config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch

Description: Configure FortiSwitch devices that are managed by this FortiGate.

edit <switch-id>

set name {string}

set description {string}

set switch-profile {string}

set access-profile {string}

set fsw-wan1-peer {string}

set fsw-wan1-admin [discovered|disable|...]

set poe-pre-standard-detection [enable|disable]

set poe-detection-type {integer}

set poe-lldp-detection [enable|disable]

set directly-connected {integer}

set version {integer}

set pre-provisioned {integer}

set dynamic-capability {integer}

set switch-device-tag {string}

set mclag-igmp-snooping-aware [enable|disable]

set dynamically-discovered {integer}

set type [virtual|physical]

set owner-vdom {string}

set flow-identity {user}

set staged-image-version {string}

set delayed-restart-trigger {integer}

config ports

Description: Managed-switch port list.

edit <port-name>

set port-owner {string}

set switch-id {string}

set speed [10half|10full|...]

set status [up|down]

set poe-status [enable|disable]

set poe-pre-standard-detection [enable|disable]

set port-number {integer}

set port-prefix-type {integer}

set fortilink-port {integer}

set poe-capable {integer}

set stacking-port {integer}

set fiber-port {integer}

set flags {integer}

set isl-local-trunk-name {string}

set isl-peer-port-name {string}

set isl-peer-device-name {string}

set fgt-peer-port-name {string}

set fgt-peer-device-name {string}

set vlan {string}

set allowed-vlans-all [enable|disable]

set allowed-vlans <vlan-name1>, <vlan-name2>, ...

set untagged-vlans <vlan-name1>, <vlan-name2>, ...

set type [physical|trunk]

set dhcp-snooping [untrusted|trusted]

set dhcp-snoop-option82-trust [enable|disable]

set arp-inspection-trust [untrusted|trusted]

set igmp-snooping [enable|disable]

set igmps-flood-reports [enable|disable]

set igmps-flood-traffic [enable|disable]

set stp-state [enabled|disabled]

set stp-root-guard [enabled|disabled]

set stp-bpdu-guard [enabled|disabled]

set stp-bpdu-guard-timeout {integer}

set edge-port [enable|disable]

set discard-mode [none|all-untagged|...]

set packet-sampler [enabled|disabled]

set packet-sample-rate {integer}

set sflow-counter-interval {integer}

set sample-direction [tx|rx|...]

set loop-guard [enabled|disabled]

set loop-guard-timeout {integer}

set qos-policy {string}

set storm-control-policy {string}

set port-security-policy {string}

set export-to-pool {string}

set export-tags <tag-name1>, <tag-name2>, ...

set learning-limit {integer}

set sticky-mac [enable|disable]

set lldp-status [disable|rx-only|...]

set lldp-profile {string}

set export-to {string}

set mac-addr {mac-address}

set port-selection-criteria [src-mac|dst-mac|...]

set description {string}

set lacp-speed [slow|fast]

set mode [static|lacp-passive|...]

set bundle [enable|disable]

set member-withdrawal-behavior [forward|block]

set mclag [enable|disable]

set min-bundle {integer}

set max-bundle {integer}

set members <member-name1>, <member-name2>, ...

next

end

config stp-settings

Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.

set local-override [enable|disable]

set name {string}

set revision {integer}

set hello-time {integer}

set forward-time {integer}

set max-age {integer}

set max-hops {integer}

set pending-timer {integer}

end

config stp-instance

Description: Configuration method to edit Spanning Tree Protocol (STP) instances.

edit <id>

set priority [0|4096|...]

next

end

set override-snmp-sysinfo [disable|enable]

config snmp-sysinfo

Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.

set status [disable|enable]

set engine-id {string}

set description {string}

set contact-info {string}

set location {string}

end

set override-snmp-trap-threshold [enable|disable]

config snmp-trap-threshold

Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.

set trap-high-cpu-threshold {integer}

set trap-low-memory-threshold {integer}

set trap-log-full-threshold {integer}

end

set override-snmp-community [enable|disable]

config snmp-community

Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.

edit <id>

set name {string}

set status [disable|enable]

config hosts

Description: Configure IPv4 SNMP managers (hosts).

