Fortinet white logo
Fortinet white logo

CLI Reference

config switch-controller managed-switch

config switch-controller managed-switch

Note

This command is available for model(s): FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 5001E1, FortiGate 5001E.

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch
    Description: Configure FortiSwitch devices that are managed by this FortiGate.
    edit <switch-id>
        config 802-1X-settings
            Description: Configuration method to edit FortiSwitch 802.1X global settings.
            set local-override [enable|disable]
            set link-down-auth [set-unauth|no-action]
            set reauth-period {integer}
            set max-reauth-attempt {integer}
            set tx-period {integer}
        end
        set access-profile {string}
        config custom-command
            Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
            edit <command-entry>
                set command-name {string}
            next
        end
        set delayed-restart-trigger {integer}
        set description {string}
        set dhcp-server-access-list [global|enable|...]
        set directly-connected {integer}
        set dynamic-capability {user}
        set dynamically-discovered {integer}
        set firmware-provision [enable|disable]
        set firmware-provision-latest [disable|once]
        set firmware-provision-version {string}
        set flow-identity {user}
        set fsw-wan1-admin [discovered|disable|...]
        set fsw-wan1-peer {string}
        config igmp-snooping
            Description: Configure FortiSwitch IGMP snooping global settings.
            set local-override [enable|disable]
            set aging-time {integer}
            set flood-unknown-multicast [enable|disable]
            config vlans
                Description: Configure IGMP snooping VLAN.
                edit <vlan-name>
                    set proxy [disable|enable|...]
                    set querier [disable|enable]
                    set querier-addr {ipv4-address}
                    set version {integer}
                next
            end
        end
        config ip-source-guard
            Description: IP source guard.
            edit <port>
                set description {string}
                config binding-entry
                    Description: IP and MAC address configuration.
                    edit <entry-name>
                        set ip {ipv4-address-any}
                        set mac {mac-address}
                    next
                end
            next
        end
        set l3-discovered {integer}
        set max-allowed-trunk-members {integer}
        set mclag-igmp-snooping-aware [enable|disable]
        config mirror
            Description: Configuration method to edit FortiSwitch packet mirror.
            edit <name>
                set status [active|inactive]
                set switching-packet [enable|disable]
                set dst {string}
                set src-ingress <name1>, <name2>, ...
                set src-egress <name1>, <name2>, ...
            next
        end
        set name {string}
        set override-snmp-community [enable|disable]
        set override-snmp-sysinfo [disable|enable]
        set override-snmp-trap-threshold [enable|disable]
        set override-snmp-user [enable|disable]
        set owner-vdom {string}
        set poe-detection-type {integer}
        set poe-pre-standard-detection [enable|disable]
        config ports
            Description: Managed-switch port list.
            edit <port-name>
                set port-owner {string}
                set switch-id {string}
                set speed [10half|10full|...]
                set status [up|down]
                set poe-status [enable|disable]
                set ip-source-guard [disable|enable]
                set ptp-policy {string}
                set aggregator-mode [bandwidth|count]
                set rpvst-port [disabled|enabled]
                set poe-pre-standard-detection [enable|disable]
                set port-number {integer}
                set port-prefix-type {integer}
                set fortilink-port {integer}
                set poe-capable {integer}
                set stacking-port {integer}
                set p2p-port {integer}
                set mclag-icl-port {integer}
                set fiber-port {integer}
                set media-type {string}
                set poe-standard {string}
                set poe-max-power {string}
                set flags {integer}
                set isl-local-trunk-name {string}
                set isl-peer-port-name {string}
                set isl-peer-device-name {string}
                set fgt-peer-port-name {string}
                set fgt-peer-device-name {string}
                set vlan {string}
                set allowed-vlans-all [enable|disable]
                set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                set type [physical|trunk]
                set access-mode [dynamic|nac|...]
                set matched-dpp-policy {string}
                set matched-dpp-intf-tags {string}
                set dhcp-snooping [untrusted|trusted]
                set dhcp-snoop-option82-trust [enable|disable]
                set arp-inspection-trust [untrusted|trusted]
                set igmps-flood-reports [enable|disable]
                set igmps-flood-traffic [enable|disable]
                set stp-state [enabled|disabled]
                set stp-root-guard [enabled|disabled]
                set stp-bpdu-guard [enabled|disabled]
                set stp-bpdu-guard-timeout {integer}
                set edge-port [enable|disable]
                set discard-mode [none|all-untagged|...]
                set packet-sampler [enabled|disabled]
                set packet-sample-rate {integer}
                set sflow-counter-interval {integer}
                set sample-direction [tx|rx|...]
                set fec-capable {integer}
                set fec-state [disabled|cl74|...]
                set flow-control [disable|tx|...]
                set pause-meter {integer}
                set pause-meter-resume [75%|50%|...]
                set loop-guard [enabled|disabled]
                set loop-guard-timeout {integer}
                set port-policy {string}
                set qos-policy {string}
                set storm-control-policy {string}
                set port-security-policy {string}
                set export-to-pool {string}
                set interface-tags <tag-name1>, <tag-name2>, ...
                set learning-limit {integer}
                set sticky-mac [enable|disable]
                set lldp-status [disable|rx-only|...]
                set lldp-profile {string}
                set export-to {string}
                set mac-addr {mac-address}
                set port-selection-criteria [src-mac|dst-mac|...]
                set description {string}
                set lacp-speed [slow|fast]
                set mode [static|lacp-passive|...]
                set bundle [enable|disable]
                set member-withdrawal-behavior [forward|block]
                set mclag [enable|disable]
                set min-bundle {integer}
                set max-bundle {integer}
                set members <member-name1>, <member-name2>, ...
            next
        end
        set pre-provisioned {integer}
        set qos-drop-policy [taildrop|random-early-detection]
        set qos-red-probability {integer}
        config remote-log
            Description: Configure logging by FortiSwitch device to a remote syslog server.
            edit <name>
                set status [enable|disable]
                set server {string}
                set port {integer}
                set severity [emergency|alert|...]
                set csv [enable|disable]
                set facility [kernel|user|...]
            next
        end
        config snmp-community
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
            edit <id>
                set name {string}
                set status [disable|enable]
                config hosts
                    Description: Configure IPv4 SNMP managers (hosts).
                    edit <id>
                        set ip {user}
                    next
                end
                set query-v1-status [disable|enable]
                set query-v1-port {integer}
                set query-v2c-status [disable|enable]
                set query-v2c-port {integer}
                set trap-v1-status [disable|enable]
                set trap-v1-lport {integer}
                set trap-v1-rport {integer}
                set trap-v2c-status [disable|enable]
                set trap-v2c-lport {integer}
                set trap-v2c-rport {integer}
                set events {option1}, {option2}, ...
            next
        end
        config snmp-sysinfo
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
            set status [disable|enable]
            set engine-id {string}
            set description {string}
            set contact-info {string}
            set location {string}
        end
        config snmp-trap-threshold
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
            set trap-high-cpu-threshold {integer}
            set trap-low-memory-threshold {integer}
            set trap-log-full-threshold {integer}
        end
        config snmp-user
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
            edit <name>
                set queries [disable|enable]
                set query-port {integer}
                set security-level [no-auth-no-priv|auth-no-priv|...]
                set auth-proto [md5|sha1|...]
                set auth-pwd {password}
                set priv-proto [aes128|aes192|...]
                set priv-pwd {password}
            next
        end
        set staged-image-version {string}
        config static-mac
            Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
            edit <id>
                set type [static|sticky]
                set vlan {string}
                set mac {mac-address}
                set interface {string}
                set description {string}
            next
        end
        config storm-control
            Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
            set local-override [enable|disable]
            set rate {integer}
            set unknown-unicast [enable|disable]
            set unknown-multicast [enable|disable]
            set broadcast [enable|disable]
        end
        config stp-instance
            Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
            edit <id>
                set priority [0|4096|...]
            next
        end
        config stp-settings
            Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
            set local-override [enable|disable]
            set name {string}
            set revision {integer}
            set hello-time {integer}
            set forward-time {integer}
            set max-age {integer}
            set max-hops {integer}
            set pending-timer {integer}
        end
        set switch-device-tag {string}
        set switch-dhcp_opt43_key {string}
        config switch-log
            Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
            set local-override [enable|disable]
            set status [enable|disable]
            set severity [emergency|alert|...]
        end
        set switch-profile {string}
        set tdr-supported {string}
        set type [virtual|physical]
        set version {integer}
    next
end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

description

Description.

string

Maximum length: 63

dhcp-server-access-list

DHCP snooping server access list.

option

-

global

Option

Description

global

Use global setting for DHCP snooping server access list.

enable

Override global setting and enable DHCP server access list.

disable

Override global setting and disable DHCP server access list.

directly-connected

Directly connected FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

dynamically-discovered

Dynamically discovered FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

firmware-provision

Enable/disable provisioning of firmware to FortiSwitches on join connection.

option

-

disable

Option

Description

enable

Enable firmware-provision.

disable

Disable firmware-provision.

firmware-provision-latest

Enable/disable one-time automatic provisioning of the latest firmware version.

option

-

disable

Option

Description

disable

Do not automatically provision the latest available firmware.

once

Automatically attempt a one-time upgrade to the latest available firmware version.

firmware-provision-version

Firmware version to provision to this FortiSwitch on bootup (major.minor.build, i.e. 6.2.1234).

string

Maximum length: 35

flow-identity

Flow-tracking netflow ipfix switch identity in hex format.

user

Not Specified

00000000

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

-

discovered

Option

Description

discovered

Link waiting to be authorized.

disable

Link unauthorized.

enable

Link authorized.

