config system
Use the config system
commands to configure options related to the overall operation of the FortiSwitch unit:
- config system accprofile
- config system admin
- config system arp-table
- config system bug-report
- config system certificate ca
- config system certificate crl
- config system certificate local
- config system certificate ocsp
- config system certificate remote
- config system console
- config system dhcp server
- config system dns
- config system flow-export
- config system fsw-cloud
- config system global
- config system interface
- config system ipv6-neighbor-cache
- config system link-monitor
- config system location
- config system ntp
- config system password-policy
- config system schedule group
- config system schedule onetime
- config system schedule recurring
- config system settings
- config system sflow
- config system sniffer-profile
- config system snmp community
- config system snmp sysinfo
- config system snmp user
config system accprofile
Use this command to add access profile groups that control administrator access to FortiSwitch features. Each FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiSwitch features.
Syntax
config system accprofile
edit <profile-name>
set admingrp {none | read | read-write}
set loggrp {none | read | read-write}
set netgrp {none | read | read-write}
set routegrp {none | read | read-write}
set sysgrp {none | read | read-write}
end
Variable |
Description |
Default |
<profile-name> |
Enter the name for the profile. |
No default |
admingrp {none | read | read-write} |
Set the access permission for admingrp. |
none |
loggrp {none | read | read-write} |
Set the access permission for loggrp. |
none |
netgrp {none | read | read-write} |
Set the access permission for netgrp. |
none |
routegrp {none | read | read-write} |
Set the access permission for routegrp. |
none |
sysgrp {none | read | read-write} |
Set the access permission for sysgrp. |
none |
Example
This example shows how to configure an access profile with just read-only permission:
config system accprofile
edit profile1
set admingrp read
set loggrp read
set netgrp read
set routegrp read
set sysgrp read
end
config system admin
Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change the access profile (super_admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly. The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making changes.
You can authenticate administrators using a password stored on the FortiSwitch unit or you can use a RADIUS server to perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiSwitch unit as an administrator.
Syntax
config system admin
edit <admin_name>
set accprofile <profile-name>
set accprofile-override {enable | disable}
set allow-remove-admin-session {enable | disable}
set comments <comments_string>
set gui-detail-panel-location {bottom | ide | side}
set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 |
ip6-trusthost4 | ip6-tru sthost5 | ip6-trusthost6 |
ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 |
ip6-trusthost10} <address_ipv6mask>
set password <admin_password>
set peer-auth {disable | enable}
set peer-group <peer-grp>
set remote-auth {enable | disable}
set remote-group <name>
set wildcard {enable | disable}
set schedule <schedule-name>
set ssh-public-key1 "<key-type> <key-value>"
set ssh-public-key2 "<key-type> <key-value>"
set ssh-public-key3 "<key-type> <key-value>"
set {trusthost1 | trusthost2 | trusthost3 | trusthost4 |
trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9
| trusthost10} <address_ipv4mask>
end
end
Variable |
Description |
Default |
<admin_name> |
Enter the name for the admin account. |
No default |
accprofile <profile‑name> |
Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features. |
No default |
accprofile-override {enable | disable} |
Enable or disable whether the remote authentication server can override the accesss profile. |
disable |
allow-remove-admin-session {enable | disable} |
Allow admin session to be removed by privileged admin users |
disable |
comments <comments_string> |
Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional) |
No default |
gui-detail-panel-location {bottom | hide | side} |
Choose the position of the log detail window. |
bottom |
{ip6-trusthost1 | ip6‑trusthost2 | ip6‑trusthost3 | ip6‑trusthost4 | ip6‑trusthost5 | ip6‑trusthost6 | ip6‑trusthost7 | ip6‑trusthost8 | ip6‑trusthost9 | ip6‑trusthost10} <address_ipv6mask> |
Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit. If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0. |
::/0 |
password <admin_password> |
Enter the password for this administrator. It can be up to 256 characters in length. |
No default |
peer-auth {disable | enable} |
Set to enable peer certificate authentication (for HTTPS admin access). |
disable |
peer-group <peer-grp> |
Name of peer group defined under |
No default |
remote-auth {enable | disable} |
Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server. |
disable |