edit <id>

set ip {user}

next

end

set query-v1-status [disable|enable]

set query-v1-port {integer}

set query-v2c-status [disable|enable]

set query-v2c-port {integer}

set trap-v1-status [disable|enable]

set trap-v1-lport {integer}

set trap-v1-rport {integer}

set trap-v2c-status [disable|enable]

set trap-v2c-lport {integer}

set trap-v2c-rport {integer}

set events {option1}, {option2}, ...

next

end

set override-snmp-user [enable|disable]

config snmp-user

Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.

edit <name>

set queries [disable|enable]

set query-port {integer}

set security-level [no-auth-no-priv|auth-no-priv|...]

set auth-proto [md5|sha]

set auth-pwd {password}

set priv-proto [aes|des]

set priv-pwd {password}

next

end

config switch-log

Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).

set local-override [enable|disable]

set status [enable|disable]

set severity [emergency|alert|...]

end

config remote-log

Description: Configure logging by FortiSwitch device to a remote syslog server.

edit <name>

set status [enable|disable]

set server {string}

set port {integer}

set severity [emergency|alert|...]

set csv [enable|disable]

set facility [kernel|user|...]

next

end

config storm-control

Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.

set local-override [enable|disable]

set rate {integer}

set unknown-unicast [enable|disable]

set unknown-multicast [enable|disable]

set broadcast [enable|disable]

end

config mirror

Description: Configuration method to edit FortiSwitch packet mirror.

edit <name>

set status [active|inactive]

set switching-packet [enable|disable]

set dst {string}

set src-ingress <name1>, <name2>, ...

set src-egress <name1>, <name2>, ...

next

end

config static-mac

Description: Configuration method to edit FortiSwitch Static and Sticky MAC.

edit <id>

set type [static|sticky]

set vlan {string}

set mac {mac-address}

set interface {string}

set description {string}

next

end

config custom-command

Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.

edit <command-entry>

set command-name {string}

next

end

config igmp-snooping

Description: Configure FortiSwitch IGMP snooping global settings.

set local-override [enable|disable]

set aging-time {integer}

set flood-unknown-multicast [enable|disable]

end

config 802-1X-settings

Description: Configuration method to edit FortiSwitch 802.1X global settings.

set local-override [enable|disable]

set link-down-auth [set-unauth|no-action]

set reauth-period {integer}

set max-reauth-attempt {integer}

end

next

end

config switch-controller managed-switch

Parameter name

Description

Type

Size

name

Managed-switch name.

string

Maximum length: 35

description

Description.

string

Maximum length: 63

switch-profile

FortiSwitch profile.

string

Maximum length: 35

access-profile

FortiSwitch access profile.

string

Maximum length: 31

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

-

 

Option

Description

discovered

Link waiting to be authorized.

disable

Link unauthorized.

enable

Link authorized.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

poe-detection-type

PoE detection type for FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

poe-lldp-detection

Enable/disable PoE LLDP detection.

option

-

 

Option

Description

enable

Enable PoE LLDP detection.

disable

Disable PoE LLDP detection.

directly-connected

Directly connected FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

integer

Minimum value: 0 Maximum value: 4294967295

switch-device-tag

User definable label/tag.

string

Maximum length: 32

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

-

 

Option

Description

enable

Enable MCLAG IGMP-snooping awareness.

disable

Disable MCLAG IGMP-snooping awareness.

dynamically-discovered

Dynamically discovered FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

type

Indication of switch type, physical or virtual.

option

-

 

Option

Description

virtual

Switch is of type virtual.

physical

Switch is of type physical.

owner-vdom

VDOM to which the owner of the port belongs.

string

Maximum length: 31

flow-identity

Flow-tracking NetFlow/IPFIX switch identity in hex format (00000000-FFFFFFFF, default=0).

user

Not Specified

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

-

 

Option

Description

disable

Use the global SNMP system information.

enable

Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

-

 

Option

Description

enable

Override the global SNMP trap threshold values.

disable

Use the global SNMP trap threshold values.

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

-

 

Option

Description

enable

Override the global SNMP communities.

disable

Use the global SNMP communities.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

-

 

Option

Description

enable

Override the global SNMPv3 users.

disable

Use the global SNMPv3 users.

config ports

Parameter name

Description

Type

Size

port-owner

Switch port name.

string

Maximum length: 15

switch-id

Switch id.

string

Maximum length: 16

speed

Switch port speed; default and available settings depend on hardware.

option

-

 

Option

Description

10half

10M half-duplex.

