Administration Guide

Creating and applying templates for managed-switch configurations

Starting in FortiSwitch Manager 7.2.2, you can use the CLI to do the following:

  • Create a template.

  • Copy a managed-switch configuration to a template.

  • Apply the template to a managed switch.

  • Apply the configuration of one managed switch to another managed switch.

You can manually apply configuration changes to up to 10 FortiSwitch units at a time or automatically apply changes to an unlimited number of switches using switch groups. Using templates makes it easier to configure new switches and to ensure that the same changes are made consistently to all switches of the same model.

Configuration changes are logged as system events. Use the execute log display command to view the logs.

Configuration templates are distinguished by their names:

<the_first_six_characters_of_the_serial_number>@<any_9_letters_and_numbers>

For example, S248EP@112233445 or S248EP@ABCDEFGHI.

The first six characters of the template name must match the first six characters of the switch model that you will use the template to configure. You also need to configure the set fsw-wan1-peer command in the template by specifying the FortiLink interface.

After you create a template for a specific model, you can copy the flags for dynamic capabilities to the template and then copy the configuration from a managed switch to the template.

To create a template:

    config switch-controller managed-switch
        edit "<the_first_six_characters_of_the_serial_number>@<any_9_letters_and_numbers>"
            set fsw-wan1-peer <FortiLink_interface>
        next
    end

For example:

    config switch-controller managed-switch
        edit "S248EP@112233445"
            set fsw-wan1-peer port3
        next
    end

You can use the template in the example to configure FS-248E-POE models.

To copy a managed-switch configuration to a template:
  1. Copy the flags for the dynamic capabilities from a managed switch to the template:

    execute switch-controller templating copy-dynamic-capability <serial_number> <template>

    For example, to copy the dynamic-capability flags for S248EP3X17000002 to S248EP@112233445:

    execute switch-controller templating copy-dynamic-capability S248EP3X17000002 S248EP@112233445

  2. Copy the configuration from a managed switch to the template:

    execute switch-controller templating apply-config <FortiSwitch_serial_number> <template>

    For example, to copy from S248EP3X17000003 to S248EP@112233445:

    execute switch-controller templating apply-config S248EP3X17000003 S248EP@112233445

    Enter C to make the changes or enter A to make no changes.

  3. If you entered C, you can enter V to see a summary of the changes made and whether the command was successful.

  4. If you entered V, you can enter y to display the log file with details of all changes made.

  5. If you entered y, you can press any key to return to the summary and then enter E to exit the command.

To manually apply a template to up to 10 managed switches of the same model:

NOTE: You can also use this command to apply the configuration from one managed switch to another managed switch of the same model.

  1. Apply a template to up to 10 managed switches:

    execute switch-controller templating apply-config <template> <serial_number_1> ... <serial_number_10>

    For example, to copy from S248EP@112233445 to S248EP3X17000003 and S248EP3X17000002:

    execute switch-controller templating apply-config S248EP@112233445 S248EP3X17000003 S248EP3X17000002

  2. If there are any warnings or errors, enter C to continue with the command, enter S to skip the switch with the warnings or errors, enter A to make no changes, or enter V to see the details for all changes made for this command.

  3. If you entered C to continue, you can enter C to make the changes or enter A to make no changes.

  4. If you entered C, you can enter V to see a summary of the changes made and whether the command was successful or enter E to exit the command.

To automatically apply a template to new switch group members:

Create a FortiSwitch group with one or more FortiSwitch units. You can include different switch models as members of the switch group. You can include a managed FortiSwitch unit or template for each switch model for the set templates command. A switch can be listed as a value for both the set members command and the set templates command. By default, template-auto-apply is enabled, and the templates are automatically applied to new switch group members of the same switch model when they are added to the switch group. If there are any errors, no changes are made to the switch group. Use the enable-allow-warnings setting if you want to continue applying the template for switch-group members that give warnings but no errors.

TIP: If there is an error when applying a template to a new switch group member, you can manually apply the template to the new switch group member using the execute switch-controller templating apply-config command. This command allows you to interactively monitor the template being applied and then examine the output to see which command is failing and if there are any relevant CLI error messages.

    config switch-controller switch-group
        edit <switch_group_name>
            set fortilink <FortiLink_interface>
            set members "<serial_number_1>" "<serial_number_2>" ...
            set templates "<template_name_or_serial_number>" "<template_name_or_serial_number>" ...
            set template-auto-apply {enable | disable | enable-allow-warnings}
        next
    end

For example, this switch group includes two templates for two different switch models:

    config switch-controller switch-group
        edit switchgroup1
            set fortilink "port3"
            set members S524DF4K150000482 S248EP3X17000003 S248EP3X17000002
            set templates S248EP@BBBBBBBBB S524DF@123456789
            set template-auto-apply enable
        next
    end

The template is applied quietly when a new switch member is added with a model that matches one of the templates. An error message is returned if there are any problems.

To manually copy a template to a switch group:
  • To apply all templates to the switch group members that match the model of the template:

    execute switch-controller templating switch-group-apply-all <switch_group_name>

    For example, the templates in switchgroup1 are applied to the group members if the switch models match:

    execute switch-controller templating switch-group-apply-all switchgroup1

    Enter C to save the changes or enter A to undo the changes. Enter V to see the details for all changes made for this command.

  • To apply any matching templates to the specified members of the specified switch group (you can list up to 10 members):

    execute switch-controller templating switch-group-apply-members <switch_group_name> <serial_number_1> ... <serial_number_10>

    For example, one of the templates in switchgroup1 is applied to S248EP3X17000003 and S248EP3X17000002 if the switch model matches:

    execute switch-controller templating switch-group-apply-members switchgroup1 S248EP3X17000003 S248EP3X17000002

  • To apply the specified template to any matching members of the specified switch group:

    execute switch-controller templating switch-group-apply-template <switch_group_name> <template_name>

    For example, the configuration in S524DF@123456789 is applied to matching members in switchgroup1:

    execute switch-controller templating switch-group-apply-template switchgroup1 S524DF@123456789

  • To find switches that list the specified switch or template for the set last-template-applied value (under the config switch-controller managed-switch command) and re-apply the same configuration to those switches:

    execute switch-controller templating reapply-config <serial_number_or_template_name>

    For example, S248EP@BBBBBBBBB is re-applied to any managed switches that list it as the set last-template-applied value:

    execute switch-controller templating reapply-config S248EP@BBBBBBBBB

To get troubleshooting information:

diagnose debug application fswmtemplate <debug_level>

NOTE: This command enables more detailed output in the console and in the command logs when you run the execute templating commands and when templates are automatically applied to new switch group members.

Limitations

The following limitations apply to this feature:

  • The source and destination managed FortiSwitch models must be the same.

  • The name of the switch is not copied.

  • Read-only settings are not copied.

  • Dynamic capabilities are not copied.

  • Templates do not support switches with split-port configurations or other nondefault layouts. To work around this issue, configure the source switch with a split-port configuration, manually configure the destination switch with the same split-port configuration, and then apply the managed-switch configuration from the source switch to the destination switch.

  • IP addresses for system interfaces are not copied when templates are applied; this prevents IP conflicts.

  • Port speeds and other configurations that are determined at run-time might not be filtered when creating a template. Use caution or consult a managed switch to determine the acceptable values.

  • You cannot apply the managed-switch configuration from and to the same FortiSwitch unit.

  • When applying a template or managed-switch configuration to another switch, the system cannot delete entries that are not present in the source template or managed-switch configuration. These leftover entries might cause conflicts. To avoid configuration conflicts, Fortinet recommends first resetting an existing managed-switch configuration to the factory default configuration before applying a template.

  • If you change a template, it does not automatically update all switches that have had that template applied. Use the execute switch-controller templating reapply-config <template_name> command to re-apply the template to all managed switches that list the template in the set last-template-applied field. NOTE: If you applied a managed-switch configuration to other managed switches and then later change that managed-switch configuration, you can also use the execute switch-controller templating reapply-config <template_name> command to re-apply the managed-switch configuration to all managed switches that list that switch in the set last-template-applied field.
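A pre-flight check for the template naming rule and the limitations above, added here as an example and not taken from Fortinet code or tooling. It assumes the six model characters are alphanumeric and compared case-sensitively; the function names are hypothetical, and the sample serial numbers and templates are the ones used on this page.

```python
import re

# Template name rule from the page: six model characters, "@", nine letters/digits.
# Assumption: the six model characters are themselves alphanumeric.
TEMPLATE_RE = re.compile(r"[A-Za-z0-9]{6}@[A-Za-z0-9]{9}")
MAX_TARGETS = 10  # manual apply-config limit stated on the page


def model_prefix(name):
    """First six characters identify the model for serials and templates alike."""
    return name[:6]


def check_apply(source, targets):
    """Return a list of problems with 'apply-config <source> <targets...>'."""
    problems = []
    for name in [source, *targets]:
        if "@" in name and not TEMPLATE_RE.fullmatch(name):
            problems.append(f"{name}: malformed template name")
    if not 1 <= len(targets) <= MAX_TARGETS:
        problems.append(f"{len(targets)} targets given; 1 to {MAX_TARGETS} allowed")
    for target in targets:
        if target == source:
            problems.append(f"{target}: source and destination are the same unit")
        elif model_prefix(target) != model_prefix(source):
            problems.append(f"{target}: model differs from source {source}")
    return problems


def build_apply_command(source, targets):
    """Emit the CLI line only when every pre-flight check passes."""
    problems = check_apply(source, targets)
    if problems:
        raise ValueError("; ".join(problems))
    return " ".join(["execute switch-controller templating apply-config", source, *targets])


def plan_group(members, templates):
    """Map each switch-group member to the 'set templates' entries for its model.

    An empty list means auto-apply has nothing to push to that member. More
    than one entry is a case the page does not describe and deserves review.
    """
    return {
        m: [t for t in templates if t != m and model_prefix(t) == model_prefix(m)]
        for m in members
    }


if __name__ == "__main__":
    # Values below are the page's own switchgroup1 example.
    members = ["S524DF4K150000482", "S248EP3X17000003", "S248EP3X17000002"]
    templates = ["S248EP@BBBBBBBBB", "S524DF@123456789"]
    for member, matched in plan_group(members, templates).items():
        print(member, "->", matched or "NO TEMPLATE")
    print(build_apply_command("S248EP@112233445", members[1:]))
```

Running the check before a change window shows which group members would receive no template and rejects a cross-model or same-unit apply before it reaches the CLI.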
