config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch

Description: Configure FortiSwitch devices that are managed by this FortiGate.

edit <switch-id>

set name {string}

set description {string}

set switch-profile {string}

set access-profile {string}

set fsw-wan1-peer {string}

set fsw-wan1-admin [discovered|disable|...]

set poe-pre-standard-detection [enable|disable]

set poe-detection-type {integer}

set directly-connected {integer}

set version {integer}

set max-allowed-trunk-members {integer}

set pre-provisioned {integer}

set l3-discovered {integer}

set tdr-supported {string}

set dynamic-capability {user}

set switch-device-tag {string}

set switch-dhcp_opt43_key {string}

set mclag-igmp-snooping-aware [enable|disable]

set dynamically-discovered {integer}

set type [virtual|physical]

set owner-vdom {string}

set flow-identity {user}

set staged-image-version {string}

set delayed-restart-trigger {integer}

config ports

Description: Managed-switch port list.

edit <port-name>

set port-owner {string}

set switch-id {string}

set speed [10half|10full|...]

set status [up|down]

set poe-status [enable|disable]

set ip-source-guard [disable|enable]

set ptp-policy {string}

set aggregator-mode [bandwidth|count]

set rpvst-port [disabled|enabled]

set poe-pre-standard-detection [enable|disable]

set port-number {integer}

set port-prefix-type {integer}

set fortilink-port {integer}

set poe-capable {integer}

set stacking-port {integer}

set p2p-port {integer}

set mclag-icl-port {integer}

set fiber-port {integer}

set media-type {string}

set flags {integer}

set isl-local-trunk-name {string}

set isl-peer-port-name {string}

set isl-peer-device-name {string}

set fgt-peer-port-name {string}

set fgt-peer-device-name {string}

set vlan {string}

set allowed-vlans-all [enable|disable]

set allowed-vlans <vlan-name1>, <vlan-name2>, ...

set untagged-vlans <vlan-name1>, <vlan-name2>, ...

set type [physical|trunk]

set access-mode [normal|nac]

set dhcp-snooping [untrusted|trusted]

set dhcp-snoop-option82-trust [enable|disable]

set arp-inspection-trust [untrusted|trusted]

set igmps-flood-reports [enable|disable]

set igmps-flood-traffic [enable|disable]

set stp-state [enabled|disabled]

set stp-root-guard [enabled|disabled]

set stp-bpdu-guard [enabled|disabled]

set stp-bpdu-guard-timeout {integer}

set edge-port [enable|disable]

set discard-mode [none|all-untagged|...]

set packet-sampler [enabled|disabled]

set packet-sample-rate {integer}

set sflow-counter-interval {integer}

set sample-direction [tx|rx|...]

set flow-control [disable|tx|...]

set pause-meter {integer}

set pause-meter-resume [75%|50%|...]

set loop-guard [enabled|disabled]

set loop-guard-timeout {integer}

set qos-policy {string}

set storm-control-policy {string}

set port-security-policy {string}

set export-to-pool {string}

set export-tags <tag-name1>, <tag-name2>, ...

set learning-limit {integer}

set sticky-mac [enable|disable]

set lldp-status [disable|rx-only|...]

set lldp-profile {string}

set export-to {string}

set mac-addr {mac-address}

set port-selection-criteria [src-mac|dst-mac|...]

set description {string}

set lacp-speed [slow|fast]

set mode [static|lacp-passive|...]

set bundle [enable|disable]

set member-withdrawal-behavior [forward|block]

set mclag [enable|disable]

set min-bundle {integer}

set max-bundle {integer}

set members <member-name1>, <member-name2>, ...

next

end

config ip-source-guard

Description: IP source guard.

edit <port>

set description {string}

config binding-entry

Description: IP and MAC address configuration.

edit <entry-name>

set ip {ipv4-address-any}

set mac {mac-address}

next

end

next

end

config stp-settings

Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.

set local-override [enable|disable]

set name {string}

set revision {integer}

set hello-time {integer}

set forward-time {integer}

set max-age {integer}

set max-hops {integer}

set pending-timer {integer}

end

config stp-instance

Description: Configuration method to edit Spanning Tree Protocol (STP) instances.

edit <id>

set priority [0|4096|...]

next

end

set override-snmp-sysinfo [disable|enable]

config snmp-sysinfo

Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.