10full

10M full-duplex.

100half

100M half-duplex.

100full

100M full-duplex.

1000auto

Auto-negotiation (1G full-duplex only).

1000fiber

1G full-duplex (fiber SFPs only)

1000full

1G full-duplex

10000

10G full-duplex

40000

40G full-duplex

auto

Auto-negotiation.

auto-module

Auto Module.

100FX-half

100Mbps half-duplex. 100Base-FX.

100FX-full

100Mbps full-duplex. 100Base-FX.

100000full

100Gbps full-duplex.

2500auto

Auto-Negotiation (2.5Gbps Only).

25000full

25Gbps full-duplex.

50000full

50Gbps full-duplex.

10000cr

10Gbps copper interface.

10000sr

10Gbps SFI interface.

100000sr4

100Gbps SFI interface.

100000cr4

100Gbps copper interface.

25000cr4

25Gbps copper interface.

25000sr4

25Gbps SFI interface.

5000full

5Gbps full-duplex.

status

Switch port admin status: up or down.

option

-

 

Option

Description

up

Set admin status up.

down

Set admin status down.

poe-status

Enable/disable PoE status.

option

-

 

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

port-number

Port number.

integer

Minimum value: 1 Maximum value: 64

port-prefix-type

Port prefix type.

integer

Minimum value: 0 Maximum value: 1

fortilink-port

FortiLink uplink port.

integer

Minimum value: 0 Maximum value: 1

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

stacking-port

Stacking port.

integer

Minimum value: 0 Maximum value: 1

fiber-port

Fiber-port.

integer

Minimum value: 0 Maximum value: 1

flags

Port properties flags.

integer

Minimum value: 0 Maximum value: 4294967295

isl-local-trunk-name

ISL local trunk name.

string

Maximum length: 15

isl-peer-port-name

ISL peer port name.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name.

string

Maximum length: 16

fgt-peer-port-name

FGT peer port name.

string

Maximum length: 15

fgt-peer-device-name

FGT peer device name.

string

Maximum length: 16

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

allowed-vlans-all

Enable/disable all defined VLANs on this port.

option

-

 

Option

Description

enable

Enable all defined VLANs on this port.

disable

Disable all defined VLANs on this port.

allowed-vlans <vlan-name>

Configure switch port tagged vlans

VLAN name.

string

Maximum length: 79

untagged-vlans <vlan-name>

Configure switch port untagged vlans

VLAN name.

string

Maximum length: 79

type

Interface type: physical or trunk port.

option

-

 

Option

Description

physical

Physical port.

trunk

Trunk port.

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

-

 

Option

Description

untrusted

Untrusted DHCP snooping interface.

trusted

Trusted DHCP snooping interface.

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

-

 

Option

Description

enable

Enable allowance of DHCP with option-82 on untrusted interface.

disable

Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

-

 

Option

Description

untrusted

Untrusted dynamic ARP inspection.

trusted

Trusted dynamic ARP inspection.

igmp-snooping

Set IGMP snooping mode for the physical port interface.

option

-

 

Option

Description

enable

Interface takes part in IGMP snooping.

disable

Interface does not take part in IGMP snooping.

igmps-flood-reports

Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.

option

-

 

Option

Description

enable

Enable flooding of IGMP snooping reports to this interface.

disable

Disable flooding of IGMP snooping reports to this interface.

igmps-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

-

 

Option

Description

enable

Enable flooding of IGMP snooping traffic to this interface.

disable

Disable flooding of IGMP snooping traffic to this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

-

 

Option

Description

enabled

Enable STP on this interface.

disabled

Disable STP on this interface.

stp-root-guard

Enable/disable STP root guard on this interface.

option

-

 

Option

Description

enabled

Enable STP root-guard on this interface.

disabled

Disable STP root-guard on this interface.