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

l3-discovered

Layer 3 management discovered.

integer

Minimum value: 0 Maximum value: 1

0

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

0

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

-

enable

Option

Description

enable

Enable MCLAG IGMP-snooping awareness.

disable

Disable MCLAG IGMP-snooping awareness.

name

Managed-switch name.

string

Maximum length: 35

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

-

disable

Option

Description

enable

Override the global SNMP communities.

disable

Use the global SNMP communities.

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

-

disable

Option

Description

disable

Use the global SNMP system information.

enable

Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

-

disable

Option

Description

enable

Override the global SNMP trap threshold values.

disable

Use the global SNMP trap threshold values.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

-

disable

Option

Description

enable

Override the global SNMPv3 users.

disable

Use the global SNMPv3 users.

owner-vdom

VDOM which owner of port belongs to.

string

Maximum length: 31

poe-detection-type

PoE detection type for FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

0

qos-drop-policy

Set QoS drop-policy.

option

-

taildrop

Option

Description

taildrop

Taildrop policy.

random-early-detection

Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

12

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

switch-id

Managed-switch id.

string

Maximum length: 16

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

tdr-supported

TDR supported.

string

Maximum length: 31

type

Indication of switch type, physical or virtual.

option

-

physical

Option

Description

virtual

Switch is of type virtual.

physical

Switch is of type physical.

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

0

config 802-1X-settings

Parameter

Description

Type

Size

Default

local-override

Enable to override global 802.1X settings on individual FortiSwitches.

option

-

disable

Option

Description

enable

Override global 802.1X settings.

disable

Use global 802.1X settings.

link-down-auth

Authentication state to set if a link is down.

option

-

set-unauth

Option

Description

set-unauth

Interface set to unauth when down. Reauthentication is needed.

no-action

Interface reauthentication is not needed.

reauth-period

Reauthentication time interval.

integer

Minimum value: 0 Maximum value: 1440

60

max-reauth-attempt

Maximum number of authentication attempts.

integer

Minimum value: 0 Maximum value: 15

3

tx-period

802.1X Tx period.

integer

Minimum value: 4 Maximum value: 60

30

config custom-command

Parameter

Description

Type

Size

Default

command-entry

List of FortiSwitch commands.

string

Maximum length: 35

command-name

Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command.

string

Maximum length: 35

config igmp-snooping

Parameter

Description

Type

Size

Default

local-override

Enable/disable overriding the global IGMP snooping configuration.

option

-

disable

Option

Description

enable

Override the global IGMP snooping configuration.

disable

Use the global IGMP snooping configuration.

aging-time

Maximum time to retain a multicast snooping entry for which no packets have been seen.

integer

Minimum value: 15 Maximum value: 3600

300

flood-unknown-multicast

Enable/disable unknown multicast flooding.

option

-

disable

Option

Description

enable

Enable unknown multicast flooding.

disable

Disable unknown multicast flooding.

config vlans

Parameter

Description

Type

Size

Default

vlan-name

List of FortiSwitch VLANs.

string

Maximum length: 15

default

proxy

IGMP snooping proxy for the VLAN interface.

option

-

global

Option

Description

disable

Disable IGMP snooping proxy on VLAN interface.

enable

Enable IGMP snooping proxy on VLAN interface.

global

Use global setting for IGMP snooping proxy on VLAN interface.

querier

Enable/disable IGMP snooping querier for the VLAN interface.

option

-

disable

Option

Description

disable

Disable IGMP snooping querier on VLAN interface.

enable

Enable IGMP snooping querier on VLAN interface.

querier-addr

IGMP snooping querier address.

ipv4-address

Not Specified

0.0.0.0

version

IGMP snooping querying version.

integer

Minimum value: 2 Maximum value: 3

2

config ip-source-guard

Parameter

Description

Type

Size

Default

port

Ingress interface to which source guard is bound.

string

Maximum length: 15

description

Description.

string

Maximum length: 63

config binding-entry

Parameter

Description

Type

Size

Default

entry-name

Configure binding pair.

string

Maximum length: 16

ip

Source IP for this rule.

ipv4-address-any

Not Specified

0.0.0.0

mac

MAC address for this rule.

mac-address

Not Specified

00:00:00:00:00:00

config mirror

Parameter

Description

Type

Size

Default

name

Mirror name.

string

Maximum length: 63

status

Active/inactive mirror configuration.

option

-

inactive

Option

Description

active

Activate mirror configuration.

inactive

Deactivate mirror configuration.

switching-packet

Enable/disable switching functionality when mirroring.

option

-

disable

Option

Description

enable

Enable switching functionality when mirroring.

disable

Disable switching functionality when mirroring.

dst

Destination port.

string

Maximum length: 63

src-ingress <name>

Source ingress interfaces.

Interface name.

string

Maximum length: 79

src-egress <name>

Source egress interfaces.

Interface name.

string

Maximum length: 79

config ports

Parameter

Description

Type

Size

Default

port-name

Switch port name.

string

Maximum length: 15

port-owner

Switch port name.

string

Maximum length: 15

switch-id

Switch id.

string

Maximum length: 16

speed

Switch port speed; default and available settings depend on hardware.

option

-

auto

Option

Description

10half

10M half-duplex.

10full

10M full-duplex.

100half

100M half-duplex.

100full

100M full-duplex.

1000auto

Auto-negotiation (1G full-duplex only).

1000full-fiber

1G full-duplex (fiber SFPs only)

1000full

1G full-duplex

10000full

10G full-duplex

40000full

40G full-duplex

auto

Auto-negotiation.

auto-module

Auto Module.

100FX-half

100Mbps half-duplex.100Base-FX.

100FX-full

100Mbps full-duplex.100Base-FX.

100000full

100Gbps full-duplex.

2500auto

Auto-Negotiation (2.5Gbps Only).

25000full

25Gbps full-duplex.

50000full

50Gbps full-duplex.

10000cr

10Gbps copper interface.

10000sr

10Gbps SFI interface.

100000sr4

100Gbps SFI interface.

100000cr4

100Gbps copper interface.

40000sr4

40Gbps SFI interface.

40000cr4

40Gbps copper interface.

25000cr

25Gbps copper interface.

25000sr

25Gbps SFI interface.

50000cr

50Gbps copper interface.

50000sr

50Gbps SFI interface.

5000auto

5Gbps full-duplex.

status

Switch port admin status: up or down.

option

-

up

Option

Description

up

Set admin status up.

down

Set admin status down.

poe-status

Enable/disable PoE status.

option

-

enable

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

ip-source-guard

Enable/disable IP source guard.

option

-

disable

Option

Description

disable

Disable IP source guard.

enable

Enable IP source guard.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

aggregator-mode

LACP member select mode.

option

-

bandwidth

Option

Description

bandwidth

Member selection based on largest total bandwidth of links of similar speed.

count

Member selection based on largest count of similar link speed.

