execute
Use the execute commands to perform immediate operations on the FortiSwitch unit:
- execute 802-1x clear interface
- execute acl clear-counter
- execute acl key-compaction
- execute backup config
- execute backup full-config
- execute backup memory
- execute batch
- execute bpdu-guard
- execute cfg reload
- execute cfg save
- execute clear switch igmp-snoop
- execute clear system arp table
- execute cli check-template-status
- execute cli status-msg-only
- execute date
- execute dhcp lease-clear
- execute dhcp lease-list
- execute dhcp-snooping
- execute disconnect-admin-session
- execute factoryreset
- execute factoryresetfull
- execute flapguard reset
- execute interface dhcpclient-renew
- execute interface dhcp6client-renew
- execute interface pppoe-reconnect
- execute license add
- execute license enhanced-debugging
- execute license status
- execute log delete
- execute log delete-all
- execute log display
- execute log filter
- execute log-report reset
- execute loop-guard reset
- execute mac clear
- execute mac-limit-violation reset
- execute ping
- execute ping-options
- execute ping6
- execute ping6-options
- execute poe-reset
- execute reboot
- execute restore
- execute revision
- execute router clear bgp
- execute router tech-support
- execute set-next-reboot
- execute shutdown
- execute ssh
- execute stage
- execute sticky-mac
- execute switch-controller get-conn-status
- execute system certificate ca
- execute system certificate crl import auto
- execute system certificate local export tftp
- execute system certificate local generate
- execute system certificate local import tftp
- execute system certificate remote
- execute system sniffer-profile delete-capture
- execute system sniffer-profile pause
- execute system sniffer-profile start
- execute system sniffer-profile stop
- execute system sniffer-profile upload
- execute telnet
- execute time
- execute traceroute
- execute tracert6
- execute upload config
- execute verify image
execute 802-1x clear interface
Use this command to clear all authorizations on a specified interface:
execute 802-1x clear interface {internal | port<integer>}
Example
This example shows how to remove all authorizations from port 1:
execute 802-1x clear interface port1
execute acl clear-counter
Use this command to clear the ACL counters associated with the specified policy:
execute acl clear-counter {all | ingress | egress | prelookup}
Variable | Description |
all | Delete the ACL counters for all policies. |
ingress | Delete the ACL counters for ingress policies. |
egress | Delete the ACL counters for egress policies. |
prelookup | Delete the ACL counters for lookup policies. |
Example
This example deletes all ACL counters:
execute acl clear-counter all
execute acl key-compaction
NOTE: This command currently only works on the ingress policy.
Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:
execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>
Variable | Description |
all | Delete all unused classifiers for the specified group. |
ingress | Delete the unused classifiers for ingress policies for the specified group. |
egress | Delete the unused classifiers for egress policies for the specified group. |
prelookup | Delete the unused classifiers for lookup policies for the specified group. |
<group_ID> | Enter the group identifier. Group identifiers are defined in the |
Example
This example deletes all unused classifiers from group 5:
execute acl key-compaction all 5
execute backup config
Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash disk, FTP server, or TFTP server.
Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
Variable | Description |
config flash <comment> | Back up the system configuration to the flash disk. Optionally, include a comment. |
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] | Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data. |
config tftp <filename_str> <server_ipv4> [<backup_password_str>] | Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data. |
Example
This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
execute backup full-config
Use the execute backup full-config commands to back up the full FortiSwitch configuration to a TFTP or FTP server.
Syntax
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
Variable | Description |
full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] | Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data. |
full-config tftp <filename_str> <server_ipv4> [<backup_password_str>] | Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data. |
Example
This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup full-config tftp fgt.cfg 192.168.1.23
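One way to check planned backup commands against the config and full-config syntax above, as an added example that is not Fortinet code: it flags backups that omit the optional <backup_password_str> and FTP forms that put the account password on the command line. The function names, the runbook format and the placeholder passphrases are assumptions made for this example.

```python
import shlex

# Scopes whose syntax on this page ends with an optional <backup_password_str>.
SCOPES = ("config", "full-config")


def check_backup_command(line):
    """Return findings for one CLI line; an empty list means nothing to report."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[:2] != ["execute", "backup"]:
        return []
    scope, transport = tokens[2], tokens[3]
    if scope not in SCOPES or transport not in ("tftp", "ftp"):
        return []  # flash and memory forms take no backup password argument
    args = tokens[4:]
    if len(args) < 2:
        return ["incomplete: <filename_str> and the server are both required"]
    optional = args[2:]  # everything after <filename_str> <server>
    findings = []
    if transport == "tftp":
        # tftp <filename_str> <server_ipv4> [<backup_password_str>]
        if not optional:
            findings.append("no <backup_password_str>: saved data is not password-protected")
        elif len(optional) > 1:
            findings.append("too many arguments for the tftp form")
    else:
        # ftp <filename_str> <server> [<username_str> [<password_str>]] [<backup_password_str>]
        if not optional:
            findings.append("no <backup_password_str>: saved data is not password-protected")
        elif len(optional) == 3:
            findings.append("FTP account password is typed on the command line")
        elif len(optional) < 3:
            # One or two trailing values can be read as user, user+password
            # or user+backup password; position alone cannot settle it.
            findings.append("ambiguous: cannot tell by position whether a backup password was given")
        else:
            findings.append("too many arguments for the ftp form")
    return findings


def audit_runbook(text):
    """Map 1-based line numbers to findings for every flagged line in a runbook."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        findings = check_backup_command(line)
        if findings:
            report[number] = findings
    return report


# Constructed runbook. The first two commands are the examples from this page;
# the account name and passphrases in the other lines are placeholders.
SAMPLE_RUNBOOK = """\
execute backup config tftp fgt.cfg 192.168.1.23
execute backup full-config tftp fgt.cfg 192.168.1.23
execute backup full-config tftp fgt.cfg 192.168.1.23 EXAMPLE-PASSPHRASE
execute backup config ftp fgt.cfg 192.168.1.23 backupuser
execute backup config ftp fgt.cfg 192.168.1.23 backupuser EXAMPLE-FTP-PW EXAMPLE-PASSPHRASE
execute backup config flash "before change"
"""

if __name__ == "__main__":
    for number, findings in audit_runbook(SAMPLE_RUNBOOK).items():
        for finding in findings:
            print("line %d: %s" % (number, finding))
```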
execute backup memory
Use the execute backup memory commands to back up the FortiSwitch logs to a TFTP or FTP server.
Syntax
execute backup memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup memory alllogs tftp <server_ipv4>
execute backup memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
execute backup memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
Variable | Description |
memory alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] | Back up either all memory or all hard disk log files for this FortiSwitch to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory alllogs tftp <server_ipv4> | Back up either all memory or all hard disk log files for this FortiSwitch to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter} | Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory log tftp <server_ipv4> {app-ctrl | event | ids | im | spam | virus | voip | webfilter} | Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
Example
This example shows how to back up all FortiSwitch log files to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup memory alllogs tftp fgt.cfg 192.168.1.23
execute batch
Use the execute batch commands to execute a series of CLI commands.
The execute batch commands are controlled by the Maintenance (mntgrp) access control group.
Syntax
execute batch [<cmd_cue>]
The parameter <cmd_cue> includes the following values:
- end: exit session and run the batch commands
- lastlog: read the result of the last batch commands
- start: start batch mode
- status: batch mode status reporting if batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
execute bpdu-guard
Use this command to reset a port that goes down after receiving a BPDU:
execute bpdu-guard reset {internal | port<number>}
Example
This example shows how to reset port 1 after it receives a BPDU and goes down:
execute bpdu-guard reset port1
execute cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiSwitch performs a restart.
In the default configuration change mode, automatic, CLI commands become part of the saved system configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you run the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.
execute cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you run the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
execute clear switch igmp-snoop
Use this command to clear the learned and configured multicast groups from the FortiSwitch unit.
Syntax
execute clear switch igmp-snoop
execute clear system arp table
Use this command to clear all the entries in the ARP table.
Syntax
execute clear system arp table
execute cli check-template-status
Use this command to report the status of the secure copy protocol (SCP) script template.
Syntax
execute cli check-template-status
execute cli status-msg-only
Use this command to enable or disable the display of standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session.
Syntax
execute cli status-msg-only {enable | disable}
Variable | Description | Default |
status-msg-only {enable | disable} | Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output. | enable |
execute date
Use this command to display or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where:
- yyyy is the year. The range is: 2001 to 2037
- mm is the month. The range is 01 to 12
- dd is the day of the month. The range is 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as “06” instead of “2006” for the year or “1” instead of “01” for month or day, are not valid.
Example
This example sets the date to 17 September 2016:
execute date 2016-09-17
execute dhcp lease-clear
Use these commands to clear DHCP leases:
execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
Variable | Description | Default |
lease-clear all | Clear all DHCP leases. | No default |
lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...> | Clear the DHCP leases for the specified IPv4 addresses. Use a comma to separate IPv4 addresses. | No default |
Example
This example shows how to clear all DHCP leases on the specified IPv4 addresses:
execute dhcp lease-clear 1.2.3.4,5.6.7.8
execute dhcp lease-list
Use these commands to list DHCP leases:
execute dhcp lease-list
execute dhcp lease-list <interface>
Variable | Description | Default |
lease-list | List all DHCP leases. | No default |
lease-list <interface> | List the DHCP leases for the specified interface. | No default |
Example
This example shows how to list all DHCP leases:
execute dhcp lease-list
execute dhcp-snooping
Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:
execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>
execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>
Variable | Description | Default |
<VLAN-ID> | Enter the VLAN identifier. The value range is 1-4095. | No default |
<xx:xx:xx:xx:xx:xx> | Enter the MAC address for the IP address to remove. | No default |
Example
This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address 01:23:45:67:89:01 from the DHCP-snooping client database:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01
execute disconnect-admin-session
Use this command to disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect the logged-in administrator admin2:
execute disconnect-admin-session 1
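The following added example, which is not part of the FortiSwitch documentation, parses the session listing shown above and returns the disconnect command for each session whose FROM address lies outside a management subnet. The subnet, the function names and the assumption that columns are whitespace-separated as in the sample are choices made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Listing copied from the sample output on this page.
SAMPLE_LISTING = """\
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

# Hypothetical management subnet (assumption): 172.20.120.48 to 172.20.120.51.
ALLOWED_NETWORKS = [ipaddress.ip_network("172.20.120.48/30")]

# FROM is either a bare address or wrapped as protocol(address), e.g. ssh(...).
_WRAPPED = re.compile(r"^(?P<proto>[A-Za-z0-9_-]+)\((?P<addr>[^)]+)\)$")


@dataclass
class AdminSession:
    index: int
    username: str
    kind: str        # TYPE column (WEB, CLI, ...)
    source: str      # FROM column exactly as printed
    address: object  # ipaddress object, or None when FROM holds no address
    since: str       # TIME column


def _source_address(field):
    """Extract the IP address from the FROM column, or None if there is none."""
    match = _WRAPPED.match(field)
    candidate = match.group("addr") if match else field
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def parse_admin_sessions(listing):
    """Turn the listing into AdminSession records, skipping the two header lines."""
    sessions = []
    for line in listing.splitlines():
        parts = line.split(None, 4)  # TIME contains spaces, so split only 4 times
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        index, username, kind, source, since = parts
        sessions.append(
            AdminSession(int(index), username, kind, source,
                         _source_address(source), since.strip())
        )
    return sessions


def sessions_to_review(sessions, allowed=ALLOWED_NETWORKS):
    """Sessions whose source is unparsable or outside every allowed network."""
    flagged = []
    for session in sessions:
        inside = session.address is not None and any(
            session.address in network for network in allowed
        )
        if not inside:
            flagged.append(session)
    return flagged


def disconnect_commands(sessions):
    """Build the command from this section for each session index."""
    return ["execute disconnect-admin-session %d" % s.index for s in sessions]


if __name__ == "__main__":
    parsed = parse_admin_sessions(SAMPLE_LISTING)
    for command in disconnect_commands(sessions_to_review(parsed)):
        print(command)
```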
execute factoryreset
Use this command to reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryreset
This procedure deletes all changes that you have made to the FortiSwitch configuration and reverts the system to its original configuration, including resetting interface addresses.
execute factoryresetfull
Use this command to fully reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryresetfull
This procedure removes all configurations, saved user and application data, and licenses and resets the BIOS environment to the default. Images saved to the partitions are not removed.
execute flapguard reset
Use this command to reset the specified port if flap guard was triggered on that port:
execute flapguard reset <port_name>
Example
This example shows how to reset port 1 after flap guard was triggered on it:
execute flapguard reset port1
execute interface dhcpclient-renew
Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <interface>
Example output
This is the output for renewing the DHCP client on port 1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
execute interface dhcp6client-renew
Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is no DHCPv6 connection on the specified port, there is no output.
Syntax
execute interface dhcp6client-renew <interface>
execute interface pppoe-reconnect
Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <interface>
execute license add
Use this command to add a new license.
Syntax
execute license add <key>
execute license enhanced-debugging
Use this command to get information about the enhanced debugging license or to remove it.
Syntax
execute license enhanced-debugging {clear | description | get | status}
Variable | Description |
clear | Remove the current enhanced debugging license key. |
description | Get a general description of the enhanced debugging license key. |
get | Retrieve the enhanced debugging license key. |
status | Check whether the enhanced debugging license is active. |
Example output
S524DF4K15000024 # execute license enhanced-debugging description
This license will enable potentially hazardous debug, such as shells and other features.
S524DF4K15000024 # execute license enhanced-debugging status
enhanced-debugging: Active
Debug license flags: 0x01
execute license status
Use this command to display the status of all installed licenses.
Syntax
execute license status
Example output
S524DF4K15000024 # execute license status
License | Status
enhanced-debugging : Active
FS-SW-LIC-500 : Active
execute log delete
Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.
Syntax
execute log delete
execute log delete-all
Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk, only log entries in system memory are cleared. You will be prompted to confirm the command.
Syntax
execute log delete-all
execute log display
Use this command to display log messages that you have selected with the execute log filter command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following commands:
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the following command:
execute log filter reset
execute log filter
Use this command to select log messages for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to view.
execute log filter category <category_name>
execute log filter device {memory | faz | fds}
execute log filter dump
execute log filter field <name>
execute log filter ha-member <unitsn_str>
execute log filter max-checklines <int>
execute log filter reset
execute log filter start-line <line_number>
execute log filter view-lines <count>
Variable | Description | Default |
category <category_name> | Enter the type of log you want to select. For SQL logging and memory logging, one of: utm, content, event, or traffic | event |
device {memory | faz | fds} | Device where the logs are stored. | memory |
dump | Display current filter settings. | No default |
field <name> | Press Enter to view the fields that are available for the associated category. Enter the fields you want, using commas to separate multiple fields. | No default |
ha-member <unitsn_str> | Select logs from the specified HA cluster member. Enter the serial number of the system. | No default |
max-checklines <int> | Set the maximum number of lines to check. Range 100 to 1,000,000. A value of 0 disables the feature. | No default |
reset | Execute this command to reset all filter settings. | No default |
start-line <line_number> | Select logs starting at the specified line number. The value must be 1 or higher. | 1 |
view-lines <count> | Set lines per view. The value range is 5 to 1000. | 10 |
execute log-report reset
Use this command to delete all logs, archives, and user configured report templates.
Syntax
execute log-report reset
execute loop-guard reset
Use this command to reset a port that has been put out of service by loop-guard.
execute loop-guard reset <interface>
Example
This example shows how to reset port 1 after loop guard was triggered on it:
execute loop-guard reset port1
execute mac clear
Use this command to clear MAC addresses.
Syntax
execute mac clear all
execute mac clear by-interface <interface>
execute mac clear by-mac-address <mac_address>
execute mac clear by-vlan <vlan_int>
execute mac clear by-vlan-and-interface <vlan_int> <interface>
execute mac clear by-vlan-and-mac-address <vlan_int> <mac_address>
Variable | Description |
all | Clear all MAC entries. |
by-interface <interface> | Clear all MAC entries on the specified interface. |
by-mac-address <mac_address> | Clear all MAC entries for a specified MAC address. |
by-vlan <vlan_int> | Clear all MAC entries for a specified VLAN. |
by-vlan-and-interface <vlan_int> <interface> | Clear all MAC entries for a specified VLAN on a specified interface. |
by-vlan-and-mac-address <vlan_int> <mac_address> | Clear all MAC entries for a specified VLAN that match the specified MAC address. |
execute mac-limit-violation reset
Use these commands to reset the learning limit violation log.
To enable or disable the learning limit violation log for a FortiSwitch unit, see config switch global.
Syntax
execute mac-limit-violation reset all
execute mac-limit-violation reset interface <interface_name>
execute mac-limit-violation reset vlan <VLAN_ID>
Variable | Description |
all | Clear all learning limit violation logs. |
interface <interface_name> | Clear the learning limit violation log for a specific interface. |
vlan <VLAN_ID> | Clear the learning limit violation log for a specific VLAN. |
Example
This example shows how to clear the learning limit violation log for VLAN 5:
execute mac-limit-violation reset vlan 5
execute ping
The execute ping command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and another network device.
Syntax
execute ping <address_ipv4>
<address_ipv4> is an IP address.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
#execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
execute ping-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and another network device.
Syntax
execute ping-options adaptive-ping {enable | disable}
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options interface {Auto | <outgoing_interface>}
execute ping-options interval <seconds>
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options reset
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Variable | Description | Default |
adaptive-ping {enable | disable} | Enable or disable adaptive ping. | disable |
data-size <bytes> | Specify the datagram size in bytes. | 56 |
df-bit {yes | no} | Set | no |
interface {Auto | <outgoing_interface>} | Specify the source interface or select | auto |
interval <seconds> | Specify the number of seconds between two pings. The value must be greater than 0. | No default |
pattern <2-byte_hex> | Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the | No default |
repeat-count <repeats> | Specify how many times to repeat ping. | 5 |
reset | Reset the ping options to their default settings. | No default |
source {auto | <source-intf_ip>} | Specify the FortiSwitch interface from which to send the ping. If you specify | auto |
timeout <seconds> | Specify, in seconds, how long to wait until ping times out. | 2 |
tos <service_type> | Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: | 0 |
ttl <hops> | Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. | 64 |
validate-reply {yes | no} | Select | |
view-settings | Display the current ping option settings. | No default |
Example
Use the following command to increase the number of pings sent:
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:
execute ping-options source 192.168.10.23
execute ping6
The ping6 command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and an IPv6-capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
execute ping6-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and an IPv6-capable network device.
Syntax
execute ping6-options data-size <bytes>
execute ping6-options interval <seconds>
execute ping6-options pattern <2-byte_hex>
execute ping6-options repeat-count <repeats>
execute ping6-options source {auto | <source-intf_ip>}
execute ping6-options timeout <seconds>
execute ping6-options tos <service_type>
execute ping6-options ttl <hops>
execute ping6-options validate-reply {yes | no}
execute ping6-options view-settings
Variable | Description | Default |
data-size <bytes> | Specify the datagram size in bytes. | 56 |
df-bit {yes | no} | Set | no |
interval <seconds> | Specify the number of seconds between two pings. The value must be greater than 0. | No default |
pattern <2-byte_hex> | Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the | No default |
repeat-count <repeats> | Specify how many times to repeat ping. | 5 |
source {auto | <source-intf_ip>} | Specify the FortiSwitch interface from which to send the ping. If you specify | auto |
timeout <seconds> | Specify, in seconds, how long to wait until ping times out. | 2 |
tos <service_type> | Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: | 0 |
ttl <hops> | Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. | 64 |
validate-reply {yes | no} | Select | |
view-settings | Display the current ping option settings. | No default |
Example
Use the following command to validate reply data:
execute ping6-options validate-reply yes
execute poe-reset
This command performs a PoE reset on the specified port.
Syntax
execute poe-reset <port_number>
Example
Use the following command to reset the PoE power on port 1:
execute poe-reset port1
execute reboot
Use this command to restart the system.
|
Abruptly powering off your system may corrupt its configuration. Use the |
Syntax
execute reboot [comment <"comment_string">]
[comment <"comment_string">] enables you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotation marks.
Example
This example shows the reboot command with a message included:
execute reboot comment "December monthly maintenance"
execute restore
Use this command to restore a configuration, firmware, or IPS signature file. The following options are available:
- restore the configuration from a file
- change the FortiSwitch firmware
- restore the BIOS from a file
When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
execute restore bios tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
Variable | Description |
bios tftp <filename_str> <server_ipv4[:port_int]> | Restore the BIOS. Download the restore file from a TFTP server. |
config flash <revision> | Restore the specified revision of the system configuration from the flash disk. |
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>] | Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password. |
config tftp <filename_str> <server_ipv4> [<backup_password_str>] | Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password. |
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] | Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. This command is not available in multiple VDOM mode. |
image management-station <version_int> | Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images. |
image tftp <filename_str> <server_ipv4> | Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. |
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] | Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition. |
secondary-image tftp <filename_str> <server_ipv4> | Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit saves the new firmware image in the secondary image partition. |
Example
This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
execute revision
Use this command to manage configuration and firmware image files on the local disk.
Syntax
execute revision delete config <revision>
execute revision list config
execute revision show config
| Variable | Description |
| --- | --- |
| delete config <revision> | Delete the specified configuration revision on the local disk. |
| list config | List the configuration revisions on the local disk. |
| show config | Display the details of the configuration revision on the local disk. |
Example
Use the following command to delete revision 1 of the configuration file on the local disk:
execute revision delete config 1
execute router clear bgp
Use this command to clear the BGP routing configuration.
Syntax
execute router clear bgp {all | as | dampening | external | ip}
| Variable | Description |
| --- | --- |
| all <arguments> | Clear all BGP peers. |
| as <arguments> | Clear a BGP peer by AS number. |
| dampening {<IP_address> \| <IP_address/length>} | Clear the BGP flap-dampening information. |
| external <arguments> | Clear all external BGP peers. |
| ip <arguments> | Clear a BGP peer by IP address. |
Example
Use the following command to delete the BGP flap-dampening information:
execute router clear bgp dampening 1.2.3.4
execute router clear ospf
Use this command to clear the OSPF routing configuration from the specified interface.
Syntax
execute router clear ospf interface <interface_name>
Example
Use the following command to delete the OSPF routing configuration from the VLAN interface:
execute router clear ospf interface vlan20
execute router tech-support
Use this command to display the specified routing configuration and troubleshooting information.
Syntax
execute router tech-support {ospf | rip | bgp | isis | static}
Example
Use the following command to display the BGP routing configuration and troubleshooting information:
execute router tech-support bgp
execute set-next-reboot
Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition.
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.
Syntax
execute set-next-reboot <primary | secondary>
Example
This example specifies that the next reboot will use the secondary flash partition:
execute set-next-reboot secondary
Set next reboot partition to secondary
execute shutdown
Use this command to shut down the system immediately. You will be prompted to confirm this command.
Abruptly powering off your system might corrupt its configuration. Using the reboot and shutdown options in the CLI or in the Web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute shutdown [comment <"comment_string">]
The comment field is optional. Use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotation marks.
Example
This example shows the shutdown command with a message included:
execute shutdown comment "emergency facility shutdown"
An event log message similar to the following is recorded:
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
execute ssh
Use this command to establish an SSH session with another system.
Syntax
execute ssh <destination>
<destination> is the destination in the form user@IPv4_address, user@IPv6_address, or user@DNS_name. If the IPv6 address is a link-local address, you must specify an output interface using %.
Examples
execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute ssh admin@172.20.120.122
execute ssh 1002::21
execute ssh 12.345.6.78
To end an SSH session, type exit:
S524DF4K15000024 # exit
Connection to 172.20.120.122 closed.
S524DF4K15000024 #
execute stage
Use this command to stage an image from an FTP or TFTP server.
Syntax
execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>
image is the image file name (including path) on the remote server.
execute sticky-mac
Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a FortiSwitch port changes (goes down or up).
Syntax
execute sticky-mac delete-unsaved {all | interface <interface_name>}
execute sticky-mac save {all | interface <interface_name>}
| Variable | Description |
| --- | --- |
| delete-unsaved {all \| interface <interface_name>} | Delete all persistent MAC entries (instead of saving them in the FortiSwitch configuration file) for all interfaces or for the specified interface. |
| save {all \| interface <interface_name>} | Save all persistent MAC entries in the FortiSwitch configuration file for all interfaces or for the specified interface. |
execute switch-controller get-conn-status
Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch is managed by a FortiGate.
Syntax
execute switch-controller get-conn-status
Example
S524DF4K15000024 # execute switch-controller get-conn-status
Get managed-switch S524DF4K15000024 connection status:
Connection: Connected
Image Version: FG100D-v6.2-build849
Remote Address: xxx.xxx.x.x
Join Time: Wed Mar 13 08:38:57 2019
DTLS Version: DTLSv1.2
execute system certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate from the FortiSwitch to a TFTP server.
Before using this command, you must obtain a CA certificate issued by a Certificate Authority.
Syntax
execute system certificate ca export tftp <name> <file-name> <tftp_ip>
execute system certificate ca import auto <ca_server_url> [ca_identifier_str]
execute system certificate ca import tftp <file-name> <tftp_ip>
| Variable | Description |
| --- | --- |
| import | Import the CA certificate from a TFTP server to the FortiSwitch unit. |
| export | Export or copy the CA certificate from the FortiSwitch to a file on the TFTP server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2. |
| <name> | Enter the name of the CA certificate. |
| <file-name> | Enter the file name on the TFTP server. |
| <tftp_ip> | Enter the TFTP server address. |
| auto | Retrieve a CA certificate from a SCEP server. |
| tftp | Import the CA certificate to the FortiSwitch from a file on a TFTP server (local administrator PC). |
| <ca_server_url> | Enter the URL of the CA certificate server. |
| <ca_identifier_str> | CA identifier on CA certificate server (optional). |
execute system certificate crl import auto
Use this command to get a certificate revocation list via LDAP, HTTP, or SCEP protocol, depending on the autoupdate configuration.
To use this command, the authentication servers must already be configured.
Syntax
execute system certificate crl import auto <crl-name>
| Variable | Description |
| --- | --- |
| import | Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiSwitch unit. |
| <crl-name> | Enter the name of the CRL. |
| auto | Trigger an auto-update of the CRL from the configured authentication server. |
execute system certificate local export tftp
Use this command to export a local certificate from the FortiSwitch to a TFTP server.
Syntax
execute system certificate local export tftp <name> <file-name> <tftp_ip>
| Variable | Description |
| --- | --- |
| export | Export or copy the local certificate from the FortiSwitch unit to a file on the TFTP server. |
| <name> | Enter the name of the local certificate. Available local certificates are Entrust_802.1x, Fortinet_Factory, and Fortinet_Firmware. |
| <file-name> | Enter the file name on the TFTP server. |
| <tftp_ip> | Enter the TFTP server address. |
execute system certificate local generate
Use this command to generate a local certificate.
When you generate a certificate request, you create a private and public key pair for the local FortiSwitch unit. The public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the system certificate local import command to install it on the FortiSwitch unit.
Syntax
execute system certificate local generate <name> <key-length> <subject_str> <country> <state> <city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>
| Variable | Description |
| --- | --- |
| <name> | Enter the local certificate name. |
| <key-length> | Enter the key size, which can be 1024, 1536, or 2048. |
| <subject_str> | Enter the subject (host IP address/domain name/e-mail address). |
| <country> | Enter the country name (such as |
| <state> | Enter the state. |
| <city> | Enter the city. |
| <organization> | Enter the company name. |
| <bu> | Enter the business unit. |
| <email> | Enter the email address. |
| <SAN> | This field is optional. Enter a subject alternative name. |
| <URL> | This field is optional. Enter the URL of the CA server for signing using SCEP. |
| <challenge> | Enter the challenge password for signing using SCEP. |
| <source_IP> | This field is optional. Enter the source IP address for communicating with the CA server. |
| <CA_id> | This field is optional. Enter the CA identifier of the CA server for signing using SCEP. |
| <password> | This field is optional. Enter the password if you are using a private key. |
execute system certificate local import tftp
Use this command to import a local certificate to the FortiSwitch from a TFTP server.
Syntax
execute system certificate local import tftp <file-name> <tftp_ip>
| Variable | Description |
| --- | --- |
| <name> | Enter the name of the local certificate. |
| <file-name> | Enter the file name on the TFTP server. |
| <tftp_ip> | Enter the TFTP server address. |
execute system certificate remote
Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
execute system certificate remote import tftp <file-name> <tftp_ip>
execute system certificate remote export tftp <name> <file-name> <tftp_ip>
| Variable | Description |
| --- | --- |
| import | Import the remote certificate from the TFTP server to the FortiSwitch unit. |
| export | Export or copy the remote certificate from the FortiSwitch to a file on the TFTP server. To view a list of the certificates, use the following command: |
| <name> | Enter the name of the local certificate. |
| <file-name> | Enter the file name on the TFTP server. |
| <tftp_ip> | Enter the TFTP server address. |
execute system sniffer-profile delete-capture
Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile delete-capture <profile_name>
Example
execute system sniffer-profile delete-capture profile1
execute system sniffer-profile pause
Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile pause <profile_name>
Example
execute system sniffer-profile pause profile1
execute system sniffer-profile start
Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile start <profile-name>
Example
execute system sniffer-profile start profile1
execute system sniffer-profile stop
Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile stop <profile-name>
Examples
execute system sniffer-profile stop profile1
execute system sniffer-profile upload
Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile upload ftp <profile_name> <file_name> <FTP_server_IP_address:<optional_port>>
execute system sniffer-profile upload tftp <profile_name> <file_name> <TFTP_server_IP_address:<optional_port>>
| Variable | Description |
| --- | --- |
| <profile_name> | Enter the name of the packet-capture profile. |
| <file_name> | Enter the name of the .pcap file and the path where it is located. |
| <FTP_server_IP_address:<optional_port>> | Enter the IP address of the FTP server and optionally enter the port number. |
| <TFTP_server_IP_address:<optional_port>> | Enter the IP address of the TFTP server and optionally enter the port number. |
Examples
execute system sniffer-profile upload ftp profile profile1.pcap 192.168.1.23
execute telnet
Use this command to create a Telnet client. You can use this tool to test network connectivity.
Syntax
execute telnet <telnet_ipv4 or telnet_ipv6>
<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect with. If the IPv6 address is a link-local address, you must specify an output interface using %.
Type exit to close the Telnet session.
Examples
execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute telnet 1002::21
execute telnet 12.345.6.78
execute time
Use this command to display or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where:
- hh is the hour. The range is 00 to 23.
- mm is the minutes. The range is 00 to 59.
- ss is the seconds. The range is 00 to 59.
If you do not specify a time, the command returns the current system time.
You can shorten numbers to a single digit when setting the time. For example, both 01:01:01 and 1:1:1 are allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
execute traceroute
Use this command to test the connection between the FortiSwitch and another network device, and display information about the network hops between the FortiSwitch and the device.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with http://docs.forticare.com. In this example, the traceroute command times out after the first hop, indicating a possible problem.
#execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
If your FortiSwitch is not connected to a working DNS server, you will not be able to connect to remote host-named locations with traceroute.
execute tracert6
Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol and to display information about the network hops between the FortiSwitch and the device.
Syntax
tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl]
[-s src_addr] [-q nprobes] [-w waittime] [-z sendwait]
host [paddatalen]
| Variable | Description |
| --- | --- |
| -F | Set the Don’t Fragment bit. |
| -d | Enable debugging. |
| -n | Do not resolve numeric addresses to domain names. |
| -f <first_ttl> | Set the initial time-to-live used in the first outgoing probe packet. |
| -i <interface> | Select the interface to use for tracert. |
| -m <max_ttl> | Set the max time-to-live (max number of hops) used in outgoing probe packets. |
| -s <src_addr> | Set the source IP address to use in outgoing probe packets. |
| -q <nprobes> | Set the number of probes per hop. |
| -w <waittime> | Set the time in seconds to wait for a response to a probe. Default is 5. |
| -z <sendwait> | Set the time in milliseconds to pause between probes. |
| host | Enter the IP address or FQDN to probe. |
| <paddatalen> | Set the packet size to use when probing. |
execute upload config
Use this command to upload system configurations to the flash disk from FTP or TFTP sources.
Syntax
execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
| Variable | Description |
| --- | --- |
| <comment> | Comment string. |
| <filename_str> | Filename to upload. |
| <server_fqdn[:port_int]> | Server fully qualified domain name and optional port. |
| <server_ipv4[:port_int]> | Server IP address and optional port number. |
| <username_str> | User name required on server. |
| <password_str> | Password required on server. |
| <backup_password_str> | Password for backup file. |
execute verify image
Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.
Syntax
execute verify image {primary | secondary}
Example
execute verify image primary
Verifying the image in flash......100%
No issue found!
execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
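The following added example (not part of the FortiSwitch documentation) shows one way to use the verification result as a gate before running execute set-next-reboot: it parses a captured CLI transcript and refuses to select a partition whose image did not verify cleanly. It assumes the output lines match the sample above; the transcript and the function names are constructed for illustration.

```python
import re

# Constructed transcript modelled on the sample output above; the prompt
# string is the one used in this page's other examples.
SAMPLE_TRANSCRIPT = """\
S524DF4K15000024 # execute verify image primary
Verifying the image in flash......100%
No issue found!
S524DF4K15000024 # execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
"""

# Matches the command echo with or without a leading CLI prompt.
VERIFY_CMD = re.compile(r"execute verify image (primary|secondary)\s*$")


def parse_verify_transcript(text):
    """Map each verified partition to 'ok', 'corrupt' or 'unknown'.

    'unknown' covers output that ends before a verdict line (for example a
    dropped session); callers must treat it as a failure.
    """
    results = {}
    current = None
    for line in text.splitlines():
        match = VERIFY_CMD.search(line)
        if match:
            current = match.group(1)
            results[current] = "unknown"
        elif current is None:
            continue
        elif "Bad/corrupted image" in line or "Command fail" in line:
            results[current] = "corrupt"  # a failure line always wins
        elif "No issue found" in line and results[current] == "unknown":
            results[current] = "ok"
    return results


def next_reboot_command(text, partition):
    """Return the set-next-reboot command only if that partition verified clean."""
    status = parse_verify_transcript(text).get(partition, "not verified")
    if status != "ok":
        raise ValueError(f"refusing to boot {partition}: image status is {status}")
    return f"execute set-next-reboot {partition}"


if __name__ == "__main__":
    print(parse_verify_transcript(SAMPLE_TRANSCRIPT))
    print(next_reboot_command(SAMPLE_TRANSCRIPT, "primary"))
```

A partition that was never verified, or whose output was cut off before the verdict line, is rejected in the same way as a corrupted one.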