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

-

 

Option

Description

enabled

Enable STP BPDU guard on this interface.

disabled

Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection (0 - 120 min).

integer

Minimum value: 0 Maximum value: 120

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

-

 

Option

Description

enable

Enable this interface as an edge port.

disable

Disable this interface as an edge port.

discard-mode

Configure discard mode for port.

option

-

 

Option

Description

none

Discard disabled.

all-untagged

Discard all frames that are untagged.

all-tagged

Discard all frames that are tagged.

packet-sampler

Enable/disable packet sampling on this interface.

option

-

 

Option

Description

enabled

Enable packet sampling on this interface.

disabled

Disable packet sampling on this interface.

packet-sample-rate

Packet sampling rate (0 - 99999 p/sec).

integer

Minimum value: 0 Maximum value: 99999

sflow-counter-interval

sFlow sampling counter polling interval (0 - 255 sec).

integer

Minimum value: 0 Maximum value: 255

sample-direction

Packet sampling direction.

option

-

 

Option

Description

tx

Monitor transmitted traffic.

rx

Monitor received traffic.

both

Monitor transmitted and received traffic.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

-

 

Option

Description

enabled

Enable loop-guard on this interface.

disabled

Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout (0 - 120 min, default = 45).

integer

Minimum value: 0 Maximum value: 120

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

export-tags <tag-name>

Configure export tag(s) for FortiSwitch port when exported to a virtual pool.

FortiSwitch port tag name when exported to a virtual pool.

string

Maximum length: 63

learning-limit

Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).

integer

Minimum value: 0 Maximum value: 128

sticky-mac

Enable or disable sticky-mac on the interface.

option

-

 

Option

Description

enable

Enable sticky mac on the interface.

disable

Disable sticky mac on the interface.

lldp-status

LLDP transmit and receive status.

option

-

 

Option

Description

disable

Disable LLDP TX and RX.

rx-only

Enable LLDP as RX only.

tx-only

Enable LLDP as TX only.

tx-rx

Enable LLDP TX and RX.

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

port-selection-criteria

Algorithm for aggregate port selection.

option

-

 

Option

Description

src-mac

Source MAC address.

dst-mac

Destination MAC address.

src-dst-mac

Source and destination MAC address.

src-ip

Source IP address.

dst-ip

Destination IP address.

src-dst-ip

Source and destination IP address.

description

Description for port.

string

Maximum length: 63

lacp-speed

Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).

option

-

 

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

mode

LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.

option

-

 

Option

Description

static

Static aggregation, do not send and ignore any control messages.

lacp-passive

Passively use LACP to negotiate 802.3ad aggregation.

lacp-active

Actively use LACP to negotiate 802.3ad aggregation.

bundle

Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.

option

-

 

Option

Description

enable

Enable bundling.

disable

Disable bundling.

member-withdrawal-behavior

Port behavior after it withdraws because of loss of control packets.

option

-

 

Option

Description

forward

Forward traffic.

block

Block traffic.

mclag

Enable/disable multi-chassis link aggregation (MCLAG).

option

-

 

Option

Description

enable

Enable MCLAG.

disable

Disable MCLAG.

min-bundle

Minimum size of LAG bundle (1 - 24, default = 1)

integer

Minimum value: 1 Maximum value: 24

max-bundle

Maximum size of LAG bundle (1 - 24, default = 24)

integer

Minimum value: 1 Maximum value: 24

members <member-name>

Aggregated LAG bundle interfaces.

Interface name from available options.

string

Maximum length: 79

config stp-settings

Parameter name

Description

Type

Size

local-override

Enable to configure local STP settings that override global STP settings.

option

-

 

Option

Description

enable

Override global STP settings.

disable

Use global STP settings.

name

Name of local STP settings configuration.

string

Maximum length: 31

revision

STP revision number (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

hello-time

Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2).

integer

Minimum value: 1 Maximum value: 10

forward-time

Period of time a port is in listening and learning state (4 - 30 sec, default = 15).

integer

Minimum value: 4 Maximum value: 30

max-age

Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20).

integer

Minimum value: 6 Maximum value: 40

max-hops

Maximum number of hops between the root bridge and the furthest bridge (1 - 40, default = 20).

integer

Minimum value: 1 Maximum value: 40

pending-timer

Pending time (1 - 15 sec, default = 4).

integer

Minimum value: 1 Maximum value: 15

config stp-instance

Parameter name

Description

Type

Size

priority

Priority.

option

-

 

Option

Description

0

0.

4096

4096.

8192

8192.

12288

12288.

16384

16384.

20480

20480.

24576

24576.

28672

28672.

32768

32768.

36864

36864.

40960

40960.

45056

45056.

49152

49152.