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

-

disabled

Option

Description

disabled

Disable inter-operability with rapid PVST on this interface.

enabled

Enable inter-operability with rapid PVST on this interface.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

port-number

Port number.

integer

Minimum value: 1 Maximum value: 64

0

port-prefix-type

Port prefix type.

integer

Minimum value: 0 Maximum value: 1

0

fortilink-port

FortiLink uplink port.

integer

Minimum value: 0 Maximum value: 1

0

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

0

stacking-port

Stacking port.

integer

Minimum value: 0 Maximum value: 1

0

p2p-port

General peer to peer tunnel port.

integer

Minimum value: 0 Maximum value: 1

0

mclag-icl-port

MCLAG-ICL port.

integer

Minimum value: 0 Maximum value: 1

0

fiber-port

Fiber-port.

integer

Minimum value: 0 Maximum value: 1

0

media-type

Media type.

string

Maximum length: 31

poe-standard

PoE standard supported.

string

Maximum length: 63

poe-max-power

PoE maximum power.

string

Maximum length: 35

flags

Port properties flags.

integer

Minimum value: 0 Maximum value: 4294967295

0

isl-local-trunk-name

ISL local trunk name.

string

Maximum length: 15

isl-peer-port-name

ISL peer port name.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name.

string

Maximum length: 16

fgt-peer-port-name

FGT peer port name.

string

Maximum length: 15

fgt-peer-device-name

FGT peer device name.

string

Maximum length: 16

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

allowed-vlans-all

Enable/disable all defined vlans on this port.

option

-

disable

Option

Description

enable

Enable all defined VLANs on this port.

disable

Disable all defined VLANs on this port.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

type

Interface type: physical or trunk port.

option

-

physical

Option

Description

physical

Physical port.

trunk

Trunk port.

access-mode

Access mode of the port.

option

-

static

Option

Description

dynamic

Dynamic mode.

nac

NAC mode.

static

Static mode.

matched-dpp-policy

Matched child policy in the dynamic port policy.

string

Maximum length: 63

matched-dpp-intf-tags

Matched interface tags in the dynamic port policy.

string

Maximum length: 63

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

-

untrusted

Option

Description

untrusted

Untrusted DHCP snooping interface.

trusted

Trusted DHCP snooping interface.

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

-

disable

Option

Description

enable

Enable allowance of DHCP with option-82 on untrusted interface.

disable

Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

-

untrusted

Option

Description

untrusted

Untrusted dynamic ARP inspection.

trusted

Trusted dynamic ARP inspection.

igmps-flood-reports

Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.

option

-

disable

Option

Description

enable

Enable flooding of IGMP snooping reports to this interface.

disable

Disable flooding of IGMP snooping reports to this interface.

igmps-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

-

disable

Option

Description

enable

Enable flooding of IGMP snooping traffic to this interface.

disable

Disable flooding of IGMP snooping traffic to this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

-

enabled

Option

Description

enabled

Enable STP on this interface.

disabled

Disable STP on this interface.

stp-root-guard

Enable/disable STP root guard on this interface.

option

-

disabled

Option

Description

enabled

Enable STP root-guard on this interface.

disabled

Disable STP root-guard on this interface.

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

-

disabled

Option

Description

enabled

Enable STP BPDU guard on this interface.

disabled

Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection.

integer

Minimum value: 0 Maximum value: 120

5

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

-

enable

Option

Description

enable

Enable this interface as an edge port.

disable

Disable this interface as an edge port.

discard-mode

Configure discard mode for port.

option

-

none

Option

Description

none

Discard disabled.

all-untagged

Discard all frames that are untagged.

all-tagged

Discard all frames that are tagged.

packet-sampler

Enable/disable packet sampling on this interface.

option

-

disabled

Option

Description

enabled

Enable packet sampling on this interface.

disabled

Disable packet sampling on this interface.

packet-sample-rate

Packet sampling rate.

integer

Minimum value: 0 Maximum value: 99999

512

sflow-counter-interval

sFlow sampling counter polling interval in seconds.

integer

Minimum value: 0 Maximum value: 255

0

sample-direction

Packet sampling direction.

option

-

both

Option

Description

tx

Monitor transmitted traffic.

rx

Monitor received traffic.

both

Monitor transmitted and received traffic.

fec-capable

FEC capable.

integer

Minimum value: 0 Maximum value: 1

0

fec-state

State of forward error correction.

option

-

cl91

Option

Description

disabled

Disable forward error correction.

cl74

Enable Clause 74 FC-FEC, which only applies to 25Gbps.

cl91

Enable Clause 91 RS-FEC, which only applies to 100Gbps.

flow-control

Flow control direction.

option

-

disable

Option

Description

disable

Disable flow control.

tx

Enable flow control for transmission pause control frames.

rx

Enable flow control for receive pause control frames.

both

Enable flow control for both transmission and receive pause control frames.

pause-meter

Configure ingress pause metering rate, in kbps.

integer

Minimum value: 128 Maximum value: 2147483647

0

pause-meter-resume

Resume threshold for resuming traffic on ingress port.

option

-

50%

Option

Description

75%

Back pressure state won't be cleared until bucket count falls below 75% of pause threshold.

50%

Back pressure state won't be cleared until bucket count falls below 50% of pause threshold.

25%

Back pressure state won't be cleared until bucket count falls below 25% of pause threshold.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

-

disabled

Option

Description

enabled

Enable loop-guard on this interface.

disabled

Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout.

integer

Minimum value: 0 Maximum value: 120

45

port-policy

Switch controller dynamic port policy from available options.

string

Maximum length: 63

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

default

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

default

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

interface-tags <tag-name>

Tag(s) associated with the interface for various features including virtual port pool, dynamic port policy.

FortiSwitch port tag name when exported to a virtual port pool or matched to dynamic port policy.

string

Maximum length: 63

learning-limit

Limit the number of dynamic MAC addresses on this Port.

integer

Minimum value: 0 Maximum value: 128

0

sticky-mac

Enable or disable sticky-mac on the interface.

option

-

disable

Option

Description

enable

Enable sticky mac on the interface.

disable

Disable sticky mac on the interface.

lldp-status

LLDP transmit and receive status.

option

-

tx-rx

Option

Description

disable

Disable LLDP TX and RX.

rx-only

Enable LLDP as RX only.

tx-only

Enable LLDP as TX only.

tx-rx

Enable LLDP TX and RX.

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

default-auto-isl

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

00:00:00:00:00:00

port-selection-criteria

Algorithm for aggregate port selection.

option

-

src-dst-ip

Option

Description

src-mac

Source MAC address.

dst-mac

Destination MAC address.

src-dst-mac

Source and destination MAC address.

src-ip

Source IP address.

dst-ip

Destination IP address.

src-dst-ip

Source and destination IP address.

description

Description for port.

string

Maximum length: 63

lacp-speed

End Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).

option

-

slow

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

mode

LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.

option

-

static

Option

Description

static

Static aggregation, do not send and ignore any control messages.

lacp-passive

Passively use LACP to negotiate 802.3ad aggregation.

lacp-active

Actively use LACP to negotiate 802.3ad aggregation.

bundle

Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.

option

-

disable

Option

Description

enable

Enable bundling.

disable

Disable bundling.

member-withdrawal-behavior

Port behavior after it withdraws because of loss of control packets.

option

-

block

Option

Description

forward

Forward traffic.

block

Block traffic.

mclag

Enable/disable multi-chassis link aggregation (MCLAG).

option

-

disable

Option

Description

enable

Enable MCLAG.

disable

Disable MCLAG.

min-bundle

Minimum size of LAG bundle.

integer

Minimum value: 1 Maximum value: 24

1

max-bundle

Maximum size of LAG bundle.

integer

Minimum value: 1 Maximum value: 24

24

members <member-name>

Aggregated LAG bundle interfaces.

