Fortinet Document Library


Optional setup tasks

This section describes the following tasks:

Configuring the FortiSwitch management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

Using the Web administration GUI

  1. Go to Network > Static Routes > Create New > Route.
  2. Set Destination to Subnet and enter a subnetwork and mask.
  3. Set Device to the management interface.
  4. Add a Gateway IP address.

Using the FortiSwitch CLI

Enter the following commands:

config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set dst <router subnet> <subnet mask>
    next
end

In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:

config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set dst 192.168.0.0 255.255.0.0
    next
end

Migrating the configuration of standalone FortiSwitch units

When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration.

To get the script and instructions, go to:

https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/

Converting to FortiSwitch standalone mode

Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>—This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, the FortiGate can detect and automatically authorize the FortiSwitch. For example: execute switch-controller factory-reset S1234567890
  • execute switch-controller switch-action set-standalone <switch-id>—This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example: execute switch-controller switch-action set-standalone S1234567890

You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:

config switch-controller global
    set disable-discovery <switch-id>
end

For example:

config switch-controller global
    set disable-discovery S1234567890
end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:

config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end

For example:

config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:

config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end

Enabling network-assisted device detection

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings
    set network-monitoring enable
end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command:

diagnose user device list

Using automatic network detection and configuration

There are three commands that let you use automatic network detection and configuration.

To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:

config switch-controller auto-config custom
    edit <automatically configured FortiLink, ISL, or ICL interface name>
        config switch-binding
            edit <switch serial number>
                set policy <custom automatic-configuration policy>
            next
        end
    next
end

To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:

config switch-controller auto-config default
    set fgt-policy <default FortiLink automatic-configuration policy>
    set isl-policy <default ISL automatic-configuration policy>
    set icl-policy <default ICL automatic-configuration policy>
end

NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.

To specify policy definitions that define the behavior on automatically configured interfaces:

config switch-controller auto-config policy
    edit <policy_name>
        set qos-policy <automatic-configuration QoS policy>
        set storm-control-policy <automatic-configuration storm-control policy>
        set poe-status {enable | disable}
        set igmp-flood-report {enable | disable}
        set igmp-flood-traffic {enable | disable}
    next
end

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global
    config switch-controller system
        set parallel-process-override enable
        set parallel-process <1-300>
    end
end

Using the FortiSwitch serial number for automatic name resolution

By default, you can check that the FortiSwitch unit is accessible from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, enable serial-number DNS resolution with the following commands:

config switch-controller global
    set sn-dns-resolution enable
end

Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit.

config system dns
    set domain "fsw"
end

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Configuring access to management and internal interfaces

The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:

config switch-controller security-policy local-access
    edit <policy_name>
        set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
        set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
    next
end

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set access-profile <name_of_policy>
    next
end

For example:

config switch-controller security-policy local-access
    edit policy1
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end

config switch-controller managed-switch
    edit S524DF4K15000024
        set access-profile policy1
    next
end

NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.

Configuring SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.

The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit.

To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.

FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.

You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.

Configuring SNMP globally

To configure SNMP globally, configure the following settings:

  1. Configure the SNMP system information.
  2. Configure the SNMP community.
  3. Configure the SNMP trap threshold values.
  4. Configure the SNMP user.

To configure the SNMP system information globally:

config switch-controller snmp-sysinfo
    set status enable
    set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
    set description <system_description>
    set contact-info <contact_information>
    set location <FortiGate_location>
end

To configure the SNMP community globally:

config switch-controller snmp-community
    edit <SNMP_community_ID>
        set status enable
        set query-v1-status enable
        set query-v1-port <0-65535; the default is 161>
        set query-v2c-status enable
        set query-v2c-port <0-65535; the default is 161>
        set trap-v1-status enable
        set trap-v1-lport <0-65535; the default is 162>
        set trap-v1-rport <0-65535; the default is 162>
        set trap-v2c-status enable
        set trap-v2c-lport <0-65535; the default is 162>
        set trap-v2c-rport <0-65535; the default is 162>
        set events {cpu-high mem-low log-full intf-ip ent-conf-change}
        config hosts
            edit <host_entry_ID>
                set ip <IPv4_address_of_the_SNMP_manager>
            next
        end
    next
end

To configure the SNMP trap threshold values globally:

config switch-controller snmp-trap-threshold
    set trap-high-cpu-threshold <percentage_value; the default is 80>
    set trap-low-memory-threshold <percentage_value; the default is 80>
    set trap-log-full-threshold <percentage_value; the default is 90>
end

To configure the SNMP user globally:

config switch-controller snmp-user
    edit <SNMP_user_name>
        set queries enable
        set query-port <0-65535; the default is 161>
        set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
        set auth-proto {md5 | sha}
        set auth-pwd <password_for_authentication_protocol>
        set priv-proto {aes | des}
        set priv-pwd <password_for_encryption_protocol>
    next
end
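As an added example (not Fortinet's code), the following Python helper renders the global snmp-community and snmp-user blocks above and refuses values the page rules out: ports outside 0-65535, unknown event names, non-IPv4 manager addresses, and a security level without its matching protocol and password. Treating md5, des and no-auth-no-priv as weak is this example's own assumption rather than a rule from the page, and the community name and manager address are constructed sample values.

```python
# Added example, not Fortinet's code: build the switch-controller SNMP
# blocks from the section above and reject values the page rules out
# (ports outside 0-65535, unknown events, non-IPv4 manager addresses,
# a security level without its protocols). Flagging md5, des and
# no-auth-no-priv as weak is this example's assumption, not a Fortinet rule.
import ipaddress

VALID_LEVELS = {"auth-priv", "auth-no-priv", "no-auth-no-priv"}
VALID_AUTH = {"md5", "sha"}
VALID_PRIV = {"aes", "des"}
VALID_EVENTS = {"cpu-high", "mem-low", "log-full", "intf-ip", "ent-conf-change"}


def _check_port(name, port):
    if not 0 <= port <= 65535:
        raise ValueError(f"{name} must be 0-65535, got {port}")


def render_community(community_id, manager_ips, events,
                     query_port=161, trap_port=162):
    """Render a v2c-only community with one 'config hosts' entry per manager."""
    unknown = set(events) - VALID_EVENTS
    if unknown:
        raise ValueError(f"unknown events: {sorted(unknown)}")
    _check_port("query-v2c-port", query_port)
    _check_port("trap-v2c-lport/rport", trap_port)
    lines = [
        "config switch-controller snmp-community",
        f"    edit {community_id}",
        "        set status enable",
        "        set query-v2c-status enable",
        f"        set query-v2c-port {query_port}",
        "        set trap-v2c-status enable",
        f"        set trap-v2c-lport {trap_port}",
        f"        set trap-v2c-rport {trap_port}",
        f"        set events {' '.join(events)}",
        "        config hosts",
    ]
    for idx, ip in enumerate(manager_ips, start=1):
        ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
        lines += [f"            edit {idx}",
                  f"                set ip {ip}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def render_snmp_user(name, security_level, auth_proto=None, auth_pwd=None,
                     priv_proto=None, priv_pwd=None, query_port=161):
    """Return (config_text, warnings) for one SNMPv3 user.

    The protocol/password pairs must match the chosen security level;
    warnings list the choices a reviewer would question.
    """
    if security_level not in VALID_LEVELS:
        raise ValueError(f"unknown security-level: {security_level}")
    _check_port("query-port", query_port)
    warnings = []
    lines = [
        "config switch-controller snmp-user",
        f"    edit {name}",
        "        set queries enable",
        f"        set query-port {query_port}",
        f"        set security-level {security_level}",
    ]
    if security_level != "no-auth-no-priv":
        if auth_proto not in VALID_AUTH or not auth_pwd:
            raise ValueError("auth-proto (md5|sha) and auth-pwd are required")
        lines += [f"        set auth-proto {auth_proto}",
                  f"        set auth-pwd {auth_pwd}"]
        if auth_proto == "md5":
            warnings.append(f"{name}: auth-proto md5 is weak, prefer sha")
    else:
        warnings.append(f"{name}: no-auth-no-priv answers unauthenticated queries")
    if security_level == "auth-priv":
        if priv_proto not in VALID_PRIV or not priv_pwd:
            raise ValueError("priv-proto (aes|des) and priv-pwd are required")
        lines += [f"        set priv-proto {priv_proto}",
                  f"        set priv-pwd {priv_pwd}"]
        if priv_proto == "des":
            warnings.append(f"{name}: priv-proto des is weak, prefer aes")
    elif security_level == "auth-no-priv":
        warnings.append(f"{name}: auth-no-priv leaves query data unencrypted")
    lines += ["    next", "end"]
    return "\n".join(lines), warnings


if __name__ == "__main__":
    # Constructed sample values; the manager address is not a real host.
    print(render_community("nms-ro", ["10.10.0.5"], ["cpu-high", "mem-low", "log-full"]))
    cfg, warns = render_snmp_user("nms-v3", "auth-priv", "sha", "ExampleAuthPw",
                                  "aes", "ExamplePrivPw")
    print(cfg)
    print("\n".join(warns) or "no warnings")
```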

Configuring SNMP locally

To configure SNMP for a specific FortiSwitch unit, configure the following settings:

  1. Configure the SNMP system information.
  2. Configure the SNMP community.
  3. Configure the SNMP trap threshold values.
  4. Configure the SNMP user.

To configure the SNMP system information locally:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-sysinfo enable
        config snmp-sysinfo
            set status enable
            set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
            set description <system_description>
            set contact-info <contact_information>
            set location <FortiGate_location>
        end
    next
end

To configure the SNMP community locally:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-community enable
        config snmp-community
            edit <SNMP_community_ID>
                set status enable
                set query-v1-status enable
                set query-v1-port <0-65535; the default is 161>
                set query-v2c-status enable
                set query-v2c-port <0-65535; the default is 161>
                set trap-v1-status enable
                set trap-v1-lport <0-65535; the default is 162>
                set trap-v1-rport <0-65535; the default is 162>
                set trap-v2c-status enable
                set trap-v2c-lport <0-65535; the default is 162>
                set trap-v2c-rport <0-65535; the default is 162>
                set events {cpu-high mem-low log-full intf-ip ent-conf-change}
                config hosts
                    edit <host_entry_ID>
                        set ip <IPv4_address_of_the_SNMP_manager>
                    next
                end
            next
        end
    next
end

To configure the SNMP trap threshold values locally:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-trap-threshold enable
        config snmp-trap-threshold
            set trap-high-cpu-threshold <percentage_value; the default is 80>
            set trap-low-memory-threshold <percentage_value; the default is 80>
            set trap-log-full-threshold <percentage_value; the default is 90>
        end
    next
end

To configure the SNMP user locally:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-user enable
        config snmp-user
            edit <SNMP_user_name>
                set queries enable
                set query-port <0-65535; the default is 161>
                set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
                set auth-proto {md5 | sha}
                set auth-pwd <password_for_authentication_protocol>
                set priv-proto {aes | des}
                set priv-pwd <password_for_encryption_protocol>
            next
        end
    next
end

Configuring IPv4 source guard

IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.

IPv4 source guard allows traffic from the following sources:

  • Static entries—IP addresses that have been manually associated with MAC addresses.
  • Dynamic entries—IP addresses that have been learned through DHCP snooping.

By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.

If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.

IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The following FortiSwitch models support IP source guard:

  • FSR-124D
  • FS-224D-FPOE
  • FS-248D
  • FS-424D-POE
  • FS-424D-FPOE
  • FS-448D-POE
  • FS-448D-FPOE
  • FS-424D
  • FS-448D
  • FSW-2xxE

Configuring IPv4 source guard consists of the following steps:

  1. Enable IPv4 source guard in the FortiOS CLI.
  2. Create static entries on the FortiSwitch unit by binding IPv4 addresses with MAC addresses.
  3. Check the IPv4 source-guard entries on the FortiSwitch unit.

Enabling IPv4 source guard

You must enable IPv4 source guard in the FortiOS CLI before you can configure it.

To enable IPv4 source guard:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set ip-source-guard enable
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S424DF4K15000024
        config ports
            edit port20
                set ip-source-guard enable
            next
        end
    next
end

Creating static entries

After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Using the FortiGate GUI.

To create static entries:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ip-source-guard
            edit <port_name>
                config binding-entry
                    edit <id>
                        set ip <xxx.xxx.xxx.xxx>
                        set mac <XX:XX:XX:XX:XX:XX>
                    next
                end
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S424DF4K15000024
        config ip-source-guard
            edit port4
                config binding-entry
                    edit 1
                        set ip 172.168.20.1
                        set mac 00:21:cc:d2:76:72
                    next
                end
            next
        end
    next
end

Checking the IPv4 source-guard entries

After you configure IPv4 source guard, you can check the entries.

Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added by DHCP snooping.

Use this command in the FortiOS CLI to display all IP source-guard entries:

diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>
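As an added example (not Fortinet's code), the following Python script builds the IPv4 source guard configuration from the steps above for one managed FortiSwitch and models the rules the section states: valid IPv4 and MAC values, the 2,048-entry limit, and static entries taking precedence over dynamic entries learned by DHCP snooping. The serial number and static entry reuse the page's sample values; the dynamic entries are constructed.

```python
# Added example, not Fortinet's code. Builds the FortiOS CLI for IPv4
# source guard static entries and models the rules stated above:
# valid IPv4 and MAC values, at most 2,048 entries from one FortiGate,
# and static entries winning over dynamic (DHCP-snooped) ones.
import ipaddress
import re
from collections import namedtuple

MAX_ENTRIES = 2048  # the page: more than 2,048 entries from a FortiGate is an error
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

Binding = namedtuple("Binding", "port ip mac")

# Constructed sample data: the static entry mirrors the page's example,
# the dynamic entries stand in for what DHCP snooping would have learned.
SAMPLE_STATIC = [Binding("port4", "172.168.20.1", "00:21:CC:D2:76:72")]
SAMPLE_DYNAMIC = [
    Binding("port4", "172.168.20.1", "00:21:cc:00:00:01"),  # conflicts with static
    Binding("port4", "172.168.20.7", "00:21:cc:00:00:07"),
]


def normalize_mac(mac):
    """Lower-case, colon-separated MAC as FortiOS prints it; reject anything else."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac}")
    return mac


def validate_bindings(bindings):
    """Return normalized bindings; reject bad addresses, duplicates and overflow."""
    if len(bindings) > MAX_ENTRIES:
        raise ValueError(f"{len(bindings)} entries exceed the {MAX_ENTRIES} limit")
    seen, out = set(), []
    for b in bindings:
        ip = str(ipaddress.IPv4Address(b.ip))  # raises on anything that is not IPv4
        mac = normalize_mac(b.mac)
        if (b.port, ip) in seen:
            raise ValueError(f"duplicate entry for {ip} on {b.port}")
        seen.add((b.port, ip))
        out.append(Binding(b.port, ip, mac))
    return out


def render_static_entries(serial, bindings):
    """Emit one managed-switch block: enable the guard per port, then the bindings."""
    by_port = {}
    for b in validate_bindings(bindings):
        by_port.setdefault(b.port, []).append(b)
    lines = ["config switch-controller managed-switch",
             f"    edit {serial}",
             "        config ports"]
    for port in by_port:
        lines += [f"            edit {port}",
                  "                set ip-source-guard enable",
                  "            next"]
    lines += ["        end", "        config ip-source-guard"]
    for port, entries in by_port.items():
        lines += [f"            edit {port}", "                config binding-entry"]
        for idx, b in enumerate(entries, start=1):
            lines += [f"                    edit {idx}",
                      f"                        set ip {b.ip}",
                      f"                        set mac {b.mac}",
                      "                    next"]
        lines += ["                end", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def effective_table(static, dynamic):
    """Merge the two sources; on a (port, ip) conflict the static entry wins."""
    table = {(b.port, b.ip): (b.mac, "dynamic") for b in validate_bindings(dynamic)}
    for b in validate_bindings(static):
        table[(b.port, b.ip)] = (b.mac, "static")
    return table


def is_allowed(table, port, ip, mac):
    """A frame passes only if its (ip, mac) matches the entry for that port."""
    entry = table.get((port, str(ipaddress.IPv4Address(ip))))
    return entry is not None and entry[0] == normalize_mac(mac)


if __name__ == "__main__":
    print(render_static_entries("S424DF4K15000024", SAMPLE_STATIC))
    table = effective_table(SAMPLE_STATIC, SAMPLE_DYNAMIC)
    for key, (mac, source) in sorted(table.items()):
        print(f"{key[0]} {key[1]} -> {mac} ({source})")
```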