set status [disable|enable]

set engine-id {string}

set description {string}

set contact-info {string}

set location {string}

end

set override-snmp-trap-threshold [enable|disable]

config snmp-trap-threshold

Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.

set trap-high-cpu-threshold {integer}

set trap-low-memory-threshold {integer}

set trap-log-full-threshold {integer}

end

set override-snmp-community [enable|disable]

config snmp-community

Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.

edit <id>

set name {string}

set status [disable|enable]

config hosts

Description: Configure IPv4 SNMP managers (hosts).

edit <id>

set ip {user}

next

end

set query-v1-status [disable|enable]

set query-v1-port {integer}

set query-v2c-status [disable|enable]

set query-v2c-port {integer}

set trap-v1-status [disable|enable]

set trap-v1-lport {integer}

set trap-v1-rport {integer}

set trap-v2c-status [disable|enable]

set trap-v2c-lport {integer}

set trap-v2c-rport {integer}

set events {option1}, {option2}, ...

next

end

set override-snmp-user [enable|disable]

config snmp-user

Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.

edit <name>

set queries [disable|enable]

set query-port {integer}

set security-level [no-auth-no-priv|auth-no-priv|...]

set auth-proto [md5|sha]

set auth-pwd {password}

set priv-proto [aes|des]

set priv-pwd {password}

next

end

set qos-drop-policy [taildrop|random-early-detection]

set qos-red-probability {integer}

config switch-log

Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).

set local-override [enable|disable]

set status [enable|disable]

set severity [emergency|alert|...]

end

config remote-log

Description: Configure logging by FortiSwitch device to a remote syslog server.

edit <name>

set status [enable|disable]

set server {string}

set port {integer}

set severity [emergency|alert|...]

set csv [enable|disable]

set facility [kernel|user|...]

next

end

config storm-control

Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.

set local-override [enable|disable]

set rate {integer}

set unknown-unicast [enable|disable]

set unknown-multicast [enable|disable]

set broadcast [enable|disable]

end

config mirror

Description: Configuration method to edit FortiSwitch packet mirror.

edit <name>

set status [active|inactive]

set switching-packet [enable|disable]

set dst {string}

set src-ingress <name1>, <name2>, ...

set src-egress <name1>, <name2>, ...

next

end

config static-mac

Description: Configuration method to edit FortiSwitch Static and Sticky MAC.

edit <id>

set type [static|sticky]

set vlan {string}

set mac {mac-address}

set interface {string}

set description {string}

next

end

config custom-command

Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.

edit <command-entry>

set command-name {string}

next

end

config igmp-snooping

Description: Configure FortiSwitch IGMP snooping global settings.

set local-override [enable|disable]

set aging-time {integer}

set flood-unknown-multicast [enable|disable]

end

config 802-1X-settings

Description: Configuration method to edit FortiSwitch 802.1X global settings.

set local-override [enable|disable]

set link-down-auth [set-unauth|no-action]

set reauth-period {integer}

set max-reauth-attempt {integer}

set tx-period {integer}

end

next

end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

name

Managed-switch name.

string

Maximum length: 35

description

Description.

string

Maximum length: 63

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

-

discovered

 

Option

Description

discovered

Link waiting to be authorized.

disable

Link unauthorized.

enable

Link authorized.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

poe-detection-type

PoE detection type for FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

directly-connected

Directly connected FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

0

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

0

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

0

l3-discovered

Layer 3 management discovered.

integer

Minimum value: 0 Maximum value: 1

0

tdr-supported

TDR supported.

string

Maximum length: 31

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

-

enable

 

Option

Description

enable

Enable MCLAG IGMP-snooping awareness.

disable

Disable MCLAG IGMP-snooping awareness.

dynamically-discovered

Dynamically discovered FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

type

Indication of switch type, physical or virtual.

option

-

physical

 

Option

Description

virtual

Switch is of type virtual.

physical

Switch is of type physical.

owner-vdom

VDOM to which the owner of the port belongs.

string

Maximum length: 31

flow-identity

Flow-tracking NetFlow/IPFIX switch identity in hex format.

user

Not Specified

00000000

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

-

disable

 

Option

Description

disable

Use the global SNMP system information.

enable

Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

-

disable

 

Option

Description

enable

Override the global SNMP trap threshold values.

disable

Use the global SNMP trap threshold values.

