config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch

Description: Configure FortiSwitch devices that are managed by this FortiGate.

edit <switch-id>

set name {string}

set description {string}

set switch-profile {string}

set access-profile {string}

set fsw-wan1-peer {string}

set fsw-wan1-admin [discovered|disable|...]

set poe-pre-standard-detection [enable|disable]

set poe-detection-type {integer}

set directly-connected {integer}

set version {integer}

set max-allowed-trunk-members {integer}

set pre-provisioned {integer}

set l3-discovered {integer}

set tdr-supported {string}

set dynamic-capability {user}

set switch-device-tag {string}

set switch-dhcp_opt43_key {string}

set mclag-igmp-snooping-aware [enable|disable]

set dynamically-discovered {integer}

set type [virtual|physical]

set owner-vdom {string}

set flow-identity {user}

set staged-image-version {string}

set delayed-restart-trigger {integer}

set firmware-provision [enable|disable]

set firmware-provision-version {string}

config ports

Description: Managed-switch port list.

edit <port-name>

set port-owner {string}

set switch-id {string}

set speed [10half|10full|...]

set status [up|down]

set poe-status [enable|disable]

set ip-source-guard [disable|enable]

set ptp-policy {string}

set aggregator-mode [bandwidth|count]

set rpvst-port [disabled|enabled]

set poe-pre-standard-detection [enable|disable]

set port-number {integer}

set port-prefix-type {integer}

set fortilink-port {integer}

set poe-capable {integer}

set stacking-port {integer}

set p2p-port {integer}

set mclag-icl-port {integer}

set fiber-port {integer}

set media-type {string}

set flags {integer}

set isl-local-trunk-name {string}

set isl-peer-port-name {string}

set isl-peer-device-name {string}

set fgt-peer-port-name {string}

set fgt-peer-device-name {string}

set vlan {string}

set allowed-vlans-all [enable|disable]

set allowed-vlans <vlan-name1>, <vlan-name2>, ...

set untagged-vlans <vlan-name1>, <vlan-name2>, ...

set type [physical|trunk]

set access-mode [dynamic|nac|...]

set matched-dpp-policy {string}

set matched-dpp-intf-tags {string}

set dhcp-snooping [untrusted|trusted]

set dhcp-snoop-option82-trust [enable|disable]

set arp-inspection-trust [untrusted|trusted]

set igmps-flood-reports [enable|disable]

set igmps-flood-traffic [enable|disable]

set stp-state [enabled|disabled]

set stp-root-guard [enabled|disabled]

set stp-bpdu-guard [enabled|disabled]

set stp-bpdu-guard-timeout {integer}

set edge-port [enable|disable]

set discard-mode [none|all-untagged|...]

set packet-sampler [enabled|disabled]

set packet-sample-rate {integer}

set sflow-counter-interval {integer}

set sample-direction [tx|rx|...]

set fec-capable {integer}

set fec-state [disabled|cl74|...]

set flow-control [disable|tx|...]

set pause-meter {integer}

set pause-meter-resume [75%|50%|...]

set loop-guard [enabled|disabled]

set loop-guard-timeout {integer}

set port-policy {string}

set qos-policy {string}

set storm-control-policy {string}

set port-security-policy {string}

set export-to-pool {string}

set export-tags <tag-name1>, <tag-name2>, ...

set learning-limit {integer}

set sticky-mac [enable|disable]

set lldp-status [disable|rx-only|...]

set lldp-profile {string}

set export-to {string}

set mac-addr {mac-address}

set port-selection-criteria [src-mac|dst-mac|...]

set description {string}

set lacp-speed [slow|fast]

set mode [static|lacp-passive|...]

set bundle [enable|disable]

set member-withdrawal-behavior [forward|block]

set mclag [enable|disable]

set min-bundle {integer}

set max-bundle {integer}

set members <member-name1>, <member-name2>, ...

next

end

config ip-source-guard

Description: IP source guard.

edit <port>

set description {string}

config binding-entry

Description: IP and MAC address configuration.

edit <entry-name>

set ip {ipv4-address-any}

set mac {mac-address}

next

end

next

end

config stp-settings

Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.

set local-override [enable|disable]

set name {string}

set revision {integer}

set hello-time {integer}

set forward-time {integer}

set max-age {integer}

set max-hops {integer}

set pending-timer {integer}

end

config stp-instance

Description: Configuration method to edit Spanning Tree Protocol (STP) instances.

edit <id>

set priority [0|4096|...]

next

end

set override-snmp-sysinfo [disable|enable]

config snmp-sysinfo

Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.

set status [disable|enable]

set engine-id {string}

set description {string}

set contact-info {string}

set location {string}

end

set override-snmp-trap-threshold [enable|disable]

config snmp-trap-threshold

Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.

set trap-high-cpu-threshold {integer}

set trap-low-memory-threshold {integer}

set trap-log-full-threshold {integer}

end

set override-snmp-community [enable|disable]

config snmp-community

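Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities. SNMP v1 and v2c community names are sent unencrypted, so limit the hosts list to known SNMP managers and enable only the query and trap versions that are actually needed.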

edit <id>

set name {string}

set status [disable|enable]

config hosts

Description: Configure IPv4 SNMP managers (hosts).

edit <id>

set ip {user}

next

end

set query-v1-status [disable|enable]

set query-v1-port {integer}

set query-v2c-status [disable|enable]

set query-v2c-port {integer}

set trap-v1-status [disable|enable]

set trap-v1-lport {integer}

set trap-v1-rport {integer}

set trap-v2c-status [disable|enable]

set trap-v2c-lport {integer}

set trap-v2c-rport {integer}

set events {option1}, {option2}, ...

next

end

set override-snmp-user [enable|disable]

config snmp-user

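Description: Configuration method to edit Simple Network Management Protocol (SNMP) users. The security-level setting determines whether queries are authenticated and encrypted; no-auth-no-priv provides neither, and auth-no-priv authenticates without encrypting.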

edit <name>

set queries [disable|enable]

set query-port {integer}

set security-level [no-auth-no-priv|auth-no-priv|...]

set auth-proto [md5|sha1|...]

set auth-pwd {password}

set priv-proto [aes128|aes192|...]

set priv-pwd {password}

next

end

set qos-drop-policy [taildrop|random-early-detection]

set qos-red-probability {integer}

config switch-log

Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).

set local-override [enable|disable]

set status [enable|disable]

set severity [emergency|alert|...]

end

config remote-log

Description: Configure logging by FortiSwitch device to a remote syslog server.

edit <name>

set status [enable|disable]

set server {string}

set port {integer}

set severity [emergency|alert|...]

set csv [enable|disable]

set facility [kernel|user|...]

next

end

config storm-control

Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.

set local-override [enable|disable]

set rate {integer}

set unknown-unicast [enable|disable]

set unknown-multicast [enable|disable]

set broadcast [enable|disable]

end

config mirror

Description: Configuration method to edit FortiSwitch packet mirror.

edit <name>

set status [active|inactive]

set switching-packet [enable|disable]

set dst {string}

set src-ingress <name1>, <name2>, ...

set src-egress <name1>, <name2>, ...

next

end

config static-mac

Description: Configuration method to edit FortiSwitch Static and Sticky MAC.

edit <id>

set type [static|sticky]

set vlan {string}

set mac {mac-address}

set interface {string}

set description {string}

next

end

config custom-command

Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.

edit <command-entry>

set command-name {string}

next

end

config igmp-snooping

Description: Configure FortiSwitch IGMP snooping global settings.

set local-override [enable|disable]

set aging-time {integer}

set flood-unknown-multicast [enable|disable]

end

config 802-1X-settings

Description: Configuration method to edit FortiSwitch 802.1X global settings.

set local-override [enable|disable]

set link-down-auth [set-unauth|no-action]

set reauth-period {integer}

set max-reauth-attempt {integer}

set tx-period {integer}

end

next

end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

name

Managed-switch name.

string

Maximum length: 35

description

Description.

string

Maximum length: 63

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

-

discovered

 

Option

Description

discovered

Link waiting to be authorized.

disable

Link unauthorized.

enable

Link authorized.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

poe-detection-type

PoE detection type for FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

directly-connected

Directly connected FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

0

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

0

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

0

l3-discovered

Layer 3 management discovered.

integer

Minimum value: 0 Maximum value: 1

0

tdr-supported

TDR supported.

string

Maximum length: 31

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

-

enable

 

Option

Description

enable

Enable MCLAG IGMP-snooping awareness.

disable

Disable MCLAG IGMP-snooping awareness.

dynamically-discovered

Dynamically discovered FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

type

Indication of switch type, physical or virtual.

option

-

physical

 

Option

Description

virtual

Switch is of type virtual.

physical

Switch is of type physical.

owner-vdom

VDOM to which the owner of the port belongs.

string

Maximum length: 31

flow-identity

Flow-tracking netflow ipfix switch identity in hex format.

user

Not Specified

00000000

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

firmware-provision

Enable/disable provisioning of firmware to FortiSwitches on join connection.

option

-

disable

 

Option

Description

enable

Enable firmware-provision.

disable

Disable firmware-provision.

firmware-provision-version

Firmware version to provision to this FortiSwitch on bootup (major.minor.build, e.g. 6.2.1234).

string

Maximum length: 35

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

-

disable

 

Option

Description

disable

Use the global SNMP system information.

enable

Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

-

disable

 

Option

Description

enable

Override the global SNMP trap threshold values.

disable

Use the global SNMP trap threshold values.

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

-

disable

 

Option

Description

enable

Override the global SNMP communities.

disable

Use the global SNMP communities.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

-

disable

 

Option

Description

enable

Override the global SNMPv3 users.

disable

Use the global SNMPv3 users.

qos-drop-policy

Set QoS drop-policy.

option

-

taildrop

 

Option

Description

taildrop

Taildrop policy.

random-early-detection

Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

12

config ports

Parameter

Description

Type

Size

Default

port-owner

Switch port name.

string

Maximum length: 15

switch-id

Switch id.

string

Maximum length: 16

speed

Switch port speed; default and available settings depend on hardware.

option

-

auto

 

Option

Description

10half

10M half-duplex.

10full

10M full-duplex.

100half

100M half-duplex.

100full

100M full-duplex.

1000auto

Auto-negotiation (1G full-duplex only).

1000fiber

1G full-duplex (fiber SFPs only)

1000full

1G full-duplex

10000

10G full-duplex

40000

40G full-duplex

auto

Auto-negotiation.

auto-module

Auto Module.

100FX-half

100Mbps half-duplex, 100Base-FX.

100FX-full

100Mbps full-duplex, 100Base-FX.

100000full

100Gbps full-duplex.

2500auto

Auto-Negotiation (2.5Gbps Only).

25000full

25Gbps full-duplex.

50000full

50Gbps full-duplex.

10000cr

10Gbps copper interface.

10000sr

10Gbps SFI interface.

100000sr4

100Gbps SFI interface.

100000cr4

100Gbps copper interface.

25000cr4

25Gbps copper interface.

25000sr4

25Gbps SFI interface.

5000full

5Gbps full-duplex.

status

Switch port admin status: up or down.

option

-

up

 

Option

Description

up

Set admin status up.

down

Set admin status down.

poe-status

Enable/disable PoE status.

option

-

enable

 

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

ip-source-guard

Enable/disable IP source guard.

option

-

disable

 

Option

Description

disable

Disable IP source guard.

enable

Enable IP source guard.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

aggregator-mode

LACP member select mode.

option

-

bandwidth

 

Option

Description

bandwidth

Member selection based on largest total bandwidth of links of similar speed.

count

Member selection based on largest count of similar link speed.

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

-

disabled

 

Option

Description

disabled

Disable inter-operability with rapid PVST on this interface.

enabled

Enable inter-operability with rapid PVST on this interface.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

 

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

port-number

Port number.

integer

Minimum value: 1 Maximum value: 64

0

port-prefix-type

Port prefix type.

integer

Minimum value: 0 Maximum value: 1

0

fortilink-port

FortiLink uplink port.

integer

Minimum value: 0 Maximum value: 1

0

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

0

stacking-port

Stacking port.

integer

Minimum value: 0 Maximum value: 1

0

p2p-port

General peer to peer tunnel port.

integer

Minimum value: 0 Maximum value: 1

0

mclag-icl-port

MCLAG-ICL port.

integer

Minimum value: 0 Maximum value: 1

0

fiber-port

Fiber-port.

integer

Minimum value: 0 Maximum value: 1

0

media-type

Media type.

string

Maximum length: 31

flags

Port properties flags.

integer

Minimum value: 0 Maximum value: 4294967295

0

isl-local-trunk-name

ISL local trunk name.

string

Maximum length: 15

isl-peer-port-name

ISL peer port name.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name.

string

Maximum length: 16

fgt-peer-port-name

FGT peer port name.

string

Maximum length: 15

fgt-peer-device-name

FGT peer device name.

string

Maximum length: 16

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

allowed-vlans-all

Enable/disable all defined VLANs on this port.

option

-

disable

 

Option

Description

enable

Enable all defined VLANs on this port.

disable

Disable all defined VLANs on this port.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

type

Interface type: physical or trunk port.

option

-

physical

 

Option

Description

physical

Physical port.

trunk

Trunk port.

access-mode

Access mode of the port.

option

-

static

 

Option

Description

dynamic

Dynamic mode.

nac

NAC mode.

static

Static mode.

matched-dpp-policy

Matched child policy in the dynamic port policy.

string

Maximum length: 63

matched-dpp-intf-tags

Matched interface tags in the dynamic port policy.

string

Maximum length: 63

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

-

untrusted

 

Option

Description

untrusted

Untrusted DHCP snooping interface.

trusted

Trusted DHCP snooping interface.

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

-

disable

 

Option

Description

enable

Enable allowance of DHCP with option-82 on untrusted interface.

disable

Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

-

untrusted

 

Option

Description

untrusted

Untrusted dynamic ARP inspection.

trusted

Trusted dynamic ARP inspection.

igmps-flood-reports

Enable/disable flooding of IGMP reports to this interface when IGMP snooping is enabled.

option

-

disable

 

Option

Description

enable

Enable flooding of IGMP snooping reports to this interface.

disable

Disable flooding of IGMP snooping reports to this interface.

igmps-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

-

disable

 

Option

Description

enable

Enable flooding of IGMP snooping traffic to this interface.

disable

Disable flooding of IGMP snooping traffic to this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

-

enabled

 

Option

Description

enabled

Enable STP on this interface.

disabled

Disable STP on this interface.

stp-root-guard

Enable/disable STP root guard on this interface.

option

-

disabled

 

Option

Description

enabled

Enable STP root-guard on this interface.

disabled

Disable STP root-guard on this interface.

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

-

disabled

 

Option

Description

enabled

Enable STP BPDU guard on this interface.

disabled

Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection.

integer

Minimum value: 0 Maximum value: 120

5

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

-

enable

 

Option

Description

enable

Enable this interface as an edge port.

disable

Disable this interface as an edge port.

discard-mode

Configure discard mode for port.

option

-

none

 

Option

Description

none

Discard disabled.

all-untagged

Discard all frames that are untagged.

all-tagged

Discard all frames that are tagged.

packet-sampler

Enable/disable packet sampling on this interface.

option

-

disabled

 

Option

Description

enabled

Enable packet sampling on this interface.

disabled

Disable packet sampling on this interface.

packet-sample-rate

Packet sampling rate.

integer

Minimum value: 0 Maximum value: 99999

512

sflow-counter-interval

sFlow sampling counter polling interval.

integer

Minimum value: 0 Maximum value: 255

0

sample-direction

Packet sampling direction.

option

-

both

 

Option

Description

tx

Monitor transmitted traffic.

rx

Monitor received traffic.

both

Monitor transmitted and received traffic.

fec-capable

FEC capable.

integer

Minimum value: 0 Maximum value: 1

0

fec-state

State of forward err