
CLI Reference

switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

  config switch-controller managed-switch
      Description: Configure FortiSwitch devices that are managed by this FortiGate.
      edit <switch-id>
          set name {string}
          set description {string}
          set switch-profile {string}
          set access-profile {string}
          set fsw-wan1-peer {string}
          set fsw-wan1-admin [discovered|disable|...]
          set fsw-wan2-peer {string}
          set fsw-wan2-admin [discovered|disable|...]
          set poe-pre-standard-detection [enable|disable]
          set poe-detection-type {integer}
          set poe-lldp-detection [enable|disable]
          set directly-connected {integer}
          set version {integer}
          set max-allowed-trunk-members {integer}
          set pre-provisioned {integer}
          set dynamic-capability {integer}
          set switch-device-tag {string}
          set dynamically-discovered {integer}
          set type [virtual|physical]
          set owner-vdom {string}
          set flow-identity {user}
          set staged-image-version {string}
          set delayed-restart-trigger {integer}
          config ports
              Description: Managed-switch port list.
              edit <port-name>
                  set port-owner {string}
                  set switch-id {string}
                  set speed [10half|10full|...]
                  set speed-mask {integer}
                  set status [up|down]
                  set poe-status [enable|disable]
                  set poe-pre-standard-detection [enable|disable]
                  set port-number {integer}
                  set port-prefix-type {integer}
                  set fortilink-port {integer}
                  set poe-capable {integer}
                  set stacking-port {integer}
                  set fiber-port {integer}
                  set flags {integer}
                  set virtual-port {integer}
                  set isl-local-trunk-name {string}
                  set isl-peer-port-name {string}
                  set isl-peer-device-name {string}
                  set fgt-peer-port-name {string}
                  set fgt-peer-device-name {string}
                  set vlan {string}
                  set allowed-vlans-all [enable|disable]
                  set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                  set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                  set type [physical|trunk]
                  set dhcp-snooping [untrusted|trusted]
                  set dhcp-snoop-option82-trust [enable|disable]
                  set arp-inspection-trust [untrusted|trusted]
                  set igmp-snooping [enable|disable]
                  set igmps-flood-reports [enable|disable]
                  set igmps-flood-traffic [enable|disable]
                  set stp-state [enabled|disabled]
                  set stp-root-guard [enabled|disabled]
                  set stp-bpdu-guard [enabled|disabled]
                  set stp-bpdu-guard-timeout {integer}
                  set edge-port [enable|disable]
                  set discard-mode [none|all-untagged|...]
                  set packet-sampler [enabled|disabled]
                  set packet-sample-rate {integer}
                  set sflow-counter-interval {integer}
                  set sample-direction [tx|rx|...]
                  set loop-guard [enabled|disabled]
                  set loop-guard-timeout {integer}
                  set qos-policy {string}
                  set storm-control-policy {string}
                  set port-security-policy {string}
                  set export-to-pool {string}
                  set export-tags <tag-name1>, <tag-name2>, ...
                  set export-to-pool-flag {integer}
                  set learning-limit {integer}
                  set sticky-mac [enable|disable]
                  set lldp-status [disable|rx-only|...]
                  set lldp-profile {string}
                  set export-to {string}
                  set mac-addr {mac-address}
                  set port-selection-criteria [src-mac|dst-mac|...]
                  set description {string}
                  set lacp-speed [slow|fast]
                  set mode [static|lacp-passive|...]
                  set bundle [enable|disable]
                  set member-withdrawal-behavior [forward|block]
                  set mclag [enable|disable]
                  set min-bundle {integer}
                  set max-bundle {integer}
                  set members <member-name1>, <member-name2>, ...
              next
          end
          config stp-settings
              Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
              set local-override [enable|disable]
              set name {string}
              set status [enable|disable]
              set revision {integer}
              set hello-time {integer}
              set forward-time {integer}
              set max-age {integer}
              set max-hops {integer}
              set pending-timer {integer}
          end
          config switch-stp-settings
              Description: Configure spanning tree protocol (STP).
              set status [enable|disable]
          end
          config stp-instance
              Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
              edit <id>
                  set priority [0|4096|...]
              next
          end
          set override-snmp-sysinfo [disable|enable]
          config snmp-sysinfo
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
              set status [disable|enable]
              set engine-id {string}
              set description {string}
              set contact-info {string}
              set location {string}
          end
          set override-snmp-trap-threshold [enable|disable]
          config snmp-trap-threshold
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
              set trap-high-cpu-threshold {integer}
              set trap-low-memory-threshold {integer}
              set trap-log-full-threshold {integer}
          end
          set override-snmp-community [enable|disable]
          config snmp-community
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
              edit <id>
                  set name {string}
                  set status [disable|enable]
                  config hosts
                      Description: Configure IPv4 SNMP managers (hosts).
                      edit <id>
                          set ip {user}
                      next
                  end
                  set query-v1-status [disable|enable]
                  set query-v1-port {integer}
                  set query-v2c-status [disable|enable]
                  set query-v2c-port {integer}
                  set trap-v1-status [disable|enable]
                  set trap-v1-lport {integer}
                  set trap-v1-rport {integer}
                  set trap-v2c-status [disable|enable]
                  set trap-v2c-lport {integer}
                  set trap-v2c-rport {integer}
                  set events {option1}, {option2}, ...
              next
          end
          set override-snmp-user [enable|disable]
          config snmp-user
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
              edit <name>
                  set queries [disable|enable]
                  set query-port {integer}
                  set security-level [no-auth-no-priv|auth-no-priv|...]
                  set auth-proto [md5|sha]
                  set auth-pwd {password}
                  set priv-proto [aes|des]
                  set priv-pwd {password}
              next
          end
          config switch-log
              Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
              set local-override [enable|disable]
              set status [enable|disable]
              set severity [emergency|alert|...]
          end
          config remote-log
              Description: Configure logging by FortiSwitch device to a remote syslog server.
              edit <name>
                  set status [enable|disable]
                  set server {string}
                  set port {integer}
                  set severity [emergency|alert|...]
                  set csv [enable|disable]
                  set facility [kernel|user|...]
              next
          end
          config storm-control
              Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
              set local-override [enable|disable]
              set rate {integer}
              set unknown-unicast [enable|disable]
              set unknown-multicast [enable|disable]
              set broadcast [enable|disable]
          end
          config mirror
              Description: Configuration method to edit FortiSwitch packet mirror.
              edit <name>
                  set status [active|inactive]
                  set switching-packet [enable|disable]
                  set dst {string}
                  set src-ingress <name1>, <name2>, ...
                  set src-egress <name1>, <name2>, ...
              next
          end
          config static-mac
              Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
              edit <id>
                  set type [static|sticky]
                  set vlan {string}
                  set mac {mac-address}
                  set interface {string}
                  set description {string}
              next
          end
          config custom-command
              Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
              edit <command-entry>
                  set command-name {string}
              next
          end
          config igmp-snooping
              Description: Configure FortiSwitch IGMP snooping global settings.
              set local-override [enable|disable]
              set aging-time {integer}
              set flood-unknown-multicast [enable|disable]
          end
          config 802-1X-settings
              Description: Configuration method to edit FortiSwitch 802.1X global settings.
              set local-override [enable|disable]
              set link-down-auth [set-unauth|no-action]
              set reauth-period {integer}
              set max-reauth-attempt {integer}
          end
      next
  end

config switch-controller managed-switch

Parameter Name Description Type Size
name Managed-switch name. string Maximum length: 35
description Description. string Maximum length: 63
switch-profile FortiSwitch profile. string Maximum length: 35
access-profile FortiSwitch access profile. string Maximum length: 31
fsw-wan1-peer FortiSwitch WAN1 peer port. string Maximum length: 35
fsw-wan1-admin FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.
discovered: Link waiting to be authorized.
disable: Link unauthorized.
enable: Link authorized.
option -
fsw-wan2-peer FortiSwitch WAN2 peer port. string Maximum length: 35
fsw-wan2-admin FortiSwitch WAN2 admin status; enable to authorize the FortiSwitch as a managed switch.
discovered: Link waiting to be authorized.
disable: Link unauthorized.
enable: Link authorized.
option -
poe-pre-standard-detection Enable/disable PoE pre-standard detection.
enable: Enable PoE pre-standard detection.
disable: Disable PoE pre-standard detection.
option -
poe-detection-type PoE detection type for FortiSwitch. integer Minimum value: 0 Maximum value: 255
poe-lldp-detection Enable/disable PoE LLDP detection.
enable: Enable PoE LLDP detection.
disable: Disable PoE LLDP detection.
option -
directly-connected Directly connected FortiSwitch. integer Minimum value: 0 Maximum value: 1
version FortiSwitch version. integer Minimum value: 0 Maximum value: 255
max-allowed-trunk-members FortiSwitch maximum allowed trunk members. integer Minimum value: 0 Maximum value: 255
pre-provisioned Pre-provisioned managed switch. integer Minimum value: 0 Maximum value: 255
dynamic-capability List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device. integer Minimum value: 0 Maximum value: 4294967295
switch-device-tag User definable label/tag. string Maximum length: 32
dynamically-discovered Dynamically discovered FortiSwitch. integer Minimum value: 0 Maximum value: 1
type Indication of switch type, physical or virtual.
virtual: Switch is of type virtual.
physical: Switch is of type physical.
option -
owner-vdom VDOM to which the owner of the port belongs. string Maximum length: 31
flow-identity Flow-tracking NetFlow/IPFIX switch identity in hex format (00000000 - FFFFFFFF, default = 0). user Not Specified
staged-image-version Staged image version for FortiSwitch. string Maximum length: 127
delayed-restart-trigger Delayed restart triggered for this FortiSwitch. integer Minimum value: 0 Maximum value: 255
override-snmp-sysinfo Enable/disable overriding the global SNMP system information.
disable: Use the global SNMP system information.
enable: Override the global SNMP system information.
option -
override-snmp-trap-threshold Enable/disable overriding the global SNMP trap threshold values.
enable: Override the global SNMP trap threshold values.
disable: Use the global SNMP trap threshold values.
option -
override-snmp-community Enable/disable overriding the global SNMP communities.
enable: Override the global SNMP communities.
disable: Use the global SNMP communities.
option -
override-snmp-user Enable/disable overriding the global SNMP users.
enable: Override the global SNMPv3 users.
disable: Use the global SNMPv3 users.
option -

config ports

Parameter Name Description Type Size
port-owner Switch port name. string Maximum length: 15
switch-id Switch id. string Maximum length: 16
speed Switch port speed; default and available settings depend on hardware.
10half: 10M half-duplex.
10full: 10M full-duplex.
100half: 100M half-duplex.
100full: 100M full-duplex.
1000auto: Auto-negotiation (1G full-duplex only).
1000fiber: 1G full-duplex (fiber SFPs only)
1000full: 1G full-duplex
10000: 10G full-duplex
40000: 40G full-duplex
auto: Auto-negotiation.
auto-module: Auto Module.
100FX-half: 100Mbps half-duplex. 100Base-FX.
100FX-full: 100Mbps full-duplex. 100Base-FX.
100000full: 100Gbps full-duplex.
2500full: 2.5Gbps full-duplex.
25000full: 25Gbps full-duplex.
50000full: 50Gbps full-duplex.
10000cr: 10Gbps copper interface.
10000sr: 10Gbps SFI interface.
100000sr4: 100Gbps SFI interface.
100000cr4: 100Gbps copper interface.
25000cr4: 25Gbps copper interface.
25000sr4: 25Gbps SFI interface.
5000full: 5Gbps full-duplex.
option -
speed-mask Switch port speed mask. integer Minimum value: 0 Maximum value: 4294967295
status Switch port admin status: up or down.
up: Set admin status up.
down: Set admin status down.
option -
poe-status Enable/disable PoE status.
enable: Enable PoE status.
disable: Disable PoE status.
option -
poe-pre-standard-detection Enable/disable PoE pre-standard detection.
enable: Enable PoE pre-standard detection.
disable: Disable PoE pre-standard detection.
option -
port-number Port number. integer Minimum value: 1 Maximum value: 64
port-prefix-type Port prefix type. integer Minimum value: 0 Maximum value: 1
fortilink-port FortiLink uplink port. integer Minimum value: 0 Maximum value: 1
poe-capable PoE capable. integer Minimum value: 0 Maximum value: 1
stacking-port Stacking port. integer Minimum value: 0 Maximum value: 1
fiber-port Fiber-port. integer Minimum value: 0 Maximum value: 1
flags Port properties flags. integer Minimum value: 0 Maximum value: 4294967295
virtual-port Virtualized switch port. integer Minimum value: 0 Maximum value: 1
isl-local-trunk-name ISL local trunk name. string Maximum length: 15
isl-peer-port-name ISL peer port name. string Maximum length: 15
isl-peer-device-name ISL peer device name. string Maximum length: 16
fgt-peer-port-name FGT peer port name. string Maximum length: 15
fgt-peer-device-name FGT peer device name. string Maximum length: 16
vlan Assign switch ports to a VLAN. string Maximum length: 15
allowed-vlans-all Enable/disable all defined vlans on this port.
enable: Enable all defined VLANs on this port.
disable: Disable all defined VLANs on this port.
option -
allowed-vlans <vlan-name> Configure switch port tagged vlans
VLAN name.
string Maximum length: 79
untagged-vlans <vlan-name> Configure switch port untagged vlans
VLAN name.
string Maximum length: 79
type Interface type: physical or trunk port.
physical: Physical port.
trunk: Trunk port.
option -
dhcp-snooping Trusted or untrusted DHCP-snooping interface.
untrusted: Untrusted DHCP snooping interface.
trusted: Trusted DHCP snooping interface.
option -
dhcp-snoop-option82-trust Enable/disable allowance of DHCP with option-82 on untrusted interface.
enable: Enable allowance of DHCP with option-82 on untrusted interface.
disable: Disable allowance of DHCP with option-82 on untrusted interface.
option -
arp-inspection-trust Trusted or untrusted dynamic ARP inspection.
untrusted: Untrusted dynamic ARP inspection.
trusted: Trusted dynamic ARP inspection.
option -
igmp-snooping Set IGMP snooping mode for the physical port interface.
enable: Interface takes part in IGMP snooping.
disable: Interface does not take part in IGMP snooping.
option -
igmps-flood-reports Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.
enable: Enable flooding of IGMP snooping reports to this interface.
disable: Disable flooding of IGMP snooping reports to this interface.
option -
igmps-flood-traffic Enable/disable flooding of IGMP snooping traffic to this interface.
enable: Enable flooding of IGMP snooping traffic to this interface.
disable: Disable flooding of IGMP snooping traffic to this interface.
option -
stp-state Enable/disable Spanning Tree Protocol (STP) on this interface.
enabled: Enable STP on this interface.
disabled: Disable STP on this interface.
option -
stp-root-guard Enable/disable STP root guard on this interface.
enabled: Enable STP root-guard on this interface.
disabled: Disable STP root-guard on this interface.
option -
stp-bpdu-guard Enable/disable STP BPDU guard on this interface.
enabled: Enable STP BPDU guard on this interface.
disabled: Disable STP BPDU guard on this interface.
option -
stp-bpdu-guard-timeout BPDU Guard disabling protection (0 - 120 min). integer Minimum value: 0 Maximum value: 120
edge-port Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.
enable: Enable this interface as an edge port.
disable: Disable this interface as an edge port.
option -
discard-mode Configure discard mode for port.
none: Discard disabled.
all-untagged: Discard all frames that are untagged.
all-tagged: Discard all frames that are tagged.
option -
packet-sampler Enable/disable packet sampling on this interface.
enabled: Enable packet sampling on this interface.
disabled: Disable packet sampling on this interface.
option -
packet-sample-rate Packet sampling rate (0 - 99999 p/sec). integer Minimum value: 0 Maximum value: 99999
sflow-counter-interval sFlow sampling counter polling interval (0 - 255 sec). integer Minimum value: 0 Maximum value: 255
sample-direction Packet sampling direction.
tx: Monitor transmitted traffic.
rx: Monitor received traffic.
both: Monitor transmitted and received traffic.
option -
loop-guard Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.
enabled: Enable loop-guard on this interface.
disabled: Disable loop-guard on this interface.
option -
loop-guard-timeout Loop-guard timeout (0 - 120 min, default = 45). integer Minimum value: 0 Maximum value: 120
qos-policy Switch controller QoS policy from available options. string Maximum length: 63
storm-control-policy Switch controller storm control policy from available options. string Maximum length: 63
port-security-policy Switch controller authentication policy to apply to this managed switch from available options. string Maximum length: 31
export-to-pool Switch controller export port to pool-list. string Maximum length: 35
export-tags <tag-name> Configure tag name for FortiSwitch port when exported.
FortiSwitch port tag name when exported.
string Maximum length: 63
export-to-pool-flag Switch controller export port to pool-list. integer Minimum value: 0 Maximum value: 1
learning-limit Limit the number of dynamic MAC addresses on this port (1 - 128; 0 = no limit, which is the default). integer Minimum value: 0 Maximum value: 128
sticky-mac Enable or disable sticky-mac on the interface.
enable: Enable sticky mac on the interface.
disable: Disable sticky mac on the interface.
option -
lldp-status LLDP transmit and receive status.
disable: Disable LLDP TX and RX.
rx-only: Enable LLDP as RX only.
tx-only: Enable LLDP as TX only.
tx-rx: Enable LLDP TX and RX.
option -
lldp-profile LLDP port TLV profile. string Maximum length: 63
export-to Export managed-switch port to a tenant VDOM. string Maximum length: 31
mac-addr Port/Trunk MAC. mac-address Not Specified
port-selection-criteria Algorithm for aggregate port selection.
src-mac: Source MAC address.
dst-mac: Destination MAC address.
src-dst-mac: Source and destination MAC address.
src-ip: Source IP address.
dst-ip: Destination IP address.
src-dst-ip: Source and destination IP address.
option -
description Description for port. string Maximum length: 63
lacp-speed Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).
slow: Send LACP message every 30 seconds.
fast: Send LACP message every second.
option -
mode LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.
static: Static aggregation, do not send and ignore any control messages.
lacp-passive: Passively use LACP to negotiate 802.3ad aggregation.
lacp-active: Actively use LACP to negotiate 802.3ad aggregation.
option -
bundle Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
enable: Enable bundling.
disable: Disable bundling.
option -
member-withdrawal-behavior Port behavior after it withdraws because of loss of control packets.
forward: Forward traffic.
block: Block traffic.
option -
mclag Enable/disable multi-chassis link aggregation (MCLAG).
enable: Enable MCLAG.
disable: Disable MCLAG.
option -
min-bundle Minimum size of LAG bundle (1 - 24, default = 1) integer Minimum value: 1 Maximum value: 24
max-bundle Maximum size of LAG bundle (1 - 24, default = 24) integer Minimum value: 1 Maximum value: 24
members <member-name> Aggregated LAG bundle interfaces.
Interface name from available options.
string Maximum length: 79

config stp-settings

Parameter Name Description Type Size
local-override Enable to configure local STP settings that override global STP settings.
enable: Override global STP settings.
disable: Use global STP settings.
option -
name Name of local STP settings configuration. string Maximum length: 31
status Enable/disable STP.
enable: Enable STP.
disable: Disable STP.
option -
revision STP revision number (0 - 65535). integer Minimum value: 0 Maximum value: 65535
hello-time Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2). integer Minimum value: 1 Maximum value: 10
forward-time Period of time a port is in listening and learning state (4 - 30 sec, default = 15). integer Minimum value: 4 Maximum value: 30
max-age Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20). integer Minimum value: 6 Maximum value: 40
max-hops Maximum number of hops between the root bridge and the furthest bridge (1 - 40, default = 20). integer Minimum value: 1 Maximum value: 40
pending-timer Pending time (1 - 15 sec, default = 4). integer Minimum value: 1 Maximum value: 15

config switch-stp-settings

Parameter Name Description Type Size
status Enable/disable STP.
enable: Enable STP.
disable: Disable STP.
option -

config stp-instance

Parameter Name Description Type Size
priority Priority.
0: 0.
4096: 4096.
8192: 8192.
12288: 12288.
16384: 16384.
20480: 20480.
24576: 24576.
28672: 28672.
32768: 32768.
36864: 36864.
40960: 40960.
45056: 45056.
49152: 49152.
53248: 53248.
57344: 57344.
61440: 61440.
option -

config snmp-sysinfo

Parameter Name Description Type Size
status Enable/disable SNMP.
disable: Disable SNMP.
enable: Enable SNMP.
option -
engine-id Local SNMP engine ID string (max 24 char). string Maximum length: 24
description System description. string Maximum length: 35
contact-info Contact information. string Maximum length: 35
location System location. string Maximum length: 35

config snmp-trap-threshold

Parameter Name Description Type Size
trap-high-cpu-threshold CPU usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295
trap-low-memory-threshold Memory usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295
trap-log-full-threshold Log disk usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295

config snmp-community

Parameter Name Description Type Size
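name SNMP community name. SNMP v1 and v2c transmit the community name in cleartext, so it does not protect queries or traps from an on-path observer. string Maximum length: 35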
status Enable/disable this SNMP community.
disable: Disable SNMP community.
enable: Enable SNMP community.
option -
query-v1-status Enable/disable SNMP v1 queries.
disable: Disable SNMP v1 queries.
enable: Enable SNMP v1 queries.
option -
query-v1-port SNMP v1 query port (default = 161). integer Minimum value: 0 Maximum value: 65535
query-v2c-status Enable/disable SNMP v2c queries.
disable: Disable SNMP v2c queries.
enable: Enable SNMP v2c queries.
option -
query-v2c-port SNMP v2c query port (default = 161). integer Minimum value: 0 Maximum value: 65535
trap-v1-status Enable/disable SNMP v1 traps.
disable: Disable SNMP v1 traps.
enable: Enable SNMP v1 traps.
option -
trap-v1-lport SNMP v1 trap local port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v1-rport SNMP v1 trap remote port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v2c-status Enable/disable SNMP v2c traps.
disable: Disable SNMP v2c traps.
enable: Enable SNMP v2c traps.
option -
trap-v2c-lport SNMP v2c trap local port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v2c-rport SNMP v2c trap remote port (default = 162). integer Minimum value: 0 Maximum value: 65535
events SNMP notifications (traps) to send.
cpu-high: Send a trap when CPU usage too high.
mem-low: Send a trap when available memory is low.
log-full: Send a trap when log disk space becomes low.
intf-ip: Send a trap when an interface IP address is changed.
ent-conf-change: Send a trap when an entity MIB change occurs (RFC4133).
option -

config hosts

Parameter Name Description Type Size
ip IPv4 address of the SNMP manager (host). user Not Specified

config snmp-user

Parameter Name Description Type Size
queries Enable/disable SNMP queries for this user.
disable: Disable SNMP queries for this user.
enable: Enable SNMP queries for this user.
option -
query-port SNMPv3 query port (default = 161). integer Minimum value: 0 Maximum value: 65535
security-level Security level for message authentication and encryption.
no-auth-no-priv: Message with no authentication and no privacy (encryption).
auth-no-priv: Message with authentication but no privacy (encryption).
auth-priv: Message with authentication and privacy (encryption).
option -
auth-proto Authentication protocol.
md5: HMAC-MD5-96 authentication protocol (legacy; choose sha unless the SNMP manager supports only MD5).
sha: HMAC-SHA-96 authentication protocol.
option -
auth-pwd Password for authentication protocol. password Not Specified
priv-proto Privacy (encryption) protocol.
aes: CFB128-AES-128 symmetric encryption protocol.
des: CBC-DES symmetric encryption protocol (legacy 56-bit cipher; choose aes unless the SNMP manager supports only DES).
option -
priv-pwd Password for privacy (encryption) protocol. password Not Specified

config switch-log

Parameter Name Description Type Size
local-override Enable to configure local logging settings that override global logging settings.
enable: Override global logging settings.
disable: Use global logging settings.
option -
status Enable/disable adding FortiSwitch logs to the FortiGate event log.
enable: Add FortiSwitch logs to the FortiGate event log.
disable: Do not add FortiSwitch logs to the FortiGate event log.
option -
severity Severity of FortiSwitch logs that are added to the FortiGate event log.
emergency: Emergency level.
alert: Alert level.
critical: Critical level.
error: Error level.
warning: Warning level.
notification: Notification level.
information: Information level.
debug: Debug level.
option -

config remote-log

Parameter Name Description Type Size
status Enable/disable logging by FortiSwitch device to a remote syslog server.
enable: Enable logging by FortiSwitch device to a remote syslog server.
disable: Disable logging by FortiSwitch device to a remote syslog server.
option -
server IPv4 address of the remote syslog server. string Maximum length: 63
port Remote syslog server listening port. integer Minimum value: 0 Maximum value: 65535
severity Severity of logs to be transferred to remote log server.
emergency: Emergency level.
alert: Alert level.
critical: Critical level.
error: Error level.
warning: Warning level.
notification: Notification level.
information: Information level.
debug: Debug level.
option -
csv Enable/disable comma-separated value (CSV) strings.
enable: Enable comma-separated value (CSV) strings.
disable: Disable comma-separated value (CSV) strings.
option -
facility Facility to log to remote syslog server.
kernel: Kernel messages.
user: Random user-level messages.
mail: Mail system.
daemon: System daemons.
auth: Security/authorization messages.
syslog: Messages generated internally by syslogd.
lpr: Line printer subsystem.
news: Network news subsystem.
uucp: UUCP server messages.
cron: Clock daemon.
authpriv: Security/authorization messages (private).
ftp: FTP daemon.
ntp: NTP daemon.
audit: Log audit.
alert: Log alert.
clock: Clock daemon.
local0: Reserved for local use.
local1: Reserved for local use.
local2: Reserved for local use.
local3: Reserved for local use.
local4: Reserved for local use.
local5: Reserved for local use.
local6: Reserved for local use.
local7: Reserved for local use.
option -

config storm-control

Parameter Name Description Type Size
local-override Enable to override global FortiSwitch storm control settings for this FortiSwitch.
enable: Override global storm control settings.
disable: Use global storm control settings.
option -
rate Rate in packets per second at which storm traffic is controlled (1 - 10000000, default = 500). Storm control drops excess traffic data rates beyond this threshold. integer Minimum value: 1 Maximum value: 10000000
unknown-unicast Enable/disable storm control to drop unknown unicast traffic.
enable: Drop unknown unicast traffic.
disable: Allow unknown unicast traffic.
option -
unknown-multicast Enable/disable storm control to drop unknown multicast traffic.
enable: Drop unknown multicast traffic.
disable: Allow unknown multicast traffic.
option -
broadcast Enable/disable storm control to drop broadcast traffic.
enable: Drop broadcast traffic.
disable: Allow broadcast traffic.
option -

config mirror

Parameter Name Description Type Size
status Active/inactive mirror configuration.
active: Activate mirror configuration.
inactive: Deactivate mirror configuration.
option -
switching-packet Enable/disable switching functionality when mirroring.
enable: Enable switching functionality when mirroring.
disable: Disable switching functionality when mirroring.
option -
dst Destination port. string Maximum length: 63
src-ingress <name> Source ingress interfaces.
Interface name.
string Maximum length: 79
src-egress <name> Source egress interfaces.
Interface name.
string Maximum length: 79

config static-mac

Parameter Name Description Type Size
type Type.
static: Static MAC.
sticky: Sticky MAC.
option -
vlan Vlan. string Maximum length: 15
mac MAC address. mac-address Not Specified
interface Interface name. string Maximum length: 35
description Description. string Maximum length: 63

config custom-command

Parameter Name Description Type Size
command-name Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command. string Maximum length: 35

config igmp-snooping

Parameter Name Description Type Size
local-override Enable/disable overriding the global IGMP snooping configuration.
enable: Override the global IGMP snooping configuration.
disable: Use the global IGMP snooping configuration.
option -
aging-time Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300). integer Minimum value: 15 Maximum value: 3600
flood-unknown-multicast Enable/disable unknown multicast flooding.
enable: Enable unknown multicast flooding.
disable: Disable unknown multicast flooding.
option -

config 802-1X-settings

Parameter Name Description Type Size
local-override Enable to override global 802.1X settings on individual FortiSwitches.
enable: Override global 802.1X settings.
disable: Use global 802.1X settings.
option -
link-down-auth Authentication state to set if a link is down.
set-unauth: Interface set to unauth when down. Reauthentication is needed.
no-action: Interface reauthentication is not needed.
option -
reauth-period Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable). integer Minimum value: 1 Maximum value: 1440
max-reauth-attempt Maximum number of authentication attempts (0 - 15, default = 3). integer Minimum value: 0 Maximum value: 15

Configure FortiSwitch devices that are managed by this FortiGate.

  config switch-controller managed-switch
      Description: Configure FortiSwitch devices that are managed by this FortiGate.
      edit <switch-id>
          set name {string}
          set description {string}
          set switch-profile {string}
          set access-profile {string}
          set fsw-wan1-peer {string}
          set fsw-wan1-admin [discovered|disable|...]
          set fsw-wan2-peer {string}
          set fsw-wan2-admin [discovered|disable|...]
          set poe-pre-standard-detection [enable|disable]
          set poe-detection-type {integer}
          set poe-lldp-detection [enable|disable]
          set directly-connected {integer}
          set version {integer}
          set max-allowed-trunk-members {integer}
          set pre-provisioned {integer}
          set dynamic-capability {integer}
          set switch-device-tag {string}
          set dynamically-discovered {integer}
          set type [virtual|physical]
          set owner-vdom {string}
          set flow-identity {user}
          set staged-image-version {string}
          set delayed-restart-trigger {integer}
          config ports
              Description: Managed-switch port list.
              edit <port-name>
                  set port-owner {string}
                  set switch-id {string}
                  set speed [10half|10full|...]
                  set speed-mask {integer}
                  set status [up|down]
                  set poe-status [enable|disable]
                  set poe-pre-standard-detection [enable|disable]
                  set port-number {integer}
                  set port-prefix-type {integer}
                  set fortilink-port {integer}
                  set poe-capable {integer}
                  set stacking-port {integer}
                  set fiber-port {integer}
                  set flags {integer}
                  set virtual-port {integer}
                  set isl-local-trunk-name {string}
                  set isl-peer-port-name {string}
                  set isl-peer-device-name {string}
                  set fgt-peer-port-name {string}
                  set fgt-peer-device-name {string}
                  set vlan {string}
                  set allowed-vlans-all [enable|disable]
                  set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                  set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                  set type [physical|trunk]
                  set dhcp-snooping [untrusted|trusted]
                  set dhcp-snoop-option82-trust [enable|disable]
                  set arp-inspection-trust [untrusted|trusted]
                  set igmp-snooping [enable|disable]
                  set igmps-flood-reports [enable|disable]
                  set igmps-flood-traffic [enable|disable]
                  set stp-state [enabled|disabled]
                  set stp-root-guard [enabled|disabled]
                  set stp-bpdu-guard [enabled|disabled]
                  set stp-bpdu-guard-timeout {integer}
                  set edge-port [enable|disable]
                  set discard-mode [none|all-untagged|...]
                  set packet-sampler [enabled|disabled]
                  set packet-sample-rate {integer}
                  set sflow-counter-interval {integer}
                  set sample-direction [tx|rx|...]
                  set loop-guard [enabled|disabled]
                  set loop-guard-timeout {integer}
                  set qos-policy {string}
                  set storm-control-policy {string}
                  set port-security-policy {string}
                  set export-to-pool {string}
                  set export-tags <tag-name1>, <tag-name2>, ...
                  set export-to-pool-flag {integer}
                  set learning-limit {integer}
                  set sticky-mac [enable|disable]
                  set lldp-status [disable|rx-only|...]
                  set lldp-profile {string}
                  set export-to {string}
                  set mac-addr {mac-address}
                  set port-selection-criteria [src-mac|dst-mac|...]
                  set description {string}
                  set lacp-speed [slow|fast]
                  set mode [static|lacp-passive|...]
                  set bundle [enable|disable]
                  set member-withdrawal-behavior [forward|block]
                  set mclag [enable|disable]
                  set min-bundle {integer}
                  set max-bundle {integer}
                  set members <member-name1>, <member-name2>, ...
              next
          end
          config stp-settings
              Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
              set local-override [enable|disable]
              set name {string}
              set status [enable|disable]
              set revision {integer}
              set hello-time {integer}
              set forward-time {integer}
              set max-age {integer}
              set max-hops {integer}
              set pending-timer {integer}
          end
          config switch-stp-settings
              Description: Configure spanning tree protocol (STP).
              set status [enable|disable]
          end
          config stp-instance
              Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
              edit <id>
                  set priority [0|4096|...]
              next
          end
          set override-snmp-sysinfo [disable|enable]
          config snmp-sysinfo
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
              set status [disable|enable]
              set engine-id {string}
              set description {string}
              set contact-info {string}
              set location {string}
          end
          set override-snmp-trap-threshold [enable|disable]
          config snmp-trap-threshold
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
              set trap-high-cpu-threshold {integer}
              set trap-low-memory-threshold {integer}
              set trap-log-full-threshold {integer}
          end
          set override-snmp-community [enable|disable]
          config snmp-community
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
              edit <id>
                  set name {string}
                  set status [disable|enable]
                  config hosts
                      Description: Configure IPv4 SNMP managers (hosts).
                      edit <id>
                          set ip {user}
                      next
                  end
                  set query-v1-status [disable|enable]
                  set query-v1-port {integer}
                  set query-v2c-status [disable|enable]
                  set query-v2c-port {integer}
                  set trap-v1-status [disable|enable]
                  set trap-v1-lport {integer}
                  set trap-v1-rport {integer}
                  set trap-v2c-status [disable|enable]
                  set trap-v2c-lport {integer}
                  set trap-v2c-rport {integer}
                  set events {option1}, {option2}, ...
              next
          end
          set override-snmp-user [enable|disable]
          config snmp-user
              Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
              edit <name>
                  set queries [disable|enable]
                  set query-port {integer}
                  set security-level [no-auth-no-priv|auth-no-priv|...]
                  set auth-proto [md5|sha]
                  set auth-pwd {password}
                  set priv-proto [aes|des]
                  set priv-pwd {password}
              next
          end
          config switch-log
              Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
              set local-override [enable|disable]
              set status [enable|disable]
              set severity [emergency|alert|...]
          end
          config remote-log
              Description: Configure logging by FortiSwitch device to a remote syslog server.
              edit <name>
                  set status [enable|disable]
                  set server {string}
                  set port {integer}
                  set severity [emergency|alert|...]
                  set csv [enable|disable]
                  set facility [kernel|user|...]
              next
          end
          config storm-control
              Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
              set local-override [enable|disable]
              set rate {integer}
              set unknown-unicast [enable|disable]
              set unknown-multicast [enable|disable]
              set broadcast [enable|disable]
          end
          config mirror
              Description: Configuration method to edit FortiSwitch packet mirror.
              edit <name>
                  set status [active|inactive]
                  set switching-packet [enable|disable]
                  set dst {string}
                  set src-ingress <name1>, <name2>, ...
                  set src-egress <name1>, <name2>, ...
              next
          end
          config static-mac
              Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
              edit <id>
                  set type [static|sticky]
                  set vlan {string}
                  set mac {mac-address}
                  set interface {string}
                  set description {string}
              next
          end
          config custom-command
              Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
              edit <command-entry>
                  set command-name {string}
              next
          end
          config igmp-snooping
              Description: Configure FortiSwitch IGMP snooping global settings.
              set local-override [enable|disable]
              set aging-time {integer}
              set flood-unknown-multicast [enable|disable]
          end
          config 802-1X-settings
              Description: Configuration method to edit FortiSwitch 802.1X global settings.
              set local-override [enable|disable]
              set link-down-auth [set-unauth|no-action]
              set reauth-period {integer}
              set max-reauth-attempt {integer}
          end
      next
  end

config switch-controller managed-switch

Parameter Name Description Type Size
name Managed-switch name. string Maximum length: 35
description Description. string Maximum length: 63
switch-profile FortiSwitch profile. string Maximum length: 35
access-profile FortiSwitch access profile. string Maximum length: 31
fsw-wan1-peer FortiSwitch WAN1 peer port. string Maximum length: 35
fsw-wan1-admin FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.
discovered: Link waiting to be authorized.
disable: Link unauthorized.
enable: Link authorized.
option -
fsw-wan2-peer FortiSwitch WAN2 peer port. string Maximum length: 35
fsw-wan2-admin FortiSwitch WAN2 admin status; enable to authorize the FortiSwitch as a managed switch.
discovered: Link waiting to be authorized.
disable: Link unauthorized.
enable: Link authorized.
option -
poe-pre-standard-detection Enable/disable PoE pre-standard detection.
enable: Enable PoE pre-standard detection.
disable: Disable PoE pre-standard detection.
option -
poe-detection-type PoE detection type for FortiSwitch. integer Minimum value: 0 Maximum value: 255
poe-lldp-detection Enable/disable PoE LLDP detection.
enable: Enable PoE LLDP detection.
disable: Disable PoE LLDP detection.
option -
directly-connected Directly connected FortiSwitch. integer Minimum value: 0 Maximum value: 1
version FortiSwitch version. integer Minimum value: 0 Maximum value: 255
max-allowed-trunk-members FortiSwitch maximum allowed trunk members. integer Minimum value: 0 Maximum value: 255
pre-provisioned Pre-provisioned managed switch. integer Minimum value: 0 Maximum value: 255
dynamic-capability List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device. integer Minimum value: 0 Maximum value: 4294967295
switch-device-tag User definable label/tag. string Maximum length: 32
dynamically-discovered Dynamically discovered FortiSwitch. integer Minimum value: 0 Maximum value: 1
type Indication of switch type, physical or virtual.
virtual: Switch is of type virtual.
physical: Switch is of type physical.
option -
owner-vdom VDOM to which the owner of the port belongs. string Maximum length: 31
flow-identity Flow-tracking NetFlow and IPFIX switch identity in hex format (00000000-FFFFFFFF, default = 0). user Not Specified
staged-image-version Staged image version for FortiSwitch. string Maximum length: 127
delayed-restart-trigger Delayed restart triggered for this FortiSwitch. integer Minimum value: 0 Maximum value: 255
override-snmp-sysinfo Enable/disable overriding the global SNMP system information.
disable: Use the global SNMP system information.
enable: Override the global SNMP system information.
option -
override-snmp-trap-threshold Enable/disable overriding the global SNMP trap threshold values.
enable: Override the global SNMP trap threshold values.
disable: Use the global SNMP trap threshold values.
option -
override-snmp-community Enable/disable overriding the global SNMP communities.
enable: Override the global SNMP communities.
disable: Use the global SNMP communities.
option -
override-snmp-user Enable/disable overriding the global SNMP users.
enable: Override the global SNMPv3 users.
disable: Use the global SNMPv3 users.
option -

config ports

Parameter Name Description Type Size
port-owner Switch port name. string Maximum length: 15
switch-id Switch id. string Maximum length: 16
speed Switch port speed; default and available settings depend on hardware.
10half: 10M half-duplex.
10full: 10M full-duplex.
100half: 100M half-duplex.
100full: 100M full-duplex.
1000auto: Auto-negotiation (1G full-duplex only).
1000fiber: 1G full-duplex (fiber SFPs only)
1000full: 1G full-duplex
10000: 10G full-duplex
40000: 40G full-duplex
auto: Auto-negotiation.
auto-module: Auto Module.
100FX-half: 100Mbps half-duplex, 100Base-FX.
100FX-full: 100Mbps full-duplex, 100Base-FX.
100000full: 100Gbps full-duplex.
2500full: 2.5Gbps full-duplex.
25000full: 25Gbps full-duplex.
50000full: 50Gbps full-duplex.
10000cr: 10Gbps copper interface.
10000sr: 10Gbps SFI interface.
100000sr4: 100Gbps SFI interface.
100000cr4: 100Gbps copper interface.
25000cr4: 25Gbps copper interface.
25000sr4: 25Gbps SFI interface.
5000full: 5Gbps full-duplex.
option -
speed-mask Switch port speed mask. integer Minimum value: 0 Maximum value: 4294967295
status Switch port admin status: up or down.
up: Set admin status up.
down: Set admin status down.
option -
poe-status Enable/disable PoE status.
enable: Enable PoE status.
disable: Disable PoE status.
option -
poe-pre-standard-detection Enable/disable PoE pre-standard detection.
enable: Enable PoE pre-standard detection.
disable: Disable PoE pre-standard detection.
option -
port-number Port number. integer Minimum value: 1 Maximum value: 64
port-prefix-type Port prefix type. integer Minimum value: 0 Maximum value: 1
fortilink-port FortiLink uplink port. integer Minimum value: 0 Maximum value: 1
poe-capable PoE capable. integer Minimum value: 0 Maximum value: 1
stacking-port Stacking port. integer Minimum value: 0 Maximum value: 1
fiber-port Fiber-port. integer Minimum value: 0 Maximum value: 1
flags Port properties flags. integer Minimum value: 0 Maximum value: 4294967295
virtual-port Virtualized switch port. integer Minimum value: 0 Maximum value: 1
isl-local-trunk-name ISL local trunk name. string Maximum length: 15
isl-peer-port-name ISL peer port name. string Maximum length: 15
isl-peer-device-name ISL peer device name. string Maximum length: 16
fgt-peer-port-name FGT peer port name. string Maximum length: 15
fgt-peer-device-name FGT peer device name. string Maximum length: 16
vlan Assign switch ports to a VLAN. string Maximum length: 15
allowed-vlans-all Enable/disable all defined VLANs on this port.
enable: Enable all defined VLANs on this port.
disable: Disable all defined VLANs on this port.
option -
allowed-vlans <vlan-name> Configure switch port tagged VLANs.
VLAN name.
string Maximum length: 79
untagged-vlans <vlan-name> Configure switch port untagged VLANs.
VLAN name.
string Maximum length: 79
type Interface type: physical or trunk port.
physical: Physical port.
trunk: Trunk port.
option -
dhcp-snooping Trusted or untrusted DHCP-snooping interface.
untrusted: Untrusted DHCP snooping interface.
trusted: Trusted DHCP snooping interface.
option -
dhcp-snoop-option82-trust Enable/disable allowance of DHCP with option-82 on untrusted interface.
enable: Enable allowance of DHCP with option-82 on untrusted interface.
disable: Disable allowance of DHCP with option-82 on untrusted interface.
option -
arp-inspection-trust Trusted or untrusted dynamic ARP inspection.
untrusted: Untrusted dynamic ARP inspection.
trusted: Trusted dynamic ARP inspection.
option -
igmp-snooping Set IGMP snooping mode for the physical port interface.
enable: Interface takes part in IGMP snooping.
disable: Interface does not take part in IGMP snooping.
option -
igmps-flood-reports Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.
enable: Enable flooding of IGMP snooping reports to this interface.
disable: Disable flooding of IGMP snooping reports to this interface.
option -
igmps-flood-traffic Enable/disable flooding of IGMP snooping traffic to this interface.
enable: Enable flooding of IGMP snooping traffic to this interface.
disable: Disable flooding of IGMP snooping traffic to this interface.
option -
stp-state Enable/disable Spanning Tree Protocol (STP) on this interface.
enabled: Enable STP on this interface.
disabled: Disable STP on this interface.
option -
stp-root-guard Enable/disable STP root guard on this interface.
enabled: Enable STP root-guard on this interface.
disabled: Disable STP root-guard on this interface.
option -
stp-bpdu-guard Enable/disable STP BPDU guard on this interface.
enabled: Enable STP BPDU guard on this interface.
disabled: Disable STP BPDU guard on this interface.
option -
stp-bpdu-guard-timeout BPDU Guard disabling protection (0 - 120 min). integer Minimum value: 0 Maximum value: 120
edge-port Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.
enable: Enable this interface as an edge port.
disable: Disable this interface as an edge port.
option -
discard-mode Configure discard mode for port.
none: Discard disabled.
all-untagged: Discard all frames that are untagged.
all-tagged: Discard all frames that are tagged.
option -
packet-sampler Enable/disable packet sampling on this interface.
enabled: Enable packet sampling on this interface.
disabled: Disable packet sampling on this interface.
option -
packet-sample-rate Packet sampling rate (0 - 99999 p/sec). integer Minimum value: 0 Maximum value: 99999
sflow-counter-interval sFlow sampling counter polling interval (0 - 255 sec). integer Minimum value: 0 Maximum value: 255
sample-direction Packet sampling direction.
tx: Monitor transmitted traffic.
rx: Monitor received traffic.
both: Monitor transmitted and received traffic.
option -
loop-guard Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.
enabled: Enable loop-guard on this interface.
disabled: Disable loop-guard on this interface.
option -
loop-guard-timeout Loop-guard timeout (0 - 120 min, default = 45). integer Minimum value: 0 Maximum value: 120
qos-policy Switch controller QoS policy from available options. string Maximum length: 63
storm-control-policy Switch controller storm control policy from available options. string Maximum length: 63
port-security-policy Switch controller authentication policy to apply to this managed switch from available options. string Maximum length: 31
export-to-pool Switch controller export port to pool-list. string Maximum length: 35
export-tags <tag-name> Configure tag name for FortiSwitch port when exported.
FortiSwitch port tag name when exported.
string Maximum length: 63
export-to-pool-flag Switch controller export port to pool-list. integer Minimum value: 0 Maximum value: 1
learning-limit Limit the number of dynamic MAC addresses on this port (1 - 128; 0 = no limit, which is the default). integer Minimum value: 0 Maximum value: 128
sticky-mac Enable or disable sticky-mac on the interface.
enable: Enable sticky mac on the interface.
disable: Disable sticky mac on the interface.
option -
lldp-status LLDP transmit and receive status.
disable: Disable LLDP TX and RX.
rx-only: Enable LLDP as RX only.
tx-only: Enable LLDP as TX only.
tx-rx: Enable LLDP TX and RX.
option -
lldp-profile LLDP port TLV profile. string Maximum length: 63
export-to Export managed-switch port to a tenant VDOM. string Maximum length: 31
mac-addr Port/Trunk MAC. mac-address Not Specified
port-selection-criteria Algorithm for aggregate port selection.
src-mac: Source MAC address.
dst-mac: Destination MAC address.
src-dst-mac: Source and destination MAC address.
src-ip: Source IP address.
dst-ip: Destination IP address.
src-dst-ip: Source and destination IP address.
option -
description Description for port. string Maximum length: 63
lacp-speed Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).
slow: Send LACP message every 30 seconds.
fast: Send LACP message every second.
option -
mode LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.
static: Static aggregation, do not send and ignore any control messages.
lacp-passive: Passively use LACP to negotiate 802.3ad aggregation.
lacp-active: Actively use LACP to negotiate 802.3ad aggregation.
option -
bundle Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
enable: Enable bundling.
disable: Disable bundling.
option -
member-withdrawal-behavior Port behavior after it withdraws because of loss of control packets.
forward: Forward traffic.
block: Block traffic.
option -
mclag Enable/disable multi-chassis link aggregation (MCLAG).
enable: Enable MCLAG.
disable: Disable MCLAG.
option -
min-bundle Minimum size of LAG bundle (1 - 24, default = 1) integer Minimum value: 1 Maximum value: 24
max-bundle Maximum size of LAG bundle (1 - 24, default = 24) integer Minimum value: 1 Maximum value: 24
members <member-name> Aggregated LAG bundle interfaces.
Interface name from available options.
string Maximum length: 79

config stp-settings

Parameter Name Description Type Size
local-override Enable to configure local STP settings that override global STP settings.
enable: Override global STP settings.
disable: Use global STP settings.
option -
name Name of local STP settings configuration. string Maximum length: 31
status Enable/disable STP.
enable: Enable STP.
disable: Disable STP.
option -
revision STP revision number (0 - 65535). integer Minimum value: 0 Maximum value: 65535
hello-time Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2). integer Minimum value: 1 Maximum value: 10
forward-time Period of time a port is in listening and learning state (4 - 30 sec, default = 15). integer Minimum value: 4 Maximum value: 30
max-age Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20). integer Minimum value: 6 Maximum value: 40
max-hops Maximum number of hops between the root bridge and the furthest bridge (1 - 40, default = 20). integer Minimum value: 1 Maximum value: 40
pending-timer Pending time (1 - 15 sec, default = 4). integer Minimum value: 1 Maximum value: 15

config switch-stp-settings

Parameter Name Description Type Size
status Enable/disable STP.
enable: Enable STP.
disable: Disable STP.
option -

config stp-instance

Parameter Name Description Type Size
priority Priority.
0: 0.
4096: 4096.
8192: 8192.
12288: 12288.
16384: 16384.
20480: 20480.
24576: 24576.
28672: 28672.
32768: 32768.
36864: 36864.
40960: 40960.
45056: 45056.
49152: 49152.
53248: 53248.
57344: 57344.
61440: 61440.
option -

config snmp-sysinfo

Parameter Name Description Type Size
status Enable/disable SNMP.
disable: Disable SNMP.
enable: Enable SNMP.
option -
engine-id Local SNMP engine ID string (max 24 char). string Maximum length: 24
description System description. string Maximum length: 35
contact-info Contact information. string Maximum length: 35
location System location. string Maximum length: 35

config snmp-trap-threshold

Parameter Name Description Type Size
trap-high-cpu-threshold CPU usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295
trap-low-memory-threshold Memory usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295
trap-log-full-threshold Log disk usage when trap is sent. integer Minimum value: 0 Maximum value: 4294967295

config snmp-community

Parameter Name Description Type Size
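name SNMP community name. SNMP v1 and v2c carry the community name unencrypted, so it should be treated as a weak shared secret. string Maximum length: 35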
status Enable/disable this SNMP community.
disable: Disable SNMP community.
enable: Enable SNMP community.
option -
query-v1-status Enable/disable SNMP v1 queries.
disable: Disable SNMP v1 queries.
enable: Enable SNMP v1 queries.
option -
query-v1-port SNMP v1 query port (default = 161). integer Minimum value: 0 Maximum value: 65535
query-v2c-status Enable/disable SNMP v2c queries.
disable: Disable SNMP v2c queries.
enable: Enable SNMP v2c queries.
option -
query-v2c-port SNMP v2c query port (default = 161). integer Minimum value: 0 Maximum value: 65535
trap-v1-status Enable/disable SNMP v1 traps.
disable: Disable SNMP v1 traps.
enable: Enable SNMP v1 traps.
option -
trap-v1-lport SNMP v1 trap local port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v1-rport SNMP v1 trap remote port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v2c-status Enable/disable SNMP v2c traps.
disable: Disable SNMP v2c traps.
enable: Enable SNMP v2c traps.
option -
trap-v2c-lport SNMP v2c trap local port (default = 162). integer Minimum value: 0 Maximum value: 65535
trap-v2c-rport SNMP v2c trap remote port (default = 162). integer Minimum value: 0 Maximum value: 65535
events SNMP notifications (traps) to send.
cpu-high: Send a trap when CPU usage too high.
mem-low: Send a trap when available memory is low.
log-full: Send a trap when log disk space becomes low.
intf-ip: Send a trap when an interface IP address is changed.
ent-conf-change: Send a trap when an entity MIB change occurs (RFC4133).
option -

config hosts

Parameter Name Description Type Size
ip IPv4 address of the SNMP manager (host). user Not Specified

config snmp-user

Parameter Name Description Type Size
queries Enable/disable SNMP queries for this user.
disable: Disable SNMP queries for this user.
enable: Enable SNMP queries for this user.
option -
query-port SNMPv3 query port (default = 161). integer Minimum value: 0 Maximum value: 65535
security-level Security level for message authentication and encryption. Of the three options, only auth-priv both authenticates and encrypts SNMPv3 messages.
no-auth-no-priv: Message with no authentication and no privacy (encryption).
auth-no-priv: Message with authentication but no privacy (encryption).
auth-priv: Message with authentication and privacy (encryption).
option -
auth-proto Authentication protocol.
md5: HMAC-MD5-96 authentication protocol (MD5 is a legacy hash; sha is the stronger of the two options).
sha: HMAC-SHA-96 authentication protocol.
option -
auth-pwd Password for authentication protocol. password Not Specified
priv-proto Privacy (encryption) protocol.
aes: CFB128-AES-128 symmetric encryption protocol.
des: CBC-DES symmetric encryption protocol (DES is a legacy 56-bit cipher; aes is the stronger of the two options).
option -
priv-pwd Password for privacy (encryption) protocol. password Not Specified

config switch-log

Parameter Name Description Type Size
local-override Enable to configure local logging settings that override global logging settings.
enable: Override global logging settings.
disable: Use global logging settings.
option -
status Enable/disable adding FortiSwitch logs to the FortiGate event log.
enable: Add FortiSwitch logs to the FortiGate event log.
disable: Do not add FortiSwitch logs to the FortiGate event log.
option -
severity Severity of FortiSwitch logs that are added to the FortiGate event log.
emergency: Emergency level.
alert: Alert level.
critical: Critical level.
error: Error level.
warning: Warning level.
notification: Notification level.
information: Information level.
debug: Debug level.
option -

config remote-log

Parameter Name Description Type Size
status Enable/disable logging by FortiSwitch device to a remote syslog server.
enable: Enable logging by FortiSwitch device to a remote syslog server.
disable: Disable logging by FortiSwitch device to a remote syslog server.
option -
server IPv4 address of the remote syslog server. string Maximum length: 63
port Remote syslog server listening port. integer Minimum value: 0 Maximum value: 65535
severity Severity of logs to be transferred to remote log server.
emergency: Emergency level.
alert: Alert level.
critical: Critical level.
error: Error level.
warning: Warning level.
notification: Notification level.
information: Information level.
debug: Debug level.
option -
csv Enable/disable comma-separated value (CSV) strings.
enable: Enable comma-separated value (CSV) strings.
disable: Disable comma-separated value (CSV) strings.
option -
facility Facility to log to remote syslog server.
kernel: Kernel messages.
user: Random user-level messages.
mail: Mail system.
daemon: System daemons.
auth: Security/authorization messages.
syslog: Messages generated internally by syslogd.
lpr: Line printer subsystem.
news: Network news subsystem.
uucp: UUCP server messages.
cron: Clock daemon.
authpriv: Security/authorization messages (private).
ftp: FTP daemon.
ntp: NTP daemon.
audit: Log audit.
alert: Log alert.
clock: Clock daemon.
local0: Reserved for local use.
local1: Reserved for local use.
local2: Reserved for local use.
local3: Reserved for local use.
local4: Reserved for local use.
local5: Reserved for local use.
local6: Reserved for local use.
local7: Reserved for local use.
option -

config storm-control

Parameter Name Description Type Size
local-override Enable to override global FortiSwitch storm control settings for this FortiSwitch.
enable: Override global storm control settings.
disable: Use global storm control settings.
option -
rate Rate in packets per second at which storm traffic is controlled (1 - 10000000, default = 500). Storm control drops excess traffic data rates beyond this threshold. integer Minimum value: 1 Maximum value: 10000000
unknown-unicast Enable/disable storm control to drop unknown unicast traffic.
enable: Drop unknown unicast traffic.
disable: Allow unknown unicast traffic.
option -
unknown-multicast Enable/disable storm control to drop unknown multicast traffic.
enable: Drop unknown multicast traffic.
disable: Allow unknown multicast traffic.
option -
broadcast Enable/disable storm control to drop broadcast traffic.
enable: Drop broadcast traffic.
disable: Allow broadcast traffic.
option -

config mirror

Parameter Name Description Type Size
status Active/inactive mirror configuration.
active: Activate mirror configuration.
inactive: Deactivate mirror configuration.
option -
switching-packet Enable/disable switching functionality when mirroring.
enable: Enable switching functionality when mirroring.
disable: Disable switching functionality when mirroring.
option -
dst Destination port. string Maximum length: 63
src-ingress <name> Source ingress interfaces.
Interface name.
string Maximum length: 79
src-egress <name> Source egress interfaces.
Interface name.
string Maximum length: 79

config static-mac

Parameter Name Description Type Size
type Type.
static: Static MAC.
sticky: Sticky MAC.
option -
vlan Vlan. string Maximum length: 15
mac MAC address. mac-address Not Specified
interface Interface name. string Maximum length: 35
description Description. string Maximum length: 63

config custom-command

Parameter Name Description Type Size
command-name Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command. string Maximum length: 35

config igmp-snooping

Parameter Name Description Type Size
local-override Enable/disable overriding the global IGMP snooping configuration.
enable: Override the global IGMP snooping configuration.
disable: Use the global IGMP snooping configuration.
option -
aging-time Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300). integer Minimum value: 15 Maximum value: 3600
flood-unknown-multicast Enable/disable unknown multicast flooding.
enable: Enable unknown multicast flooding.
disable: Disable unknown multicast flooding.
option -

config 802-1X-settings

Parameter Name Description Type Size
local-override Enable to override global 802.1X settings on individual FortiSwitches.
enable: Override global 802.1X settings.
disable: Use global 802.1X settings.
option -
link-down-auth Authentication state to set if a link is down.
set-unauth: Interface set to unauth when down. Reauthentication is needed.
no-action: Interface reauthentication is not needed.
option -
reauth-period Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable). integer Minimum value: 1 Maximum value: 1440
max-reauth-attempt Maximum number of authentication attempts (0 - 15, default = 3). integer Minimum value: 0 Maximum value: 15