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

-

disable

 

Option

Description

enable

Override the global SNMP communities.

disable

Use the global SNMP communities.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

-

disable

 

Option

Description

enable

Override the global SNMPv3 users.

disable

Use the global SNMPv3 users.

qos-drop-policy

Set QoS drop-policy.

option

-

taildrop

 

Option

Description

taildrop

Taildrop policy.

random-early-detection

Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

12

config ports

Parameter

Description

Type

Size

Default

port-owner

Switch port name.

string

Maximum length: 15

switch-id

Switch id.

string

Maximum length: 16

speed

Switch port speed; default and available settings depend on hardware.

option

-

auto

 

Option

Description

10half

10M half-duplex.

10full

10M full-duplex.

100half

100M half-duplex.

100full

100M full-duplex.

1000auto

Auto-negotiation (1G full-duplex only).

1000fiber

1G full-duplex (fiber SFPs only)

1000full

1G full-duplex

10000

10G full-duplex

40000

40G full-duplex

auto

Auto-negotiation.

auto-module

Auto Module.

100FX-half

100Mbps half-duplex. 100Base-FX.

100FX-full

100Mbps full-duplex. 100Base-FX.

100000full

100Gbps full-duplex.

2500auto

Auto-Negotiation (2.5Gbps Only).

25000full

25Gbps full-duplex.

50000full

50Gbps full-duplex.

10000cr

10Gbps copper interface.

10000sr

10Gbps SFI interface.

100000sr4

100Gbps SFI interface.

100000cr4

100Gbps copper interface.

25000cr4

25Gbps copper interface.

25000sr4

25Gbps SFI interface.

5000full

5Gbps full-duplex.

status

Switch port admin status: up or down.

option

-

up

 

Option

Description

up

Set admin status up.

down

Set admin status down.

poe-status

Enable/disable PoE status.

option

-

enable

 

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

ip-source-guard

Enable/disable IP source guard.

option

-

disable

 

Option

Description

disable

Disable IP source guard.

enable

Enable IP source guard.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

aggregator-mode

LACP member select mode.

option

-

bandwidth

 

Option

Description

bandwidth

Member selection based on largest total bandwidth of links of similar speed.

count

Member selection based on largest count of similar link speed.

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

-

disabled

 

Option

Description

disabled

Disable inter-operability with rapid PVST on this interface.

enabled

Enable inter-operability with rapid PVST on this interface.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

port-number

Port number.

integer

Minimum value: 1 Maximum value: 64

0

port-prefix-type

Port prefix type.

integer

Minimum value: 0 Maximum value: 1

0

fortilink-port

FortiLink uplink port.

integer

Minimum value: 0 Maximum value: 1

0

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

0

stacking-port

Stacking port.

integer

Minimum value: 0 Maximum value: 1

0

p2p-port

General peer to peer tunnel port.

integer

Minimum value: 0 Maximum value: 1

0

mclag-icl-port

MCLAG-ICL port.

integer

Minimum value: 0 Maximum value: 1

0

fiber-port

Fiber-port.

integer

Minimum value: 0 Maximum value: 1

0

media-type

Media type.

string

Maximum length: 31

flags

Port properties flags.

integer

Minimum value: 0 Maximum value: 4294967295

0

isl-local-trunk-name

ISL local trunk name.

string

Maximum length: 15

isl-peer-port-name

ISL peer port name.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name.

string

Maximum length: 16

fgt-peer-port-name

FGT peer port name.

string

Maximum length: 15

fgt-peer-device-name

FGT peer device name.

string

Maximum length: 16

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

allowed-vlans-all

Enable/disable all defined VLANs on this port.

option

-

disable

 

Option

Description

enable

Enable all defined VLANs on this port.

disable

Disable all defined VLANs on this port.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

type

Interface type: physical or trunk port.

option

-

physical

 

Option

Description

physical

Physical port.

trunk

Trunk port.

access-mode

Access mode of the port.

option

-

normal

 

Option

Description

normal

Normal mode.

nac

NAC mode.

dhcp-snooping

Whether this interface is trusted or untrusted for DHCP snooping.

option

-

untrusted

 

Option

Description

untrusted

Untrusted DHCP snooping interface.

trusted

Trusted DHCP snooping interface.

dhcp-snoop-option82-trust

Enable/disable accepting DHCP packets that carry option 82 on an untrusted interface.