Interface name from available options.

string

Maximum length: 79

config remote-log

Parameter

Description

Type

Size

Default

name

Remote log name.

string

Maximum length: 35

status

Enable/disable logging by FortiSwitch device to a remote syslog server.

option

-

disable

Option

Description

enable

Enable logging by FortiSwitch device to a remote syslog server.

disable

Disable logging by FortiSwitch device to a remote syslog server.

server

IPv4 address of the remote syslog server.

string

Maximum length: 63

port

Remote syslog server listening port.

integer

Minimum value: 0 Maximum value: 65535

514

severity

Severity of logs to be transferred to remote log server.

option

-

information

Option

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notification

Notification level.

information

Information level.

debug

Debug level.

csv

Enable/disable comma-separated value (CSV) strings.

option

-

disable

Option

Description

enable

Enable comma-separated value (CSV) strings.

disable

Disable comma-separated value (CSV) strings.

facility

Facility to log to remote syslog server.

option

-

local7

Option

Description

kernel

Kernel messages.

user

Random user-level messages.

mail

Mail system.

daemon

System daemons.

auth

Security/authorization messages.

syslog

Messages generated internally by syslogd.

lpr

Line printer subsystem.

news

Network news subsystem.

uucp

UUCP server messages.

cron

Clock daemon.

authpriv

Security/authorization messages (private).

ftp

FTP daemon.

ntp

NTP daemon.

audit

Log audit.

alert

Log alert.

clock

Clock daemon.

local0

Reserved for local use.

local1

Reserved for local use.

local2

Reserved for local use.

local3

Reserved for local use.

local4

Reserved for local use.

local5

Reserved for local use.

local6

Reserved for local use.

local7

Reserved for local use.

config snmp-community

Parameter

Description

Type

Size

Default

id

SNMP community ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

SNMP community name.

string

Maximum length: 35

status

Enable/disable this SNMP community.

option

-

enable

Option

Description

disable

Disable SNMP community.

enable

Enable SNMP community.

query-v1-status

Enable/disable SNMP v1 queries.

option

-

enable

Option

Description

disable

Disable SNMP v1 queries.

enable

Enable SNMP v1 queries.

query-v1-port

SNMP v1 query port.

integer

Minimum value: 0 Maximum value: 65535

161

query-v2c-status

Enable/disable SNMP v2c queries.

option

-

enable

Option

Description

disable

Disable SNMP v2c queries.

enable

Enable SNMP v2c queries.

query-v2c-port

SNMP v2c query port.

integer

Minimum value: 0 Maximum value: 65535

161

trap-v1-status

Enable/disable SNMP v1 traps.

option

-

enable

Option

Description

disable

Disable SNMP v1 traps.

enable

Enable SNMP v1 traps.

trap-v1-lport

SNMP v2c trap local port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-rport

SNMP v2c trap remote port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-status

Enable/disable SNMP v2c traps.

option

-

enable

Option

Description

disable

Disable SNMP v2c traps.

enable

Enable SNMP v2c traps.

trap-v2c-lport

SNMP v2c trap local port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-rport

SNMP v2c trap remote port.

integer

Minimum value: 0 Maximum value: 65535

162

events

SNMP notifications (traps) to send.

option

-

cpu-high mem-low log-full intf-ip ent-conf-change

Option

Description

cpu-high

Send a trap when CPU usage too high.

mem-low

Send a trap when available memory is low.

log-full

Send a trap when log disk space becomes low.

intf-ip

Send a trap when an interface IP address is changed.

ent-conf-change

Send a trap when an entity MIB change occurs (RFC4133).

config hosts

Parameter

Description

Type

Size

Default

id

Host entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IPv4 address of the SNMP manager (host).

user

Not Specified

config snmp-sysinfo

Parameter

Description

Type

Size

Default

status

Enable/disable SNMP.

option

-

disable

Option

Description

disable

Disable SNMP.

enable

Enable SNMP.

engine-id

Local SNMP engine ID string (max 24 char).

string

Maximum length: 24

description

System description.

string

Maximum length: 35

contact-info

Contact information.

string

Maximum length: 35

location

System location.

string

Maximum length: 35

config snmp-trap-threshold

Parameter

Description

Type

Size

Default

trap-high-cpu-threshold

CPU usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

80

trap-low-memory-threshold

Memory usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

80

trap-log-full-threshold

Log disk usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

90

config snmp-user

Parameter

Description

Type

Size

Default

name

SNMP user name.

string

Maximum length: 32

queries

Enable/disable SNMP queries for this user.

option

-

enable

Option

Description

disable

Disable SNMP queries for this user.

enable

Enable SNMP queries for this user.

query-port

SNMPv3 query port.

integer

Minimum value: 0 Maximum value: 65535

161

security-level

Security level for message authentication and encryption.

option

-

no-auth-no-priv

Option

Description

no-auth-no-priv

Message with no authentication and no privacy (encryption).

auth-no-priv

Message with authentication but no privacy (encryption).

auth-priv

Message with authentication and privacy (encryption).

auth-proto

Authentication protocol.

option

-

sha256

Option

Description

md5

HMAC-MD5-96 authentication protocol.

sha1

HMAC-SHA-1 authentication protocol.

sha224

HMAC-SHA-224 authentication protocol.

sha256

HMAC-SHA-256 authentication protocol.

sha384

HMAC-SHA-384 authentication protocol.

sha512

HMAC-SHA-512 authentication protocol.

auth-pwd

Password for authentication protocol.

password

Not Specified

priv-proto

Privacy (encryption) protocol.

option

-

aes128

Option

Description

aes128

CFB128-AES-128 symmetric encryption protocol.

aes192

CFB128-AES-192 symmetric encryption protocol.

aes192c

CFB128-AES-192-C symmetric encryption protocol.

aes256

CFB128-AES-256 symmetric encryption protocol.

aes256c

CFB128-AES-256-C symmetric encryption protocol.

des

CBC-DES symmetric encryption protocol.

priv-pwd

Password for privacy (encryption) protocol.

password

Not Specified

config static-mac

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

type

Type.

option

-

static

Option

Description

static

Static MAC.

sticky

Sticky MAC.

vlan

Vlan.

string

Maximum length: 15

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

interface

Interface name.

string

Maximum length: 35

description

Description.

string

Maximum length: 63

config storm-control

Parameter

Description

Type

Size

Default

local-override

Enable to override global FortiSwitch storm control settings for this FortiSwitch.

option

-

disable

Option

Description

enable

Override global storm control settings.

disable

Use global storm control settings.

rate

Rate in packets per second at which storm traffic is controlled. Storm control drops excess traffic data rates beyond this threshold.

integer

Minimum value: 1 Maximum value: 10000000

500

unknown-unicast

Enable/disable storm control to drop unknown unicast traffic.

option

-

disable

Option

Description

enable

Drop unknown unicast traffic.

disable

Allow unknown unicast traffic.

unknown-multicast

Enable/disable storm control to drop unknown multicast traffic.

option

-

disable

Option

Description

enable

Drop unknown multicast traffic.

disable

Allow unknown multicast traffic.

broadcast

Enable/disable storm control to drop broadcast traffic.

option

-

disable

Option

Description

enable

Drop broadcast traffic.

disable

Allow broadcast traffic.

config stp-instance

Parameter

Description

Type

Size

Default

id

Instance ID.

string

Maximum length: 2

priority

Priority.

option

-

32768

Option

Description

0

0.

4096

4096.

8192

8192.

12288

12288.

16384

16384.

20480

20480.

24576

24576.

28672

28672.

32768

32768.

36864

36864.

40960

40960.

45056

45056.

49152

49152.

53248

53248.

57344

57344.

61440

61440.

config stp-settings

Parameter

Description

Type

Size

Default

local-override

Enable to configure local STP settings that override global STP settings.

option

-

disable

Option

Description

enable

Override global STP settings.

disable

Use global STP settings.

name

Name of local STP settings configuration.

string

Maximum length: 31

revision

STP revision number.

integer

Minimum value: 0 Maximum value: 65535

0

hello-time

Period of time between successive STP frame Bridge Protocol Data Units.

integer

Minimum value: 1 Maximum value: 10

2

forward-time

Period of time a port is in listening and learning state.

integer

Minimum value: 4 Maximum value: 30

15

max-age

Maximum time before a bridge port saves its configuration BPDU information.

integer

Minimum value: 6 Maximum value: 40

20

max-hops

Maximum number of hops between the root bridge and the furthest bridge.

integer

Minimum value: 1 Maximum value: 40

20

pending-timer

Pending time.

integer

Minimum value: 1 Maximum value: 15

4

config switch-log

Parameter

Description

Type

Size

Default

local-override

Enable to configure local logging settings that override global logging settings.

option

-

disable

Option

Description

enable

Override global logging settings.

disable

Use global logging settings.

status

Enable/disable adding FortiSwitch logs to the FortiGate event log.

option

-

enable

Option

Description

enable

Add FortiSwitch logs to the FortiGate event log.

disable

Do not add FortiSwitch logs to the FortiGate event log.

severity

Severity of FortiSwitch logs that are added to the FortiGate event log.

option

-

notification

Option

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notification

Notification level.

information

Information level.

debug

Debug level.

config switch-controller managed-switch

config switch-controller managed-switch

Note

This command is available for model(s): FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 5001E1, FortiGate 5001E.