remote-group <name> |
Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication. This is available only when |
No default |
wildcard {enable | disable} |
Enable or disable wildcard RADIUS authentication. This option is available only when |
disable |
schedule <schedule-name> |
Restrict times that an administrator can log in. Defined in |
No default |
ssh-public-key1 "<key‑type> <key‑value>" |
You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
|
No default |
ssh-public-key2 "<key‑type> <key‑value>" |
No default |
|
ssh-public-key3 "<key‑type> <key‑value>" |
No default |
|
{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask> |
Any IPv4 address or subnet address and netmask from which the administrator can connect to the system. If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. |
0.0.0.0 0.0.0.0 |
Example
The following example creates a RADIUS system admin group:
config system admin
edit "RADIUS_Admins"
set remote-auth enable
set accprofile "super_admin"
set wildcard enable
set remote-group "RADIUS_Admins"
next
end
config system arp-table
Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of a interface name, an IP address, and a MAC address.
Syntax
config system arp-table
edit <table_value>
set interface {<string> | internal | mgmt}
set ip <address_ipv4>
set mac <mac_address>
end
Variable |
Description |
Default |
<table_value> |
Enter the identification number for the table. |
No default |
interface {<string> | internal | mgmt} |
Enter the interface to associate with this ARP entry |
No default |
ip <address_ipv4> |
Enter the IP address of the ARP entry. |
0.0.0.0 |
mac <mac_address> |
Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx. |
00:00:00:00:00:00 |
Example
This example shows how to add an entry to an ARP table:
config system arp-table
edit 1
set interface internal
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
end
config system bug-report
Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.
Syntax
config system bug-report
set auth {no | yes}
set mailto <email_address>
set password <password>
set server <servername>
set username <name>
set username-smtp <account_name>
end
Variable |
Description |
Default |
auth {no | yes} |
Enter |
no |
mailto <email_address> |
The email address for bug reports. |
fortiswitch@fortinet.com |
password <password> |
If the SMTP server requires authentication, enter the required password. |
No default |
server <servername> |
The SMTP server to use for sending bug report email. |
fortinet.com |
username <name> |
A valid user name on the specified SMTP server. |
bug_report |
username-smtp <account_name> |
A valid user name for authentication on the specified SMTP server. |
bug_report |
Example
This example shows how to configure a custom email relay:
config system bug-report
set auth yes
set mailto techdocs@fortinet.com
set password 123abc
set server fortinet.com
set username techdocs
set username-smtp techdocs
end
config system certificate ca
Use this command to configure CA certificates.
FortiSwitch includes a reserved entry named Fortinet_CA
. You cannot modify this entry.
Syntax
config system certificate ca
edit <name>
set ca <certificate>
set scep-url <string>
next
end
Variable |
Description |
Default |
name |
Enter the name of the certificate. |
No default |
certificate |
PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example. |
No default |
set scep-url |
Full URL (such as http://www.test.com) |
No default |
Example
# config system certificate ca # get == [ Fortinet_CA ] == [ OracleSSLCA ] == [ ca ] FortiCore-VM # config system certificate ca FortiCore-VM (ca) # edit ca-new FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE----- > MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ > kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG > EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg > MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is > ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ > MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K > XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr > LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY > CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD > vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw > V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA > AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE > FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv > FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv > edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA > A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC > XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs > 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI > eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH > 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D > 03RHH8yYbZ9rw0kuwTkJEo3bYDxH > -----END CERTIFICATE-----"
config system certificate crl
Use this command to configure the certificate revocation list.