option

-

disable

 

Option

Description

enable

Enable allowance of DHCP with option-82 on untrusted interface.

disable

Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection-trust

Whether this interface is trusted or untrusted for dynamic ARP inspection.

option

-

untrusted

 

Option

Description

untrusted

Untrusted dynamic ARP inspection.

trusted

Trusted dynamic ARP inspection.

igmps-flood-reports

Enable/disable flooding of IGMP reports to this interface when IGMP snooping is enabled.

option

-

disable

 

Option

Description

enable

Enable flooding of IGMP snooping reports to this interface.

disable

Disable flooding of IGMP snooping reports to this interface.

igmps-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

-

disable

 

Option

Description

enable

Enable flooding of IGMP snooping traffic to this interface.

disable

Disable flooding of IGMP snooping traffic to this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

-

enabled

 

Option

Description

enabled

Enable STP on this interface.

disabled

Disable STP on this interface.

stp-root-guard

Enable/disable STP root guard on this interface.

option

-

disabled

 

Option

Description

enabled

Enable STP root-guard on this interface.

disabled

Disable STP root-guard on this interface.

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

-

disabled

 

Option

Description

enabled

Enable STP BPDU guard on this interface.

disabled

Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

Timeout for BPDU guard disabling protection.

integer

Minimum value: 0 Maximum value: 120

5

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

-

enable

 

Option

Description

enable

Enable this interface as an edge port.

disable

Disable this interface as an edge port.

discard-mode

Configure discard mode for port.

option

-

none

 

Option

Description

none

Discard disabled.

all-untagged

Discard all frames that are untagged.

all-tagged

Discard all frames that are tagged.

packet-sampler

Enable/disable packet sampling on this interface.

option

-

disabled

 

Option

Description

enabled

Enable packet sampling on this interface.

disabled

Disable packet sampling on this interface.

packet-sample-rate

Packet sampling rate.

integer

Minimum value: 0 Maximum value: 99999

512

sflow-counter-interval

sFlow sampling counter polling interval.

integer

Minimum value: 0 Maximum value: 255

0

sample-direction

Packet sampling direction.

option

-

both

 

Option

Description

tx

Monitor transmitted traffic.

rx

Monitor received traffic.

both

Monitor transmitted and received traffic.

flow-control

Flow control direction.

option

-

disable

 

Option

Description

disable

Disable flow control.

tx

Enable flow control for transmission pause control frames.

rx

Enable flow control for receive pause control frames.

both

Enable flow control for both transmission and receive pause control frames.

pause-meter

Configure ingress pause metering rate, in kbps.

integer

Minimum value: 128 Maximum value: 2147483647

0

pause-meter-resume

Resume threshold for resuming traffic on ingress port.

option

-

50%

 

Option

Description

75%

Back pressure state won't be cleared until bucket count falls below 75% of pause threshold.

50%

Back pressure state won't be cleared until bucket count falls below 50% of pause threshold.

25%

Back pressure state won't be cleared until bucket count falls below 25% of pause threshold.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

-

disabled

 

Option

Description

enabled

Enable loop-guard on this interface.

disabled

Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout.

integer

Minimum value: 0 Maximum value: 120

45

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

default

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

default

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

export-tags <tag-name>

Configure export tag(s) for FortiSwitch port when exported to a virtual port pool.

FortiSwitch port tag name when exported to a virtual port pool.

string

Maximum length: 63

learning-limit

Limit the number of dynamic MAC addresses on this port.

integer

Minimum value: 0 Maximum value: 128

0

sticky-mac

Enable or disable sticky-mac on the interface.

option

-

disable

 

Option

Description

enable

Enable sticky mac on the interface.

disable

Disable sticky mac on the interface.

lldp-status

LLDP transmit and receive status.

option

-

tx-rx

 

Option

Description

disable

Disable LLDP TX and RX.

rx-only

Enable LLDP as RX only.

tx-only

Enable LLDP as TX only.

tx-rx

Enable LLDP TX and RX.

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

default-auto-isl

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

00:00:00:00:00:00

port-selection-criteria

Algorithm for aggregate port selection.

option

-

src-dst-ip

 

Option

Description

src-mac

Source MAC address.

dst-mac

Destination MAC address.

src-dst-mac

Source and destination MAC address.

src-ip

Source IP address.

dst-ip

Destination IP address.