execute

Use the execute commands to perform immediate operations on the FortiSwitch unit:

execute 802-1x clear interface

Use this command to clear all authorizations on a specified interface:

execute 802-1x clear interface {internal | port<integer>}

Example

This example shows how to remove all authorizations from port 1:

execute 802-1x clear interface port1

execute acl clear-counter

Use this command to clear the ACL counters associated with the specified policy:

execute acl clear-counter {all | ingress | egress | prelookup}

Variable                    Description

all
    Delete the ACL counters for all policies.

ingress
    Delete the ACL counters for ingress policies.

egress
    Delete the ACL counters for egress policies.

prelookup
    Delete the ACL counters for lookup policies.

Example

This example deletes all ACL counters:

execute acl clear-counter all

execute acl key-compaction

NOTE: This command currently only works on the ingress policy.

Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:

execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>

Variable                    Description

all
    Delete all unused classifiers for the specified group.

ingress
    Delete the unused classifiers for ingress policies for the specified group.

egress
    Delete the unused classifiers for egress policies for the specified group.

prelookup
    Delete the unused classifiers for lookup policies for the specified group.

<group_ID>
    Enter the group identifier. Group identifiers are defined in the config switch acl ingress command.

Example

This example deletes all unused classifiers from group 5:

execute acl key-compaction all 5

execute backup config

Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash disk, FTP server, or TFTP server.

Syntax

execute backup config flash <comment>

execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable                    Description

config flash <comment>
    Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

Example

This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup config tftp fgt.cfg 192.168.1.23

execute backup full-config

Use the execute backup full-config commands to back up the full FortiSwitch configuration to a TFTP or FTP server.

Syntax

execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable                    Description

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

Example

This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup full-config tftp fgt.cfg 192.168.1.23

execute backup memory

Use the execute backup memory commands to back up the FortiSwitch logs to a TFTP or FTP server.

Syntax

execute backup memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute backup memory alllogs tftp <server_ipv4>

execute backup memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}

execute backup memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}

Variable                    Description

memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Back up either all memory or all hard disk log files for this FortiSwitch to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory alllogs tftp <server_ipv4>
    Back up either all memory or all hard disk log files for this FortiSwitch to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
    Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
    Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk.

Example

This example shows how to back up all FortiSwitch log files to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup memory alllogs tftp fgt.cfg 192.168.1.23

execute batch

Use the execute batch commands to execute a series of CLI commands.

The execute batch commands are controlled by the Maintenance (mntgrp) access control group.

Syntax

execute batch [<cmd_cue>]

The parameter <cmd_cue> includes the following values:

  • end — exit the session and run the batch commands
  • lastlog — read the result of the last batch commands
  • start — start batch mode
  • status — batch mode status, reporting whether batch mode is running or stopped

Example

To start batch mode:

execute batch start

Enter batch mode...

To enter commands to run in batch mode:

config system global

set refresh 5

end

To execute the batch commands:

execute batch end

Exit and run batch commands...

execute bpdu-guard

Use this command to reset a port that goes down after receiving a BPDU:

execute bpdu-guard reset {internal | port<number>}

Example

This example shows how to reset port 1 after it receives a BPDU and goes down:

execute bpdu-guard reset port1

execute cfg reload

Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.

When you reload the saved system configuration, your session ends and the FortiSwitch performs a restart.

In the default configuration change mode, automatic, CLI commands become part of the saved system configuration when you execute them by entering either next or end.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that unsaved configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.

Syntax

execute cfg reload

Example

This is sample output from the command when successful:

# execute cfg reload

configs reloaded. system will reboot.

This is sample output from the command when not in runtime-only configuration mode:

# execute cfg reload

no config to be reloaded.

execute cfg save

Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.

Syntax

execute cfg save

Example

This is sample output from the command:

# execute cfg save

config saved.

This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:

# execute cfg save

no config to be saved.

execute clear switch igmp-snoop

Use this command to clear the learned and configured multicast groups from the FortiSwitch unit.

Syntax

execute clear switch igmp-snoop

execute clear system arp table

Use this command to clear all the entries in the ARP table.

Syntax

execute clear system arp table

execute cli check-template-status

Use this command to report the status of the secure copy protocol (SCP) script template.

Syntax

execute cli check-template-status

execute cli status-msg-only

Use this command to enable or disable the display of standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session.

Syntax

execute cli status-msg-only {enable | disable}

Variable                    Description and default

status-msg-only {enable | disable}
    Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output.
    Default: enable

execute date

Use this command to display or set the system date.

Syntax

execute date [<date_str>]

<date_str> has the form yyyy-mm-dd, where:

  • yyyy is the year. The range is 2001 to 2037.
  • mm is the month. The range is 01 to 12.
  • dd is the day of the month. The range is 01 to 31.

If you do not specify a date, the command returns the current system date. Shortened values, such as “06” instead of “2006” for the year or “1” instead of “01” for month or day, are not valid.

Example

This example sets the date to 17 September 2016:

execute date 2016-09-17

execute dhcp lease-clear

Use these commands to clear DHCP leases:

execute dhcp lease-clear all

execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>

Variable                    Description and default

lease-clear all
    Clear all DHCP leases.
    No default.

lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
    Clear the DHCP leases for the specified IPv4 addresses. Use a comma to separate IPv4 addresses.
    No default.

Example

This example shows how to clear the DHCP leases for two specified IPv4 addresses:

execute dhcp lease-clear 1.2.3.4,5.6.7.8

execute dhcp lease-list

Use these commands to list DHCP leases:

execute dhcp lease-list

execute dhcp lease-list <interface>

Variable                    Description and default

lease-list
    List all DHCP leases.
    No default.

lease-list <interface>
    List the DHCP leases for the specified interface.
    No default.

Example

This example shows how to list all DHCP leases:

execute dhcp lease-list

execute dhcp-snooping

Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:

execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>

execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>

Variable                    Description and default

<VLAN-ID>
    Enter the VLAN identifier. The value range is 1-4095.
    No default.

<xx:xx:xx:xx:xx:xx>
    Enter the MAC address for the IP address to remove.
    No default.

Example

This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address 01:23:45:67:89:01 from the DHCP-snooping client database:

execute dhcp-snooping expire-client 100 01:23:45:67:89:01
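The execute date and execute dhcp-snooping sections above each state exact argument rules (a fixed-width yyyy-mm-dd date with the year in 2001 to 2037, a VLAN identifier in 1-4095, a MAC address in xx:xx:xx:xx:xx:xx form). The following Python is an added example, not FortiSwitch code or part of this reference: it applies those rules in a wrapper that assembles the CLI lines, so a script that drives the switch rejects malformed input before it is sent. The function names and the error messages are assumptions of this example.

```python
import re

# Added example (not FortiSwitch code): argument validators that apply the rules this
# reference gives for "execute date <date_str>" and for the <VLAN-ID> and
# <xx:xx:xx:xx:xx:xx> arguments of "execute dhcp-snooping expire-client|expire-server".

# Fixed-width pattern: "06" for the year or "1" for a month or day does not match,
# which is the "shortened values are not valid" rule from the execute date section.
_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$", re.ASCII)
# Six colon-separated hex octets, as in the 01:23:45:67:89:01 example above.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def validate_date_str(date_str: str) -> bool:
    """True if date_str is yyyy-mm-dd with yyyy in 2001..2037, mm in 01..12, dd in 01..31."""
    m = _DATE_RE.match(date_str)
    if not m:
        return False
    yyyy, mm, dd = (int(g) for g in m.groups())
    return 2001 <= yyyy <= 2037 and 1 <= mm <= 12 and 1 <= dd <= 31


def validate_vlan_id(vlan_id: str) -> bool:
    """True if vlan_id is a decimal integer in 1..4095 (the range the reference states)."""
    return vlan_id.isascii() and vlan_id.isdigit() and 1 <= int(vlan_id) <= 4095


def validate_mac(mac: str) -> bool:
    """True if mac has the xx:xx:xx:xx:xx:xx form."""
    return _MAC_RE.match(mac) is not None


def build_date_command(date_str: str) -> str:
    """Return the CLI line that sets the date, or raise ValueError on bad input."""
    if not validate_date_str(date_str):
        raise ValueError(f"invalid date_str {date_str!r}: expected yyyy-mm-dd, year 2001-2037")
    return f"execute date {date_str}"


def build_dhcp_snooping_expire(table: str, vlan_id: str, mac: str) -> str:
    """Return the expire-client or expire-server CLI line, or raise ValueError on bad input."""
    if table not in ("client", "server"):
        raise ValueError("table must be 'client' or 'server'")
    if not validate_vlan_id(vlan_id):
        raise ValueError(f"invalid VLAN-ID {vlan_id!r}: expected 1-4095")
    if not validate_mac(mac):
        raise ValueError(f"invalid MAC address {mac!r}: expected xx:xx:xx:xx:xx:xx")
    return f"execute dhcp-snooping expire-{table} {vlan_id} {mac}"


if __name__ == "__main__":
    # Reproduces the two example commands given in this reference.
    print(build_date_command("2016-09-17"))
    print(build_dhcp_snooping_expire("client", "100", "01:23:45:67:89:01"))
```

The validators are deliberately stricter than a generic date or MAC parser: the anchored, fixed-width patterns encode exactly what the reference says the switch accepts, so a rejected value is a bug in the caller rather than something to discover from the switch's error output.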

execute disconnect-admin-session

Use this command to disconnect an administrator who is logged in.

Syntax

execute disconnect-admin-session <index_number>

To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with the following command:

execute disconnect-admin-session ?

The list of logged-in administrators looks like this:

Connected:

INDEX USERNAME TYPE FROM TIME

0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006

1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006

Example

This example shows how to disconnect the logged-in administrator admin2:

execute disconnect-admin-session 1
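The session list printed by execute disconnect-admin-session ? is also a useful audit input: an operator can check that every logged-in administrator comes from an expected management network before choosing an index to disconnect. The following Python is an added example, not FortiSwitch code: it parses the Connected table in the layout shown above (the sample text is constructed from that output), flags sessions whose source address falls outside an allowlist, and prepares the matching disconnect commands for review. The class and function names are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not FortiSwitch code): parse the session table that
# "execute disconnect-admin-session ?" prints and flag administrator sessions
# whose source address is outside the management networks you expect.

# Constructed sample in the layout shown in this reference.
SAMPLE_SESSION_LIST = """\
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

_IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class AdminSession:
    index: int
    username: str
    session_type: str   # WEB or CLI in the sample
    source: str         # FROM column as printed, e.g. "ssh(172.20.120.54)"
    login_time: str

    @property
    def source_ip(self) -> Optional[str]:
        """The IPv4 address inside the FROM column, or None if none is printed."""
        m = _IPV4_RE.search(self.source)
        return m.group(1) if m else None


def parse_session_list(text: str) -> List[AdminSession]:
    """Parse the 'Connected:' table. TIME contains spaces, so split at most 4 times."""
    sessions = []
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("INDEX"):
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # not a session row
        sessions.append(AdminSession(int(parts[0]), parts[1], parts[2], parts[3], parts[4]))
    return sessions


def sessions_outside(sessions: List[AdminSession], allowed_cidrs: List[str]) -> List[AdminSession]:
    """Return the sessions whose source IP is not inside any allowed network.
    A session with no parsable IP is reported too, since it cannot be vouched for."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    flagged = []
    for s in sessions:
        ip = s.source_ip
        if ip is None or not any(ipaddress.ip_address(ip) in n for n in nets):
            flagged.append(s)
    return flagged


def disconnect_commands(sessions: List[AdminSession]) -> List[str]:
    """One CLI line per flagged session, for an operator to review before running."""
    return [f"execute disconnect-admin-session {s.index}" for s in sessions]


if __name__ == "__main__":
    found = parse_session_list(SAMPLE_SESSION_LIST)
    for cmd in disconnect_commands(sessions_outside(found, ["172.20.120.0/24"])):
        print(cmd)
```

Splitting each row with a maximum of four splits is what keeps the multi-word TIME column intact; the FROM column is matched with a regular expression because the sample shows it in two shapes, a bare address for WEB sessions and ssh(address) for CLI sessions.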

execute factoryreset

Use this command to reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryreset

This procedure deletes all changes that you have made to the FortiSwitch configuration and reverts the system to its original configuration, including resetting interface addresses.

execute factoryresetfull

Use this command to fully reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryresetfull

This procedure removes all configurations, saved user and application data, and licenses and resets the BIOS environment to the default. Images saved to the partitions are not removed.

execute flapguard reset

Use this command to reset the specified port if flap guard was triggered on that port:

execute flapguard reset <port_name>

Example

This example shows how to reset port 1 after flap guard was triggered on it:

execute flapguard reset port1

execute interface dhcpclient-renew

Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.

Syntax

execute interface dhcpclient-renew <interface>

Example output

This is the output for renewing the DHCP client on port 1 before the session closes:

# execute interface dhcpclient-renew port1

renewing dhcp lease on port1

execute interface dhcp6client-renew

Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is no DHCPv6 connection on the specified port, there is no output.

Syntax

execute interface dhcp6client-renew <interface>

execute interface pppoe-reconnect

Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.

Syntax

execute interface pppoe-reconnect <interface>

execute license add

Use this command to add a new license.

Syntax

execute license add <key>

execute license enhanced-debugging

Use this command to get information about the enhanced debugging license or to remove it.

Syntax

execute license enhanced-debugging {clear | description | get | status}

Variable                    Description

clear
    Remove the current enhanced debugging license key.

description
    Get a general description of the enhanced debugging license key.

get
    Retrieve the enhanced debugging license key.

status
    Check whether the enhanced debugging license is active.

Example output

S524DF4K15000024 # execute license enhanced-debugging description
This license will enable potentially hazardous debug, such as shells and other features.

S524DF4K15000024 # execute license enhanced-debugging status
enhanced-debugging: Active
Debug license flags: 0x01

execute license status

Use this command to display the status of all installed licenses.

Syntax

execute license status

Example output

S524DF4K15000024 # execute license status
License            | Status
enhanced-debugging : Active
FS-SW-LIC-500      : Active

execute log delete

Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.

Syntax

execute log delete

execute log delete-all

Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk, only log entries in system memory are cleared. You will be prompted to confirm the command.

Syntax

execute log delete-all

execute log display

Use this command to display log messages that you have selected with the execute log filter command.

Syntax

execute log display

The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following commands:

execute log filter start-line 1

execute log display

You can restore the log filters to their default values using the following command:

execute log filter reset

execute log filter

Use this command to select log messages for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.

Commands are cumulative. If you omit a required variable, the command displays the current setting.

Use as many execute log filter commands as you need to define the log messages that you want to view.

execute log filter category <category_name>

execute log filter device {memory | faz | fds}

execute log filter dump

execute log filter field <name>

execute log filter ha-member <unitsn_str>

execute log filter max-checklines <int>

execute log filter reset

execute log filter start-line <line_number>

execute log filter view-lines <count>

Variable                    Description and default

category <category_name>
    Enter the type of log you want to select. For SQL logging and memory logging, one of: utm, content, event, or traffic.
    Default: event

device {memory | faz | fds}
    Device where the logs are stored.
    Default: memory

dump
    Display current filter settings.
    No default.

field <name>
    Press Enter to view the fields that are available for the associated category. Enter the fields you want, using commas to separate multiple fields.
    No default.

ha-member <unitsn_str>
    Select logs from the specified HA cluster member. Enter the serial number of the system.
    No default.

max-checklines <int>
    Set the maximum number of lines to check. The range is 100 to 1,000,000. A value of 0 disables the feature.
    No default.

reset
    Execute this command to reset all filter settings.
    No default.

start-line <line_number>
    Select logs starting at the specified line number. The value must be 1 or higher.
    Default: 1

view-lines <count>
    Set lines per view. The value range is 5 to 1000.
    Default: 10
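The execute log display and execute log filter sections above describe a small state machine: filter settings accumulate across commands, a filter command without a value reports the current setting, display pages through the selected category ten lines at a time, start-line 1 rewinds, and reset restores the defaults. The following Python is an added example, not FortiSwitch code: it models that behaviour over a constructed set of sample log lines, so the paging and range rules (start-line 1 or higher, view-lines 5 to 1000) can be exercised offline before writing a script that drives the real CLI. The class name, the sample log lines and the way display advances start-line are assumptions of this example.

```python
# Added example (not FortiSwitch code): a model of the cumulative "execute log filter"
# settings and the paging behaviour of "execute log display" described in this reference.

VALID_CATEGORIES = ("utm", "content", "event", "traffic")
VALID_DEVICES = ("memory", "faz", "fds")
DEFAULTS = {"category": "event", "device": "memory", "start-line": 1, "view-lines": 10}

# Constructed sample log store: 25 event messages and 3 traffic messages.
SAMPLE_LOGS = {
    "event": [f'date=2016-09-17 logid=EVT{i:04d} msg="sample event {i}"' for i in range(1, 26)],
    "traffic": [f"date=2016-09-17 srcip=10.0.0.{i} dstip=10.0.1.1 action=accept" for i in range(1, 4)],
}


class LogFilterSession:
    """Holds the filter state; each filter() call adds to it, like the CLI commands."""

    def __init__(self, logs):
        self.logs = logs
        self.reset()

    def reset(self):
        """execute log filter reset: restore every setting to its default."""
        self.settings = dict(DEFAULTS)
        return dict(self.settings)

    def filter(self, name, value=None):
        """execute log filter <name> [<value>]; with no value, return the current setting."""
        if name not in DEFAULTS:
            raise ValueError(f"unknown filter {name!r}")
        if value is None:
            return self.settings[name]
        if name == "category" and value not in VALID_CATEGORIES:
            raise ValueError("category must be one of utm, content, event, traffic")
        if name == "device" and value not in VALID_DEVICES:
            raise ValueError("device must be one of memory, faz, fds")
        if name == "start-line":
            value = int(value)
            if value < 1:
                raise ValueError("start-line must be 1 or higher")
        if name == "view-lines":
            value = int(value)
            if not 5 <= value <= 1000:
                raise ValueError("view-lines must be in the range 5 to 1000")
        self.settings[name] = value
        return value

    def dump(self):
        """execute log filter dump: the current filter settings."""
        return dict(self.settings)

    def display(self):
        """execute log display: return the next page of the selected category.
        Assumption of this model: the position advances past the page that was shown,
        which is how 'run the command again to view more' is reproduced here."""
        lines = self.logs.get(self.settings["category"], [])
        start = self.settings["start-line"]
        page = lines[start - 1 : start - 1 + self.settings["view-lines"]]
        self.settings["start-line"] = start + len(page)
        return page


if __name__ == "__main__":
    session = LogFilterSession(SAMPLE_LOGS)
    page = session.display()
    while page:                      # keep running display until the selection is exhausted
        print("\n".join(page), "\n--")
        page = session.display()
    session.filter("start-line", 1)  # rewind to the beginning of the selection
```

The range checks mirror the table above; a wrapper that enforces them locally avoids a round trip to the switch for each rejected value.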

execute log-report reset

Use this command to delete all logs, archives, and user-configured report templates.

Syntax

execute log-report reset

execute loop-guard reset

Use this command to reset a port that has been put out of service by loop-guard.

execute loop-guard reset <interface>

Example

This example shows how to reset port 1 after loop guard was triggered on it:

execute loop-guard reset port1

execute mac clear

Use this command to clear MAC addresses.

Syntax

execute mac clear all

execute mac clear by-interface <interface>

execute mac clear by-mac-address <mac_address>

execute mac clear by-vlan <vlan_int>

execute mac clear by-vlan-and-interface <vlan_int> <interface>

execute mac clear by-vlan-and-mac-address <vlan_int> <mac_address>

Variable                    Description

all
    Clear all MAC entries.

by-interface <interface>
    Clear all MAC entries on the specified interface.

by-mac-address <mac_address>
    Clear all MAC entries for a specified MAC address.

by-vlan <vlan_int>
    Clear all MAC entries for a specified VLAN.

by-vlan-and-interface <vlan_int> <interface>
    Clear all MAC entries for a specified VLAN on a specified interface.

by-vlan-and-mac-address <vlan_int> <mac_address>
    Clear all MAC entries for a specified VLAN that match the specified MAC address.

execute mac-limit-violation reset

Use these commands to reset the learning limit violation log.

To enable or disable the learning limit violation log for a FortiSwitch unit, see config switch global.

Syntax

execute mac-limit-violation reset all

execute mac-limit-violation reset interface <interface_name>

execute mac-limit-violation reset vlan <VLAN_ID>

Variable                    Description

all
    Clear all learning limit violation logs.

interface <interface_name>
    Clear the learning limit violation log for a specific interface.

vlan <VLAN_ID>
    Clear the learning limit violation log for a specific VLAN.

Example

This example shows how to clear the learning limit violation log for VLAN 5:

execute mac-limit-violation reset vlan 5

execute ping

The execute ping command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and another network device.

Syntax

execute ping <address_ipv4>

<address_ipv4> is an IP address.

Example

This example shows how to ping a host with the IP address 172.20.120.16.

# execute ping 172.20.120.16

PING 172.20.120.16 (172.20.120.16): 56 data bytes

64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms

64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms

--- 172.20.120.16 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.2/0.2/0.5 ms
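A monitoring or change-verification script should judge reachability from the reply lines and the statistics, not merely from whether execute ping ran. The following Python is an added example, not FortiSwitch code: it parses output in the shape shown above (the sample text is constructed from that output), recomputes the loss and average round-trip time from the individual replies, and applies a threshold. The function and class names and the thresholds are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not FortiSwitch code): parse "execute ping" output so a script can
# judge reachability from the replies and the statistics lines.

# Constructed sample in the layout shown in this reference.
SAMPLE_PING_OUTPUT = """\
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
"""

_REPLY_RE = re.compile(r"^\d+ bytes from (\S+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms$")
_STATS_RE = re.compile(r"^(\d+) packets transmitted, (\d+) packets received, ([\d.]+)% packet loss$")
_RTT_RE = re.compile(r"^round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms$")


@dataclass
class PingResult:
    target: Optional[str]
    transmitted: int
    received: int
    loss_pct: float
    rtts_ms: List[float]                              # one entry per reply line
    reported_rtt: Optional[Tuple[float, float, float]]  # (min, avg, max) from the summary line

    @property
    def computed_avg_ms(self) -> Optional[float]:
        """Average recomputed from the reply lines (the summary line may round differently)."""
        if not self.rtts_ms:
            return None
        return round(sum(self.rtts_ms) / len(self.rtts_ms), 2)


def parse_ping(text: str) -> PingResult:
    """Parse reply, statistics and round-trip lines; unknown lines are ignored."""
    target = None
    transmitted = received = 0
    loss = 100.0          # no statistics line at all is treated as total loss
    rtts: List[float] = []
    reported = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PING "):
            target = line.split()[1]
            continue
        m = _REPLY_RE.match(line)
        if m:
            rtts.append(float(m.group(4)))
            continue
        m = _STATS_RE.match(line)
        if m:
            transmitted, received, loss = int(m.group(1)), int(m.group(2)), float(m.group(3))
            continue
        m = _RTT_RE.match(line)
        if m:
            reported = tuple(float(x) for x in m.groups())
    return PingResult(target, transmitted, received, loss, rtts, reported)


def is_reachable(result: PingResult, max_loss_pct: float = 0.0, max_avg_ms: Optional[float] = None) -> bool:
    """True when at least one reply arrived, loss is within budget and (optionally) latency is too."""
    if result.received == 0 or result.loss_pct > max_loss_pct:
        return False
    if max_avg_ms is not None and result.computed_avg_ms is not None and result.computed_avg_ms > max_avg_ms:
        return False
    return True


if __name__ == "__main__":
    r = parse_ping(SAMPLE_PING_OUTPUT)
    print(r.target, r.received, "of", r.transmitted, "replies, avg", r.computed_avg_ms, "ms")
```

Recomputing the average from the reply lines is deliberate: in the sample the summary reports an average of 0.2 ms while the five replies average 0.26 ms, so a threshold check that trusts only the summary line is slightly more lenient than one based on the replies.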

execute ping-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and another network device.

Syntax

execute ping-options adaptive-ping {enable | disable}

execute ping-options data-size <bytes>

execute ping-options df-bit {yes | no}

execute ping-options interface {Auto | <outgoing_interface>}

execute ping-options interval <seconds>

execute ping-options pattern <2-byte_hex>

execute ping-options repeat-count <repeats>

execute ping-options reset

execute ping-options source {auto | <source-intf_ip>}

execute ping-options timeout <seconds>

execute ping-options tos <service_type>

execute ping-options ttl <hops>

execute ping-options validate-reply {yes | no}

execute ping-options view-settings

Variable                    Description and default

adaptive-ping {enable | disable}
    Enable or disable adaptive ping.
    Default: disable

data-size <bytes>
    Specify the datagram size in bytes.
    Default: 56

df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.
    Default: no

interface {Auto | <outgoing_interface>}
    Specify the source interface or select auto for the source interface to be automatically assigned.
    Default: auto

interval <seconds>
    Specify the number of seconds between two pings. The value must be greater than 0.
    No default.

pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.
    No default.

repeat-count <repeats>
    Specify how many times to repeat ping.
    Default: 5

reset
    Reset the ping options to their default settings.
    No default.

source {auto | <source-intf_ip>}
    Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface.
    Default: auto

timeout <seconds>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2

tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted:
      • lowdelay — minimize delay
      • throughput — maximize throughput
      • reliability — maximize reliability
      • lowcost — minimize cost
    Default: 0

ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.
    Default: 64

validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no

view-settings
    Display the current ping option settings.
    No default.

Example

Use the following command to increase the number of pings sent:

execute ping-options repeat-count 10

Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:

execute ping-options source 192.168.10.23

execute ping6

The ping6 command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6 {<address_ipv6> | <host-name_str>}

Example

This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.

execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

execute ping6-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6-options data-size <bytes>

execute ping6-options interval <seconds>

execute ping6-options pattern <2-byte_hex>

execute ping6-options repeat-count <repeats>

execute ping6-options source {auto | <source-intf_ip>}

execute ping6-options timeout <seconds>

execute ping6-options tos <service_type>

execute ping6-options ttl <hops>

execute ping6-options validate-reply {yes | no}

execute ping6-options view-settings

Variable                    Description and default

data-size <bytes>
    Specify the datagram size in bytes.
    Default: 56

df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.
    Default: no

interval <seconds>
    Specify the number of seconds between two pings. The value must be greater than 0.
    No default.

pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.
    No default.

repeat-count <repeats>
    Specify how many times to repeat ping.
    Default: 5

source {auto | <source-intf_ip>}
    Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface.
    Default: auto

timeout <seconds>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2

tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted:
      • lowdelay — minimize delay
      • throughput — maximize throughput
      • reliability — maximize reliability
      • lowcost — minimize cost
    Default: 0

ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.
    Default: 64

validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no

view-settings
    Display the current ping option settings.
    No default.

Example

Use the following command to validate reply data:

execute ping6-options validate-reply yes

execute poe-reset

This command performs a PoE reset on the specified port.

Syntax

execute poe-reset <port_number>

Example

Use the following command to reset the PoE power on port 1:

execute poe-reset port1

execute reboot

Use this command to restart the system.

Abruptly powering off your system may corrupt its configuration. Use the reboot or shutdown commands to ensure proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute reboot [comment <"comment_string">]

[comment <"comment_string">] enables you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotation marks.

Example

This example shows the reboot command with a message included:

execute reboot comment "December monthly maintenance"

execute restore

Use this command to restore a configuration, firmware, or IPS signature file. The following options are available:

  • restore the configuration from a file
  • change the FortiSwitch firmware
  • restore the bios from a file

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.

A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.

Syntax

execute restore bios tftp <filename_str> <server_ipv4[:port_int]>

execute restore config flash <revision>

execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]

execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]

execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute restore image management-station <version_int>

execute restore image tftp <filename_str> <server_ipv4>

execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute restore secondary-image tftp <filename_str> <server_ipv4>

Variable                    Description

bios tftp <filename_str> <server_ipv4[:port_int]>
    Restore the BIOS. Download the restore file from a TFTP server.

config flash <revision>
    Restore the specified revision of the system configuration from the flash disk.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. This command is not available in multiple VDOM mode.

image management-station <version_int>
    Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.

image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware.

secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.

secondary-image tftp <filename_str> <server_ipv4>
    Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.

Example

This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.

execute restore config tftp backupconfig 192.168.1.23

execute revision

Use this command to manage configuration and firmware image files on the local disk.

Syntax

execute revision delete config <revision>

execute revision list config

execute revision show config

Variable

Description

delete config <revision>

Delete the specified configuration revision on the local disk.

list config

List the configuration revisions on the local disk.

show config

Display the details of the configuration revision on the local disk.

Example

Use the following command to delete revision 1 of the configuration file on the local disk:

execute revision delete config 1

execute router clear bgp

Use this command to clear the BGP routing configuration.

Syntax

execute router clear bgp {all | as | dampening | external | ip}

Variable

Description

all <arguments>

Clear all BGP peers.

as <arguments>

Clear a BGP peer by AS number.

dampening {<IP_address> | <IP_address/length>}

Clear the BGP flap-dampening information.

external <arguments>

Clear all external BGP peers.

ip <arguments>

Clear a BGP peer by IP address.

Example

Use the following command to delete the BGP flap-dampening information:

execute router clear bgp dampening 1.2.3.4

execute router clear ospf

Use this command to clear the OSPF routing configuration from the specified interface.

Syntax

execute router clear ospf interface <interface_name>

Example

Use the following command to delete the OSPF routing configuration from the VLAN interface:

execute router clear ospf interface vlan20

execute router tech-support

Use this command to display the specified routing configuration and troubleshooting information.

Syntax

execute router tech-support {ospf | rip | bgp | isis | static}

Example

Use the following command to display the BGP routing configuration and troubleshooting information:

execute router tech-support bgp

execute set-next-reboot

Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition.

NOTE: You must disable image rotation before you can use the execute set-next-reboot command.

Syntax

execute set-next-reboot <primary | secondary>

Example

This example specifies that the next reboot will use the secondary flash partition:

execute set-next-reboot secondary

Set next reboot partition to secondary

execute shutdown

Use this command to shut down the system immediately. You will be prompted to confirm this command.

Caution: Abruptly powering off your system might corrupt its configuration. Using the reboot and shutdown options in the CLI or in the Web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute shutdown [comment <"comment_string">]

The comment field is optional. Use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotation marks.

Example

This example shows the shutdown command with a message included:

execute shutdown comment "emergency facility shutdown"

An event log message similar to the following is recorded:

2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
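As an added illustration (not part of the Fortinet manual), the following Python parses event log lines in the layout of the sample above and flags shutdowns initiated from outside a trusted management network or without a recorded reason. The field layout is inferred from that single sample line, and the additional sample lines are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Field layout inferred from the one sample line in the manual (assumption):
#   <date> <time> <level> <user> <id> <source> <action> <free-text message>
_EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>\S+) (?P<user>\S+) (?P<msg_id>\d+) "
    r"(?P<source>\S+) (?P<action>\S+) (?P<message>.*)$"
)
# Source looks like "ssh(172.20.120.11)": access method plus client address.
_SOURCE_RE = re.compile(r"^(?P<method>[A-Za-z]+)\((?P<addr>[^)]+)\)$")
# The comment given to "execute shutdown comment" is echoed as the reason.
_REASON_RE = re.compile(r"The reason is '(?P<reason>[^']*)'")

# Constructed sample log: line 1 is the manual's example, lines 2 and 3 are made up
# (a shutdown from an untrusted address, and a non-shutdown event that must be ignored).
SAMPLE_LINES = [
    "2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown "
    "User admin shutdown the device from ssh(172.20.120.11). "
    "The reason is 'emergency facility shutdown'",
    "2009-09-08 23:41:05 critical admin 41986 ssh(203.0.113.9) shutdown "
    "User admin shutdown the device from ssh(203.0.113.9). The reason is 'test'",
    "2009-09-08 11:15:00 information admin 41987 ssh(172.20.120.11) login "
    "User admin logged in from ssh(172.20.120.11)",
]


@dataclass
class ShutdownEvent:
    timestamp: str
    level: str
    user: str
    method: str            # e.g. "ssh"
    addr: str              # client address, e.g. "172.20.120.11"
    reason: Optional[str]  # None when no "The reason is '...'" text is present


def parse_shutdown_event(line: str) -> Optional[ShutdownEvent]:
    """Return a ShutdownEvent for a shutdown log line, or None for any other line."""
    m = _EVENT_RE.match(line.strip())
    if not m or m.group("action") != "shutdown":
        return None
    src = _SOURCE_RE.match(m.group("source"))
    if src:
        method, addr = src.group("method"), src.group("addr")
    else:
        method, addr = "unknown", m.group("source")
    r = _REASON_RE.search(m.group("message"))
    return ShutdownEvent(
        timestamp=f"{m.group('date')} {m.group('time')}",
        level=m.group("level"),
        user=m.group("user"),
        method=method,
        addr=addr,
        reason=r.group("reason") if r else None,
    )


def unexpected_shutdowns(lines: Iterable[str], trusted_nets: Iterable[str]) -> List[ShutdownEvent]:
    """Shutdown events from outside the trusted management networks, or lacking a reason."""
    nets = [ip_network(n) for n in trusted_nets]
    flagged = []
    for line in lines:
        ev = parse_shutdown_event(line)
        if ev is None:
            continue
        try:
            trusted = any(ip_address(ev.addr) in n for n in nets)
        except ValueError:       # not an IP address (e.g. console): cannot vouch for it
            trusted = False
        if not trusted or not ev.reason:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unexpected_shutdowns(SAMPLE_LINES, ["172.20.120.0/24"]):
        print(f"{ev.timestamp} shutdown by {ev.user} via {ev.method} from {ev.addr}: {ev.reason!r}")
```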

execute ssh

Use this command to establish an SSH session with another system.

Syntax

execute ssh <destination>

<destination> is the destination in the form user@IPv4_address, user@IPv6_address, or user@DNS_name. If the IPv6 address is a link-local address, you must specify an output interface using %.

Examples

execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.

execute ssh admin@172.20.120.122

execute ssh 1002::21

execute ssh 12.345.6.78

To end an SSH session, type exit:

S524DF4K15000024 # exit

Connection to 172.20.120.122 closed.

S524DF4K15000024 #

execute stage

Use this command to stage an image from an FTP or TFTP server.

Syntax

execute stage image ftp <string> <ftp server>[:ftp port]

execute stage image tftp <string> <ip>

<string> is the image file name (including path) on the remote server.

execute sticky-mac

Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a FortiSwitch port changes (goes down or up).

Syntax

execute sticky-mac delete-unsaved {all | interface <interface_name>}

execute sticky-mac save {all | interface <interface_name>}

Variable

Description

delete-unsaved {all | interface <interface_name>}

Delete all persistent MAC entries (instead of saving them in the FortiSwitch configuration file) for all interfaces or for the specified interface.

save {all | interface <interface_name>}

Save all persistent MAC entries in the FortiSwitch configuration file for all interfaces or for the specified interface.

execute switch-controller get-conn-status

Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch is managed by a FortiGate.

Syntax

execute switch-controller get-conn-status

Example

S524DF4K15000024 # execute switch-controller get-conn-status

Get managed-switch S524DF4K15000024 connection status:

Connection: Connected

Image Version: FG100D-v6.2-build849

Remote Address: xxx.xxx.x.x

Join Time: Wed Mar 13 08:38:57 2019

DTLS Version: DTLSv1.2

execute system certificate ca

Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate from the FortiSwitch to a TFTP server.

Before using this command, you must obtain a CA certificate issued by a Certificate Authority.

Syntax

execute system certificate ca export tftp <name> <file-name> <tftp_ip>

execute system certificate ca import auto <ca_server_url> [ca_identifier_str]

execute system certificate ca import tftp <file-name> <tftp_ip>

Variable

Description

import

Import the CA certificate from a TFTP server to the FortiSwitch unit.

export

Export or copy the CA certificate from the FortiSwitch to a file on the TFTP server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2.

<name>

Enter the name of the CA certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

auto

Retrieve a CA certificate from a SCEP server.

tftp

Import the CA certificate to the FortiSwitch from a file on a TFTP server (local administrator PC).

<ca_server_url>

Enter the URL of the CA certificate server.

<ca_identifier_str>

CA identifier on CA certificate server (optional).

execute system certificate crl import auto

Use this command to get a certificate revocation list via LDAP, HTTP, or SCEP protocol, depending on the autoupdate configuration.

To use this command, the authentication servers must already be configured.

Syntax

execute system certificate crl import auto <crl-name>

Variable

Description

import

Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiSwitch unit.

<crl-name>

Enter the name of the CRL.

auto

Trigger an auto-update of the CRL from the configured authentication server.

execute system certificate local export tftp

Use this command to export a local certificate from the FortiSwitch to a TFTP server.

Syntax

execute system certificate local export tftp <name> <file-name> <tftp_ip>

Variable

Description

export

Export or copy the local certificate from the FortiSwitch unit to a file on the TFTP server.

<name>

Enter the name of the local certificate. Available local certificates are Entrust_802.1x, Fortinet_Factory, and Fortinet_Firmware.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system certificate local generate

Use this command to generate a local certificate.

When you generate a certificate request, you create a private and public key pair for the local FortiSwitch unit. The public key accompanies the certificate request. The private key remains confidential.

When you receive the signed certificate from the CA, use the system certificate local import command to install it on the FortiSwitch unit.

Syntax

execute system certificate local generate <name> <key-length> <subject_str> <country> <state> <city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>

Variable

Description

<name>

Enter the local certificate name.

<key-length>

Enter the key size, which can be 1024, 1536, or 2048.

<subject_str>

Enter the subject (host IP address/domain name/e-mail address).

<country>

Enter the country name (such as canada), country code (such as ca), or null for none.

<state>

Enter the state.

<city>

Enter the city.

<organization>

Enter the company name.

<bu>

Enter the business unit.

<email>

Enter the email address.

<SAN>

This field is optional. Enter a subject alternative name.

<URL>

This field is optional. Enter the URL of the CA server for signing using SCEP.

<challenge>

Enter the challenge password for signing using SCEP.

<source_IP>

This field is optional. Enter the source IP address for communicating with the CA server.

<CA_id>

This field is optional. Enter the CA identifier of the CA server for signing using SCEP.

<password>

This field is optional. Enter the password if you are using a private key.

execute system certificate local import tftp

Use this command to import a local certificate to the FortiSwitch from a TFTP server.

Syntax

execute system certificate local import tftp <file-name> <tftp_ip>

Variable

Description

<name>

Enter the name of the local certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system certificate remote

Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.

Syntax

execute system certificate remote import tftp <file-name> <tftp_ip>

execute system certificate remote export tftp <name> <file-name> <tftp_ip>

Variable

Description

import

Import the remote certificate from the TFTP server to the FortiSwitch unit.

export

Export or copy the remote certificate from the FortiSwitch to a file on the TFTP server.

To view a list of the certificates, use the following command:

execute system certificate remote export tftp ?

<name>

Enter the name of the remote certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system sniffer-profile delete-capture

Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile delete-capture <profile_name>

Example

execute system sniffer-profile delete-capture profile1

execute system sniffer-profile pause

Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile pause <profile_name>

Example

execute system sniffer-profile pause profile1

execute system sniffer-profile start

Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile start <profile-name>

Example

execute system sniffer-profile start profile1

execute system sniffer-profile stop

Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile stop <profile-name>

Examples

execute system sniffer-profile stop profile1

execute system sniffer-profile upload

Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile upload ftp <profile_name> <file_name> <FTP_server_IP_address:<optional_port>>

execute system sniffer-profile upload tftp <profile_name> <file_name> <TFTP_server_IP_address:<optional_port>>

Variable

Description

<profile_name>

Enter the name of the packet-capture profile.

<file_name>

Enter the name of the .pcap file and the path where it is located.

<FTP_server_IP_address:<optional_port>>

Enter the IP address of the FTP server and optionally enter the port number.

<TFTP_server_IP_address:<optional_port>>

Enter the IP address of the TFTP server and optionally enter the port number.

Examples

execute system sniffer-profile upload ftp profile profile1.pcap 192.168.1.23

execute telnet

Use this command to create a Telnet client. You can use this tool to test network connectivity.

Syntax

execute telnet <telnet_ipv4 or telnet_ipv6>

<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect with. If the IPv6 address is a link-local address, you must specify an output interface using %.

Type exit to close the Telnet session.

Examples

execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.

execute telnet 1002::21

execute telnet 12.345.6.78

execute time

Use this command to display or set the system time.

Syntax

execute time [<time_str>]

time_str has the form hh:mm:ss, where:

  • hh is the hour. The range is 00 to 23.
  • mm is the minutes. The range is 00 to 59.
  • ss is the seconds. The range is 00 to 59.

If you do not specify a time, the command returns the current system time.

You are allowed to shorten numbers to only one digit when setting the time. For example, both 01:01:01 and 1:1:1 are allowed.

Example

This example sets the system time to 15:31:03:

execute time 15:31:03

execute traceroute

Use this command to test the connection between the FortiSwitch and another network device, and display information about the network hops between the FortiSwitch and the device.

Syntax

execute traceroute {<ip_address> | <host-name>}

Example

This example shows how to test the connection with http://docs.forticare.com. In this example, the traceroute command times out after the first hop, indicating a possible problem.

#execute traceroute docs.fortinet.com

traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets

1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms

2 * * *

If your FortiSwitch is not connected to a working DNS server, you will not be able to connect to remote host-named locations with traceroute.

execute tracert6

Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol and to display information about the network hops between the FortiSwitch and the device.

Syntax

tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl] [-s src_addr] [-q nprobes] [-w waittime] [-z sendwait] host [paddatalen]

Variable

Description

-F

Set the Don’t Fragment bit.

-d

Enable debugging.

-n

Do not resolve numeric address to domain name.

-f <first_ttl>

Set the initial time-to-live used in the first outgoing probe packet.

-i <interface>

Select the interface to use for tracert6.

-m <max_ttl>

Set the max time-to-live (max number of hops) used in outgoing probe packets.

-s <src_addr>

Set the source IP address to use in outgoing probe packets.

-q <nprobes>

Set the number of probes per hop.

-w <waittime>

Set the time in seconds to wait for response to a probe. Default is 5.

-z <sendwait>

Set the time in milliseconds to pause between probes.

host

Enter the IP address or FQDN to probe.

<paddatalen>

Set the packet size to use when probing.

execute upload config

Use this command to upload system configurations to the flash disk from FTP or TFTP sources.

Syntax

execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute upload config tftp <filename_str> <comment> <server_ipv4>

Variable

Description

<comment>

Comment string.

<filename_str>

Filename to upload.

<server_fqdn[:port_int]>

Server fully qualified domain name and optional port.

<server_ipv4[:port_int]>

Server IP address and optional port number.

<username_str>

User name required on server.

<password_str>

Password required on server.

<backup_password_str>

Password for backup file.

execute verify image

Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.

Syntax

execute verify image {primary | secondary}

Example

execute verify image primary

Verifying the image in flash......100%

No issue found!

execute verify image secondary

Verifying the image in flash......100%

Bad/corrupted image found in flash!

Command fail. Return code -1

execute

execute

Use the execute commands perform immediate operations on the FortiSwitch unit:

execute 802-1x clear interface

Use this command to clear all authorizations on a specified interface:

execute 802-1x clear interface {internal | port<integer>}

Example

This example shows how to remove all authorizations from port 1:

execute 802-1x clear interface port1

execute acl clear-counter

Use this command to clear the ACL counters associated with the specified policy:

execute acl clear-counter {all | ingress | egress | prelookup}

Variable

Description

all

Delete the ACL counters for all policies.

ingress

Delete the ACL counters for ingress policies.

egress

Delete the ACL counters for egress policies.

prelookup

Delete the ACL counters for lookup policies.

Example

This example deletes all ACL counters:

execute acl clear-counter all

execute acl key-compaction

NOTE: This command currently only works on the ingress policy.

Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:

execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>

Variable

Description

all

Delete all unused classifiers for the specified group.

ingress

Delete the unused classifiers for ingress policies for the specified group.

egress

Delete the unused classifiers for egress policies for the specified group.

prelookup

Delete the unused classifiers for lookup policies for the specified group.

<group_ID>

Enter the group identifier.

Group identifiers are defined in the config switch acl ingress command.

Example

This example deletes all unused classifiers from group 5:

execute acl key-compaction all 5

execute backup config

Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash disk, FTP server, or TFTP server.

Syntax

execute backup config flash <comment>

execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable

Description

config flash <comment>

Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

Back up the system configuration to an FTP server.

Optionally, you can specify a password to protect the saved data.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

Example

This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup config tftp fgt.cfg 192.168.1.23

execute backup full-config

Use the execute backup full-config commands to back up the full FortiSwitch configuration to a TFTP or FTP server.

Syntax

execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Variable

Description

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

Example

This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup full-config tftp fgt.cfg 192.168.1.23

execute backup memory

Use the execute backup memory commands to back up the FortiSwitch logs to a TFTP or FTP server.

Syntax

execute backup memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute backup memory alllogs tftp <server_ipv4>

execute backup memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}

execute backup memory log tftp <server_ipv4> {app‑ctrl | event | ids | im | spam | virus | voip | webfilter}

Variable

Description

memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Back up either all memory or all hard disk log files for to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk.

memory alllogs tftp <server_ipv4>

Back up either all memory or all hard disk log files for this FortiSwitch to a TFTP server. he disk option is available on FortiSwitch models that log to a hard disk.

memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}

Back up the specified type of log file from either hard disk or memory to an FTP server.

The disk option is available on FortiSwitch models that log to a hard disk.

memory log tftp <server_ipv4> {app‑ctrl | event | ids | im | spam | virus | voip | webfilter}

Back up the specified type of log file from either hard disk or memory to an FTP server.

The disk option is available on FortiSwitch models that log to a hard disk.

Example

This example shows how to back up all FortiSwitch log files to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup memory alllogs tftp fgt.cfg 192.168.1.23

execute batch

Use the execute batch commands to execute a series of CLI commands.

The execute batch commands are controlled by the Maintenance (mntgrp) access control group.

Syntax

execute batch [<cmd_cue>]

The parameter <cmd_cue> includes the following values:

  • end — exit session and run the batch commands
  • lastlog — read the result of the last batch commands
  • start — start batch mode
  • status— batch mode status reporting if batch mode is running or stopped

Example

To start batch mode:

execute batch start

Enter batch mode...

To enter commands to run in batch mode:

config system global

set refresh 5

end

To execute the batch commands:

execute batch end

Exit and run batch commands...

execute bpdu-guard

Use this command to reset a port that goes down after receiving a BPDU:

execute bpdu-guard reset {internal | port<number>}

Example

This example shows how to reset port 1 after it receives a BPDU and goes down:

execute bpdu-guard reset port1

execute cfg reload

Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.

When you reload the saved system configuration, the your session ends and the FortiSwitch performs a restart.

In the default configuration change mode, automatic, CLI commands become part of the saved system configuration when you execute them by entering either next or end.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are saved automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.

Syntax

execute cfg reload

Example

This is sample output from the command when successful:

# execute cfg reload

configs reloaded. system will reboot. This is sample output from the command when not in runtime-only configuration mode:

# execute cfg reload

no config to be reloaded.

execute cfg save

Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.

Syntax

execute cfg save

Example

This is sample output from the command:

# execute cfg save

config saved.

This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:

# execute cfg save

no config to be saved.

execute clear switch igmp-snoop

Use this command to clear the learned and configured multicast groups from the FortiSwitch unit.

Syntax

execute clear switch igmp-snoop

execute clear system arp table

Use this command to cslear all the entries in the ARP table.

Syntax

execute clear system arp table

execute cli check-template-status

Use this command to report the status of the secure copy protocol (SCP) script template.

Syntax

execute cli check-template-status

execute cli status-msg-only

Use this command to enable or disable the display of standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session.

Syntax

execute cli status-msg-only {enable | disable}

Variable

Description

Default

status-msg-only

{enable | disable}

Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output.

enable

execute date

Use this command to display or set the system date.

Syntax

execute date [<date_str>]

date_str has the form yyyy-mm-dd, where:

  • yyyy is the year. The range is: 2001 to 2037
  • mm is the month. The range is 01 to 12
  • dd is the day of the month. The range is 01 to 31

If you do not specify a date, the command returns the current system date. Shortened values, such as “06” instead of “2006” for the year or “1” instead of “01” for month or day, are not valid.

Example

This example sets the date to 17 September 2016:

execute date 2016-09-17

execute dhcp lease-clear

Use these commands to clear DHCP leases:

execute dhcp lease-clear all

execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>

Variable

Description

Default

lease-clear all

Clear all DHCP leases.

No default

lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>

Clear the DHCP leases for the specified IPv4 addresses. Use a comma to separate IPv4 addresses.

No default

Example

This example shows how to clear all DHCP leases on the specified IPv4 addresses:

execute dhcp lease-clear 1.2.3.4,5.6.7.8

execute dhcp lease-list

Use these commands to list DHCP leases:

execute dhcp lease-list

execute dhcp lease-list <interface>

Variable

Description

Default

lease-list

List all DHCP leases.

No default

lease-list <interface>

List the DHCP leases for the specified interface.

No default

Example

This example shows how to list all DHCP leases:

execute dhcp lease-list

execute dhcp-snooping

Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:

execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>

execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>

Variable

Description

Default

<VLAN-ID>

Enter the VLAN identifier. The value range is 1-4095.

No default

<xx:xx:xx:xx:xx:xx>

Enter the MAC address for the IP address to remove.

No default

Example

This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address 01:23:45:67:89:01 from the DHCP-snooping client database:

execute dhcp-snooping expire-client 100 01:23:45:67:89:01

execute disconnect-admin-session

Use this command to disconnect an administrator who is logged in.

Syntax

execute disconnect-admin-session <index_number>

To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with the following command:

execute disconnect‑admin-session ?

The list of logged-in administrators looks like this:

Connected:

INDEX USERNAME TYPE FROM TIME

0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006

1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006

Example

This example shows how to disconnect the logged administrator admin2:

execute disconnect-admin-session 1
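To review the listing above without reading it by hand, here is an added Python example (not from the FortiSwitch documentation) that parses the INDEX/USERNAME/TYPE/FROM/TIME table, flags administrator sessions whose source address lies outside an assumed management subnet, and builds the matching execute disconnect-admin-session commands. The 172.20.120.0/24 management subnet is an assumption; the sample listing is the one printed on the page, embedded as a constructed string.

```python
"""Audit the output of 'execute disconnect-admin-session ?' (example code added
here, not part of the FortiSwitch documentation)."""
import ipaddress
import re
from typing import List

# Constructed sample: the listing shown on the page, as the CLI prints it.
SAMPLE_LISTING = """\
Connected:

INDEX USERNAME TYPE FROM TIME

0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006

1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

# Assumed management network; an admin login from anywhere else is unexpected.
ALLOWED_MGMT_CIDRS = ["172.20.120.0/24"]

# INDEX, USERNAME, TYPE and FROM are single tokens; TIME is the rest of the line.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# FROM is either a bare address (WEB) or "<transport>(<address>)" (CLI, e.g. ssh).
FROM_RE = re.compile(r"^(?:(\w+)\((.+)\)|(.+))$")


def parse_from(field: str):
    """Split the FROM column into (transport, address); transport is None for bare addresses."""
    m = FROM_RE.match(field)
    if m.group(1):
        return m.group(1), m.group(2)
    return None, m.group(3)


def parse_sessions(listing: str) -> List[dict]:
    """Turn the CLI table into a list of session records, skipping header lines."""
    sessions = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("Connected") or line.startswith("INDEX"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        transport, addr = parse_from(m.group(4))
        sessions.append({
            "index": int(m.group(1)),
            "user": m.group(2),
            "type": m.group(3),
            "transport": transport,
            "address": addr,
            "time": m.group(5),
        })
    return sessions


def unexpected_sessions(sessions, allowed_cidrs=ALLOWED_MGMT_CIDRS):
    """Return sessions whose source address is outside the allowed management networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for s in sessions:
        try:
            ip = ipaddress.ip_address(s["address"])
        except ValueError:
            flagged.append(s)  # hostname or unparsable source: worth a look too
            continue
        if not any(ip in net for net in nets):
            flagged.append(s)
    return flagged


def disconnect_commands(sessions):
    """Build the CLI command that drops each flagged session, by its INDEX."""
    return [f"execute disconnect-admin-session {s['index']}" for s in sessions]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LISTING)
    for cmd in disconnect_commands(unexpected_sessions(found, ["172.20.120.48/30"])):
        print(cmd)
```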

execute factoryreset

Use this command to reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryreset

This procedure deletes all changes that you have made to the FortiSwitch configuration and reverts the system to its original configuration, including resetting interface addresses.

execute factoryresetfull

Use this command to fully reset the FortiSwitch configuration to factory default settings.

Syntax

execute factoryresetfull

This procedure removes all configurations, saved user and application data, and licenses and resets the BIOS environment to the default. Images saved to the partitions are not removed.

execute flapguard reset

Use this command to reset the specified port if flap guard was triggered on that port:

execute flapguard reset <port_name>

Example

This example shows how to reset port 1 after flap guard was triggered on it:

execute flapguard reset port1

execute interface dhcpclient-renew

Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.

Syntax

execute interface dhcpclient-renew <interface>

Example output

This is the output for renewing the DHCP client on port 1 before the session closes:

# execute interface dhcpclient-renew port1

renewing dhcp lease on port1

execute interface dhcp6client-renew

Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is no DHCPv6 connection on the specified port, there is no output.

Syntax

execute interface dhcp6client-renew <interface>

execute interface pppoe-reconnect

Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.

Syntax

execute interface pppoe-reconnect <interface>

execute license add

Use this command to add a new license.

Syntax

execute license add <key>

execute license enhanced-debugging

Use this command to get information about the enhanced debugging license or to remove it.

Syntax

execute license enhanced-debugging {clear | description | get | status}

Variable

Description

clear

Remove the current enhanced debugging license key.

description

Get a general description of the enhanced debugging license key.

get

Retrieve the enhanced debugging license key.

status

Check whether the enhanced debugging license is active.

Example output

S524DF4K15000024 # execute license enhanced-debugging description
This license will enable potentially hazardous debug, such as shells and other features.

S524DF4K15000024 # execute license enhanced-debugging status
enhanced-debugging: Active
Debug license flags: 0x01

execute license status

Use this command to display the status of all installed licenses.

Syntax

execute license status

Example output

S524DF4K15000024 # execute license status
License            | Status
enhanced-debugging : Active
FS-SW-LIC-500      : Active

execute log delete

Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.

Syntax

execute log delete

execute log delete-all

Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk, only log entries in system memory are cleared. You will be prompted to confirm the command.

Syntax

execute log delete-all

execute log display

Use this command to display log messages that you have selected with the execute log filter command.

Syntax

execute log display

The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following commands:

execute log filter start-line 1

execute log display

You can restore the log filters to their default values using the following command:

execute log filter reset

execute log filter

Use this command to select log messages for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.

Commands are cumulative. If you omit a required variable, the command displays the current setting.

Use as many execute log filter commands as you need to define the log messages that you want to view.

execute log filter category <category_name>

execute log filter device {memory | faz | fds}

execute log filter dump

execute log filter field <name>

execute log filter ha-member <unitsn_str>

execute log filter max-checklines <int>

execute log filter reset

execute log filter start-line <line_number>

execute log filter view-lines <count>

Variable

Description

Default

category <category_name>

Enter the type of log you want to select.

For SQL logging and memory logging, one of:

utm, content, event, or traffic

event

device {memory | faz | fds}

Device where the logs are stored.

memory

dump

Display current filter settings.

No default

field <name>

Press Enter to view the fields that are available for the associated category. Enter the fields you want, using commas to separate multiple fields.

No default

ha-member <unitsn_str>

Select logs from the specified HA cluster member. Enter the serial number of the system.

No default

max-checklines <int>

Set the maximum number of lines to check. The value range is 100 to 1,000,000. A value of 0 disables the feature.

No default

reset

Execute this command to reset all filter settings.

No default

start-line <line_number>

Select logs starting at the specified line number. The value must be 1 or higher.

1

view-lines <count>

Set lines per view. The value range is 5 to 1000.

10

execute log-report reset

Use this command to delete all logs, archives, and user configured report templates.

Syntax

execute log-report reset

execute loop-guard reset

Use this command to reset a port that has been put out of service by loop-guard.

execute loop-guard reset <interface>

Example

This example shows how to reset port 1 after loop guard was triggered on it:

execute loop-guard reset port1

execute mac clear

Use this command to clear MAC addresses.

Syntax

execute mac clear all

execute mac clear by-interface <interface>

execute mac clear by-mac-address <mac_address>

execute mac clear by-vlan <vlan_int>

execute mac clear by-vlan-and-interface <vlan_int> <interface>

execute mac clear by-vlan-and-mac-address <vlan_int> <mac_address>

Variable

Description

all

Clear all MAC entries.

by-interface <interface>

Clear all MAC entries on the specified interface.

by-mac-address <mac_address>

Clear all MAC entries for a specified MAC address.

by-vlan <vlan_int>

Clear all MAC entries for a specified VLAN.

by-vlan-and-interface <vlan_int> <interface>

Clear all MAC entries for a specified VLAN on a specified interface.

by-vlan-and-mac-address <vlan_int> <mac_address>

Clear all MAC entries for a specified VLAN that match the specified MAC address.

execute mac-limit-violation reset

Use these commands to reset the learning limit violation log.

To enable or disable the learning limit violation log for a FortiSwitch unit, see config switch global.

Syntax

execute mac-limit-violation reset all

execute mac-limit-violation reset interface <interface_name>

execute mac-limit-violation reset vlan <VLAN_ID>

Variable

Description

all

Clear all learning limit violation logs.

interface <interface_name>

Clear the learning limit violation log for a specific interface.

vlan <VLAN_ID>

Clear the learning limit violation log for a specific VLAN.

Example

This example shows how to clear the learning limit violation log for VLAN 5:

execute mac-limit-violation reset vlan 5

execute ping

The execute ping command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and another network device.

Syntax

execute ping <address_ipv4>

<address_ipv4> is an IPv4 address.

Example

This example shows how to ping a host with the IP address 172.20.120.16.

#execute ping 172.20.120.16

PING 172.20.120.16 (172.20.120.16): 56 data bytes

64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms

64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms

64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms

--- 172.20.120.16 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.2/0.2/0.5 ms

execute ping-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and another network device.

Syntax

execute ping-options adaptive-ping {enable | disable}

execute ping-options data-size <bytes>

execute ping-options df-bit {yes | no}

execute ping-options interface {Auto | <outgoing_interface>}

execute ping-options interval <seconds>

execute ping-options pattern <2-byte_hex>

execute ping-options repeat-count <repeats>

execute ping-options reset

execute ping-options source {auto | <source-intf_ip>}

execute ping-options timeout <seconds>

execute ping-options tos <service_type>

execute ping-options ttl <hops>

execute ping-options validate-reply {yes | no}

execute ping-options view-settings

Variable

Description

Default

adaptive-ping {enable | disable}

Enable or disable adaptive ping.

disable

data-size <bytes>

Specify the datagram size in bytes.

56

df-bit {yes | no}

Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.

no

interface {Auto | <outgoing_interface>}

Specify the source interface or select auto for the source interface to be automatically assigned.

auto

interval <seconds>

Specify the number of seconds between two pings. The value must be greater than 0.

No default

pattern <2-byte_hex>

Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data_size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.

No default

repeat-count <repeats>

Specify how many times to repeat ping.

5

reset

Reset the ping options to their default settings.

No default

source

{auto | <source-intf_ip>}

Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface.

auto

timeout <seconds>

Specify, in seconds, how long to wait until ping times out.

2

tos <service_type>

Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted:
  • lowdelay — minimize delay
  • throughput — maximize throughput
  • reliability — maximize reliability
  • lowcost — minimize cost

0

ttl <hops>

Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.

64

validate-reply {yes | no}

Select yes to validate reply data.

no

view-settings

Display the current ping option settings.

No default

Example

Use the following command to increase the number of pings sent:

execute ping-options repeat-count 10

Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:

execute ping-options source 192.168.10.23

execute ping6

The ping6 command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6 {<address_ipv6> | <host-name_str>}

Example

This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.

execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

execute ping6-options

Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and an IPv6-capable network device.

Syntax

execute ping6-options data-size <bytes>

execute ping6-options interval <seconds>

execute ping6-options pattern <2-byte_hex>

execute ping6-options repeat-count <repeats>

execute ping6-options source {auto | <source-intf_ip>}

execute ping6-options timeout <seconds>

execute ping6-options tos <service_type>

execute ping6-options ttl <hops>

execute ping6-options validate-reply {yes | no}

execute ping6-options view-settings

Variable

Description

Default

data-size <bytes>

Specify the datagram size in bytes.

56

df-bit {yes | no}

Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.

no

interval <seconds>

Specify the number of seconds between two pings. The value must be greater than 0.

No default

pattern <2-byte_hex>

Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data_size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.

No default

repeat-count <repeats>

Specify how many times to repeat ping.

5

source

{auto | <source-intf_ip>}

Specify the FortiSwitch interface from which to send the ping. If you specify auto, the system selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiSwitch interface tests connections to different network segments from the specified interface.

auto

timeout <seconds>

Specify, in seconds, how long to wait until ping times out.

2

tos <service_type>

Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted:
  • lowdelay — minimize delay
  • throughput — maximize throughput
  • reliability — maximize reliability
  • lowcost — minimize cost

0

ttl <hops>

Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.

64

validate-reply {yes | no}

Select yes to validate reply data.

no

view-settings

Display the current ping option settings.

No default

Example

Use the following command to validate reply data:

execute ping6-options validate-reply yes

execute poe-reset

This command performs a PoE reset on the specified port.

Syntax

execute poe-reset <port_number>

Example

Use the following command to reset the PoE power on port 1:

execute poe-reset port1

execute reboot

Use this command to restart the system.

Abruptly powering off your system may corrupt its configuration. Use the reboot or shutdown commands to ensure proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute reboot [comment <"comment_string">]

[comment <"comment_string">] enables you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotation marks.

Example

This example shows the reboot command with a message included:

execute reboot comment "December monthly maintenance"

execute restore

Use this command to restore a configuration, firmware, or IPS signature file. The following options are available:

  • restore the configuration from a file
  • change the FortiSwitch firmware
  • restore the bios from a file

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.

A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.

Syntax

execute restore bios tftp <filename_str> <server_ipv4[:port_int]>

execute restore config flash <revision>

execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]

execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]

execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute restore image management-station <version_int>

execute restore image tftp <filename_str> <server_ipv4>

execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

execute restore secondary-image tftp <filename_str> <server_ipv4>

Variable

Description

bios tftp <filename_str> <server_ipv4[:port_int]>

Restore the BIOS. Download the restore file from a TFTP server.

config flash <revision>

Restore the specified revision of the system configuration from the flash disk.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]

Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.

If the backup file was created with a password, you must specify the password.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.

If the backup file was created with a password, you must specify the password.

image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware.

This command is not available in multiple VDOM mode.

image management-station <version_int>

Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.

image tftp <filename_str> <server_ipv4>

Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware.

secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.

secondary-image tftp <filename_str> <server_ipv4>

Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition.

Example

This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.

execute restore config tftp backupconfig 192.168.1.23

execute revision

Use this command to manage configuration and firmware image files on the local disk.

Syntax

execute revision delete config <revision>

execute revision list config

execute revision show config

Variable

Description

delete config <revision>

Delete the specified configuration revision on the local disk.

list config

List the configuration revisions on the local disk.

show config

Display the details of the configuration revision on the local disk.

Example

Use the following command to delete revision 1 of the configuration file on the local disk:

execute revision delete config 1

execute router clear bgp

Use this command to clear the BGP routing configuration.

Syntax

execute router clear bgp {all | as | dampening | external | ip}

Variable

Description

all <arguments>

Clear all BGP peers.

as <arguments>

Clear a BGP peer by AS number.

dampening {<IP_address> | <IP_address/length>}

Clear the BGP flap-dampening information.

external <arguments>

Clear all external BGP peers.

ip <arguments>

Clear a BGP peer by IP address.

Example

Use the following command to delete the BGP flap-dampening information:

execute router clear bgp dampening 1.2.3.4

execute router clear ospf

Use this command to clear the OSPF routing configuration from the specified interface.

Syntax

execute router clear ospf interface <interface_name>

Example

Use the following command to delete the OSPF routing configuration from the VLAN interface:

execute router clear ospf interface vlan20

execute router tech-support

Use this command to display the specified routing configuration and troubleshooting information.

Syntax

execute router tech-support {ospf | rip | bgp | isis | static}

Example

Use the following command to display the BGP routing configuration and troubleshooting information:

execute router tech-support bgp

execute set-next-reboot

Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition.

NOTE: You must disable image rotation before you can use the execute set-next-reboot command.

Syntax

execute set-next-reboot <primary | secondary>

Example

This example specifies that the next reboot will use the secondary flash partition:

execute set-next-reboot secondary

Set next reboot partition to secondary

execute shutdown

Use this command to shut down the system immediately. You will be prompted to confirm this command.


Abruptly powering off your system might corrupt its configuration. Using the reboot and shutdown options in the CLI or in the Web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute shutdown [comment <"comment_string">]

The comment field is optional. Use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word, it must be enclosed in quotation marks.

Example

This example shows the shutdown command with a message included:

execute shutdown comment "emergency facility shutdown"

An event log message similar to the following is recorded:

2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
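The shutdown record above is the kind of event a defender wants surfaced rather than buried: here is an added Python example (not from the FortiSwitch documentation) that parses lines of this shape, pulls out the user, source address and stated reason, and flags power events that came from outside an assumed management network or carried no reason. The field layout (date, time, severity, user, numeric id, source, action, free text) is inferred from the single sample line on the page; the second log line, the 172.20.120.0/24 allowlist and the assumption that reboot records share this layout are constructed for the example.

```python
"""Parse FortiSwitch shutdown event log lines and flag unexpected ones (example code
added here, not part of the FortiSwitch documentation)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first line is the one shown on the page; the second is a
# constructed sibling with a source outside the management network.
SAMPLE_LOG = """\
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
2009-09-09 02:03:04 critical admin 41986 ssh(203.0.113.9) shutdown User admin shutdown the device from ssh(203.0.113.9). The reason is 'maintenance'
"""

# Layout assumed from the sample: date time severity user id source action message
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<severity>\w+) "
    r"(?P<user>\S+) (?P<log_id>\d+) (?P<source>\S+) (?P<action>\w+) (?P<message>.*)$"
)
SOURCE_RE = re.compile(r"^(?P<transport>\w+)\((?P<addr>[^)]+)\)$")
REASON_RE = re.compile(r"The reason is '(?P<reason>[^']*)'")


@dataclass
class PowerEvent:
    timestamp: str
    severity: str
    user: str
    transport: Optional[str]
    source_ip: str
    action: str
    reason: Optional[str]
    raw: str


def parse_events(log_text: str) -> List[PowerEvent]:
    """Parse every line that matches the assumed layout; other lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src = SOURCE_RE.match(m["source"])
        transport, addr = (src["transport"], src["addr"]) if src else (None, m["source"])
        r = REASON_RE.search(m["message"])
        events.append(PowerEvent(
            timestamp=f"{m['date']} {m['time']}",
            severity=m["severity"],
            user=m["user"],
            transport=transport,
            source_ip=addr,
            action=m["action"],
            reason=r["reason"] if r else None,
            raw=raw,
        ))
    return events


def flag_unexpected(events, allowed_cidrs, actions=("shutdown", "reboot")):
    """Return power events from outside the allowed networks or without a stated reason.

    'reboot' is assumed to share the shutdown record layout; adjust once confirmed.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for e in events:
        if e.action not in actions:
            continue
        try:
            from_mgmt = any(ipaddress.ip_address(e.source_ip) in n for n in nets)
        except ValueError:
            from_mgmt = False  # console or hostname sources cannot be verified here
        if not from_mgmt or not e.reason:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_unexpected(parse_events(SAMPLE_LOG), ["172.20.120.0/24"]):
        print(f"{e.timestamp} {e.user} {e.action} from {e.source_ip}: {e.reason!r}")
```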

execute ssh

Use this command to establish an SSH session with another system.

Syntax

execute ssh <destination>

<destination> is the destination in the form user@IPv4_address, user@IPv6_address, or user@DNS_name. If the IPv6 address is a link-local address, you must specify an output interface using %.

Examples

execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.

execute ssh admin@172.20.120.122

execute ssh 1002::21

execute ssh 12.345.6.78

To end an SSH session, type exit:

S524DF4K15000024 # exit

Connection to 172.20.120.122 closed.

S524DF4K15000024 #

execute stage

Use this command to stage an image from an FTP or TFTP server.

Syntax

execute stage image ftp <string> <ftp server>[:ftp port]

execute stage image tftp <string> <ip>

<string> is the image file name (including the path) on the remote server.

execute sticky-mac

Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a FortiSwitch port changes (goes down or up).

Syntax

execute sticky-mac delete-unsaved {all | interface <interface_name>}

execute sticky-mac save {all | interface <interface_name>}

Variable

Description

delete-unsaved {all | interface <interface_name>}

Delete all persistent MAC entries (instead of saving them in the FortiSwitch configuration file) for all interfaces or for the specified interface.

save {all | interface <interface_name>}

Save all persistent MAC entries in the FortiSwitch configuration file for all interfaces or for the specified interface.

execute switch-controller get-conn-status

Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch is managed by a FortiGate.

Syntax

execute switch-controller get-conn-status

Example

S524DF4K15000024 # execute switch-controller get-conn-status

Get managed-switch S524DF4K15000024 connection status:

Connection: Connected

Image Version: FG100D-v6.2-build849

Remote Address: xxx.xxx.x.x

Join Time: Wed Mar 13 08:38:57 2019

DTLS Version: DTLSv1.2

execute system certificate ca

Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate from the FortiSwitch to a TFTP server.

Before using this command, you must obtain a CA certificate issued by a Certificate Authority.

Syntax

execute system certificate ca export tftp <name> <file-name> <tftp_ip>

execute system certificate ca import auto <ca_server_url> [ca_identifier_str]

execute system certificate ca import tftp <file-name> <tftp_ip>

Variable

Description

import

Import the CA certificate from a TFTP server to the FortiSwitch unit.

export

Export or copy the CA certificate from the FortiSwitch to a file on the TFTP server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2.

<name>

Enter the name of the CA certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

auto

Retrieve a CA certificate from a SCEP server.

tftp

Import the CA certificate to the FortiSwitch from a file on a TFTP server (local administrator PC).

<ca_server_url>

Enter the URL of the CA certificate server.

<ca_identifier_str>

CA identifier on CA certificate server (optional).

execute system certificate crl import auto

Use this command to get a certificate revocation list via LDAP, HTTP, or SCEP protocol, depending on the autoupdate configuration.

To use this command, the authentication servers must already be configured.

Syntax

execute system certificate crl import auto <crl-name>

Variable

Description

import

Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiSwitch unit.

<crl-name>

Enter the name of the CRL.

auto

Trigger an auto-update of the CRL from the configured authentication server.

execute system certificate local export tftp

Use this command to export a local certificate from the FortiSwitch to a TFTP server.

Syntax

execute system certificate local export tftp <name> <file-name> <tftp_ip>

Variable

Description

export

Export or copy the local certificate from the FortiSwitch unit to a file on the TFTP server.

<name>

Enter the name of the local certificate. Available local certificates are Entrust_802.1x, Fortinet_Factory, and Fortinet_Firmware.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system certificate local generate

Use this command to generate a local certificate.

When you generate a certificate request, you create a private and public key pair for the local FortiSwitch unit. The public key accompanies the certificate request. The private key remains confidential.

When you receive the signed certificate from the CA, use the system certificate local import command to install it on the FortiSwitch unit.

Syntax

execute system certificate local generate <name> <key-length> <subject_str> <country> <state> <city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>

Variable

Description

<name>

Enter the local certificate name.

<key-length>

Enter the key size, which can be 1024, 1536, or 2048.

<subject_str>

Enter the subject (host IP address/domain name/e-mail address).

<country>

Enter the country name (such as canada), country code (such as ca), or null for none.

<state>

Enter the state.

<city>

Enter the city.

<organization>

Enter the company name.

<bu>

Enter the business unit.

<email>

Enter the email address.

<SAN>

This field is optional. Enter a subject alternative name.

<URL>

This field is optional. Enter the URL of the CA server for signing using SCEP.

<challenge>

Enter the challenge password for signing using SCEP.

<source_IP>

This field is optional. Enter the source IP address for communicating with the CA server.

<CA_id>

This field is optional. Enter the CA identifier of the CA server for signing using SCEP.

<password>

This field is optional. Enter the password if you are using a private key.

execute system certificate local import tftp

Use this command to import a local certificate to the FortiSwitch from a TFTP server.

Syntax

execute system certificate local import tftp <file-name> <tftp_ip>

Variable

Description

<name>

Enter the name of the local certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system certificate remote

Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.

Syntax

execute system certificate remote import tftp <file-name> <tftp_ip>

execute system certificate remote export tftp <name> <file-name> <tftp_ip>

Variable

Description

import

Import the remote certificate from the TFTP server to the FortiSwitch unit.

export

Export or copy the remote certificate from the FortiSwitch to a file on the TFTP server.

To view a list of the certificates, use the following command:

execute system certificate remote export tftp ?

<name>

Enter the name of the remote certificate.

<file-name>

Enter the file name on the TFTP server.

<tftp_ip>

Enter the TFTP server address.

execute system sniffer-profile delete-capture

Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile delete-capture <profile_name>

Example

execute system sniffer-profile delete-capture profile1

execute system sniffer-profile pause

Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile pause <profile_name>

Example

execute system sniffer-profile pause profile1

execute system sniffer-profile start

Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile start <profile-name>

Example

execute system sniffer-profile start profile1

execute system sniffer-profile stop

Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile stop <profile-name>

Examples

execute system sniffer-profile stop profile1

execute system sniffer-profile upload

Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a packet-capture profile, see config system sniffer-profile.

Syntax

execute system sniffer-profile upload ftp <profile_name> <file_name> <FTP_server_IP_address:<optional_port>>

execute system sniffer-profile upload tftp <profile_name> <file_name> <TFTP_server_IP_address:<optional_port>>

Variable

Description

<profile_name>

Enter the name of the packet-capture profile.

<file_name>

Enter the name of the .pcap file and the path where it is located.

<FTP_server_IP_address:<optional_port>>

Enter the IP address of the FTP server and optionally enter the port number.

<TFTP_server_IP_address:<optional_port>>

Enter the IP address of the TFTP server and optionally enter the port number.

Example

This example uploads the capture for profile1 as profile1.pcap to the FTP server at 192.168.1.23:

execute system sniffer-profile upload ftp profile1 profile1.pcap 192.168.1.23
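After the upload, it is worth confirming that the file on the server is a complete, well-formed capture before you run execute system sniffer-profile delete-capture and lose the copy on the switch. The following Python script is an added example, not part of the FortiSwitch CLI or of this reference; it assumes the switch writes a classic libpcap file (the .pcap name used on this page) and embeds a constructed two-packet capture in place of a real profile1.pcap so that it runs offline. The helper names (parse_pcap, check_capture, build_sample_pcap), the sample frames and the timestamps are all assumptions of the example.

```python
import struct
from typing import List, Tuple

# pcap magic numbers as seen when the first four bytes are read little-endian.
# value -> (struct byte-order prefix for the whole file, timestamp fraction units per second)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond timestamps
}
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"      # ts_sec, ts_frac, incl_len, orig_len (16 bytes)


def parse_pcap(data: bytes) -> dict:
    """Walk a classic pcap (not pcapng) file and return a summary.

    Raises ValueError on a bad magic, a truncated header, or a record whose
    length fields are inconsistent, so a damaged upload fails loudly instead
    of being reported as a shorter capture.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file: magic {magic:#010x}")
    order, ts_div = MAGICS[magic]
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + GLOBAL_HDR, data[:24])
    packets: List[Tuple[float, int, int]] = []   # (timestamp, captured bytes, original bytes)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + RECORD_HDR, data[off:off + 16])
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError(f"record at offset {off}: incl_len {incl_len} exceeds orig_len or snaplen")
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((ts_sec + ts_frac / ts_div, incl_len, orig_len))
        off += incl_len
    return {
        "version": f"{major}.{minor}",
        "linktype": linktype,   # 1 = Ethernet
        "snaplen": snaplen,
        "packets": len(packets),
        "bytes_captured": sum(p[1] for p in packets),
        "truncated_packets": sum(1 for p in packets if p[1] < p[2]),   # cut by snaplen
        "first_ts": packets[0][0] if packets else None,
        "last_ts": packets[-1][0] if packets else None,
    }


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed two-frame Ethernet capture standing in for an uploaded profile1.pcap.

    'order' selects the file byte order so both magic variants can be exercised.
    """
    hdr = struct.pack(order + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame1 = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28   # ARP, 42 bytes
    frame2 = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x00" * 46   # IPv4, 60 bytes
    rec1 = struct.pack(order + RECORD_HDR, 1_700_000_000, 250_000, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack(order + RECORD_HDR, 1_700_000_001, 500_000, len(frame2), len(frame2)) + frame2
    return hdr + rec1 + rec2


def check_capture(data: bytes) -> Tuple[bool, str]:
    """Verdict to run right after the upload: (ok, human-readable summary)."""
    try:
        info = parse_pcap(data)
    except ValueError as exc:
        return False, f"capture rejected: {exc}"
    if info["packets"] == 0:
        return False, "capture is empty: was the profile started and did any traffic match?"
    return True, f"{info['packets']} packets, {info['bytes_captured']} bytes, linktype {info['linktype']}"


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(check_capture(sample))
    print(check_capture(sample[:-10]))   # simulate an upload that stopped mid-packet
```

Against the real file, call check_capture(open("profile1.pcap", "rb").read()) on the server. A transfer that stopped mid-packet is rejected rather than reported as a shorter capture, which is the failure you want to catch before deleting the original on the switch; note also that FTP and TFTP move the file in cleartext, so the captured traffic is exposed in transit.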

execute telnet

Use this command to open a Telnet client session from the FortiSwitch to a remote host. You can use this tool to test network connectivity. Telnet carries the whole session, including any credentials you type, in cleartext, so use it for reachability checks rather than for administrative logins.

Syntax

execute telnet <telnet_ipv4 or telnet_ipv6>

<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect with. If the IPv6 address is a link-local address, you must specify an output interface using %.

Type exit to close the Telnet session.

Examples

execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.

execute telnet 1002::21

execute telnet 192.0.2.78
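The rules above (an address literal, plus a %<interface> zone that is mandatory for a link-local IPv6 address) are easy to get wrong when the command is generated by a script. The following Python function is an added example, not anything from the FortiSwitch CLI; it checks a target against those rules with the standard ipaddress module (scope IDs require Python 3.9 or later) before the command is sent. The function names and the sample target list are assumptions of the example.

```python
import ipaddress
from typing import Dict, Iterable, Tuple


def check_telnet_target(target: str) -> Tuple[bool, str]:
    """Validate an address for 'execute telnet' before it is typed into the CLI.

    Rules taken from the command description: the argument is an IPv4 or IPv6
    literal, and a link-local IPv6 address (fe80::/10) must carry a zone suffix
    ('%<interface>') naming the output interface.
    Returns (ok, message): the command to run, or the reason it was rejected.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Catches octets above 255 (e.g. 12.345.6.78), host names and junk.
        return False, f"{target!r} is not a valid IPv4 or IPv6 address"
    if addr.version == 6:
        zone = addr.scope_id   # None unless the literal carried a '%zone' suffix
        if addr.is_link_local and zone is None:
            return False, f"{target} is link-local; append %<interface>, e.g. {target}%vlan20"
        if zone is not None and not addr.is_link_local:
            return False, f"{target}: a zone suffix is only meaningful for a link-local address"
    return True, f"execute telnet {target}"


def plan_checks(targets: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Run the check over a batch of targets; returns {target: (ok, message)}."""
    return {t: check_telnet_target(t) for t in targets}


# Constructed inputs: the page's three examples plus two deliberately bad ones.
SAMPLE_TARGETS = [
    "fe80::926c:acff:fe7b:e059%vlan20",   # link-local with zone: accepted
    "1002::21",                           # global IPv6: accepted
    "192.0.2.78",                         # IPv4: accepted
    "fe80::926c:acff:fe7b:e059",          # link-local without zone: rejected
    "12.345.6.78",                        # octet out of range: rejected
]

if __name__ == "__main__":
    for target, (ok, msg) in plan_checks(SAMPLE_TARGETS).items():
        print("OK  " if ok else "FAIL", msg)
```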

execute time

Use this command to display or set the system time.

Syntax

execute time [<time_str>]

time_str has the form hh:mm:ss, where:

  • hh is the hour. The range is 00 to 23.
  • mm is the minutes. The range is 00 to 59.
  • ss is the seconds. The range is 00 to 59.

If you do not specify a time, the command returns the current system time.

When setting the time, you can shorten each field to a single digit; for example, both 01:01:01 and 1:1:1 are accepted.

Example

This example sets the system time to 15:31:03:

execute time 15:31:03

execute traceroute

Use this command to test the connection between the FortiSwitch and another network device, and display information about the network hops between the FortiSwitch and the device.

Syntax

execute traceroute {<ip_address> | <host-name>}

Example

This example shows how to test the connection to docs.fortinet.com. In this example, the traceroute command times out after the first hop, indicating a possible problem.

# execute traceroute docs.fortinet.com

traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets

1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms

2 * * *

If the FortiSwitch cannot reach a working DNS server, traceroute cannot resolve a host name; use the IP address of the remote host instead.
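To turn output like the example above into a pass/fail result, for instance in a script that collects traceroute output from many switches, the following Python parser is an added example, not part of this reference or of FortiSwitch. It reads the header and hop lines in the format shown on this page, reports the last hop that answered and the first hop at which every probe timed out, and flags whether the target itself replied. The sample output is constructed to mirror the page's example, and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([^)]+)\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<ttl> <rest of line>"
HOST_RE = re.compile(r"(\S+) \(([^)]+)\)")        # "name (address)" anywhere on the line
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


@dataclass
class Hop:
    ttl: int
    ip: Optional[str]                              # responding address; None if no probe answered
    rtts_ms: List[float] = field(default_factory=list)
    timeouts: int = 0                              # number of '*' probes on the line


def parse_traceroute(text: str) -> Tuple[dict, List[Hop]]:
    """Parse 'execute traceroute' output into a header dict and a list of hops."""
    header: dict = {}
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = {"target": m.group(1), "ip": m.group(2), "max_hops": int(m.group(3))}
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                               # blank line, prompt, or unrelated text
        ttl, rest = int(m.group(1)), m.group(2)
        host = HOST_RE.search(rest)               # search, so "* 10.0.0.3 (10.0.0.3) 2 ms *" still works
        hops.append(Hop(ttl=ttl,
                        ip=host.group(2) if host else None,
                        rtts_ms=[float(x) for x in RTT_RE.findall(rest)],
                        timeouts=rest.count("*")))
    return header, hops


def diagnose(header: dict, hops: List[Hop]) -> dict:
    """Summarize where the path stops answering.

    'reached' is True only when the final hop answered from the target's address.
    'last_responding' is the highest TTL that returned at least one reply, and
    'first_silent' the first TTL after it at which every probe timed out.
    """
    answered = [h for h in hops if h.rtts_ms]
    last = answered[-1] if answered else None
    silent = [h for h in hops if not h.rtts_ms and (last is None or h.ttl > last.ttl)]
    return {
        "reached": last is not None and last.ip == header.get("ip") and last is hops[-1],
        "last_responding": last.ttl if last else None,
        "first_silent": silent[0].ttl if silent else None,
        "hops_seen": len(hops),
    }


def analyze(text: str) -> dict:
    """Parse and diagnose in one call."""
    header, hops = parse_traceroute(text)
    return diagnose(header, hops)


# Constructed sample mirroring the output shown on this page (not captured from a device).
SAMPLE = """\
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
3 * * *
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For the sample above the result is reached=False, last_responding=1 and first_silent=2, which is the "times out after the first hop" condition the page describes; a run that ends with a hop answering from the target's own address reports reached=True.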

execute tracert6

Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol and to display information about the network hops between the FortiSwitch and the device.

Syntax

execute tracert6 [-Fdn] [-f <first_ttl>] [-i <interface>] [-m <max_ttl>] [-s <src_addr>] [-q <nprobes>] [-w <waittime>] [-z <sendwait>] <host> [<paddatalen>]

Variable

Description

-F

Set the Don’t Fragment bit.

-d

Enable debugging.

-n

Do not resolve numeric addresses to host names.

-f <first_ttl>

Set the initial time-to-live used in the first outgoing probe packet.

-i <interface>

Select the interface to use for the outgoing probes.

-m <max_ttl>

Set the max time-to-live (max number of hops) used in outgoing probe packets.

-s <src_addr>

Set the source IP address to use in outgoing probe packets.

-q <nprobes>

Set the number of probes per hop.

-w <waittime>

Set the time in seconds to wait for response to a probe. Default is 5.

-z <sendwait>

Set the time in milliseconds to pause between probes.

<host>

Enter the IP address or FQDN to probe.

<paddatalen>

Set the packet size to use when probing.

execute upload config

Use this command to upload system configurations to the flash disk from FTP or TFTP sources.

Syntax

execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute upload config tftp <filename_str> <comment> <server_ipv4>

Variable

Description

<comment>

Comment string.

<filename_str>

Filename to upload.

<server_fqdn[:port_int]>

Server fully qualified domain name and optional port.

<server_ipv4[:port_int]>

Server IP address and optional port number.

<username_str>

User name required on server.

<password_str>

Password required on server.

<backup_password_str>

Password for backup file.

execute verify image

Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.

Syntax

execute verify image {primary | secondary}

Examples

execute verify image primary

Verifying the image in flash......100%

No issue found!

execute verify image secondary

Verifying the image in flash......100%

Bad/corrupted image found in flash!

Command fail. Return code -1