Syntax
config system certificate crl
edit <name>
set crl <crl>
set http-url <string>
set ldap-server <LDAP>
set scep-cert <certificate>
set scep-url <string>
end
Variable |
Description |
Default |
name |
Name of the certificate revocation list |
No default |
crl |
PEM format CRL. Paste the contents of a CRL file between quotation marks. |
No default |
http-url |
URL of HTTP server for CRL update |
No default |
ldap-server |
LDAP server |
No default |
scep-cert |
Local certificate used for CRL update using SCEP |
Fortinet_Factory |
scep-url |
URL of CA server for CRL update using SCEP |
No default |
config system certificate local
Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot modify this entry.
Syntax
config system certificate local
edit <name>
set comments <string>
set password <passwd>
set private-key <key>
set scep-url <string>
next
end
Variable |
Description |
Default |
name |
Enter the name of the certificate. |
No default |
comments |
Optional administrator note. |
No default |
password |
Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate. |
* |
private-key |
Paste the contents of a key file between quotation marks as shown in the example. |
No default |
scep-url |
URL of SCEP server |
No default |
Example
# config system certificate local # get == [ Factory ] == [ csr_name_test ]
# show config system certificate local edit "csr_name_test" t7e4fiX6Sd6T5426Gg/HQXRH41mBwGmjKdBSHUbVUZTka2FtD1oLMWE2mTq1c9GMUz0DokPfoqxkjkmja5mWv4/w A5XdQ00lQmTeMZK/X5OSFmSS set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5/vf1VQB/28CAggA MBQGCCqGSIb3DQMHBAgZorM0zlnPNASCAViZk4wTZYYMPl0e7NwyxqvLND3LxUaV UG1XpUSPfnUP4YgrV2d0Uijclj5M7MS341cMVKZ7G1pS/6jvxUr0NamQv4j7JsJ0 t3G7LMkzcTiep26GUCy55Qt+iob7lh0iiKa+4uPOq/Mzy+84AWnRNLfIhevHPsYb rk4UbwNOFb0ZD9i06+UrFLsRGmtp/vlDyBgAoBojKxB/4j0G299QamnzPz4qneBc HtPqTMPELyqtT6w4cmnwp6Ti2OOAr9c44mKdyyAVZKie+Iu/4pSVBNSfuC+jjtmC k8OrCrG14NwrhbTY9zEnGxBRR1NMTEBBTqAQNYWtjUEQVjmY1GAJA3/oBQe7l8C/ G/IUVvc/aaqMvsKSNfDpgZaudTDe1Wxi1792ADGh7zslls+ykH9nmqh7BPfm30Nv f8O1hXgq01Lvo4v1xdC0w5oAeCyGlbTY5ZnXJFm0HCp0kA== -----END ENCRYPTED PRIVATE KEY----- " set csr "-----BEGIN CERTIFICATE REQUEST----- MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF -----END CERTIFICATE REQUEST----- "
config system certificate ocsp
Use this command to configure the OCSP server certificate.
Syntax
config system certificate ocsp
set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
set unavail-action {ignore | revoke}
set url <string>
end
Variable |
Description |
Default |
cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2} |
Enter the name of the certificate or select one of the listed certificates. |
No default |
unavail-action {ignore | revoke} |
Set if the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable. |
revoke |
url <string> |
Enter the URL for the OCSP server. |
No default |
Example
This example shows how to configure the OCSP server certificate:
config system certificate ocsp
set cert Fortinet_CA
set unavail-action ignore
set url https://www.fortinet.com
end
config system certificate remote
Use this command to install remote certificates. The remote certificates are public certificates without a private key.
config system certificate remote
edit <name>
set remote "<cert>"
end
Variable |
Description |
Default |
name |
Name for the certificate |
No default |
remote "<cert>" |
PEM-format certificate |
No default |
config system console
Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.