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch
    Description: Configure FortiSwitch devices that are managed by this FortiGate.
    edit <switch-id>
        config 802-1X-settings
            Description: Configuration method to edit FortiSwitch 802.1X global settings.
            set local-override [enable|disable]
            set link-down-auth [set-unauth|no-action]
            set reauth-period {integer}
            set max-reauth-attempt {integer}
            set tx-period {integer}
        end
        set access-profile {string}
        config custom-command
            Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
            edit <command-entry>
                set command-name {string}
            next
        end
        set delayed-restart-trigger {integer}
        set description {string}
        set dhcp-server-access-list [global|enable|...]
        set directly-connected {integer}
        set dynamic-capability {user}
        set dynamically-discovered {integer}
        set firmware-provision [enable|disable]
        set firmware-provision-latest [disable|once]
        set firmware-provision-version {string}
        set flow-identity {user}
        set fsw-wan1-admin [discovered|disable|...]
        set fsw-wan1-peer {string}
        config igmp-snooping
            Description: Configure FortiSwitch IGMP snooping global settings.
            set local-override [enable|disable]
            set aging-time {integer}
            set flood-unknown-multicast [enable|disable]
            config vlans
                Description: Configure IGMP snooping VLAN.
                edit <vlan-name>
                    set proxy [disable|enable|...]
                    set querier [disable|enable]
                    set querier-addr {ipv4-address}
                    set version {integer}
                next
            end
        end
        config ip-source-guard
            Description: IP source guard.
            edit <port>
                set description {string}
                config binding-entry
                    Description: IP and MAC address configuration.
                    edit <entry-name>
                        set ip {ipv4-address-any}
                        set mac {mac-address}
                    next
                end
            next
        end
        set l3-discovered {integer}
        set max-allowed-trunk-members {integer}
        set mclag-igmp-snooping-aware [enable|disable]
        config mirror
            Description: Configuration method to edit FortiSwitch packet mirror.
            edit <name>
                set status [active|inactive]
                set switching-packet [enable|disable]
                set dst {string}
                set src-ingress <name1>, <name2>, ...
                set src-egress <name1>, <name2>, ...
            next
        end
        set name {string}
        set override-snmp-community [enable|disable]
        set override-snmp-sysinfo [disable|enable]
        set override-snmp-trap-threshold [enable|disable]
        set override-snmp-user [enable|disable]
        set owner-vdom {string}
        set poe-detection-type {integer}
        set poe-pre-standard-detection [enable|disable]
        config ports
            Description: Managed-switch port list.
            edit <port-name>
                set port-owner {string}
                set switch-id {string}
                set speed [10half|10full|...]
                set status [up|down]
                set poe-status [enable|disable]
                set ip-source-guard [disable|enable]
                set ptp-policy {string}
                set aggregator-mode [bandwidth|count]
                set rpvst-port [disabled|enabled]
                set poe-pre-standard-detection [enable|disable]
                set port-number {integer}
                set port-prefix-type {integer}
                set fortilink-port {integer}
                set poe-capable {integer}
                set stacking-port {integer}
                set p2p-port {integer}
                set mclag-icl-port {integer}
                set fiber-port {integer}
                set media-type {string}
                set poe-standard {string}
                set poe-max-power {string}
                set flags {integer}
                set isl-local-trunk-name {string}
                set isl-peer-port-name {string}
                set isl-peer-device-name {string}
                set fgt-peer-port-name {string}
                set fgt-peer-device-name {string}
                set vlan {string}
                set allowed-vlans-all [enable|disable]
                set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                set type [physical|trunk]
                set access-mode [dynamic|nac|...]
                set matched-dpp-policy {string}
                set matched-dpp-intf-tags {string}
                set dhcp-snooping [untrusted|trusted]
                set dhcp-snoop-option82-trust [enable|disable]
                set arp-inspection-trust [untrusted|trusted]
                set igmps-flood-reports [enable|disable]
                set igmps-flood-traffic [enable|disable]
                set stp-state [enabled|disabled]
                set stp-root-guard [enabled|disabled]
                set stp-bpdu-guard [enabled|disabled]
                set stp-bpdu-guard-timeout {integer}
                set edge-port [enable|disable]
                set discard-mode [none|all-untagged|...]
                set packet-sampler [enabled|disabled]
                set packet-sample-rate {integer}
                set sflow-counter-interval {integer}
                set sample-direction [tx|rx|...]
                set fec-capable {integer}
                set fec-state [disabled|cl74|...]
                set flow-control [disable|tx|...]
                set pause-meter {integer}
                set pause-meter-resume [75%|50%|...]
                set loop-guard [enabled|disabled]
                set loop-guard-timeout {integer}
                set port-policy {string}
                set qos-policy {string}
                set storm-control-policy {string}
                set port-security-policy {string}
                set export-to-pool {string}
                set interface-tags <tag-name1>, <tag-name2>, ...
                set learning-limit {integer}
                set sticky-mac [enable|disable]
                set lldp-status [disable|rx-only|...]
                set lldp-profile {string}
                set export-to {string}
                set mac-addr {mac-address}
                set port-selection-criteria [src-mac|dst-mac|...]
                set description {string}
                set lacp-speed [slow|fast]
                set mode [static|lacp-passive|...]
                set bundle [enable|disable]
                set member-withdrawal-behavior [forward|block]
                set mclag [enable|disable]
                set min-bundle {integer}
                set max-bundle {integer}
                set members <member-name1>, <member-name2>, ...
            next
        end
        set pre-provisioned {integer}
        set qos-drop-policy [taildrop|random-early-detection]
        set qos-red-probability {integer}
        config remote-log
            Description: Configure logging by FortiSwitch device to a remote syslog server.
            edit <name>
                set status [enable|disable]
                set server {string}
                set port {integer}
                set severity [emergency|alert|...]
                set csv [enable|disable]
                set facility [kernel|user|...]
            next
        end
        config snmp-community
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
            edit <id>
                set name {string}
                set status [disable|enable]
                config hosts
                    Description: Configure IPv4 SNMP managers (hosts).
                    edit <id>
                        set ip {user}
                    next
                end
                set query-v1-status [disable|enable]
                set query-v1-port {integer}
                set query-v2c-status [disable|enable]
                set query-v2c-port {integer}
                set trap-v1-status [disable|enable]
                set trap-v1-lport {integer}
                set trap-v1-rport {integer}
                set trap-v2c-status [disable|enable]
                set trap-v2c-lport {integer}
                set trap-v2c-rport {integer}
                set events {option1}, {option2}, ...
            next
        end
        config snmp-sysinfo
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
            set status [disable|enable]
            set engine-id {string}
            set description {string}
            set contact-info {string}
            set location {string}
        end
        config snmp-trap-threshold
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
            set trap-high-cpu-threshold {integer}
            set trap-low-memory-threshold {integer}
            set trap-log-full-threshold {integer}
        end
        config snmp-user
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
            edit <name>
                set queries [disable|enable]
                set query-port {integer}
                set security-level [no-auth-no-priv|auth-no-priv|...]
                set auth-proto [md5|sha1|...]
                set auth-pwd {password}
                set priv-proto [aes128|aes192|...]
                set priv-pwd {password}
            next
        end
        set staged-image-version {string}
        config static-mac
            Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
            edit <id>
                set type [static|sticky]
                set vlan {string}
                set mac {mac-address}
                set interface {string}
                set description {string}
            next
        end
        config storm-control
            Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
            set local-override [enable|disable]
            set rate {integer}
            set unknown-unicast [enable|disable]
            set unknown-multicast [enable|disable]
            set broadcast [enable|disable]
        end
        config stp-instance
            Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
            edit <id>
                set priority [0|4096|...]
            next
        end
        config stp-settings
            Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
            set local-override [enable|disable]
            set name {string}
            set revision {integer}
            set hello-time {integer}
            set forward-time {integer}
            set max-age {integer}
            set max-hops {integer}
            set pending-timer {integer}
        end
        set switch-device-tag {string}
        set switch-dhcp_opt43_key {string}
        config switch-log
            Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
            set local-override [enable|disable]
            set status [enable|disable]
            set severity [emergency|alert|...]
        end
        set switch-profile {string}
        set tdr-supported {string}
        set type [virtual|physical]
        set version {integer}
    next
end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

description

Description.

string

Maximum length: 63

dhcp-server-access-list

DHCP snooping server access list.

option

-

global

Option

Description

global

Use global setting for DHCP snooping server access list.

enable

Override global setting and enable DHCP server access list.

disable

Override global setting and disable DHCP server access list.

directly-connected

Directly connected FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

dynamically-discovered

Dynamically discovered FortiSwitch.

integer

Minimum value: 0 Maximum value: 1

0

firmware-provision

Enable/disable provisioning of firmware to FortiSwitches on join connection.

option

-

disable

Option

Description

enable

Enable firmware-provision.

disable

Disable firmware-provision.

firmware-provision-latest

Enable/disable one-time automatic provisioning of the latest firmware version.

option

-

disable

Option

Description

disable

Do not automatically provision the latest available firmware.

once

Automatically attempt a one-time upgrade to the latest available firmware version.

firmware-provision-version

Firmware version to provision to this FortiSwitch on bootup (major.minor.build, i.e. 6.2.1234).

string

Maximum length: 35

flow-identity

Flow-tracking netflow ipfix switch identity in hex format.

user

Not Specified

00000000

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

-

discovered

Option

Description

discovered

Link waiting to be authorized.

disable

Link unauthorized.

enable

Link authorized.

