default)

mac XX:XX:XX:XX:XX:XX
    Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. (Default: 00:00:00:00:00:00)

description
    Enter up to 128 characters. (No default)

config member-by-ipv4

edit <id>
    For a new entry, enter an unused ID. (No default)

address a.b.c.d/e
    Enter an IPv4 address and network mask. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The subnet mask must be a value in the range of 1-32. (Default: 0.0.0.0 0.0.0.0)

description
    Enter up to 128 characters. (No default)

config member-by-ipv6

edit <id>
    For a new entry, enter an unused ID. (No default)

prefix xx:xx:xx:xx::/prefix
    Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The /prefix must be in the range of 1-64. (Default: ::/0)

description
    Enter up to 128 characters. (No default)

config member-by-proto

edit <id>
    For a new entry, enter an unused ID. (No default)

frametypes {ethernet2 | 802.3d | llc}
    Enter one or more Ethernet frame types. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP. (Default: ethernet2 802.3d llc)

protocol <6-digit hex value>
    Enter an Ethernet protocol value. If the frametype and Ethernet protocol value of an incoming packet match these values, the associated VLAN will be assigned to the packet. The value range is 0-65535. (Default: 0x0000)

Example

The following example configures a VLAN:


config switch vlan
edit 100
config member-by-mac
edit 1
set description "pc2"
set mac 00:21:cc:d2:76:72
next
end
end
end

The following example configures the IGMP-snooping querier:


config switch vlan
edit 100
set igmp-snooping enable
set igmp-snooping-querier enable
set igmp-snooping-querier-addr 1.2.3.4
set igmp-snooping-querier-version 3
next
end

config dhcp-server-access-list

Use this command to create a list of DHCP servers that DHCP snooping will include in the allowed server list. This list is
used only if the set dhcp-server-access-list command has been enabled; see config system global on page
169.
config switch vlan
edit <vlan id>
set dhcp-snooping enable
set dhcp6-snooping enable
config dhcp-server-access-list
edit <string>
set server-ip <xxx.xxx.xxx.xxx>
set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
next
end
next
end

Variable Description Default

edit <vlan id>
    Enter a VLAN identifier. (No default)

dhcp-snooping enable
    Enable for IPv4 DHCP snooping. The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN. (Default: disable)

dhcp6-snooping enable
    Enable for IPv6 DHCP snooping. The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN. (Default: disable)

edit <string>
    Enter the name of the DHCP server access list. (No default)

server-ip <xxx.xxx.xxx.xxx>
    If you enabled IPv4 DHCP snooping, enter the Class A, B, or C IPv4 address for the DHCP server. (Default: 0.0.0.0)

server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
    If you enabled IPv6 DHCP snooping, enter the IPv6 address for the DHCP server. (No default)

Example

The following example configures IPv4 DHCP snooping to include the specified DHCP server in the allowed server list:
config switch vlan
edit 100
set dhcp-snooping enable
config dhcp-server-access-list
edit "DHCPserver1"
set server-ip 128.8.0.0
next
end
next
end

The following example configures IPv6 DHCP snooping to include the specified DHCP server in the allowed server list:
config switch vlan
edit 100
set dhcp6-snooping enable
config dhcp-server-access-list
edit "DHCPserver1"
set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
next
end
next
end

config switch vlan-tpid

Use this command to configure the VLAN TPID profile for VLAN stacking (QinQ). Each VLAN TPID profile contains one
value for the EtherType field.
The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN
TPID profile (0x8100) cannot be deleted or changed.
To configure VLAN stacking and to select which VLAN TPID profile to use, see config switch interface on page 94.

Syntax
config switch vlan-tpid
edit <VLAN_TPID_profile_name>
set ether-type <0x0001-0xfffe>
next
end

Variable Description Default

<VLAN_TPID_profile_name>
    Enter a name for the VLAN TPID profile. (No default)

ether-type <0x0001-0xfffe>
    Enter a hexadecimal value for the EtherType field. (Default: 0x8100)
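As an added example (not code from this reference or from Fortinet), the following Python walks the 802.1Q tag stack of a raw Ethernet frame using the TPID values a switch would take from its VLAN TPID profiles, showing why an outer tag written with a non-default TPID needs a matching profile before the switch can see the inner VLAN. The sample frame, its MAC addresses and the 0x88a8 service TPID are constructed assumptions.

```python
# Added example, not code from the FortiSwitchOS CLI Reference: walks the 802.1Q
# tag stack of a raw Ethernet frame using the set of TPID (EtherType) values a
# switch knows from its VLAN TPID profiles. A tag whose TPID is not in that set
# is treated as the payload EtherType, so an outer service tag written with
# 0x88a8 or 0x9100 stays invisible until a matching profile exists; only 0x8100
# is always present. The frames below are constructed sample input.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_TPID = 0x8100          # the profile that cannot be deleted or changed
SERVICE_TPID = 0x88A8          # 802.1ad S-tag EtherType, a common QinQ choice (assumed)


@dataclass
class VlanTag:
    tpid: int
    pcp: int    # priority code point, 3 bits
    dei: int    # drop eligible indicator, 1 bit
    vid: int    # VLAN identifier, 12 bits


def build_frame(dst: bytes, src: bytes, tags: List[Tuple[int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Construct an Ethernet frame with (tpid, vid) tags listed outer first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, known_tpids: Set[int]) -> Tuple[List[VlanTag], int, bytes]:
    """Return (tag stack outer first, payload EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the EtherType/TPID field")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in known_tpids:
            # Not a TPID this switch recognises: treat it as the payload EtherType.
            return tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def inner_vid(frame: bytes, known_tpids: Set[int]) -> Optional[int]:
    """Innermost VID the switch can see, or None if the frame looks untagged."""
    tags, _, _ = parse_tags(frame, known_tpids)
    return tags[-1].vid if tags else None


# Constructed sample: customer VLAN 10 stacked inside service VLAN 200.
QINQ_FRAME = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                         [(SERVICE_TPID, 200), (DEFAULT_TPID, 10)],
                         0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("default profile only:", parse_tags(QINQ_FRAME, {DEFAULT_TPID})[:2])
    print("with 0x88a8 profile: ", parse_tags(QINQ_FRAME, {DEFAULT_TPID, SERVICE_TPID})[:2])
```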

config switch-controller global

Use this command to configure system-wide switch options in FortiLink mode.

Syntax
config switch-controller global
set ac-data-port <1024-49150>
set ac-dhcp-option-code <integer>
set ac-discovery-mc-addr <Class-D IPv4 address>
set ac-discovery-type {broadcast | dhcp | multicast | static}
set ac-port <1024-49150>
set echo-interval <1-600>
set location <string>
set name <string>
set max-discoveries <0-64>
set max-retransmit <0-64>
config ac-list
edit <id>
set ipv4-address <IPv4_address>
next
end
end

Variable Description Default

ac-data-port <1024-49150>
    Set the switch-controller control port. Valid values are 1024-49150. (Default: 15250)

ac-dhcp-option-code <integer>
    Set the DHCP option code for the CAPWAP AC. (Default: 138)

ac-discovery-mc-addr <Class-D IPv4 address>
    Set the discovery multicast address. (Default: 224.0.1.140)

ac-discovery-type {broadcast | dhcp | multicast | static}
    Select the AC discovery type: broadcast discovery, DHCP discovery, multicast discovery, or static configuration. (Default: broadcast)

ac-port <1024-49150>
    Set the switch-controller control port. (Default: 5246)

echo-interval <1-600>
    Set the number of seconds before the SWTP sends an echo request after joining the AC. (Default: 30)

location <string>
    Enter the location. (No default)

name <string>
    Enter a name for the configuration. (No default)

max-discoveries <0-64>
    Set the maximum number of discovery request messages for every round. (Default: 3)

max-retransmit <0-64>
    Set the maximum number of retransmissions for the tunnel packet. (Default: 6)

ac-list
    Create a list of IPv4 addresses for AC static discovery. This command is only available when ac-discovery-type is set to static. (No default)

<id>
    Enter a unique integer to create a new entry. (No default)

ipv4-address <IPv4_address>
    Enter a Class A, B, or C IPv4 address in the following format: xxx.xxx.xxx.xxx (No default)

Example

The following example configures static discovery to find the IP address of the FortiGate unit (switch controller) that
manages the FortiSwitch unit:
config switch-controller global
set ac-discovery-type static
config ac-list
edit 1
set ipv4-address <IPv4_address>
next
end
end

config system

Use the config system commands to configure options related to the overall operation of the FortiSwitch unit:
- config system accprofile on page 149
- config system admin on page 150
- config system arp-table on page 152
- config system bug-report on page 153
- config system certificate ca on page 154
- config system certificate crl on page 155
- config system certificate local on page 155
- config system certificate ocsp on page 157
- config system certificate remote on page 157
- config system console on page 158
- config system dhcp server on page 158
- config system dns on page 164
- config system flow-export on page 165
- config system fsw-cloud on page 168
- config system global on page 169
- config system interface on page 176
- config system ipv6-neighbor-cache on page 186
- config system link-monitor on page 187
- config system location on page 188
- config system ntp on page 192
- config system password-policy on page 193
- config system schedule group on page 195
- config system schedule onetime on page 195
- config system schedule recurring on page 196
- config system settings on page 197
- config system sflow on page 198
- config system sniffer-profile on page 198
- config system snmp community on page 199
- config system snmp sysinfo on page 201
- config system snmp user on page 203

config system accprofile

Use this command to add access profile groups that control administrator access to FortiSwitch features. Each
FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow
read only, or allow both read and write access to FortiSwitch features.

Syntax
config system accprofile
edit <profile-name>
set admingrp {none | read | read-write}
set loggrp {none | read | read-write}
set netgrp {none | read | read-write}
set routegrp {none | read | read-write}
set sysgrp {none | read | read-write}
end

Variable Description Default

<profile-name>
    Enter the name for the profile. (No default)

admingrp {none | read | read-write}
    Set the access permission for admingrp. (Default: none)

loggrp {none | read | read-write}
    Set the access permission for loggrp. (Default: none)

netgrp {none | read | read-write}
    Set the access permission for netgrp. (Default: none)

routegrp {none | read | read-write}
    Set the access permission for routegrp. (Default: none)

sysgrp {none | read | read-write}
    Set the access permission for sysgrp. (Default: none)

Example

This example shows how to configure an access profile with just read-only permission:
config system accprofile
edit profile1
set admingrp read
set loggrp read
set netgrp read
set routegrp read
set sysgrp read
end

config system admin

Use the default admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account except the default admin must
include an access profile. You cannot delete the default super admin account or change the access profile (super_
admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly.
The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only
super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making
changes.
You can authenticate administrators using a password stored on the FortiSwitch unit or you can use a RADIUS server to
perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can
allow any account on the RADIUS server to access the FortiSwitch unit as an administrator.

Syntax
config system admin
edit <admin_name>
set accprofile <profile-name>
set accprofile-override {enable | disable}
set allow-remove-admin-session {enable | disable}
set comments <comments_string>
set gui-detail-panel-location {bottom | hide | side}
set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 |
ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 |
ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 |
ip6-trusthost10} <address_ipv6mask>
set password <admin_password>
set peer-auth {disable | enable}
set peer-group <peer-grp>
set remote-auth {enable | disable}
set remote-group <name>
set wildcard {enable | disable}
set schedule <schedule-name>
set ssh-public-key1 "<key-type> <key-value>"
set ssh-public-key2 "<key-type> <key-value>"
set ssh-public-key3 "<key-type> <key-value>"
set {trusthost1 | trusthost2 | trusthost3 | trusthost4 |
trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9
| trusthost10} <address_ipv4mask>
end
end

Variable Description Default

<admin_name>
    Enter the name for the admin account. (No default)

accprofile <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features. (No default)

accprofile-override {enable | disable}
    Enable or disable whether the remote authentication server can override the access profile. (Default: disable)

allow-remove-admin-session {enable | disable}
    Allow the admin session to be removed by privileged admin users. (Default: disable)

comments <comments_string>
    Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double quotes. The total length of the string can be up to 128 characters. (Optional) (No default)

gui-detail-panel-location {bottom | hide | side}
    Choose the position of the log detail window. (Default: bottom)

{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>
    Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit. If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0. (Default: ::/0)

password <admin_password>
    Enter the password for this administrator. It can be up to 256 characters in length. (No default)

peer-auth {disable | enable}
    Set to enable peer certificate authentication (for HTTPS admin access). (Default: disable)

peer-group <peer-grp>
    Name of the peer group defined under config user peergrp or the user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled. (No default)

remote-auth {enable | disable}
    Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server. (Default: disable)

remote-group <name>
    Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication. This is available only when remote-auth is enabled. (No default)

wildcard {enable | disable}
    Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled. (Default: disable)

schedule <schedule-name>
    Restrict the times that an administrator can log in. Defined in config firewall schedule. No default indicates that the administrator can log in at any time. (No default)

ssh-public-key1 "<key-type> <key-value>"
ssh-public-key2 "<key-type> <key-value>"
ssh-public-key3 "<key-type> <key-value>"
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application. <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. <key-value> is the public key string of the SSH client. (No default)

{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
    Any IPv4 address or subnet address and netmask from which the administrator can connect to the system. If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. (Default: 0.0.0.0 0.0.0.0)

Example

The following example creates a RADIUS system admin group:


config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile "super_admin"
set wildcard enable
set remote-group "RADIUS_Admins"
next
end
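The trusted-host and wildcard settings in this table, together with the per-VLAN DHCP snooping options earlier in this chapter, are worth auditing across an exported configuration. The following Python is an added example, not code from this reference or from Fortinet: a parser for the config/edit/set/next/end block syntax used throughout, plus two audit checks over the result. The sample configuration, the account names, and the audit policy that dhcp-snooping-verify-mac and arp-inspection should accompany dhcp-snooping are assumptions.

```python
# Added example, not code from the FortiSwitchOS CLI Reference: parses the
# config/edit/set/next/end block syntax used throughout this reference and runs
# two audit checks over it (VLANs with dhcp-snooping but not its companion
# checks; admins reachable from any address or granted super_admin by wildcard).
from typing import Any, Dict, List, Tuple

ANY_V4 = "0.0.0.0 0.0.0.0"   # trusthost value meaning "any IPv4 address"
ANY_V6 = "::/0"              # ip6-trusthost value meaning "any IPv6 address"


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Parse nested config/edit/set/next/end blocks into dicts.
    Shape: {"config switch vlan": {"100": {"dhcp-snooping": "enable", ...}}}.
    A sub-table inside an entry is stored under its own "config ..." key.
    """
    root: Dict[str, Any] = {}
    # Each frame records whether "config" or "edit" opened it, so that "end"
    # can also close an entry left open without "next" (as in edit 1 ... end).
    stack: List[Tuple[str, Dict[str, Any]]] = [("config", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        rest = rest.strip()
        if word == "config":
            stack.append(("config", stack[-1][1].setdefault(line, {})))
        elif word == "edit":
            stack.append(("edit", stack[-1][1].setdefault(rest.strip('"'), {})))
        elif word == "set":
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = value.strip().strip('"')
        elif word == "next":
            if stack[-1][0] == "edit":
                stack.pop()
        elif word == "end":
            while len(stack) > 1:
                if stack.pop()[0] == "config":
                    break
    return root


def audit_vlan_snooping(cfg: Dict[str, Any]) -> List[str]:
    """DHCP snooping builds the binding table; verify-mac and dynamic ARP
    inspection are the checks that use it (audit policy assumed here)."""
    findings = []
    for vid, vlan in cfg.get("config switch vlan", {}).items():
        if vlan.get("dhcp-snooping") != "enable":
            continue
        for option in ("dhcp-snooping-verify-mac", "arp-inspection"):
            if vlan.get(option) != "enable":
                findings.append(f"vlan {vid}: dhcp-snooping enabled but {option} is not")
    return findings


def audit_admin_access(cfg: Dict[str, Any]) -> List[str]:
    """Flag admins reachable from any address and wildcard super_admin logins."""
    findings = []
    for name, admin in cfg.get("config system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith(("trusthost", "ip6-trusthost"))]
        if not any(h not in (ANY_V4, ANY_V6) for h in hosts):
            findings.append(f"admin {name}: no trusted-host restriction, login allowed from any address")
        if admin.get("wildcard") == "enable" and admin.get("accprofile") == "super_admin":
            findings.append(f"admin {name}: wildcard RADIUS login grants super_admin to every RADIUS account")
    return findings


# Constructed sample configuration (not exported from any real device).
SAMPLE_CONFIG = """
config switch vlan
    edit 100
        set dhcp-snooping enable
        set dhcp-snooping-verify-mac enable
        set arp-inspection enable
        config dhcp-server-access-list
            edit "DHCPserver1"
                set server-ip 192.0.2.10
            next
        end
    next
    edit 200
        set dhcp-snooping enable
    next
end
config system admin
    edit "netops"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "RADIUS_Admins"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
    next
end
"""


def run_audit(text: str = SAMPLE_CONFIG) -> List[str]:
    cfg = parse_fortios_config(text)
    return audit_vlan_snooping(cfg) + audit_admin_access(cfg)
```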

config system arp-table

Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of an interface
name, an IP address, and a MAC address.

Syntax
config system arp-table
edit <table_value>
set interface {<string> | internal | mgmt}
set ip <address_ipv4>
set mac <mac_address>
end

Variable Description Default

<table_value>
    Enter the identification number for the table. (No default)

interface {<string> | internal | mgmt}
    Enter the interface to associate with this ARP entry. (No default)

ip <address_ipv4>
    Enter the IP address of the ARP entry. (Default: 0.0.0.0)

mac <mac_address>
    Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx. (Default: 00:00:00:00:00:00)

Example

This example shows how to add an entry to an ARP table:


config system arp-table
edit 1
set interface internal
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
end

config system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax
config system bug-report
set auth {no | yes}
set mailto <email_address>
set password <password>
set server <servername>
set username <name>
set username-smtp <account_name>
end

Variable Description Default

auth {no | yes}
    Enter yes if the SMTP server requires authentication or no if it does not. (Default: no)

mailto <email_address>
    The email address for bug reports. (Default: fortiswitch@fortinet.com)

password <password>
    If the SMTP server requires authentication, enter the required password. (No default)

server <servername>
    The SMTP server to use for sending bug report email. (Default: fortinet.com)

username <name>
    A valid user name on the specified SMTP server. (Default: bug_report)

username-smtp <account_name>
    A valid user name for authentication on the specified SMTP server. (Default: bug_report)

Example

This example shows how to configure a custom email relay:


config system bug-report
set auth yes
set mailto techdocs@fortinet.com
set password 123abc
set server fortinet.com
set username techdocs
set username-smtp techdocs
end

config system certificate ca

Use this command to configure CA certificates.


FortiSwitch includes a reserved entry named Fortinet_CA. You cannot modify this entry.

Syntax
config system certificate ca
edit <name>
set ca <certificate>
set scep-url <string>
next
end

Variable Description Default

name
    Enter the name of the certificate. (No default)

certificate
    PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example. (No default)

scep-url <string>
    Full URL (such as http://www.test.com). (No default)

Example
# config system certificate ca
# get
== [ Fortinet_CA ]
== [ OracleSSLCA ]
== [ ca ]
FortiCore-VM # config system certificate ca
FortiCore-VM (ca) # edit ca-new
FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----"

config system certificate crl

Use this command to configure the certificate revocation list.

Syntax
config system certificate crl
edit <name>
set crl <crl>
set http-url <string>
set ldap-server <LDAP>
set scep-cert <certificate>
set scep-url <string>
end

Variable Description Default

name
    Name of the certificate revocation list. (No default)

crl
    PEM format CRL. Paste the contents of a CRL file between quotation marks. (No default)

http-url
    URL of the HTTP server for CRL update. (No default)

ldap-server
    LDAP server. (No default)

scep-cert
    Local certificate used for CRL update using SCEP. (Default: Fortinet_Factory)

scep-url
    URL of the CA server for CRL update using SCEP. (No default)

config system certificate local

Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot
modify this entry.


Syntax
config system certificate local
edit <name>
set comments <string>
set password <passwd>
set private-key <key>
set scep-url <string>
next
end

Variable Description Default

name
    Enter the name of the certificate. (No default)

comments
    Optional administrator note. (No default)

password
    Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate. (Default: *)

private-key
    Paste the contents of a key file between quotation marks as shown in the example. (No default)

scep-url
    URL of the SCEP server. (No default)

Example
# config system certificate local
# get
== [ Factory ]
== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
"

config system certificate ocsp

Use this command to configure the OCSP server certificate.

Syntax
config system certificate ocsp
set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA |
Fortinet_CA | Fortinet_CA2}
set unavail-action {ignore | revoke}
set url <string>
end

Variable Description Default

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    Enter the name of the certificate or select one of the listed certificates. (No default)

unavail-action {ignore | revoke}
    Set whether the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable. (Default: revoke)

url <string>
    Enter the URL for the OCSP server. (No default)

Example

This example shows how to configure the OCSP server certificate:


config system certificate ocsp
set cert Fortinet_CA
set unavail-action ignore
set url https://www.fortinet.com
end

config system certificate remote

Use this command to install remote certificates. The remote certificates are public certificates without a private key.
config system certificate remote
edit <name>
set remote "<cert>"
end

Variable Description Default

name
    Name for the certificate. (No default)

remote "<cert>"
    PEM-format certificate. (No default)

config system console

Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.

Syntax
config system console
set baudrate <speed>
set mode {batch | line}
set output {standard | more}
end

Variable Description Default

baudrate <speed>
    Set the console port baud rate. Select one of 9600, 19200, 38400, 57600, or 115200. (Default: 115200)

mode {batch | line}
    Set the console mode to line or batch. Used for autotesting only. (Default: line)

output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed). This setting applies to show or get commands only. (Default: more)

Example

This example shows how to configure the console:


config system console
set baudrate 57600
set mode batch
set output standard
end

config system dhcp server

Use this command to configure DHCP servers.

Syntax
config system dhcp server
edit <id>
set auto-configuration {enable | disable}
set conflicted-ip-timeout <integer>
set default-gateway <xxx.xxx.xxx.xxx>
set dns-server1 <xxx.xxx.xxx.xxx>
set dns-server2 <xxx.xxx.xxx.xxx>
set dns-server3 <xxx.xxx.xxx.xxx>
set dns-service {default | local | specify}
set domain <string>
set filename <string>
set interface <string>
set lease-time <integer>
set netmask <xxx.xxx.xxx.xxx>
set next-server <xxx.xxx.xxx.xxx>
set ntp-server1 <xxx.xxx.xxx.xxx>
set ntp-server2 <xxx.xxx.xxx.xxx>
set ntp-server3 <xxx.xxx.xxx.xxx>
set ntp-service {default | local | specify}
set status {enable | disable}
set tftp-server <xxx.xxx.xxx.xxx>
set timezone <00-75>
set timezone-option {default | disable | specify}
set vci-match {enable | disable}
set vci-string <VCI_strings>
set wifi-ac1 <xxx.xxx.xxx.xxx>
set wifi-ac2 <xxx.xxx.xxx.xxx>
set wifi-ac3 <xxx.xxx.xxx.xxx>
set wins-server1 <xxx.xxx.xxx.xxx>
set wins-server2 <xxx.xxx.xxx.xxx>
config exclude-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
config ip-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
config options
edit <id>
set code <integer>
set ip <IP_addresses>
set type {fqdn | hex | ip | string}
set value <string>
next
end
config reserved-address
edit <id>
set action {assign | block | reserved}
set circuit-id {<string> | <hex>}
set circuit-id-type {hex | string}
set description <string>
set ip <xxx.xxx.xxx.xxx>
set mac <xx:xx:xx:xx:xx:xx>
set remote-id {<string> | <hex>}
set remote-id-type {hex | string}
set type {mac | option82}
next
end
next
end

Variable Description Default

<id> Enter the identifier. No default

FortiSwitchOS 6.4.3 CLI Reference 159


Fortinet, Inc.
config

auto-configuration {enable | disable}
    Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface.
    Default: enable

conflicted-ip-timeout <integer>
    Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.
    Default: 1800

default-gateway <xxx.xxx.xxx.xxx>
    Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0

dns-server1 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for DNS server 1. This option is only available when dns-service is set to specify.
    Default: 0.0.0.0

dns-server2 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for DNS server 2. This option is only available when dns-service is set to specify.
    Default: 0.0.0.0

dns-server3 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for DNS server 3. This option is only available when dns-service is set to specify.
    Default: 0.0.0.0

dns-service {default | local | specify}
    Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface as the client's DNS server IP address. Select default for clients to be assigned the FortiSwitch unit's configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.
    Default: specify

domain <string>
    Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.
    Default: none

filename <string>
    Enter the name of the boot file on the TFTP server.
    Default: none

interface <string>
    Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.
    Default: none

lease-time <integer>
    The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address. Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.
    Default: 604800

netmask <xxx.xxx.xxx.xxx>
    Enter the netmask of the addresses that the DHCP server assigns.
    Default: 0.0.0.0

next-server <xxx.xxx.xxx.xxx>
    Enter the IPv4 address of a server (for example, a TFTP server) that DHCP clients can download a boot file from.
    Default: 0.0.0.0

ntp-server1 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for NTP server 1. This option is only available when ntp-service is set to specify.
    Default: 0.0.0.0

ntp-server2 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for NTP server 2. This option is only available when ntp-service is set to specify.
    Default: 0.0.0.0

ntp-server3 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for NTP server 3. This option is only available when ntp-service is set to specify.
    Default: 0.0.0.0

ntp-service {default | local | specify}
    Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface as the client's NTP server IP address. Select default for clients to be assigned the FortiSwitch unit's configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.
    Default: specify

status {enable | disable}
    Enable or disable this DHCP configuration.
    Default: enable

tftp-server <string>
    You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server. Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.
    Default: none

timezone <00-75>
    Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.
    Default: (GMT+12:00) Eniwetok, Kwajalein


timezone-option {default | disable | specify}
    Select how the DHCP server sets the client's time zone. Select disable for the DHCP server to not set the client's time zone. Select default for clients to be assigned the FortiSwitch unit's configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.
    Default: disable

vci-match {enable | disable}
    Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.
    Default: disable

vci-string <VCI_strings>
    Enter one or more VCI strings. This option is only available if vci-match is set to enable.
    Default: none

wifi-ac1 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for WiFi Access Controller 1 (DHCP option 138, RFC 5417).
    Default: 0.0.0.0

wifi-ac2 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for WiFi Access Controller 2 (DHCP option 138, RFC 5417).
    Default: 0.0.0.0

wifi-ac3 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for WiFi Access Controller 3 (DHCP option 138, RFC 5417).
    Default: 0.0.0.0

wins-server1 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for WINS server 1.
    Default: 0.0.0.0

wins-server2 <xxx.xxx.xxx.xxx>
    Enter the IPv4 address for WINS server 2.
    Default: 0.0.0.0

config exclude-range

<id>
    Enter the identifier.
    Default: none

end-ip <xxx.xxx.xxx.xxx>
    Enter the end of the IP address range that will not be assigned to clients.
    Default: 0.0.0.0

start-ip <xxx.xxx.xxx.xxx>
    Enter the start of the IP address range that will not be assigned to clients.
    Default: 0.0.0.0

config ip-range

<id>
    Enter the identifier.
    Default: none

end-ip <xxx.xxx.xxx.xxx>
    Enter the end of the DHCP IP address range.
    Default: 0.0.0.0

start-ip <xxx.xxx.xxx.xxx>
    Enter the start of the DHCP IP address range.
    Default: 0.0.0.0

config options

<id>
    Enter the identifier.
    Default: none

code <integer>
    Select the DHCP option code. The range is 0-255.
    Default: 9

ip <IP_addresses>
    If type is set to ip, enter the IP addresses.
    Default: none


type {fqdn | hex | ip | string}
    Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.
    Default: hex

value <string>
    Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.
    Default: none

config reserved-address

<id>
    Enter the identifier.
    Default: none

action {assign | block | reserved}
    Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.
    Default: reserved

circuit-id {<string> | <hex>}
    Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.
    Default: none

circuit-id-type {hex | string}
    Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.
    Default: string

description <string>
    Enter a description of this entry.
    Default: none

ip <xxx.xxx.xxx.xxx>
    Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.
    Default: 0.0.0.0

mac <xx:xx:xx:xx:xx:xx>
    Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.
    Default: 00:00:00:00:00:00

remote-id {<string> | <hex>}
    Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.
    Default: none

remote-id-type {hex | string}
    Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.
    Default: string


type {mac | option82}
    Select whether to match the IP address with the MAC address or DHCP option 82.
    Default: mac

Example

This example shows how to configure a DHCP server:


config system dhcp server
edit 1
set default-gateway 50.50.50.2
set domain "FortiswitchTest.com"
set filename "text1.conf"
set interface "svi10"
config ip-range
edit 1
set end-ip 50.50.0.10
set start-ip 50.50.0.5
next
end
set lease-time 360
set netmask 255.255.0.0
set next-server 60.60.60.2
config options
edit 1
set value "dddd"
next
end
set tftp-server "1.2.3.4"
set timezone-option specify
set wifi-ac1 5.5.5.1
set wifi-ac2 5.5.5.2
set wifi-ac3 5.5.5.3
set wins-server1 6.6.6.1
set wins-server2 6.6.6.2
set dns-server1 7.7.7.1
set dns-server2 7.7.7.2
set dns-server3 7.7.7.3
set ntp-server1 8.8.8.1
set ntp-server2 8.8.8.2
set ntp-server3 8.8.8.3
next
end

config system dns

Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and
URL blocking, use DNS.

Syntax
config system dns
set cache-notfound-responses {enable | disable}
set dns-cache-limit <integer>
set dns-cache-ttl <int>
set domain <domain_name>
set ip6-primary <dns_ipv6>
set ip6-secondary <dns_ip6>
set primary <dns_ipv4>
set secondary <dns_ip4>
set source-ip <ipv4_addr>
end

cache-notfound-responses {enable | disable}
    Enable to cache NOTFOUND responses from the DNS server.
    Default: disable

dns-cache-limit <integer>
    Set the maximum number of entries in the DNS cache.
    Default: 5000

dns-cache-ttl <int>
    Enter the duration, in seconds, that the DNS cache retains information.
    Default: 1800

domain <domain_name>
    Set the local domain name (optional).
    Default: none

ip6-primary <dns_ipv6>
    Enter the primary IPv6 DNS server IP address.
    Default: ::

ip6-secondary <dns_ip6>
    Enter the secondary IPv6 DNS server IP address.
    Default: ::

primary <dns_ipv4>
    Enter the primary DNS server IP address.
    Default: 0.0.0.0

secondary <dns_ip4>
    Enter the secondary DNS server IP address.
    Default: 0.0.0.0

source-ip <ipv4_addr>
    Enter the source IP address for communications with the DNS server.
    Default: 0.0.0.0

Example

This example shows how to set the DNS server addresses:


config system dns
set cache-notfound-responses enable
set dns-cache-limit 2000
set dns-cache-ttl 900
set domain fortinet.com
set primary 172.91.112.53
set secondary 172.91.112.52
end

config system flow-export

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow
Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
NOTE:
- Flow export is supported on FortiSwitch models 2xx and higher.
- To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end

Syntax
config system flow-export
set collector-ip <IPv4_address>
set collector-port <port_number>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set identity <hexadecimal>
set level {ip | mac | port | proto | vlan}
set max-export-pkt-size <integer>
set timeout-general <integer>
set timeout-icmp <integer>
set timeout-max <integer>
set timeout-tcp <integer>
set timeout-tcp-fin <integer>
set timeout-tcp-rst <integer>
set timeout-udp <integer>
set transport {sctp | tcp | udp}
config aggregates
edit <id>
set ip <IPv4_address_mask>
end
end

collector-ip <IPv4_address>
    Enter the IP address for the collector. The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.
    Default: 0.0.0.0

collector-port <port_number>
    Enter the port number for the collector. The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.
    Default: 0

format {netflow1 | netflow5 | netflow9 | ipfix}
    You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
    NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.
    Default: netflow9


identity <hexadecimal>
    Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).
    Default: 0x00000000

level {ip | mac | port | proto | vlan}
    You can set the flow-tracking level to one of the following:
    - ip: The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
    - mac: The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
    - port: The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
    - proto: The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
    - vlan: The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.
    Default: ip

max-export-pkt-size <integer>
    Set the maximum size in bytes of exported packets at the application level. The range of values is 512-9216.
    Default: 512

timeout-general <integer>
    Set the general timeout in seconds for the flow session. The range of values is 60-604800.
    Default: 3600

timeout-icmp <integer>
    Set the ICMP timeout for the flow session. The range of values is 60-604800.
    Default: 300

timeout-max <integer>
    Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.
    Default: 604800

timeout-tcp <integer>
    Set the TCP timeout for the flow session. The range of values is 60-604800.
    Default: 3600

timeout-tcp-fin <integer>
    Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.
    Default: 300

timeout-tcp-rst <integer>
    Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.
    Default: 120

timeout-udp <integer>
    Set the UDP timeout for the flow session. The range of values is 60-604800.
    Default: 300

transport {sctp | tcp | udp}
    You can set exported packets to use UDP, TCP, or SCTP for transport.
    Default: udp

config aggregates

<id>
    Enter the identifier.
    Default: none

ip <IPv4_address_mask>
    Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.
    Default: none


Example

This example shows how to configure flow export:


config system flow-export
set collector-ip 169.254.3.1
set collector-port 5
set format ipfix
set level ip
set transport tcp
end
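The NOTE above says that with NetFlow version 5 the sample rate placed in the export is taken from the lowest-numbered sampled port, so a collector has to read the sampling interval carried in every v5 header to turn the sampled counters back into traffic estimates. The following Python block is an added example, not FortiSwitch code or switch output: it builds one NetFlow v5 datagram from constructed flow data (placeholder addresses, ports and an assumed engine id) and decodes it, validating the header and scaling packet and byte counts by the interval. The layout is the fixed v5 header and record format; nothing in it is specific to Fortinet's exporter.

```python
"""Decode a NetFlow version 5 export datagram and apply its sampling interval.

Added example for this reference, not FortiSwitch or Fortinet code. A collector
that ignores the sampling_interval field of the v5 header under-counts sampled
traffic by that factor, which is why the note above about where the v5 sample
rate comes from matters on the receiving side. The flow data, addresses and
ports below are constructed placeholders, not a capture from a switch.
"""
import struct
from ipaddress import IPv4Address

# Fixed NetFlow v5 layouts: a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(flows, sample_rate, engine_id=0, seq=0):
    """Pack constructed flows into one v5 datagram (test data, not a capture).

    sampling_interval holds the sampling mode in its top two bits (1 = packet
    interval sampling) and the interval itself in the low 14 bits.
    """
    sampling = (1 << 14) | (sample_rate & 0x3FFF)
    header = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, seq, 0, engine_id, sampling)
    records = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
                       b"\0\0\0\0", f["in_if"], 0, f["pkts"], f["bytes"], 0, 0,
                       f["sport"], f["dport"], 0, f.get("flags", 0), f["proto"],
                       0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def decode_v5(datagram):
    """Return (header_info, records) for one v5 datagram, validating its lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, engine_id, sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but payload is truncated")
    interval = sampling & 0x3FFF
    scale = interval if interval else 1        # 0 means the exporter did not sample
    header = {"count": count, "sequence": seq, "engine_id": engine_id,
              "sample_rate": scale}
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "sport": r[9], "dport": r[10], "proto": r[13], "tcp_flags": r[12],
            "pkts": r[5], "bytes": r[6],
            # sampled counters times the interval estimate the real volume
            "est_pkts": r[5] * scale, "est_bytes": r[6] * scale,
        })
    return header, records


def is_well_formed(datagram):
    """True when decode_v5 accepts the datagram, False on any length/version error."""
    try:
        decode_v5(datagram)
        return True
    except ValueError:
        return False


def bytes_by_source(records):
    """Estimated bytes per source address, the usual first cut for a collector."""
    totals = {}
    for rec in records:
        totals[rec["src"]] = totals.get(rec["src"], 0) + rec["est_bytes"]
    return totals


# Constructed sample: one host, two sampled flows, exported at 1:64.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "192.0.2.10", "in_if": 5, "pkts": 3, "bytes": 180,
     "sport": 51000, "dport": 443, "proto": 6, "flags": 0x02},
    {"src": "10.1.2.3", "dst": "192.0.2.53", "in_if": 5, "pkts": 1, "bytes": 60,
     "sport": 51001, "dport": 53, "proto": 17},
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sample_rate=64, engine_id=7, seq=100)

if __name__ == "__main__":
    hdr, recs = decode_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for rec in recs:
        print(rec)
    print(bytes_by_source(recs))
```

The truncation check matters on UDP transport, the default for this command: a datagram whose header announces more records than arrived should be dropped rather than partially parsed, and a version field other than 5 means the switch is configured for a different export format than the collector expects.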

config system fsw-cloud

Use this command to configure the FortiSwitch Cloud. The FortiSwitch Cloud allows you to quickly check the status and
to configure multiple FortiSwitch units through a single management portal.
NOTE: To use the FortiSwitch Cloud, you must have a Cloud Management license, and your FortiSwitch unit must be
in standalone mode, connected to the Internet, and the system time must be accurate. To set the time on your
FortiSwitch unit, see config system ntp on page 192.

Syntax
config system fsw-cloud
set interval <integer>
set name <string>
set port <port_number>
set status {enable | disable}
end

interval <integer>
    The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.
    Default: 45

name <string>
    The domain name for the FortiSwitch Cloud.
    Default: fortiswitch-dispatch.forticloud.com

port <port_number>
    Port number used to connect to the FortiSwitch Cloud.
    Default: 443

status {enable | disable}
    Whether the FortiSwitch Cloud is enabled or disabled.
    Default: disable

Example

This example shows how to configure the FortiSwitch Cloud:


config system fsw-cloud
set interval 150
set name fortiswitch-dispatch.forticloud.com
set port 443
set status enable
end


config system global

Use this command to configure global settings that affect various FortiSwitch systems and configurations.

Syntax
config system global
set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA
| Fortinet_CA | Fortinet_CA2}
set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_
Firmware}
set admin-concurrent {enable | disable}
set admin-https-pki-required {enable | disable}
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}
set admin-lockout-duration <time_int>
set admin-lockout-threshold <failed_int>
set admin-port <port_number>
set admin-scp {enable | disable}
set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 |
Fortinet_Firmware}
set admin-sport <port_number>
set admin-ssh-grace-time <time_int>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set alertd-relog {enable | disable}
set alert-interval <1-1440 minutes>
set allow-subnet-overlap {enable | disable}
set arp-timeout <seconds>
set asset-tag <string>
set cfg-save {automatic | manual | revert}
set clt-cert-req {enable | disable}
set csr-ca-attribute {enable | disable}
set daily-restart {enable | disable}
set detect_ip_conflict {enable | disable}
set dhcp-client-location {description | hostname | intfname | mode | vlan}
set dhcp-option-format {ascii | legacy}
set dhcp-remote-id {hostname | ip | mac}
set dhcp-server-access-list {enable | disable}
set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
set dhcps-db-exp <number_of_seconds>
set dhcps-db-per-port-learn-limit <number_of_entries>
set dst {enable | disable}
set hostname <unithostname>
set image-rotation {enable | disable}
set ip-conflict-ignore-default {enable | disable}
set ipv6-accept-dad <0 | 1 | 2>
set ipv6-all-forwarding {enable | disable}
set kernel-crashlog {enable | disable}
set kernel-devicelog {enable | disable}
set l3-host-expiry {enable | disable}
set language <language>
set ldapconntimeout <ldaptimeout_msec>
set post-login-banner "<string>"
set pre-login-banner "<string>"
set private-data-encryption {enable | disable}
set radius-coa-port <port_number>
set radius-port <radius_port>
set remoteauthtimeout <timeout_sec>
set revision-backup-on-logout {enable | disable}
set revision-backup-on-upgrade {enable | disable}
set strong-crypto {enable | disable}
set switch-mgmt-mode {fortilink | local}
set tcp-mss-min <48-10000>
set tcp6-mss-min <48-10000>
set timezone <timezone_number>
end

802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    Set the CA certificate for port security (802.1x):
    - Entrust_802.1x_CA: Select this CA if you are using 802.1x authentication.
    - Entrust_802.1x_G2_CA: Select this CA if you want to use the Google Internet Authority G2.
    - Entrust_802.1x_L1K_CA: Select this CA if you want to use http://ocsp.entrust.net.
    - Fortinet_CA: Select this CA if you want to use the factory-installed certificate.
    - Fortinet_CA2: Select this CA if you want to use the factory-installed certificate.
    Default: Entrust_802.1x_CA

802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
    Set the certificate for port security (802.1x):
    - Entrust_802.1x: This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
    - Fortinet_Factory: This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    - Fortinet_Factory2: This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    - Fortinet_Firmware: This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
    Default: Entrust_802.1x

admin-concurrent {enable | disable}
    Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.
    Default: enable


admin-https-pki-required {enable | disable}
    Enable to allow a user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting of disable allows admin users to log in by providing a valid certificate or password.
    Default: disable

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}
    Set the allowed SSL/TLS versions for Web administration.
    Default: tlsv1-1 tlsv1-2 tlsv1-3

admin-lockout-duration <time_int>
    Set the administration account's lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.
    Default: 60

admin-lockout-threshold <failed_int>
    Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.
    Default: 3

admin-port <port_number>
    Enter the port to use for HTTP administrative access.
    Default: 80

admin-scp {enable | disable}
    Enable to allow system configuration download by the secure copy (SCP) protocol.
    Default: disable

admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
    Select the administration HTTPS server certificate to use:
    - self-sign: Use a self-signed security certificate. Self-signed certificates are free and will encrypt the data just as securely as a purchased certificate. Self-signed certificates, however, are not likely to be recognized by the CA certificate store and so will be considered invalid by any checks against that store.
    - Entrust_802.1x: This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
    - Fortinet_Factory: This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    - Fortinet_Factory2: This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    - Fortinet_Firmware: This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
    Default: Fortinet_Firmware

admin-sport <port_number>
    Enter the port to use for HTTPS administrative access.
    Default: 443

admin-ssh-grace-time <time_int>
    Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. The range is 10 to 3600 seconds.
    Default: 120


admin-ssh-port <port_number>
    Enter the port to use for SSH administrative access.
    Default: 22

admin-ssh-v1 {enable | disable}
    Enable compatibility with SSH v1.0.
    Default: disable

admin-telnet-port <port_number>
    Enter the port to use for telnet administrative access.
    Default: 23

admintimeout <admin_timeout_minutes>
    Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
    Default: 5

alertd-relog {enable | disable}
    Enable or disable re-logs when a sensor exceeds its threshold.
    Default: disable

alert-interval <1-1440 minutes>
    NOTE: This command is only available after the alertd-relog option has been enabled.
    Set how often an alert is generated for temperature sensors when they exceed their set thresholds.
    Default: 30

allow-subnet-overlap {enable | disable}
    Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.
    Note: Different interfaces cannot have overlapping IP addresses or subnets.
    Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
    Default: disable

arp-timeout <seconds>
    Set the number of seconds before dynamic ARP entries are removed from the cache.
    Default: 300

asset-tag <string>
    LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).
    Default: none

cfg-save {automatic | manual | revert}
    Set the method for saving the FortiSwitch system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
    - automatic: automatically save the configuration after every change.
    - manual: manually save the configuration using the execute acl key-compaction on page 301 command.
    - revert: manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
    Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.
    Default: automatic

clt-cert-req {enable | disable}
    Enable or disable the requirement to have a client certificate to log in to the GUI.
    Default: disable

csr-ca-attribute {enable | disable}
    Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.
    Default: enable

daily-restart {enable | disable}
    Enable to restart the FortiSwitch every day. The time of the restart is controlled by restart-time.
    Default: disable

detect_ip_conflict {enable | disable}
    Enable the Detect IP Conflict feature.
    Default: enable

dhcp-client-location {description | hostname | intfname | mode | vlan}
    Select which parameters to include to describe the client location. Separate multiple parameters with a space.
    - description: Include the interface description.
    - hostname: Include the host name.
    - intfname: Include the interface name.
    - mode: Include the mode.
    - vlan: Include the VLAN.
    Default: intfname vlan mode

dhcp-option-format {ascii | legacy}
    Select the format for the DHCP string:
    - ascii: This format allows the user to choose the values for the circuit-id and remote-id fields.
    - legacy: This format generates a predefined fixed format for the circuit-id and remote-id fields.
    Default: ascii

dhcp-remote-id {hostname | ip | mac}
    Select which parameters to include in the remote-id field:
    - hostname: Include the host name.
    - ip: Include the IP address.
    - mac: Include the MAC address.
    Default: mac

dhcp-server-access-list {enable | disable}
    Set to disable for DHCP snooping to allow any DHCP server from trusted interfaces. Set to enable for DHCP snooping to allow only DHCP servers that are included in the allowed server list.
    Default: disable

dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
    Select which transmission mode to use for broadcasting client DHCP packets:
    - drop-untrusted: Client packets are broadcast on trusted ports in the VLAN.
    - forward-untrusted: By default, client packets are broadcast on all ports in the VLAN.
    Default: forward-untrusted

dhcps-db-exp <number_of_seconds>
    Set the number of seconds for a DHCP-snooping server database entry to be kept. The range of values is 300-259200.
    Default: 86400


dhcps-db-per-port-learn-limit <number_of_entries>
    Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024.
    Default: 64

dst {enable | disable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
    Default: enable

hostname <unithostname>
    Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underscores. No spaces are allowed. While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI and in other locations where the hostname is used. Some models support hostnames up to 35 characters. By default the hostname of your system is its serial number, which includes the model.
    Default: the FortiSwitch serial number

image-rotation {enable | disable}
    Enable or disable the rotation of the partition used to upgrade the FortiSwitch image.
    Default: enable

ip-conflict-ignore-default {enable | disable}
    Enable or disable IP conflict detection for the default IP address.
    Default: enable

ipv6-accept-dad <0 | 1 | 2>
    Specify whether to accept IPv6 duplicate address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found.
    Default: 1

ipv6-all-forwarding {enable | disable}
    Enable or disable IPv6 forwarding.
    Default: enable

kernel-crashlog {enable | disable}
    Enable or disable logging of a kernel crash.
    Default: enable

kernel-devicelog {enable | disable}
    Enable or disable the capture of kernel device messages to the log.
    Default: enable

l3-host-expiry {enable | disable}
    Enable or disable layer-3 host expiry.
    Default: disable

language <language>
    Set the display language. You can set <language> to one of english, french, japanese, korean, portuguese, spanish, simch (Simplified Chinese), or trach (Traditional Chinese).
    Default: english

ldapconntimeout <ldaptimeout_msec>
    LDAP connection timeout in milliseconds.
    Default: 500

post-login-banner "<string>"
    Enter a message for the system post-login banner.
    Default: none


pre-login-banner "<string>"
    Enter a message for the system pre-login banner.
    Default: none

private-data-encryption {enable | disable}
    Enable or disable private data encryption using an AES 128-bit key.
    Default: disable

radius-coa-port <port_number>
    Set the port number to be used for the RADIUS change of authorization (CoA).
    Default: 3799

radius-port <radius_port>
    Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, you can use the CLI to change the default RADIUS port on your system.
    Default: 1812

remoteauthtimeout <timeout_sec>
    The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds; 0 means no timeout. To improve security, keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.
    Default: 5

revision-backup-on-logout {enable | disable}
    Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI.
    Default: enable

revision-backup-on-upgrade {enable | disable}
    Enable or disable backing up the latest configuration revision when the administrator starts an upgrade.
    Default: enable

strong-crypto {enable | disable}
    Enable strong encryption, which allows only strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta).
    NOTE: Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.
    Default: disable

switch-mgmt-mode {fortilink | local}
    Determines whether the switch is managed locally or managed by a FortiGate through a FortiLink connection.
    Default: local

tcp-mss-min <48-10000>
    Enter the minimum allowed TCP MSS value in bytes.
    Default: 48

tcp6-mss-min <48-10000>
    Enter the minimum allowed TCP MSS value in bytes.
    Default: 48

timezone <timezone_number>
    The number corresponding to your time zone, from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiSwitch from the list and enter the correct number.
    Default: 00

Example

This example shows how to set your private data encryption key:


S548DN5018000535 # config system global

S548DN5018000535 (global) # set private-data-encryption enable

S548DN5018000535 (global) # end


Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdefabcdef0123456789
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdefabcdef0123456789
Your private data encryption key is accepted.

This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try
again to log in to five minutes:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
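The config system dhcp server and config system global tables above describe settings whose consistency is easy to get wrong in a long configuration. The following Python block is an added example for this reference, not Fortinet code: it parses the config/edit/set/next/end syntax shown in the examples on this page, checks a config system dhcp server entry (gateway, ip-range and reserved addresses inside the subnet given by netmask, and no reserved address inside an exclude-range, where the server would never hand it out), and flags config system global settings that depart from what this reference recommends (admintimeout above the default 5 minutes, admin-ssh-v1 enabled, strong-crypto disabled, tlsv1-0 or tlsv1-1 allowed for Web administration). SAMPLE_CONFIG is constructed for the demonstration; its addresses and MAC address are placeholders, and the block serves both the DHCP server section and this one.

```python
"""Audit FortiSwitch CLI configuration blocks for consistency and hardening.

Added example for this reference, not Fortinet code. parse_cli reads the
config/edit/set/next/end syntax used in this chapter; check_dhcp_server tests a
`config system dhcp server` entry against its netmask and exclude-range, and
check_global flags `config system global` settings that depart from the
recommendations above. SAMPLE_CONFIG is constructed, not a real switch dump.
"""
import shlex
from ipaddress import ip_address, ip_network


def parse_cli(text):
    """config/edit open a nested dict, set stores one value (string) or several
    (list), next/end close the level. Quoted values are unquoted by shlex."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] == "set" and len(tok) >= 3:
            stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok and tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_dhcp_server(entry):
    """Findings for one dhcp server entry; an empty list means consistent."""
    ranges = entry.get("ip-range", {})
    if not ranges:
        return ["no ip-range configured, so the server cannot lease addresses"]
    first = next(iter(ranges.values()))["start-ip"]
    subnet = ip_network(f"{first}/{entry.get('netmask', '0.0.0.0')}", strict=False)
    findings = []
    gateway = ip_address(entry.get("default-gateway", "0.0.0.0"))
    if gateway not in subnet:
        findings.append(f"default-gateway {gateway} is outside {subnet}")
    for rid, r in ranges.items():
        lo, hi = ip_address(r["start-ip"]), ip_address(r["end-ip"])
        if lo > hi or lo not in subnet or hi not in subnet:
            findings.append(f"ip-range {rid} {lo}-{hi} is not inside {subnet}")
    excluded = [(ip_address(r["start-ip"]), ip_address(r["end-ip"]))
                for r in entry.get("exclude-range", {}).values()]
    for rid, r in entry.get("reserved-address", {}).items():
        if r.get("action", "reserved") != "reserved":
            continue                      # assign/block entries carry no IP
        ip = ip_address(r.get("ip", "0.0.0.0"))
        if ip not in subnet:
            findings.append(f"reserved-address {rid}: {ip} is outside {subnet}")
        elif any(lo <= ip <= hi for lo, hi in excluded):
            findings.append(f"reserved-address {rid}: {ip} is inside an exclude-range")
    return findings


def check_global(g):
    """Findings for `config system global`; an empty list means hardened."""
    findings = []
    versions = g.get("admin-https-ssl-versions", [])
    legacy = [v for v in ([versions] if isinstance(versions, str) else versions)
              if v in ("tlsv1-0", "tlsv1-1")]
    if legacy:
        findings.append("admin-https-ssl-versions allows " + " ".join(legacy))
    if g.get("admin-ssh-v1") == "enable":
        findings.append("admin-ssh-v1 is enabled")
    if g.get("strong-crypto", "disable") != "enable":
        findings.append("strong-crypto is disabled")
    if int(g.get("admintimeout", 5)) > 5:
        findings.append(f"admintimeout {g['admintimeout']} exceeds the recommended 5 minutes")
    return findings


# Constructed sample in the flat layout this reference uses for its examples.
SAMPLE_CONFIG = """config system dhcp server
edit 1
set default-gateway 50.50.50.2
set netmask 255.255.0.0
config ip-range
edit 1
set start-ip 50.50.0.5
set end-ip 50.50.0.10
next
end
config exclude-range
edit 1
set start-ip 50.50.0.8
set end-ip 50.50.0.9
next
end
config reserved-address
edit 1
set mac 00:11:22:33:44:55
set ip 50.50.0.9
next
end
next
end
config system global
set admin-https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
set admin-ssh-v1 enable
set admintimeout 30
set strong-crypto disable
end
"""

if __name__ == "__main__":
    cfg = parse_cli(SAMPLE_CONFIG)
    print(check_dhcp_server(cfg["system dhcp server"]["1"]))
    print(check_global(cfg["system global"]))
```

The parser keeps each `config` block and each `edit` entry as its own dict, so the same two functions run unchanged over a full configuration backup; run them over the output of the switch's show command for those blocks rather than typing settings in by hand.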

config system interface

Use this command to edit the configuration of an interface.

If you enter a name string in the edit command that is not the name of a physical interface,
the command creates a VLAN subinterface.

Syntax
config system interface
edit <interface_name>
set allowaccess <access_types>
set alias <name_string>
set bfd {enable | disable | global}
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set description <text>
set dhcp-relay-service {enable | disable}
set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
set dhcp-relay-option82 {enable | disable}
set dhcp-vendor-specific-option <string>
set external {enable | disable}
set fail-detect {enable | disable}
set fail-detect-option {link-down | detectserver}
set fail-alert-method {link-down | link-failed-signal}
set fail-alert-interfaces {port1 port2 ...}
set icmp-redirect {enable | disable}
set interface <interface_name>
set ip <interface_ipv4mask>
set log {enable | disable}
set mode <static | dhcp>
set dhcp-client-identifier <client_name_str>
set distance <1-255>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set mtu-override {enable | disable}
set secondary-IP {enable | disable}
set snmp-index <integer>
set src-check {disable | loose | strict}
set src-check-allow-default {enable | disable}
set status {down | up}
set type {loopback | vlan}
set vlanid <id_number>
set vrf <string>
set vrrp-virtual-mac {enable | disable}
config ipv6
set ip6-address <ipv6_netmask>
set ip6-allowaccess <access_types>
set autoconf {disable | enable}
set ip6-unknown-mcast-to-cpu {disable | enable}
set ip6-mode {dhcp | static}
set ip6-dns-server-override {disable | enable}
set dhcp6-information-request {disable | enable}
set ip6-send-adv {disable | enable}
set ip6-manage-flag {disable | enable}
set ip6-other-flag {disable | enable}
set ip6-max-interval <4-1800>
set ip6-min-interval <3-1350>
set ip6-link-mtu <integer>
set ip6-reachable-time <0-3600000>
set ip6-retrans-time <0-2147483647>
set ip6-default-life <0-9000>
set ip6-hop-limit <0-255>
set vrip6_link_local {enable | disable}
set vrrp-virtual-mac6 {enable | disable}
config ip6-extra-address
edit <prefix_ipv6>
end
config ip6-prefix-list
edit <prefix_ipv6>
set autonomous-flag {disable | enable}
set onlink-flag {disable | enable}
set preferred-life-time <0-2147483647>
set valid-life-time <0-2147483647>
end
end
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set version {2 | 3}
set vrdst <ipv4_addr>
set vrgrp <integer>
set vrip <ipv4_addr>

A VLAN cannot have the same name as a zone or a virtual domain.

Variable Description Default

<interface_name> Edit an existing interface or create a new VLAN interface. No default

allowaccess <access_types> Enter the types of management access permitted on this Varies for each
interface or secondary IP address. Valid types are: interface.
http https ping radius-acct snmp ssh telnet.
Separate each type with a space.
To add or remove an option from the list, retype the complete
list as required.

alias <name_string> Enter an alias name for the interface. Once configured, the No default.
alias will be displayed with the interface name to make it
easier to distinguish. The alias can be a maximum of 25
characters. This option is only available when interface type is
physical.

bfd {enable | disable | global} The status of bidirectional forwarding detection (bfd) on this global
interface:
l enable — enable BFD and ignore global BFD configuration.
l disable — disable BFD on this interface.
l global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.

bfd-desired-min-tx <interval_msec> Enter the minimum desired interval for the BFD transmit 50
interval. Valid range is from 1 to 100 000 msec. This option is
available only when bfd is enabled.

bfd-detect-mult <multiplier> Select the BFD detection multiplier. This option is available 3
only when bfd is enabled.

bfd-required-min-rx <interval_msec> Enter the minimum required interval for the BFD receive 50
interval. Valid range is from 1 to 100 000 msec. This option is
available only when bfd is enabled.

description <text> Optionally, enter up to 63 characters to describe this interface. No default

dhcp-relay-service {enable | Enable to provide DHCP relay service on this interface. The disable
disable} DHCP type relayed depends on the setting of dhcp-relay-
type.
There must be no other DHCP server of the same type (regular
or ipsec) configured on this interface.

dhcp-relay-ip <dhcp_relay1_ Set DHCP relay IP addresses. You can specify up to eight No default
ipv4> {... <dhcp_relay8_ipv4>} DHCP relay servers for DHCP coverage of subnets. Replies
from all DHCP servers are forwarded back to the client. The
client responds to the offer it wants to accept.
Do not set dhcp-relay-ip to 0.0.0.0. This option is
available only when dhcp-relay-service is enabled.

dhcp-relay-option82 {enable | Enable to allow option-82 insertion in the DHCP relay. This disable
disable} option is available only when dhcp-relay-service is
enabled.

dhcp-vendor-specific-option Set the value for DHCP vendor-specific option 43. No default
<string>

external {enable | disable} Enable to indicate that an interface is an external interface disable
connected to an external network. This option is used for SIP
NAT when the config VoIP profile SIP contact-
fixup option is disabled.

fail-detect {enable | disable} Enable interface failure detection. disable

fail-detect-option {link-down Select whether the system detects interface failure by port link-down
| detectserver} detection (link-down) or ping server (detectserver).
This option is available only when fail-detect is enabled.

fail-alert-method Select the signal that the system uses to signal the link failure: link-down
{link-down | link-failed-signal} Link Down or Link Failed. This option is available only when
fail-detect is enabled.

fail-alert-interfaces {port1 port2 Select the interfaces to which failure detection applies. This No default
...} option is available only when fail-detect is enabled.

icmp-redirect {enable | disable} Disable to stop ICMP redirect from sending from this interface. enable
ICMP redirect messages are sent by a router to notify the
original sender of packets that there is a better route available.

interface <interface_name> Enter the name of the interface. This option is available only internal
when vlanid is set.

ip <interface_ipv4mask> Enter the interface IP address and netmask. This option is not Varies for each
available if mode is set to dhcp. You can set the IP and interface.
netmask, but they are not displayed. This is only available in
NAT/Route mode. The IP address cannot be on the same
subnet as any other interface.

log {enable | disable} Enable or disable traffic logging of connections to this disable
interface. Traffic will be logged only when it is on an
administrative port. All other traffic will not be logged. Enabling
this setting may reduce system performance, and is normally
used only for troubleshooting.

mode <interface_mode> Configure the connection mode for the interface as one of: static
l static — configure a static IP address for the interface.
l dhcp — configure the interface to receive its IP address
from an external DHCP server.

dhcp-client-identifier Override the default DHCP client identifier used by this No default
interface. The DHCP client identifier is used by DHCP to
identify individual DHCP clients (in this case individual
interfaces). By default, the DHCP client identifier for each
interface is created based on the model name and the
interface MAC address. In some cases, you might want to
specify your own DHCP client identifier using this command.
This option is available only when the mode is set to dhcp.

distance <1-255> Enter the distance of learned routes. 5


This command is available only when mode is set to dhcp.

defaultgw {enable | disable} Enable to get the gateway IP address from the DHCP server. disable
This option is available only when the mode is set to dhcp.

dns-server-override {enable | Disable to prevent this interface from using DNS server enable
disable} addresses it acquires by DHCP. This option is available only
when the mode is set to dhcp.

mtu-override {enable | disable} Select enable to use custom MTU size instead of default disable
(1 500). This is available only for physical interfaces and some
tunnel interfaces (not IPsec). If you change the MTU size, you
must reboot the FortiSwitch to update the MTU values of the
VLANs on this interface. Some models support MTU sizes
larger than the standard 1 500 bytes.

secondary-IP {enable | disable} Enable to add a secondary IP address to the interface. This disable
option must be enabled before configuring a secondary IP
address. When disabled, the Web-based manager interface
displays only the option to enable secondary IP.

snmp-index <integer> Configure the SNMP index

src-check {disable | loose | strict} Set to disable if you do not want to use unicast reverse-path disable
forwarding (uRPF).
Set to strict to ensure that the packet was received on the
same interface that the router uses to forward the return
packet.
Set to loose to ensure that the routing table includes the
source IP address of the packet.

src-check-allow-default {enable | disable} If this option is disabled, the packet is dropped if the source IP disable
address is not found in the routing table. If this option is enabled,
the packet is allowed even if the source IP address is not found in
the routing table, as long as a default route is found in the routing table.
This option is available only when src-check is set to
loose.

status {down | up} Start or stop the interface. If the interface is stopped, it does up(down for
not accept or send packets. If you stop a physical interface, VLANs)
associated virtual interfaces such as VLAN interfaces will also
stop.

type {loopback | vlan} Enter the type of interface. NOTE: Some types are read only vlan
and are set automatically by hardware.
l loopback — a virtual interface that is always up. This interface's status and link status are not affected by
external changes. It is primarily used for blackhole routing
- dropping all packets that match this route. This route is
advertised to neighbors through dynamic routing protocols
as any other static route. loopback interfaces have no
dhcp settings, no forwarding, no mode, or dns settings.
You can create a loopback interface from the CLI or Web-
based manager.
l vlan — a virtual LAN interface. This is the type of interface created by default on any existing physical
interface. VLANs increase the number of network
interfaces beyond the physical connections on the
system. VLANs cannot be configured on a switch mode
interface in Transparent mode.

vlanid <id_number> Enter a VLAN ID that matches the VLAN ID of the packets to No default
be received by this VLAN subinterface. The VLAN ID can be
any number between 1 and 4094, as 0 and 4095 are reserved,
but it must match the VLAN ID added by the IEEE 802.1Q-
compliant router on the other end of the connection. Two
VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or
more VLAN subinterfaces with the same VLAN ID to different
physical interfaces, and you can add more multiple VLANs with
different VLAN IDs to the same physical interface. This is
available only when editing an interface with a type of VLAN.

vrf <string> Assign this virtual routing and forwarding (VRF) instance to a No default
switch virtual interface (SVI).
After the SVI is created, the VRF instance cannot be changed
or unset. The VRF instance cannot be assigned to an internal
SVI.

vrrp-virtual-mac Enable VRRP virtual MAC addresses for the IPv4 VRRP disable
{enable | disable} routers added to this interface. See RFC 5798 for information
about the VRRP virtual MAC addresses.

config ipv6

Configure IPv6 settings for the interface.

Syntax
config system interface
edit <interface_name>
config ipv6
set ip6-address <ipv6_netmask>
set ip6-allowaccess <access_types>
set autoconf {disable | enable}
set ip6-unknown-mcast-to-cpu {disable | enable}
set ip6-mode {dhcp | static}
set ip6-dns-server-override {disable | enable}
set dhcp6-information-request {disable | enable}
set ip6-send-adv {disable | enable}
set ip6-manage-flag {disable | enable}
set ip6-other-flag {disable | enable}
set ip6-max-interval <4-1800>
set ip6-min-interval <3-1350>
set ip6-link-mtu <integer>
set ip6-reachable-time <0-3600000>
set ip6-retrans-time <0-2147483647>
set ip6-default-life <0-9000>
set ip6-hop-limit <0-255>
set vrip6_link_local {enable | disable}
set vrrp-virtual-mac6 {enable | disable}
config ip6-extra-address
edit <prefix_ipv6>
end
config ip6-prefix-list
edit <prefix_ipv6>
set autonomous-flag {disable | enable}
set onlink-flag {disable | enable}
set preferred-life-time <0-2147483647>
set valid-life-time <0-2147483647>
end
end
end

Variable Description Default

<interface_name> Edit an existing interface or create a new VLAN interface. No default

ip6-address <ipv6_netmask> The interface IPv6 address and netmask. The format for IPv6 ::/0
addresses and netmasks is described in RFC 3513.
This command is only available in NAT/Route mode.

ip6-allowaccess <access_types> Enter the types of management access permitted on this IPv6 Varies for each
interface. Valid types are: fgfm, http, https, ping, interface.
snmp, ssh, and telnet. Separate the types with spaces. If
you want to add or remove an option from the list, retype the
list as required.

autoconf {disable | enable} Enable or disable the automatic address configuration. disable

ip6-unknown-mcast-to-cpu Enable or disable the sending of unknown multicast addresses disable
{disable | enable} to the CPU.

ip6-mode {dhcp | static} Set the addressing mode to be static or DHCP. static
DHCP addressing mode is available only when autoconf is
disabled.

ip6-dns-server-override {disable | Enable or disable using the DNS server acquired by DHCP. enable
enable} This command is available only when the ip6-mode is set to
dhcp.

dhcp6-information-request Enable or disable the DHCPv6 information request. disable
{disable | enable}

ip6-send-adv {disable | enable} Enable or disable the sending of the IPv6 router disable
advertisement.
This command is only available when autoconf is disabled.

ip6-manage-flag {disable | Enable or disable the sending of the IPv6 managed flag. disable
enable}

ip6-other-flag {disable | enable} Enable or disable the sending of the IPv6 other flag. disable

ip6-max-interval <4-1800> Specify the maximum number of seconds before the RA is 600
sent.

ip6-min-interval <3-1350> Specify the minimum number of seconds before the RA is sent. 198

ip6-link-mtu <integer> Specify the IPv6 link maximum transmission unit. 0

ip6-reachable-time <0-3600000> Specify the IPv6 reachable time in milliseconds. 0

ip6-retrans-time <0-2147483647> Specify the IPv6 retransmit time in milliseconds. 0

ip6-default-life <0-9000> Specify the IPv6 default life in seconds. 1800

ip6-hop-limit <0-255> Specify the maximum number of IPv6 hops. 0

vrip6_link_local {enable | Enter the link-local IPv6 address of virtual router. No default
disable}

vrrp-virtual-mac6 {enable | Enable VRRP virtual MAC addresses for the IPv6 VRRP disable
disable} routers added to this interface. See RFC 5798 for information
about the VRRP virtual MAC addresses.

config ip6-extra-addr
<prefix_ipv6> IPv6 address prefix. Configure additional IPv6 prefixes for this No default
IPv6 interface.

config ip6-prefix-list
<prefix_ipv6> IPv6 advertised prefix list. Configure which IPv6 prefixes are No default
advertised.

autonomous-flag {disable | enable} Enable or disable the autonomous flag. enable

onlink-flag {disable | enable} Enable or disable the onlink flag. disable

preferred-life-time <0- Specify the preferred lifetime in seconds for the advertised 604800
2147483647> IPv6 prefix.

valid-life-time <0-2147483647> Specify the valid lifetime in seconds for the advertised IPv6 2592000
prefix.

config secondaryip

Configure a second IP address for the interface.

Syntax
config system interface
edit <interface_name>
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
end
end

Variable Description Default

<interface_name> Edit an existing interface or create a new VLAN interface. No default

<id> Identifier. No default

ip <IP_address_and_netmask> Enter the IP address and netmask. 0.0.0.0 0.0.0.0

allowaccess <access_types> Enter the types of management access permitted on this No default
interface or secondary IP address. Valid types are:
http https ping radius-acct snmp ssh telnet.
Separate each type with a space.
To add or remove an option from the list, retype the complete
list as required.

config vrrp

Add one or more VRRP virtual routers to an interface. For information about VRRP, see RFC 5798.

Syntax
config system interface
edit <interface_name>
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set version {2 | 3}
set vrdst <ipv4_addr>
set vrgrp <integer>
set vrip <ipv4_addr>
end

Variable Description Default

<interface_name> Edit an existing interface or create a new VLAN interface. No default

<VRID_int> VRRP virtual router ID (1 to 255). Identifies the VRRP virtual None
router.

adv-interval <seconds_int> VRRP advertisement interval (1-255 seconds). 1

preempt {enable | disable} Enable or disable VRRP preempt mode. In preempt mode a enable
higher priority backup system can preempt a lower priority
master system.

priority <prio_int> Priority of this virtual router (1-255). The VRRP virtual router on 100
a network with the highest priority becomes the master.

start-time <seconds_int> The startup time of this virtual router (1-255 seconds). The 3
startup time is the maximum time that the backup system
waits between receiving advertisement messages from the
master system.

status {enable | disable} Enable or disable this virtual router. enable

version {2 | 3} Set the VRRP version to VRRP version 2 or VRRP version 3. 2

vrdst <ipv4_addr> Monitor the route to this destination. 0.0.0.0

vrgrp <integer> VRRP group identifier. The value range is 1-65535. 0

vrip <ipv4_addr> IP address of the virtual router. 0.0.0.0

Example

This example shows how to configure VRRP:


config system interface
edit "vlan-8"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http ssh
set vrrp-virtual-mac enable
config vrrp
edit 5
set priority 255
set vrgrp 50
set vrip 11.1.1.100
next
edit 6
set priority 200
set vrgrp 50
set vrip 11.1.1.100
next
edit 7
set priority 150
set vrgrp 50
set vrip 11.1.1.100
next
end
set snmp-index 20
set vlanid 8
set interface "internal"
next
end
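The following Python script is an added example and is not Fortinet code or part of this reference. It parses a configuration dump written in the config / edit / set / next / end form used throughout this chapter and then audits the interface table from a defender's standpoint: it reports every interface whose allowaccess list still permits telnet or http (both carry administrator credentials in cleartext), every interface whose src-check is left at its default of disable (no uRPF), and it ranks the VRRP virtual routers on an interface by priority, the highest of which becomes master. The sample configuration, its addresses, VLAN ID and VRIDs are constructed for the example.

```python
"""Audit a FortiSwitch-style configuration dump for management-plane exposure.

Added example, not Fortinet code. The parser follows the config / edit /
set / next / end nesting shown in this reference; the sample configuration
below is constructed (addresses, VLAN and VRIDs are made up).
"""
import shlex

# Management services that carry credentials or sessions in cleartext.
CLEARTEXT_ACCESS = {"telnet", "http"}

SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh snmp
        set src-check strict
    next
    edit "vlan-8"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vrrp-virtual-mac enable
        config vrrp
            edit 5
                set priority 255
                set vrgrp 50
                set vrip 10.10.10.100
            next
            edit 6
                set priority 200
                set vrgrp 50
                set vrip 10.10.10.100
            next
        end
        set vlanid 8
        set interface "internal"
    next
end
"""


def parse_config(text):
    """Return nested dicts: table -> entry -> {"set": {...}, <sub-table>: {...}}.

    ``next`` closes the current ``edit``; ``end`` closes the enclosing
    ``config`` block together with any ``edit`` still open inside it.
    """
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        _, frame = stack[-1]
        if kw == "config":
            stack.append(("config", frame.setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", frame.setdefault(args[0], {})))
        elif kw == "set":
            frame.setdefault("set", {})[args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":
            while stack.pop()[0] != "config":
                pass
    return root


def audit_interfaces(config):
    """Return (interface, finding) pairs for weak management-plane settings."""
    findings = []
    for name, entry in config.get("system interface", {}).items():
        if name == "set":          # table-level settings, not an interface
            continue
        settings = entry.get("set", {})
        for proto in sorted(CLEARTEXT_ACCESS & set(settings.get("allowaccess", []))):
            findings.append((name, f"allowaccess permits cleartext {proto}"))
        # src-check defaults to disable per the table above, so absence counts.
        if settings.get("src-check", ["disable"])[0] == "disable":
            findings.append((name, "src-check disabled: uRPF not enforced"))
    return findings


def vrrp_ranking(config, interface):
    """List (VRID, priority) for the interface's virtual routers, highest first.

    Priority defaults to 100 as in the VRRP table above; the router with the
    highest priority becomes master.
    """
    routers = config["system interface"][interface].get("vrrp", {})
    ranked = sorted(
        ((int(r.get("set", {}).get("priority", ["100"])[0]), vrid)
         for vrid, r in routers.items()),
        reverse=True,
    )
    return [(vrid, prio) for prio, vrid in ranked]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for iface, msg in audit_interfaces(cfg):
        print(f"{iface}: {msg}")
    print("VRRP ranking on vlan-8:", vrrp_ranking(cfg, "vlan-8"))
```

Feed the script a saved configuration instead of SAMPLE_CONFIG to audit a real switch; the parser keeps every set value as a list of tokens, so multi-value settings such as allowaccess and ip (address plus netmask) are preserved as written.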

config system ipv6-neighbor-cache

Use this command to configure the IPv6 neighbor cache table:


config system ipv6-neighbor-cache
edit <id>
set interface {<string> | internal | mgmt}
set ipv6 <IPv6_address>
set mac <MAC_address>
end

Variable Description Default

<id> Enter a unique integer to create a new entry. No default

interface <interface_name> Required. Enter the interface. No default

ipv6 <IPv6_address> Enter the IPv6 address in the following format: ::

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

mac <MAC_address> Enter the MAC address in the following format: 00:00:00:00:00:00

xx:xx:xx:xx:xx:xx

Example

This example shows how to configure an entry in the IPv6 neighbor cache table.
config system ipv6-neighbor-cache
edit 1
set interface internal
set ipv6 e80::a5b:eff:fef1:95e4
set mac 00:21:cc:d2:76:72
end

config system link-monitor

Use this command to configure the link health monitor.


config system link-monitor
edit <link monitor name>
set addr-mode {ipv4 | ipv6}
set srcintf <string>
set protocol {arp | ping}
set gateway-ip <IPv4 address>
set gateway-ip6 <IPv6 address>
set source-ip <IPv4 address>
set source-ip6 <IPv6 address>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-static-route {enable | disable}
set status {enable | disable}
next
end

Variable Description Default

<link monitor name> Enter the link monitor name. No default

addr-mode {ipv4 | ipv6} Select whether to use IPv4 or IPv6 addresses. ipv4

srcintf <string> Interface where the monitor traffic is sent. No default

protocol {arp | ping} Protocols used to detect the server. Select ARP or ping. arp

gateway-ip Gateway IPv4 address used to PING the server. This option is 0.0.0.0
<IPv4 address> available only when addr-mode is set to ipv4.

gateway-ip6 <IPv6 Gateway IPv6 address used to PING the server. This option is No default
address> available only when addr-mode is set to ipv6.

source-ip Source IPv4 address used in packet to the server. This option is 0.0.0.0
<IPv4 address> available only when addr-mode is set to ipv4.

source-ip6 <IPv6 Source IPv6 address used in packet to the server. This option is No default
address> available only when addr-mode is set to ipv6.

interval <integer> Detection interval in seconds. The range is 1-3600. 5

timeout <integer> Detect request timeout in seconds. The range is 1-255. 1

failtime <integer> Number of retry attempts before bringing server down. The range is 5
1-10.

recoverytime <integer> Number of retry attempts before bringing server up. The range is 1- 5
10.

update-static-route Enable or disable update static route. enable
{enable | disable}

status {enable | disable} Enable or disable link monitor administrative status. enable
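The following Python model is an added example, not Fortinet code, of how the failtime and recoverytime settings above interact: a gateway is declared down only after failtime consecutive probe failures and declared up again only after recoverytime consecutive successes, so a single lost reply or a single stray reply does not flip the state (and, where update-static-route is enabled, does not churn the routing table). The probe log is constructed.

```python
"""Model the up/down hysteresis of ``config system link-monitor``.

Added example, not Fortinet code. ``failtime`` consecutive probe failures
mark the monitored gateway down; ``recoverytime`` consecutive successful
probes mark it up again, so a single lost or stray reply never flips the
state. The probe log below is constructed.
"""


class LinkMonitor:
    def __init__(self, failtime=5, recoverytime=5):
        # Ranges as given in the table above.
        if not 1 <= failtime <= 10 or not 1 <= recoverytime <= 10:
            raise ValueError("failtime and recoverytime must be within 1-10")
        self.failtime = failtime
        self.recoverytime = recoverytime
        self.up = True
        self.failures = 0       # consecutive failed probes
        self.successes = 0      # consecutive successful probes
        self.transitions = []   # (time in seconds, "up" or "down")

    def observe(self, probe_ok, now):
        """Record one probe result and return the monitor state after it."""
        if probe_ok:
            self.failures, self.successes = 0, self.successes + 1
            if not self.up and self.successes >= self.recoverytime:
                self.up = True
                self.transitions.append((now, "up"))
        else:
            self.successes, self.failures = 0, self.failures + 1
            if self.up and self.failures >= self.failtime:
                self.up = False
                self.transitions.append((now, "down"))
        return self.up


# Constructed probe log: True = reply received, False = timeout.
SAMPLE_PROBES = [True] * 3 + [False] * 4 + [True] + [False] * 5 + [True] * 5


def run_probe_log(results, failtime=5, recoverytime=5, interval=5):
    """Replay a probe log at ``interval`` seconds per probe; return transitions."""
    monitor = LinkMonitor(failtime, recoverytime)
    for i, ok in enumerate(results):
        monitor.observe(ok, i * interval)
    return monitor.transitions


if __name__ == "__main__":
    print(run_probe_log(SAMPLE_PROBES))               # defaults: 5 / 5
    print(run_probe_log(SAMPLE_PROBES, failtime=3))   # faster failover
```

With the defaults the four early failures are forgotten by the single reply that follows them, and only the later run of five failures brings the gateway down; lowering failtime to 3 trades that tolerance for faster failover.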

config system location

Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.
config system location
edit <name>
config address-civic
set additional <string>
set additional-code <string>
set block <string>
set branch-road <string>
set building <string>
set city <string>
set city-division <string>
set country <string>
set country-subdivision <string>
set county <string>
set direction <string>
set floor <string>
set landmark <string>
set language <string>
set name <string>
set number <string>
set number-suffix <string>
set place-type <string>
set post-office-box <string>
set postal-community <string>
set primary-road <string>
set road-section <string>
set room <string>
set script <string>
set seat <string>
set street <string>
set street-name-post-mod <string>
set street-name-pre-mod <string>
set street-suffix <string>
set sub-branch-road <string>
set trailing-str-suffix <string>
set unit <string>
set zip <string>
end
config coordinates
set altitude <string>
set altitude-unit {f | m}
set datum {NAD83 | NAD83/MLLW | WGS84}
set latitude <string>
set longitude <string>
end
config elin-number
set elin-number <number>
end

Variable Description Default

<name> Enter a unique name for the location entry. No default

config address-civic

additional <string> Enter additional location information, for example, west No default
wing.

additional-code <string> Enter the additional country-specific code for the No default
location. In Japan, use the Japan Industry Standard (JIS)
address code.

block <string> Enter the neighborhood (Korea) or block. No default

branch-road <string> Enter the branch road name. This value is used when No default
side streets do not have unique names so that both the
primary road and side street are used to identify the
correct road.

building <string> Enter the name of the building (structure) if the address No default
includes more than one building, for example, Law
Library.

city <string> Enter the city (Germany), township, or shi (Japan). No default

city-division <string> Enter the city division, borough, city district (Germany), No default
ward, or chou (Japan).

country <string> Enter the two-letter ISO 3166 country code in capital No default
ASCII letters, for example, US, CA, DK, and DE.

country-subdivision <string> Enter the national subdivision (such as state, canton, No default
region, province, or prefecture). In Canada, the
subdivision is province. In Germany, the subdivision is
state. In Japan, the subdivision is metropolis. In Korea,
the subdivision is province. In the United States, the
subdivision is state.

county <string> Enter the county (Canada, Germany, Korea, and United No default
States), parish, gun (Japan), or district (India).

direction <string> Enter N, E, S, W, NE, NW, SE, or SW for the leading No default
street direction.

floor <string> Enter the floor number, for example, 4. No default

landmark <string> Enter the nickname, landmark, or vanity address, for No default
example, UC Berkeley.

language <string> Enter the ISO 639 language code used for the address No default
information.

name <string> Enter the person or organization associated with the No default
address, for example, Fortinet or Textures Beauty Salon.

number <string> Enter the street address, for example, 1560. No default

number-suffix <string> Enter any modifier to the street address. For example, if No default
the full street address is 1560A, enter 1560 for the
number and A for the number-suffix.

place-type <string> Enter the type of place, for example, home, office, or No default
street.

post-office-box <string> Enter the post office box, for example, P.O. Box 1543. No default
When the post-office-box value is set, the street address
components are replaced with this value.

postal-community <string> Enter the postal community name, for example, Alviso. No default
When the postal-community name is set, the civic
community name is replaced by this value.

primary-road <string> Enter the primary road or street name for the address. No default

road-section <string> Enter the specific section or stretch of a primary road. No default
This field is used when the same street number appears
more than once on the primary road.

room <string> Enter the room number, for example, 7A. No default

script <string> Enter the script used to present the address information, No default
for example, Latn.

seat <string> Enter the seat number in a stadium or theater or a No default
cubicle number in an office or a booth in a trade show.

street <string> Enter the street (Canada, Germany, Korea, and United No default
States).

street-name-post-mod <string> Enter an optional part of the street name that appears No default
after the actual street name. If the full street name is
East End Avenue Extended, the street-name-
post-mod is Extended.

street-name-pre-mod <string> Enter an optional part of the street name that appears No default
before the actual street name. If the full street name is
Old North First Street, the street-name-pre-
mod is Old.

street-suffix <string> Enter the type of street, for example, Ave or Place. Valid No default
values are listed in the United States Postal Service
Publication 28 [18], Appendix C.

sub-branch-road <string> Enter the name of a street that branches off of a branch No default
road. This value is used when the primary road, branch
road, and subbranch road names are needed to identify
the correct street.

trailing-str-suffix <string> Enter N, E, S, W, NE, NW, SE, or SW for the trailing No default
street direction.

unit <string> Enter the unit (apartment or suite), for example, Apt 27. No default

zip <string> Enter the postal or zip code for the address, for example, No default
94089-1345.

config coordinates

altitude <string> Enter the vertical height of a location using the altitude- No default
unit to specify the unit used. The format is +/- floating
point number, for example, 117.47.

altitude-unit {f | m} Select whether the altitude is measured in m (meters) or m
f (floors).

datum {NAD83 | NAD83/MLLW | Select which map is used for the location: WGS84, WGS84
WGS84} NAD83, or NAD83/MLLW.

latitude <string> Enter the latitude. The format is floating point starting No default
with +/- or ending with N/S, for example, +/-16.67 or
16.67N.

longitude <string> Enter the longitude. The format is floating point starting No default
with +/- or ending with E/W, for example, +/-26.789 or
26.789E.

config elin-number

elin-number <number> Enter the emergency location identification number No default
(ELIN), which is a unique phone number. The value is a
10 to 20 byte numerical string.

Example

This example shows how to configure the location table for Fortinet.
config system location
edit Fortinet
config address-civic
set country "US"
set language "English"
set county "Santa Clara"
set city "Sunnyvale"
set street "Kifer"
set street-suffix "Road"
set number "899"
set zip "94086"
set building "1"
set floor "1"
set seat "1293"
end
next
edit "Fortinet"
config elin-number
set elin-number "14082357700"
end
end

config system ntp

Use this command to configure Network Time Protocol (NTP) servers.

Syntax
config system ntp
set allow-unsync-source {enable | disable}
set authentication {enable | disable}
set log-time-adjustments {enable | disable}
set ntpsync {enable | disable}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
set syncinterval <interval_int>
config ntpserver
edit <serverid_int>
set authentication {enable | disable}
set key <string>
set key-id <integer>
set ntpv3 {enable | disable}
set server {<ipv4_addr>| <ipv6_addr>}
end
end

Variable Description Default

allow-unsync-source {enable | Enable or disable whether an unsynchronized NTP server disable
disable} source is allowed.

authentication {enable | disable} Enable or disable authentication. disable

log-time-adjustments {enable | Enable or disable whether FortiSwitch logs when NTP adjusts enable
disable} the system time.

ntpsync {enable | disable} Enable or disable whether the system time is synchronized with enable
the NTP server.

source-ip <ipv4_addr> Enter the source IPv4 address for communication with the NTP 0.0.0.0
server.

source-ip6 <ipv6_addr> Enter the source IPv6 address for communication with the NTP No default
server.

syncinterval <interval_int> Enter the interval in minutes between contacting the NTP 10
server to synchronize time. The range is from 1 to 1,440
minutes.
This option is available only when ntpsync is enabled.

<serverid_int> Enter the number for this NTP server entry. No default

authentication {enable | disable} Enable or disable authentication. If you enable authentication disable
and use the NTPv3 protocol, MD5 authentication is used. If
you enable authentication and use the NTPv4 protocol, SHA1
authentication is used.

key <string> If authentication is enabled, enter a key for authentication. No default

key-id <integer> If authentication is enabled, enter a key identifier for 0


authentication.

ntpv3 {enable | disable} Enable this option to use the NTPv3 protocol. Disable this disable
option to use the NTPv4 protocol.

server {<ipv4_addr> | <ipv6_ Enter the IPv4 or IPv6 address for this NTP server. No default
addr>}

Example

This example shows how to configure an NTP server:


config system ntp
set authentication enable
set ntpsync enable
set syncinterval 5
set source-ip 192.168.4.5
end

config system password-policy

Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared
keys.

FortiSwitchOS 6.4.3 CLI Reference 193


Fortinet, Inc.
config

Syntax
config system password-policy
set status enable
set apply-to [admin-password ipsec-preshared-key]
set change-4-characters {enable | disable}
set minimum-length <chars>
set min-lower-case-letter <num_int>
set min-upper-case-letter <num_int>
set min-non-alphanumeric <num_int>
set min-number <num_int>
set expire-status {enable | disable}
set expire-day <num_int>
end

status enable
    Enable password policy. The password policy cannot be disabled.
    Default: enable

apply-to [admin-password ipsec-preshared-key]
    Select where the policy applies: administrator passwords or IPSec preshared keys. This option is available only when status is enabled.
    Default: admin-password

change-4-characters {enable | disable}
    Enable to require the new password to differ from the old password by at least four characters. This option is available only when status is enabled.
    Default: disable

minimum-length <chars>
    Set the minimum length of password in characters. Range 8 to 32. This option is available only when status is enabled.
    Default: 8

min-lower-case-letter <num_int>
    Enter the minimum number of required lower case letters in every password. This option is available only when status is enabled.
    Default: 0

min-upper-case-letter <num_int>
    Enter the minimum number of required upper case letters in every password. This option is available only when status is enabled.
    Default: 0

min-non-alphanumeric <num_int>
    Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when status is enabled.
    Default: 0

min-number <num_int>
    Enter the minimum number of number characters required in every password. This option is available only when status is enabled.
    Default: 0

expire-status {enable | disable}
    Enable to have passwords expire. This option is available only when status is enabled.
    Default: enable

expire-day <num_int>
    Enter the number of days before the current password is expired and the user will be required to change their password. This option is available only when status is enabled and expire-status is enabled.
    Default: 90

FortiSwitchOS 6.4.3 CLI Reference 194


Fortinet, Inc.
config

Example

This example shows how to configure a password policy for administrator passwords:
config system password-policy
set status enable
set apply-to admin-password
set change-4-characters enable
set minimum-length 10
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 30
end
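The rules in the table above, as an added Python example that is not part of the FortiSwitchOS documentation: it pre-checks a candidate administrator password against the page's example policy before it is pushed to the switch and reports which settings it would violate. The counting rule for change-4-characters is an assumption, since the page does not say how "differ by at least four characters" is measured.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the 'config system password-policy' content rules.
    Field names follow the CLI keywords; expire-status and expire-day are
    not modelled because they concern password age, not password content."""
    minimum_length: int = 8            # minimum-length, range 8 to 32
    min_lower_case_letter: int = 0     # min-lower-case-letter
    min_upper_case_letter: int = 0     # min-upper-case-letter
    min_non_alphanumeric: int = 0      # min-non-alphanumeric
    min_number: int = 0                # min-number
    change_4_characters: bool = False  # change-4-characters

    def __post_init__(self) -> None:
        if not 8 <= self.minimum_length <= 32:
            raise ValueError("minimum-length must be in the range 8 to 32")


# The policy from the page's own example (apply-to admin-password, expiry omitted).
EXAMPLE_POLICY = PasswordPolicy(
    minimum_length=10,
    min_lower_case_letter=1,
    min_upper_case_letter=1,
    min_non_alphanumeric=1,
    min_number=1,
    change_4_characters=True,
)


def differing_characters(new: str, old: str) -> int:
    """Number of character positions at which the two passwords differ, with any
    length difference counted as extra differing positions. Assumption: this is
    how the switch measures 'differ by at least four characters'; the page does
    not spell out the comparison."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(policy: PasswordPolicy, new: str, old: Optional[str] = None) -> List[str]:
    """Return the CLI keywords of every rule the candidate password violates.
    An empty list means a switch running this policy would accept the password.
    Pass the current password as 'old' to evaluate change-4-characters."""
    violations: List[str] = []
    if len(new) < policy.minimum_length:
        violations.append("minimum-length")
    if sum(c.islower() for c in new) < policy.min_lower_case_letter:
        violations.append("min-lower-case-letter")
    if sum(c.isupper() for c in new) < policy.min_upper_case_letter:
        violations.append("min-upper-case-letter")
    if sum(not c.isalnum() for c in new) < policy.min_non_alphanumeric:
        violations.append("min-non-alphanumeric")
    if sum(c.isdigit() for c in new) < policy.min_number:
        violations.append("min-number")
    if policy.change_4_characters and old is not None and differing_characters(new, old) < 4:
        violations.append("change-4-characters")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("NewPass#2020", "NewPass2020", "OldPass#2018", "Ab#1"):
        problems = check_password(EXAMPLE_POLICY, candidate, old="OldPass#2019")
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```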

config system schedule group

Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring
schedules. To create one-time and recurring schedules, see config system schedule onetime on page 195 and config
system schedule recurring on page 196.

Syntax
config system schedule group
edit <schedule_group_name>
set member <schedule_name1> <schedule_name2> ...
end

<schedule_group_name>
    Enter the name of the schedule group.
    Default: No default

member <schedule_name1> <schedule_name2> ...
    Enter the names of the schedules to include. Separate multiple names with a space.
    The schedules must already be defined with the config system schedule onetime or config system schedule recurring command.
    Default: No default

Example

This example shows how to create a schedule group:


config system schedule group
edit group1
set member schedule1 schedule2
end

config system schedule onetime

Use this command to define a one-time schedule for when a policy will be enforced.


Syntax
config system schedule onetime
edit <schedule_name>
set start <time_date>
set end <time_date>
end

<schedule_name>
    Enter the name of the schedule.
    Default: No default

start <time_date>
    Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd
    Default: 00:00 1900/01/01

end <time_date>
    Enter the end time and date for the schedule in the following format: hh:mm yyyy/mm/dd
    Default: 00:00 1900/01/01

Example

This example shows how to create a one-time schedule:


config system schedule onetime
edit schedule1
set start 07:00 2019/03/22
set end 07:00 2019/03/29
end

config system schedule recurring

Use this command to define a schedule for specified hours every week.

Syntax
config system schedule recurring
edit <schedule_name>
set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
set start <time>
set end <time>
end

<schedule_name>
    Enter the name of the schedule.
    Default: No default

day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
    Enter one or more days for the ACL to be enforced. Separate days with a space.
    Default: monday tuesday wednesday thursday friday

start <time>
    Enter the start time for the schedule in the following format: hh:mm
    Default: 24:00

end <time>
    Enter the end time for the schedule in the following format: hh:mm
    Default: 24:00


Example

This example shows how to create a recurring schedule:


config system schedule recurring
edit schedule2
set day monday wednesday friday
set start 07:00
set end 08:00
end
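How the three schedule commands combine, as an added Python example (not Fortinet code): it evaluates the page's own schedule1, schedule2 and group1 definitions to decide whether a policy bound to the group is enforced at a given time. The half-open window [start, end) and the same-day limit on recurring windows are assumptions the page does not state.

```python
from datetime import datetime
from typing import Dict, List, Set, Union

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_hhmm(value: str) -> int:
    """Parse the 'hh:mm' form used by the schedule commands into minutes after
    midnight. 24:00 (the recurring default above) is accepted as end of day."""
    hours, minutes = value.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 24 and 0 <= m <= 59) or (h == 24 and m != 0):
        raise ValueError(f"invalid time {value!r}; expected hh:mm")
    return h * 60 + m


class OnetimeSchedule:
    """config system schedule onetime: start and end as 'hh:mm yyyy/mm/dd'."""

    def __init__(self, name: str, start: str, end: str) -> None:
        self.name = name
        self.start = datetime.strptime(start, "%H:%M %Y/%m/%d")
        self.end = datetime.strptime(end, "%H:%M %Y/%m/%d")
        if self.end <= self.start:
            raise ValueError(f"{name}: end must be later than start")

    def active_at(self, when: datetime) -> bool:
        # Assumption: the window includes its start minute and excludes its end minute.
        return self.start <= when < self.end


class RecurringSchedule:
    """config system schedule recurring: one or more weekdays plus 'hh:mm' start/end."""

    def __init__(self, name: str, days: str, start: str, end: str) -> None:
        self.name = name
        self.days: Set[int] = set()
        for day in days.split():
            if day not in WEEKDAYS:
                raise ValueError(f"{name}: unknown day {day!r}")
            self.days.add(WEEKDAYS.index(day))  # datetime.weekday(): monday == 0
        self.start = parse_hhmm(start)
        self.end = parse_hhmm(end)
        if self.end <= self.start:
            # Assumption: a window stays inside one day; the page gives no
            # midnight-crossing rule, and the unconfigured 24:00/24:00 default
            # therefore defines no usable window.
            raise ValueError(f"{name}: end must be later than start")

    def active_at(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        return when.weekday() in self.days and self.start <= minute < self.end


Schedule = Union[OnetimeSchedule, RecurringSchedule]


class ScheduleGroup:
    """config system schedule group: active whenever any member schedule is active."""

    def __init__(self, name: str, members: str, defined: Dict[str, Schedule]) -> None:
        self.name = name
        self.members: List[Schedule] = []
        for member in members.split():
            if member not in defined:
                # Mirrors the page's rule that members must already be defined.
                raise ValueError(f"{name}: schedule {member!r} is not defined")
            self.members.append(defined[member])

    def active_at(self, when: datetime) -> bool:
        return any(s.active_at(when) for s in self.members)


# The schedules and group from the page's own examples.
DEFINED: Dict[str, Schedule] = {
    "schedule1": OnetimeSchedule("schedule1", "07:00 2019/03/22", "07:00 2019/03/29"),
    "schedule2": RecurringSchedule("schedule2", "monday wednesday friday", "07:00", "08:00"),
}
GROUP1 = ScheduleGroup("group1", "schedule1 schedule2", DEFINED)
ALL: Dict[str, Union[Schedule, ScheduleGroup]] = {**DEFINED, "group1": GROUP1}


def is_active(name: str, when: Union[datetime, str]) -> bool:
    """Is the named schedule or group active at 'when' (datetime or 'hh:mm yyyy/mm/dd')?"""
    if isinstance(when, str):
        when = datetime.strptime(when, "%H:%M %Y/%m/%d")
    return ALL[name].active_at(when)


if __name__ == "__main__":
    for probe in ("12:00 2019/03/25", "07:30 2019/04/01", "08:00 2019/04/01", "07:30 2019/04/02"):
        print(probe, "->", "enforced" if is_active("group1", probe) else "not enforced")
```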

config system settings

Use this command to configure equal cost multi-path (ECMP) routing.

ECMP is a forwarding mechanism that enables load-sharing of traffic to multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields in the packet to be routed:
- Source IP
- Destination IP
- Input port

Syntax
config system settings
set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}
end

ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}
    Select the IPv4 ECMP mode:
    - dst-ip-based: Select the next hop based on the destination IP address.
    - port-based: Select the next hop based on the TCP/UDP port.
    - source-ip-based: Select the next hop based on the source IP address.
    Default: source-ip-based

Example

This example shows how to configure ECMP:


config system settings
set ip-ecmp-mode port-based
end
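The next-hop selection described above, as an added Python example (not Fortinet code): it models each ip-ecmp-mode over a constructed ECMP set to show which traffic attribute ends up pinned to one path. SHA-256 stands in for the switch's undocumented hash, and the addresses and ports are constructed sample values.

```python
import hashlib
from typing import Dict, List, Set, Tuple

ECMP_MODES = ("source-ip-based", "dst-ip-based", "port-based")


def ecmp_next_hop(mode: str, src_ip: str, dst_ip: str, l4_port: int, next_hops: List[str]) -> str:
    """Choose one member of an ECMP set the way the page describes: hash the
    packet field selected by ip-ecmp-mode and use the result to pick a next hop.
    Assumption: the switch's real hash function is not given on the page, so
    SHA-256 stands in for it; only the choice of input field comes from the page."""
    if not next_hops:
        raise ValueError("empty ECMP set")
    if mode == "source-ip-based":
        key = src_ip
    elif mode == "dst-ip-based":
        key = dst_ip
    elif mode == "port-based":
        key = str(l4_port)
    else:
        raise ValueError(f"unknown ip-ecmp-mode {mode!r}; expected one of {ECMP_MODES}")
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


# Constructed sample: two equal-cost next hops and three flows from one client.
NEXT_HOPS = ["10.0.1.1", "10.0.2.1"]
FLOWS: List[Tuple[str, str, int]] = [  # (src_ip, dst_ip, tcp/udp port)
    ("192.0.2.10", "198.51.100.5", 443),
    ("192.0.2.10", "198.51.100.5", 8443),
    ("192.0.2.10", "198.51.100.6", 443),
]


def paths_per_mode(flows: List[Tuple[str, str, int]], next_hops: List[str]) -> Dict[str, Set[str]]:
    """For each ip-ecmp-mode, the set of next hops the given flows are spread over.
    With source-ip-based, every flow from one host lands on the same path, so a
    single busy source never load-shares; the other modes can spread it."""
    return {
        mode: {ecmp_next_hop(mode, s, d, p, next_hops) for s, d, p in flows}
        for mode in ECMP_MODES
    }


if __name__ == "__main__":
    for mode, used in paths_per_mode(FLOWS, NEXT_HOPS).items():
        print(f"{mode:>16}: {sorted(used)}")
```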


config system sflow

Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow
datagrams to an sFlow collector.
sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You
can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow
datagrams containing information about traffic flow to an sFlow collector.
sFlow is normally used to provide an overall traffic flow picture of your network. You would usually operate sFlow agents on switches, routers, and firewalls on your network, collect traffic data from all of them, and use a collector to show traffic flows and patterns.

Syntax
config system sflow
set collector-ip <collector_ipv4>
set collector_port <port_int>
end

collector-ip <collector_ipv4>
    The sFlow agents send sFlow datagrams to the sFlow collector at this IP address.
    Default: 0.0.0.0

collector_port <port_int>
    The UDP port number used for sending sFlow datagrams. Change this setting only if required by your sFlow collector or your network configuration. The value range is 0-65535.
    Default: 6343

Example

This example shows how to configure sFlow:


config system sflow
set collector-ip 20.20.20.0
set collector_port 200
end

config system sniffer-profile

Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the
packet capture, see the execute system sniffer-profile commands.

Syntax
config system sniffer-profile
edit <profile_name>
set filter {<string> | none}
set max-pkt-count <1-maximum>
set max-pkt-len <64-1534>
set switch-interface <switch_interface_name>
set system-interface <system_interface_name>
end


<profile_name>
    The name of the packet-capture profile.
    Default: No default

filter {<string> | none}
    Enter none or enter the filter for selecting which packets to capture. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:
    'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
    Default: none

max-pkt-count <1-maximum>
    Enter how many packets to be captured on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Administration Guide for details.
    Default: 4000

max-pkt-len <64-1534>
    Enter the maximum packet length in bytes to be captured on the interface.
    Default: 128

switch-interface <switch_interface_name>
    Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.
    Default: No default

system-interface <system_interface_name>
    Enter the system interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.
    Default: No default

Example

This example shows how to create a packet-capture profile:


config system sniffer-profile
edit profile1
set filter none
set max-pkt-count 100
set max-pkt-len 100
set system-interface mgmt
end

config system snmp community

Use this command to configure SNMP communities on your FortiSwitch unit. You add SNMP communities so that
SNMP managers can connect to the system to view system information and receive SNMP traps. SNMP traps are
triggered when system events occur.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the system for a different set of events. You can also add the IP addresses of up to 8 SNMP managers for each community.


When you configure an SNMP manager, ensure that you list it as a host in a community on the FortiSwitch that it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiSwitch unit, and will not be able to query it.

Syntax
config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <port_number>
set query-v1-status {enable | disable}
set query-v2c-port <port_number>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set trap-v2c-status {enable | disable}
config hosts
edit <host_number>
set interface <if_name>
set ip <address_ipv4>
set source-ip <address_ipv4/mask>
end
config hosts6
edit <host_number>
set interface <if_name>
set ip6 <address_ipv6>
set source-ip6 <address_ipv6>
end
end

<index_number>
    Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.
    Default: No default

events <events_list>
    Enable the events for which the system should send traps to the SNMP managers in this community.
    Default: All events enabled.

name <community_name>
    Enter the name of the SNMP community.
    Default: No default

query-v1-port <port_number>
    Enter the SNMP v1 query port number used for SNMP manager queries.
    Default: 161

query-v1-status {enable | disable}
    Enable or disable SNMP v1 queries for this SNMP community.
    Default: enable

query-v2c-port <port_number>
    Enter the SNMP v2c query port number used for SNMP manager queries.
    Default: 161

query-v2c-status {enable | disable}
    Enable or disable SNMP v2c queries for this SNMP community.
    Default: enable

status {enable | disable}
    Enable or disable the SNMP community.
    Default: enable

trap-v1-lport <port_number>
    Enter the SNMP v1 local port number used for sending traps to the SNMP managers.
    Default: 162

trap-v1-rport <port_number>
    Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.
    Default: 162

trap-v1-status {enable | disable}
    Enable or disable SNMP v1 traps for this SNMP community.
    Default: enable

trap-v2c-lport <port_number>
    Enter the SNMP v2c local port number used for sending traps to the SNMP managers.
    Default: 162

trap-v2c-rport <port_number>
    Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.
    Default: 162

trap-v2c-status {enable | disable}
    Enable or disable SNMP v2c traps for this SNMP community.
    Default: enable

config hosts and hosts6

<host_number>
    Enter the index number of the host in the table. Enter an unused index number to create a new host.
    Default: No default

interface <if_name>
    Enter the name of the FortiSwitch interface to which the SNMP manager connects.
    Default: No default

ip <address_ipv4>
    Enter the IPv4 IP address of the SNMP manager (for hosts).
    Default: 0.0.0.0

ip6 <address_ipv6>
    Enter the IPv6 IP address of the SNMP manager (for hosts6).
    Default: ::

source-ip <address_ipv4/mask>
    Enter the source IPv4 IP address for SNMP traps sent by the FortiSwitch (for hosts).
    Default: 0.0.0.0/0.0.0.0

source-ip6 <address_ipv6>
    Enter the source IPv6 IP address for SNMP traps sent by the FortiSwitch (for hosts6).
    Default: ::

config system snmp sysinfo

Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP
agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch
unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low
memory.

Syntax
config system snmp sysinfo
set contact-info <info_str>
set description <description>
set engine-id <engine-id_str>
set location <location>
set status {enable | disable}
set trap-high-cpu-threshold <percentage>
set trap-log-full-threshold <percentage>
set trap-low-memory-threshold <percentage>
set trap-temp-alarm-threshold <temperature in degrees Celsius>
set trap-temp-warning-threshold <temperature in degrees Celsius>
end

contact-info <info_str>
    Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long.
    Default: No default

description <description>
    Add a name or description of the system. The description can be up to 35 characters long.
    Default: No default

engine-id <engine-id_str>
    Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiOS, the snmpEngineID is composed of two parts:
    - the Fortinet prefix 0x8000304404
    - the optional engine-id string, 24 characters maximum, defined in this command
    Optionally, enter an engine-id value.
    Default: No default

location <location>
    Describe the physical location of the system. The system location description can be up to 35 characters long.
    Default: No default

status {enable | disable}
    Enable or disable the FortiSwitch SNMP agent.
    Default: disable

trap-high-cpu-threshold <percentage>
    Enter the percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu.
    There is some smoothing of the high CPU trap to ensure the CPU usage is constant rather than a momentary spike. This feature prevents frequent and unnecessary traps.
    Default: 80

trap-log-full-threshold <percentage>
    Enter the percentage of disk space used that will trigger the threshold SNMP trap for the log-full.
    Default: 90

trap-low-memory-threshold <percentage>
    Enter the percentage of memory used that will be the threshold SNMP trap for the low-memory.
    Default: 80

trap-temp-alarm-threshold <temperature in degrees Celsius>
    Set an alarm for when the system temperature reaches the specified temperature.
    Default: 60

trap-temp-warning-threshold <temperature in degrees Celsius>
    Set a warning for when the system temperature reaches the specified temperature. The warning threshold must be lower than the alarm threshold.
    Default: 50


Example

This example shows how to set a warning and an alarm for specified system temperatures:
config system snmp sysinfo
set status enable
set trap-temp-alarm-threshold 80
set trap-temp-warning-threshold 70
end

config system snmp user

Use this command to configure an SNMP user, including which SNMP events the user wants to be notified about, which hosts will be notified, and, if queries are enabled, which port to listen on for them.
FortiSwitchOS implements the user security model of RFC 3414. You can require the user to authenticate with a
password and you can use encryption to protect the communication with the user.

Syntax
config system snmp user
edit <user_name>
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password>
set queries {enable | disable}
set query-port <port_int>
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
end

<user_name>
    Edit or add the selected user.
    Default: No default

auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
    Select the authentication protocol:
    - md5: HMAC-MD5-96 authentication protocol
    - sha1: HMAC-SHA-1 authentication protocol
    - sha224: HMAC-SHA-224 authentication protocol
    - sha256: HMAC-SHA-256 authentication protocol
    - sha384: HMAC-SHA-384 authentication protocol
    - sha512: HMAC-SHA-512 authentication protocol
    This option is available only when security-level is set to auth-priv or auth-no-priv.
    Default: sha1

auth-pwd <password>
    Enter the password for the authentication protocol. This option is available only when security-level is set to auth-priv or auth-no-priv.
    Default: No default

priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
    Select the encryption protocol:
    - aes128: CFB128-AES-128 symmetric encryption protocol
    - aes192: CFB128-AES-192 symmetric encryption protocol
    - aes192c: CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
    - aes256: CFB128-AES-256 symmetric encryption protocol
    - aes256c: CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
    - des: CBC-DES symmetric encryption protocol
    This option is available only when security-level is set to auth-priv.
    Default: aes128

priv-pwd <password>
    Enter the password for the encryption protocol. This option is available only when security-level is set to auth-priv.
    Default: No default

queries {enable | disable}
    Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.
    Default: enable

query-port <port_int>
    Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port.
    Default: 161

security-level {no-auth-no-priv | auth-no-priv | auth-priv}
    Set the security level to one of:
    - no-auth-no-priv: no authentication or privacy
    - auth-no-priv: authentication but no privacy
    - auth-priv: authentication and privacy
    Default: no-auth-no-priv
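The engine-id composition described under config system snmp sysinfo and the RFC 3414 user security model referenced under config system snmp user, as an added Python example (not Fortinet code): it assembles the snmpEngineID from the page's Fortinet prefix and derives the localized authentication key that a manager must compute from auth-pwd for a given auth-proto. The RFC 3414 appendix A.3 test vectors are used to verify the derivation; the engine-id string "lab-sw" is a constructed value.

```python
import hashlib
from typing import Callable, Dict

# Fortinet snmpEngineID prefix as stated under 'config system snmp sysinfo'.
FORTINET_ENGINE_PREFIX = bytes.fromhex("8000304404")

# auth-proto keywords from 'config system snmp user' mapped to hashlib constructors.
AUTH_HASHES: Dict[str, Callable] = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha224": hashlib.sha224,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def fortinet_engine_id(engine_id_str: str = "") -> bytes:
    """Assemble the snmpEngineID the page describes: the Fortinet prefix followed
    by the optional engine-id string (24 characters maximum)."""
    tail = engine_id_str.encode("ascii")
    if len(tail) > 24:
        raise ValueError("engine-id string is limited to 24 characters")
    return FORTINET_ENGINE_PREFIX + tail


def password_to_key(auth_proto: str, password: str) -> bytes:
    """RFC 3414 A.2 password-to-key (Ku): hash the password repeated to fill
    1,048,576 octets. RFC 7860 applies the same construction to the SHA-2 family."""
    if auth_proto not in AUTH_HASHES:
        raise ValueError(f"unknown auth-proto {auth_proto!r}")
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("auth-pwd must not be empty")
    h = AUTH_HASHES[auth_proto]()
    reps, rem = divmod(1048576, len(pw))
    h.update(pw * reps)
    h.update(pw[:rem])
    return h.digest()


def localized_key(auth_proto: str, password: str, engine_id: bytes) -> bytes:
    """Localize the user key to one engine: Kul = H(Ku || snmpEngineID || Ku).
    Because the engine ID is an input, the same auth-pwd yields a different
    key on every switch, and a manager that guesses the engine ID wrong fails
    authentication even with the right password."""
    ku = password_to_key(auth_proto, password)
    return AUTH_HASHES[auth_proto](ku + engine_id + ku).digest()


if __name__ == "__main__":
    engine = fortinet_engine_id("lab-sw")  # constructed engine-id string
    print("snmpEngineID:", engine.hex())
    print("sha1 Kul    :", localized_key("sha1", "maplesyrup", engine).hex())
```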

config user

The config user commands provide configuration of user accounts and user groups for firewall policy authentication, administrator authentication, and some types of VPN authentication:
- config user group on page 204
- config user ldap on page 206
- config user local on page 207
- config user peer on page 208
- config user peergrp on page 210
- config user radius on page 210
- config user setting on page 214
- config user tacacs+ on page 216

config user group

Use this command to add or edit user groups.


Syntax
config user group
edit <group_name>
set group-type <grp_type>
set authtimeout <timeout>
set http-digest-realm <attribute>
set member <names>
config match
edit <match_id>
set group-name <gname_str>
set server-name <srvname_str>
end
end

<group_name>
    Enter a new name to create a new group or enter an existing group name to edit that group.
    Default: No default

group-type <grp_type>
    Enter the group type. <grp_type> determines the type of users and is one of the following:
    - firewall: FortiSwitch users defined in user local, user ldap or user radius
    - fsso-service: Directory Service users
    Default: firewall

authtimeout <timeout>
    Set the authentication timeout for the user group, range 1 to 480 minutes. If set to 0, the global authentication timeout value is used.
    Default: 0

http-digest-realm <attribute>
    Enter the realm attribute for MD5-digest authentication.
    Default: No default

member <names>
    Enter the names of users, peers, LDAP servers, or RADIUS servers to add to the user group. Separate the names with spaces.
    To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    Default: No default

config match

<match_id>
    Enter an ID for the entry.
    Default: No default

group-name <gname_str>
    The name of the matching group on the remote authentication server. Specify the user group names on the authentication servers that are members of this FortiSwitch user group. If no matches are specified, all users on the server can authenticate.
    Default: No default

server-name <srvname_str>
    The name of the remote authentication server.
    Default: No default

Example

This example shows how to create a user group:


config user group
edit "Radius_group"
set member "FortiAuthenticator"
next
end

config user ldap

Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiSwitch unit, the user enters a user name and password. The system sends this user name
and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated
with the FortiSwitch unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiSwitch
unit.

Syntax
config user ldap
edit <server_name>
set cnid <id>
set dn <dname>
set group-member-check {user-attr | group-object}
set member-attr <attr_name>
set port <number>
set server <domain>
set type <auth_type>
set username <ldap_username>
set password <ldap_passwd>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
set secure <auth_port>
end

<server_name>
    Enter a name to identify the LDAP server. Enter a new name to create a new server definition or enter an existing server name to edit that server definition.
    Default: No default

cnid <id>
    Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid. Maximum 20 characters.
    Default: cn

dn <dname>
    Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiSwitch passes this distinguished name unchanged to the server. You must provide a dn value if type is simple. Maximum 512 characters.
    Default: No default

group-member-check {user-attr | group-object}
    Select the group membership checking method: user attribute or group object.
    Default: user-attr

member-attr <attr_name>
    An attribute of the group that is used to authenticate users.
    Default: No default

port <number>
    Enter the port number for communication with the LDAP server.
    Default: 389

server <domain>
    Enter the LDAP server domain name or IP address.
    Default: No default

type <auth_type>
    Enter the authentication type for LDAP searches. One of: anonymous, regular or simple. See the notes following the table for additional information.
    Default: simple

username <ldap_username>
    This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    Default: No default

password <ldap_passwd>
    This field is available only if type is regular. For regular authentication, you need a user name and password. See your server administrator for more information.
    Default: No default

password-expiry-warning {disable | enable}
    Enable or disable password expiry warnings.
    Default: disable

password-renewal {disable | enable}
    Enable or disable online password renewal.
    Default: disable

secure <auth_port> {disable | starttls | ldaps}
    Select the port to be used in authentication:
    - disable: port 389
    - ldaps: port 636
    - starttls: port 389
    Default: disable

Notes on Authentication Type

The following are the authentication types for LDAP searches:
- anonymous: bind using anonymous user search
- regular: bind using user name and password and then search
- simple: simple password authentication without search
You can use simple authentication if the user records are all under one dn that you know. If the users are under more
than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user
name.
If your LDAP server requires authentication to perform searches, use the regular type and provide values for
username and password.

config user local

Use this command to add local user names and configure user authentication for the system. To add authentication by
LDAP or RADIUS server you must first add servers using the config user ldap and config user radius
commands.

Syntax
config user local
edit <user_name>
set ldap-server <server_name>
set passwd <password_str>
set radius-server <server_name>
set tacacs+-server <server_name>
set status {enable | disable}
set type <auth-type>
end

<user_name>
    Enter the user name. Enter a new name to create a new user account or enter an existing user name to edit that account.
    Default: No default

ldap-server <server_name>
    Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. This option is available when type is set to ldap.
    Default: No default

passwd <password_str>
    Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords. This option is available when type is set to password.
    Default: No default

radius-server <server_name>
    Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. This option is available when type is set to radius.
    Default: No default

tacacs+-server <server_name>
    Enter the name of the TACACS+ server with which the user must authenticate. This option is available when type is set to tacacs+.
    Default: No default

status {enable | disable}
    Enter enable to allow the local user to authenticate with the FortiSwitch unit.
    Default: enable

type <auth-type>
    Enter one of the following to specify how this user's password is verified:
    - ldap: The LDAP server specified in ldap-server verifies the password.
    - password: The system verifies the password against the value of the password.
    - radius: The RADIUS server specified in radius-server verifies the password.
    - tacacs+: The TACACS+ server specified in tacacs+-server verifies the password.
    Default: No default

config user peer

Use this command to configure a peer user.


Syntax
config user peer
edit <peer_name>
set ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA |
Fortinet_CA2}
set cn <string>
set cn-type {FQDN | email | ipv4 | ipv6 | string}
set ldap-mode {password | principal-name}
set ldap-password <password>
set ldap-server <string>
set ldap-username <string>
set mandatory-ca-verify {enable | disable}
set passwd <password>
set subject <string>
set two-factor {enable |disable}
next
end

<peer_name>
    Enter the name of the peer user.
    Default: No default

ca {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
    Select a certificate authority (CA) for the peer certificate.
    Default: No default

cn <string>
    Enter the common name for the peer certificate.
    Default: No default

cn-type {FQDN | email | ipv4 | ipv6 | string}
    Enter the type of common name for the peer certificate: fully qualified domain name, email address, IPv4 address, IPv6 address, or a text description.
    Default: string

ldap-mode {password | principal-name}
    Select whether the peer LDAP requires a password or an email address. The password is specified with the set ldap-password command.
    Default: password

ldap-password <password>
    Enter the password for the peer LDAP. This option is available only when the ldap-mode is set to password.
    Default: No default

ldap-server <string>
    Enter the name of the LDAP server used for checking access permission.
    Default: No default

ldap-username <string>
    Enter the user name for the LDAP server.
    Default: No default

mandatory-ca-verify {enable | disable}
    Enable or disable whether there is mandatory CA verification.
    Default: disable

passwd <password>
    Enter the user password for two-factor authentication. This option is available only when two-factor is enabled.
    Default: No default

subject <string>
    Enter any limitations on the peer certificate name.
    Default: No default

two-factor {enable | disable}
    Enable or disable two-factor authentication. When this option is enabled, the certificate and password are required. Specify the password in the set passwd command.
    Default: disable


config user peergrp

Use this command to configure a peer user group.

Syntax
config user peergrp
edit <peer_group_name>
set member <list_of_peer_names>
next
end

<peer_group_name>
    Enter a name for the new peer group.
    Default: No default

member <list_of_peer_names>
    Enter one or more peer users. Separate the names with a space. The peer users must already be configured with the config user peer command before they are added to a peer user group.
    Default: No default

config user radius

Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port, you can change the default RADIUS port. You may set a different port for each of your RADIUS servers. The maximum number of remote RADIUS servers that can be configured for authentication is 10.
The RADIUS server is provided with more information to make authentication decisions, based on values in server, nas-ip, and the config user group subcommand config match. Attributes include:
- NAS-IP-Address: RADIUS setting or, if not configured, the IPv4 address of the FortiSwitch interface used to talk to the RADIUS server
- NAS-IPv6-Address: RADIUS setting or, if not configured, the IPv6 address of the FortiSwitch interface used to talk to the RADIUS server
- NAS-Port: physical interface number of the traffic that triggered the authentication
- Called-Station-ID: same value as NAS-IP-Address but in text format
- Fortinet-Vdom-Name: name of the VDOM of the traffic that triggered the authentication
- NAS-Identifier: configured hostname in non-HA mode; HA cluster group name in HA mode
- Acct-Session-ID: unique ID identifying the authentication session
- Connect-Info: identifies the service for which the authentication is being performed (web-auth, vpn-ipsec, vpn-pptp, vpn-l2tp, vpn-ssl, admin-login, test)
You can select an alternative authentication method for each server. These include CHAP, PAP, MS-CHAP, and MS-CHAP-v2.

Syntax
config user radius
    edit <server_name>
        set acct-fast-framedip-detect <integer>
        set acct-interim-interval <integer>
        set addr-mode {ipv4 | ipv6}
        set all-usergroup {enable | disable}
        set auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}
        set frame-mtu-size <integer>
        set link-monitor {enable | disable}
        set link-monitor-interval <5-120>
        set nas-ip <use_ip>
        set nas-ip6 <ipv6_addr>
        set radius-coa {enable | disable}
        set radius-port <radius_port_num>
        set secret <server_password>
        set server <domain_ipv4_ipv6>
        set service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}
        set source-ip <ipv4_addr>
        set source-ip6 <ipv6_addr>
        config acct-server
            edit <accounting_server_ID>
                set status {enable | disable}
                set server <accounting_server>
                set secret <accounting_server_secret>
                set port <accounting_server_port>
            next
        end
    next
end

<server_name>  (default: none)
    Enter a name for this RADIUS server definition. Enter a new name to create a new definition or enter an existing name to edit that definition.

acct-fast-framedip-detect <integer>  (default: 2)
    Enter the number of seconds allowed for the first-time detection of the Framed-IP-Address attribute from DHCP snooping. The range is 2-600 seconds.

acct-interim-interval <integer>  (default: 600)
    Enter the number of seconds between each interim accounting message sent to the RADIUS server. The range is 60-86400.

addr-mode {ipv4 | ipv6}  (default: ipv4)
    Select whether to connect to the RADIUS server with IPv4 or IPv6. NOTE: If you select ipv4, you must use an IPv4 address for the set server command. If you select ipv6, you must use an IPv6 address for the set server command.

all-usergroup {enable | disable}  (default: disable)
    Enable to automatically include this RADIUS server in all user groups.

auth-type {auto | chap | ms_chap | ms_chap_v2 | pap}  (default: auto)
    Select the authentication method for this RADIUS server. auto uses pap, ms_chap_v2, and chap.

frame-mtu-size <integer>  (default: 1500)
    Enter the maximum frame size in octets used to advertise to the authentication server. The range is 600-1500.

link-monitor {enable | disable}  (default: disable)
    Enable or disable periodic ping messages from the FortiSwitch unit to the RADIUS server to test whether it is available.

link-monitor-interval <5-120>  (default: 15)
    Enter how often (in seconds) the FortiSwitch unit checks whether the RADIUS server is available.

nas-ip <use_ip>  (default: none)
    IPv4 address used as the NAS-IP-Address and Called-Station-ID attributes in RADIUS access requests. If not configured, the IPv4 address of the FortiSwitch interface used to talk with the RADIUS server is used. This option is available when addr-mode is set to ipv4.

nas-ip6 <ipv6_addr>  (default: none)
    IPv6 address used as the NAS-IPv6-Address and Called-Station-ID attributes in RADIUS access requests. If not configured, the IPv6 address of the FortiSwitch interface used to talk with the RADIUS server is used. This option is available when addr-mode is set to ipv6.

radius-coa {enable | disable}  (default: disable)
    Enable or disable RADIUS change of authorization (CoA) for this server.

radius-port <radius_port_num>  (default: 1812)
    Change the default RADIUS port for this server. The range is 0-65535.

secret <server_password>  (default: none)
    Enter the RADIUS server shared secret. The server secret should be a maximum of 16 characters in length.

server <domain_ipv4_ipv6>  (default: none)
    Enter the RADIUS server domain name, IPv4 address, or IPv6 address. NOTE: If you selected ipv4 for addr-mode, you must use an IPv4 address for the set server command. If you selected ipv6 for addr-mode, you must use an IPv6 address for the set server command.

service-type {administrative | authenticate-only | call-check | callback-administrative | callback-framed | callback-login | callback-nas-prompt | framed | login | nas-prompt | outbound}  (default: none)
    Select the Service-Type value. Separate multiple values with a space.

source-ip <ipv4_addr>  (default: 0.0.0.0)
    Enter the source IPv4 address for communicating with the RADIUS server. This option is available when addr-mode is set to ipv4.

source-ip6 <ipv6_addr>  (default: none)
    Enter the source IPv6 address for communicating with the RADIUS server. This option is available when addr-mode is set to ipv6.

config acct-server

<accounting_server_ID>  (default: none)
    Enter the identifier for the accounting server. The range is 0-4294967295.

status {enable | disable}  (default: disable)
    Enable or disable RADIUS accounting.

server <accounting_server>  (default: none)
    Enter the domain name, IPv4 address, or IPv6 address of the RADIUS server that will receive the accounting messages.

secret <accounting_server_secret>  (default: *)
    Enter the shared secret key for the RADIUS accounting server.

port <accounting_server_port>  (default: 1813)
    Enter the port number on which the RADIUS accounting server receives accounting messages from the FortiSwitch unit.

Notes on context timeout

The number of seconds that a user context entry can remain in the user context list without the system receiving a communication session from the carrier end point. If a user context entry is not being looked up, then the user must no longer be connected to the network.
This timeout is only required if the system does not receive the RADIUS Stop record. However, even if the accounting system does send RADIUS Stop records, this timeout should be set in case the FortiSwitch unit misses a Stop record.
The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because a long list is not usually a problem, but entries that are no longer used should be removed regularly.
You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also, if user IP addresses change often, you might want to set this timeout lower so that out-of-date entries are removed from the list. If this timeout is too low, the FortiSwitch unit could remove user context entries for users who are still connected.

Dynamic Flag values

- none — Disable writing event log messages for dynamic profile events.
- accounting-event — Enable to write an event log message when the system does not find the expected information in a RADIUS record. For example, if a RADIUS record contains more than the expected number of addresses.
- accounting-stop-missed — Enable to write an event log message whenever a user context entry timeout expires, indicating that the system removed an entry from the user context list without receiving a RADIUS Stop message.
- context-missing — Enable to write an event log message whenever a user context creation timeout expires, indicating that the system was not able to match a communication session because a matching entry was not found in the user context list.
- profile-missing — Enable to write an event log message whenever the system cannot find a profile group name in a RADIUS Start message that matches the name of a profile group added to the system.
- protocol-error — Enable to write an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
- radiusd-other — Enable to write event log messages for other events. The event is described in the log message. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.


Example

This example shows how to connect to a RADIUS server using IPv4:


config user radius
    edit "local-RADIUS"
        set addr-mode ipv4
        set server 10.0.23.5
        set secret djfhde;rkjfkrekdfjeke
        set auth-type ms_chap_v2
        set acct-interim-interval 1200
        config acct-server
            edit 1
                set status enable
                set server 10.0.23.5
                set secret djfhde;rkjfkrekdfjeke
                set port 1813
            next
        end
    next
end

This example shows how to connect to a RADIUS server using IPv6:


config user radius
    edit "radius"
        set acct-interim-interval 60
        config acct-server
            edit 1
                set status enable
                set server "ipv6local"
                set secret djfhde;rkjfkrekdfjeke
            next
        end
        set radius-coa enable
        set secret djfhde;rkjfkrekdfjeke
        set server "ipv6local"
        set service-type login callback-nas-prompt
        set addr-mode ipv6
        set nas-ip6 4001:1:2::1
        set source-ip6 4001:1:2::1
    next
end
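The attribute list and the authentication methods described for config user radius are easier to reason about with the wire format in hand. The following Python is an added example written for this page; it is not FortiSwitchOS code and is not taken from the reference. It builds an Access-Request carrying the NAS attributes the page lists (NAS-IP-Address, NAS-Port, Called-Station-ID, NAS-Identifier, Acct-Session-ID, Connect-Info), applies the RFC 2865 PAP password hiding and the CHAP response computation, parses the attribute list defensively, and verifies a server's Response Authenticator against the shared secret before trusting an Access-Accept. The user name, NAS identifier, session ID and addresses are constructed values; the shared secret is the one from the page's IPv4 example.

```python
"""RADIUS Access-Request building blocks (RFC 2865). Added example written for this page;
not FortiSwitchOS code. All names, addresses and IDs below are constructed."""
import hashlib
import hmac
import os
import struct

# Attribute type codes (RFC 2865 / RFC 2866) for the attributes the page lists.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
CALLED_STATION_ID, NAS_IDENTIFIER, ACCT_SESSION_ID, CONNECT_INFO = 30, 32, 44, 77
ACCESS_REQUEST, ACCESS_ACCEPT, SERVICE_TYPE_LOGIN = 1, 2, 1


def attr(type_code, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value must fit in 253 octets")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    Only the shared secret protects the password, so a weak or reused secret is fatal."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide (the server's side). Trailing NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def chap_password(chap_id, password, challenge):
    """CHAP-Password value: Identifier + MD5(Identifier + password + challenge).
    The shared secret is not involved; the server must hold the cleartext password."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_packet(code, identifier, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_response(code, identifier, request_auth, secret, attributes=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def response_is_authentic(response, request_auth, secret):
    """Client side: recompute the Response Authenticator before trusting an Access-Accept;
    it binds the reply to the shared secret and to the request it answers."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def pap_access_request(username, password, secret, nas_ip, nas_identifier,
                       session_id, nas_port=1, identifier=0, request_auth=None):
    """Access-Request carrying the NAS attributes the page describes (constructed values)."""
    request_auth = request_auth or os.urandom(16)  # fresh and unpredictable per request
    attrs = [
        attr(USER_NAME, username),
        attr(USER_PASSWORD, pap_hide(password, secret, request_auth)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack("!I", nas_port)),   # physical port that triggered auth
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        attr(CALLED_STATION_ID, nas_ip.encode()),      # same value as NAS-IP-Address, as text
        attr(NAS_IDENTIFIER, nas_identifier),          # hostname (non-HA) or HA group name
        attr(ACCT_SESSION_ID, session_id),
        attr(CONNECT_INFO, b"admin-login"),
    ]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def parse_attributes(packet):
    """Walk the TLV list; a malformed Length is rejected, never silently skipped."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```

Two points worth noting from the code: PAP hiding is a keystream derived from MD5 of the shared secret and the Request Authenticator, so anyone who captures the request and knows (or brute-forces) the secret recovers the password, which is why the secret set with set secret deserves the same handling as a password; and the Response Authenticator check is the only thing that stops a spoofed Access-Accept from the network, so a client must verify it rather than just read the Code byte.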

config user setting

Use this command to change user authorization settings.

Syntax
config user setting
    set auth-blackout-time <blackout_time_int>
    set auth-cert <cert_name>
    set auth-http-basic {disable | enable}
    set auth-invalid-max <int>
    set auth-multi-group {enable | disable}
    set auth-secure-http {enable | disable}
    set auth-type {ftp | http | https | telnet}
    set auth-timeout <auth_timeout_minutes>
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    config auth-ports
        edit <auth-table-entry-id>
            set port <port_int>
            set type {ftp | http | https | telnet}
        next
    end
end

auth-blackout-time <blackout_time_int>  (default: 0)
    When a firewall authentication attempt fails 5 times within one minute, the IP address that is the source of the authentication attempts is denied access for the <blackout_time_int> period in seconds. The range is 0 to 3600 seconds.

auth-cert <cert_name>  (default: self-sign)
    HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiSwitch unit), and self-sign are built-in certificates; others are listed as you add them.

auth-http-basic {disable | enable}  (default: disable)
    Enable or disable support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers, for example, web browsers on mobile devices, may only support HTTP basic authentication.

auth-invalid-max <int>  (default: 5)
    Enter the maximum number of failed authentication attempts to allow before the client is blocked. The range is 1-100.

auth-multi-group {enable | disable}  (default: enable)
    This option can be disabled if the Active Directory structure is set up such that users belong to only one group for the purpose of firewall authentication.

auth-secure-http {enable | disable}  (default: disable)
    Enable to have HTTP user authentication redirected to a secure channel (HTTPS).

auth-type {ftp | http | https | telnet}  (default: none)
    Set the user authentication protocol support for firewall policy authentication. This controls which protocols should support the authentication challenge.

auth-timeout <auth_timeout_minutes>  (default: 5)
    Set the number of minutes before the firewall user authentication timeout requires the user to authenticate again. The maximum auth-timeout interval is 480 minutes (8 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.

auth-timeout-type {idle-timeout | hard-timeout | new-session}  (default: idle-timeout)
    Set the type of authentication timeout:
    - idle-timeout — applies only to idle sessions
    - hard-timeout — applies to all sessions
    - new-session — applies only to new sessions

config auth-ports

<auth-table-entry-id>  (default: none)
    Create an entry in the authentication port table if you are using non-standard ports.

port <port_int>  (default: 1024)
    Specify the authentication port. The range is 1 to 65535.

type {ftp | http | https | telnet}  (default: http)
    Specify the protocol to which the port applies.

config user tacacs+

Use this command to add or edit the information used for TACACS+ authentication.

Syntax
config user tacacs+
    edit <server_name>
        set authen-type {ascii | auto | chap | mschap | pap}
        set authorization {enable | disable}
        set key <passwd>
        set port <port_int>
        set server <domain>
        set source-ip <ipv4_addr>
    next
end

<server_name>  (default: none)
    Enter a name for this TACACS+ server definition.

authen-type {ascii | auto | chap | mschap | pap}  (default: auto)
    Set the authentication type. auto uses PAP, MSCHAP, and CHAP (in that order).

authorization {enable | disable}  (default: disable)
    Enable TACACS+ authorization (service=fortigate).

key <passwd>  (default: *)
    Enter the shared secret key used with the TACACS+ server.

port <port_int>  (default: 49)
    Specify the authentication port. The range is 1 to 65535.

server <domain>  (default: none)
    Specify the domain name of the TACACS+ server.

source-ip <ipv4_addr>  (default: 0.0.0.0)
    Set the source IP address for communicating with the TACACS+ server.

Example

This example shows how to configure a TACACS user account for login authentication:
config user tacacs+
    edit tacserver
        set authen-type ascii
        set authorization enable
        set key temporary
        set server tacacs_server
    next
end
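The key set with set key is the only protection TACACS+ gives the packet body on the wire, and the protocol also defines an unencrypted flag that sends the body in cleartext. The following Python is an added example written for this page rather than FortiSwitchOS code: it builds the authentication START packet for an ASCII login (the page's set authen-type ascii), applies the RFC 8907 pseudo-pad obfuscation derived from the session ID, key, version and sequence number, and shows how a receiver parses the header and recognises a cleartext body. The user, port, remote address and session ID are constructed values; the key is the one from the page's example.

```python
"""TACACS+ header and body obfuscation (RFC 8907 section 4.5). Added example written
for this page; not FortiSwitchOS code. Session ID, user, port and address are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body travels in cleartext when set
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01      # the page's "set authen-type ascii"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(... |pad_{n-1}); concatenated.
    Everything but the key is visible in the header, so the key is the whole secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; symmetric, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body (RFC 8907 5.1) for an ASCII login, as a NAS would send."""
    for field in (user, port, rem_addr, data):
        if len(field) > 255:
            raise ValueError("field too long for a one-octet length")
    return (bytes([TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def build_packet(body, session_id, key, seq_no=1, encrypt=True):
    """Prepend the 12-octet header; obfuscate the body unless the unencrypted flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if encrypt else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Return (header fields, body). A set unencrypted flag means the body was sent in the
    clear; a receiver should log that as a misconfiguration rather than accept it quietly."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    fields = {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
              "session_id": session_id}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return fields, payload
    return fields, obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    key = b"temporary"                                           # key from the page's example
    body = authen_start_body(b"admin", b"tty0", b"192.0.2.10")  # constructed values
    pkt = build_packet(body, session_id=0x1234ABCD, key=key)
    print(parse_packet(pkt, key)[1] == body)                     # True
    print(parse_packet(pkt, b"wrong")[1] == body)                # False
```

Because the pad is a keystream and the header is cleartext, a wrong key does not produce an error, only garbage; the server detects a key mismatch by the body failing to parse, not by any integrity check. That is also why the example key temporary from the page should be treated as a placeholder and why TACACS+ traffic belongs on a management network rather than a user-reachable one.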

diagnose

Use the diagnose commands to help with troubleshooting:


- diagnose bpdu-guard display status on page 220
- diagnose certificate all on page 220
- diagnose certificate ca on page 222
- diagnose certificate local on page 222
- diagnose certificate remote on page 223
- diagnose debug application on page 223
- diagnose debug authd on page 225
- diagnose debug bfd on page 226
- diagnose debug bgp on page 226
- diagnose debug cli on page 226
- diagnose debug config-error-log on page 227
- diagnose debug console on page 227
- diagnose debug crashlog on page 227
- diagnose debug disable on page 228
- diagnose debug enable on page 229
- diagnose debug info on page 229
- diagnose debug isis on page 229
- diagnose debug kernel level on page 229
- diagnose debug ospf on page 230
- diagnose debug ospf6 on page 230
- diagnose debug packet_test on page 230
- diagnose debug pim on page 230
- diagnose debug port-mac on page 231
- diagnose debug report on page 232
- diagnose debug reset on page 233
- diagnose debug rip on page 233
- diagnose debug ripng on page 233
- diagnose debug static on page 233
- diagnose debug unit_test on page 233
- diagnose debug zebra on page 234
- diagnose flapguard status on page 234
- diagnose hardware on page 236
- diagnose ip address on page 236
- diagnose ip arp on page 237
- diagnose ip route on page 238
- diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} on page 240
- diagnose ip router command on page 240
- diagnose ip router fwd on page 241
- diagnose ip router process show on page 241
- diagnose ip router terminal-monitor on page 241
- diagnose ip rtcache list on page 242
- diagnose ip tcp on page 242
- diagnose ip udp on page 242
- diagnose ipv6 address on page 243
- diagnose ipv6 devconf on page 244
- diagnose ipv6 ipv6-tunnel on page 245
- diagnose ipv6 neighbor-cache on page 245
- diagnose ipv6 route on page 246
- diagnose ipv6 sit-tunnel on page 247
- diagnose log alertconsole on page 247
- diagnose loop-guard status on page 249
- diagnose option82-mapping relay on page 249
- diagnose option82-mapping snooping on page 250
- diagnose settings on page 250
- diagnose sniffer packet on page 251
- diagnose snmp on page 253
- diagnose stp instance list on page 253
- diagnose stp mst-config list on page 255
- diagnose stp rapid-pvst-port on page 256
- diagnose stp vlan list on page 256
- diagnose switch 802-1x status on page 258
- diagnose switch acl counter on page 259
- diagnose switch acl hw-entry-index on page 260
- diagnose switch acl schedule on page 261
- diagnose switch arp-inspection stats clear on page 261
- diagnose switch cpuq on page 261
- diagnose switch egress list on page 262
- diagnose switch ip-mac-binding entry on page 263
- diagnose switch ip-source-guard hardware entry filter on page 263
- diagnose switch ip-source-guard hardware entry list on page 264
- diagnose switch mac-address on page 264
- diagnose switch macsec statistics on page 266
- diagnose switch macsec status on page 266
- diagnose switch managed-switch on page 266
- diagnose switch mclag on page 266
- diagnose switch mirror auto-config on page 267
- diagnose switch mirror hardware status on page 268
- diagnose switch modules on page 268
- diagnose switch network-monitor on page 270
- diagnose switch pdu-counters on page 271
- diagnose switch physical-ports cable-diag on page 271
- diagnose switch physical-ports datarate on page 272
- diagnose switch physical-ports eee-status on page 272
- diagnose switch physical-ports hw-counter on page 273
- diagnose switch physical-ports io-stats on page 274
- diagnose switch physical-ports led-flash on page 275
- diagnose switch physical-ports linerate on page 275
- diagnose switch physical-ports list on page 275
- diagnose switch physical-ports mdix-status on page 277
- diagnose switch physical-ports port-stats on page 277
- diagnose switch physical-ports qos-rates on page 278
- diagnose switch physical-ports qos-stats on page 279
- diagnose switch physical-ports set-counter-revert on page 281
- diagnose switch physical-ports summary on page 283
- diagnose switch poe status on page 283
- diagnose switch ptp port get-link-delay on page 284
- diagnose switch qnq dtag-cfg on page 284
- diagnose switch trunk list on page 285
- diagnose switch trunk summary on page 287
- diagnose switch vlan on page 287
- diagnose switch vlan-mapping egress hardware-entry on page 289
- diagnose switch vlan-mapping ingress hardware-entry on page 290
- diagnose sys checkused on page 290
- diagnose sys cpuset on page 290
- diagnose sys dayst-info on page 291
- diagnose sys fan status on page 291
- diagnose sys flash on page 291
- diagnose sys flow-export on page 292
- diagnose sys fsw-cloud-mgr on page 292
- diagnose sys kill on page 292
- diagnose sys link-monitor on page 293
- diagnose sys mpstat on page 293
- diagnose sys ntp status on page 294
- diagnose sys pcb temp on page 294
- diagnose sys process on page 294
- diagnose sys psu status on page 294
- diagnose sys top on page 295
- diagnose sys vlan list on page 296
- diagnose test application on page 296
- diagnose test authserver on page 297
- diagnose user radius coa on page 298


diagnose bpdu-guard display status

Use this command to display the status of the spanning tree protocol (STP) bridge protocol data unit (BPDU) guard:
diagnose bpdu-guard display status

To configure STP BPDU guard, see config switch interface on page 94.

Example output

Portname          State   Status    Timeout(m)  Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 disabled - - - -
port2 disabled - - - -
port3 disabled - - - -
port4 disabled - - - -
port5 disabled - - - -
port6 disabled - - - -
port9 disabled - - - -
port10 disabled - - - -
port11 disabled - - - -
port12 disabled - - - -
port13 disabled - - - -
port14 disabled - - - -
port15 disabled - - - -
port16 disabled - - - -
port17 disabled - - - -
port18 disabled - - - -
port19 disabled - - - -
port20 disabled - - - -
port21 disabled - - - -
port22 disabled - - - -
port23 disabled - - - -
port24 disabled - - - -
port25 disabled - - - -
port26 disabled - - - -
port27 disabled - - - -
port28 disabled - - - -
port29 disabled - - - -
port30 enabled - 60 0 -

diagnose certificate all

Use this command to verify all system certificates:


diagnose certificate all


Example output

S548DF5018000776 # diagnose certificate all

Certificate Authority
----------------------------------------------------------------------------

Name : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)

Name : Fortinet_CA
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)

Local
----------------------------------------------------------------------------

Name : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2022-05-24 12:00:00 GMT)

Name : Fortinet_Factory
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A
Serial Number : 19:c1:ea
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name : Fortinet_Factory2
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62
Serial Number : 19:c1:ec
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number : 41:1d:d5
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

Remote
----------------------------------------------------------------------------

diagnose certificate ca

Use this command to verify CA certificates:


diagnose certificate ca

Example output

S548DF5018000776 # diagnose certificate ca

Name : Fortinet_802.1x_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)

Name : Fortinet_CA
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name : Fortinet_CA2
Fingerprint(MD5) : 85:A9:7C:FC:85:D6:2D:8B:9F:18:0A:8B:50:29:04:A9
Serial Number : da:f6:36:b4:43:d4:a5:8b
Integrality : Passed
Timeliness : Valid (Expires on 2038-01-19 22:34:39 GMT)

Name : Fortinet_fsw_cloud_CA
Fingerprint(MD5) : AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
Serial Number : 04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f
Integrality : Passed
Timeliness : Valid (Expires on 2028-10-22 12:00:00 GMT)

diagnose certificate local

Use this command to verify local certificates:


diagnose certificate local


Example output

S548DF5018000776 # diagnose certificate local

Name : Fortinet_802.1x
Fingerprint(MD5) : 0C:7B:E2:32:85:D0:05:DA:CA:16:15:86:82:D7:28:63
Serial Number : 0d:b1:1b:bc:13:51:13:23:18:64:23:55:cd:db:3b:fe
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2022-05-24 12:00:00 GMT)

Name : Fortinet_Factory
Fingerprint(MD5) : B1:92:9D:7B:63:4B:9D:F7:57:FF:E6:59:AE:C2:21:2A
Serial Number : 19:c1:ea
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name : Fortinet_Factory2
Fingerprint(MD5) : F8:E4:51:61:B6:F0:98:FA:43:1F:4C:FD:C1:5D:B2:62
Serial Number : 19:c1:ec
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

Name : Fortinet_Firmware
Fingerprint(MD5) : A3:09:DB:D7:31:CA:7C:A6:CD:03:B1:91:FB:D7:13:23
Serial Number : 41:1d:d5
Integrality : Passed
Key-pair : Passed
Timeliness : Valid (Expires on 2038-01-19 03:14:07 GMT)

diagnose certificate remote

Use this command to verify remote certificates:


diagnose certificate remote

diagnose debug application

Use this command to set the debug level for application daemons. Some applications must be set to level 8 or higher to
enable output for other diagnose debug commands. If you do not specify the debugging level, the current debugging
level is returned.
diagnose debug application <application> [<debugging_level>]

The following applications are supported:


- alertd — Monitor and alert daemon
- authd — Authentication control daemon
- bfdd — Bidirectional forwarding detection (BFD) daemon
- bgpd — Border Gateway Protocol (BGP) daemon
- ctrld — General FortiSwitch control daemon
- cu_swtpd — Switch-controller CAPWAP control daemon
- dhcp6c — DHCPv6 client module
- dhcpc — DHCP client module
- dhcprelay — DHCP relay daemon
- dnsproxy — DNS proxy module
- eap_proxy — EAP proxy daemon
- flcmdd — FortiLink command daemon
- fnbamd — FortiGate nonblocking authentication daemon
- fortilinkd — FortiLink daemon
- fpmd — Hardware routing daemon
- fsmgr — FortiSwitch Cloud daemon
- gui — GUI service
- httpsd — HTTP and HTTPS daemon
- ipconflictd — IP conflict detection daemon
- isisd — Intermediate System to Intermediate System (IS-IS) routing daemon
- l2d — Daemon for layer-2 features
- l2dbg — Daemon for hardware-related operations needed by layer 2
- l3 — Layer-3 debugging
- lacpd — Link Aggregation Control Protocol (LACP) daemon
- libswitchd — FortiSwitch library daemon
- link-monitor — Link monitor daemon
- lldpmedd — Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) daemon
- mcast-snooping — Multicast-snooping debugging
- miglogd — Logging daemon
- ntpd — Network Time Protocol (NTP) daemon
- nwmcfgd — Daemon for network-monitoring configuration
- nwmonitord — Packet-handling and parsing daemon for network monitoring
- ospfd — Open Shortest Path First (OSPF) routing daemon
- pimd — Protocol Independent Multicast (PIM) daemon
- portspeedd — Port speed daemon
- radius_das — RADIUS CoA daemon
- radiusd — RADIUS daemon
- radvd — Router advertisement daemon
- ripd — Routing Information Protocol (RIP) routing daemon
- router-launcher — Daemon for launching the routing system
- rsyslogd — Remote syslog daemon
- sflowd — sFlow daemon
- snmpd — Simple Network Management Protocol (SNMP) daemon
- sshd — Secure Shell (SSH) daemon
- stpd — Spanning Tree Protocol (STP) daemon
- switch-launcher — Daemon for launching the FortiSwitch system
- trunkd — Trunk daemon
- vrrpd — Virtual Router Redundancy Protocol (VRRP) daemon
- wiredap — Daemon for 802.1x port-based authentication
- wpa_supp — MACsec Key Agreement (MKA) daemon
- zebra — Core router daemon

Example output

S524DF4K15000024 # diagnose debug application flgd

flgd debug level is 8 (0x8)

diagnose debug authd

Use these commands to manage the authentication daemon:


diagnose debug authd clear
diagnose debug authd fsso clear-logons
diagnose debug authd fsso filter clear
diagnose debug authd fsso filter group <group_name>
diagnose debug authd fsso filter server <FSSO_agent_name>
diagnose debug authd fsso filter source <IPv4_address> <IPv4_address>
diagnose debug authd fsso filter user <user_name>
diagnose debug authd fsso list
diagnose debug authd fsso refresh-groups
diagnose debug authd fsso refresh-logons
diagnose debug authd fsso server-status
diagnose debug authd fsso summary

clear
    Delete internal data structures and keepalive sessions.

fsso clear-logons
    Delete Fortinet Single Sign-On (FSSO) logon information.

fsso filter clear
    Delete all FSSO filters.

fsso filter group <group_name>
    List only the logons by the specified FSSO group.

fsso filter server <FSSO_agent_name>
    List only the logons for the specified FSSO agent.

fsso filter source <IPv4_address> <IPv4_address>
    List only the logons for the specified range of IPv4 addresses.

fsso filter user <user_name>
    List only the logons by the specified user.

fsso list
    Display the current FSSO logons.

fsso refresh-groups
    Refresh the FSSO group mappings.

fsso refresh-logons
    Synchronize the FSSO logon database.

fsso server-status
    Display the status of the FSSO agent connection.

fsso summary
    Display a summary of current FSSO logons.

Example output

diag debug authd fsso server-status

Server Name     Connection Status     Version
-----------     -----------------     -------
fsso            connected             FSSO 5.0.0237

diagnose debug authd fsso list


IP: 10.1.1.5  User: ADM_FWCHECK  Groups: FW_OPERATORS/ADMINISTRATORS

diagnose debug bfd

Use this command to enable, show, or disable the debugging level for bidirectional forwarding detection (BFD):
diagnose debug bfd {all | appl | fsm | net | show | zebra } {enable | disable}

diagnose debug bgp

Use this command to enable, show, or disable the debugging level for Border Gateway Protocol (BGP) routing:
diagnose debug bgp {all | appl | as4 | flowspec | keepalives | neighbor-events | nht | normal
| show | updates | zebra} {enable | disable}

diagnose debug cli

Use this command to set or find the debug level for the CLI:
diagnose debug cli [<0-8>]

Example output

S524DF4K15000024 # diagnose debug cli

Cli debug level is 8


diagnose debug config-error-log

Use this command to display information about the configuration error log:
diagnose debug config-error-log {clear | read}

clear
    Clear the configuration error log.

read
    Display the configuration errors on the console.

diagnose debug console

Use these commands to display information about the console:


diagnose debug console no-user-log-msg {enable | disable}
diagnose debug console send <AT command>
diagnose debug console timestamp {enable | disable}

no-user-log-msg {enable | disable}
    Enable or disable the display of user log messages on the console.

send <AT command>
    Send out the specified modem AT command.

timestamp {enable | disable}
    Enable or disable the time stamp on console output.

diagnose debug crashlog

Use this command to display or erase the crash log:


diagnose debug crashlog {clear | get | kill-with-crashlog <process_ID> | read}

clear
    Clear the crash log.

get
    Display the raw crash log on the console.

kill-with-crashlog <process_ID>
    End the process with the specified process ID and record the event in the crash log.

read
    Display the crash log on the console in a readable format.


Example output

S524DF4K15000024 # diagnose debug crashlog get

Rk9SVP94nDK0NLPUNTTSNTZUMDSzMjCwMjVXSErOjc9IzEvJSY3PTM8tKI5Pzk2x
UvB1dgwO0Q1xdPJx1Q32jHK1MjQwMuECCCAjA0NzXQNLXQMzBUOgZgMrQ0uFkoxU
hezMnJzUFIWUxNTc/DyFzGIF/aTMPP301JKSSiuF4pLEktJiW4MKAy6AAELWb2gF
dIKJKUn6AQIIVb+JmZWpCUn6AQIIWb+RlYGxlbExSfoBAghZv7GVqamVEWn+Bwgg
ZP0mVgYWwCAkST9AAKHqNzQHxR8p+gECCFW/MdALhiToN+ICCCA0/WZWxqTpBwgg
ZP3AwDMGJkGS3A8QQKj6TYBJwIIk/QABhKbfBBiFJLkfIIDQ9JtaGZNivxEXQAAh
6zcDxb8RafEHEECo+oH+NyAt/QMEEKp+UP41Ikk/QADB9ZuD8r+RpRXQIOL1GxsY
cAEEEKoJphakpgCAAELWbwgKQQPSQhAggFD1A3OAMWkhABBAaPotrUxIsx8ggJD1
A0sgU1JzMEAAIesHZl8jICJJP0AAIesHpgBz0koAAy6AAELWb24FTgQk6QcIIFT9
JkD3k5KCDLgAAghNPzD+SbMfIIBQ9ZsaAyshkvQDBBCyfqDlwEKYtBIIIIBQ9QOj
0IS08AcIIDT9ZqSlHyMugABC1W8EDH/SakCAAELVD8w/JMY/QAAh6wcWH0bAJECS
foAAguu3UDAwtzIClmCklB+gEggggJBNsLQCV8MkuQAggND0A+sA0lIQQACh6jcC
1mGklYAAAYSkH1gCGZkCnUCSfoAAQtUPKgFJsx8ggFD1mwBzEGklGEAAoek3AUYi
...

S548DF5018000776 # diagnose debug crashlog read

1: 2020-03-13 11:54:15 the killed daemon is /bin/fsmgrd: status=0x0


2: 2020-03-13 16:55:27 the killed daemon is /bin/fsmgrd: status=0x0
3: 2020-03-13 16:59:09 the killed daemon is /bin/fsmgrd: status=0x0
4: 2020-03-13 17:32:56 the killed daemon is /bin/fsmgrd: status=0x0
5: 2020-03-13 18:10:52 the killed daemon is /bin/fsmgrd: status=0x0
6: 2020-03-13 18:45:45 the killed daemon is /bin/fsmgrd: status=0x0
7: 2020-03-13 18:52:24 the killed daemon is /bin/fsmgrd: status=0x0
8: 2020-03-16 11:59:48 restart_reason=SYSTEM SHUTDOWN
9: 2020-03-17 10:16:42 restart_reason=SYSTEM SHUTDOWN
10: 2020-03-23 09:23:22 restart_reason=SYSTEM SHUTDOWN
11: 2020-03-24 08:33:04 restart_reason=SYSTEM SHUTDOWN
12: 2020-03-26 08:11:33 restart_reason=SYSTEM SHUTDOWN
13: 2020-04-10 08:48:25 restart_reason=SYSTEM SHUTDOWN
14: 2020-05-06 10:51:28 the killed daemon is /bin/fsmgrd: status=0x0
15: 2020-05-06 11:47:45 the killed daemon is /bin/fsmgrd: status=0x0
16: 2020-05-06 17:49:04 the killed daemon is /bin/fsmgrd: status=0x0
17: 2020-05-28 08:45:54 restart_reason=SYSTEM SHUTDOWN
18: 2020-05-28 09:09:00 the killed daemon is /bin/fsmgrd: status=0x0
19: 2020-05-28 09:36:23 the killed daemon is /bin/fsmgrd: status=0x0
20: 2020-05-28 18:12:20 the killed daemon is /bin/fsmgrd: status=0x0
21: 2020-05-29 13:31:52 the killed daemon is /bin/fsmgrd: status=0x0
22: 2020-05-29 15:04:20 the killed daemon is /bin/fsmgrd: status=0x0
23: 2020-05-29 16:01:28 the killed daemon is /bin/fsmgrd: status=0x0
24: 2020-05-29 16:27:41 the killed daemon is /bin/fsmgrd: status=0x0
25: 2020-06-01 16:04:11 restart_reason=SYSTEM SHUTDOWN
26: 2020-06-02 09:56:49 the killed daemon is /bin/fsmgrd: status=0x0
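The crash log is the first place to look when a switch has been rebooting or dropping management sessions, and the numbered lines of the read output are regular enough to parse. The following Python is an added example, not code from the FortiSwitchOS reference or from Fortinet: it parses the read output into entries, counts kills per daemon, flags days on which one daemon was killed repeatedly, and splits the status word into its parts. The sample lines are copied from the output above; treating the status= field as a raw wait(2) status word is an assumption of this example, and the function names are its own.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the 'diagnose debug crashlog read' output above.
CRASHLOG_SAMPLE = """\
1: 2020-03-13 11:54:15 the killed daemon is /bin/fsmgrd: status=0x0
2: 2020-03-13 16:55:27 the killed daemon is /bin/fsmgrd: status=0x0
3: 2020-03-13 16:59:09 the killed daemon is /bin/fsmgrd: status=0x0
8: 2020-03-16 11:59:48 restart_reason=SYSTEM SHUTDOWN
14: 2020-05-06 10:51:28 the killed daemon is /bin/fsmgrd: status=0x0
15: 2020-05-06 11:47:45 the killed daemon is /bin/fsmgrd: status=0x0
16: 2020-05-06 17:49:04 the killed daemon is /bin/fsmgrd: status=0x0
"""

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<msg>.*\S)\s*$")
KILL_RE = re.compile(r"the killed daemon is (?P<daemon>\S+?):\s*status=(?P<status>0x[0-9a-fA-F]+)")
RESTART_RE = re.compile(r"restart_reason=(?P<reason>.+)")


def parse_crashlog(text):
    """One dict per numbered entry; the prompt, banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = {"seq": int(m["seq"]),
                 "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}
        msg = m["msg"]
        k = KILL_RE.search(msg)
        r = RESTART_RE.search(msg)
        if k:
            entry.update(kind="kill", daemon=k["daemon"], status=int(k["status"], 16))
        elif r:
            entry.update(kind="restart", reason=r["reason"].strip())
        else:
            entry.update(kind="other", text=msg)
        entries.append(entry)
    return entries


def kills_per_daemon(entries):
    """How often each daemon was killed over the whole log."""
    return Counter(e["daemon"] for e in entries if e["kind"] == "kill")


def kill_bursts(entries, threshold=3):
    """(daemon, day, count) for every day on which one daemon died at least
    `threshold` times. Repeated deaths of the management daemon that do not
    line up with a recorded restart are worth correlating with whatever was
    talking to the switch's management interfaces at the time."""
    per_day = Counter((e["daemon"], e["time"].date().isoformat())
                      for e in entries if e["kind"] == "kill")
    return sorted((d, day, n) for (d, day), n in per_day.items() if n >= threshold)


def decode_status(status):
    """Split a wait(2)-style status word: bits 0-6 terminating signal, bit 7
    core-dumped flag, bits 8-15 exit code. Assumption of this example: the
    reference does not say that status= is a raw wait status. Under it, 0x0 is
    a clean exit with code 0, while e.g. 0x0b means the daemon died of SIGSEGV."""
    return {"signal": status & 0x7F,
            "exit_code": (status >> 8) & 0xFF,
            "core": bool(status & 0x80)}


if __name__ == "__main__":
    log = parse_crashlog(CRASHLOG_SAMPLE)
    print(kills_per_daemon(log))
    print(kill_bursts(log))
    print(decode_status(log[0]["status"]))
```

Feed it the text captured from the CLI session (for example over SSH); anything that is not a numbered entry is ignored, so the prompt and the "Example output" banner do not need to be stripped first.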

diagnose debug disable

Use this command to disable debugging output:


diagnose debug disable


diagnose debug enable

Use this command to enable debugging output:


diagnose debug enable

diagnose debug info

Use this command to display the debugging level:


diagnose debug info

Example output

S524DF4K15000024 # diagnose debug info


debug output: enable
console timestamp: disable
console no user log message: disable
fsmgr debug level: 16 (0x10)
CLI debug level: 8

diagnose debug isis

Use this command to enable, show, or disable the debugging level for Intermediate System to Intermediate System
Protocol (IS-IS) routing:
diagnose debug isis {adj-packets | all | appl | bfd | events | flooding | lsp-gen | lsp-sched
| packet-dump | route-events | show | snp-packets | spf-events | tx-queue | update-
packets} {enable | disable}

diagnose debug kernel level

Use this command to display or set the debugging level for the kernel:
diagnose debug kernel level [<integer>]

Example output

S524DF4K15000024 # diagnose debug kernel level

Kernel debug level is 0


diagnose debug ospf

Use this command to enable, show, or disable the debugging level for open shortest path first (OSPF) routing for IPv4
traffic:
diagnose debug ospf {all | appl | event | ism-debug | lsa-debug | nsm-debug | nssa | packet-
debug | show | zebra-debug} {enable | disable}

diagnose debug ospf6

Use this command to enable or disable the debugging level for open shortest path first (OSPF) routing for IPv6 traffic:
diagnose debug ospf6 {abr | all | appl | asbr | border-routers | flooding | interface | lsa |
lsa-debug | message | neighbor | packet-debug | route | route-debug | spf | zebra}
{enable | disable}

diagnose debug packet_test

Use this command to display a report about the specified port for technical support:
diagnose debug packet_test <port_ID>

Example output

S524DF4K15000024 # diagnose debug packet_test 30

RX: port:0(tx port 30) len:0


00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

RX: port:0(tx port 30) len:0


00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Send: 2, Recv: 2

diagnose debug pim

Use this command to enable, show, or disable the debugging level for Protocol Independent Multicast (PIM) routing:
diagnose debug pim {all | appl | events | igmp-events | igmp-packets | igmp-trace | mroute |
packet-dump | packets | show | static | trace | zebra} {enable | disable}


diagnose debug port-mac

NOTE: This command is available only on FortiSwitch units that have the split-port feature available.
Use this command to display the mapping between MAC addresses and ports:
diagnose debug port-mac {check-mac | list}

Variable Description

check-mac Check to see if the specified MAC address is valid.

list List the mapping between MAC addresses and ports.

Example output

S524DF4K15000024 # diagnose debug port-mac check-mac 08:5b:0e:f1:95:e4


Input MAC address 08:5b:0e:f1:95:e4 found in range
08:5b:0e:e5:4f:d6--08:5b:0e:f1:9b:a4
90:6c:ac:30:19:22--90:6c:ac:7b:d6:d0
Allocated split-port MAC for port 32 is 00:00:00:00:00:00.

S524DF4K15000024 # diagnose debug port-mac list


Base MAC: 08:5b:0e:f1:95:e4

Port Name Port # Split Port Idx MAC
==================================================================================
port1 1 0 08:5b:0e:f1:95:e6
port2 2 0 08:5b:0e:f1:95:e7
port3 3 0 08:5b:0e:f1:95:e8
port4 4 0 08:5b:0e:f1:95:e9
port5 5 0 08:5b:0e:f1:95:ea
port6 6 0 08:5b:0e:f1:95:eb
port7 7 0 08:5b:0e:f1:95:ec
port8 8 0 08:5b:0e:f1:95:ed
port9 9 0 08:5b:0e:f1:95:ee
port10 10 0 08:5b:0e:f1:95:ef
port11 11 0 08:5b:0e:f1:95:f0
port12 12 0 08:5b:0e:f1:95:f1
port13 13 0 08:5b:0e:f1:95:f2
port14 14 0 08:5b:0e:f1:95:f3
port15 15 0 08:5b:0e:f1:95:f4
port16 16 0 08:5b:0e:f1:95:f5
port17 17 0 08:5b:0e:f1:95:f6
port18 18 0 08:5b:0e:f1:95:f7
port19 19 0 08:5b:0e:f1:95:f8
port20 20 0 08:5b:0e:f1:95:f9
port21 21 0 08:5b:0e:f1:95:fa
port22 22 0 08:5b:0e:f1:95:fb
port23 23 0 08:5b:0e:f1:95:fc
port24 24 0 08:5b:0e:f1:95:fd
port25 25 0 08:5b:0e:f1:95:fe
port26 26 0 08:5b:0e:f1:95:ff
port27 27 0 08:5b:0e:f1:96:00
port28 28 0 08:5b:0e:f1:96:01
port29 29 0 08:5b:0e:f1:96:02
port30 30 0 08:5b:0e:f1:96:03
internal 31 0 08:5b:0e:f1:95:e4
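The list output shows each port's MAC derived from the unit's base MAC, and check-mac reports whether an address falls inside the ranges allocated to the unit. Reproducing that mapping offline is useful when attributing a frame seen in a capture (an LLDP advertisement, a BPDU, a suspicious source address) to the physical port that emitted it. The following Python is an added example, not code from the reference or from Fortinet. The offset it uses (port N = base MAC + N + 1, internal = base MAC) is inferred from the sample output above and is not documented, so confirm it against the live list output of the unit in question; port_for_mac and in_ranges are names chosen for this example.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def mac_to_int(mac):
    """Parse a colon-separated MAC into a 48-bit integer (case-insensitive)."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(n):
    """Format a 48-bit integer as a lower-case colon-separated MAC."""
    return ":".join(f"{(n >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def port_mac_table(base_mac, port_count):
    """Per-port MACs derived from the base MAC.
    Assumption: port N = base + N + 1 and 'internal' = base, as observed in the
    sample 'diagnose debug port-mac list' output; not a documented rule."""
    base = mac_to_int(base_mac)
    table = {"internal": int_to_mac(base)}
    for n in range(1, port_count + 1):
        table[f"port{n}"] = int_to_mac(base + n + 1)
    return table


def port_for_mac(table, mac):
    """Reverse lookup: the port name that owns this MAC, or None."""
    wanted = mac_to_int(mac)
    for name, m in table.items():
        if mac_to_int(m) == wanted:
            return name
    return None


def in_ranges(mac, ranges):
    """True if the MAC lies inside one of the (first, last) ranges that
    check-mac prints, compared as 48-bit integers."""
    n = mac_to_int(mac)
    return any(mac_to_int(lo) <= n <= mac_to_int(hi) for lo, hi in ranges)


# Values copied from the check-mac and list output above.
BASE_MAC = "08:5b:0e:f1:95:e4"
CHECK_MAC_RANGES = [("08:5b:0e:e5:4f:d6", "08:5b:0e:f1:9b:a4"),
                    ("90:6c:ac:30:19:22", "90:6c:ac:7b:d6:d0")]

if __name__ == "__main__":
    table = port_mac_table(BASE_MAC, 30)
    # Attribute a source MAC seen in a capture to the port that emitted it.
    print(port_for_mac(table, "08:5b:0e:f1:96:00"))
    # The upstream gateway MAC from the ARP example later on this page shares
    # the Fortinet OUI but is outside this unit's allocation.
    print(in_ranges("90:6c:ac:15:2f:94", CHECK_MAC_RANGES))
```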

diagnose debug report

Use this command to display a detailed debugging report for technical support:
diagnose debug report

Example output

S524DF4K15000024 # diagnose debug report

Version: FortiSwitch-524D-FPOE v3.6.3,build0390,171020 (GA)


Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 390
System time: Tue Jan 6 13:53:02 1970

----------------------------------------------------------------
Serial Number: S524DF4K15000024 Diagnose output
----------------------------------------------------------------

### get system status

CPU states: 0% user 4% system 0% nice 96% idle


Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 5 days, 21 hours, 53 minutes

### get system performance status

config system interface


edit "mgmt"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 33
next
edit "internal"
set type physical
set snmp-index 32
next
end


### show system interface

### show router static

### diagnose ip address list


...

diagnose debug reset

Use this command to reset all debugging levels to the default levels:
diagnose debug reset

diagnose debug rip

Use this command to enable, show, or disable the debugging level for IPv4 Routing Information Protocol (RIP) routing:
diagnose debug rip {all | appl | events | packet-rx | packet-tx | show | zebra} {enable |
disable}

diagnose debug ripng

Use this command to enable, show, or disable the debugging level for IPv6 Routing Information Protocol (RIP) routing:
diagnose debug ripng {all | appl | events | packet-rx | packet-tx | show | zebra} {enable |
disable}

diagnose debug static

Use this command to enable or disable the debugging level for static routes:
diagnose debug static {all | appl} {enable | disable}

diagnose debug unit_test

Use this command to enable or disable the debugging of unit tests:


diagnose debug unit_test {enable | disable}


Example output

S524DF4K15000024 # diagnose debug unit_test enable


libsw_unit_test argc 2
cmd =0

diagnose debug zebra

Use this command to enable, show, or disable the debugging level for the core router daemon:
diagnose debug zebra {all | appl | events | fpm | kernel | packet-rx | packet-rx-detail |
packet-tx | packet-tx-detail | rib | rib-queue | show} {enable | disable}

diagnose flapguard status

Use this command to get flap-guard information for all switch ports:
diagnose flapguard status

Example output

S524DF4K15000024 # diagnose flapguard status

Portname  State     Status  Timeout(m)  flap-rate  flap-duration  flaps/duration  Last-Event
________  ________  ______  __________  _________  _____________  ______________  __________
port1     disabled  -       -           5          30             0               -
port2     disabled  -       -           5          30             0               -
port3     disabled  -       -           5          30             0               -
port4     disabled  -       -           5          30             0               -
port5     disabled  -       -           5          30             0               -
port6     disabled  -       -           5          30             0               -
port7     disabled  -       -           5          30             0               -
port8     disabled  -       -           5          30             0               -
port9     enabled   -       0           5          30             0               -
port10    disabled  -       -           5          30             0               -
port11    disabled  -       -           5          30             0               -
port12    disabled  -       -           5          30             0               -
port13    disabled  -       -           5          30             0               -
port14    disabled  -       -           5          30             0               -
port15    disabled  -       -           5          30             0               -
port16    disabled  -       -           5          30             0               -
port17    disabled  -       -           5          30             0               -
port18    disabled  -       -           5          30             0               -
port19    enabled   -       30          15         10             0               -
port20    disabled  -       -           5          30             0               -
port21    disabled  -       -           5          30             0               -
port22    disabled  -       -           5          30             0               -
port23    disabled  -       -           5          30             0               -
port24    disabled  -       -           5          30             0               -
port25    disabled  -       -           5          30             0               -
port26    disabled  -       -           5          30             0               -
port27    disabled  -       -           5          30             0               -
port28    disabled  -       -           5          30             0               -
port29    disabled  -       -           5          30             0               -
port30.1  disabled  -       -           5          30             0               -
port30.2  disabled  -       -           5          30             0               -
port30.3  disabled  -       -           5          30             0               -
port30.4  disabled  -       -           5          30             0               -


diagnose hardware

Use these commands to diagnose the hardware. You must be logged in as a super user for these commands.
diagnose hardware certificate
diagnose hardware ioport {byte <value> | long <arguments> | word <arguments>}
diagnose hardware switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table
| l3-summary | l3-v6-host-table | routing-table | v6-routing-table}
diagnose hardware sysinfo {bootenv | cpu | interrupts | iomem | memory | slab}

Variable Description

certificate Verify which certificates are present on the FortiSwitch unit and that all installed certificates are valid.

ioport {byte <value> | long <arguments> | word <arguments>} Read and write data using the input/output port.

switchinfo {l3-ecmp-table | l3-egress-table | l3-host-table | l3-intf-table | l3-summary | l3-v6-host-table | routing-table | v6-routing-table} Get information about the FortiSwitch hardware forwarding tables.

sysinfo {bootenv | cpu | interrupts | iomem | memory | slab} Get system information.

Example output

S548DF5018000776 # diagnose hardware certificate


Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........Passed
Checking Fortinet_Factory.cer Serial-No. ........Passed
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed
Checking Fortinet_CA2.cer integrality ........Passed
Checking Fortinet_Factory2.cer integrality ........Passed
Checking Fortinet_Factory2.cer key-pair integrality ........Passed
Checking Fortinet_Factory2.cer Serial-No. ........Passed
Checking Fortinet_Factory2.cer timeliness ........Passed
Checking Fortinet_Factory2.key integrality ........Passed

diagnose ip address

Use these commands to manage IP addresses:


diagnose ip address add <interface_name> <IPv4_address> <IP_network_mask>
diagnose ip address delete <interface_name> <IPv4_address>
diagnose ip address flush
diagnose ip address list


Variable Description

add <interface_name> <IPv4_address> <IP_network_mask> Add an IPv4 address to the specified interface.

delete <interface_name> <IPv4_address> Delete an IPv4 address from the specified interface.

flush Delete all IP addresses.

list List all IP addresses and which interfaces they are assigned to.

Example output

S524DF4K15000024 # diagnose ip address list

IP=127.0.0.1->127.0.0.1/255.0.0.0 index=1 devname=lo


IP=192.168.1.99->192.168.1.99/255.255.255.0 index=2 devname=mgmt
IP=10.105.19.3->10.105.19.3/255.255.252.0 index=2 devname=mgmt
IP=170.38.65.1->170.38.65.1/255.255.255.0 index=71 devname=vlan35
IP=180.1.1.1->180.1.1.1/255.255.255.0 index=72 devname=vlan85
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=73 devname=int1
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=74 devname=vlan-8
IP=11.1.1.100->11.1.1.100/255.255.255.255 index=74 devname=vlan-8

diagnose ip arp

Use these commands to manage the Address Resolution Protocol (ARP) table:
diagnose ip arp add <interface_name> <IPv4_address> <MAC_address>
diagnose ip arp delete <interface_name> <IPv4_address>
diagnose ip arp flush <interface_name>
diagnose ip arp list

Variable Description

add <interface_name> <IPv4_address> <MAC_address> Add an Address Resolution Protocol (ARP) entry for the IP address on the specified interface.

delete <interface_name> <IPv4_address> Delete the ARP entry for the IP address on the specified interface.

flush <interface_name> Delete the ARP table for the specified interface.

list Display the ARP table.

Example output

S524DF4K15000024 # diagnose ip arp list

index=2 ifname=mgmt 10.105.16.1 90:6c:ac:15:2f:94 state=00000002 use=117606 confirm=537 update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)

diagnose ip route

Use these commands to manage static routes and the routing table:
diagnose ip route add <interface_name> <IPv4_address> <IP_network_mask>
diagnose ip route delete <interface_name> <IPv4_address>
diagnose ip route flush
diagnose ip route list [<arguments>]
diagnose ip route verify <interface_name> <IPv4_address> <IP_network_mask>

Variable Description

add <interface_name> <IPv4_address> <IP_network_mask> Add a static route to the specified interface.

delete <interface_name> <IPv4_address> Delete a static route from the specified interface.

flush Delete the routing table.

list [<arguments>] Display the routing table.

verify <interface_name> <IPv4_address> <IP_network_mask> Verify a static route on the specified interface.

Example output

S524DF4K15000024 # diagnose ip route list

tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.105.16.1 dev=2(mgmt)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/22 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->39.3.2.0/24 pref=0.0.0.0 gwy=180.1.1.2 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/24 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/24 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.255/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.16.0/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.3/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.105.19.255/32 pref=10.105.19.3 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.100/32 pref=11.1.1.100 gwy=0.0.0.0 dev=74(vlan-8)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=1(lo)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=73(int1)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.0/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.1/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->170.38.65.255/32 pref=170.38.65.1 gwy=0.0.0.0 dev=71(vlan35)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.0/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.1/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->180.1.1.255/32 pref=180.1.1.1 gwy=0.0.0.0 dev=72(vlan85)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.99/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
tab=255 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.99 gwy=0.0.0.0 dev=2(mgmt)
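The route and ARP listings print the kernel's rtnetlink numbers undecoded: tab 254 is the main table and 255 the local table, proto 2 is a kernel-installed connected route and 11 a route injected by the zebra routing daemon, and the ARP state= word is the neighbour-cache state bitmask. The following Python is an added example that serves both the diagnose ip arp and diagnose ip route sections; it is not code from the reference or from Fortinet. It decodes the numbers with the standard Linux constants, isolates the routes that actually steer off-link traffic (main-table routes not auto-installed by the kernel), and checks each next hop against the ARP cache and a caller-supplied list of pinned gateway MACs, which is a cheap detector for an injected route or a spoofed gateway. The sample lines are copied from the two outputs above; check_gateways, forwarding_routes and the pinned dictionary are constructs of this example.

```python
import re

# Raw rtnetlink numbers as printed by the switch, mapped to the names in
# linux/rtnetlink.h (routing table, scope, route type, originating protocol).
RT_TABLE = {0: "unspec", 253: "default", 254: "main", 255: "local"}
RT_SCOPE = {0: "universe", 200: "site", 253: "link", 254: "host", 255: "nowhere"}
RTN_TYPE = {0: "unspec", 1: "unicast", 2: "local", 3: "broadcast", 4: "anycast",
            5: "multicast", 6: "blackhole", 7: "unreachable", 8: "prohibit"}
RTPROT = {0: "unspec", 1: "redirect", 2: "kernel", 3: "boot", 4: "static",
          9: "ra", 11: "zebra", 12: "bird", 16: "dhcp"}
# Neighbour-cache state bits from linux/neighbour.h (the state=XXXXXXXX field).
NUD_STATES = [(0x01, "INCOMPLETE"), (0x02, "REACHABLE"), (0x04, "STALE"),
              (0x08, "DELAY"), (0x10, "PROBE"), (0x20, "FAILED"),
              (0x40, "NOARP"), (0x80, "PERMANENT")]

ROUTE_RE = re.compile(
    r"tab=(?P<tab>\d+) scope=(?P<scope>\d+) type=(?P<type>\d+) proto=(?P<proto>\d+) "
    r"prio=(?P<prio>\d+) (?P<src>\S+)->(?P<dst>\S+) pref=(?P<pref>\S+) "
    r"gwy=(?P<gwy>\S+) dev=(?P<ifindex>\d+)\((?P<dev>[^)]*)\)")
ARP_RE = re.compile(
    r"index=(?P<idx>\d+) ifname=(?P<dev>\S+) (?P<ip>\d+(?:\.\d+){3})"
    r"(?: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
    r"(?: state=(?P<state>[0-9a-f]{8}))?(?P<rest>.*)$")

# Lines copied from the route and ARP outputs above.
ROUTE_SAMPLE = """\
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.105.16.1 dev=2(mgmt)
tab=254 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
tab=254 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->39.3.2.0/24 pref=0.0.0.0 gwy=180.1.1.2 dev=72(vlan85)
tab=255 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=74(vlan-8)
"""
ARP_SAMPLE = """\
index=2 ifname=mgmt 10.105.16.1 90:6c:ac:15:2f:94 state=00000002 use=117606 confirm=537 update=67371 ref=1
index=70 ifname=internal 192.168.0.10 state=00000001 use=24 confirm=178601 update=124 ref=1
index=74 ifname=vlan-8 11.1.1.100 00:00:5e:00:01:05 (proxy)
"""


def parse_routes(text):
    """Decode each route line into names; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "table": RT_TABLE.get(int(d["tab"]), d["tab"]),
            "scope": RT_SCOPE.get(int(d["scope"]), d["scope"]),
            "type": RTN_TYPE.get(int(d["type"]), d["type"]),
            "proto": RTPROT.get(int(d["proto"]), d["proto"]),
            "dst": d["dst"],
            "prefsrc": d["pref"],  # preferred source address for this route
            "gateway": None if d["gwy"] == "0.0.0.0" else d["gwy"],
            "dev": d["dev"],
        })
    return routes


def parse_arp(text):
    """Decode ARP lines; the state bitmask becomes a list of flag names."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        if d["state"] is not None:
            bits = int(d["state"], 16)
            state = [name for bit, name in NUD_STATES if bits & bit] or ["NONE"]
        else:
            state = ["PROXY"] if "(proxy)" in d["rest"] else ["UNKNOWN"]
        entries.append({"dev": d["dev"], "ip": d["ip"], "mac": d["mac"], "state": state})
    return entries


def forwarding_routes(routes):
    """Main-table routes not auto-installed by the kernel: the default route,
    static routes and anything a routing daemon or DHCP injected. These decide
    where off-link traffic goes, so they are the ones worth diffing over time."""
    return [r for r in routes if r["table"] == "main" and r["proto"] != "kernel"]


def check_gateways(routes, arp, pinned):
    """Cross-check each next hop against the ARP cache and against `pinned`,
    a dict {gateway_ip: expected_mac}. Returns (dst, gateway, finding) tuples."""
    by_ip = {e["ip"]: e for e in arp}
    findings = []
    for r in forwarding_routes(routes):
        gw = r["gateway"]
        if gw is None:
            continue
        e = by_ip.get(gw)
        if e is None:
            findings.append((r["dst"], gw, "no ARP entry"))
        elif gw in pinned and (e["mac"] or "") != pinned[gw].lower():
            findings.append((r["dst"], gw, f"MAC {e['mac']} != pinned {pinned[gw].lower()}"))
        elif "INCOMPLETE" in e["state"] or "FAILED" in e["state"]:
            findings.append((r["dst"], gw, "unresolved: " + "|".join(e["state"])))
    return findings


if __name__ == "__main__":
    routes, arp = parse_routes(ROUTE_SAMPLE), parse_arp(ARP_SAMPLE)
    for f in check_gateways(routes, arp, {"10.105.16.1": "90:6c:ac:15:2f:94"}):
        print(f)
```

The pinned MAC list is the part that makes this a check rather than a listing: take it from a known-good capture of the gateway and keep it with the rest of the switch's baseline, then run the comparison whenever the default route or the gateway's ARP entry changes.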


diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng |
static | zebra}

Use these commands to display statistics for bidirectional forwarding detection (BFD), Border Gateway Protocol (BGP)
routing, Intermediate System to Intermediate System Protocol (IS-IS) routing, open shortest path first (OSPF) routing
for IPv4 traffic, OSPF routing for IPv6 traffic, Protocol Independent Multicast (PIM) routing, Routing Information
Protocol (RIP) routing for IPv4 traffic, RIP routing for IPv6 traffic, static routes, and core routing daemon:
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} cpu-usage
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-clear
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} crash-backtrace-read
diagnose ip router zebra fpm-counters clear
diagnose ip router zebra fpm-counters show
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} memory-usage
diagnose ip router {bfd | bgp | isis | ospf | ospf6 | pim | rip | ripng | static | zebra} work-queues

Variable Description

cpu-usage Display statistics for CPU usage.

crash-backtrace-clear Delete the crash-backtrace information.

crash-backtrace-read Display the crash-backtrace information.

fpm-counters clear Erase the hardware offload counters.

fpm-counters show Display the hardware offload counters.

memory-usage Display statistics for memory usage.

work-queues Display information about work queues.

diagnose ip router command

Use these commands to send commands to the individual routing daemons, either in enable mode (cmd) or in configure terminal mode (cmd-conf-term):
diagnose ip router command bfd {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command bgp {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command isis {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command ospf6 {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command pim {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command rip {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command static {cmd <arguments>| cmd-conf-term <arguments>}
diagnose ip router command zebra {cmd <arguments>| cmd-conf-term <arguments>}


diagnose ip router fwd

Use these commands for debugging layer-3 forwarding:


diagnose ip router fwd l3-clear-stats
diagnose ip router fwd l3-disable-ip-tracing
diagnose ip router fwd l3-ecmp
diagnose ip router fwd l3-egress
diagnose ip router fwd l3-enable-ip-tracing <IP_address>
diagnose ip router fwd l3-enable-ip-tracing6 <IPv6_address>
diagnose ip router fwd l3-intf
diagnose ip router fwd l3-stats

Variable Description

l3-clear-stats Delete layer-3 statistics.

l3-disable-ip-tracing Disable IP tracing.

l3-ecmp Display information about equal cost multi-path (ECMP) routing.

l3-egress Display layer-3 egress information.

l3-enable-ip-tracing <IP_address> Enable IPv4 host tracing.

l3-enable-ip-tracing6 <IPv6_address> Enable IPv6 host tracing.

l3-intf Display information about layer-3 interfaces.

l3-stats Display layer-3 statistics.

diagnose ip router process show

Use this command to display information about the process launch of the core routing daemon, static routing daemon,
BGP daemon, OSPF (IPv4 and IPv6) daemons, BFD daemon, RIP daemon, IS-IS daemon, and PIM daemon:
diagnose ip router process show

diagnose ip router terminal-monitor

Use this command to enable or disable the display of router information on the terminal:
diagnose ip router terminal-monitor {enable | disable}


diagnose ip rtcache list

Use this command to list the routing cache:


diagnose ip rtcache list

diagnose ip tcp

Use this command to list or clear the TCP sockets:


diagnose ip tcp {list | flush}

Example

S524DF4K15000024 # diagnose ip tcp list

sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3099 1 e647d300 100 0 0 10 -1
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1587 1 e647c000 100 0 0 10 -1
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3338 1 e647dc80 100 0 0 10 -1
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3103 1 e647d7c0 100 0 0 10 -1
...

diagnose ip udp

Use this command to list or clear the UDP sockets:


diagnose ip udp {list | flush}

Example

S524DF4K15000024 # diagnose ip udp list


sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
24: 00000000:E818 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4097 2 e69e38c0 0
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 964 2 e5fd2d80 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 963 2 e5fd2b40 0
68: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1961 2 e6029200 0
181: 00000000:90B5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 7681206 2 e6b94b40 0
350: 00000000:C15E 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3301 2 e69e2b40 0
370: 0100007F:1972 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1793 2 e6028fc0 0
404: 00000000:B994 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 112 2 e5fd2000 0
415: 00000000:859F 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 11905 2 e5fd38c0 0
415: 00000000:C99F 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3113 2 e6029d40 0
450: 00000000:E9C2 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 157 2 e5fd2480 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2196 2 e5fd3680 0
546: 00000000:CA22 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2156 2 e5fd3440 0
549: 00000000:9225 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2057 2 e5fd2fc0 0
653: 00000000:AE8D 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 775 2 e5fd2900 0
654: 00000000:B68E 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1977 2 e6029b00 0
688: 00000000:12B0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3321 2 e69e2fc0 0
712: 00000000:0EC8 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3320 2 e69e2d80 0
713: 00000000:0EC9 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3322 2 e69e3200 0
763: 00000000:92FB 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 9848617 2 e6ad7200 0
788: 0100007F:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3224 2 e69e2240 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000 0 0 3292 2 e69e2900 0
882: 00000000:8372 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1974 2 e60298c0 0
972: 00000000:B7CC 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3260 2 e69e26c0 0
981: 00000000:EBD5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 39752 2 e69e3b00 0
990: 00000000:BBDE 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4357 2 e69e3d40 0
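The TCP and UDP listings are the kernel's /proc/net/tcp and /proc/net/udp tables: addresses and ports are hexadecimal, st is a TCP state code (0A is LISTEN; for UDP, 07 is a bound but unconnected socket and 01 a connected one), and a local address of 00000000 means the socket is bound to every address. Decoding them gives an inventory of what the switch actually has bound, which is the attack surface as the kernel sees it, before any per-interface allowaccess filtering. The following Python is an added example that serves both the diagnose ip tcp and diagnose ip udp sections; it is not code from the reference or from Fortinet. exposed_services and the small KNOWN_PORTS table are constructs of this example, and the sample lines are copied from the outputs above.

```python
import re
import socket

# TCP state codes from linux/tcp_states.h. UDP sockets reuse the same numbers:
# CLOSE (7) means "bound, unconnected" and ESTABLISHED (1) "connected".
SOCK_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
               5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
               9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}
# A few well-known ports for labelling (IANA assignments plus the Quagga/FRR
# daemon vty ports); extend as needed.
KNOWN_PORTS = {("udp", 53): "domain", ("udp", 67): "bootps", ("udp", 68): "bootpc",
               ("udp", 520): "rip", ("udp", 1812): "radius",
               ("udp", 3784): "bfd-control", ("udp", 3785): "bfd-echo",
               ("udp", 4784): "bfd-multihop",
               ("tcp", 2601): "zebra-vty", ("tcp", 2602): "ripd-vty"}

SOCKET_RE = re.compile(
    r"^\s*\d+:\s+(?P<laddr>[0-9A-Fa-f]{8}):(?P<lport>[0-9A-Fa-f]{4})\s+"
    r"(?P<raddr>[0-9A-Fa-f]{8}):(?P<rport>[0-9A-Fa-f]{4})\s+(?P<st>[0-9A-Fa-f]{2})\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<uid>\d+)\s+\d+\s+(?P<inode>\d+)")

# Lines copied from the two outputs above (the UDP sample is a subset).
TCP_SAMPLE = """\
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:03E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3099 1 e647d300 100 0 0 10 -1
1: 00000000:0A29 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1587 1 e647c000 100 0 0 10 -1
2: 00000000:0A2A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3338 1 e647dc80 100 0 0 10 -1
3: 00000000:03EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3103 1 e647d7c0 100 0 0 10 -1
"""
UDP_SAMPLE = """\
53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1972 2 e6029440 0
67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 964 2 e5fd2d80 0
520: 00000000:0208 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2196 2 e5fd3680 0
712: 00000000:0EC8 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3320 2 e69e2d80 0
788: 0100007F:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3224 2 e69e2240 0
805: 0100007F:A725 0100007F:0714 01 00000000:00000000 00:00000000 00000000 0 0 3292 2 e69e2900 0
"""


def hex_to_ip(h, little_endian=True):
    """The address is the raw 32-bit value printed with %08X, so on a
    little-endian host the octets come out reversed. The loopback entries
    above read 0100007F, which shows this unit is little-endian."""
    raw = bytes.fromhex(h)
    return socket.inet_ntoa(raw[::-1] if little_endian else raw)


def parse_sockets(text, proto, little_endian=True):
    """Decode every socket line; header, prompt and '...' lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        socks.append({
            "proto": proto,
            "laddr": hex_to_ip(m["laddr"], little_endian),
            "lport": int(m["lport"], 16),
            "raddr": hex_to_ip(m["raddr"], little_endian),
            "rport": int(m["rport"], 16),
            "state": SOCK_STATES.get(int(m["st"], 16), m["st"]),
            "uid": int(m["uid"]),
            "inode": int(m["inode"]),
        })
    return socks


def exposed_services(socks):
    """Sockets reachable from the network: TCP listeners and unconnected UDP
    sockets that are not bound to loopback, as sorted (proto, addr, port, name)."""
    found = set()
    for s in socks:
        accepting = ((s["proto"] == "tcp" and s["state"] == "LISTEN") or
                     (s["proto"] == "udp" and s["state"] == "CLOSE"))
        if accepting and not s["laddr"].startswith("127."):
            found.add((s["proto"], s["laddr"], s["lport"],
                       KNOWN_PORTS.get((s["proto"], s["lport"]), "?")))
    return sorted(found)


if __name__ == "__main__":
    socks = parse_sockets(TCP_SAMPLE, "tcp") + parse_sockets(UDP_SAMPLE, "udp")
    for svc in exposed_services(socks):
        print(*svc)
```

If loopback shows up as 7F000001 on another model, the host is big-endian and the parser should be called with little_endian=False. The unnamed listeners in the output (TCP 1000 and 1003 here) are exactly the entries to chase down: match the inode against the process list on the unit, or probe them from an adjacent host, and compare against the interface's allowaccess setting.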

diagnose ipv6 address

Use these commands to manage IPv6 addresses:


diagnose ipv6 address add <interface_name> <IPv6_address>
diagnose ipv6 address anycast <arguments>
diagnose ipv6 address delete <interface_name> <IPv6_address>
diagnose ipv6 address flush
diagnose ipv6 address list
diagnose ipv6 address multicast <interface_name> <IPv6_address>

Variable Description

add <interface_name> <IPv6_address> Add an IPv6 address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

anycast <arguments> Add an IPv6 anycast address.

delete <interface_name> <IPv6_address> Delete an IPv6 address from the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

flush Delete all IPv6 addresses.

list List all IPv6 addresses and which interfaces they are assigned to.

multicast <interface_name> <IPv6_address> Add an IPv6 multicast address to the specified interface. Use the following format for the IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

Example output

S524DF4K15000024 # diagnose ipv6 address list

dev=1 devname=lo flag=P scope=254 prefix=128 addr=::1 prefered=-1 valid=-1
dev=2 devname=mgmt flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e4 prefered=-1 valid=-1
dev=70 devname=internal flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=71 devname=vlan35 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=72 devname=vlan85 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1
dev=74 devname=vlan-8 flag=P scope=253 prefix=64 addr=fe80::a5b:eff:fef1:95e5 prefered=-1 valid=-1

diagnose ipv6 devconf

Use these commands to configure IPv6 device settings:

diagnose ipv6 devconf accept-dad {0 | 1 | 2}
diagnose ipv6 devconf disable_ipv6 {0 | 1}

Variable Description

accept-dad {0 | 1 | 2} Configure duplicate address detection (DAD) for IPv6:
- 0 — disable duplicate address detection.
- 1 — enable duplicate address detection.
- 2 — enable duplicate address detection and disable IPv6 operation if duplicate MAC-based link-local addresses are found.

disable_ipv6 {0 | 1} Configure IPv6 operation:
- 0 — enable IPv6 operation.
- 1 — disable IPv6 operation.

diagnose ipv6 ipv6-tunnel

Use these commands to manage IPv6 tunnels:

diagnose ipv6 ipv6-tunnel add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address>
diagnose ipv6 ipv6-tunnel delete <tunnel_name>
diagnose ipv6 ipv6-tunnel list

Variable Description

add <tunnel_name> <interface_name> <source_IPv6_address> <destination_IPv6_address> Create a tunnel between two IPv6 addresses on the specified interface. Use the following format for the IPv6 addresses: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

delete <tunnel_name> Delete the specified IPv6 tunnel.

list List all IPv6 tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 ipv6-tunnel list

sys_list_tunnel6:233 not implemented

diagnose ipv6 neighbor-cache

Use these commands to manage the IPv6 neighbor cache (the IPv6 counterpart of the ARP table):
diagnose ipv6 neighbor-cache add <interface_name> <IPv6_address> <MAC_address>
diagnose ipv6 neighbor-cache delete <interface_name> <IPv6_address>
diagnose ipv6 neighbor-cache flush <interface_name>
diagnose ipv6 neighbor-cache list

Variable Description

add <interface_name> <IPv6_address> <MAC_address> Add a neighbor-cache entry for the IPv6 address on the specified interface.

delete <interface_name> <IPv6_address> Delete the neighbor-cache entry for the IPv6 address on the specified interface.

flush <interface_name> Delete all neighbor-cache entries for the specified interface.

list Display the neighbor cache.

Example output

S524DF4K15000024 # diagnose ipv6 neighbor-cache list

ifindex=1 ifname=lo :: 00:00:00:00:00:00 state=00000040 use=1096280 confirm=1102281 update=1096280 ref=6

diagnose ipv6 route

Use these commands to manage the IPv6 routing table:


diagnose ipv6 route flush
diagnose ipv6 route list

Variable Description

flush Delete the routing table.

list Display the routing table.

Example output

S524DF4K15000024 # diagnose ipv6 route list

type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0


type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=70(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=74(vlan-8) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=71(vlan35) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=72(vlan85) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=70(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=74(vlan-8) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=71(vlan35) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=72(vlan85) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=73(int1) prio=ffffffff

diagnose ipv6 sit-tunnel

Use these commands to manage SIT tunnels (IPv6 carried over IPv4):
diagnose ipv6 sit-tunnel add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>
diagnose ipv6 sit-tunnel delete <tunnel_name>
diagnose ipv6 sit-tunnel list

Variable Description

add <tunnel_name> <interface_name> <source_IPv4_address> <destination_IPv4_address>
                        Create a tunnel between two IPv4 addresses on the specified interface. Use the
                        following format for the IPv4 addresses: XXX.XXX.XXX.XXX

delete <tunnel_name>    Delete the specified tunnel.

list                    List all tunnels.

Example output

S524DF4K15000024 # diagnose ipv6 sit-tunnel list

sys_list_tunnel6:263 not implemented

diagnose log alertconsole

Use the following commands to manage alert console messages:


diagnose log alertconsole clear
diagnose log alertconsole fgd-retrieve
diagnose log alertconsole list
diagnose log alertconsole test

Variable Description

clear Clear alert console messages.

fgd-retrieve Retrieve FortiGuard alert console messages.

list List current alert console messages.

test Generate alert console messages.

Example output

S524DF4K15000024 # diagnose log alertconsole list

There are 50 alert console messages:


2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-29 15:14:11 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-26 08:46:09 Firmware upgraded by admin
2017-09-21 16:16:59 Firmware upgraded by admin
2017-09-19 15:21:16 Administrator [3~[3~[3~ login failed
2017-09-12 16:29:22 Administrator get test dnsproxy ? login failed
2017-09-11 15:49:17 Administrator get router prefix-list login failed
2017-09-06 08:37:44 Firmware upgraded by FortiCloud
2017-09-05 16:49:54 Administrator R 1 login failed
2017-09-01 07:30:03 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:30:00 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-01 07:29:57 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-31 16:56:35 Administrator O 1 login failed
2017-08-31 16:53:34 Administrator R u 1 login failed
2017-08-31 16:20:29 Administrator cinfcon login failed
2017-08-29 08:37:56 Firmware upgraded by FortiCloud
2017-08-25 13:26:49 Administrator sdmin login failed
2017-08-24 11:00:46 Administrator conconfig login failed
2017-08-24 08:29:01 Firmware upgraded by FortiCloud
2017-08-21 09:16:13 Firmware upgraded by unknown
2017-08-21 08:58:20 System shutdown (factory default)
2017-08-16 08:31:31 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:28 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-16 08:31:25 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:29 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-08-15 07:33:26 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
1969-12-31 17:00:07 System restart
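The listing above mixes routine events with runs of failed administrator logins, several of them with CLI text or a terminal escape sequence where the account name should be, plus entries stamped 1969 that were written before the switch clock was set. The following Python is an added example, not part of the FortiSwitchOS documentation: it parses lines in this alert console format (the sample is constructed from a subset of the output above), reports any user with three or more failures within ten seconds, lists user fields that do not look like account names, and skips events whose timestamp is meaningless because the clock was unset.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the alert console format: a subset of the listing above.
SAMPLE = """\
2017-10-10 13:26:07 Administrator acmin login failed
2017-10-09 15:41:32 Firmware upgraded by admin
2017-09-28 07:45:38 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:35 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-28 07:45:32 Administrator ERROR: Class:0; Subclass:10000; Ope login failed
2017-09-19 15:21:16 Administrator [3~[3~[3~ login failed
2017-08-31 16:56:35 Administrator O 1 login failed
2017-08-31 16:53:34 Administrator R u 1 login failed
2017-08-21 08:58:20 System shutdown (factory default)
1969-12-31 17:00:07 System restart
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")
# The user field is whatever was typed at the login prompt, so it may contain spaces.
FAILED_RE = re.compile(r"^Administrator (.+) login failed$")
PLAIN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_alerts(text):
    """Parse alert console lines into events; a 1969/1970 stamp means the clock was not set yet."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "There are N alert console messages:" header
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        failed = FAILED_RE.match(msg)
        events.append({
            "ts": ts,
            "msg": msg,
            "failed_user": failed.group(1) if failed else None,
            "clock_unset": ts.year < 2000,
        })
    return events


def failed_login_bursts(events, threshold=3, window_s=10):
    """Return (user, first_ts, count) for each user with >= threshold failures inside window_s seconds.

    Events with an unset clock are skipped because their ordering is meaningless."""
    by_user = defaultdict(list)
    for e in events:
        if e["failed_user"] is not None and not e["clock_unset"]:
            by_user[e["failed_user"]].append(e["ts"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, times[start], end - start + 1))
                break  # one report per user is enough
    return bursts


def odd_usernames(events):
    """Failed-login user fields that do not look like account names (CLI text, escape sequences)."""
    return sorted({e["failed_user"] for e in events
                   if e["failed_user"] and not PLAIN_NAME_RE.match(e["failed_user"])})


if __name__ == "__main__":
    ev = parse_alerts(SAMPLE)
    for user, first, count in failed_login_bursts(ev):
        print(f"{count} failed logins for {user!r} starting {first}")
    print("non-account-like user fields:", odd_usernames(ev))
```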

diagnose loop-guard status

Use this command to display which ports have loop guard enabled:
diagnose loop-guard status

To enable loop guard on a port, see config switch interface on page 94.

Example output

S524DF4K15000024 # diagnose loop-guard status

Portname State Status Timeout(m) MAC-Move Count Last-Event
_________________ _______ _________ __________ ________ _____ __________________

port1 disabled - - - - -
port2 disabled - - - - -
port3 disabled - - - - -
port4 disabled - - - - -
port5 disabled - - - - -
port6 disabled - - - - -
port7 disabled - - - - -
port10 disabled - - - - -
port11 disabled - - - - -
port12 enabled - 45 0 0 -
port13 disabled - - - - -
port14 disabled - - - - -
port15 disabled - - - - -
port16 disabled - - - - -
port17 disabled - - - - -
port18 disabled - - - - -
port19 disabled - - - - -
port20 disabled - - - - -
port21 enabled - 45 50 0 -
port22 disabled - - - - -
port24 disabled - - - - -
port25 disabled - - - - -
port26 disabled - - - - -
port27 disabled - - - - -
port28 disabled - - - - -
port29 disabled - - - - -
port30.1 disabled - - - - -
port30.2 disabled - - - - -
port30.3 disabled - - - - -
port30.4 disabled - - - - -
G100D3G15817028 disabled - - - - -

diagnose option82-mapping relay

Use this command to display the option-82 setting for DHCP relay for each valid system interface:

diagnose option82-mapping relay <valid_system_interface>

Example output

S524DF4K15000024 # diagnose option82-mapping relay internal

Interface Name Remote-ID(hex) Circuit-ID(hex)
internal 085B0EF195E5 00000000

diagnose option82-mapping snooping

Use this command to display the option-82 settings for DHCP snooping for a specific VLAN and FortiSwitch interface:
diagnose option82-mapping snooping <VLAN_ID> <valid_switch_interface>

Example output

S524DF4K15000024 # diagnose option82-mapping snooping 100 port2

Interface Name Remote-ID(hex) Circuit-ID(hex)
port2 085B0EF195E5 00640102

diagnose settings

Use these commands to manage diagnostic settings:


diagnose settings info
diagnose settings reset

Variable Description

info List all diagnostic settings.

reset Reset all diagnostic settings to their default settings.

Example output

S524DF4K15000024 # diagnose settings info

debug output: disable
console timestamp: disable
console no user log message: disable
fsmgr debug level: 16 (0x10)
CLI debug level: 3

diagnose sniffer packet

Use this command to examine packets received on a specific interface:
diagnose sniffer packet <interface_name | any> <logical_filter | none> <verbose | 1-6> <sniffer_count> <timestamp_format>

Variable Description

<interface_name | any>   Enter the name of a network interface, or enter any to examine packets
                         received on all interfaces.

<logical_filter | none>  Enter a logical filter or none. Use the following format for the filter:
                         '[[src|dst] host <IP_address>] [[src|dst] host <IP_address>]
                         [[arp|ip|gre|esp|udp|tcp] [port_number]] [[arp|ip|gre|esp|udp|tcp] [port_number]]'
                         For example, to examine UDP packets received at port 1812 from host forti1
                         and host forti2 or forti3:
                         'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
                         To examine TCP packets between two PCs through port 80:
                         diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 1
                         To examine packets with the RST flag set:
                         diagnose sniffer packet internal "tcp[13] & 4 != 0"
                         To examine packets with the destination MAC address 00:09:0f:89:10:ea:
                         diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

<verbose | 1-6>          Set the level of detail for the results:
                         - verbose: Display all details.
                         - 1: Include the packet header.
                         - 2: Include the packet header and IP address data.
                         - 3: Include the packet header and Ethernet address data (if available).
                         - 4: Include the packet header and interface name.
                         - 5: Include the packet header, interface name, and IP address data.
                         - 6: Include the packet header, interface name, and Ethernet address data
                           (if available).

<sniffer_count>          Enter the number of packets to examine.

<timestamp_format>       Enter a to display absolute UTC time (yyyy-mm-dd hh:mm:ss.ms); otherwise each
                         packet is stamped with the seconds elapsed since the start of the packet
                         examination (ss.ms).

Example output

S524DF4K15000024 # diagnose sniffer packet any

interfaces=[any]
filters=[none]
0.977537 arp who-has 192.168.0.10 tell 192.168.1.99
0.977755 127.0.0.1 -> 0.0.0.0: icmp: type-#20
1.057565 224.0.0.18 -> 33.5.255.1: ip-proto-10 (frag 65392:4294967276@1336+)
1.057578 802.1Q vlan#8 P0 -- 224.0.0.18 -> 33.5.255.1: ip-proto-10 (frag 65392:4294967276@1336+)
1.113131 arp who-has 10.105.16.1 tell 10.105.19.8
1.977047 arp who-has 192.168.0.10 tell 192.168.1.99
1.990059 127.0.0.1 -> 0.0.0.0: icmp: type-#20
...

S524DF4K15000024 # diagnose sniffer packet internal none verbose

interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
0.840645 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
1.113149 arp who-has 192.168.0.10 tell 192.168.1.99
1.850162 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
2.109899 arp who-has 192.168.0.10 tell 192.168.1.99
2.859653 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
3.109412 arp who-has 192.168.0.10 tell 192.168.1.99
3.869169 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
4.128948 arp who-has 192.168.0.10 tell 192.168.1.99
...

S524DF4K15000024 # diagnose sniffer packet internal none 3 10 a

interfaces=[internal]
filters=[none]
pcap_lookupnet: internal: no IPv4 address assigned
2017-10-11 16:09:42.393816 arp who-has 192.168.0.10 tell 192.168.1.99
0x0000 ffff ffff ffff 085b 0ef1 95e5 0806 0001 .......[........
0x0010 0800 0604 0001 085b 0ef1 95e5 c0a8 0163 .......[.......c
0x0020 0000 0000 0000 c0a8 000a ..........

2017-10-11 16:09:42.483785 802.1Q vlan#8 P0 -- 10.10.10.1 -> 224.0.0.18: ip-proto-112 20
0x0000 0100 5e00 0012 0000 5e00 0105 8100 0008 ..^.....^.......
0x0010 0800 45c0 0028 8fec 0000 ff70 369c 0a0a ..E..(.....p6...
0x0020 0a01 e000 0012 2105 ff01 0001 d392 0b01 ......!.........
0x0030 0164 0000 0000 0000 0000 .d........
...
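Reading the level-3 hex dump by hand takes some byte counting. The following Python is an added example, not part of the FortiSwitchOS documentation: it parses the two dumps captured above (the ARP request and the 802.1Q-tagged frame, copied inline), decodes the Ethernet, VLAN tag, ARP and IPv4 headers, and rebuilds the one-line summaries the sniffer printed, so you can see where "vlan#8", "ip-proto-112" and "who-has ... tell ..." come from. It also implements the byte-offset tests behind the filter examples in the table, "tcp[13] & 4" and "ether[0:4]", against a constructed TCP frame; the MAC addresses in that constructed frame are taken from other outputs on this page.

```python
import struct

# Hex dump lines copied from the two frames captured above. The printable-ASCII
# gutter after each line is ignored by the parser.
ARP_DUMP = """
0x0000 ffff ffff ffff 085b 0ef1 95e5 0806 0001 .......[........
0x0010 0800 0604 0001 085b 0ef1 95e5 c0a8 0163 .......[.......c
0x0020 0000 0000 0000 c0a8 000a ..........
"""
VRRP_DUMP = """
0x0000 0100 5e00 0012 0000 5e00 0105 8100 0008 ..^.....^.......
0x0010 0800 45c0 0028 8fec 0000 ff70 369c 0a0a ..E..(.....p6...
0x0020 0a01 e000 0012 2105 ff01 0001 d392 0b01 ......!.........
0x0030 0164 0000 0000 0000 0000 .d........
"""

HEX = set("0123456789abcdefABCDEF")


def parse_dump(text):
    """Convert 'offset word word ...' lines into raw bytes; stops at the ASCII gutter."""
    raw = bytearray()
    for line in text.strip().splitlines():
        for word in line.split()[1:9]:  # at most eight 16-bit words per line
            if len(word) != 4 or not set(word) <= HEX:
                break  # reached the printable-ASCII gutter
            raw += bytes.fromhex(word)
    return bytes(raw)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def decode_frame(raw):
    """Decode Ethernet, optional 802.1Q tag, and ARP/IPv4 headers, and rebuild the
    one-line summary the sniffer prints above each dump."""
    info = {"dst_mac": mac_str(raw[0:6]), "src_mac": mac_str(raw[6:12])}
    off = 12
    ethertype = struct.unpack_from("!H", raw, off)[0]
    prefix = ""
    if ethertype == 0x8100:  # 802.1Q: TPID, then TCI = PCP(3 bits) DEI(1) VID(12)
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        info["vlan"], info["pcp"] = tci & 0x0FFF, tci >> 13
        prefix = f"802.1Q vlan#{info['vlan']} P{info['pcp']} -- "
        off += 4
        ethertype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    info["ethertype"] = ethertype
    if ethertype == 0x0806:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        oper = struct.unpack_from("!H", raw, off + 6)[0]
        sender = ip_str(raw[off + 14:off + 18])
        target = ip_str(raw[off + 24:off + 28])
        op = "who-has" if oper == 1 else f"op{oper}"
        info["summary"] = f"{prefix}arp {op} {target} tell {sender}"
    elif ethertype == 0x0800:
        ihl = (raw[off] & 0x0F) * 4
        total_len = struct.unpack_from("!H", raw, off + 2)[0]
        proto = raw[off + 9]
        src, dst = ip_str(raw[off + 12:off + 16]), ip_str(raw[off + 16:off + 20])
        info.update(ip_proto=proto, l4_offset=off + ihl)
        # The trailing number in the summary is the payload length (total length minus IP header).
        info["summary"] = f"{prefix}{src} -> {dst}: ip-proto-{proto} {total_len - ihl}"
    else:
        info["summary"] = f"{prefix}ethertype 0x{ethertype:04x}"
    return info


def ether(raw, offset, length):
    """Equivalent of ether[offset:length] in the filter syntax: big-endian unsigned integer."""
    return int.from_bytes(raw[offset:offset + length], "big")


def tcp_flag_test(raw, mask):
    """Equivalent of the filter "tcp[13] & mask != 0": byte 13 of the TCP header is the flags byte (RST = 0x04)."""
    info = decode_frame(raw)
    if info.get("ip_proto") != 6:
        return False
    return (raw[info["l4_offset"] + 13] & mask) != 0


def build_tcp_frame(flags, vlan=None):
    """Constructed test frame (not from the capture): Ethernet [+ 802.1Q] + IPv4 + 20-byte TCP header."""
    frame = bytes.fromhex("085b0ef195e5") + bytes.fromhex("d6dd25be2c43")  # dst, src MACs
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, vlan)
    frame += struct.pack("!H", 0x0800)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([192, 168, 0, 130]), bytes([192, 168, 0, 1]))
    frame += struct.pack("!HHIIBBHHH", 51234, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return frame


if __name__ == "__main__":
    for dump in (ARP_DUMP, VRRP_DUMP):
        print(decode_frame(parse_dump(dump))["summary"])
    print("RST set:", tcp_flag_test(build_tcp_frame(0x04), 0x04))
```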


diagnose snmp

Use these commands to display SNMP information:


diagnose snmp ip frags
diagnose snmp trap send

Variable Description

ip frags Display fragmentation and reassembly information.

trap send Generate a trap event and send it to the SNMP daemon.

Example output

S524DF4K15000024 # diagnose snmp ip frags

ReasmTimeout = 0
ReasmReqds = 0
ReasmOKs = 0
ReasmFails = 0
FragOKs = 0
FragFails = 0
FragCreates = 0

diagnose stp instance list

Use this command to display information about Multiple Spanning Tree Protocol (MSTP) instances:
diagnose stp instance list <STP_ID> <port_number>

To create an STP instance, see config switch stp instance on page 134.

Variable Description

<STP_ID> Enter the STP identifier. If you enter a higher number than the valid
range, the results for all STP instances are displayed. If no STP
identifier is specified, results for all STP instances are displayed.

<port_number> Enter the port number. If no port number is specified, results for all
physical ports are displayed.

Example output

S524DF4K15000024 # diagnose stp instance list 0

MST Instance Information, primary-Channel:

Instance ID 0 (CST)
Config Priority 32768
Bridge MAC 085b0ef195e4, MD5 Digest 40d5eca178c657835c83bbcb16723192

Root MAC 085b0ef195e4, Priority 32768, Path Cost 0, Remaining Hops 20
(This bridge is the root)

Regional Root MAC 085b0ef195e4, Priority 32768, Path Cost 0
(This bridge is the regional root)

Active Times Forward Time 15, Max Age 20, Remaining Hops 20

TCN Events Triggered 1 (1d 0h 19m 56s ago), Received 0 (1d 0h 19m 56s ago)

Port             Speed  Cost       Priority  Role        State       HelloTime  Flags
________________ ______ __________ _________ ___________ ___________ __________ ______________

port1            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port3            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port4            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port5            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port6            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port7            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port8            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port9            -      200000000  128       DISABLED    DISCARDING  2          EN ED
port10           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port11           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port12           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port13           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port14           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port17           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port18           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port19           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port20           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port21           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port22           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port23           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port24           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port25           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port26           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port27           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port28           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port29           -      200000000  128       DISABLED    DISCARDING  2          EN ED
port30           -      200000000  128       DISABLED    DISCARDING  2          EN ED
internal         1G     20000      128       DESIGNATED  FORWARDING  2          ED
Mclag-icl-trunk  -      200000000  128       DISABLED    DISCARDING  2          ED
first-mclag      -      200000000  128       DISABLED    DISCARDING  2          EN ED

Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)

diagnose stp mst-config list

Use this command to display the MSTP configuration:
diagnose stp mst-config list

To configure an MSTP instance, see config switch stp settings on page 135.

Example output

S524DF4K15000024 # diagnose stp mst-config list

MST Configuration Identification Information

Unit: primary
MST Configuration Name: region1
MST Configuration Revision: 1
MST Configuration Digest: ac36177f50283cd4b83821d8ab26de62

Instance ID Mapped VLANs Priority
____________________________________________________
0 32768
1 8192

diagnose stp rapid-pvst-port

Use these commands to diagnose the interoperation with per-VLAN RSTP (Rapid PVST+ or RPVST+):
diagnose stp rapid-pvst-port clear [<port_name>]
diagnose stp rapid-pvst-port list [<port_name>]

Variable Description

clear [<port_name>] Clear all flags and timers on the RPVST+ port.

list [<port_name>] Show the status of one port or all ports. If any of the ports is in the “IC”
state, the command output gives the reason: VLAN priority
inconsistent, VLAN configuration mismatch, or both.

diagnose stp vlan list

Use this command to display the MSTP information for a specific VLAN:
diagnose stp vlan list <VLAN_ID>

Variable Description

<VLAN_ID> Enter the VLAN identifier. The value range is 1-4095.

Example output

S524DF4K15000024 # diagnose stp vlan list 10

MST Instance Information, primary-Channel:

Instance ID : 0
Switch Priority : 32768
Root MAC Address : 085b0ef195e4
Root Priority: 32768
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 32768
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port             Speed  Cost       Priority  Role        State       Edge  STP-Status  Loop Protection
________________ ______ __________ _________ ___________ ___________ _____ ___________ _______________

port1            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port2            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port3            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port4            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port5            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port6            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port9            -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port10           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port11           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port12           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port13           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port14           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port15           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port16           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port17           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port18           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port19           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port20           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port21           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port22           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port23           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port24           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port25           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port26           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port27           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port28           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port29           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
port30           -      200000000  128       DISABLED    DISCARDING  YES   ENABLED     NO
internal         1G     20000      128       DESIGNATED  FORWARDING  YES   DISABLED    NO

diagnose switch 802-1x status

Use this command to display the status of a port using IEEE 802.1x authentication:
diagnose switch 802-1x status [<port_name>]

Variable Description

[<port_name>] Enter the port name. If the port is not specified, the status of all 802.1x-
authenticated ports is returned. In the output, the value in the “Traffic-
Vlan” column is the VLAN where the client was successfully
authenticated.

To enable IEEE 802.1x authentication on a port, see config switch interface on page 94.

Example output

S548DF4K15000195 # diagnose switch 802-1x status

port3 : Mode: mac-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
EAP pass-through : Enable
EAP auto-untagged-vlans : Disable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 10
Allowed Vlan list: 10,15
Untagged Vlan list: 10
Guest VLAN :
Auth-Fail Vlan :

Switch sessions 2/240, Local port sessions:2/20

Client MAC Type Traffic-Vlan Dynamic-Vlan
94:10:3e:b9:12:65 802.1x 10 0
cc:5a:53:5f:d5:16 802.1x 10 15

Sessions info:
94:10:3e:b9:12:65 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=8 params:reAuth=3600
cc:5a:53:5f:d5:16 Type=802.1x,TLS,state=AUTHENTICATED,etime=0,eap_cnt=7 params:reAuth=3600

diagnose switch acl counter

Use these commands to display information about access control lists (ACLs):
diagnose switch acl counter all
diagnose switch acl counter app <name>
diagnose switch acl counter id <policy_ID>
diagnose switch acl counter list-apps

Variable Description

all List all applications using ACL counters.

app <name> List ACL counters for this application.

id <policy_ID> List the ACL counter for this ACL policy identifier.

list-apps List application names that use ACL counters.

Example output

S524DF4K15000024 # diagnose switch acl counter list-apps

Application Policy ID Range
_______________________________________________
loop-gaurd (2049-2049)
l3-arp-req (2050-2050)
l3-arp-reply (2051-2051)
dst-mac (2052-2052)
bfd-single-hop (2053-2053)
bfd-multi-hop (2054-2054)
ospf (2055-2055)
rip (2056-2056)
mclag (2057-2057)
mclag-l3-arp-req (2058-2058)
mclag-l3-arp-reply (2059-2059)
mclag-bfd-single-hop (2060-2060)
mclag-bfd-multi-hop (2061-2061)
mclag-ospf (2062-2062)
mclag-rip (2063-2063)
fortilink (2064-2064)
fortilink-1 (2065-2065)
mclag-fortilink (2066-2066)
mclag-icl (2067-2067)
mac-sa-mcast (2068-2068)
forti-trunk (2069-2069)
vwire (2304-2367)
vwire-acl (2368-133503)
dhcp-snooping (133504-141695)
arp-snooping (141696-145792)
access-vlan (145793-149889)
network-monitor (149890-149930)

diagnose switch acl hw-entry-index

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
Use this command to find the hardware mapping for the specified ACL policy identifier:
diagnose switch acl hw-entry-index <id>

Variable Description

<id> Enter the ACL policy identifier.

Example output

S124EP4N17000016 # diagnose switch acl hw-entry-index 1

ID HW-INDEX AGG CNTR-IDX
_________________________________________
000001 896 n 7

diagnose switch acl schedule

Use this command to list ACL policies with a schedule:


diagnose switch acl schedule egress
diagnose switch acl schedule ingress
diagnose switch acl schedule prelookup

Variable Description

egress List all ACL egress policies with a schedule.

ingress List all ACL ingress policies with a schedule.

prelookup List all ACL prelookup policies with a schedule.

Example output

S524DF4K15000024 # diagnose switch acl schedule ingress


ACL Ingress Name
1 In Schedule

diagnose switch arp-inspection stats clear

Use this command to delete dynamic ARP inspection statistics:
diagnose switch arp-inspection stats clear <VLAN_ID>

Variable Description

<VLAN_ID> Enter a single VLAN identifier or a range of VLAN identifiers separated by commas. For example: 1,3-4,6,7,9-100

To enable dynamic ARP inspection on a VLAN, see config switch vlan on page 140.

diagnose switch cpuq

NOTES:
- Be careful about changing the CPU queue rate because the change is made directly to the hardware.
- After the switch is rebooted, the CPU queue rate returns to the default value.
- For the FS-108E and FS-124E families, the configured CPU queue rate has a 16-kbps granularity. Use the diagnose switch cpuq show command to see the actual queue rate.
- For the FS-108E and FS-124E families, the CPU queue rate is more accurate with larger packets.

Use this command to display the CPU queue rate on the FSR-112D-POE, FS-1xxE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:
diagnose switch cpuq show

Use this command to change the CPU queue rate on the FSR-112D-POE, FS-2xx, FS-4xx, FS-5xx, FS-1xxx, and FS-3xxx families:
diagnose switch cpuq rate <queue_number> <new_pps_rate>

Use this command to change the CPU queue rate on the FS-108E and FS-124E families:
diagnose switch cpuq rate <queue_number> <new_Kbps_rate>

Variable Description

show                                  Display the CPU queue rate for all queues.

rate <queue_number> <new_pps_rate>    Change the CPU queue rate for the specified queue to the new
                                      packets-per-second (PPS) rate.

rate <queue_number> <new_Kbps_rate>   Change the CPU queue rate for the specified queue to the new Kbps
                                      rate.

Example output (FS-548)

NOTE: The number of queues, queue classifications, and default CPU queue rates can differ among the FortiSwitch
platforms.
S548DF5018000776 # diagnose switch cpuq show
Queue | Rate(pps)
----------------------
17 2000 (MIRROR/SFLOW)
18 500 (L3_DEST_MISS)
19 5000 (ARP_REQ)
20 10000 (DEFAULT)
21 1000 (NHOP)
22 8000 (DHCP/OSPF/BFD/RIP/IGMP/FORTLINK_VLAN)
23 6000 (ARP_REPLY)
24 5000 (FORTILINK/MCLAG)
25 1500 (BPDU/LOOPGUARD)

diagnose switch egress list

Use this command to display the port egress map:


diagnose switch egress list <port_name>

Variable Description

<port_name> Enter the port name.

Example output

S524DF4K15000024 # diagnose switch egress list port1

Switch Interface Egress Map, primary-Channel

Port Map: Name(Id):

port1(1) port2(2) port3(3)
port4(4) port5(5) port6(6)
port7(7) port8(8) port9(9)
port10(10) port11(11) port12(12)
port13(13) port14(14) port15(15)
port16(16) port17(17) port18(18)
port19(19) port20(20) port21(21)
port22(22) port23(23) port24(24)
port25(25) port26(26) port27(27)
port28(28) port29(29) port30(30)
internal(31)
cpu0(31)

Source Interface Destination Ports
________________ ___________________________________
port1 1-6,9-31

diagnose switch ip-mac-binding entry

Use this command to display the counters for an IP-MAC binding entry:
diagnose switch ip-mac-binding entry <entry_ID>

Variable Description

<entry_ID> Enter an IP-MAC binding entry identifier.

To enable IP-MAC binding, see config switch global on page 88.

Example output

S524DF4K15000024 # diagnose switch ip-mac-binding entry 1

Binding Entry: 1
Binding IP: 1.20.168.172 255.255.255.255
Binding MAC: 00:21:CC:D2:76:72
Status: Enabled
Statistic:
Permit packets: 0x00
Drop packets: 0x00
-----------------------------------------------------

diagnose switch ip-source-guard hardware entry filter

Use these commands to select which IP source-guard entries to display:
diagnose switch ip-source-guard hardware entry filter clear
diagnose switch ip-source-guard hardware entry filter interface <interface_name>
diagnose switch ip-source-guard hardware entry filter ip <IPv4_address>
diagnose switch ip-source-guard hardware entry filter mac <MAC_address>
diagnose switch ip-source-guard hardware entry filter print

Variable Description

clear                         Remove the current filter.

interface <interface_name>    Display entries for the specified port.

ip <IPv4_address>             Display entries for the specified IPv4 address.

mac <MAC_address> <mask>      Display entries for the specified MAC address and mask.

print                         Display the current filter.

diagnose switch ip-source-guard hardware entry list

Use this command to display all IP source-guard entries. Static entries were manually added by the config switch
ip-source-guard command. Dynamic entries were added by DHCP snooping.
diagnose switch ip-source-guard hardware entry list

diagnose switch mac-address

Use these commands to manage the MAC address table:


diagnose switch mac-address delete {all | entry <xx:xx:xx:xx:xx:xx>}
diagnose switch mac-address filter clear
diagnose switch mac-address filter flags <flag bit pattern>
diagnose switch mac-address filter port-id-map <port-ID list>
diagnose switch mac-address filter show
diagnose switch mac-address filter trunk-id-map <trunk-ID list>
diagnose switch mac-address filter vlan-map <VLAN_list>
diagnose switch mac-address list
diagnose switch mac-address switch-port-macs-db

Variable Description

delete {all | entry <xx:xx:xx:xx:xx:xx>}   Delete all MAC address entries or a specific MAC address entry.

filter clear                               Delete the filter for the MAC address table list.

filter flags <flag bit pattern>            Specify the flag bit pattern to match. Use this pattern to mask
                                           important bits. This value is hexadecimal.

filter port-id-map <port-ID list>          List the port identifiers to display MAC addresses for. Separate the
                                           port identifiers with commas. For example: 1,3,5-17,19

filter show                                Display the filter for the MAC address table list.

filter trunk-id-map <trunk-ID list>        List the trunk identifiers to display MAC addresses for. Separate the
                                           trunk identifiers with commas. For example: 1,2-4,77

filter vlan-map <VLAN_list>                List the VLAN identifiers to display MAC addresses for. Separate the
                                           VLAN identifiers with commas. For example: 1,2-4,77

list                                       List the MAC address entries and the total number of entries.

switch-port-macs-db                        List which MAC addresses are assigned to local ports.

Example output

S524DF4K15000024 # diagnose switch mac-address filter show

flag bit pattern: 0x00000000
flag bit Mask: 0x00000000
vlan map: 0-4095
port-id map: 1,64
trunk-id map: 0-127

S524DF4K15000024 # diagnose switch mac-address list

MAC: 08:5b:0e:f1:95:e5 VLAN: 4094 Port: internal(port-id 31)
Flags: 0x00010460 [ static hit src-hit native ]

MAC: d6:dd:25:be:2c:43 VLAN: 1 Port: port1(port-id 1)
Flags: 0x00000020 [ static ]

Total Displayed: 2

S524DF4K15000024 # diagnose switch mac-address switch-port-macs-db

Total MACs : 30

MAC-1 : 08:5b:0e:f1:95:e6
MAC-2 : 08:5b:0e:f1:95:e8
MAC-3 : 08:5b:0e:f1:95:ea
MAC-4 : 08:5b:0e:f1:95:ec
MAC-5 : 08:5b:0e:f1:95:ee
MAC-6 : 08:5b:0e:f1:95:f0
MAC-7 : 08:5b:0e:f1:95:f2
MAC-8 : 08:5b:0e:f1:95:f4
MAC-9 : 08:5b:0e:f1:95:f6
MAC-10 : 08:5b:0e:f1:95:f8
MAC-11 : 08:5b:0e:f1:95:fa
MAC-12 : 08:5b:0e:f1:95:fc
MAC-13 : 08:5b:0e:f1:95:fe
MAC-14 : 08:5b:0e:f1:96:00
MAC-15 : 08:5b:0e:f1:96:02
MAC-16 : 08:5b:0e:f1:95:e7
MAC-17 : 08:5b:0e:f1:95:e9
MAC-18 : 08:5b:0e:f1:95:eb
MAC-19 : 08:5b:0e:f1:95:ed
MAC-20 : 08:5b:0e:f1:95:ef
MAC-21 : 08:5b:0e:f1:95:f1
MAC-22 : 08:5b:0e:f1:95:f3
MAC-23 : 08:5b:0e:f1:95:f5
MAC-24 : 08:5b:0e:f1:95:f7
MAC-25 : 08:5b:0e:f1:95:f9
MAC-26 : 08:5b:0e:f1:95:fb
MAC-27 : 08:5b:0e:f1:95:fd
MAC-28 : 08:5b:0e:f1:95:ff
MAC-29 : 08:5b:0e:f1:96:01
MAC-30 : 08:5b:0e:f1:96:03

diagnose switch macsec statistics

Use this command to display MACsec traffic statistics for the specified port. If no port is specified, statistics for all ports
are returned.
diagnose switch macsec statistics [<port_name>]

diagnose switch macsec status

Use this command to display the MACsec status of the specified port. If no port is specified, the status for all ports is
returned.
diagnose switch macsec status [<port_name>]

diagnose switch managed-switch

Use this command to display information about the FortiSwitch unit when it is managed by a FortiGate unit:
diagnose switch managed-switch dump xlate-vlan

diagnose switch mclag

Use these commands to manage information about MCLAGs:


diagnose switch mclag clear-stats {all | icl | mclag <trunk_name>}
diagnose switch mclag icl
diagnose switch mclag list <trunk_name>

Variable Description

clear-stats {all | icl | mclag <trunk_name>}   Delete the statistics for all MCLAGs, for the ICL, or for the
                                                MCLAG with the specified trunk.

icl                                             List all inter-chassis links (ICLs).

list <trunk_name>                               Display statistics for the MCLAG with the specified trunk.

To set up an MCLAG, see config switch trunk on page 136.

Example output

S524DF4K15000024 # diagnose switch mclag icl

MCLAG-ICL-trunk
icl-ports port15 port16
egress-block-ports none
interface-mac 08:5b:0e:f1:95:e5
lacp-serial-number S524DF4K15000024
peer-info N/A
keepalive interval 1
keepalive timeout 30

Counters

diagnose switch mirror auto-config

Use these commands to manage switch mirroring using ERSPAN encapsulation with automatically configured header
contents:
diagnose switch mirror auto-config restart
diagnose switch mirror auto-config status

Variable Description

restart Restart the ERSPAN mirroring daemon.

status Display the status of the ERSPAN mirroring.

Example output

S524DF4K15000024 # diagnose switch mirror auto-config status


Session name:
Last update: never
Error msg:
State: None
Flags: 0x00000000 ()

Config:
Last good config update: never

Route Lookup:
Last good route update: never

FortiSwitchOS 6.4.3 CLI Reference 267


Fortinet, Inc.
diagnose

Collector IP: 0.0.0.0


Nexthop IP: 0.0.0.0
SVI name:
SVI devindex: 0
SVI source MAC: 00:00:00:00:00:00
SVI VLAN: 0
SVI source IP: 0.0.0.0

Nexthop ARP resolution:
Last good ARP update: never
Nexthop MAC: 00:00:00:00:00:00

Switching table resolution:
Last good update: never
L2 result: MAC: 00:00:00:00:00:00 VLAN: 0
port-id: 0 Flags: 0x00000000
Switch interface:
Switch interface VLAN 0: untagged

Hardware updates:
Last good update: never
Last failed update: never
Last update return: 0:Success.

Resolved/Running state:
Last entered: never
Last left: never

diagnose switch mirror hardware status

Use this command to display information about the driver-level and hardware-level switch mirroring:
diagnose switch mirror hardware status

Example output

S524DF4K15000024 # diagnose switch mirror hardware status

[flink.sniffer]===========================
Installed : no (  inactive)

diagnose switch modules

Use these commands to display information about physical layer (PHY) modules:
diagnose switch modules eeprom <physical_port_name>
diagnose switch modules state-machine <physical_port_name>

Variable Description

eeprom <physical_port_name> Display the EEPROM contents of the module installed in the specified port.

state-machine <physical_port_name> Display the state-machine and digital monitoring interface (DMI) status of the modules.

Example output

S524DF4K15000024 # diagnose switch modules state-machine port10

DMI Status
----------------------------------
monitor_interval 10 minutes
next_monitor_in 0:44
dmi_trace 0
alarm_trap_enabled 0
num_ports 30
mod_pres 0x0000000000000000
mod_rxlos 0x0000000000000000
state_runs 62380
state_transitions 6

Module Summary | | Alarm - Warning Flags |
DMI | Module |Temp | Vcc |TxBia|TxPwr|RxPwr|
port | curr state | prev state | -IC | Type | State |Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|Hi|Lo|
----------------------------------------------------------------------------------
1 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
2 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
3 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
4 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
5 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
6 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
7 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
8 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
9 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
10 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
11 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
12 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
13 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
14 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
15 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
16 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
17 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
18 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
19 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
20 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
21 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
22 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
23 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
24 | INVALID | INVALID | 0-0 | NONE |INVALID|..|..|..|..|..|..|..|..|..|..|
25 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|
26 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|
27 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|
28 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|
29 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|
30 | EMPTY | EMPTY | 0-0 | NONE |EMPTY |..|..|..|..|..|..|..|..|..|..|

diagnose switch network-monitor

Use these commands to manage information produced by network monitoring:


diagnose switch network-monitor cfg-stats
diagnose switch network-monitor clear-db
diagnose switch network-monitor dump-l2-db
diagnose switch network-monitor dump-l3-db
diagnose switch network-monitor dump-monitors
diagnose switch network-monitor parser-stats

Variable Description

cfg-stats Display network-monitoring configuration statistics.

clear-db Delete all network-monitoring database entries.

dump-l2-db List all detected devices from the layer-2 database.

dump-l3-db List all detected devices from the layer-3 database.

dump-monitors List the monitors used for survey-mode network monitoring.

parser-stats List the network-monitoring parser statistics.

Example output

S524DF4K15000024 # diagnose switch network-monitor cfg-stats


Network Monitor Configuration Statistics:
----------------------------------
Adds : 1
Deletes : 0
Free Entries : 19

S524DF4K15000024 # diagnose switch network-monitor dump-monitors


Entry ID Monitor Type Monitor MAC Packet-count
=================================================================
1 directed-mode 00:25:00:61:64:6d 0
2 survey-mode 08:5b:0e:f1:95:e5 0
3 survey-mode 08:5b:0e:f1:95:e5 0
4 survey-mode 08:5b:0e:f1:95:e5 0
5 survey-mode 00:00:5e:00:01:05 0
6 survey-mode 08:5b:0e:f1:95:e5 0
7 survey-mode 00:21:cc:d2:76:72 0

S524DF4K15000024 # diagnose switch network-monitor parser-stats


Network Monitor Parser Statistics:
----------------------------------
Arp : 0
Ip : 0
Udp : 0
Tcp : 0
Dhcp : 0
Eapol : 0
Unsupported : 0

diagnose switch pdu-counters

Use these commands to manage information from switch packet PDU counters:
diagnose switch pdu-counters clear
diagnose switch pdu-counters list

Variable Description

clear Clear switch packet PDU counters.

list List nonzero switch packet PDU counters.

Example output

S548DN5018000377 # diagnose switch pdu-counters list


primary CPU counters:
packet receive error : 0
Non-zero port counters:
port1:
IGMP Membership Report : 45
IGMP Membership Leave : 3
IGMPv3 Membership Report : 69002
port13:
IGMP Query packet : 50794
IGMPv3 Membership Report : 50794
port47:
LACP packet : 15474
STP packet : 237919
LLDP packet : 168194
IGMP Query packet : 50757
IGMP Membership Report : 29
IGMP Membership Leave : 1
port48:
LACP packet : 15475
STP packet : 6
LLDP packet : 168192
port51:
IGMP Membership Report : 19
IGMP Membership Leave : 4
IGMPv3 Membership Report : 4
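
The output above lends itself to a simple control-plane sanity check. The following Python is an added example (not FortiSwitchOS code) that parses the `diagnose switch pdu-counters list` output, using the reference output plus one constructed port block, and flags ports outside an assumed uplink list that are receiving STP or LACP PDUs.

```python
"""Parse the output of `diagnose switch pdu-counters list` and flag ports that
are receiving protocol PDUs (STP, LACP) on interfaces that should only serve
end hosts.

Added example; this is not FortiSwitchOS code. SAMPLE_OUTPUT is the example
output from the CLI reference, followed by one constructed port block (port5)
so that the check has something to flag. UPLINK_PORTS is an assumed operator
inventory of which ports are uplinks."""
import re
from typing import Dict, List, Set

SAMPLE_OUTPUT = """\
primary CPU counters:
packet receive error : 0
Non-zero port counters:
port1:
IGMP Membership Report : 45
IGMP Membership Leave : 3
IGMPv3 Membership Report : 69002
port13:
IGMP Query packet : 50794
IGMPv3 Membership Report : 50794
port47:
LACP packet : 15474
STP packet : 237919
LLDP packet : 168194
IGMP Query packet : 50757
IGMP Membership Report : 29
IGMP Membership Leave : 1
port48:
LACP packet : 15475
STP packet : 6
LLDP packet : 168192
port51:
IGMP Membership Report : 19
IGMP Membership Leave : 4
IGMPv3 Membership Report : 4
port5:
STP packet : 12
LLDP packet : 40
"""
# The port5 block above is constructed for this example; it is not part of the
# reference output.

PORT_RE = re.compile(r"^(port\d+):$")
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>\d+)$")


def parse_pdu_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Return {port: {counter_name: value}} from the 'Non-zero port counters' section.

    Lines before that section (the CPU counters) are ignored so that
    'packet receive error : 0' is not mistaken for a port counter.
    """
    ports: Dict[str, Dict[str, int]] = {}
    current = None
    in_port_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Non-zero port counters:":
            in_port_section = True
            continue
        if not in_port_section:
            continue
        port_match = PORT_RE.match(line)
        if port_match:
            current = port_match.group(1)
            ports[current] = {}
            continue
        counter_match = COUNTER_RE.match(line)
        if counter_match and current is not None:
            name = counter_match.group("name").strip()
            ports[current][name] = int(counter_match.group("value"))
    return ports


# Assumed inventory: ports that legitimately exchange STP/LACP/LLDP with
# another switch. Everything else is treated as host-facing.
UPLINK_PORTS: Set[str] = {"port47", "port48"}

# PDU types a host-facing port should not be receiving: STP BPDUs mean a
# bridge is attached, LACP means something is trying to negotiate a LAG.
UNEXPECTED_ON_ACCESS = ("STP packet", "LACP packet")


def find_unexpected_pdus(ports: Dict[str, Dict[str, int]],
                         uplinks: Set[str] = UPLINK_PORTS) -> Dict[str, List[str]]:
    """Return {port: [counter names]} for non-uplink ports with STP/LACP hits."""
    findings: Dict[str, List[str]] = {}
    for port, counters in sorted(ports.items()):
        if port in uplinks:
            continue
        hits = [name for name in UNEXPECTED_ON_ACCESS if counters.get(name, 0) > 0]
        if hits:
            findings[port] = hits
    return findings


if __name__ == "__main__":
    parsed = parse_pdu_counters(SAMPLE_OUTPUT)
    for port, hits in find_unexpected_pdus(parsed).items():
        print(f"{port}: unexpected {', '.join(hits)}")
```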

diagnose switch physical-ports cable-diag

Use this command to display the results of a time-domain reflectometer (TDR) diagnostic test on the specified port.
diagnose switch physical-ports cable-diag <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports cable-diag port1


port1: cable (4 pairs, length +/- 10 meters)
pair A Open, length 0 meters
pair B Open, length 0 meters
pair C Open, length 0 meters
pair D Open, length 0 meters

diagnose switch physical-ports datarate

Use this command to display the number of packets received and transmitted on the specified ports as well as the data
rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports datarate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports datarate 1,3,4-6


Rate Display Mode: DATA_RATE
Port | TX Packets | TX Rate || RX Packets | RX Rate |
----------------------------------------------------------------------------------
port1 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port3 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port4 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port5 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port6 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
----------------------------------------------------------------------------------
| 0.0000 Mbps || | 0.0000 Mbps |

ctrl-c to stop

diagnose switch physical-ports eee-status

Use this command to display whether the specified port has energy-efficient Ethernet (EEE) enabled. If the port is not
specified, the status of all ports is displayed.
diagnose switch physical-ports eee-status [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports eee-status port9

Portname State RX-LPI-Status TX-LPI-Status TX(ms) RX(ms) TX-Resolved(ms) RX-Resolved(ms)
--------------------------------------------------------------------------------------------------
port9 Enabled Inactive Inactive 0 0 0 0

diagnose switch physical-ports hw-counter

Use these commands to display information about counters:


diagnose switch physical-ports hw-counter add {rx | tx} <counter_id> <counter|counter|counter...>
diagnose switch physical-ports hw-counter clear {rx | tx} <counter_id>
diagnose switch physical-ports hw-counter info
diagnose switch physical-ports hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...>
diagnose switch physical-ports hw-counter search <port_name> <interval_seconds> <counter|counter|counter...>
diagnose switch physical-ports hw-counter search-cancel
diagnose switch physical-ports hw-counter search-results
diagnose switch physical-ports hw-counter show {rx | tx | all} <port_name>

Variable Description

hw-counter add {rx | tx} <counter_id> <counter|counter|counter...> Add trigger flags to a specified counter.

hw-counter clear {rx | tx} <counter_id> Clear a specific counter.

hw-counter info Display the supported trigger flags (RX and TX).

hw-counter remove {rx | tx} <counter_id> <counter|counter|counter...> Remove trigger flags from the specified counters.

hw-counter search <port_name> <interval_seconds> <counter|counter|counter...> Retrieve the data for the specified triggers on a specified port within the interval in seconds.

hw-counter search-cancel Cancel the currently running search.

hw-counter search-results Display the last search results.

hw-counter show {rx | tx | all} <port_name> Show all trigger flags and statistics on a specified port.

Example output

S524DF4K15000024 # diagnose switch physical-ports hw-counter show all port9


----------------------------------------------------------------------------------
| Counter Statistics (port:9)
----------------------------------------------------------------------------------
|Type|Counter ID| Value | Trigger Flags Enabled
----------------------------------------------------------------------------------
| Rx | 0| 0|RIPD4 RIPD6 RDISC RPORTD PDISC
| | | | RFILDR RDROP VLANDR
----------------------------------------------------------------------------------
| Rx | 1| 0|IMBP
----------------------------------------------------------------------------------
| Rx | 2| 0|RIMDR
----------------------------------------------------------------------------------
| Tx | 0| 0|TGIP6 TGIPMC6
----------------------------------------------------------------------------------
| Tx | 1| 0|TIPD6 TIPMCD6
----------------------------------------------------------------------------------
| Tx | 2| 0|TGIPMC6
----------------------------------------------------------------------------------
| Tx | 3| 0|TPKTD
----------------------------------------------------------------------------------
| Tx | 4| 0|TGIP4 TGIP6
----------------------------------------------------------------------------------
| Tx | 5| 0|TIPMCD4 TIPMCD6
----------------------------------------------------------------------------------
| Tx | 6| 0|THIGIG2
----------------------------------------------------------------------------------

diagnose switch physical-ports io-stats

Use these commands to display information about input/output packet statistics:


diagnose switch physical-ports io-stats clear-local <port_list>
diagnose switch physical-ports io-stats cumulative
diagnose switch physical-ports io-stats list [<port_list>]

Variable Description

io-stats clear-local <port_list> Delete the statistics for input and output packets for the specified
ports. Use commas to separate ports. For example: 1,3,4-6

io-stats cumulative Display the cumulative statistics for input and output packets for all
ports.

io-stats list [<port_list>] List the statistics for input and output packets for the specified ports.
If the ports are not specified, the statistics for all ports are displayed.

Example output

S524DF4K15000024 # diagnose switch physical-ports io-stats cumulative


Cumulative IO Stats:
RX PacketsBpdu 69035
RX PacketsL3RxCpu 1020
RX PacketsRxAll 112157
RX PacketsFlpOrIGMP 39831
----------------------------------------------------------------------------------

diagnose switch physical-ports led-flash

Use this command to flash all port LEDs on and off for a specified number of minutes so that a particular switch can be
identified. Valid times are 5, 15, 30, or 60 minutes. Use disable to stop the LEDs from flashing.
diagnose switch physical-ports led-flash disable
diagnose switch physical-ports led-flash {5 | 15 | 30 | 60}

diagnose switch physical-ports linerate

Use this command to display the number of packets received and transmitted on the specified ports as well as the line
rate. Use commas to separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports linerate [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports linerate 1,3,4-6


Rate Display Mode: LINE_RATE
Port | TX Packets | TX Rate || RX Packets | RX Rate |
----------------------------------------------------------------------------------
port1 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port3 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port4 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port5 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
port6 | 0 | 0.0000 Mbps || 0 | 0.0000 Mbps |
----------------------------------------------------------------------------------
| 0.0000 Mbps || | 0.0000 Mbps |

ctrl-c to stop

diagnose switch physical-ports list

Use this command to display the details for the specified port. If the port is not specified, the details for all ports are
displayed.
diagnose switch physical-ports list [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports list port1

Port(port1) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:E6, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

diagnose switch physical-ports mapping

Use this command to display which drivers are associated with which ports:
diagnose switch physical-ports mapping

Example output

S524DF4K15000024 # diagnose switch physical-ports mapping


Unmapped port IDs:
Userspace | Driver
Port Name PortID | Unit Port Driver Name
-------------------- ------ | ------ ------ ----------------
port1 1 | 0 2 ge1
port2 2 | 0 1 ge0
port3 3 | 0 3 ge2
port4 4 | 0 4 ge3
port5 5 | 0 6 ge5
port6 6 | 0 5 ge4
port7 7 | 0 7 ge6
port8 8 | 0 8 ge7
port9 9 | 0 10 ge9
port10 10 | 0 9 ge8
port11 11 | 0 11 ge10
port12 12 | 0 12 ge11
port13 13 | 0 14 ge13
port14 14 | 0 13 ge12
port15 15 | 0 15 ge14
port16 16 | 0 16 ge15
port17 17 | 0 18 ge17
port18 18 | 0 17 ge16
port19 19 | 0 19 ge18
port20 20 | 0 20 ge19
port21 21 | 0 22 ge21
port22 22 | 0 21 ge20
port23 23 | 0 23 ge22
port24 24 | 0 24 ge23
port25 25 | 0 42 xe0
port26 26 | 0 43 xe1
port27 27 | 0 44 xe2
port28 28 | 0 45 xe3
port29 29 | 0 46 xe4
port30 30 | 0 50 xe8
internal 31 | 0 0 cpu0

diagnose switch physical-ports mdix-status

Use this command to display whether a specified port is a medium-dependent interface crossover (MDIX) port:
diagnose switch physical-ports mdix-status <port_name>

Example output

S524DF4K15000024 # diagnose switch physical-ports mdix-status port1


port1: MDIX(Crossover)

diagnose switch physical-ports port-stats

Use these commands to list port statistics for the specified ports or list port statistics that are not zero. Use commas to
separate ports. If the ports are not specified, the statistics for all ports are displayed.
diagnose switch physical-ports port-stats [<port_list> | non-zero]

Example output

S524DF4K15000024 # diagnose switch physical-ports port-stats 1

port1 Port Stats:

Rx Bytes: 0
Rx Packets: 0
Rx Unicasts: 0
Rx NUnicasts: 0
Rx Multicasts: 0
Rx Broadcasts: 0
Rx Discards: 0
Rx Errors: 0
Rx Oversize: 0
Rx Pauses: 0
Rx IPMC Dropped: 0
Rx 64 Octets Packets: 0
Rx 65-127 Octets Packets: 0
Rx 128-255 Octets Packets: 0
Rx 256-511 Octets Packets: 0
Rx 512-1023 Octets Packets: 0
Rx 1024-1518 OctetsPackets: 0
Rx 1519-2047 Octets Packets: 0
Rx 2048-4095 Octets Packets: 0
Rx 4096-9216 Octets Packets: 0
Rx 9217-16383 Octets Packets: 0
Rx L3 Packets: 0

Tx Bytes: 0
Tx Packets: 0
Tx Unicasts: 0
Tx NUnicasts: 0
Tx Multicasts: 0
Tx Broadcasts: 0
Tx Discards: 0
Tx Errors: 0
Tx Oversize: 0
Tx Pauses: 0
Tx IPMC Dropped: 0
Tx 64 Octets Packets: 0
Tx 65-127 Octets Packets: 0
Tx 128-255 Octets Packets: 0
Tx 256-511 Octets Packets: 0
Tx 512-1023 Octets Packets: 0
Tx 1024-1518 Octets Packets: 0
Tx 1519-2047 Octets Packets: 0
Tx 2048-4095 Octets Packets: 0
Tx 4096-9216 Octets Packets: 0
Tx 9217-16383 Octets Packets: 0

Fragments: 0
Undersize: 0
Jabbers: 0
Collisions: 0
CRC Alignment Errors: 0
IPMC Bridged: 0
IPMC Routed: 0

----------------------------------------------------------------------------------

diagnose switch physical-ports qos-rates

Use these commands to display real-time egress QoS queue rates, including the data rate, line rate, and drop rate:
diagnose switch physical-ports qos-rates clear <port_list>
diagnose switch physical-ports qos-rates list [<port_list>]
diagnose switch physical-ports qos-rates non-zero

Variable Description

qos-rates clear <port_list> Delete the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are deleted.

qos-rates list [<port_list>] Display the real-time egress QoS queue rates for the specified ports. If
the ports are not specified, the rates for all ports are displayed. Press
Ctrl+c to stop the output.

qos-rates non-zero Display only the real-time egress QoS queue rates that are not zero.
Press Ctrl+c to stop the output.

Example output

S548DF5018000776 # diagnose switch physical-ports qos-rates non-zero

port6 QoS Rates:

queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
7 | 0.0000 | 0.0000 | 0.0000 | 0.0000 | 0.0000 |
---------------------------- ---------------------------------------------

port28 QoS Rates:

queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
7 | 0.8466 | 0.0008 | 0.0010 | 0.0000 | 0.0000 |
---------------------------- ---------------------------------------------

internal QoS Rates:

queue | PPS | data(Mbps) | line(Mbps) | drop (PPS) | drop(Mbps) |
---------------------------------------------------------------------------
25 | 0.8472 | 0.0009 | 0.0010 | 0.0000 | 0.0000 |
---------------------------- ---------------------------------------------

ctrl-c to stop
^C

diagnose switch physical-ports qos-stats

Use these commands to display QoS statistics:


diagnose switch physical-ports qos-stats clear <port_list>
diagnose switch physical-ports qos-stats list [<port_list>]
diagnose switch physical-ports qos-stats non-zero
diagnose switch physical-ports qos-stats set-qos-counter-revert [<port_list>]
diagnose switch physical-ports qos-stats set-qos-counter-zero [<port_list>]

Variable Description

qos-stats clear [<port_list>] Delete the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are deleted.

qos-stats list [<port_list>] Display the QoS statistics for the specified ports. If the ports are not
specified, the statistics for all ports are displayed.

qos-stats non-zero List only QoS statistics that are not zero.

qos-stats set-qos-counter-revert [<port_list>] Restore QoS counters to direct hardware values for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

qos-stats set-qos-counter-zero [<port_list>] Clear QoS counters (applies to all applications except SNMP) for the specified ports. Use commas to separate ports. If the ports are not specified, the command affects all ports.

Example output

S524DF4K15000024 # diagnose switch physical-ports qos-stats list 1

port1 QoS Stats:

queue | unicast pkts | unicast bytes | multicast pkts | multicast bytes
----------------------------------------------------------------------------------
0 | 0 | 0 | 0 | 0
1 | 0 | 0 | 0 | 0
2 | 0 | 0 | 0 | 0
3 | 0 | 0 | 0 | 0
4 | 0 | 0 | 0 | 0
5 | 0 | 0 | 0 | 0
6 | 0 | 0 | 0 | 0
7 | 0 | 0 | 0 | 0

queue | ucast drop pkts | ucast drop bytes | mcast drop pkts | mcast drop bytes
----------------------------------------------------------------------------------
0 | 0 | 0 | 0 | 0
1 | 0 | 0 | 0 | 0
2 | 0 | 0 | 0 | 0
3 | 0 | 0 | 0 | 0
4 | 0 | 0 | 0 | 0
5 | 0 | 0 | 0 | 0
6 | 0 | 0 | 0 | 0
7 | 0 | 0 | 0 | 0
----------------------------------------------------------------------------------

diagnose switch physical-ports queue-bandwidth-setting

Use this command to display the bandwidth setting (kbps or percentage) for the egress queues of the specified ports. If the
ports are not specified, the bandwidth setting for all egress queues is displayed.
diagnose switch physical-ports queue-bandwidth-setting [<port_list>]

Example output

S524DF4K15000024 # diagnose switch physical-ports queue-bandwidth-setting port23

port23 cosq bandwidth setting: (0: disabled)

port | q | KbpsMin | KbpsMax
-------+---+----------+----------+
port23 | 0 | 0 | 0
port23 | 1 | 0 | 0
port23 | 2 | 0 | 0
port23 | 3 | 0 | 0
port23 | 4 | 0 | 0
port23 | 5 | 0 | 0
port23 | 6 | 0 | 0
port23 | 7 | 0 | 0

diagnose switch physical-ports set-counter-revert

Use this command to restore hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports.
Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-revert [<port_list>]

diagnose switch physical-ports set-counter-zero

Use this command to clear all hardware counters (except for QoS, SNMP, and web GUI counters) on the specified ports.
Use commas to separate ports. If the ports are not specified, the command affects all ports.
diagnose switch physical-ports set-counter-zero [<port_list>]

diagnose switch physical-ports split-status

Use this command to display information about split ports:


diagnose switch physical-ports split-status

Example output

S524DF4K15000024 # diagnose switch physical-ports split-status


Port Name Split Phy Name Port Index Child Index
---------------- ----- ---------------- ---------------- ----------
port29 No - 29 -
port30.1 Yes port30 30 0
port30.2 Yes port30 32 1
port30.3 Yes port30 33 2
port30.4 Yes port30 34 3

diagnose switch physical-ports stats

Use these commands to display counter statistics:


diagnose switch physical-ports stats clear-local <port_list>
diagnose switch physical-ports stats list [<port_list>]
diagnose switch physical-ports stats non-zero

Variable Description

stats clear-local <port_list> Delete the statistics for received and transmitted packets for the
specified ports for only the local session. Use commas to separate
ports. For example: 1,3,4-6

stats list [<port_list>] List the statistics for received and transmitted packets for the specified
ports. Use commas to separate ports. If the ports are not specified, the
statistics for all ports are displayed.

stats non-zero List the statistics for counters that are not zero.

Example output

S524DF4K15000024 # diagnose switch physical-ports stats list


Port | TX Packets | TX bytes || RX Packets | RX Bytes | RX L3 Packets |
----------------------------------------------------------------------------------
port1 | 0 | 0 || 0 | 0 | 0 |
port2 | 0 | 0 || 0 | 0 | 0 |
port3 | 0 | 0 || 0 | 0 | 0 |
port4 | 0 | 0 || 0 | 0 | 0 |
port5 | 0 | 0 || 0 | 0 | 0 |
port6 | 0 | 0 || 0 | 0 | 0 |
port7 | 0 | 0 || 0 | 0 | 0 |
port8 | 0 | 0 || 0 | 0 | 0 |
port9 | 0 | 0 || 0 | 0 | 0 |
port10 | 0 | 0 || 0 | 0 | 0 |
port11 | 0 | 0 || 0 | 0 | 0 |
port12 | 0 | 0 || 0 | 0 | 0 |
port13 | 0 | 0 || 0 | 0 | 0 |
port14 | 0 | 0 || 0 | 0 | 0 |
port15 | 0 | 0 || 0 | 0 | 0 |
port16 | 0 | 0 || 0 | 0 | 0 |
port17 | 0 | 0 || 0 | 0 | 0 |
port18 | 0 | 0 || 0 | 0 | 0 |
port19 | 0 | 0 || 0 | 0 | 0 |
port20 | 0 | 0 || 0 | 0 | 0 |
port21 | 0 | 0 || 0 | 0 | 0 |
port22 | 0 | 0 || 0 | 0 | 0 |
port23 | 0 | 0 || 0 | 0 | 0 |
port24 | 0 | 0 || 0 | 0 | 0 |
port25 | 0 | 0 || 0 | 0 | 0 |
port26 | 0 | 0 || 0 | 0 | 0 |
port27 | 0 | 0 || 0 | 0 | 0 |
port28 | 0 | 0 || 0 | 0 | 0 |
port29 | 0 | 0 || 0 | 0 | 0 |
port30 | 0 | 0 || 0 | 0 | 0 |
internal | 393 | 9343000 || 0 | 0 | 0 |

diagnose switch physical-ports summary

Use this command to display a summary about the specified physical port. If the port is not specified, summaries for all
ports are displayed.
diagnose switch physical-ports summary [<port_name>]

Example output

S524DF4K15000024 # diagnose switch physical-ports summary port1

Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ __________ _________
port1 down 8100 1 half - , , none

Flags: QS(802.1Q) QE(802.1Q-in-Q,external) QI(802.1Q-in-Q,internal)
TS(static trunk) TF(forti trunk) TL(lacp trunk); MD(mirror dst)
MI(mirror ingress) ME(mirror egress) MB(mirror ingress and egress) CF (Combo Fiber), CC (Combo Copper)

diagnose switch physical-ports virtual-wire list

Use this command to list all virtual wires:


diagnose switch physical-ports virtual-wire list

Example output

S524DF4K15000024 # diagnose switch physical-ports virtual-wire list


port7(7) to port8(8) TPID: 0xdee5 VLAN: 70

diagnose switch poe status

Use this command to display power over Ethernet (PoE) information for a specific port:
diagnose switch poe status <physical_port_name>

Variable Description

<physical_port_name> Enter the port name.

Example output

S524DF4K15000024 # diagnose switch poe status port1

Port(1) Power:0.00W, Power-Status: Searching
Power-Up Mode: Normal Mode
Remote Power Device Type: PD None
Power Class: 0
Defined Max Power: 0.00W, Priority: Low.
Voltage: 54.90V
Current: 0mA

diagnose switch ptp port add-link-delay

Use this command to add an estimated link delay in nanoseconds to the specified port. Adding a link delay helps with
debugging, and the setting is cleared when the switch is rebooted:
diagnose switch ptp port add-link-delay <port_name> <estimated_link_delay>

Example output

S548DN4K15000008 # diagnose switch ptp port add-link-delay port49 500


Adding port49's link_delay 500(ns).

diagnose switch ptp port get-link-delay

Use this command to display link-delay information for the specified port:
diagnose switch ptp port get-link-delay <port_name>

Example output

S548DN4K15000008 # diagnose switch ptp port get-link-delay port49

Portname Speed Link-Delay
__________ _____ ___________
port49 10G 500ns

diagnose switch qnq dtag-cfg

Use this command to display information about the VLAN stacking (QinQ) configuration:
diagnose switch qnq dtag-cfg

Example output

S548DF5018000776 # diagnose switch qnq dtag-cfg

Port Name | QinQ Mode | Add Inner-Tag | Remove Inner-Tag | Priority | Ether-Type
======================================================================================
port39 | customer | add (vid 456) | enable | follow-s-tag | 0x8100

diagnose switch trunk list

Use this command to display link aggregation information:


diagnose switch trunk list [<trunk_name>]

Variable Description

[<trunk_name>] Display link aggregation information for the specified trunk. If the trunk
is not specified, link aggregation information for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk list trunk1

Switch Trunk Information, primary-Channel

Trunk Name: trunk1
Mode: fortinet-trunk
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E6

Active Port Up Time
___________ _________________________

Non-Active Port Status
_______________ ____________________

port1 BLOCK
port2 BLOCK

S524DF4K15000024 # diagnose switch trunk list

Switch Trunk Information, primary-Channel

Trunk Name: Mclag-icl-trunk
Mode: lacp-active (mclag-icl)
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:F4

Active Port Up Time
___________ _________________________

Non-Active Port Status
_______________ ____________________

port15 BLOCK
port16 BLOCK

LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 08:5b:0e:f1:95:f4
partner key: 1
partner MAC address: 00:00:00:00:00:00

slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1

slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2

Trunk Name: first-mclag
Mode: static (mclag)
Port Selection Algorithm: N/A - Trunk Down
Trunk MAC: 08:5B:0E:F1:95:E7

Active Port Up Time
___________ _________________________

Non-Active Port Status
_______________ ____________________

port2 BLOCK
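
The LACP flag legend above defines each character of the actor and partner state strings. The following Python, an added example rather than FortiSwitchOS code, decodes those strings for every `slave:` block of the Mclag-icl-trunk output shown and reports members that are out of sync or not collecting/distributing; the field names it assigns are assumed labels.

```python
"""Decode the six-character LACP state strings printed by
`diagnose switch trunk list` and report LAG members that are not forwarding.

Added example; this is not FortiSwitchOS code. The flag positions follow the
legend in the command output: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D). SAMPLE is the
member portion of the reference's example output for Mclag-icl-trunk."""
import re
from typing import Dict, List

SAMPLE = """\
status: down
ports: 2
partner MAC address: 00:00:00:00:00:00

slave: port15
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f4
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1

slave: port16
status: down
link failure count: 0
permanent MAC addr: 08:5b:0e:f1:95:f5
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2

Trunk Name: first-mclag
"""

# One entry per flag position: (assumed field name, {letter: meaning}).
LACP_FLAG_FIELDS = (
    ("mode", {"A": "Active", "P": "Passive"}),
    ("speed", {"S": "Slow", "F": "Fast"}),
    ("aggregation", {"A": "Aggregatable", "I": "Individual"}),
    ("sync", {"I": "In sync", "O": "Out of sync"}),
    ("collecting", {"E": "Enabled", "D": "Disabled"}),
    ("distributing", {"E": "Enabled", "D": "Disabled"}),
)


def decode_lacp_state(flags: str) -> Dict[str, str]:
    """Map a string such as 'ASAIDD' to its six named fields."""
    if len(flags) != len(LACP_FLAG_FIELDS):
        raise ValueError(f"expected {len(LACP_FLAG_FIELDS)} flag characters, got {flags!r}")
    decoded: Dict[str, str] = {}
    for ch, (field, table) in zip(flags, LACP_FLAG_FIELDS):
        if ch not in table:
            raise ValueError(f"{ch!r} is not valid for the {field} position")
        decoded[field] = table[ch]
    return decoded


SLAVE_RE = re.compile(r"^slave:\s*(\S+)$")
KV_RE = re.compile(r"^([A-Za-z ]+?):\s*(\S.*)$")


def parse_trunk_members(text: str) -> List[Dict[str, str]]:
    """Collect each 'slave:' block into a dict of its key/value lines."""
    members: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Trunk Name:"):
            current = None  # a new trunk starts; stop attributing lines to a member
            continue
        slave = SLAVE_RE.match(line)
        if slave:
            current = {"port": slave.group(1)}
            members.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).strip()] = kv.group(2).strip()
    return members


def member_problems(members: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {port: reasons} for members that cannot carry traffic yet."""
    report: Dict[str, List[str]] = {}
    for member in members:
        actor = decode_lacp_state(member["actor state"])
        partner = decode_lacp_state(member["partner state"])
        reasons = []
        if actor["sync"] == "Out of sync":
            reasons.append("actor out of sync")
        if partner["sync"] == "Out of sync":
            reasons.append("partner out of sync")
        if actor["collecting"] == "Disabled" or actor["distributing"] == "Disabled":
            reasons.append("actor not collecting/distributing")
        if reasons:
            report[member["port"]] = reasons
    return report


if __name__ == "__main__":
    for port, reasons in member_problems(parse_trunk_members(SAMPLE)).items():
        print(f"{port}: {'; '.join(reasons)}")
```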

diagnose switch trunk summary

Use this command to display a summary of the link aggregation information:


diagnose switch trunk summary [<trunk_name>]

Variable Description

[<trunk_name>] Display a summary of the link aggregation information for the specified trunk. If
the trunk is not specified, a summary for all trunks is displayed.

Example output

S524DF4K15000024 # diagnose switch trunk summary

Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________

Mclag-icl-trunk lacp-active(mclag-icl) N/A 08:5B:0E:F1:95:F4 down (0/2) N/A
first-mclag static(mclag) N/A 08:5B:0E:F1:95:E7 down (0/1) N/A
8DN3X16000001-0 lacp-active(auto-isl) src-dst-ip 08:5B:0E:F0:9B:90 up (1/1) 0 days,0 hours,1 mins,35 secs

S524DF4K15000024 # diagnose switch trunk summary first-mclag

Trunk Name        Mode                     PSC         MAC                Status      Up Time
________________  _______________________  __________  _________________  __________  _____________________________
first-mclag       static(mclag)            N/A         08:5B:0E:F1:95:E7  down (0/1)  N/A

diagnose switch vlan

Use these commands to display information about virtual LANs:


diagnose switch vlan assignment capabilities
diagnose switch vlan assignment ether-proto flush
diagnose switch vlan assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]
diagnose switch vlan assignment ipv4 flush
diagnose switch vlan assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]
diagnose switch vlan assignment ipv6 flush
diagnose switch vlan assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]


diagnose switch vlan assignment mac flush


diagnose switch vlan assignment mac list [{sorted-by-mac | sorted-by-vlan}]
diagnose switch vlan info cache <VLAN_ID>
diagnose switch vlan info dump
diagnose switch vlan list [<VLAN_ID>]

Variable                                                             Description

assignment capabilities                                              Display information about hardware capabilities for VLAN assignments.

assignment ether-proto flush                                         Delete all VLAN entries assigned by Ethernet frame type and protocol.

assignment ether-proto list [{sorted-by-protocol | sorted-by-vlan}]  Display VLAN assignments by Ethernet frame type and protocol. Use sorted-by-protocol to list VLAN entries by protocol. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv4 flush                                                Delete all VLAN entries assigned by IPv4 address or subnet.

assignment ipv4 list [{sorted-by-address | sorted-by-vlan}]          Display VLAN assignments by IPv4 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment ipv6 flush                                                Delete all VLAN entries assigned by IPv6 address or subnet.

assignment ipv6 list [{sorted-by-address | sorted-by-vlan}]          Display VLAN assignments by IPv6 address or subnet. Use sorted-by-address to list VLAN entries by the mask length and IP address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

assignment mac flush                                                 Delete all VLAN entries assigned by MAC address.

assignment mac list [{sorted-by-mac | sorted-by-vlan}]               Display VLAN assignments by MAC address. Use sorted-by-mac to list VLAN entries by the MAC address. Use sorted-by-vlan to list VLAN entries by the VLAN identifier.

info cache <VLAN_ID>                                                 Display information about the VLAN cache.

info dump                                                            Display VLAN-related information.

list [<VLAN_ID>]                                                     Display which ports are assigned to the specified VLAN identifier. If the VLAN identifier is not specified, the information for all VLAN identifiers is displayed.

Example output

S524DF4K15000024 # diagnose switch vlan assignment capabilities


Assignment modes supported:
Port based assignment
IPv4 address/subnet based assignment
IPv6 address/subnet based assignment
MAC address based assignment
Ethernet Protocol based assignment


S524DF4K15000024 # diagnose switch vlan info dump


Ports:
[  port1] Force[disabled]
[  port2] Force[disabled]
[  port3] Force[disabled]
[  port4] Force[disabled]
[  port5] Force[disabled]
[  port6] Force[disabled]
[  port7] Force[disabled]
[  port8] Force[disabled]
[  port9] Force[disabled]
[  port10] Force[disabled]
[  port11] Force[disabled]
[  port12] Force[disabled]
[  port13] Force[disabled]
[  port14] Force[disabled]
[  port15] Force[disabled]
[  port16] Force[disabled]
[  port17] Force[disabled]
[  port18] Force[disabled]
[  port19] Force[disabled]
[  port20] Force[disabled]
[  port21] Force[disabled]
[  port22] Force[disabled]
[  port23] Force[disabled]
[  port24] Force[disabled]
[  port25] Force[disabled]
[  port26] Force[disabled]
[  port27] Force[disabled]
[  port28] Force[disabled]
[  port29] Force[disabled]
[  port30] Force[disabled]
[internal] Force[disabled]

Private-VLANs:

S524DF4K15000024 # diagnose switch vlan list


VlanId Ports
______ ___________________________________________________
1 port1 port2 port3 port4 port5 port6 port7 port8 port9
port10 port11 port12 port13 port14 port15 port16 port17
port18 port19 port20 port21 port22 port23 port24 port25
port26 port27 port28 port29 port30
4094 internal
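Because the port list wraps onto continuation lines, scripting against `diagnose switch vlan list` has to join each continuation line to the VLAN that started above it. The following Python is an added example rather than FortiSwitchOS code: it parses the output shown above and lists the ports still on VLAN 1, a routine access-layer hardening check, since an unused access port left on the default VLAN puts whatever gets plugged in onto the switch's default broadcast domain. The set of ports allowed to stay on VLAN 1 is a hypothetical intent chosen for the example.

```python
"""Parse `diagnose switch vlan list` output and flag ports on the default VLAN.

Added example; not FortiSwitchOS code.
"""

# Constructed sample: the `diagnose switch vlan list` output shown on this page.
# Lines that do not start with a VLAN ID continue the VLAN above them.
SAMPLE_VLAN_LIST = """\
S524DF4K15000024 # diagnose switch vlan list

VlanId Ports
______ ___________________________________________________
1 port1 port2 port3 port4 port5 port6 port7 port8 port9
port10 port11 port12 port13 port14 port15 port16 port17
port18 port19 port20 port21 port22 port23 port24 port25
port26 port27 port28 port29 port30
4094 internal
"""


def _is_port_name(token):
    """True for portN or the internal interface, as printed by the command."""
    return token == "internal" or (token.startswith("port") and token[4:].isdigit())


def parse_vlan_list(text):
    """Return {vlan_id: [ports]}, joining wrapped continuation lines."""
    vlans = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():
            # A row begins with the VLAN ID followed by the first ports.
            current = int(tokens[0])
            vlans.setdefault(current, []).extend(tokens[1:])
        elif current is not None and all(_is_port_name(t) for t in tokens):
            # A continuation line carries more ports for the current VLAN.
            vlans[current].extend(tokens)
        # The prompt, header and separator lines fall through and are ignored.
    return vlans


def ports_on_default_vlan(vlans, allowed=frozenset()):
    """Ports that are members of VLAN 1 and are not explicitly allowed there."""
    return [port for port in vlans.get(1, []) if port not in allowed]


if __name__ == "__main__":
    vlan_map = parse_vlan_list(SAMPLE_VLAN_LIST)
    # Hypothetical intent for the example: only two uplinks may stay on VLAN 1.
    for port in ports_on_default_vlan(vlan_map, allowed={"port29", "port30"}):
        print(f"{port} is still on VLAN 1")
```

Run against the sample, every access port except the two assumed uplinks is reported; on a switch that has been provisioned, the expected output is an empty list.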

diagnose switch vlan-mapping egress hardware-entry

Use the following command to check the VLAN mapping on an interface for the egress direction:
diagnose switch vlan-mapping egress hardware-entry


diagnose switch vlan-mapping ingress hardware-entry

Use the following command to check the VLAN mapping on an interface for the ingress direction:
diagnose switch vlan-mapping ingress hardware-entry

diagnose sys checkused

Use the following command to check which tables are using the entry:
diagnose sys checkused <path.object.mkey>

Variable Description

<path.object.mkey> Display which tables use this entry.

Example output

S524DF4K15000024 # diagnose sys checkused switch.physical-port.name

may be used by table switch.trunk.members.member-name


may be used by table switch.mirror.dst
may be used by table switch.mirror.src-ingress.name
may be used by table switch.mirror.src-egress.name
may be used by table switch.acl.policy.ingress-interface.member-name
may be used by table switch.acl.policy.action.mirror
may be used by table switch.acl.policy.action.redirect
may be used by table switch.acl.policy.action.redirect-physical-port.member-name
may be used by table switch.acl.policy.action.egress-mask.member-name
may be used by table switch.virtual-wire.first-member
may be used by table switch.virtual-wire.second-member
may be used by table switch.auto-isl-port-group.members.member-name
may be used by table system.admin.dashboard.interface

diagnose sys cpuset

Use this command to display information about which CPU set uses a specific process:
diagnose sys cpuset <process_ID> <CPU_set_mask>

Variable Description

<process_ID> <CPU_set_mask> Specify the process identifier and CPU set mask to find out which
CPU set uses the process.


diagnose sys dayst-info

Use this command to display information about daylight saving time:


diagnose sys dayst-info

Example output

S524DF4K15000024 # diagnose sys dayst-info


The current timezone '(GMT-8:00)Pacific Time(US&Canada).' daylight saving time starts at Sun
Mar 8 02:00:00 1970, ends at Sun Nov 1 01:00:00 1970

diagnose sys fan status

Use this command to display fan information:


diagnose sys fan status

Example output

S524DF4K15000024 # diagnose sys fan status

Module Status
___________________________________
Fan OK
Fan speed is set to 50.0%.

diagnose sys flash

Use these commands to manage flash memory:


diagnose sys flash format
diagnose sys flash list [<file>]

Variable Description

format Format the shared data partition (flash partition 2).

list [<file>] Display statistics for a file or directory in flash memory. If no file or
directory is specified, statistics for all flash memory are returned.

Example output

S524DF4K15000024 # diagnose sys flash list


Partition  Image                             TotalSize(KB)  Used(KB)  Use%  Active
(*) 1      S524DF-3.6.3-FW-build0390-171020  53248          22922     43%   Yes
                                             4096           448       11%   Yes
2                                            53248          0         0%    No

Flag * : next-boot partition

Image build at Oct 20 2017 17:10:54 for b0390

diagnose sys flow-export

Use these commands to manage flow-export data:


diagnose sys flow-export delete-flows-all
diagnose sys flow-export expire-flows-all

Variable Description

delete-flows-all Delete all flow-export data.

expire-flows-all Expire all flow-export data.

diagnose sys fsw-cloud-mgr

Use these commands to manage the SSL tunnel for FortiSwitch cloud management:
diagnose sys fsw-cloud-mgr close-access-socket
diagnose sys fsw-cloud-mgr shutdown-ssl

Variable Description

close-access-socket Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud
management by closing the socket.

shutdown-ssl Restart the SSL tunnel between a FortiSwitch and FortiSwitch cloud
management by sending an SSL_SHUTDOWN request.

diagnose sys kill

Use this command to end a specified process:


diagnose sys kill <signal_number> <process_ID>

Variable Description

<signal_number> <process_ID> End the process with the specified signal.

To find out which processes are currently running, see diagnose sys top on page 295.


diagnose sys link-monitor

Use these commands to manage the link monitor:


diagnose sys link-monitor interface <entry>
diagnose sys link-monitor launch <entry>
diagnose sys link-monitor status {entry | all}

To configure the link health monitor, see config system link-monitor on page 187.

Variable Description

interface <entry> Display information about the specified link-monitor entry.

launch <entry> Manually launch the specified link-monitor entry.

status {entry | all} Display information about a specified link-monitor entry or all link-
monitor entries.

diagnose sys mpstat

Use this command to display information about CPU use:


diagnose sys mpstat <delay> <loops>

Variable Description

<delay> <loops> Display information about the CPU use after the specified number of
seconds (default is 5) and for the specified number of loops (default is
1,000,000). If the values for <delay> <loops> are not specified, there is
no delay, and the output continues until a key is pressed.

Example output

S524DF4K15000024 # diagnose sys mpstat

Gathering data, wait 5 sec, press any key to quit.


..0..1..2..3..4
TIME         CPU  %usr  %nice  %sys   %idle
04:02:59 PM  all  0.00  0.00   5.73   94.27
             0    0.00  0.00   10.87  89.13
             1    0.00  0.00   0.59   99.41
04:02:59 PM       0.00  0.00   0.00   0.00

TIME         CPU  %usr  %nice  %sys   %idle
04:03:04 PM  all  0.00  0.00   6.87   93.13
             0    0.00  0.00   12.75  87.25
             1    0.00  0.00   1.00   99.00
04:03:04 PM       0.00  0.00   0.00   0.00


diagnose sys ntp status

Use this command to display the configuration of the Network Time Protocol (NTP) servers:
diagnose sys ntp status

To configure the NTP servers, see config system ntp on page 192.

diagnose sys pcb temp

Use this command to display the printed circuit board (PCB) temperature:
diagnose sys pcb temp

Example output

S524DF4K15000024 # diagnose sys pcb temp

Module Status
__________________________________
Sensor1 42.0 C

diagnose sys process

Use this command to display information about a specific process:


diagnose sys process <process_ID>

Variable Description

<process_ID> Display information about the specified process identifier.

To find out which processes are currently running, see diagnose sys top on page 295.

diagnose sys psu status

Use this command to display information about the power supply unit (PSU):
diagnose sys psu status

Example output

S524DF4K15000024 # diagnose sys psu status


PSU1 is OK.
PSU2 is not present.

diagnose sys top

Use this command to list the processes currently running on your FortiSwitch unit:
diagnose sys top <delay> <lines>

Variable Description

<delay> <lines> Enter the number of seconds to delay (the default is 5) and the
maximum lines of output (the default is 20).

In the output, the codes displayed on the second output line mean the following:
- U is the percentage of CPU used by user-space applications. In the example, 0U means user-space applications are using 0% of the CPU.
- S is the percentage of CPU used by system (kernel) processes. In the example, 6S means system processes are using 6% of the CPU.
- I is the percentage of idle CPU. In the example, 94I means the CPU is 94% idle.
- T is the total FortiSwitchOS system memory in MB. In the example, 1978T means there are 1978 MB of system memory.
- F is the free memory in MB. In the example, 1744F means there are 1744 MB of free memory.
Each additional line of the command output displays the following information for each of the processes running on the
FortiSwitch (from left to right):
- Process name
- Process identifier
- State that the process is running in. The process state can be:
  - R for running
  - S for sleep
  - Z for zombie
  - D for disk sleep
- Amount of CPU that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher
values for a process that is taking a lot of CPU time.
- Amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher.

Example output

S524DF4K15000024 # diagnose sys top 5 5

Run Time: 3 days, 0 hours and 40 minutes


0U, 6S, 94I; 1978T, 1744F
pyfcgid 695 S 0.0 0.7
pyfcgid 791 S 0.0 0.7
pyfcgid 792 S 0.0 0.7
httpsd 696 S 0.0 0.6
cmdbsvr 611 S 0.0 0.6
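Added example, not FortiSwitchOS code: the following Python parses the summary line and the process rows of the `diagnose sys top` output shown above and compares the process names with a recorded baseline, so that an unexpected or zombie daemon on the switch stands out during a review. The baseline set is constructed from the sample output and stands in for one captured from a known-good unit; parse_top and check_processes are names chosen here.

```python
"""Parse `diagnose sys top` output and compare processes with a baseline.

Added example; not FortiSwitchOS code.
"""

import re

# Second output line: "<U>U, <S>S, <I>I; <T>T, <F>F" (CPU percentages, then MB).
SUMMARY_RE = re.compile(r"(\d+)U,\s*(\d+)S,\s*(\d+)I;\s*(\d+)T,\s*(\d+)F")
# Process rows: name, PID, state (R/S/Z/D), CPU, memory.
PROCESS_RE = re.compile(r"^(\S+)\s+(\d+)\s+([RSZD])\s+(\d+\.\d+)\s+(\d+\.\d+)$")

# Constructed sample: the `diagnose sys top 5 5` output shown on this page.
SAMPLE_TOP = """\
S524DF4K15000024 # diagnose sys top 5 5

Run Time: 3 days, 0 hours and 40 minutes

0U, 6S, 94I; 1978T, 1744F
pyfcgid 695 S 0.0 0.7
pyfcgid 791 S 0.0 0.7
pyfcgid 792 S 0.0 0.7
httpsd 696 S 0.0 0.6
cmdbsvr 611 S 0.0 0.6
"""

# Hypothetical baseline built from the sample; a real one is recorded from a
# known-good switch running the same firmware.
BASELINE_PROCESSES = frozenset({"pyfcgid", "httpsd", "cmdbsvr"})


def parse_top(text):
    """Return (summary dict or None, list of process dicts)."""
    summary, processes = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.search(line)
        if m:
            keys = ("user_pct", "sys_pct", "idle_pct", "total_mb", "free_mb")
            summary = dict(zip(keys, map(int, m.groups())))
            continue
        m = PROCESS_RE.match(line)
        if m:
            name, pid, state, cpu, mem = m.groups()
            processes.append({"name": name, "pid": int(pid), "state": state,
                              "cpu": float(cpu), "mem": float(mem)})
    return summary, processes


def check_processes(processes, baseline=BASELINE_PROCESSES):
    """Flag processes missing from the baseline and processes in zombie state."""
    findings = []
    for proc in processes:
        if proc["name"] not in baseline:
            findings.append(f"unexpected process {proc['name']} (pid {proc['pid']})")
        if proc["state"] == "Z":
            findings.append(f"zombie process {proc['name']} (pid {proc['pid']})")
    return findings


if __name__ == "__main__":
    summary, procs = parse_top(SAMPLE_TOP)
    print(f"idle {summary['idle_pct']}%, free {summary['free_mb']} of {summary['total_mb']} MB")
    for finding in check_processes(procs) or ["all processes match the baseline"]:
        print(finding)
```

The prompt and the Run Time line fall through both patterns, so the parser can be fed a raw terminal capture. Because `diagnose sys top` only shows the top lines (20 by default), raise the line count when capturing a baseline so that low-CPU daemons are not silently excluded.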


diagnose sys vlan list

Use this command to display information about configured VLANs:


diagnose sys vlan list

To configure a VLAN, see config switch vlan on page 140.

diagnose test application

Use these commands to test specific daemons:


diagnose test application dnsproxy <test_level>
diagnose test application fpmd <test_level>
diagnose test application radiusd <test_level>
diagnose test application sflowd <test_level>
diagnose test application snmpd <test_level>

Variable Description

dnsproxy <test_level>  Specify the test level for the DNS proxy daemon:
                       - 1: Clear the DNS cache.
                       - 2: Show statistics.
                       - 3: Dump the DNS settings.
                       - 4: Reload the fully qualified domain name (FQDN).
                       - 5: Requery the FQDN.
                       - 6: Dump the FQDN.

fpmd <test_level>      Specify the test level for the hardware offload daemon.

radiusd <test_level>   Specify the test level for the RADIUS daemon:
                       - 2: Clear the RADIUS server database.
                       - 3: Show the RADIUS server database.
                       - 33: Show the RADIUS server database (with start time).
                       - 4: Show the RADIUS server database information.
                       - 9: Check the high availability (HA) context table checksums.
                       - 11: Show the HA synchronization connection status.
                       - 20: Show the RADIUS server configuration cache.
                       - 21: Show the RADIUS server interface configuration cache.
                       - 99: Restart.

sflowd <test_level>    Specify the test level for the sFlow daemon:
                       - 1: Show the collector setting.
                       - 2: Show the state.

snmpd <test_level>     Specify the test level for the SNMP daemon:
                       - 1: Display the daemon process identifier.
                       - 2: Display SNMP statistics.
                       - 3: Clear SNMP statistics.
                       - 4: Generate a test trap.
                       - 99: Restart the daemon.
                       - 101: Reset the msgAuthoritativeEngineBoots attribute to 0 and restart the daemon.

Example output

S524DF4K15000024 # diagnose test application dnsproxy 2


config: alloc=1
DNS_CACHE: alloc=0
DNS UDP: req=6680, res=0, fwd=26720, hits=0, alloc=0
cur=90 v6_cur=0
DNS TCP: req=0, alloc=0

S524DF4K15000024 # diagnose test application fpmd 2


L3 egr obj Num: 0 Max: 8192 LastFoundEgrId: 0
Valid: 0 Gw: 0.0.0.0 IfIndex: 0 RefCount: 0 EgrObj: 0 Status: 0

diagnose test authserver

Use these commands to test the authentication server:


diagnose test authserver cert <arguments>
diagnose test authserver ldap <server_name> <user_name> <password>
diagnose test authserver ldap-digest <arguments>
diagnose test authserver ldap-direct <arguments>
diagnose test authserver ldap-search <arguments>
diagnose test authserver local <arguments>
diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <user_name>
<password>
diagnose test authserver radius-direct <server_name _or_IP_address> <port_number> <secret>
diagnose test authserver tacacs+ <server_name> <user_name> <password>
diagnose test authserver tacacs+-direct <arguments>

Variable                                                                     Description

cert <arguments>                                                             Test the certificate authentication.

ldap <server_name> <user_name> <password>                                    Test the connection to an LDAP server. For the server_name, use the name of the LDAP object, not the LDAP server name. Use credentials that you have used in the LDAP object itself.

ldap-digest <arguments>                                                      Test the LDAP HA1 password query.

ldap-direct <arguments>                                                      Test the connection to an LDAP server.

ldap-search <arguments>                                                      Search for an LDAP server.

local <arguments>                                                            Test the local user.

radius <server_name> <chap | pap | mschap | mschap2> <user_name> <password>  Test the connection to the RADIUS server.

radius-direct <server_name_or_IP_address> <port_number> <secret>             Test the connection to the RADIUS server. For the port number, enter -1 to use the default port. Otherwise, enter the port number to check.

tacacs+ <server_name> <user_name> <password>                                 Test the connection to the TACACS+ server.

tacacs+-direct <arguments>                                                   Test the connection to the TACACS+ server.

diagnose user radius coa

Use this command to display information about RADIUS authentication and RADIUS accounting:
diagnose user radius coa

To configure RADIUS authentication and RADIUS accounting, see config user radius on page 210.

execute

Use the execute commands to perform immediate operations on the FortiSwitch unit:
- execute 802-1x clear interface on page 300
- execute acl clear-counter on page 301
- execute acl key-compaction on page 301
- execute backup config on page 302
- execute backup full-config on page 303
- execute backup memory on page 303
- execute batch on page 304
- execute bpdu-guard on page 305
- execute cfg reload on page 305
- execute cfg save on page 306
- execute clear switch igmp-snooping on page 307
- execute clear switch mld-snooping on page 307
- execute clear system arp table on page 307
- execute cli check-template-status on page 307
- execute cli status-msg-only on page 307
- execute date on page 308
- execute dhcp lease-clear on page 308
- execute dhcp lease-list on page 309
- execute dhcp-snooping on page 309
- execute disconnect-admin-session on page 310
- execute factoryreset on page 310
- execute factoryresetfull on page 310
- execute flapguard reset on page 311
- execute interface dhcpclient-renew on page 311
- execute interface dhcp6client-renew on page 311
- execute interface pppoe-reconnect on page 312
- execute license add on page 312
- execute license enhanced-debugging on page 312
- execute license status on page 313
- execute log delete on page 313
- execute log delete-all on page 313
- execute log display on page 314
- execute log filter on page 314
- execute log-report reset on page 315
- execute mac clear on page 315
- execute mac-limit-violation reset on page 316
- execute macsec clearstat interface on page 317
- execute macsec reset interface on page 317


- execute ping on page 317
- execute ping-options on page 318
- execute ping6 on page 320
- execute ping6-options on page 320
- execute poe-reset on page 321
- execute reboot on page 322
- execute restore on page 322
- execute revision on page 324
- execute router clear bgp on page 324
- execute router tech-support on page 325
- execute set-next-reboot on page 326
- execute shutdown on page 326
- execute source-guard-violation reset on page 327
- execute ssh on page 327
- execute stage on page 327
- execute sticky-mac on page 328
- execute switch-controller get-conn-status on page 328
- execute system certificate ca on page 329
- execute system certificate crl import auto on page 329
- execute system certificate local export tftp on page 330
- execute system certificate local generate on page 330
- execute system certificate local import tftp on page 331
- execute system certificate remote on page 332
- execute system sniffer-profile delete-capture on page 332
- execute system sniffer-profile pause on page 332
- execute system sniffer-profile start on page 333
- execute system sniffer-profile stop on page 333
- execute system sniffer-profile upload on page 333
- execute telnet on page 334
- execute time on page 334
- execute traceroute on page 335
- execute tracert6 on page 336
- execute upload config on page 336
- execute verify image on page 337

execute 802-1x clear interface

Use this command to clear all authorizations on a specified interface:


execute 802-1x clear interface {internal | port<integer>}


Example

This example shows how to remove all authorizations from port 1:


execute 802-1x clear interface port1

execute acl clear-counter

Use this command to clear the ACL counters associated with the specified policy:
execute acl clear-counter {all | ingress | egress | prelookup}

Variable Description

all Delete the ACL counters for all policies.

ingress Delete the ACL counters for ingress policies.

egress Delete the ACL counters for egress policies.

prelookup Delete the ACL counters for prelookup policies.

Example

This example deletes all ACL counters:


execute acl clear-counter all

execute acl key-compaction

NOTE: This command currently only works on the ingress policy.


Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress,
prelookup, or all policies for a particular group:
execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>

Variable Description

all Delete all unused classifiers for the specified group.

ingress Delete the unused classifiers for ingress policies for the
specified group.

egress Delete the unused classifiers for egress policies for the
specified group.

prelookup Delete the unused classifiers for lookup policies for the
specified group.

<group_ID> Enter the group identifier. Group identifiers are defined in the
config switch acl ingress command.

Example

This example deletes all unused classifiers from group 5:


execute acl key-compaction all 5

execute backup config

Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash
disk, FTP server, or TFTP server.

Syntax

execute backup config flash <comment>


execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
[<username_str> [<password_str>]] [<backup_password_str>]
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable                                                                                                          Description

config flash <comment>                                                                                            Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
                                                                                                                  Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]                                                  Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

Example

This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23


execute backup full-config

Use the execute backup full-config commands to back up the full FortiSwitch configuration to a TFTP or FTP
server.

Syntax

execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_


int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable                                                                                                               Description

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
                                                                                                                       Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]                                                  Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

Example

This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP
address 192.168.1.23.
execute backup full-config tftp fgt.cfg 192.168.1.23

execute backup memory

Use the execute backup memory commands to back up the FortiSwitch logs to a TFTP or FTP server.

Syntax

execute backup memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]>


[<username_str> <password_str>]
execute backup memory alllogs tftp <server_ipv4>
execute backup memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str>
<password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
execute backup memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus |
voip | webfilter}

Variable                                                                                              Description

memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
                                                                                                      Back up either all memory or all hard disk log files to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory alllogs tftp <server_ipv4>                                                                     Back up either all memory or all hard disk log files for this FortiSwitch to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
                                                                                                      Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
                                                                                                      Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk.

Example

This example shows how to back up all FortiSwitch log files to a TFTP server at IP address 192.168.1.23. The alllogs
form takes only the server address; there is no file name argument.
execute backup memory alllogs tftp 192.168.1.23

execute batch

Use the execute batch commands to execute a series of CLI commands.

The execute batch commands are controlled by the Maintenance (mntgrp) access control group.

Syntax

execute batch [<cmd_cue>]

The parameter <cmd_cue> takes one of the following values:

- end: exit the session and run the batch commands
- lastlog: read the result of the last batch commands
- start: start batch mode
- status: report whether batch mode is running or stopped


Example

To start batch mode:

execute batch start


Enter batch mode...

To enter commands to run in batch mode:

config system global


set refresh 5
end

To execute the batch commands:

execute batch end


Exit and run batch commands...

execute bpdu-guard

Use this command to reset a port that goes down after receiving a BPDU:
execute bpdu-guard reset {internal | port<number>}

Example

This example shows how to reset port 1 after it receives a BPDU and goes down:
execute bpdu-guard reset port1

execute cfg reload

Use this command to restore the saved configuration when the configuration change mode is manual or revert. This
command has no effect if the mode is automatic, the default. The set cfg-save command in system global
sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiSwitch performs a restart.
In the default configuration change mode, automatic, CLI commands become part of the saved system configuration
when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the
execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes
that were not saved are lost.
The revert mode is similar to manual mode, except that unsaved configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for administration.
You set the timeout in system global using the set cfg-revert-timeout command.


Syntax

execute cfg reload

Example

This is sample output from the command when successful:

# execute cfg reload
configs reloaded. system will reboot.

This is sample output from the command when not in runtime-only configuration mode:

# execute cfg reload
no config to be reloaded.

execute cfg save

Use this command to save configuration changes when the configuration change mode is manual or revert. If the
mode is automatic, the default, all changes are added to the saved configuration as you make them and this
command has no effect. The set cfg-save command in system global sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the
execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes
that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous
configuration change, such as changing the IP address of the interface you are using for administration. To change the
timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout
command.

Syntax

execute cfg save

Example

This is sample output from the command:

# execute cfg save
config saved.

This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration
mode and no changes have been made:

# execute cfg save
no config to be saved.


execute clear switch igmp-snooping

Use this command to clear the learned and configured IPv4 multicast groups from the FortiSwitch unit.

Syntax

execute clear switch igmp-snooping

execute clear switch mld-snooping

Use this command to clear the learned and configured IPv6 multicast groups from the FortiSwitch unit.

Syntax

execute clear switch mld-snooping

execute clear system arp table

Use this command to clear all the entries in the ARP table.

Syntax

execute clear system arp table

execute cli check-template-status

Use this command to report the status of the secure copy protocol (SCP) script template.

Syntax

execute cli check-template-status

execute cli status-msg-only

Use this command to enable or disable the display of standardized CLI error output messages. If executed, this
command stops other debug messages from displaying in the current CLI session.


Syntax

execute cli status-msg-only {enable | disable}

Variable                            Description                                                                      Default

status-msg-only {enable | disable}  Enable or disable standardized CLI error output messages. Entering the command   enable
                                    without enable or disable disables displaying standardized output.

execute date

Use this command to display or set the system date.

Syntax

execute date [<date_str>]

date_str has the form yyyy-mm-dd, where:

- yyyy is the year. The range is 2001 to 2037.
- mm is the month. The range is 01 to 12.
- dd is the day of the month. The range is 01 to 31.

If you do not specify a date, the command returns the current system date. Shortened values, such as “06” instead of
“2006” for the year or “1” instead of “01” for month or day, are not valid.

Example

This example sets the date to 17 September 2016:


execute date 2016-09-17

execute dhcp lease-clear

Use these commands to clear DHCP leases:


execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>

lease-clear all
    Clear all DHCP leases. (No default)
lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
    Clear the DHCP leases for the specified IPv4 addresses. Use a comma to separate IPv4 addresses. (No default)

Example

This example shows how to clear all DHCP leases on the specified IPv4 addresses:
execute dhcp lease-clear 1.2.3.4,5.6.7.8

execute dhcp lease-list

Use these commands to list DHCP leases:


execute dhcp lease-list
execute dhcp lease-list <interface>

lease-list
    List all DHCP leases. (No default)
lease-list <interface>
    List the DHCP leases for the specified interface. (No default)

Example

This example shows how to list all DHCP leases:


execute dhcp lease-list

execute dhcp-snooping

Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:
execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>
execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>

<VLAN-ID>
    Enter the VLAN identifier. The value range is 1-4095. (No default)
<xx:xx:xx:xx:xx:xx>
    Enter the MAC address for the IP address to remove. (No default)

Example

This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address
01:23:45:67:89:01 from the DHCP-snooping client database:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01

execute disconnect-admin-session

Use this command to disconnect an administrator who is logged in.

Syntax

execute disconnect-admin-session <index_number>

To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with
the following command:
execute disconnect-admin-session ?

The list of logged-in administrators looks like this:


Connected:
INDEX   USERNAME TYPE      FROM               TIME

0       admin        WEB 172.20.120.51      Mon Aug 14 12:57:23 2006


1       admin2       CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006

Example

This example shows how to disconnect the logged-in administrator admin2:


execute disconnect-admin-session 1
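As an added example that is not part of this reference, the following Python parser reads the session listing shown above, identifies logged-in administrators whose source address lies outside an allowed management network, and builds the matching disconnect commands. The sample listing and the management networks used in the check are constructed for the example.

```python
"""Parse the 'execute disconnect-admin-session ?' listing and pick sessions to disconnect."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the listing format shown above; not captured from a real unit.
SAMPLE_LISTING = """Connected:
INDEX   USERNAME TYPE      FROM               TIME

0       admin        WEB 172.20.120.51      Mon Aug 14 12:57:23 2006

1       admin2       CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

# One session per row: index, user name, access type, source, login time.
ROW_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<type>\S+)\s+(?P<source>\S+)\s+(?P<time>.+?)\s*$"
)
# CLI rows wrap the address in the transport, e.g. ssh(172.20.120.54); WEB rows give it bare.
ADDR_IN_PARENS_RE = re.compile(r"\(([^)]+)\)")


@dataclass
class AdminSession:
    index: int
    user: str
    access_type: str
    source_ip: str
    login_time: str


def parse_sessions(listing: str) -> list[AdminSession]:
    """Return the sessions in the listing; the header, blank and 'Connected:' lines are skipped."""
    sessions = []
    for line in listing.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        source = match.group("source")
        wrapped = ADDR_IN_PARENS_RE.search(source)
        sessions.append(
            AdminSession(
                index=int(match.group("index")),
                user=match.group("user"),
                access_type=match.group("type"),
                source_ip=wrapped.group(1) if wrapped else source,
                login_time=match.group("time"),
            )
        )
    return sessions


def sessions_outside(sessions: list[AdminSession], allowed_networks: list[str]) -> list[int]:
    """Indexes of sessions whose source is not inside any allowed network.

    A source that is not a parseable IP address is treated as outside.
    """
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    outside = []
    for session in sessions:
        try:
            address = ipaddress.ip_address(session.source_ip)
        except ValueError:
            outside.append(session.index)
            continue
        if not any(address in net for net in networks):
            outside.append(session.index)
    return outside


def disconnect_commands(indexes: list[int]) -> list[str]:
    """Build one 'execute disconnect-admin-session <index>' command per session index."""
    return [f"execute disconnect-admin-session {index}" for index in indexes]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LISTING)
    # Hypothetical management network used for the check.
    for command in disconnect_commands(sessions_outside(found, ["172.20.120.48/30"])):
        print(command)
```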

execute factoryreset

Use this command to reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryreset

This procedure deletes all changes that you have made to the FortiSwitch
configuration and reverts the system to its original configuration, including resetting
interface addresses.

execute factoryresetfull

Use this command to fully reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryresetfull

This procedure removes all configurations, saved user and application data, and
licenses and resets the BIOS environment to the default. Images saved to the
partitions are not removed.

execute flapguard reset

Use this command to reset the specified port if flap guard was triggered on that port:
execute flapguard reset <port_name>

Example

This example shows how to reset port 1 after flap guard was triggered on it:
execute flapguard reset port1

execute interface dhcpclient-renew

Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no
DHCP connection on the specified port, there is no output.

Syntax

execute interface dhcpclient-renew <interface>

Example output

This is the output for renewing the DHCP client on port 1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1

execute interface dhcp6client-renew

Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is
no DHCPv6 connection on the specified port, there is no output.

Syntax

execute interface dhcp6client-renew <interface>

execute interface pppoe-reconnect

Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If
there is no PPPoE connection on the specified port, there is no output.

Syntax

execute interface pppoe-reconnect <interface>

execute license add

Use this command to add a new license.

Syntax

execute license add <key>

execute license enhanced-debugging

Use this command to get information about the enhanced debugging license or to remove it.

Syntax

execute license enhanced-debugging {clear | description | get | status}

clear
    Remove the current enhanced debugging license key.
description
    Get a general description of the enhanced debugging license key.
get
    Retrieve the enhanced debugging license key.
status
    Check whether the enhanced debugging license is active.

Example output

S524DF4K15000024 # execute license enhanced-debugging description


This license will enable potentially hazardous debug, such as shells and other features.

S524DF4K15000024 # execute license enhanced-debugging status


enhanced-debugging: Active
Debug license flags: 0x01

execute license status

Use this command to display the status of all installed licenses.

Syntax

execute license status

Example output

S524DF4K15000024 # execute license status


License | Status
enhanced-debugging : Active
FS-SW-LIC-500 : Active

execute log delete

Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.

Syntax

execute log delete

execute log delete-all

Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk,
only log entries in system memory are cleared. You will be prompted to confirm the command.

Syntax

execute log delete-all

execute log display

Use this command to display log messages that you have selected with the execute log filter command.

Syntax

execute log display

The console displays the first 10 log messages. To view more messages, run the command again. You can do this until
you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following
commands:
execute log filter start-line 1
execute log display

You can restore the log filters to their default values using the following command:
execute log filter reset

execute log filter

Use this command to select log messages for viewing or deletion. You can view one log category on one device at a
time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For
traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to view.
execute log filter category <category_name>
execute log filter device {memory | faz | fds}
execute log filter dump
execute log filter field <name>
execute log filter ha-member <unitsn_str>
execute log filter max-checklines <int>
execute log filter reset
execute log filter start-line <line_number>
execute log filter view-lines <count>

category <category_name>
    Enter the type of log you want to select. For SQL logging and memory logging, one of: utm, content, event, or traffic. (Default: event)
device {memory | faz | fds}
    Device where the logs are stored. (Default: memory)
dump
    Display current filter settings. (No default)

field <name>
    Press Enter to view the fields that are available for the associated category. Enter the fields you want, using commas to separate multiple fields. (No default)
ha-member <unitsn_str>
    Select logs from the specified HA cluster member. Enter the serial number of the system. (No default)
max-checklines <int>
    Set the maximum number of lines to check. The range is 100 to 1,000,000. A value of 0 disables the feature. (No default)
reset
    Execute this command to reset all filter settings. (No default)
start-line <line_number>
    Select logs starting at the specified line number. The value must be 1 or higher. (Default: 1)
view-lines <count>
    Set lines per view. The value range is 5 to 1000. (Default: 10)

execute log-report reset

Use this command to delete all logs, archives, and user configured report templates.

Syntax

execute log-report reset

execute loop-guard reset

Use this command to reset a port that has been put out of service by loop-guard.
execute loop-guard reset <interface>

Example

This example shows how to reset port 1 after loop guard was triggered on it:
execute loop-guard reset port1

execute mac clear

Use this command to clear MAC addresses.

Syntax

execute mac clear all


execute mac clear by-interface <interface>
execute mac clear by-mac-address <mac_address>
execute mac clear by-vlan <vlan_int>
execute mac clear by-vlan-and-interface <vlan_int> <interface>
execute mac clear by-vlan-and-mac-address <vlan_int> <mac_address>

all
    Clear all MAC entries.
by-interface <interface>
    Clear all MAC entries on the specified interface.
by-mac-address <mac_address>
    Clear all MAC entries for a specified MAC address.
by-vlan <vlan_int>
    Clear all MAC entries for a specified VLAN.
by-vlan-and-interface <vlan_int> <interface>
    Clear all MAC entries for a specified VLAN on a specified interface.
by-vlan-and-mac-address <vlan_int> <mac_address>
    Clear all MAC entries for a specified VLAN that match the specified MAC address.

execute mac-limit-violation reset

Use these commands to reset the learning limit violation log.


To enable or disable the learning limit violation log for a FortiSwitch unit, see config switch global on page 88.

Syntax

execute mac-limit-violation reset all


execute mac-limit-violation reset interface <interface_name>
execute mac-limit-violation reset vlan <VLAN_ID>

all
    Clear all learning limit violation logs.
interface <interface_name>
    Clear the learning limit violation log for a specific interface.
vlan <VLAN_ID>
    Clear the learning limit violation log for a specific VLAN.

Example

This example shows how to clear the learning limit violation log for VLAN 5:
execute mac-limit-violation reset vlan 5

execute macsec clearstat interface

Use this command to clear all MACsec statistics on a single interface.

Syntax

execute macsec clearstat interface <interface_name>

Example

This example shows how to clear the MACsec statistics on port 5:
# execute macsec clearstat interface port5

execute macsec reset interface

Use this command to reset the MACsec session on a single interface.

Syntax

execute macsec reset interface <interface_name>

Example

This example shows how to reset the MACsec session on port 5:
# execute macsec reset interface port5

execute ping

The execute ping command sends one or more ICMP echo requests (pings) to test the network connection between
the FortiSwitch and another network device.

Syntax

execute ping <address_ipv4>

<address_ipv4> is an IP address.

Example

This example shows how to ping a host with the IP address 172.20.120.16:
# execute ping 172.20.120.16

PING 172.20.120.16 (172.20.120.16): 56 data bytes


64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms

--- 172.20.120.16 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss


round-trip min/avg/max = 0.2/0.2/0.5 ms

execute ping-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection
between the FortiSwitch and another network device.

Syntax

execute ping-options adaptive-ping {enable | disable}


execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options interface {Auto | <outgoing_interface>}
execute ping-options interval <seconds>
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options reset
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings

adaptive-ping {enable | disable}
    Enable or disable adaptive ping. (Default: disable)
data-size <bytes>
    Specify the datagram size in bytes. (Default: 56)
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented. (Default: no)

interface {Auto | <outgoing_interface>}
    Specify the source interface or select auto for the source interface to be automatically assigned. (Default: auto)
interval <seconds>
    Specify the number of seconds between two pings. The value must be greater than 0. (No default)
pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. (No default)
repeat-count <repeats>
    Specify how many times to repeat ping. (Default: 5)
reset
    Reset the ping options to their default settings. (No default)
source {auto | <source-intf_ip>}
    Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface. (Default: auto)
timeout <seconds>
    Specify, in seconds, how long to wait until ping times out. (Default: 2)
tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: lowdelay (minimize delay), throughput (maximize throughput), reliability (maximize reliability), or lowcost (minimize cost). (Default: 0)
ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. (Default: 64)
validate-reply {yes | no}
    Select yes to validate reply data. (Default: no)
view-settings
    Display the current ping option settings. (No default)

Example

Use the following command to increase the number of pings sent:


execute ping-options repeat-count 10

Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:
execute ping-options source 192.168.10.23

execute ping6

The ping6 command sends one or more ICMP echo requests (pings) to test the network connection between the
FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6 {<address_ipv6> | <host-name_str>}

Example

This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

execute ping6-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection
between the FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6-options data-size <bytes>


execute ping6-options interval <seconds>
execute ping6-options pattern <2-byte_hex>
execute ping6-options repeat-count <repeats>
execute ping6-options source {auto | <source-intf_ip>}
execute ping6-options timeout <seconds>
execute ping6-options tos <service_type>
execute ping6-options ttl <hops>
execute ping6-options validate-reply {yes | no}
execute ping6-options view-settings

data-size <bytes>
    Specify the datagram size in bytes. (Default: 56)
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented. (Default: no)
interval <seconds>
    Specify the number of seconds between two pings. The value must be greater than 0. (No default)

pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection. (No default)
repeat-count <repeats>
    Specify how many times to repeat ping. (Default: 5)
source {auto | <source-intf_ip>}
    Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface. (Default: auto)
timeout <seconds>
    Specify, in seconds, how long to wait until ping times out. (Default: 2)
tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: lowdelay (minimize delay), throughput (maximize throughput), reliability (maximize reliability), or lowcost (minimize cost). (Default: 0)
ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. (Default: 64)
validate-reply {yes | no}
    Select yes to validate reply data. (Default: no)
view-settings
    Display the current ping option settings. (No default)

Example

Use the following command to validate reply data:


execute ping6-options validate-reply yes

execute poe-reset

This command performs a PoE reset on the specified port.

Syntax

execute poe-reset <port_number>

Example

Use the following command to reset the PoE power on port 1:


execute poe-reset port1

execute reboot

Use this command to restart the system.

Abruptly powering off your system may corrupt its configuration. Use the reboot or
shutdown commands to ensure proper shutdown procedures are followed to
prevent any loss of configuration.

Syntax

execute reboot [comment <"comment_string">]

[comment <"comment_string">] enables you to optionally add a message that will appear in the hard disk log
indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotation marks.

Example

This example shows the reboot command with a message included:


execute reboot comment "December monthly maintenance"

execute restore

Use this command to restore a configuration, firmware, or IPS signature file. The following options are available:

- restore the configuration from a file
- change the FortiSwitch firmware
- restore the BIOS from a file

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that
created it.
A backup of the system configuration from the super admin account contains the global settings and the settings for all
of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which
the administrator belongs. Only a regular administrator account can restore the configuration from this file.

Syntax

execute restore bios tftp <filename_str> <server_ipv4[:port_int]>


execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
[<username_str> <password_str>] [<backup_password_str>]
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>
[<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn
[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>

bios tftp <filename_str> <server_ipv4[:port_int]>
    Restore the BIOS. Download the restore file from a TFTP server.
config flash <revision>
    Restore the specified revision of the system configuration from the flash disk.
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.
image management-station <version_int>
    Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.
image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware.
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.
secondary-image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.

Example

This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch
with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the
TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23

execute revision

Use this command to manage configuration and firmware image files on the local disk.

Syntax

execute revision delete config <revision>


execute revision list config
execute revision show config

delete config <revision>
    Delete the specified configuration revision on the local disk.
list config
    List the configuration revisions on the local disk.
show config
    Display the details of the configuration revision on the local disk.

Example

Use the following command to delete revision 1 of the configuration file on the local disk:
execute revision delete config 1

execute router clear bgp

Use this command to clear the BGP routing configuration.

Syntax

execute router clear bgp {all | as | dampening | external | ip | ipv6}

all <arguments>
    Clear all BGP peers.
as <arguments>
    Clear a BGP peer by AS number.

dampening {<IP_address> | <IP_address/length>}
    Clear the BGP flap-dampening information.
external <arguments>
    Clear all external BGP peers.
ip <A.B.C.D|X:X::X:X|*>
    Clear a BGP peer by IPv4 or IPv6 address. Use * to clear all BGP peers.
ipv6 <A.B.C.D|X:X::X:X|*>
    Clear a BGP peer by IPv4 or IPv6 address. Use * to clear all BGP peers.

Example

Use the following command to delete the BGP flap-dampening information:


execute router clear bgp dampening 1.2.3.4

execute router clear ospf

Use this command to clear the OSPF routing configuration from the specified interface.

Syntax

execute router clear ospf interface <interface_name>

Example

Use the following command to delete the OSPF routing configuration from the VLAN interface:
execute router clear ospf interface vlan20

execute router tech-support

Use this command to display the specified routing configuration and troubleshooting information.

Syntax

execute router tech-support {ospf | rip | bgp | isis | static}

Example

Use the following command to display the BGP routing configuration and troubleshooting information:
execute router tech-support bgp

execute set-next-reboot

Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the
primary or the secondary flash partition.
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.

Syntax

execute set-next-reboot <primary | secondary>

Example

This example specifies that the next reboot will use the secondary flash partition:
execute set-next-reboot secondary
Set next reboot partition to secondary

execute shutdown

Use this command to shut down the system immediately. You will be prompted to confirm this command.

Abruptly powering off your system might corrupt its configuration. Using the reboot
and shutdown options in the CLI or in the Web-based manager ensures that proper
shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute shutdown [comment <"comment_string">]

The comment field is optional. Use it to add a message that will appear in the event log message that records the
shutdown. The comment message does not appear on the Alert Message console. If the message is more than one
word it must be enclosed in quotation marks.

Example

This example shows the shutdown command with a message included:


execute shutdown comment "emergency facility shutdown"

An event log message similar to the following is recorded:


2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the
device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
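As an added example that is not part of this reference, the following Python parser reads event log messages in the format shown above and flags shutdowns initiated from a source address outside an assumed management network, which is the check an operator reviewing these messages would want. The first sample line mirrors the message above; the second line and the management network are constructed for the example.

```python
"""Parse FortiSwitch shutdown event log messages and flag unexpected sources."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the format shown above. The first mirrors the
# reference's example message; the second is invented for this example.
SAMPLE_LOG = """2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
2009-09-09 02:07:45 critical admin 41986 ssh(10.9.8.7) shutdown User admin shutdown the device from ssh(10.9.8.7). The reason is 'none'
"""

# Fields in order: date, time, severity, user, log id, source, action, free-text message.
EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<severity>\w+) "
    r"(?P<user>\S+) (?P<log_id>\d+) (?P<source>\S+) (?P<action>\w+) (?P<message>.*)$"
)
REASON_RE = re.compile(r"The reason is '(?P<reason>[^']*)'")
ADDR_RE = re.compile(r"\(([^)]+)\)")  # ssh(172.20.120.11) -> 172.20.120.11


@dataclass
class ShutdownEvent:
    timestamp: str
    severity: str
    user: str
    transport: str
    source_ip: str
    reason: str


def parse_events(log_text: str) -> list[ShutdownEvent]:
    """Return the shutdown events found in the text; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match or match.group("action") != "shutdown":
            continue
        source = match.group("source")
        addr = ADDR_RE.search(source)
        reason = REASON_RE.search(match.group("message"))
        events.append(
            ShutdownEvent(
                timestamp=f"{match.group('date')} {match.group('time')}",
                severity=match.group("severity"),
                user=match.group("user"),
                transport=source.split("(", 1)[0],
                source_ip=addr.group(1) if addr else source,
                reason=reason.group("reason") if reason else "",
            )
        )
    return events


def unexpected_shutdowns(events: list[ShutdownEvent], allowed_networks: list[str]) -> list[ShutdownEvent]:
    """Events whose source address is outside every allowed network (unparseable sources are flagged)."""
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for event in events:
        try:
            address = ipaddress.ip_address(event.source_ip)
        except ValueError:
            flagged.append(event)
            continue
        if not any(address in net for net in networks):
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    # Hypothetical management network used for the check.
    for event in unexpected_shutdowns(parse_events(SAMPLE_LOG), ["172.20.120.0/24"]):
        print(f"{event.timestamp} {event.user}@{event.source_ip} via {event.transport}: {event.reason!r}")
```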

execute source-guard-violation reset

Use these commands to reset the source-guard violations.

Syntax

execute source-guard-violation reset all


execute source-guard-violation reset interface <interface_name>

all
    Reset all source-guard violations.
interface <interface_name>
    Reset source-guard violations for the specified switch interface.

execute ssh

Use this command to establish an SSH session with another system.

Syntax

execute ssh <destination>

<destination> is the destination in the form user@IPv4_address, user@IPv6_address, or user@DNS_name. If the
IPv6 address is a link-local address, you must specify an output interface using %.

Examples

execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.


execute ssh admin@172.20.120.122
execute ssh 1002::21
execute ssh 12.345.6.78

To end an SSH session, type exit:


S524DF4K15000024 # exit
Connection to 172.20.120.122 closed.
S524DF4K15000024 #

execute stage

Use this command to stage an image from an FTP or TFTP server.

Syntax

execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>

<string> is the image file name (including path) on the remote server.

execute sticky-mac

Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a
FortiSwitch port changes (goes down or up).

Syntax

execute sticky-mac delete-unsaved {all | interface <interface_name>}


execute sticky-mac save {all | interface <interface_name>}

delete-unsaved {all | interface <interface_name>}
    Delete all persistent MAC entries (instead of saving them in the FortiSwitch configuration file) for all interfaces or for the specified interface.
save {all | interface <interface_name>}
    Save all persistent MAC entries in the FortiSwitch configuration file for all interfaces or for the specified interface.

execute switch-controller get-conn-status

Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch is
managed by a FortiGate.

Syntax

execute switch-controller get-conn-status

Example

S524DF4K15000024 # execute switch-controller get-conn-status

Get managed-switch S524DF4K15000024 connection status:


Connection: Connected
Image Version: FG100D-v6.2-build849
Remote Address: xxx.xxx.x.x
Join Time: Wed Mar 13 08:38:57 2019

DTLS Version: DTLSv1.2

execute system certificate ca

Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate
from the FortiSwitch to a TFTP server.
Before using this command, you must obtain a CA certificate issued by a Certificate Authority.

Syntax

execute system certificate ca export tftp <name> <file-name> <tftp_ip>


execute system certificate ca import auto <ca_server_url> [ca_identifier_str]
execute system certificate ca import tftp <file-name> <tftp_ip>

import
    Import the CA certificate from a TFTP server to the FortiSwitch unit.
export
    Export or copy the CA certificate from the FortiSwitch to a file on the TFTP server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2.
<name>
    Enter the name of the CA certificate.
<file-name>
    Enter the file name on the TFTP server.
<tftp_ip>
    Enter the TFTP server address.
auto
    Retrieve a CA certificate from a SCEP server.
tftp
    Import the CA certificate to the FortiSwitch from a file on a TFTP server (local administrator PC).
<ca_server_url>
    Enter the URL of the CA certificate server.
<ca_identifier_str>
    CA identifier on the CA certificate server (optional).

execute system certificate crl import auto

Use this command to get a certificate revocation list via LDAP, HTTP, or SCEP protocol, depending on the
autoupdate configuration.
To use this command, the authentication servers must already be configured.

Syntax

execute system certificate crl import auto <crl-name>

import
    Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiSwitch unit.
<crl-name>
    Enter the name of the CRL.
auto
    Trigger an auto-update of the CRL from the configured authentication server.

execute system certificate local export tftp

Use this command to export a local certificate from the FortiSwitch to a TFTP server.

Syntax

execute system certificate local export tftp <name> <file-name> <tftp_ip>

Variable Description

export Export or copy the local certificate from the FortiSwitch unit to a file on the
TFTP server.

<name> Enter the name of the local certificate. Available local certificates are Entrust_
802.1x, Fortinet_Factory, and Fortinet_Firmware.

<file-name> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

execute system certificate local generate

Use this command to generate a local certificate.


When you generate a certificate request, you create a private and public key pair for the local FortiSwitch unit. The
public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the system certificate local import command to
install it on the FortiSwitch unit.

Syntax

execute system certificate local generate <name> <key-length> <subject_str> <country> <state>
<city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>

Variable Description

<name> Enter the local certificate name.


<key-length> Enter the key size, which can be 1024, 1536, or 2048.

<subject_str> Enter the subject (host IP address/domain name/e-mail address).

<country> Enter the country name (such as canada), country code (such as ca), or
null for none.
<state> Enter the state.

<city> Enter the city.

<organization> Enter the company name.

<bu> Enter the business unit.

<email> Enter the email address.

<SAN> This field is optional. Enter a subject alternative name.

<URL> This field is optional. Enter the URL of the CA server for signing using SCEP.

<challenge> Enter the challenge password for signing using SCEP.

<source_IP> This field is optional. Enter the source IP address for communicating with the
CA server.

<CA_id> This field is optional. Enter the CA identifier of the CA server for signing using SCEP.

<password> This field is optional. Enter the password if you are using a private key.

execute system certificate local import tftp

Use this command to import a local certificate to the FortiSwitch from a TFTP server.

Syntax

execute system certificate local import tftp <file-name> <tftp_ip>

Variable Description

<name> Enter the name of the local certificate.

<file-name> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.


execute system certificate remote

Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the
FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as
OCSP (Online Certificate Status Protocol) server certificates.

Syntax

execute system certificate remote import tftp <file-name> <tftp_ip>


execute system certificate remote export tftp <name> <file-name> <tftp_ip>

Variable Description

import Import the remote certificate from the TFTP server to the FortiSwitch
unit.

export Export or copy the remote certificate from the FortiSwitch to a file on
the TFTP server.
To view a list of the certificates, use the following command:
execute system certificate remote export tftp ?

<name> Enter the name of the local certificate.

<file-name> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

execute system sniffer-profile delete-capture

Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.

Syntax

execute system sniffer-profile delete-capture <profile_name>

Example

execute system sniffer-profile delete-capture profile1

execute system sniffer-profile pause

Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile,
see config system sniffer-profile on page 198.


Syntax

execute system sniffer-profile pause <profile_name>

Example

execute system sniffer-profile pause profile1

execute system sniffer-profile start

Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.

Syntax

execute system sniffer-profile start <profile-name>

Example

execute system sniffer-profile start profile1

execute system sniffer-profile stop

Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see
config system sniffer-profile on page 198.

Syntax

execute system sniffer-profile stop <profile-name>

Examples

execute system sniffer-profile stop profile1

execute system sniffer-profile upload

Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a
packet-capture profile, see config system sniffer-profile on page 198.


Syntax

execute system sniffer-profile upload ftp <profile_name> <file_name> <FTP_server_IP_address:<optional_port>>
execute system sniffer-profile upload tftp <profile_name> <file_name> <TFTP_server_IP_address:<optional_port>>

Variable Description

<profile_name> Enter the name of the packet-capture profile.

<file_name> Enter the name of the .pcap file and the path where it is located.

<FTP_server_IP_address:<optional_port>> Enter the IP address of the FTP server and optionally enter the port number.

<TFTP_server_IP_address:<optional_port>> Enter the IP address of the TFTP server and optionally enter the port number.

Examples

execute system sniffer-profile upload ftp profile profile1.pcap 192.168.1.23

execute telnet

Use this command to create a Telnet client. You can use this tool to test network connectivity.

Syntax

execute telnet <telnet_ipv4 or telnet_ipv6>

<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect with. If the IPv6 address is a link-local
address, you must specify an output interface using %.
Type exit to close the Telnet session.

Examples

execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute telnet 1002::21
execute telnet 12.345.6.78

execute time

Use this command to display or set the system time.


Syntax

execute time [<time_str>]

<time_str> has the form hh:mm:ss, where:

l hh is the hour. The range is 00 to 23.
l mm is the minutes. The range is 00 to 59.
l ss is the seconds. The range is 00 to 59.
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example, both 01:01:01 and 1:1:1 are
allowed.

Example

This example sets the system time to 15:31:03:

execute time 15:31:03

execute traceroute

Use this command to test the connection between the FortiSwitch and another network device, and display information
about the network hops between the FortiSwitch and the device.

Syntax

execute traceroute {<ip_address> | <host-name>}

Example

This example shows how to test the connection with http://docs.forticare.com. In this example, the traceroute
command times out after the first hop, indicating a possible problem.

#execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
 1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
 2 * * *

If your FortiSwitch is not connected to a working DNS server, you will not be able to connect to remote host-named
locations with traceroute.


execute tracert6

Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol
and to display information about the network hops between the FortiSwitch and the device.

Syntax

execute tracert6 [-Fdn] [-f <first_ttl>] [-i <interface>] [-m <max_ttl>] [-s <src_addr>] [-q <nprobes>] [-w <waittime>] [-z <sendwait>] <host> [<paddatalen>]

Variable Description

-F Set the Don't Fragment bit.

-d Enable debugging.

-n Do not resolve numeric addresses to domain names.

-f <first_ttl> Set the initial time-to-live used in the first outgoing probe packet.

-i <interface> Select the interface to use for tracert6.

-m <max_ttl> Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets.

-s <src_addr> Set the source IP address to use in outgoing probe packets.

-q <nprobes> Set the number of probes per hop.

-w <waittime> Set the time in seconds to wait for a response to a probe. The default is 5.

-z <sendwait> Set the time in milliseconds to pause between probes.

<host> Enter the IP address or FQDN to probe.

<paddatalen> Set the packet size to use when probing.

execute upload config

Use this command to upload system configurations to the flash disk from FTP or TFTP sources.

Syntax

execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>


Variable Description

<comment> Comment string.

<filename_str> Filename to upload.

<server_fqdn[:port_int]> Server fully qualified domain name and optional port.

<server_ipv4[:port_int]> Server IP address and optional port number.

<username_str> User name required on server.

<password_str> Password required on server.

<backup_password_str> Password for backup file.

execute verify image

Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.

Syntax

execute verify image {primary | secondary}

Example

execute verify image primary
Verifying the image in flash......100%
No issue found!

execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1

get

The get commands provide information about the operation of the FortiSwitch unit:
l get hardware cpu on page 340
l get hardware memory on page 341
l get hardware status on page 342
l get log custom-field on page 342
l get log eventfilter on page 342
l get log gui on page 343
l get log memory on page 343
l get log syslogd on page 345
l get log syslogd2 on page 345
l get log syslogd3 on page 346
l get router info bfd neighbor on page 347
l get router info bgp on page 347
l get router info gwdetect on page 348
l get router info isis on page 348
l get router info kernel on page 349
l get router info multicast on page 349
l get router info ospf on page 350
l get router info rip on page 351
l get router info routing-table on page 352
l get router info vrrp on page 353
l get router info6 bfd neighbor on page 354
l get router info6 bgp on page 354
l get router info6 isis on page 355
l get router info6 kernel on page 355
l get router info6 ospf on page 356
l get router info6 rip on page 357
l get router info6 routing-table on page 357
l get router info6 vrrp on page 358
l get switch acl on page 358
l get switch dhcp-snooping on page 359
l get switch flapguard settings on page 361
l get switch global on page 361
l get switch igmp-snooping on page 362
l get switch interface on page 363
l get switch ip-mac-binding on page 364
l get switch ip-source-guard on page 364
l get switch ip-source-guard-violations on page 364
l get switch lldp on page 364
l get switch mac-limit-violations on page 365


l get switch mirror status on page 366
l get switch mld-snooping on page 367
l get switch modules on page 368
l get switch network-monitor on page 369
l get switch phy-mode on page 370
l get switch physical-port on page 370
l get switch poe inline on page 370
l get switch qos on page 371
l get switch raguard-policy on page 372
l get switch security-feature on page 372
l get switch static-mac on page 373
l get switch storm-control on page 373
l get switch stp instance on page 374
l get switch stp settings on page 374
l get switch trunk on page 374
l get switch virtual-wire on page 375
l get switch vlan on page 375
l get system accprofile on page 376
l get system admin list on page 376
l get system admin status on page 377
l get system arp on page 378
l get system arp-table on page 378
l get system auto-update on page 378
l get system bug-report on page 379
l get system certificate on page 379
l get system cmdb status on page 380
l get system console on page 381
l get system dns on page 382
l get system flow-export on page 382
l get system flow-export-data on page 383
l get system fsw-cloud on page 383
l get system fsw-cloud-mgr connection-info on page 384
l get system global on page 385
l get system info admin ssh on page 386
l get system info admin status on page 386
l get system interface physical on page 387
l get system ipv6-neighbor-cache on page 387
l get system link-monitor on page 387
l get system location on page 388
l get system ntp on page 388
l get system password-policy on page 389
l get system performance firewall statistics on page 389
l get system performance status on page 390
l get system performance top on page 390
l get system schedule group on page 391


l get system schedule onetime on page 392
l get system schedule recurring on page 392
l get system settings on page 392
l get system sflow on page 393
l get system sniffer-profile capture on page 393
l get system sniffer-profile summary on page 393
l get system snmp sysinfo on page 394
l get system source-ip status on page 394
l get system startup-error-log on page 395
l get system status on page 395
l get test on page 396
l get user group on page 396
l get user ldap on page 397
l get user local on page 397
l get user radius on page 397
l get user setting on page 398
l get user tacacs+ on page 398

get hardware cpu

Use this command to display detailed information about the CPUs installed in your FortiSwitch unit.

Syntax

get hardware cpu

Example output

S524DF4K15000024 # get hardware cpu

Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 1993.93

processor : 1
BogoMIPS : 1993.93

Features : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part : 0xc09
CPU revision : 0

Hardware : Broadcom iProc
Revision : 0000
Serial : 0000000000000000


get hardware memory

Use this command to display information about FortiSwitch memory use. Information includes the total memory,
memory in use, and free memory.

Syntax

get hardware memory

Example output

S524DF4K15000024 # get hardware memory

MemTotal: 2026080 kB
MemFree: 1725840 kB
Buffers: 1336 kB
Cached: 68548 kB
SwapCached: 0 kB
Active: 42724 kB
Inactive: 59596 kB
Active(anon): 32436 kB
Inactive(anon): 0 kB
Active(file): 10288 kB
Inactive(file): 59596 kB
Unevictable: 0 kB
Mlocked: 0 kB
HighTotal: 221184 kB
HighFree: 119468 kB
LowTotal: 1804896 kB
LowFree: 1606372 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 32436 kB
Mapped: 14680 kB
Shmem: 0 kB
Slab: 15348 kB
SReclaimable: 3800 kB
SUnreclaim: 11548 kB
KernelStack: 776 kB
PageTables: 3556 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 1013040 kB
Committed_AS: 594696 kB
VmallocTotal: 245760 kB
VmallocUsed: 66276 kB
VmallocChunk: 163772 kB


get hardware status

Report information about the FortiSwitch hardware including ASIC version, CPU type, amount of memory, flash drive
size, hard disk size (if present), and USB flash size (if present). Use this information to troubleshoot, to provide to
Fortinet Support, or to confirm the features that your FortiSwitch model supports.

Syntax

get hardware status

Example output

S524DF4K15000024 # get hardware status

Model name: FortiSwitch-524D-FPOE
CPU: ARMv7 Processor rev 0 (v7l)
RAM: 1978 MB
MTD Flash: 52 MB /dev/mtd
Hard disk: not available
Switch CPLD Version: V0.4
Poe Firmware Version:2.6.3

get log custom-field

Use this command to get information about custom log fields that have been created. To create custom log fields, see
config log custom-field on page 18.

Syntax

get log custom-field

Example output

S524DF4K15000024 # get log custom-field

== [ 1 ]
id: 1
== [ 2 ]
id: 2

This output shows that two custom fields have been created.

get log eventfilter

Use this command to find out which logs are enabled:


l Event logs show configuration changes and allow you to monitor the activities administrators perform.
l Router logs allow you to review all router activity. Router logs are available only on supported platforms if you have
the advanced features license.
l System logs show system-level activity such as IP conflicts.
l User logs show user activity such as who is logged on and when.
To enable event logging, see config log eventfilter on page 19.

Syntax

get log eventfilter

Example output

S524DF4K15000024 # get log eventfilter

event : enable
router : enable
system : enable
user : enable

get log gui

Use this command to find out which device is being used to display logs in the Web-based manager.

Syntax

get log gui

Example output

S524DF4K15000024 # get log gui

log-device : memory

This output shows that logs are being displayed from memory.

get log memory

Use this command to find out the current settings for logging to system memory.

Syntax

get log memory filter
get log memory global-setting


get log memory setting

Variable Description

filter Find out the severity level of log entries made in system memory. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
l emergency — The system is unusable.
l alert — Immediate action is required.
l critical — Functionality is affected.
l error — An erroneous condition exists and functionality is probably affected.
l warning — Functionality might be affected.
l notification — Information about normal events.
l information — General information about system operations.
l debug — Information used for diagnosing or debugging the system.

global-setting Find out the global settings for logging to system memory:
l full-final-warning-threshold — the number of log entries saved before a final warning is sent. When all memory is filled, the system overwrites the oldest log entries.
l full-first-warning-threshold — the number of log entries saved before the first warning is sent.
l full-second-warning-threshold — the number of log entries saved before the second warning is sent.
l hourly-upload — whether the log is uploaded hourly.
l max-size — the maximum size of the memory buffer log, in bytes.

setting Find out the general settings for logging to system memory:
l diskfull — whether the oldest log entries are overwritten when the system memory is full.
l status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log memory filter

severity : information

S524DF4K15000024 # get log memory global-setting

full-final-warning-threshold: 95
full-first-warning-threshold: 75
full-second-warning-threshold: 90
hourly-upload : disable
max-size : 98304

S524DF4K15000024 # get log memory setting

diskfull : overwrite
status : enable


get log syslogd

Use this command to get information about your system log 1 settings.

Syntax

get log syslogd {filter | setting}

Variable Description

filter Find out the severity level of system log 1 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
l emergency — The system is unusable.
l alert — Immediate action is required.
l critical — Functionality is affected.
l error — An erroneous condition exists and functionality is probably affected.
l warning — Functionality might be affected.
l notification — Information about normal events.
l information — General information about system operations.
l debug — Information used for diagnosing or debugging the system.

setting Find out the general settings for the system log 1:
l diskfull — whether the oldest log entries are overwritten when the system memory is full.
l status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd filter

severity : information

S524DF4K15000024 # get log syslogd setting

status : disable

get log syslogd2

Use this command to get information about your system log 2 settings.

Syntax

get log syslogd2 {filter | setting}


Variable Description

filter Find out the severity level of system log 2 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
l emergency — The system is unusable.
l alert — Immediate action is required.
l critical — Functionality is affected.
l error — An erroneous condition exists and functionality is probably affected.
l warning — Functionality might be affected.
l notification — Information about normal events.
l information — General information about system operations.
l debug — Information used for diagnosing or debugging the system.

setting Find out the general settings for the system log 2:
l diskfull — whether the oldest log entries are overwritten when the system memory is full.
l status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd2 filter

severity : information

S524DF4K15000024 # get log syslogd2 setting

status : disable

get log syslogd3

Use this command to get information about your system log 3 settings.

Syntax

get log syslogd3 {filter | setting}

Variable Description

filter Find out the severity level of system log 3 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
l emergency — The system is unusable.
l alert — Immediate action is required.
l critical — Functionality is affected.
l error — An erroneous condition exists and functionality is probably affected.
l warning — Functionality might be affected.
l notification — Information about normal events.
l information — General information about system operations.
l debug — Information used for diagnosing or debugging the system.

setting Find out the general settings for the system log 3:
l diskfull — whether the oldest log entries are overwritten when the system memory is full.
l status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd3 filter

severity : information

S524DF4K15000024 # get log syslogd3 setting

status : disable
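The severity rule stated for get log memory filter and for get log syslogd, syslogd2 and syslogd3 (everything at or above the configured level is kept), modelled as an added example that is not code from this reference or from Fortinet. It assumes only the "key : value" output layout shown above; the command outputs and the sample messages in it are constructed, and the audit flags the situation the example outputs show, where all three syslogd targets are disabled and logs exist only in volatile memory.

```python
"""Severity-threshold filtering and a log-target audit for FortiSwitchOS
'get log ...' output. Added example, not Fortinet code; all outputs and
messages below are constructed."""
import re

# Severity names from most to least severe, as listed in the reference.
SEVERITY_ORDER = (
    "emergency", "alert", "critical", "error",
    "warning", "notification", "information", "debug",
)
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def parse_kv_output(text):
    """Parse the 'key : value' lines the get log commands print into a dict."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$", line)
        if m:
            result[m.group(1)] = m.group(2).lower()
    return result


def is_logged(configured, message_level):
    """True if a message at message_level survives the configured filter."""
    return RANK[message_level] <= RANK[configured]


def levels_logged(configured):
    """All severities the device keeps for a given filter setting."""
    return SEVERITY_ORDER[: RANK[configured] + 1]


def filter_messages(configured, messages):
    """Keep only the (level, text) pairs the device would record."""
    return [m for m in messages if is_logged(configured, m[0])]


def audit_log_targets(memory_setting, syslogd_settings, memory_filter,
                      minimum="warning"):
    """Defender check over get log outputs.

    memory_setting:   text of 'get log memory setting'
    syslogd_settings: list of 'get log syslogdN setting' texts
    memory_filter:    text of 'get log memory filter'
    Returns a list of findings; an empty list means nothing to flag.
    """
    findings = []
    if parse_kv_output(memory_setting).get("status") != "enable":
        findings.append("logging to system memory is disabled")
    if not any(parse_kv_output(s).get("status") == "enable"
               for s in syslogd_settings):
        findings.append("no syslogd target enabled: logs exist only in volatile memory")
    severity = parse_kv_output(memory_filter).get("severity")
    if severity not in RANK:
        findings.append("could not read memory severity filter")
    elif RANK[severity] < RANK[minimum]:
        findings.append(f"memory filter '{severity}' drops {minimum} messages")
    return findings


# Constructed outputs mirroring the example outputs in the reference.
MEMORY_FILTER = "severity : information\n"
MEMORY_SETTING = "diskfull : overwrite\nstatus : enable\n"
SYSLOGD_SETTINGS = ["status : disable\n"] * 3

# Constructed messages as (severity, text) pairs.
SAMPLE_MESSAGES = [
    ("critical", "admin login failure from 192.0.2.10"),
    ("warning", "port5 link flap detected"),
    ("information", "configuration backed up"),
    ("debug", "lldp tlv parsed"),
]

if __name__ == "__main__":
    print("error filter keeps:", levels_logged("error"))
    for level, text in filter_messages("warning", SAMPLE_MESSAGES):
        print(f"[{level}] {text}")
    for finding in audit_log_targets(MEMORY_SETTING, SYSLOGD_SETTINGS, MEMORY_FILTER):
        print("finding:", finding)
```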

get router info bfd neighbor

Use this command to find out where bidirectional forwarding detection (BFD) has been enabled. If you do not specify
the BFD peer IPv4 address or interface, all BFD peers are returned.

Syntax

get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]

Example output

S524DF4K15000024 # get router info bfd neighbor

OurAddr NeighAddr LD/RD State Int
192.168.15.2 192.168.15.1 1/4 UP vlan2000
192.168.16.2 192.168.16.1 2/2 UP vlan2001

get router info bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info bgp {cidr-only | community | community-info | community-list | dampening | filter-list | inconsistent-as | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | quote-regexp | route-map | scan | summary | memory}


Variable Description

cidr-only Display routes with nonnatural netmasks.

community Display routes matching the communities.

community-info List all BGP community information.

community-list Display routes matching the community list.

dampening Display router dampening information.

filter-list Display routes conforming to the filter list.

inconsistent-as Display routes with inconsistent AS paths.

neighbors Show BGP neighbors for IPv4 and IPv6.

network Show the BGP information for the network.

network-longer-prefixes Show the BGP information for routes and more specific routes.

paths Display the BGP path information for IPv4 and IPv6.

prefix-list Display routes conforming to the prefix list.

regexp Display routes matching the AS path with regular expressions.

quote-regexp Display routes matching the AS path with regular expressions within quotation marks.

route-map Display routes conforming to the route map.

scan Display the BGP scan status.

summary Display a summary of the BGP neighbor status for IPv4 and IPv6.

memory Display the BGP memory table.

get router info gwdetect

Use this command to get information about the gwdetect status.

Syntax

get router info gwdetect

get router info isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing
configuration for IPv4 traffic.


Syntax

get router info isis {interface | neighbor | database | route | summary | summary-table |
topology}

Variable Description

interface Show the IS-IS interfaces.

neighbor Show the IS-IS neighbor adjacencies.

database Show the IS-IS link state database.

route Show the IS-IS IP routing table.

summary Show the IS-IS summary.

summary-table Show the IS-IS IPv4 summary table.

topology Show the IS-IS paths.

get router info kernel

Use this command to get information about the IPv4 kernel routing table. The IPv4 kernel routing table displays
information about all of the routes in the kernel.

Syntax

get router info kernel <routing_type>

get router info multicast

Use this command to get information about the Protocol Independent Multicast (PIM) routing configuration.

Syntax

get router info multicast {config | igmp | pim | table | table-count}

Variable Description

config Show the multicast routing configuration.

igmp Show the multicast routing IGMP information.

pim Show PIM information.

table Show the multicast routing table.

table-count Show the multicast route and packet count.


get router info ospf

Use this command to get information about any IPv4 open shortest path first (OSPF) routing that has been configured.
To set up IPv4 OSPF routing, see config router ospf on page 52.

Syntax

get router info ospf config
get router info ospf redist-route
get router info ospf summary
get router info ospf database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}
get router info ospf interface [<interface_name>]
get router info ospf route
get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}
get router info ospf border-routers
get router info ospf status

Variable Description

config Display detailed information about the current OSPF configuration, including interfaces,
areas, access lists, and IP addresses.

redist-route Display information about the OSPF redistributed routes.

summary Display summary table information.

database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age} Display information about the OSPF database.

interface [<interface_name>] Display information about the specified OSPF interface. If the interface is not specified, information about all OSPF interfaces is returned.

route Display the OSPF routing table.

neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>} Display information about OSPF neighbors.

border-routers Display information about OSPF border routers.

status Display the current status of the OSPF routing, including router identifier, flags, timers,
and areas.


Example output

S524DF4K15000024 # get router info ospf status

OSPF Routing Process, OSPF Router ID: 1.1.1.2
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 5000 millisec(s)
Minimum hold time between consecutive SPFs 10000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 2d07h22m ago
Last SPF duration 105 usecs
SPF timer is inactive
Refresh timer 10 secs PacketsSent: 0 PacketsRecv: 0
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Adjacency changes are logged

Area ID: 0.0.0.4 (NSSA)
Shortcutting mode: Default, S-bit consensus: ok
Number of interfaces in this area: Total: 0, Active: 0
It is an NSSA configuration.
Elected NSSA/ABR performs type-7/type-5 LSA translation.
It is not ABR, therefore not Translator.
Number of fully adjacent neighbors in this area: 0
Area has message digest authentication
Number of full virtual adjacencies going through this area: 0
SPF algorithm executed 1 times
Default-Route Cost: 1
Number of LSA 1
Number of router LSA 1. Checksum Sum 0x0000ebf8
Number of network LSA 0. Checksum Sum 0x00000000
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000

get router info rip

Use this command to get information about any Routing Information Protocol (RIP) routing that has been configured.
To set up RIP routing, see config router rip on page 64.

Syntax

get router info rip {config | database | status}


Variable Description

config Display detailed information about the current RIP configuration, including keys in the
keychain, interfaces, access lists, and IP addresses.

database Display information about the RIP database.

status Display the current status of the RIP routing, including filter lists, redistribution, RIP
version, and interfaces.

Example output

S524DF4K15000024 # get router info rip status

Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 21 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: static
Default version control: send version 2, receive version 2
Interface Send Recv UpdSend Key-chain
vlan35 2 2 9
vlan85 2 2 8
Routing for Networks:
170.38.65.0/24
180.1.1.0/24
0.0.0.0
Distance: (default is 120)

get router info routing-table

Use these commands to get information about the IPv4 routing table.

Syntax

get router info routing-table summary


get router info routing-table details <A.B.C.D/M>
get router info routing-table all
get router info routing-table rip
get router info routing-table ospf
get router info routing-table bgp
get router info routing-table isis
get router info routing-table static
get router info routing-table connected
get router info routing-table dump <A.B.C.D>


Variable Description

summary Display a summary of the existing routes.

details <A.B.C.D/M> Display the routing table entries that include the specified IP address or route prefix.

all Display all routing table entries.

rip Display the RIP routes in the routing table.

ospf Display the OSPF routes in the routing table.

bgp Display the BGP routes in the routing table.

isis Display the IS-IS routes in the routing table.

static Display the static routes in the routing table.

connected Display the connected routes in the routing table.

dump <A.B.C.D> Display the details of routing table entries that include the specified IP address or route
prefix.

Example output

S524DF4K15000024 # get router info routing-table summary


Route Source Routes FIB (vrf default)
connected 3 3
static 1 1
------
Totals 4 4

S524DF4K15000024 # get router info routing-table all


Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

S>* 0.0.0.0/0 [5/0] via 169.254.1.1, internal, 00:36:02


C>* 10.254.252.0/23 is directly connected, rspan, 00:34:37
C>* 169.254.1.0/24 is directly connected, internal, 1d00h57m
C>* 192.168.2.0/24 is directly connected, mgmt, 01:51:05

get router info vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv4.

Syntax

get router info vrrp


Example output

S524DF4K15000024 # get router info vrrp


Interface: vlan-8, primary IP address: 10.10.10.1
UseVMAC: 1
VRID: 5
vrip: 11.1.1.100, priority: 255, state: MASTER
adv_interval: 1, preempt: 1, start_time: 3
vrmac: 00:00:5e:00:01:05
vrdst:
vrgrp: 50

get router info6 bfd neighbor

Use this command to display the bidirectional forwarding detection (BFD) neighbors for IPv6. If you do not specify the
BFD peer IPv6 address, all BFD peers are returned.

Syntax

get router info6 bfd neighbor [<X:X::X:X>]

get router info6 bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info6 bgp {community | community-list | dampening | filter-list | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | route-map | summary}

Variable Description

community Display routes matching the communities.

community-list Display routes matching the community list.

dampening Display router dampening information.

filter-list Display routes conforming to the filter list.

neighbors Show BGP neighbors.

network Show the BGP information for the network.

network-longer-prefixes Show the BGP information for routes and more specific routes.

paths Display the BGP path information.

prefix-list Display routes conforming to the prefix list.

regexp Display routes matching the AS path with regular expressions.

route-map Display routes conforming to the route map.

summary Display a summary of the BGP neighbor status.

get router info6 isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing
configuration for IPv6 traffic.

Syntax

get router info6 isis {interface | neighbor | database | route | summary | summary-table6 |
topology}

Variable Description

interface Show the IS-IS interfaces.

neighbor Show the IS-IS neighbor adjacencies.

database Show the IS-IS link state database.

route Show the IS-IS IP routing table.

summary Show the IS-IS summary.

summary-table6 Show the IS-IS IPv6 summary table.

topology Show the IS-IS paths.

get router info6 kernel

Use this command to get information about the IPv6 kernel routing table. The IPv6 kernel routing table displays
information about all of the routes in the kernel.

Syntax

get router info6 kernel


Example output

S524DF4K15000024 # get router info6 kernel


type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=42(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=49(rspan) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=42(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=49(rspan) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=1(lo) prio=ffffffff

get router info6 ospf

Use this command to get information about any IPv6 open shortest path first (OSPF) routing that has been configured.
To set up IPv6 OSPF routing, see config router ospf6 on page 59.

Syntax

get router info6 ospf database [{router | network | inter-prefix | inter-router | external |
link | intra-prefix}]
get router info6 ospf interface [<interface_name>]
get router info6 ospf route [<IPv6_address>]
get router info6 ospf redistribute
get router info6 ospf border-route [detail]
get router info6 ospf neighbor {<A.B.C.D> | detail}
get router info6 ospf status

Variable Description

database [{router | Display information about the OSPF link state advertisement (LSA) database. Specify
network | inter-prefix | the router LSA, network LSA, inter-prefix LSA, inter-router LSA, external LSA, link LSA,
inter-router | external | link or intra-prefix LSA database. If you do not specify which LSA database, information
| intra-prefix}] about all LSA databases is returned.

interface [<interface_ Display information about the OSPF interface. If you do not specify the interface,
name>] information about all interfaces is returned.

route [<IPv6_address>] Display the OSPF routing table. If you do not specify an IPv6 address, all IPv6 routes are
returned.

redistribute Display redistributing external information.

border-route [detail] Display general or detailed information about OSPF border routers.

neighbor {<A.B.C.D> | Display information about OSPF neighbors in general or in detail or specify a neighbor
detail} ID.

status Display the current status of the OSPF routing, including router identifier, flags, timers,
and areas.

get router info6 rip

Use this command to get information about any IPv6 Routing Information Protocol (RIP) routing that has been
configured. To set up IPv6 RIP routing, see config router ripng on page 67.

Syntax

get router info6 rip config


get router info6 rip database
get router info6 rip status

Variable Description

config Display information about the RIP configuration.

database Display information about the RIP routes.

status Display the current status of the RIP routing, including timers, filter lists, and neighbors.

get router info6 routing-table

Use these commands to get information about the IPv6 routing table. If you do not specify which IPv6 routing table,
information about all IPv6 routing tables is returned.

Syntax

get router info6 routing-table rip


get router info6 routing-table ospf
get router info6 routing-table bgp
get router info6 routing-table static
get router info6 routing-table connected

Variable Description

rip Display the RIP routes in the routing table.

ospf Display the OSPF routes in the routing table.

bgp Display the BGP routes in the routing table.

static Display the static routes in the routing table.

connected Display the connected routes in the routing table.

Example output

S524DF4K15000024 # get router info6 routing-table


Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

C * fe80::/64 is directly connected, rspan, 02:41:19


C * fe80::/64 is directly connected, mgmt, 03:56:28
C>* fe80::/64 is directly connected, internal, 1d03h03m
K>* ff00::/8 [0/256] is directly connected, rspan, 02:41:20

get router info6 vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv6.

Syntax

get router info6 vrrp

get switch acl

Use these commands to display the ACL settings.

Syntax

get switch acl counters {all | egress | ingress | prelookup}


get switch acl egress
get switch acl ingress
get switch acl policer
get switch acl prelookup
get switch acl service custom
get switch acl settings
get switch acl usage


Variable Description

counters {all | egress | Display information about all ACL policies, egress ACL policies, ingress ACL policies, or
ingress | prelookup} lookup ACL policies.

egress Display information about the ACL policy for the egress stage.

ingress Display information about the ACL policy for the ingress stage.

policer List which ACL policers are available for different types of traffic.

prelookup Display information about the ACL policy for the lookup stage.

service custom Display a list of preconfigured service entries.

settings Display the global ACL settings for the FortiSwitch unit.

usage Display how much of available resources are used by ACL.

Example output

S524DF4K15000024 # get switch acl policer


== [ 1 ]
id: 1 description: policer1

S524DF4K15000024 # get switch acl settings


density-mode : disable
trunk-load-balance : enable

S524DF4K15000024 # get switch acl usage


Device RULES COUNTERS POLICERS STAGE
(total/free) (total/free) (total/free)
________________________________________________________________
0 2048 /2023 4096 /4071 4096 /4096 ingress
0 512 /511 1024 /1024 768 /768 egress
0 768 /767 0 /0 0 /0 prelookup

S524DF4K15000024 # get switch acl counters ingress


ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13

0002 0 0 cnt_n_mirror31

0003 0 0 cnt_n_mirror41

get switch dhcp-snooping

Use these commands to display more information about the IPv4 or IPv6 DHCP-snooping databases.


Syntax

get switch dhcp-snooping allowed-server-list


get switch dhcp-snooping client-db-details
get switch dhcp-snooping client6-db-details
get switch dhcp-snooping database-summary
get switch dhcp-snooping limit-db-details
get switch dhcp-snooping server-db-details
get switch dhcp-snooping server6-db-details
get switch dhcp-snooping status

Variable Description

allowed-server-list Display the allowed DHCP server list.

client-db-details Display details about the IPv4 DHCP-snooping client database.

client6-db-details Display details about the IPv6 DHCP-snooping client database.

database-summary List the number of VLANs with various features enabled, list trusted and untrusted ports,
and report how much of the databases are used.

limit-db-details Display details about the DHCP-snooping lease-count database.

server-db-details Display details about the IPv4 DHCP-snooping server database.


If the dhcp-server-access-list is enabled globally and the server is configured for the
dhcp-server-access-list, the svr-list column displays allowed for that server. If the
dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-
server-access-list, the svr-list column displays blocked for that server.

server6-db-details Display details about the IPv6 DHCP-snooping server database.


If the dhcp-server-access-list is enabled globally and the server is configured for the
dhcp-server-access-list, the svr-list column displays allowed for that server. If the
dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-
server-access-list, the svr-list column displays blocked for that server.

status Display details about the DHCP-snooping client and server database.

Example output

S548DF5018000776 # get switch dhcp-snooping allowed-server-list

vlan ip
10 xxx.x.x.x

FS1D243Z14000027 # get switch dhcp-snooping client-db-details

       mac        vlan     ip     lease(sec) expiry(sec) interface hostname  domainname vendor server-ip
00:01:00:00:00:01 100 xxx.x.x.xxx   86400       86398      port3   
00:03:00:00:00:03 100 xxx.x.x.x     86400       86394      port5   
00:03:00:00:00:04 100 xxx.x.x.x     86400       86394      port5   


FS1D243Z14000027 # get switch dhcp-snooping server-db-details

   mac           vlan   ip  interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 xxx.x.x.x port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09  7/5/0/0
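The server database above is what a defender scans for rogue DHCP servers: a row whose svr-list column reads blocked, or whose server was learned on a port that is not trusted, deserves an alert. The following added example (not FortiSwitchOS code) parses that output; the sample rows are constructed in the column layout shown here, the meaning of the status column as the port's trust state is an assumption, and the IPs are from a documentation range.

```python
"""Parse `get switch dhcp-snooping server-db-details` output and flag DHCP
servers that the switch reports as blocked by the dhcp-server-access-list,
or that were learned on a port not marked trusted.
Added example, not FortiSwitchOS code; the sample below is constructed
in the column layout of the CLI reference (IPs from 192.0.2.0/24)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample output: one legitimate server and one blocked one.
SAMPLE = """\
   mac           vlan   ip  interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 192.0.2.10 port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09  7/5/0/0
00:11:01:00:00:02 10 192.0.2.99 port7 untrusted blocked 2018-09-11 11:30:41 2018-09-12 11:30:41  3/0/2/0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class DhcpServerEntry:
    mac: str
    vlan: int
    ip: str
    interface: str
    status: str      # assumed: trust state of the port the server was seen on
    svr_list: str    # allowed / blocked, per the dhcp-server-access-list
    last_seen: datetime
    expiry: datetime
    offer: int
    ack: int
    nak: int
    other: int


def parse_server_db(text):
    """Return one DhcpServerEntry per data row; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        # A data row has 11 whitespace-separated fields because each of the
        # two timestamps is "date time"; anything else is not a row.
        if len(f) != 11 or not MAC_RE.match(f[0]):
            continue
        offer, ack, nak, other = (int(x) for x in f[10].split("/"))
        entries.append(DhcpServerEntry(
            mac=f[0], vlan=int(f[1]), ip=f[2], interface=f[3],
            status=f[4], svr_list=f[5],
            last_seen=datetime.strptime(f[6] + " " + f[7], TS_FMT),
            expiry=datetime.strptime(f[8] + " " + f[9], TS_FMT),
            offer=offer, ack=ack, nak=nak, other=other))
    return entries


def suspicious_servers(entries):
    """Entries worth an alert: blocked by the access list, or not on a trusted port."""
    return [e for e in entries if e.svr_list == "blocked" or e.status != "trusted"]


def report(entries):
    """One human-readable line per suspicious server, for a log or ticket."""
    return [f"{e.ip} ({e.mac}) vlan {e.vlan} on {e.interface}: "
            f"status={e.status} svr-list={e.svr_list} NAK={e.nak}"
            for e in suspicious_servers(entries)]


if __name__ == "__main__":
    for line in report(parse_server_db(SAMPLE)):
        print(line)
```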

get switch flapguard settings

Use this command to display the flap guard settings.

Syntax

get switch flapguard settings

Example output

S524DF4K15000024 # get switch flapguard settings

flap-duration : 30
flap-rate : 5
status : disable

get switch global

Use this command to get information about the global settings of your FortiSwitch unit.

Syntax

get switch global

Example output

S524DF4K15000024 # get switch global


name : (null)
mac-aging-interval : 150
poe-alarm-threshold : 40
poe-power-mode : first-come-first-served
poe-guard-band : 10
ip-mac-binding : enable
dmi-global-all : enable
poe-pre-standard-detect: enable
poe-power-budget : 200
trunk-hash-mode : enhanced
trunk-hash-unkunicast-src-dst: enable
auto-fortilink-discovery: enable
auto-isl : enable
mclag-peer-info-timeout: 300
auto-isl-port-group : 0
max-path-in-ecmp-group: 4
virtual-wire-tpid : 0xdee5
loop-guard-tx-interval: 15
dhcp-snooping-database-export: enable
forti-trunk-dmac : 02:80:c2:00:00:02
port-security:
link-down-auth : set-unauth
reauth-period : 60
max-reauth-attempt : 2

get switch igmp-snooping

Use this command to get the IGMP-snooping settings of your FortiSwitch unit.

Syntax

get switch igmp-snooping {globals | group | static-group | status}

Variable Description

globals Display the global IGMP-snooping configuration on the FortiSwitch unit.

group Display a list of learned multicast groups.

static-group Display the list of configured static groups.

status Display the status of IGMP-snooping VLANs and groups.

Example output

S524DF4K15000024 # get switch igmp-snooping globals


aging-time : 300
leave-response-timeout: 10
query-interval : 120

FS1D243Z13000023 # get switch igmp-snooping group


Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---

FS1D243Z13000023 # get switch igmp-snooping static-group

VLAN ID Group-Name     Multicast-addr  Member-interface
_______ ______________ _______________ _________________________
11      g239-1         239:1:1:1       port6 trunk-2
11      g239-11        239:2:2:11      port26 port48 trunk-2
40      g239-1         239:1:1:1       port5 port25 trunk-2
40      g239-2         239:2:2:2       port25 port26

S524DF4K15000048 # get switch igmp-snooping status

IGMP-SNOOPING enabled vlans:


-------------------------------
100

IGMP-Proxy enabled vlans:


-------------------------------

Max multicast snooping groups 1022

Total IGMP groups 0 (Learned 0, Static 0)


Total MLD groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch interface

Use this command to get information about the interfaces, including the class of service (CoS) value, whether sFlow is
enabled on the interface, and whether dynamically learned MAC addresses are persistent on the interface.

Syntax

get switch interface

Example output

S524DF4K15000024 # get switch interface

== [ port1 ]
name: port1 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
== [ port2 ]
name: port2 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
== [ port3 ]
name: port3 sflow-sampler: disabled port-security:
default-cos: 0 sticky-mac: disable
...


get switch ip-mac-binding

Use this command to get information about IP MAC binding.

Syntax

get switch ip-mac-binding

Example output

get switch ip-mac-binding

== [ 1 ]
seq-num: 1

get switch ip-source-guard

Use this command to get information about the IP source-guard entries.

Syntax

get switch ip-source-guard

get switch ip-source-guard-violations

Use these commands to get source-guard violations.

Syntax

get switch ip-source-guard-violations all


get switch ip-source-guard-violations interface <interface_name>

Variable Description

all Display all source-guard violations.

interface <interface_name> Display source-guard violations for the specified interface.

get switch lldp

Use this command to get information about LLDP.


Syntax

get switch lldp {auto-isl-status | neighbors-detail <physical port name> | neighbors-summary | profile | settings | stats}

Variable Description

auto-isl-status Display statistics and status for the automatic ISL configuration.

neighbors-detail <physical port name> Display details about a specific LLDP port.

neighbors-summary Display a summary of LLDP neighbors.

profile Display the name of available LLDP profiles.

settings Display whether LLDP is enabled globally, the number of tx-intervals before the local
LLDP data expires, the frequency of LLDP PDU transmission, how often the FortiSwitch
transmits the first four LLDP packets when a link comes up, and the primary
management interface advertised in LLDP and CDP PDUs.

stats Display the number of packets transmitted, received, and discarded; the number of
neighbors added, deleted, and expired; and the number of unknown TLVs.

Example output

S524DF4K15000024 # get switch lldp profile


== [ default ]
name: default 802.1-tlvs: 802.3-tlvs: med-tlvs: inventory-management network-policy
== [ default-auto-isl ]
name: default-auto-isl 802.1-tlvs: 802.3-tlvs: med-tlvs:
== [ 1 ]
name: 1 802.1-tlvs: 802.3-tlvs: med-tlvs: inventory-management network-policy
== [ Forti670i ]
name: Forti670i 802.1-tlvs: 802.3-tlvs: med-tlvs: inventory-management network-policy

S524DF4K15000024 # get switch lldp settings


status : enable
tx-hold : 8
tx-interval : 2000
fast-start-interval : 3
management-interface: internal

get switch mac-limit-violations

Use this command to see the first MAC address that exceeded the learning limit for an interface or VLAN.
To enable the learning limit violation log for a FortiSwitch unit, see config switch global on page 88.

Syntax

get switch mac-limit-violations {all | interface <interface_name> | vlan <VLAN_ID>}


Variable Description

all Display the first MAC address that exceeded the learning limit on any interface
or VLAN. An asterisk by the interface name indicates that the interface-based
learning limit was exceeded. An asterisk by the VLAN identifier indicates the
VLAN-based learning limit was exceeded.

interface <interface_name> Display the first MAC address that exceeded the learning limit on a specific
interface.

vlan <VLAN_ID> Display the first MAC address that exceeded the learning limit on a specific
VLAN.

Example output

S524DF4K16000028 # get switch mac-limit-violations all


Port VLAN ID MAC Address Timestamp
----------------------------------------------------------------------------------
port3* 5 00:00:01:00:00:01 2017-12-05 15:55:20
port15 9* 0a:c1:08:bf:cc:80 2017-12-05 15:55:44

S524DF4K16000028 # get switch mac-limit-violations interface port3


Port VLAN ID MAC Address Timestamp
----------------------------------------------------------------------------------
port3* 5 00:00:01:00:00:01 2017-12-05 15:55:20

S524DF4K16000028 # get switch mac-limit-violations vlan 9


Port VLAN ID MAC Address Timestamp
----------------------------------------------------------------------------------
port15 9* 0a:c1:08:bf:cc:80 2017-12-05 15:55:44
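The asterisk convention described for this command (on the port name for an interface-based limit, on the VLAN ID for a VLAN-based limit) is easy to misread when the output is collected by a script. The following added example (not FortiSwitchOS code) parses the output and groups the violations by limit type; the sample output is constructed in the layout shown above, including a third row with both asterisks set.

```python
"""Parse `get switch mac-limit-violations all` output and classify each row by
which learning limit was exceeded, following the asterisk convention in the
CLI reference: an asterisk on the port name marks the interface-based limit,
an asterisk on the VLAN ID marks the VLAN-based limit.
Added example, not FortiSwitchOS code; the sample output is constructed in the
page's layout (the third row, with both asterisks, is constructed too)."""
import re
from datetime import datetime

SAMPLE = """\
Port VLAN ID MAC Address Timestamp
----------------------------------------------------------------------------------
port3* 5 00:00:01:00:00:01 2017-12-05 15:55:20
port15 9* 0a:c1:08:bf:cc:80 2017-12-05 15:55:44
port15* 9* 0a:c1:08:bf:cc:81 2017-12-05 15:56:02
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_violations(text):
    """Return a list of dicts, one per data row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have exactly five fields: port, VLAN, MAC, date, time.
        if len(f) != 5 or not MAC_RE.match(f[2]):
            continue
        port, vlan = f[0], f[1]
        rows.append({
            "port": port.rstrip("*"),
            "vlan": int(vlan.rstrip("*")),
            "mac": f[2],
            "time": datetime.strptime(f[3] + " " + f[4], "%Y-%m-%d %H:%M:%S"),
            "interface_limit": port.endswith("*"),
            "vlan_limit": vlan.endswith("*"),
        })
    return rows


def summarize(rows):
    """Group violations by limit type: the ports that hit the interface limit and
    the VLANs that hit the VLAN limit, each mapped to the first MAC that tripped it."""
    summary = {"interface": {}, "vlan": {}}
    for r in rows:
        if r["interface_limit"]:
            summary["interface"].setdefault(r["port"], r["mac"])
        if r["vlan_limit"]:
            summary["vlan"].setdefault(r["vlan"], r["mac"])
    return summary


if __name__ == "__main__":
    for kind, hits in summarize(parse_violations(SAMPLE)).items():
        for key, mac in hits.items():
            print(f"{kind} limit exceeded on {key}: first offending MAC {mac}")
```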

get switch mirror status

Use this command to get information about the ERSPAN-auto mirror sessions of your FortiSwitch unit. To configure a
packet mirror, see config switch mirror on page 111.

Syntax

get switch mirror status <session>

Example output

# get switch mirror status flink.sniffer

flink.sniffer
Mode : ERSPAN-auto
Status : Inactive
Source-Ports:
Ingress: port2, port3
Egress : port8, port9


Used-by-ACLs : False
Auto-config-state : N/A
Last-update : never
Issues : None
Collector-IP : 0.0.0.0
Source-IP : N/A
Source-MAC : N/A
Next-Hop :
IP : N/A
MAC : N/A
Via-System-Interface : N/A
VLAN : N/A
Via-Switch-Interface : N/A

get switch mld-snooping

Use this command to get the MLD-snooping settings of your FortiSwitch unit.

Syntax

get switch mld-snooping {globals | group | static-group | status}

Variable Description

globals Display the global MLD-snooping configuration on the FortiSwitch unit.

group Display a list of learned multicast groups.

static-group Display the list of configured static groups.

status Display the status of MLD-snooping VLANs and groups.

Example output

S548DF5018000776 # get switch mld-snooping globals

aging-time : 300
leave-response-timeout: 10
query-interval : 125

S548DF5018000776 # get switch mld-snooping group

MLD-SNOOPING mcast-groups:
Max Entries: 1022

port VLAN GROUP Age-timeout MLD-Version

Total Number of Learned MLD groups: 0

S548DF5018000776 # get switch mld-snooping static-group

VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________

S548DF5018000776 # get switch mld-snooping status

MLD-SNOOPING enabled vlans:


-------------------------------
40

MLD-Proxy enabled vlans:


-------------------------------
40

Max multicast snooping groups 1022

Total MLD groups 0 (Learned 0, Static 0)


Total IGMP groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch modules

Use this command to get information about the modules in your FortiSwitch unit.

Syntax

get switch modules {detail | limits | status | summary} [<port>]

Variable Description

detail [<port>] Display module details for a specific port, split port, or all available ports.

limits [<port>] Display module limits for a specific port, split port, or all available ports.

status [<port>] Display module status for a specific port, split port, or all available ports.

summary [<port>] Display summary information of all modules for a specific port or all available ports and
split ports.

Example output

FS108D3W14000720 # get switch modules detail port10


____________________________________________________________
Port(port10)
identifier SFP/SFP+
connector Unk (0x00)
transceiver 1000-Base-T
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable 100 meter
SFP Specific
length_smf_100m N/A
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007

FS1E48T419000036 # get switch modules status port51.2


___________________________________________________________
Port(port51.2)
temperature 23.777344 C
voltage 3.303100 volts
alarm_flags 0x0000
warning_flags 0x0000
laser_bias 0.758000 mAmps
tx_power -2.379219 dBm
rx_power -2.201871 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x0008 ( TX_POWER_LEVEL1 )

get switch network-monitor

Use this command to get information about network monitoring on the FortiSwitch unit.

Syntax

get switch network-monitor {directed | settings}

Variable Description

directed List the static entries for network monitoring on the switch.

settings Display the global settings for network monitoring on the switch.

Example output

S524DF4K15000024 # get switch network-monitor directed


== [ 1 ]
id: 1

S524DF4K15000024 # get switch network-monitor settings


db-aging-interval : 3600
status : disable
survey-mode : disable
survey-mode-interval: 120


get switch phy-mode

Use this command to find out which split ports have been configured. To configure split ports, see config switch phy-mode on page 117.

Syntax

get switch phy-mode

Example output

S524DF4K15000024 # get switch phy-mode


port29-phy-mode : 1x40G
port30-phy-mode : 1x40G

get switch physical-port

Use this command to get information about the physical ports of your FortiSwitch unit. To configure physical ports, see
config switch physical-port on page 119.

Syntax

get switch physical-port

Example output

S524DF4K15000024 # get switch physical-port


== [ port1 ]
name: port1 egress-drop-mode: enabled link-status: down status: up
== [ port2 ]
name: port2 egress-drop-mode: enabled link-status: down status: up
== [ port3 ]
name: port3 egress-drop-mode: enabled link-status: down status: up
...

get switch poe inline

Use this command to get information about the system’s power over Ethernet (PoE) functions.

Syntax

get switch poe inline

Example output

S524DF4K15000024 # get switch poe inline

Unit Power Budget: 10.00W


Unit Guard Band: 10.00W
Unit Power Consumption: 0.00W
Unit Poe Power Mode : First come first served based.

Interface Status State Max-Power(W) Power-consumption(W) Class Error


----------------------------------------------------------------------------------
port1 Enabled Searching 0.00 0.00 0
port2 Enabled Searching 0.00 0.00 0
port3 Enabled Searching 0.00 0.00 0
port4 Enabled Searching 0.00 0.00 0
port5 Enabled Searching 0.00 0.00 0
port6 Enabled Searching 0.00 0.00 0
port7 Enabled Searching 0.00 0.00 0
port8 Enabled Searching 0.00 0.00 0
port9 Enabled Searching 0.00 0.00 0
port10 Enabled Searching 0.00 0.00 0
port11 Enabled Searching 0.00 0.00 0
port12 Enabled Searching 0.00 0.00 0
port13 Enabled Searching 0.00 0.00 0
port14 Enabled Searching 0.00 0.00 0
port15 Enabled Searching 0.00 0.00 0
port16 Enabled Searching 0.00 0.00 0
port17 Enabled Searching 0.00 0.00 0
port18 Enabled Searching 0.00 0.00 0
port19 Enabled Searching 0.00 0.00 0
port20 Enabled Searching 0.00 0.00 0
port21 Enabled Searching 0.00 0.00 0
port22 Enabled Searching 0.00 0.00 0
port23 Enabled Searching 0.00 0.00 0
port24 Enabled Searching 0.00 0.00 0

get switch qos

Use this command to get information about the QoS configuration.

Syntax

get switch qos {dot1p-map | ip-dscp-map | qos-policy}

Variable Description

dot1p-map List the available dot1p maps, as well as the CoS values.

ip-dscp-map List the available DSCP maps.

qos-policy List the available QoS policies.


Example output

S524DF4K15000024 # get switch qos dot1p-map


== [ test1 ]
name: test1 priority-0: queue-2 priority-1: queue-0 priority-2: queue-1 priority-
3: queue-3 priority-4: queue-4 priority-5: queue-5 priority-6: queue-6 priority-7:
queue-7

S524DF4K15000024 # get switch qos ip-dscp-map


== [ m1 ]
name: m1

S524DF4K15000024 # get switch qos qos-policy


== [ default ]
name: default
== [ policy1 ]
name: policy1

get switch raguard-policy

Use the following command to list the available IPv6 RA-guard policies. To create an IPv6 RA-guard policy, see config
switch raguard-policy on page 129.

Syntax

get switch raguard-policy

Example output

S524DF4K15000024 # get switch raguard-policy


== [ RApolicy1 ]
name: RApolicy1

get switch security-feature

Use this command to display the security-feature settings. To configure security checks for incoming TCP/UDP packets,
see config switch security-feature on page 131.

Syntax

get switch security-feature

Example output

S524DF4K15000024 # get switch security-feature

sip-eq-dip : enable
tcp-flag : enable
tcp-port-eq : enable
tcp-flag-FUP : enable
tcp-flag-SF : enable
v4-first-frag : enable
udp-port-eq : enable
tcp-hdr-partial : enable
macsa-eq-macda : enable
allow-mcast-sa : enable
allow-sa-mac-all-zero: enable

get switch static-mac

Use this command to display the static MAC addresses.

Syntax

get switch static-mac

Example output

S524DF4K15000024 # get switch static-mac

== [ 1 ]
seq-num: 1 interface: port5 mac: 00:21:cc:d2:76:72 vlan-id: 35

get switch storm-control

Use this command to display storm control settings on your FortiSwitch unit. To configure storm control, see config
switch storm-control on page 134.

Syntax

get switch storm-control

Example output

S524DF4K15000024 # get switch storm-control

broadcast : enable
rate : 1000
unknown-multicast : enable
unknown-unicast : enable


get switch stp instance

Use this command to get information about STP instances on your FortiSwitch unit. To configure an STP instance, see
config switch stp instance on page 134.

Syntax

get switch stp instance

Example output

# get switch stp instance


== [ 0 ]
id: 0
== [ 1 ]
id: 1

get switch stp settings

Use this command to get information about STP settings on your FortiSwitch unit. To configure STP settings, see config
switch stp settings on page 135.

Syntax

get switch stp settings

Example output

S524DF4K15000024 # get switch stp settings

forward-time : 15
hello-time : 5
max-age : 20
max-hops : 20
name : region1
revision : 1
status : enable

get switch trunk

Use this command to get information about which trunks on the FortiSwitch unit have been configured for link
aggregation. To configure link aggregation, see config switch trunk on page 136.


Syntax

get switch trunk

Example output

# get switch trunk


== [ 1 ]
name: 1 members:
== [ port3 ]
member-name: port3
== [ port10 ]
member-name: port10
== [ port1 ]
member-name: port1

get switch virtual-wire

Virtual wire allows you to forward traffic between two ports with minimal filtering or packet modifications. To configure a
virtual wire, see config switch virtual-wire on page 139.

Syntax

get switch virtual-wire

Example output

S524DF4K15000024 # get switch virtual-wire

== [ 1 ]
name: 1

get switch vlan

Use this command to get information about VLANs on the FortiSwitch unit. To configure a VLAN, see config switch vlan
on page 140.

Syntax

get switch vlan

Example output

# get switch vlan


== [ 1 ]
id: 1 private-vlan-type: primary isolated-vlan: 2 community-vlans: 3
== [ 2 ]
id: 2 private-vlan-type: isolated sub-VLAN primary-vlan: 1
== [ 3 ]
id: 3 private-vlan-type: community sub-VLAN primary-vlan: 1
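
The private-VLAN listing above answers the question a reviewer actually cares about only indirectly: which hosts can reach which. The following is an added example (not FortiSwitchOS code) that parses the output shown above, copied inline, and evaluates the usual private-VLAN rules: hosts on the primary VLAN reach every secondary VLAN, community hosts additionally reach their own community, and isolated hosts reach only the primary. VLANs without private-VLAN settings are ignored by the parser.

```python
"""Reachability model for the private VLANs listed by `get switch vlan`.

Added example, not FortiSwitchOS code. Parses the CLI output (copied
inline from the reference) and answers whether hosts in two VLANs may
exchange traffic under standard private-VLAN semantics.
"""
import re

# Copied from the `get switch vlan` example output above.
SAMPLE = """\
== [ 1 ]
id: 1 private-vlan-type: primary isolated-vlan: 2 community-vlans: 3
== [ 2 ]
id: 2 private-vlan-type: isolated sub-VLAN primary-vlan: 1
== [ 3 ]
id: 3 private-vlan-type: community sub-VLAN primary-vlan: 1
"""

ENTRY = re.compile(r"id: (\d+) private-vlan-type: (primary|isolated|community)")


def parse_vlans(text):
    """Return {vlan_id: {...}} for every VLAN that carries private-VLAN settings."""
    vlans = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # plain VLANs or '== [ n ]' separators
        vid, kind = int(m.group(1)), m.group(2)
        entry = {"type": kind}
        if kind == "primary":
            iso = re.search(r"isolated-vlan: (\d+)", line)
            com = re.search(r"community-vlans: ([\d,]+)", line)
            entry["isolated"] = int(iso.group(1)) if iso else None
            entry["communities"] = [int(x) for x in com.group(1).split(",")] if com else []
        else:
            pm = re.search(r"primary-vlan: (\d+)", line)
            entry["primary"] = int(pm.group(1)) if pm else None
        vlans[vid] = entry
    return vlans


def primary_of(vlans, vid):
    """The primary VLAN that defines the private-VLAN domain of `vid`."""
    v = vlans[vid]
    return vid if v["type"] == "primary" else v["primary"]


def can_talk(vlans, a, b):
    """True if a host in VLAN a may exchange frames with a host in VLAN b."""
    if primary_of(vlans, a) != primary_of(vlans, b):
        return False  # different private-VLAN domains never meet
    ta, tb = vlans[a]["type"], vlans[b]["type"]
    if "primary" in (ta, tb):
        return True  # promiscuous side reaches every secondary VLAN
    if a == b:
        return ta == "community"  # community peers talk; isolated hosts never do
    return False  # two different secondary VLANs are always separated


def check_consistency(vlans):
    """Each secondary VLAN must be listed by the primary it points at, and vice versa."""
    problems = []
    for vid, v in vlans.items():
        if v["type"] == "primary":
            continue
        p = vlans.get(v["primary"])
        if p is None or p["type"] != "primary":
            problems.append(f"vlan {vid}: primary-vlan {v['primary']} is not a primary VLAN")
        elif v["type"] == "isolated" and p["isolated"] != vid:
            problems.append(f"vlan {vid}: not the isolated-vlan of primary {v['primary']}")
        elif v["type"] == "community" and vid not in p["communities"]:
            problems.append(f"vlan {vid}: not in community-vlans of primary {v['primary']}")
    return problems


if __name__ == "__main__":
    v = parse_vlans(SAMPLE)
    for a, b in [(1, 2), (2, 2), (3, 3), (2, 3)]:
        print(f"vlan {a} <-> vlan {b}: {'allowed' if can_talk(v, a, b) else 'blocked'}")
    print("consistency problems:", check_consistency(v) or "none")
```

The consistency check is the useful part in practice: a secondary VLAN whose primary does not list it back is the kind of half-applied change that silently widens reachability.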

get system accprofile

Use this command to view a list of all the system administration access groups. To add an access profile group, see
config system accprofile on page 149.

Syntax

get system accprofile

Example output

S524DF4K15000024 # get system accprofile

== [ prof_admin ]
name: prof_admin
== [ profile1 ]
name: profile1

get system admin list

Use this command to view a list of all the current administration sessions.

Syntax

get system admin list

Example output

# get system admin list

username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29


Variable Description

username Name of the admin account for this session

local The protocol this session used to connect to the system.

device The interface, IP address, and port used by this session to connect to the system.

remote The IP address and port used by the originating computer to connect to the system.

started The time the current session started.
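
The session table above is the first thing to read during an incident review of a switch: who is connected, over what, and from where. The following is an added example (not FortiSwitchOS code) that parses that table format and flags sessions arriving from outside an allowed management network or over a cleartext protocol. The allowed network 172.20.120.0/24 and the extra telnet row are constructed for the demonstration; the first three rows are the ones shown above.

```python
"""Audit the sessions listed by `get system admin list`.

Added example, not FortiSwitchOS code. Parses the table layout from the
reference and reports sessions that a defender would want to look at.
"""
import ipaddress
import re
from datetime import datetime

# First three rows copied from the reference; the telnet row is constructed.
SAMPLE = """\
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29
admin    telnet port1:172.20.120.148:23  10.9.9.9:51002       2006-08-09 12:30:01
"""

# username  protocol  interface:ip:port  ip:port  timestamp
ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<local>\S+)\s+"
    r"(?P<iface>[^:\s]+):(?P<local_ip>[^:\s]+):(?P<local_port>\d+)\s+"
    r"(?P<remote_ip>[^:\s]+):(?P<remote_port>\d+)\s+"
    r"(?P<started>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)

# Protocols that carry the admin credentials unencrypted.
CLEARTEXT = {"telnet", "http"}


def parse_sessions(text):
    """Return one dict per session row; the header line does not match ROW."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        row = m.groupdict()
        row["local_port"] = int(row["local_port"])
        row["remote_port"] = int(row["remote_port"])
        row["started"] = datetime.strptime(row["started"], "%Y-%m-%d %H:%M:%S")
        sessions.append(row)
    return sessions


def audit_sessions(sessions, allowed_nets):
    """Return human-readable findings for sessions worth a second look."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in sessions:
        rip = ipaddress.ip_address(s["remote_ip"])
        who = f"{s['user']} from {rip}:{s['remote_port']} via {s['local']}"
        if not any(rip in n for n in nets):
            findings.append(f"{who}: remote address outside management network")
        if s["local"] in CLEARTEXT:
            findings.append(f"{who}: credentials exposed by cleartext protocol")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SAMPLE), ["172.20.120.0/24"]):
        print(finding)
```

Feed it the captured output of the command (for example, from a scheduled SSH job) and route the findings into whatever alerting you already use; the date parsing is there so that a follow-up can also compare session start times against change windows.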

get system admin status

Use this command to view the status of the currently logged in admin and their session. To configure an administrator
account, see config system admin on page 150.

Syntax

get system admin status

Example output

# get system admin status

username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

Variable Description

username Name of the admin account currently logged in.

login local The protocol used to start the current session.

login device The login information from the FortiSwitch including interface, IP
address, and port number.

login remote The computer the user is logging in from including the IP address
and port number.

login vdom The virtual domain the admin is current logged into.

login started The time the current session started.

current time The current time of day on the system


get system arp

Use this command to view the ARP table entries on the FortiSwitch unit. To manually add ARP table entries to the
FortiSwitch unit, see config system arp-table on page 152.

Syntax

get system arp

Example output

S524DF4K15000024 # get system arp

Address Age(min) Hardware Addr Interface


10.105.16.1 0 90:6c:ac:15:2f:94 mgmt
11.1.1.100 - 00:00:5e:00:01:05 vlan-8 (proxy)

get system arp-table

Use this command to view the ARP tables on the FortiSwitch unit.

Syntax

get system arp-table

Example output

# get system arp-table


== [ 1 ]
id: 1 interface: internal ip: 10.10.10.10 mac: 01:02:03:04:05:aa
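
Static ARP entries are only useful if someone checks that the live table still agrees with them. The following is an added example (not FortiSwitchOS code) that parses both outputs shown above and reports dynamic entries whose MAC differs from the statically configured one, plus any IP address that is seen with more than one MAC. The first two ARP rows and the static entry are the ones from the reference; the last two ARP rows are constructed so that the checks have something to report.

```python
"""Cross-check `get system arp` against `get system arp-table`.

Added example, not FortiSwitchOS code. Output formats are taken from
the reference; the last two dynamic rows are constructed test data.
"""
import re

ARP_SAMPLE = """\
Address Age(min) Hardware Addr Interface

10.105.16.1 0 90:6c:ac:15:2f:94 mgmt
11.1.1.100 - 00:00:5e:00:01:05 vlan-8 (proxy)
10.10.10.10 3 01:02:03:04:05:aa internal
10.10.10.10 0 de:ad:be:ef:00:01 internal
"""

STATIC_SAMPLE = """\
== [ 1 ]
id: 1 interface: internal ip: 10.10.10.10 mac: 01:02:03:04:05:aa
"""

# ip  age-or-dash  mac  interface  [(proxy)]
ARP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f:]{17})\s+(\S+)(\s+\(proxy\))?$")
STATIC_ROW = re.compile(r"id: \d+ interface: (\S+) ip: (\S+) mac: (\S+)")


def parse_arp(text):
    """Return the dynamic ARP entries; the header line does not match ARP_ROW."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue
        ip, age, mac, iface, proxy = m.groups()
        entries.append({
            "ip": ip,
            "age": int(age) if age.isdigit() else None,  # '-' on proxy entries
            "mac": mac.lower(),
            "iface": iface,
            "proxy": proxy is not None,
        })
    return entries


def parse_static(text):
    """Return {(interface, ip): mac} for the configured static entries."""
    static = {}
    for m in STATIC_ROW.finditer(text):
        iface, ip, mac = m.groups()
        static[(iface, ip)] = mac.lower()
    return static


def find_conflicts(dynamic, static):
    """Mismatches against static entries and IPs that resolve to several MACs."""
    findings = []
    macs_by_ip = {}
    for e in dynamic:
        expected = static.get((e["iface"], e["ip"]))
        if expected and expected != e["mac"]:
            findings.append(
                f"{e['ip']} on {e['iface']}: learned {e['mac']} but static entry is {expected}")
        macs_by_ip.setdefault(e["ip"], set()).add(e["mac"])
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(f"{ip}: resolves to several MACs {sorted(macs)}")
    return findings


if __name__ == "__main__":
    for f in find_conflicts(parse_arp(ARP_SAMPLE), parse_static(STATIC_SAMPLE)):
        print(f)
```

An entry marked (proxy) is answered by the switch itself, which is why its age is a dash; the parser keeps that flag so you can exclude proxy entries from duplicate-MAC checks if your design relies on them.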

get system auto-update

Use this command to get information about automatic updates.

Syntax

get system auto-update {status | versions}


Variable Description

status Display the status of automatic updates.

versions Display object versions.

Example output

S524DF4K15000024 # get system auto-update status


FDN availability: unknown at Wed Dec 31 17:00:00 1969

Push update: disable


Scheduled update: enable
Update daily: 1:00
Server override: disable
Push address override: disable
Web proxy tunneling: disable

get system bug-report

Use this command to get information about configuration related to bug reporting. To configure a custom email relay for
sending problem reports to Fortinet customer support, see config system bug-report on page 153.

Syntax

get system bug-report

Example output

S524DF4K15000024 # get system bug-report


auth : no
mailto : fortiswitch@fortinet.com
password : (null)
server : fortinet.com
username : bug_report
username-smtp : bug_report

get system certificate

Use this command to display certificate configuration (CA, CRL, local, OCSP, and remote certificates).

Syntax

get system certificate {ca | crl | local | ocsp | remote}


Variable Description

ca List available CA certificates.

crl Display the certificate revocation lists available.

local List available local keys and certificates.

ocsp Display the OCSP (Online Certificate Status Protocol) server certificate, the action to take when the server is unavailable, and the URL to the OCSP server.

remote List available remote certificates.

Example output

S524DF4K15000024 # get system certificate ca


== [ Fortinet_CA ]
name: Fortinet_CA
== [ Fortinet_CA2 ]
name: Fortinet_CA2
== [ Entrust_802.1x_CA ]
name: Entrust_802.1x_CA
== [ Entrust_802.1x_L1K_CA ]
name: Entrust_802.1x_L1K_CA
== [ Entrust_802.1x_G2_CA ]
name: Entrust_802.1x_G2_CA

S524DF4K15000024 # get system certificate crl


== [ 1 ]
name: 1

S524DF4K15000024 # get system certificate local


== [ Fortinet_Factory ]
name: Fortinet_Factory
== [ Fortinet_Firmware ]
name: Fortinet_Firmware
== [ Entrust_802.1x ]
name: Entrust_802.1x

S524DF4K15000024 # get system certificate ocsp


cert : (null)
unavail-action : revoke
url : (null)

S524DF4K15000024 # get system certificate remote


== [ 1 ]
name: 1

get system cmdb status

Use this command to view information about configuration management database (CMDB) on the FortiSwitch unit.


Syntax

get system cmdb status

Variable Description

version Version of the CMDB software.

owner id Process identifier of the CMDB server daemon.

update index The updated index shows how many changes have been
made in the CMDB.

config checksum The configuration file version used by FortiManager.

last request pid The last process to access the CMDB.

last request type Type of the last attempted access of the CMDB.

last request The number of the last attempted access of the CMDB.

Example output

# get system cmdb status


version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78

get system console

Use this command to get information about the console connection. To configure the console, see config system
console on page 158.

Syntax

get system console

Example output

S524DF4K15000024 # get system console


baudrate : 115200
mode : line
output : more


get system dns

Use this command to get information about the DNS settings. To configure DNS, see config system dns on page 164.

Syntax

get system dns

Example output

S524DF4K15000024 # get system dns


primary : 208.91.112.53
secondary : 208.91.112.52
domain : (null)
ip6-primary : ::
ip6-secondary : ::
dns-cache-limit : 5000
dns-cache-ttl : 1800
cache-notfound-responses: disable
source-ip : 0.0.0.0

get system flow-export

Use this command to display the flow-export configuration. To configure flow export, see config system flow-export on
page 165.

Syntax

get system flow-export

Example output

S524DF4K15000024 # get system flow-export


aggregates:
collector-ip : 0.0.0.0
collector-port : 0
format : ipfix
identity : 0x00000000
level : ip
max-export-pkt-size : 512
timeout-general : 3600
timeout-icmp : 300
timeout-max : 604800
timeout-tcp : 3600
timeout-tcp-fin : 300
timeout-tcp-rst : 120


timeout-udp : 300
transport : tcp

get system flow-export-data

Use this command to display the flow-export data. To configure flow export, see config system flow-export on page 165.

Syntax

get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data statistics

NOTE: Layer-2 flows for netflow 1 and netflow 5 are not supported. For the output of the get system flow-
export-data statistics command, the Incompatible Type field displays how many flows are not exported
because they are not supported.

Variable Description

flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name> Display the specified number of records or all records of flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.

flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name> Display the specified number of records or all records of raw flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.

statistics Display the statistics for the flow data.

get system fsw-cloud

Use this command to display the configuration of the FortiSwitch Cloud. To configure the FortiSwitch Cloud, see config
system fsw-cloud on page 168.

Syntax

get system fsw-cloud

Example output

S524DF4K15000024 # get system fsw-cloud

interval : 15


name : fortiswitch-dispatch.forticloud.com
port : 443
status : enable

get system fsw-cloud-mgr connection-info

Use this command to check your connections to the FortiSwitch Cloud.

Syntax

get system fsw-cloud-mgr connection-info

Example output

S1D243Z14000027 # get system fsw-cloud-mgr connection-info

Dispatch Service : IP= xx.xxx.xxx.xx


Access Service : IP= xx.xxx.xxx.xxx, Port= 443, Connected on: 2017-10-25 18:03:33
State-Machine : State= FSMGR_STATE_READY, Event= EV_READY_HBEAT_GOOD

Bootstrap Service : hostname= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com, Port= 8000


Bootstrap State : State= OK, api-ver= v1

SSL verify Code : ok


SSL Tunnel Uptime : Days: 0 Hours: 20 Mins: 5
SSL Tunnel stats : restart-count= 5, Reason= HTTP Response data error

Stats:
========
Switch Keep Alive Tx/Reply := 2408 / 2408
Manager Keep Alive Rx/Error := 2410 / 0

Socks Req Rx/Last Stream-ID := 10131 / 490


Reset Req Rx/last Stream-ID := 247 / 490
Goaway Req Rx := 0
Unknown Req Rx := 0

Syslog Tx/Err := 199 / 0

Used SOCKS stream-id:


=======================
SID SockFd State Description
___ ______ _____ _______________
5 0 DATA SYSLOG DATA


get system global

Use this command to get the global settings of your FortiSwitch unit. To configure global settings, see config system global
on page 169.

Syntax

get system global

Example output

S524DF4K15000024 # get system global


802.1x-ca-certificate: Entrust_802.1x_CA
802.1x-certificate : Entrust_802.1x
admin-concurrent : enable
admin-https-pki-required: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-port : 80
admin-scp : disable
admin-server-cert : Fortinet_Firmware
admin-sport : 443
admin-ssh-grace-time: 120
admin-ssh-port : 22
admin-ssh-v1 : disable
admin-telnet-port : 23
admintimeout : 5
allow-subnet-overlap: disable
asset-tag : (null)
cfg-save : automatic
csr-ca-attribute : enable
daily-restart : disable
detect-ip-conflict : enable
dst : enable
gui-lines-per-page : 50
hostname : S524DF4K15000024
image-rotation : disable
kernel-crashlog : enable
language : english
ldapconntimeout : 500
radius-port : 1812
refresh : 0
remoteauthtimeout : 5
revision-backup-on-logout: enable
revision-backup-on-upgrade: enable
strong-crypto : disable
switch-mgmt-mode : local
timezone : (GMT-8:00)Pacific Time(US&Canada).
user-server-cert : Fortinet_Factory
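
Several of the values above are the ones a hardening review looks at first: admin-ssh-v1, strong-crypto, the offered TLS versions for HTTPS administration, the lockout threshold and the idle timeout. The following is an added example (not FortiSwitchOS code) that parses the key : value format shown above into a dict and evaluates a small set of checks against a subset of those values. The thresholds and the choice of checks are this example's own, not Fortinet guidance; adjust them to your policy.

```python
"""Hardening review of `get system global` output.

Added example, not FortiSwitchOS code. Parses 'key : value' lines and
evaluates example checks; thresholds are illustrative choices.
"""

# Subset of the output above, values unchanged.
SAMPLE = """\
admin-concurrent : enable
admin-https-pki-required: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-port : 80
admin-ssh-port : 22
admin-ssh-v1 : disable
admin-telnet-port : 23
admintimeout : 5
strong-crypto : disable
timezone : (GMT-8:00)Pacific Time(US&Canada).
"""


def parse_kv(text):
    """Split each line on its first colon only; values such as the timezone keep later colons."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def _no_legacy_tls(value):
    """Acceptable only if neither TLS 1.0 nor TLS 1.1 is among the offered versions."""
    return not ({"tlsv1", "tlsv1-1"} & set(value.split()))


def _int_at_most(limit):
    return lambda v: v.isdigit() and int(v) <= limit


# (setting, predicate returning True when the value is acceptable, rationale)
CHECKS = [
    ("admin-ssh-v1", lambda v: v == "disable",
     "SSH protocol 1 must stay disabled"),
    ("strong-crypto", lambda v: v == "enable",
     "strong-crypto restricts administrative services to strong ciphers"),
    ("admin-https-ssl-versions", _no_legacy_tls,
     "do not offer TLS 1.0/1.1 for HTTPS administration"),
    ("admin-lockout-threshold", _int_at_most(5),
     "lock the account after a small number of failed logins"),
    ("admintimeout", _int_at_most(15),
     "idle administrative sessions should expire quickly"),
]


def audit_global(settings):
    """Return (setting, observed value, rationale) for every failed check."""
    failures = []
    for key, acceptable, why in CHECKS:
        value = settings.get(key)
        if value is None:
            failures.append((key, "<missing>", why))
        elif not acceptable(value):
            failures.append((key, value, why))
    return failures


if __name__ == "__main__":
    for key, value, why in audit_global(parse_kv(SAMPLE)):
        print(f"FAIL {key} = {value}: {why}")
```

Note what this output cannot tell you: admin-port and admin-telnet-port only define port numbers. Whether HTTP or Telnet is actually reachable on a given interface depends on that interface's access settings, which this command does not display, so a port audit has to look at the interface configuration as well.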


get system info admin ssh

Use this command to display information about the SSH configuration on the FortiSwitch unit such as:
l the SSH port number
l the interfaces with SSH enabled
l the hostkey DSA fingerprint
l the hostkey RSA fingerprint

Syntax

get system info admin ssh

Example output

# get system info admin ssh


SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
mgmt
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
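
The fingerprints above are what an operator compares against the value their SSH client presents on first connection; a mismatch means the client is not talking to this switch. The following is an added example (not FortiSwitchOS code) that parses the output shown above and computes the same colon-separated MD5 fingerprint format from a known_hosts entry so the two can be compared. The known_hosts line and its key blob are constructed; only the output format comes from the page.

```python
"""Check an SSH host-key fingerprint reported by `get system info admin ssh`.

Added example, not FortiSwitchOS code. The known_hosts entry is
constructed test data; the fingerprint format (MD5 as colon-separated
hex pairs) is the one shown in the reference output.
"""
import base64
import hashlib
import re

# Copied from the example output above.
SAMPLE = """\
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
mgmt
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
"""

FP_LINE = re.compile(r"SSH hostkey (\w+) fingerprint = ([0-9a-fA-F:]+)")


def parse_ssh_info(text):
    """Return the SSH port, the interfaces with SSH enabled, and fingerprints by key type."""
    info = {"port": None, "interfaces": [], "fingerprints": {}}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = re.match(r"SSH v2 is enabled on port (\d+)", line)
        if m:
            info["port"] = int(m.group(1))
        m = re.match(r"SSH is enabled on the following (\d+) interfaces:", line)
        if m:
            count = int(m.group(1))  # the next `count` lines name the interfaces
            info["interfaces"] = [l.strip() for l in lines[i + 1:i + 1 + count]]
            i += count
        m = FP_LINE.match(line)
        if m:
            info["fingerprints"][m.group(1)] = m.group(2).lower()
        i += 1
    return info


def md5_fingerprint(key_blob: bytes) -> str:
    """MD5 of the raw public-key blob as 16 colon-separated hex pairs."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[j:j + 2] for j in range(0, 32, 2))


def make_known_hosts_line(host: str, key_type: str, key_blob: bytes) -> str:
    """Build a known_hosts entry: '<host> <keytype> <base64 blob>' (constructed data)."""
    return f"{host} {key_type} {base64.b64encode(key_blob).decode()}"


def fingerprint_from_known_hosts(line: str) -> str:
    """Fingerprint of the key stored in a known_hosts entry."""
    _host, _key_type, blob = line.split()[:3]
    return md5_fingerprint(base64.b64decode(blob))


def fingerprint_matches(switch_fp: str, other_fp: str) -> bool:
    return switch_fp.lower() == other_fp.lower()


if __name__ == "__main__":
    info = parse_ssh_info(SAMPLE)
    line = make_known_hosts_line("172.20.120.148", "ssh-rsa", b"constructed-key-blob")
    client_fp = fingerprint_from_known_hosts(line)
    print("switch RSA:", info["fingerprints"]["RSA"])
    print("client    :", client_fp)
    print("match:", fingerprint_matches(info["fingerprints"]["RSA"], client_fp))
```

Newer SSH clients display SHA-256 fingerprints by default; ask the client for the MD5 form (OpenSSH: ssh-keygen -E md5) before comparing with the value the switch prints.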

get system info admin status

Use this command to display administrators that are logged into the FortiSwitch unit.

Syntax

get system info admin status

Variable Description

Index The order the administrators logged in.

User name The name of the user account logged in.

Login type Which interface was used to log in.

From The IP address this user logged in from.

Example output

Index User name Login type From


0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16


get system interface physical

Use this command to list information about the physical network interfaces.

Syntax

get system interface physical

Example output

S524DF4K15000024 # get system interface physical

== [onboard]
==[internal]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: up
speed: n/a (Duplex: n/a)
rx : 0 bytes 0 packets
tx : 8405158 bytes 160742 packets
==[mgmt]
mode: dhcp
ip: 10.105.19.3 255.255.252.0
ipv6: ::/0
status: up
speed: 1000Mbps (Duplex: full)
rx : 11558117 bytes 85986 packets
tx : 7048800 bytes 39380 packet

get system ipv6-neighbor-cache

Use this command to list information about the IPv6 neighbor cache table. To configure the IPv6 neighbor cache table,
see config system ipv6-neighbor-cache on page 186.

Syntax

get system ipv6-neighbor-cache

get system link-monitor

Use this command to list the link health monitor settings for the physical network interfaces. To configure the link health
monitor, see config system link-monitor on page 187.


Syntax

get system link-monitor

get system location

Use this command to get information about the location table used by LLDP-MED for enhanced 911 emergency calls.
To configure a location table, see config system location on page 188.

Syntax

get system location

Example output

S548DF5018000776 # get system location


== [ Fortinet ]
name: Fortinet

get system ntp

Use this command to get information about the NTP settings. To configure an NTP server, see config system ntp on
page 192.

Syntax

get system ntp

Example output

ntpserver:
== [ 1 ]
id: 1
== [ 2 ]
id: 2
ntpsync : enable
source-ip : 0.0.0.0
syncinterval : 1


get system password-policy

Use this command to view the password policy. To create a password policy, see config system password-policy on
page 193.

Syntax

get system password-policy

Example output

# get system password-policy


status : enable
apply-to : admin-password
minimum-length : 8
min-lower-case-letter: 2
min-upper-case-letter: 2
min-non-alphanumeric: 0
min-number : 2

change-4-characters : disable

expire-status : disable
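
The policy output above defines the minimums an administrator password must meet, but the command gives no way to test a candidate against them before a change is made. The following is an added example (not FortiSwitchOS code) that parses the output shown above and reports which minimums a password fails. The interpretation of change-4-characters used here (at least four character positions must differ from the previous password) is this example's assumption, and expire-status is not modelled.

```python
"""Evaluate a candidate password against `get system password-policy` output.

Added example, not FortiSwitchOS code. The change-4-characters rule is
interpreted as 'at least four positions differ from the old password',
which is an assumption of this example.
"""

# Copied from the example output above.
SAMPLE = """\
status : enable
apply-to : admin-password
minimum-length : 8
min-lower-case-letter: 2
min-upper-case-letter: 2
min-non-alphanumeric: 0
min-number : 2
change-4-characters : disable
expire-status : disable
"""


def parse_policy(text):
    """Split each 'key : value' line on its first colon."""
    policy = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy[key.strip()] = value.strip()
    return policy


def _count(pred, s):
    return sum(1 for ch in s if pred(ch))


def differing_positions(new, old):
    """Positions whose characters differ, plus any difference in length (assumption)."""
    return sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))


def check_password(policy, new, old=None):
    """Return the names of the policy settings the candidate password violates."""
    if policy.get("status") != "enable":
        return []  # policy not enforced
    counts = [
        ("minimum-length", len(new)),
        ("min-lower-case-letter", _count(str.islower, new)),
        ("min-upper-case-letter", _count(str.isupper, new)),
        ("min-number", _count(str.isdigit, new)),
        ("min-non-alphanumeric", _count(lambda c: not c.isalnum(), new)),
    ]
    violations = [key for key, have in counts if have < int(policy.get(key, 0))]
    if policy.get("change-4-characters") == "enable" and old is not None:
        if differing_positions(new, old) < 4:
            violations.append("change-4-characters")
    return violations


if __name__ == "__main__":
    policy = parse_policy(SAMPLE)
    for candidate in ["Passw0rd1", "PAssw0rd12"]:
        print(candidate, "->", check_password(policy, candidate) or "ok")
```

Running the same check in a pre-change script catches the usual failure mode, a password that is long enough but short on one character class, before the CLI rejects it.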

get system performance firewall statistics

Use this command to display a list of traffic types (such as browsing, email, and DNS) and the number of packets and
number of payload bytes accepted by the firewall for each type since the system was restarted.

Syntax

get system performance firewall statistics

Example output

get system performance firewall statistics


getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes


Generic TCP: 266287972352 packets, 8521215115264 bytes


Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes

get system performance status

Use this command to display FortiSwitch CPU usage, memory usage, network usage, sessions, virus, IPS attacks, and
system up time.

Syntax

get system performance status

Example output

S524DF4K15000024 # get system performance status

CPU states: 0% user 16% system 0% nice 84% idle


Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 0 days, 22 hours, 5 minutes

Variable Description

CPU states The percentages of CPU cycles used by the user, system, nice, and idle categories of processes. These categories are:
user - CPU usage of normal user-space processes
system - CPU usage of the kernel
nice - CPU usage of user-space processes having other-than-normal running priority
idle - idle CPU cycles
Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.

Memory states The percentage of memory used.

Average network usage The average amount of network traffic in kbps in the last 1, 10 and 30
minutes.

Uptime How long since the system has been restarted.

get system performance top

Use this command to display the list of processes running on the system (similar to the Linux top command).
The following commands are available when get system performance top is running:


l Press Q or Ctrl+C to quit.
l Press P to sort the processes by the amount of CPU that the processes are using.
l Press M to sort the processes by the amount of memory that the processes are using.

Syntax

get system performance top [<delay_int> [<max_lines_int>]]

Variable Description

<delay_int> The delay, in seconds, between updating the process list. The default is 5 seconds.

<max_lines_int> The maximum number of processes displayed in the output. The default is 20 lines.

Example output

S524DF4K15000024 # get system performance top

Run Time: 0 days, 22 hours and 13 minutes


0U, 7S, 93I; 1978T, 1684F
newcli 3424 R < 0.1 0.4
pyfcgid 770 S 0.0 0.7
pyfcgid 898 S 0.0 0.7
pyfcgid 899 S 0.0 0.7
cmdbsvr 610 S 0.0 0.6
httpsd 771 S 0.0 0.6
httpsd 1998 S 0.0 0.5
httpsd 901 S 0.0 0.5
miglogd 773 S 0.0 0.5
initXXXXXXXXXXX 1 S 0.0 0.5
newcli 1040 S < 0.0 0.5
ipconflictd 799 S 0.0 0.5
httpsd 900 S 0.0 0.4
fsmgrd 806 S 0.0 0.4
lldpmedd 800 S 0.0 0.4
eap_proxy 804 S 0.0 0.4
authd 803 S 0.0 0.4
router_launcher 768 S 0.0 0.4
sshd 790 S 0.0 0.4
stpd 795 S 0.0 0.4

get system schedule group

Use this command to list available schedule groups for when an access control list (ACL) will be active. To configure a
schedule group, see config system schedule group on page 195.

Syntax

get system schedule group


Example output

S548DF5018000776 # get system schedule group


== [ group1 ]
name: group1

get system schedule onetime

Use this command to list available one-time schedules for when an access control list (ACL) will be active. To configure
a one-time schedule, see config system schedule onetime on page 195.

Syntax

get system schedule onetime

Example output

S548DF5018000776 # get system schedule onetime


== [ schedule1 ]
name: schedule1

get system schedule recurring

Use this command to list schedules for when an access control list (ACL) will be active every week. To configure a
recurring schedule, see config system schedule recurring on page 196.

Syntax

get system schedule recurring

Example output

S548DF5018000776 # get system schedule recurring


== [ schedule2 ]
name: schedule2

get system settings

Use this command to get information about equal cost multi-path (ECMP) routing. To configure ECMP routing, see
config system settings on page 197.


Syntax

get system settings

Example output

#get system settings


v4-ecmp-mode : source-ip-based

get system sflow

Use this command to display the sFlow settings. To configure sFlow, see config system sflow on page 198.

Syntax

get system sflow

Example output

S524DF4K15000024 # get system sflow


collector-ip : 0.0.0.0
collector-port : 6343

get system sniffer-profile capture

Use this command to display the packet capture for a specific packet-capture profile. To create a packet-capture profile,
see config system sniffer-profile on page 198.

Syntax

get system sniffer-profile capture <profile_name>

get system sniffer-profile summary

Use this command to display the status of all configured packet-capture profiles. To create a packet-capture profile, see
config system sniffer-profile on page 198.

Syntax

get system sniffer-profile summary


Example output

S524DF4K15000024 # get system sniffer-profile summary

Maximum memory available for storing packet-capture: 100 MB.

Name | Status | Pkt-Count |Snap Len | Size (KB) | Filter


=========================================================================================
profile1 | Stop | No Capture | 100 | 0.00 | none

get system snmp sysinfo

Use this command to get information about your system’s SNMP settings. To configure the SNMP agent, see config
system snmp sysinfo on page 201.

Syntax

get system snmp sysinfo

Example output

S524DF4K15000024 # get system snmp sysinfo

contact-info : (null)
description : (null)
engine-id : (null)
location : (null)
status : disable
trap-high-cpu-threshold: 80
trap-log-full-threshold: 90
trap-low-memory-threshold: 80
trap-temp-alarm-threshold: 60
trap-temp-warning-threshold: 50

get system source-ip status

Use this command to list defined source IP addresses.

Syntax

get system source-ip status

Example output

# get sys source-ip status


The following services force their communication to use a specific source IP address:

service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101

get system startup-error-log

Use this command to display information about system startup errors. This command only displays information if an
error occurs when the system starts up.

Syntax

get system startup-error-log

get system status

Use this command to display FortiSwitch status information including:


l firmware version, build number, and branch point
l serial number
l host name
l system time and date and related settings

Syntax

get system status

Example output

S524DF4K15000024 # get system status

Version: FortiSwitch-524D-FPOE v3.6.2,build0382,170829 (GA)


Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International


Branch point: 382


System time: Tue Sep 12 16:16:40 2017

get test

Use this command to display information about applications on this FortiSwitch unit:

Syntax

get test {dnsproxy | fpmd | radiusd | sflowd | snmpd} <test_level_int>

Variable Description

{dnsproxy | fpmd | radiusd | sflowd | snmpd} Set the application to be tested. Tests can be run on the following applications:
l dnsproxy — DNS proxy
l fpmd — FPM daemon
l radiusd — RADIUS daemon
l sflowd — sFlow daemon
l snmpd — SNMP daemon

<test_level_int> Set the level for the test.

Example output

S524DF4K15000024 # get test fpmd 1


ROUTE_V4_ADD : 9
INTF_V4_ADDR_ADD : 14
ROUTE_V4_MGMT_FWD_DISABLED : 4
ROUTE_ADD_INVALID_FAMILY : 3
ROUTE_ADD_INET127 : 1

S524DF4K15000024 # get test sflowd 1


cmf sflow collector:0.0.0.0:[6343]
sflowd collector:0.0.0.0:[6343]

get user group

Use this command to list all user groups. To add a user group, see config user group on page 204.

Syntax

get user group


Example output

S524DF4K15000024 # get user group


== [ group1 ]
name: group1
== [ radgroup ]
name: radgroup

get user ldap

Use this command to list LDAP users. To add an LDAP user, see config user ldap on page 206.

Syntax

get user ldap

get user local

Use this command to list local users. To add a local user, see config user local on page 207.

Syntax

get user local

Example output

S524DF4K15000024 # get user local

== [ user1 ]
name: user1

get user radius

Use this command to list RADIUS users. To add a RADIUS user, see config user radius on page 210.

Syntax

get user radius


Example output

S524DF4K15000024 # get user radius

== [ serve2 ]
name: serve2
== [ radone ]
name: radone

get user setting

Use this command to get information about all the system’s user settings.

Syntax

get user setting

Example output

S524DF4K15000024 # get user setting

auth-blackout-time : 0
auth-cert : (null)
auth-http-basic : disable
auth-invalid-max : 5
auth-multi-group : enable
auth-ports:
== [ 1 ]
id: 1
auth-secure-http : disable
auth-timeout : 5
auth-timeout-type : idle-timeout
auth-type : http https ftp telnet

get user tacacs+

Use this command to get information about tacacs+ users.

Syntax

get user tacacs+


Example output

S524DF4K15000024 # get user tacacs+

== [ tacserver ]
name: tacserver

Appendix: FortiSwitch QoS template

The following is a template for setting up QoS on a FortiSwitch unit:


config switch qos dot1p-map
edit "voice-dot1p"
set priority-0 queue-4
set priority-1 queue-4
set priority-2 queue-3
set priority-3 queue-2
set priority-4 queue-3
set priority-5 queue-1
set priority-6 queue-2
set priority-7 queue-2
next
end

config switch qos ip-dscp-map


edit "voice-dscp"
config map
edit "1"
set cos-queue 1
set value 46
next
edit "2"
set cos-queue 2
set value 24,26,48,56
next
edit "5"
set cos-queue 3
set value 34
next
end
next
end

config switch qos qos-policy


edit "default" // you can ignore this portion, this is default policy
config cos-queue
edit "queue-0"
next
edit "queue-1"
next
edit "queue-2"
next
edit "queue-3"
next
edit "queue-4"
next
edit "queue-5"
next
edit "queue-6"
next


edit "queue-7"
next
end
set schedule round-robin
next
edit "voice_egr_policy"
config cos-queue
edit "queue-0"
next
edit "queue-1"
set weight 0
next
edit "queue-2"
set weight 6
next
edit "queue-3"
set weight 37
next
edit "queue-4"
set weight 12
next
edit "queue-5"
next
edit "queue-6"
next
edit "queue-7"
next
end
set schedule weighted
next
end

edit "port5"
...
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
next
edit "port6"
...
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
next
edit "port7"
...
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
next
end

edit "port14"
...
set qos-policy "voice_egr_policy"
end

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
Item Documento Pagina Url
SWITCH DE ACESSO – ITEM 1:
ESPECIFICAÇÕES TÉCNICAS:
Mínimo de 48 interfaces de 1Gbps RJ-45 FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Mínimo de 4 interfaces de 1Gbps RJ-45 SFP FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Possui interface de console RJ-45 FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Tamanho de 1U para montagem em Rack, deve acompanhar todos os itens para fixação. FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Capacidade de switching de 104 Gbps FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Suportar 155 Mpps FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
MAC address storage mínimo de 16K FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf

Latencia máxima de 4 μs FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf

Suportar Agregação de links com até 8 elementos FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf

Ofereça suporte a pelo menos 16 grupos de agregação de link FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf


Buffers de pacote de pelo menos 1,5 MB FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Memória DRAM de pelo menos 256 MB FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Flash de pelo menos 64 MB FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
MTBF superior a 140 mil horas FortiSwitch_Secure_Access_Series.pdf 7 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Temperatura de operação pelo menos na faixa de 0 a 45 ºC FortiSwitch_Secure_Access_Series.pdf 8 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
CHARACTERISTICS:
Administration Features
The switch must accept firmware updates | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 38 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
PoE switches must be able to enable or disable the PoE function | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 80 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support detection and notification of IP address conflicts | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 64 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support cloud management | FortiSwitch_Secure_Access_Series.pdf | 2 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf ; FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 323 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support administration over IPv4 and IPv6 | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Telnet / SSH for console access | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support HTTP / HTTPS | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support SNMP v1/v2c/v3 | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 58 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must allow the clock to be set from an NTP server | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 35-36 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must provide a standard command-line interface and a web configuration interface | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 80-81 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; FortiSwitchOS-6.4.3-CLI_Reference.pdf | 14 | http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
Must support software updates via TFTP/FTP/GUI | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 38 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; FortiSwitchOS-6.4.3-CLI_Reference.pdf | 322 | http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
Must support an HTTP REST API for configuration and monitoring | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 14-15,17 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
The access switch must be managed by a centralized controller from the same manufacturer as the FortiGate firewall already in use at SEINFRA | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 14-15 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must carry a warranty of at least 36 months | As per Commercial Proposal | ** | **
LAYER 2 FEATURES
Must support static link aggregation | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support LACP | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support Spanning Tree | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support jumbo frames | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support port speed and duplex auto-negotiation | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1D MAC Bridging/STP standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the STP Root Guard function | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support STP BPDU Guard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Edge Port / Port Fast | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1Q VLAN Tagging standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3ad Link Aggregation standard with LACP | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must be able to balance unicast/multicast traffic across the same trunk port (dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac) | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1AX Link Aggregation standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Spanning Tree instances (MSTP/CST) | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3x Flow Control standard with back-pressure | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3 10Base-T standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3u 100Base-TX standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3z 1000Base-SX/LX standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3ab 1000Base-T standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3 CSMA/CD access method and physical layer specifications | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must provide the Storm Control function | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support creation of MAC-based, IP-based and Ethertype-based VLANs | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support 4094 simultaneous VLANs | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 70-71 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3 ; FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 95-96 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Emergency Location Identification Numbers (ELINs) in LLDP-MED | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 128 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support PoE negotiation via LLDP-MED | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 81-82,126 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must be able to limit the number of MAC addresses learned per port. | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 89 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must allow at least 15 MSTP instances | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must allow broadcast Storm Control to be set independently on each port | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 164-165 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support a loop detection and prevention mechanism | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support SPAN | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 144 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RSPAN and ERSPAN | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 144 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
SUPPORTED RFCS
Must support RFC 2571, which describes the SNMP architecture | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 58 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support DHCP client | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 176-177 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; Suportar_DHCP_Client.pdf | ** | Fig_DHCP_Client
Must support RFC 854, which specifies the TELNET protocol | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 349 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 2865 (RADIUS) | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 349 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 1643, which defines the managed objects for Ethernet-like interfaces | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 348 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 1213 (MIB-II) | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 348 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 1354 - IP Forwarding Table MIB | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 348 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 2572, which covers SNMP message processing and dispatching | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 350 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 1573 SNMP MIB II | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 348 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 1157 SNMPv1/v2c | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 350 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RFC 2030 SNTP | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 349 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
VISIBILITY AND SECURITY FEATURES
Must support Port Mirroring | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 144 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support admin authentication via RFC 2865 RADIUS | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 51,2865 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support the IEEE 802.1x standard, port-based authentication | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1x standard, MAC-based authentication | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1x standard, Guest and Fallback VLAN | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1x standard, MAC Access Bypass (MAB) | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1x standard, Dynamic VLAN Assignment | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1ab Link Layer Discovery Protocol (LLDP) standard | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1ab LLDP-MED standard | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support EAP pass-through | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 295-296 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support device detection | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 98 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support DHCP Snooping | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 18 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support lists of permitted DHCP servers | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 18 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Dynamic ARP Inspection (DAI) | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 18 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Access VLANs | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 18 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Syslog | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 56 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Energy-Efficient Ethernet (EEE) | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 81-83 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
ACCESS SWITCH – ITEM 2:
TECHNICAL SPECIFICATIONS
At least 24 1 Gbps SFP interfaces | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
At least 4 10 Gbps interfaces per the IEEE 802.3ae standard | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Has 1 dedicated management port | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Has an RJ-45 console interface | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
1U rack-mount form factor; must ship with all mounting hardware. | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Switching capacity of 128 Gbps | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support 204 Mpps | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Minimum MAC address storage of 32K | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Routing table of 16k entries | ** | ** | https://docs.fortinet.com/max-value-table ; FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Host table of 16K entries | ** | ** | https://docs.fortinet.com/max-value-table ; FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the dynamic routing protocols OSPF v2, RIPv2 and VRRP | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Maximum latency of 1 μs | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support link aggregation with up to 8 members | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support at least 28 link aggregation groups | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Packet buffers of at least 4 MB | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
DRAM memory of at least 1 GB | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Flash of at least 256 MB | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Internal redundant power supply | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
MTBF above 400,000 hours | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Operating temperature covering at least the range 0 to 45 ºC. | FortiSwitch_Secure_Access_Series.pdf | 15 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
CHARACTERISTICS:
Administration Features
The switch must accept firmware updates | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 38 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
PoE switches must be able to enable or disable the PoE function | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 80 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support detection and notification of IP address conflicts | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 64 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support cloud management | FortiSwitch_Secure_Access_Series.pdf | 2 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf ; FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 323 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support administration over IPv4 and IPv6 | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Telnet / SSH for console access | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support HTTP / HTTPS | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 26-28 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support SNMP v1/v2c/v3 | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 58 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must allow the clock to be set from an NTP server | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 35-36 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must provide a standard command-line interface and a web configuration interface | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 80-81 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; FortiSwitchOS-6.4.3-CLI_Reference.pdf | 14 | http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
Must support software updates via TFTP/FTP/GUI | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 38 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; FortiSwitchOS-6.4.3-CLI_Reference.pdf | 322 | http://docs.fortinet.com/document/fortiswitch/6.4.3/fortiswitchos-cli-reference/608648/introduction
Must support an HTTP REST API for configuration and monitoring | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 14-15,17 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
The access switch must be managed by a centralized controller from the same manufacturer as the FortiGate firewall already in use at SEINFRA | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 14-15 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must carry a warranty of at least 36 months | As per Commercial Proposal | ** | **
HIGH AVAILABILITY FEATURES
Must support Multi-Chassis LAG (MCLAG) | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support STP over Multi-Chassis LAG (MCLAG) | ** | ** | http://docs.fortinet.com/document/fortiswitch/6.4.2/administration-guide/860027/mclag
QUALITY OF SERVICE FEATURES
Must support traffic prioritization based on 802.1p | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support traffic prioritization based on IP TOS/DSCP | FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support traffic marking with 802.1p and/or IP TOS/DSCP | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 199-203 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction ; FortiSwitch_Secure_Access_Series.pdf | 4 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
LAYER 2 FEATURES
Must support static link aggregation | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support LACP | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support Spanning Tree | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 54 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support jumbo frames | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support port speed and duplex auto-negotiation | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1D MAC Bridging/STP standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the STP Root Guard function | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support STP BPDU Guard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Edge Port / Port Fast | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1Q VLAN Tagging standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Private VLAN | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3ad Link Aggregation standard with LACP | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must be able to balance unicast/multicast traffic across the same trunk port (dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac) | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.1AX Link Aggregation standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Spanning Tree instances (MSTP/CST) | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3x Flow Control standard with back-pressure | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3 10Base-T standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3u 100Base-TX standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3z 1000Base-SX/LX standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3ab 1000Base-T standard | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the IEEE 802.3 CSMA/CD access method and physical layer specifications | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must provide the Storm Control function | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support creation of MAC-based, IP-based and Ethertype-based VLANs | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support the Virtual-Wire function | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support Time-Domain Reflectometer (TDR) | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 23 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support 4094 simultaneous VLANs | FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf | 70-71 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3 ; FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 95-96 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support IGMP Snooping | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 19 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support IGMP Proxy and querier | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 19 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support Emergency Location Identification Numbers (ELINs) in LLDP-MED | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 128 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support PoE negotiation via LLDP-MED | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 81-82,126 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must be able to limit the number of MAC addresses learned per port. | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 89 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must allow at least 15 MSTP instances | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must allow broadcast Storm Control to be set independently on each port | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 164-165 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support a loop detection and prevention mechanism | FortiSwitch_Secure_Access_Series.pdf | 3 | https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Must support VLAN Stacking (QinQ) | fortiswitch-v6.4.3-release-notes.pdf | 12 | http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Must support SPAN | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 144 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Must support RSPAN and ERSPAN | FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf | 144 | http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
FUNCIONALIDADES DE CAMADA 3
Deve suportar roteamento estático FortiSwitch_Secure_Access_Series.pdf 3 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deve suportar RIP v2 FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar OSPF v2 FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar VRRP FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
fortiswitch-v6.4.3-release-notes.pdf 13 https://docs.fortinet.com/document/fortiswitch/6.4.3/release-notes
Deve suportar IS-IS ** ** http://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/558620/router-isis
FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3

Deverá suportar BGP ** ** http://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/750736/bgp

FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3

Deverá suportar Bidirectional Forwarding Detection (BFD) FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf


Deverá suportar DHCP Relay FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá Suportar DHCP Server FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 176-177 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 2571 referente a arquitetura do SNMP FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 58 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar DHCP Client FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 176-177 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 854 que especifica o protocolo TELNET FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 349 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 2865 referente ao RADIUS FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 349 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 1643 que possui as definições de objetos gerenciados para interfaces Ethernet-like FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 348 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 1213 referente a MIB-II FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 348 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar a RFC 1354 - IP Forwarding Table MIB FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 348 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar a RFC 2572, referente ao processamento e envio de mensagens SNMP FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 350 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 1573 SNMP MIB II FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 348 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar a RFC 1157 SNMPv1/v2c FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 350 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar a RFC 2030 SNTP FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 349 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
RFCS SUPORTADAS
Deverá suportar Port Mirroring FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 144 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar Autenticação admin pela RFC 2865 RADIUS FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 51,2865 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar o padrão IEEE 802.1x authentication port-based FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1x authentication MAC-based FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1x Guest and Fallback VLAN FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1x MAC Access Bypass (MAB) FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1x Dynamic VLAN Assignment FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar Radius CoA (Change of Authority) FortiSwitch_Secure_Access_Series.pdf 18 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf
Deverá suportar o padrão IEEE 802.1ab Link Layer Discovery Protocol (LLDP) FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf

Deverá suportar o padrão IEEE 802.1ab LLDP-MED FortiSwitch_Secure_Access_Series.pdf 4 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf

Deverá suportar Radius Accounting FortiSwitch_Secure_Access_Series.pdf 18 https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf


Deverá suportar EAP pass-through FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 295-296 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar detecção de dispositivos FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar MAC-IP binding FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
** ** http://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/78606/firewall-ipmacbinding-table
Deve suportar Sflow FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar Flow Export FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar ACLs FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar múltiplas ACLs de entrada FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 153-154 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar agendamentos de ACLs FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar DHCP Snooping FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar listas de servidores DHCP permitidos FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá suportar bloqueio de DHCP FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá permitir Dynamic ARP Inspection (DAI) FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá permitir Access VLANs FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 18 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deverá permitir tagging de tráfego com VLAN ID por meio de ACLs FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 154-155 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
FUNCIONALIDADES DE VISIBILIDADE E SEGURANÇA
Deverá suportar Syslog FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 56 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve conter um sensor de temperatura interno FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 23 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve permitir monitorar a temperatura do dispositivo FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 38,322 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Deve suportar Energy-Efficient Ethernet (EEE) FortiSwitchOS-6.4.3-Administration_Guide—Standalone_Mode.pdf 81-83 http://docs.fortinet.com/document/fortiswitch/6.4.3/administration-guide/790467/introduction
Todos os Switches de acesso devem ser gerenciados por controladora centralizada do mesmo fabricante do Firewall
FortiSwitch-6.4.3-Managed_by_FortiOS_6.4.pdf 14-15 http://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/950458/what-s-new-in-fortios-6-4-3
Fortigate, já em uso pela SEINFRA
Deve possuir garantia de, no mínimo, 36 meses Conforme Proposta Comercial ** **