Syntax
config system console
set baudrate <speed>
set mode {batch | line}
set output {standard | more}
end
Variable |
Description |
Default |
baudrate <speed> |
Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200. |
115200 |
mode {batch | line} |
Set the console mode to line or batch. Used for autotesting only. |
line |
output {standard | more} |
Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed).
This setting applies to |
more |
Example
This example shows how to configure the console:
config system console
set baudrate 57600
set mode batch
set output standard
end
config system dhcp server
Use this command to configure DHCP servers.
Syntax
config system dhcp server
edit <id>
set auto-configuration {enable | disable}
set conflicted-ip-timeout <integer>
set default-gateway <xxx.xxx.xxx.xxx>
set dns-server1 <xxx.xxx.xxx.xxx>
set dns-server2 <xxx.xxx.xxx.xxx>
set dns-server3 <xxx.xxx.xxx.xxx>
set dns-service {default | local | specify
set domain <string>
set filename <string>
set interface <string>
set lease-time <integer>
set netmask <xxx.xxx.xxx.xxx>
set next-server <xxx.xxx.xxx.xxx>
set ntp-server1 <xxx.xxx.xxx.xxx>
set ntp-server2 <xxx.xxx.xxx.xxx>
set ntp-server3 <xxx.xxx.xxx.xxx>
set ntp-service {default | local | specify}
set status {enable | disable}
set tftp-server <xxx.xxx.xxx.xxx>
set timezone <00-75>
set timezone-option {default | disable | specify}
set vci-match {enable | disable}
set vci-string <VCI_strings>
set wifi-ac1 <xxx.xxx.xxx.xxx>
set wifi-ac2 <xxx.xxx.xxx.xxx>
set wifi-ac3 <xxx.xxx.xxx.xxx>
set wins-server1 <xxx.xxx.xxx.xxx>
set wins-server2 <xxx.xxx.xxx.xxx>
config exclude-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
config ip-range
edit <id>
set end-ip <xxx.xxx.xxx.xxx>
set start-ip <xxx.xxx.xxx.xxx>
next
end
config options
edit <id>
set code <integer>
set ip <IP_addresses>
set type {fqdn | hex | ip | string}
set value <string>
next
end
config reserved-address
edit <id>
set action {assign | block | reserved}
set circuit-id {<string> | <hex>}
set circuit-id-type {hex | string}
set description <string>
set ip <xxx.xxx.xxx.xxx>
set mac <xx:xx:xx:xx:xx:xx>
set remote-id {<string> | <hex>}
set remote-id-type {hex | string}
set type {mac | option82}
next
end
next
end
Variable |
Description |
Default |
<id> |
Enter the identifier. |
No default |
auto-configuration {enable | disable} |
Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface |
enable |
conflicted-ip-timeout <integer> |
Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds. |
1800 |
default-gateway <xxx.xxx.xxx.xxx> |
Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients. |
0.0.0.0 |
dns-server1 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the DNS server 1. This option is only available when |
0.0.0.0 |
dns-server2 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the DNS server 2. This option is only available when |
0.0.0.0 |
dns-server3 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the DNS server 3. This option is only available when |
0.0.0.0 |
dns-service {default | local | specify} |
Select how DNS servers are assigned to DHCP clients. Select |
specify |
domain <string> |
Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients. |
No default |
filename <string> |
Enter the name of the boot file on the TFTP server. |
No default |
interface <string> |
Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface. |
No default |
lease-time <integer> |
The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.
Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days. |
604800 |
netmask <xxx.xxx.xxx.xxx> |
Enter the netmask of the addresses that the DHCP server assigns. |
0.0.0.0 |
next-server <xxx.xxx.xxx.xxx> |
Enter the IPv4 address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from. |
0.0.0.0 |
ntp-server1 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the NTP server 1. This option is only available when |
0.0.0.0 |
ntp-server2 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the NTP server 2. This option is only available when |
0.0.0.0 |
ntp-server3 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the NTP server 3. This option is only available when |
0.0.0.0 |
ntp-service {default | local | specify} |
Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select |
specify |
status {enable | disable} |
Enable or disable this DHCP configuration. |
enable |
tftp-server <string> |
You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.
Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces. |
No default |
timezone <00-75> |
Enter the time zone to be assigned to DHCP clients. This option is only available if |
(GMT+12:00)Eniwetok,Kwajalein) |
timezone-option {default | disable | specify} |
Select how the DHCP server sets the clientʼs time zone. Select |
disable |
vci-match {enable | disable} |
Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served. |
disable |
vci-string <VCI_strings> |
Enter one or more VCI strings. This option is only available if |
No default |
wifi-ac1 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417). |
0.0.0.0 |
wifi-ac2 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417). |
0.0.0.0 |
wifi-ac3 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417). |
0.0.0.0 |
wins-server1 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the WINS server 1. |
0.0.0.0 |
wins-server2 <xxx.xxx.xxx.xxx> |
Enter the IPv4 address for the WINS server 2. |
0.0.0.0 |
config exclude-range |
||
<id> |
Enter the identifier. |
No default |
end-ip <xxx.xxx.xxx.xxx> |
Enter the end of the IP address range that will not be assigned to clients. |
0.0.0.0 |
start-ip <xxx.xxx.xxx.xxx> |
Enter the start of the IP address range that will not be assigned to clients. |
0.0.0.0 |
config ip-range |
||
<id> |
Enter the identifier. |
No default |
end-ip <xxx.xxx.xxx.xxx> |
Enter the end of the DHCP IP address range. |
0.0.0.0 |
start-ip <xxx.xxx.xxx.xxx> |
Enter the start of the DHCP IP address range. |
0.0.0.0 |
config options |
||
<id> |
Enter the identifier. |
No default |
code <integer> |
Select the DHCP option code. The range is 0-255. |
9 |
ip <IP_addresses> |
If |
No default |
type {fqdn | hex | ip | string} |
Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string. |
hex |
value <string> |
Enter the DHCP option value. This option is available when |
No default |
config reserved-address |
||
<id> |
Enter the identifier. |
No default |
action {assign | block | reserved} |
Select how the DHCP server configures the client with the reserved MAC address. Select |
reserved |
circuit-id {<string> | <hex>} |
Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the |
No default |
circuit-id-type {hex | string} |
Select whether the format of |
string |
description <string> |
Enter a description of this entry. |
No default |
ip <xxx.xxx.xxx.xxx> |
Enter the IPv4 address to be reserved for the MAC address. This option is only available when |
0.0.0.0 |
mac <xx:xx:xx:xx:xx:xx>. |
Enter the MAC address of the client that will get the reserved IP address. This option is only available when |
00:00:00:00:00:00 |
remote-id {<string> | <hex>} |
Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when |
No default |
remote-id-type {hex | string} |
Select whether the format of |
string |
type {mac | option82} |
Select whether to match the IP address with the MAC address or DHCP option 82. |
mac |
Example
This example shows how to configure a DHCP server:
config system dhcp server
edit 1
set default-gateway 50.50.50.2
set domain "FortiswitchTest.com"
set filename "text1.conf"
set interface "svi10"
config ip-range
edit 1
set end-ip 50.50.0.10
set start-ip 50.50.0.5
next
end
set lease-time 360
set netmask 255.255.0.0
set next-server 60.60.60.2
config options
edit 1
set value "dddd"
next
end
set tftp-server "1.2.3.4"
set timezone-option specify
set wifi-ac1 5.5.5.1
set wifi-ac2 5.5.5.2
set wifi-ac3 5.5.5.3
set wins-server1 6.6.6.1
set wins-server2 6.6.6.2
set dns-server1 7.7.7.1
set dns-server2 7.7.7.2
set dns-server3 7.7.7.3
set ntp-server1 8.8.8.1
set ntp-server2 8.8.8.2
set ntp-server3 8.8.8.3
next
end
config system dns
Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and URL blocking, use DNS.
