Optional setup tasks
This section describes the following tasks:
- Configuring the FortiSwitch management port
- Migrating the configuration of standalone FortiSwitch units
- Converting to FortiSwitch standalone mode
- Changing the admin password on the FortiGate for all managed FortiSwitch units
- Enabling network-assisted device detection
- Using automatic network detection and configuration
- Limiting the number of parallel processes for FortiSwitch configuration
- Using the FortiSwitch serial number for automatic name resolution
- Configuring access to management and internal interfaces
- Configuring SNMP
- Configuring IPv4 source guard
Configuring the FortiSwitch management port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.
Using the Web administration GUI
- Go to Network > Static Routes > Create New > Route.
- Set Destination to Subnet and enter a subnetwork and mask.
- Set Device to the management interface.
- Add a Gateway IP address.
Using the FortiSwitch CLI
Enter the following commands:
config router static
edit 1
set device mgmt
set gateway <router IP address>
set dst <router subnet> <subnet mask>
end
end
In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set dst 192.168.0.0 255.255.0.0
end
end
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:
- execute switch-controller factory-reset <switch-id>: This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, the FortiGate can detect and automatically authorize the FortiSwitch. For example: execute switch-controller factory-reset S1234567890
- execute switch-controller switch-action set-standalone <switch-id>: This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example: execute switch-controller switch-action set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
set disable-discovery <switch-id>
end
For example:
config switch-controller global
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:
config switch-controller global
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end
Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end
Enabling network-assisted device detection
Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.
To enable network-assisted device detection on a VDOM:
config switch-controller network-monitor-settings
set network-monitoring enable
end
You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command:
diagnose user device list
Using automatic network detection and configuration
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuration policy"
end
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end
NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.
To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
edit <policy_name>
set qos-policy <automatic-configuration QoS policy>
set storm-control-policy <automatic-configuration storm-control policy>
set poe-status {enable | disable}
set igmp-flood-report {enable | disable}
set igmp-flood-traffic {enable | disable}
end
Limiting the number of parallel processes for FortiSwitch configuration
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:
config global
config switch-controller system
set parallel-process-override enable
set parallel-process <1-300>
end
end
Using the FortiSwitch serial number for automatic name resolution
By default, you can check that a FortiSwitch unit is accessible from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:
config switch-controller global
set sn-dns-resolution enable
end
Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check whether the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit:
config system dns
set domain "fsw"
end
Now you can use the execute ping <FortiSwitch_serial_number> command to check whether the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Configuring access to management and internal interfaces
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set access-profile <name_of_policy>
end
For example:
config switch-controller security-policy local-access
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
config switch-controller managed-switch
edit S524DF4K15000024
set access-profile policy1
end
NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.
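As an added example (not part of the FortiOS documentation), the following Python helper renders the local-access policy block shown above from a plain description and checks it first: service names are validated against the set the command accepts, and the plaintext management protocols http and telnet are reported so the operator sees what the policy exposes. The policy name, service lists and switch serial are taken from the page's example; the function names are this example's own.

```python
# Added example: lint and render a FortiOS local-access security policy.
# Service names are the ones listed for mgmt-allowaccess / internal-allowaccess.
ALLOWED_SERVICES = {"https", "ping", "ssh", "snmp", "http", "telnet", "radius-acct"}
# Services that carry management sessions or credentials unencrypted.
PLAINTEXT_SERVICES = {"http", "telnet"}


def lint_allowaccess(interface, services):
    """Return findings for one interface's allowaccess list (empty means clean)."""
    findings = []
    for svc in services:
        if svc not in ALLOWED_SERVICES:
            findings.append(f"{interface}: '{svc}' is not a valid service name")
        elif svc in PLAINTEXT_SERVICES:
            findings.append(f"{interface}: '{svc}' is a plaintext protocol")
    return findings


def render_local_access(policy_name, mgmt, internal, serials):
    """Render the CLI that creates the policy and assigns it to each switch.

    Raises ValueError when a service name is not one the command accepts, so a
    typo is caught before the configuration is pushed to the FortiGate.
    """
    invalid = [f for f in lint_allowaccess("mgmt", mgmt) + lint_allowaccess("internal", internal)
               if "not a valid" in f]
    if invalid:
        raise ValueError("; ".join(invalid))
    lines = [
        "config switch-controller security-policy local-access",
        f"    edit {policy_name}",
        f"        set mgmt-allowaccess {' '.join(mgmt)}",
        f"        set internal-allowaccess {' '.join(internal)}",
        "    next",
        "end",
        "config switch-controller managed-switch",
    ]
    for serial in serials:
        lines += [f"    edit {serial}",
                  f"        set access-profile {policy_name}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the page's policy1 applied to one managed switch.
    mgmt = ["https", "ping", "ssh", "radius-acct"]
    internal = ["https", "ssh", "snmp", "telnet"]
    for finding in lint_allowaccess("mgmt", mgmt) + lint_allowaccess("internal", internal):
        print("finding:", finding)
    print(render_local_access("policy1", mgmt, internal, ["S524DF4K15000024"]))
```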
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.
Configuring SNMP globally
To configure SNMP globally, configure the following settings:
- Configure the SNMP system information.
- Configure the SNMP community.
- Configure the SNMP trap threshold values.
- Configure the SNMP user.
To configure the SNMP system information globally:
config switch-controller snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
To configure the SNMP community globally:
config switch-controller snmp-community
edit <SNMP_community_ID>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
end
To configure the SNMP trap threshold values globally:
config switch-controller snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
To configure the SNMP user globally:
config switch-controller snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes | des}
set priv-pwd <password_for_encryption_protocol>
end
Configuring SNMP locally
To configure SNMP for a specific FortiSwitch unit, configure the following settings:
- Configure the SNMP system information.
- Configure the SNMP community.
- Configure the SNMP trap threshold values.
- Configure the SNMP user.
To configure the SNMP system information locally:
config switch-controller managed-switch
set override-snmp-sysinfo enable
config snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
end
To configure the SNMP community locally:
config switch-controller managed-switch
set override-snmp-community enable
config snmp-community
edit <SNMP_community_ID>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
end
To configure the SNMP trap threshold values locally:
config switch-controller managed-switch
set override-snmp-trap-threshold enable
config snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
end
To configure the SNMP user locally:
config switch-controller managed-switch
set override-snmp-user enable
config snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes | des}
set priv-pwd <password_for_encryption_protocol>
end
end
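As an added example (not from the FortiOS documentation) covering both the global and the local SNMP settings above, the Python functions below check a proposed snmp-user entry and snmp-trap-threshold values against the ranges and keyword sets the commands list: a security level that requires authentication or privacy must come with the matching protocol and password, ports must be in 0-65535, thresholds must be percentages, and md5/des are reported as legacy choices. The dictionary keys mirror the CLI setting names; the sample values are constructed.

```python
# Added example: pre-push consistency checks for switch-controller snmp-user
# and snmp-trap-threshold settings. Keyword sets are the ones the CLI accepts.
SECURITY_LEVELS = {"auth-priv", "auth-no-priv", "no-auth-no-priv"}
AUTH_PROTOS = {"md5", "sha"}
PRIV_PROTOS = {"aes", "des"}
# Accepted by the command but legacy; flagged so the operator can pick sha/aes.
LEGACY_ALGOS = {"md5", "des"}
THRESHOLD_KEYS = ("trap-high-cpu-threshold", "trap-low-memory-threshold",
                  "trap-log-full-threshold")


def check_snmp_user(user):
    """Return findings for one snmp-user entry; an empty list means it is consistent."""
    findings = []
    level = user.get("security-level")
    if level not in SECURITY_LEVELS:
        return [f"security-level '{level}' is not one of {sorted(SECURITY_LEVELS)}"]
    port = user.get("query-port", 161)          # CLI default is 161
    if not 0 <= port <= 65535:
        findings.append(f"query-port {port} is outside 0-65535")
    if level != "no-auth-no-priv":               # auth-priv and auth-no-priv authenticate
        proto = user.get("auth-proto")
        if proto not in AUTH_PROTOS or not user.get("auth-pwd"):
            findings.append(f"{level} requires auth-proto and auth-pwd")
        elif proto in LEGACY_ALGOS:
            findings.append(f"auth-proto {proto} is a legacy algorithm; sha is available")
    if level == "auth-priv":                      # only auth-priv encrypts
        proto = user.get("priv-proto")
        if proto not in PRIV_PROTOS or not user.get("priv-pwd"):
            findings.append("auth-priv requires priv-proto and priv-pwd")
        elif proto in LEGACY_ALGOS:
            findings.append(f"priv-proto {proto} is a legacy algorithm; aes is available")
    return findings


def check_trap_thresholds(thresholds):
    """Return findings for snmp-trap-threshold values that are not percentages."""
    return [f"{key} {val} is not a percentage (0-100)"
            for key, val in thresholds.items()
            if key in THRESHOLD_KEYS and not 0 <= val <= 100]


if __name__ == "__main__":
    # Constructed sample: an auth-priv user missing its privacy settings.
    user = {"security-level": "auth-priv", "auth-proto": "sha", "auth-pwd": "example-auth"}
    for finding in check_snmp_user(user):
        print("snmp-user:", finding)
    for finding in check_trap_thresholds({"trap-high-cpu-threshold": 80,
                                          "trap-log-full-threshold": 120}):
        print("snmp-trap-threshold:", finding)
```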
Configuring IPv4 source guard
IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
- Static entries—IP addresses that have been manually associated with MAC addresses.
- Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The following FortiSwitch models support IP source guard:
- FSR-124D
- FS-224D-FPOE
- FS-248D
- FS-424D-POE
- FS-424D-FPOE
- FS-448D-POE
- FS-448D-FPOE
- FS-424D
- FS-448D
- FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
- Enable IPv4 source guard in the FortiOS CLI.
- Create static entries on the FortiSwitch unit by binding IPv4 addresses with MAC addresses.
- Check the IPv4 source-guard entries on the FortiSwitch unit.
Enabling IPv4 source guard
You must enable IPv4 source guard in the FortiOS CLI before you can configure it.
To enable IPv4 source guard:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set ip-source-guard enable
next
end
end
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ports
edit port20
set ip-source-guard enable
next
end
end
Creating static entries
After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Using the FortiGate GUI.
To create static entries:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ip-source-guard
edit <port_name>
config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end
next
end
For example:
config switch-controller managed-switch
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end
Checking the IPv4 source-guard entries
After you configure IPv4 source guard, you can check the entries. Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>
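As an added example (not code from the FortiOS documentation or the FortiSwitch firmware), the following Python model shows how the IPv4 source-guard rules described in this section decide whether a frame is accepted: a port with the guard disabled is not filtered, a known IP must arrive with its bound MAC, static entries take precedence over entries learned through DHCP snooping, an unknown source is discarded without being logged, and the table refuses to grow past 2,048 static entries. The port names, addresses and MACs are constructed (the first binding matches the page's example); the class and method names are this example's own.

```python
# Added example: software model of the IPv4 source-guard decision for one switch.
MAX_STATIC_ENTRIES = 2048  # entries added from a FortiGate beyond this produce an error


class SourceGuardTable:
    """Per-port IPv4 source-guard state for one managed FortiSwitch unit."""

    def __init__(self):
        self.enabled_ports = set()
        self.static = {}   # (port, ip) -> mac, bound with config ip-source-guard
        self.dynamic = {}  # (port, ip) -> mac, learned through DHCP snooping

    def enable(self, port):
        """Equivalent of 'set ip-source-guard enable' on the port."""
        self.enabled_ports.add(port)

    def add_static(self, port, ip, mac):
        """Bind ip to mac on port; returns False once the static entry limit is hit."""
        if len(self.static) >= MAX_STATIC_ENTRIES:
            return False
        self.static[(port, ip)] = mac.lower()
        return True

    def learn_dynamic(self, port, ip, mac):
        """Record a binding that DHCP snooping observed on the port."""
        self.dynamic[(port, ip)] = mac.lower()

    def permitted(self, port, ip, mac):
        """Decide whether a frame with this source IP and MAC may enter on port."""
        if port not in self.enabled_ports:
            return True                      # guard not enabled: port is not filtered
        key = (port, ip)
        if key in self.static:               # static entries win over dynamic ones
            return self.static[key] == mac.lower()
        if key in self.dynamic:
            return self.dynamic[key] == mac.lower()
        return False                         # unknown source: discarded, not logged


if __name__ == "__main__":
    table = SourceGuardTable()
    table.enable("port4")
    table.add_static("port4", "172.168.20.1", "00:21:cc:d2:76:72")
    table.learn_dynamic("port4", "172.168.20.2", "de:ad:be:ef:00:02")
    # Constructed frames: (port, source IP, source MAC)
    frames = [("port4", "172.168.20.1", "00:21:CC:D2:76:72"),   # matches static entry
              ("port4", "172.168.20.1", "00:21:cc:d2:76:99"),   # IP bound to another MAC
              ("port4", "172.168.20.2", "de:ad:be:ef:00:02"),   # matches DHCP-learned entry
              ("port4", "172.168.20.50", "aa:bb:cc:dd:ee:ff"),  # unknown source
              ("port5", "172.168.20.50", "aa:bb:cc:dd:ee:ff")]  # guard disabled on port5
    for frame in frames:
        print(frame, "permit" if table.permitted(*frame) else "discard")
```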