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

l3-discovered

Layer 3 management discovered.

integer

Minimum value: 0 Maximum value: 1

0

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

0

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

-

enable

Option

Description

enable

Enable MCLAG IGMP-snooping awareness.

disable

Disable MCLAG IGMP-snooping awareness.

name

Managed-switch name.

string

Maximum length: 35

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

-

disable

Option

Description

enable

Override the global SNMP communities.

disable

Use the global SNMP communities.

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

-

disable

Option

Description

disable

Use the global SNMP system information.

enable

Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

-

disable

Option

Description

enable

Override the global SNMP trap threshold values.

disable

Use the global SNMP trap threshold values.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

-

disable

Option

Description

enable

Override the global SNMPv3 users.

disable

Use the global SNMPv3 users.

owner-vdom

VDOM which owner of port belongs to.

string

Maximum length: 31

poe-detection-type

PoE detection type for FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

0

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

0

qos-drop-policy

Set QoS drop-policy.

option

-

taildrop

Option

Description

taildrop

Taildrop policy.

random-early-detection

Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

12

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

switch-id

Managed-switch id.

string

Maximum length: 16

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

tdr-supported

TDR supported.

string

Maximum length: 31

type

Indication of switch type, physical or virtual.

option

-

physical

Option

Description

virtual

Switch is of type virtual.

physical

Switch is of type physical.

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

0

config 802-1X-settings

Parameter

Description

Type

Size

Default

local-override

Enable to override global 802.1X settings on individual FortiSwitches.

option

-

disable

Option

Description

enable

Override global 802.1X settings.

disable

Use global 802.1X settings.

link-down-auth

Authentication state to set if a link is down.

option

-

set-unauth

Option

Description

set-unauth

Interface set to unauth when down. Reauthentication is needed.

no-action

Interface reauthentication is not needed.

reauth-period

Reauthentication time interval.

integer

Minimum value: 0 Maximum value: 1440

60

max-reauth-attempt

Maximum number of authentication attempts.

integer

Minimum value: 0 Maximum value: 15

3

tx-period

802.1X Tx period.

integer

Minimum value: 4 Maximum value: 60

30

config custom-command

Parameter

Description

Type

Size

Default

command-entry

List of FortiSwitch commands.

string

Maximum length: 35

command-name

Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command.

string

Maximum length: 35

config igmp-snooping

Parameter

Description

Type

Size

Default

local-override

Enable/disable overriding the global IGMP snooping configuration.

option

-

disable

Option

Description

enable

Override the global IGMP snooping configuration.

disable

Use the global IGMP snooping configuration.

aging-time

Maximum time to retain a multicast snooping entry for which no packets have been seen.

integer

Minimum value: 15 Maximum value: 3600

300

flood-unknown-multicast

Enable/disable unknown multicast flooding.

option

-

disable

Option

Description

enable

Enable unknown multicast flooding.

disable

Disable unknown multicast flooding.

config vlans

Parameter

Description

Type

Size

Default

vlan-name

List of FortiSwitch VLANs.

string

Maximum length: 15

default

proxy

IGMP snooping proxy for the VLAN interface.

option

-

global

Option

Description

disable

Disable IGMP snooping proxy on VLAN interface.

enable

Enable IGMP snooping proxy on VLAN interface.

global

Use global setting for IGMP snooping proxy on VLAN interface.

querier

Enable/disable IGMP snooping querier for the VLAN interface.

option

-

disable

Option

Description

disable

Disable IGMP snooping querier on VLAN interface.

enable

Enable IGMP snooping querier on VLAN interface.

querier-addr

IGMP snooping querier address.

ipv4-address

Not Specified

0.0.0.0

version

IGMP snooping querying version.

integer

Minimum value: 2 Maximum value: 3

2

config ip-source-guard

Parameter

Description

Type

Size

Default

port

Ingress interface to which source guard is bound.

string

Maximum length: 15

description

Description.

string

Maximum length: 63

config binding-entry

Parameter

Description

Type

Size

Default

entry-name

Configure binding pair.

string

Maximum length: 16

ip

Source IP for this rule.

ipv4-address-any

Not Specified

0.0.0.0

mac

MAC address for this rule.

mac-address

Not Specified

00:00:00:00:00:00

config mirror

Parameter

Description

Type

Size

Default

name

Mirror name.

string

Maximum length: 63

status

Active/inactive mirror configuration.

option

-

inactive

Option

Description

active

Activate mirror configuration.

inactive

Deactivate mirror configuration.

switching-packet

Enable/disable switching functionality when mirroring.

option

-

disable

Option

Description

enable

Enable switching functionality when mirroring.

disable

Disable switching functionality when mirroring.

dst

Destination port.

string

Maximum length: 63

src-ingress <name>

Source ingress interfaces.

Interface name.

string

Maximum length: 79

src-egress <name>

Source egress interfaces.

Interface name.

string

Maximum length: 79

config ports

Parameter

Description

Type

Size

Default

port-name

Switch port name.

string

Maximum length: 15

port-owner

Switch port name.

string

Maximum length: 15

switch-id

Switch id.

string

Maximum length: 16

speed

Switch port speed; default and available settings depend on hardware.

option

-

auto

Option

Description

10half

10M half-duplex.

10full

10M full-duplex.

100half

100M half-duplex.

100full

100M full-duplex.

1000auto

Auto-negotiation (1G full-duplex only).

1000full-fiber

1G full-duplex (fiber SFPs only)

1000full

1G full-duplex

10000full

10G full-duplex

40000full

40G full-duplex

auto

Auto-negotiation.

auto-module

Auto Module.

100FX-half

100Mbps half-duplex.100Base-FX.

100FX-full

100Mbps full-duplex.100Base-FX.

100000full

100Gbps full-duplex.

2500auto

Auto-Negotiation (2.5Gbps Only).

25000full

25Gbps full-duplex.

50000full

50Gbps full-duplex.

10000cr

10Gbps copper interface.

10000sr

10Gbps SFI interface.

100000sr4

100Gbps SFI interface.

100000cr4

100Gbps copper interface.

40000sr4

40Gbps SFI interface.

40000cr4

40Gbps copper interface.

25000cr

25Gbps copper interface.

25000sr

25Gbps SFI interface.

50000cr

50Gbps copper interface.

50000sr

50Gbps SFI interface.

5000auto

5Gbps full-duplex.

status

Switch port admin status: up or down.

option

-

up

Option

Description

up

Set admin status up.

down

Set admin status down.

poe-status

Enable/disable PoE status.

option

-

enable

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

ip-source-guard

Enable/disable IP source guard.

option

-

disable

Option

Description

disable

Disable IP source guard.

enable

Enable IP source guard.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

aggregator-mode

LACP member select mode.

option

-

bandwidth

Option

Description

bandwidth

Member selection based on largest total bandwidth of links of similar speed.

count

Member selection based on largest count of similar link speed.

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

-

disabled

Option

Description

disabled

Disable inter-operability with rapid PVST on this interface.

enabled

Enable inter-operability with rapid PVST on this interface.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

-

disable

Option

Description

enable

Enable PoE pre-standard detection.

disable

Disable PoE pre-standard detection.

port-number

Port number.

integer

Minimum value: 1 Maximum value: 64

0

port-prefix-type

Port prefix type.

integer

Minimum value: 0 Maximum value: 1

0

fortilink-port

FortiLink uplink port.

integer

Minimum value: 0 Maximum value: 1

0

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

0

stacking-port

Stacking port.

integer

Minimum value: 0 Maximum value: 1

0

p2p-port

General peer to peer tunnel port.

integer

Minimum value: 0 Maximum value: 1

0

mclag-icl-port

MCLAG-ICL port.

integer

Minimum value: 0 Maximum value: 1

0

fiber-port

Fiber-port.

integer

Minimum value: 0 Maximum value: 1

0

media-type

Media type.

string

Maximum length: 31

poe-standard

PoE standard supported.

string

Maximum length: 63

poe-max-power

PoE maximum power.

string

Maximum length: 35

flags

Port properties flags.

integer

Minimum value: 0 Maximum value: 4294967295

0

isl-local-trunk-name

ISL local trunk name.

string

Maximum length: 15

isl-peer-port-name

ISL peer port name.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name.

string

Maximum length: 16

fgt-peer-port-name

FGT peer port name.

string

Maximum length: 15

fgt-peer-device-name

FGT peer device name.

string

Maximum length: 16

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

allowed-vlans-all

Enable/disable all defined vlans on this port.

option

-

disable

Option

Description

enable

Enable all defined VLANs on this port.

disable

Disable all defined VLANs on this port.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

type

Interface type: physical or trunk port.

option

-

physical

Option

Description

physical

Physical port.

trunk

Trunk port.

access-mode

Access mode of the port.

option

-

static

Option

Description

dynamic

Dynamic mode.

nac

NAC mode.

static

Static mode.

matched-dpp-policy

Matched child policy in the dynamic port policy.

string

Maximum length: 63

matched-dpp-intf-tags

Matched interface tags in the dynamic port policy.

string

Maximum length: 63

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

-

untrusted

Option

Description

untrusted

Untrusted DHCP snooping interface.

trusted

Trusted DHCP snooping interface.

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

-

disable

Option

Description

enable

Enable allowance of DHCP with option-82 on untrusted interface.

disable

Disable allowance of DHCP with option-82 on untrusted interface.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

-

untrusted

Option

Description

untrusted

Untrusted dynamic ARP inspection.

trusted

Trusted dynamic ARP inspection.

igmps-flood-reports

Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.

option

-

disable

Option

Description

enable

Enable flooding of IGMP snooping reports to this interface.

disable

Disable flooding of IGMP snooping reports to this interface.

igmps-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

-

disable

Option

Description

enable

Enable flooding of IGMP snooping traffic to this interface.

disable

Disable flooding of IGMP snooping traffic to this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

-

enabled

Option

Description

enabled

Enable STP on this interface.

disabled

Disable STP on this interface.

stp-root-guard

Enable/disable STP root guard on this interface.

option

-

disabled

Option

Description

enabled

Enable STP root-guard on this interface.

disabled

Disable STP root-guard on this interface.

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

-

disabled

Option

Description

enabled

Enable STP BPDU guard on this interface.

disabled

Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection.

integer

Minimum value: 0 Maximum value: 120

5

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

-

enable

Option

Description

enable

Enable this interface as an edge port.

disable

Disable this interface as an edge port.

discard-mode

Configure discard mode for port.

option

-

none

Option

Description

none

Discard disabled.

all-untagged

Discard all frames that are untagged.

all-tagged

Discard all frames that are tagged.

packet-sampler

Enable/disable packet sampling on this interface.

option

-

disabled

Option

Description

enabled

Enable packet sampling on this interface.

disabled

Disable packet sampling on this interface.

packet-sample-rate

Packet sampling rate.

integer

Minimum value: 0 Maximum value: 99999

512

sflow-counter-interval

sFlow sampling counter polling interval in seconds.

integer

Minimum value: 0 Maximum value: 255

0

sample-direction

Packet sampling direction.

option

-

both

Option

Description

tx

Monitor transmitted traffic.

rx

Monitor received traffic.

both

Monitor transmitted and received traffic.

fec-capable

FEC capable.

integer

Minimum value: 0 Maximum value: 1

0

fec-state

State of forward error correction.

option

-

cl91

Option

Description

disabled

Disable forward error correction.

cl74

Enable Clause 74 FC-FEC, which only applies to 25Gbps.

cl91

Enable Clause 91 RS-FEC, which only applies to 100Gbps.

flow-control

Flow control direction.

option

-

disable

Option

Description

disable

Disable flow control.

tx

Enable flow control for transmission pause control frames.

rx

Enable flow control for receive pause control frames.

both

Enable flow control for both transmission and receive pause control frames.

pause-meter

Configure ingress pause metering rate, in kbps.

integer

Minimum value: 128 Maximum value: 2147483647

0

pause-meter-resume

Resume threshold for resuming traffic on ingress port.

option

-

50%

Option

Description

75%

Back pressure state won't be cleared until bucket count falls below 75% of pause threshold.

50%

Back pressure state won't be cleared until bucket count falls below 50% of pause threshold.

25%

Back pressure state won't be cleared until bucket count falls below 25% of pause threshold.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

-

disabled

Option

Description

enabled

Enable loop-guard on this interface.

disabled

Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout.

integer

Minimum value: 0 Maximum value: 120

45

port-policy

Switch controller dynamic port policy from available options.

string

Maximum length: 63

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

default

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

default

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

interface-tags <tag-name>

Tag(s) associated with the interface for various features including virtual port pool, dynamic port policy.

FortiSwitch port tag name when exported to a virtual port pool or matched to dynamic port policy.

string

Maximum length: 63

learning-limit

Limit the number of dynamic MAC addresses on this Port.

integer

Minimum value: 0 Maximum value: 128

0

sticky-mac

Enable or disable sticky-mac on the interface.

option

-

disable

Option

Description

enable

Enable sticky mac on the interface.

disable

Disable sticky mac on the interface.

lldp-status

LLDP transmit and receive status.

option

-

tx-rx

Option

Description

disable

Disable LLDP TX and RX.

rx-only

Enable LLDP as RX only.

tx-only

Enable LLDP as TX only.

tx-rx

Enable LLDP TX and RX.

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

default-auto-isl

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

00:00:00:00:00:00

port-selection-criteria

Algorithm for aggregate port selection.

option

-

src-dst-ip

Option

Description

src-mac

Source MAC address.

dst-mac

Destination MAC address.

src-dst-mac

Source and destination MAC address.

src-ip

Source IP address.

dst-ip

Destination IP address.

src-dst-ip

Source and destination IP address.

description

Description for port.

string

Maximum length: 63

lacp-speed

End Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).

option

-

slow

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

mode

LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.

option

-

static

Option

Description

static

Static aggregation, do not send and ignore any control messages.

lacp-passive

Passively use LACP to negotiate 802.3ad aggregation.

lacp-active

Actively use LACP to negotiate 802.3ad aggregation.

bundle

Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.

option

-

disable

Option

Description

enable

Enable bundling.

disable

Disable bundling.

member-withdrawal-behavior

Port behavior after it withdraws because of loss of control packets.

option

-

block

Option

Description

forward

Forward traffic.

block

Block traffic.

mclag

Enable/disable multi-chassis link aggregation (MCLAG).

option

-

disable

Option

Description

enable

Enable MCLAG.

disable

Disable MCLAG.

min-bundle

Minimum size of LAG bundle.

integer

Minimum value: 1 Maximum value: 24

1

max-bundle

Maximum size of LAG bundle.

integer

Minimum value: 1 Maximum value: 24

24

members <member-name>

Aggregated LAG bundle interfaces.

Interface name from available options.

string

Maximum length: 79

config remote-log

Parameter

Description

Type

Size

Default

name

Remote log name.

string

Maximum length: 35

status

Enable/disable logging by FortiSwitch device to a remote syslog server.

option

-

disable

Option

Description

enable

Enable logging by FortiSwitch device to a remote syslog server.

disable

Disable logging by FortiSwitch device to a remote syslog server.

server

IPv4 address of the remote syslog server.

string

Maximum length: 63

port

Remote syslog server listening port.

integer

Minimum value: 0 Maximum value: 65535

514

severity

Severity of logs to be transferred to remote log server.

option

-

information

Option

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notification

Notification level.

information

Information level.

debug

Debug level.

csv

Enable/disable comma-separated value (CSV) strings.

option

-

disable

Option

Description

enable

Enable comma-separated value (CSV) strings.

disable

Disable comma-separated value (CSV) strings.

facility

Facility to log to remote syslog server.

option

-

local7

Option

Description

kernel

Kernel messages.

user

Random user-level messages.

mail

Mail system.

daemon

System daemons.

auth

Security/authorization messages.

syslog

Messages generated internally by syslogd.

lpr

Line printer subsystem.

news

Network news subsystem.

uucp

UUCP server messages.

cron

Clock daemon.

authpriv

Security/authorization messages (private).

ftp

FTP daemon.

ntp

NTP daemon.

audit

Log audit.

alert

Log alert.

clock

Clock daemon.

local0

Reserved for local use.

local1

Reserved for local use.

local2

Reserved for local use.

local3

Reserved for local use.

local4

Reserved for local use.

local5

Reserved for local use.

local6

Reserved for local use.

local7

Reserved for local use.

config snmp-community

Parameter

Description

Type

Size

Default

id

SNMP community ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

SNMP community name.

string

Maximum length: 35

status

Enable/disable this SNMP community.

option

-

enable

Option

Description

disable

Disable SNMP community.

enable

Enable SNMP community.

query-v1-status

Enable/disable SNMP v1 queries.

option

-

enable

Option

Description

disable

Disable SNMP v1 queries.

enable

Enable SNMP v1 queries.

query-v1-port

SNMP v1 query port.

integer

Minimum value: 0 Maximum value: 65535

161

query-v2c-status

Enable/disable SNMP v2c queries.

option

-

enable

Option

Description

disable

Disable SNMP v2c queries.

enable

Enable SNMP v2c queries.

query-v2c-port

SNMP v2c query port.

integer

Minimum value: 0 Maximum value: 65535

161

trap-v1-status

Enable/disable SNMP v1 traps.

option

-

enable

Option

Description

disable

Disable SNMP v1 traps.

enable

Enable SNMP v1 traps.

trap-v1-lport

SNMP v2c trap local port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-rport

SNMP v2c trap remote port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-status

Enable/disable SNMP v2c traps.

option

-

enable

Option

Description

disable

Disable SNMP v2c traps.

enable

Enable SNMP v2c traps.

trap-v2c-lport

SNMP v2c trap local port.

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-rport

SNMP v2c trap remote port.

integer

Minimum value: 0 Maximum value: 65535

162

events

SNMP notifications (traps) to send.

option

-

cpu-high mem-low log-full intf-ip ent-conf-change

Option

Description

cpu-high

Send a trap when CPU usage too high.

mem-low

Send a trap when available memory is low.

log-full

Send a trap when log disk space becomes low.

intf-ip

Send a trap when an interface IP address is changed.

ent-conf-change

Send a trap when an entity MIB change occurs (RFC4133).

config hosts

Parameter

Description

Type

Size

Default

id

Host entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IPv4 address of the SNMP manager (host).

user

Not Specified

config snmp-sysinfo

Parameter

Description

Type

Size

Default

status

Enable/disable SNMP.

option

-

disable

Option

Description

disable

Disable SNMP.

enable

Enable SNMP.

engine-id

Local SNMP engine ID string (max 24 char).

string

Maximum length: 24

description

System description.

string

Maximum length: 35

contact-info

Contact information.

string

Maximum length: 35

location

System location.

string

Maximum length: 35

config snmp-trap-threshold

Parameter

Description

Type

Size

Default

trap-high-cpu-threshold

CPU usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

80

trap-low-memory-threshold

Memory usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

80

trap-log-full-threshold

Log disk usage when trap is sent.

integer

Minimum value: 0 Maximum value: 4294967295

90

config snmp-user

Parameter

Description

Type

Size

Default

name

SNMP user name.

string

Maximum length: 32

queries

Enable/disable SNMP queries for this user.

option

-

enable

Option

Description

disable

Disable SNMP queries for this user.

enable

Enable SNMP queries for this user.

query-port

SNMPv3 query port.

integer

Minimum value: 0 Maximum value: 65535

161

security-level

Security level for message authentication and encryption.

option

-

no-auth-no-priv

Option

Description

no-auth-no-priv

Message with no authentication and no privacy (encryption).

auth-no-priv

Message with authentication but no privacy (encryption).

auth-priv

Message with authentication and privacy (encryption).

auth-proto

Authentication protocol.

option

-

sha256

Option

Description

md5

HMAC-MD5-96 authentication protocol.

sha1

HMAC-SHA-1 authentication protocol.

sha224

HMAC-SHA-224 authentication protocol.

sha256

HMAC-SHA-256 authentication protocol.

sha384

HMAC-SHA-384 authentication protocol.

sha512

HMAC-SHA-512 authentication protocol.

auth-pwd

Password for authentication protocol.

password

Not Specified

priv-proto

Privacy (encryption) protocol.

option

-

aes128

Option

Description

aes128

CFB128-AES-128 symmetric encryption protocol.

aes192

CFB128-AES-192 symmetric encryption protocol.

aes192c

CFB128-AES-192-C symmetric encryption protocol.

aes256

CFB128-AES-256 symmetric encryption protocol.

aes256c

CFB128-AES-256-C symmetric encryption protocol.

des

CBC-DES symmetric encryption protocol.

priv-pwd

Password for privacy (encryption) protocol.

password

Not Specified

config static-mac

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

type

Type.

option

-

static

Option

Description

static

Static MAC.

sticky

Sticky MAC.

vlan

Vlan.

string

Maximum length: 15

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

interface

Interface name.

string

Maximum length: 35

description

Description.

string

Maximum length: 63

config storm-control

Parameter

Description

Type

Size

Default

local-override

Enable to override global FortiSwitch storm control settings for this FortiSwitch.

option

-

disable

Option

Description

enable

Override global storm control settings.

disable

Use global storm control settings.

rate

Rate in packets per second at which storm traffic is controlled. Storm control drops excess traffic data rates beyond this threshold.

integer

Minimum value: 1 Maximum value: 10000000

500

unknown-unicast

Enable/disable storm control to drop unknown unicast traffic.

option

-

disable

Option

Description

enable

Drop unknown unicast traffic.

disable

Allow unknown unicast traffic.

unknown-multicast

Enable/disable storm control to drop unknown multicast traffic.

option

-

disable

Option

Description

enable

Drop unknown multicast traffic.

disable

Allow unknown multicast traffic.

broadcast

Enable/disable storm control to drop broadcast traffic.

option

-

disable

Option

Description

enable

Drop broadcast traffic.

disable

Allow broadcast traffic.

config stp-instance

Parameter

Description

Type

Size

Default

id

Instance ID.

string

Maximum length: 2

priority

Priority.

option

-

32768

Option

Description

0

0.

4096

4096.

8192

8192.

12288

12288.

16384

16384.

20480

20480.

24576

24576.

28672

28672.

32768

32768.

36864

36864.

40960

40960.

45056

45056.

49152

49152.

53248

53248.

57344

57344.

61440

61440.

config stp-settings

Parameter

Description

Type

Size

Default

local-override

Enable to configure local STP settings that override global STP settings.

option

-

disable

Option

Description

enable

Override global STP settings.

disable

Use global STP settings.

name

Name of local STP settings configuration.

string

Maximum length: 31

revision

STP revision number.

integer

Minimum value: 0 Maximum value: 65535

0

hello-time

Period of time between successive STP frame Bridge Protocol Data Units.

integer

Minimum value: 1 Maximum value: 10

2

forward-time

Period of time a port is in listening and learning state.

integer

Minimum value: 4 Maximum value: 30

15

max-age

Maximum time before a bridge port saves its configuration BPDU information.

integer

Minimum value: 6 Maximum value: 40

20

max-hops

Maximum number of hops between the root bridge and the furthest bridge.

integer

Minimum value: 1 Maximum value: 40

20

pending-timer

Pending time.

integer

Minimum value: 1 Maximum value: 15

4

config switch-log

Parameter

Description

Type

Size

Default

local-override

Enable to configure local logging settings that override global logging settings.

option

-

disable

Option

Description

enable

Override global logging settings.

disable

Use global logging settings.

status

Enable/disable adding FortiSwitch logs to the FortiGate event log.

option

-

enable

Option

Description

enable

Add FortiSwitch logs to the FortiGate event log.

disable

Do not add FortiSwitch logs to the FortiGate event log.

severity

Severity of FortiSwitch logs that are added to the FortiGate event log.

option

-

notification

Option

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notification

Notification level.

information

Information level.

debug

Debug level.