Syntax
config system dns
set cache-notfound-responses {enable | disable}
set dns-cache-limit <integer>
set dns-cache-ttl <int>
set domain <domain_name>
set ip6-primary <dns_ipv6>
set ip6-secondary <dns_ip6>
set primary <dns_ipv4>
set secondary <dns_ip4>
set source-ip <ipv4_addr>
end
Variable |
Description |
Default |
cache-notfound-responses {enable | disable} |
Enable to cache NOTFOUND responses from the DNS server. |
disable |
dns-cache-limit <integer> |
Set maximum number of entries in the DNS cache. |
5000 |
dns-cache-ttl <int> |
Enter the duration, in seconds, that the DNS cache retains information. |
1800 |
domain <domain_name> |
Set the local domain name (optional). |
No default |
ip6-primary <dns_ipv6> |
Enter the primary IPv6 DNS server IP address. |
:: |
ip6-secondary <dns_ip6> |
Enter the secondary IPv6 DNS server IP address. |
:: |
primary <dns_ipv4> |
Enter the primary DNS server IP address. |
0.0.0.0 |
secondary <dns_ip4> |
Enter the secondary DNS IP server address. |
0.0.0.0 |
source-ip <ipv4_addr> |
Enter the IP address for communications to DNS server. |
0.0.0.0 |
Example
This example shows how to set the DNS server addresses:
config system dns
set cache-notfound-responses enable
set dns-cache-limit 2000
set dns-cache-ttl 900
set domain fortinet.com
set primary 172.91.112.53
set secondary 172.91.112.52
end
config system flow-export
You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.
NOTE:
- Flow export is supported on FortiSwitch models 2xx and higher.
- To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end
Syntax
config system flow-export
set collector-ip <IPv4_address>
set collector-port <port_number>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set identity <hexadecimal>
set level {ip | mac | port | proto | vlan}
set max-export-pkt-size <integer>
set timeout-general <integer>
set timeout-icmp <integer>
set timeout-max <integer>
set timeout-tcp <integer>
set timeout-tcp-fin <integer>
set timeout-tcp-rst <integer>
set timeout-udp <integer>
set transport {sctp | tcp | udp}
config aggregates
edit <id>
set ip <IPv4_address_mask>
end
end
Variable |
Description |
Default |
collector-ip <IPv4_address> |
Enter the IP address for the collector.
The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx. |
0.0.0.0 |
collector-port <port_number> |
Enter the port number for the collector.
The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739. |
0 |
format {netflow1 | netflow5 | netflow9 | ipfix} |
You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports. |
netflow9 |
identity <hexadecimal> |
Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If |
0x00000000 |
level {ip | mac | port | proto | vlan} |
You can set the flow-tracking level to one of the following:
-
|
ip |
max-export-pkt-size <integer> |
Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216. |
512 |
timeout-general <integer> |
Set the general timeout in seconds for the flow session. The range of values is 60-604800. |
3600 |
timeout-icmp <integer> |
Set the ICMP timeout for the flow session. The range of values is 60-604800. |
300 |
timeout-max <integer> |
Set the maximum number of seconds before the flow session times out. The range of values is 60-604800. |
604800 |
timeout-tcp <integer> |
Set the TCP timeout for the flow session. The range of values is 60-604800. |
3600 |
timeout-tcp-fin <integer> |
Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800. |
300 |
timeout-tcp-rst <integer> |
Set the TCP RST flag timeout for the flow session. The range of values is 60-604800. |
120 |
timeout-udp <integer> |
Set the UDP timeout for the flow session. The range of values is 60-604800. |
300 |
transport {sctp | tcp | udp} |
You can set exported packets to use UDP, TCP, or SCTP for transport. |
udp |
<id> |
Enter the identifier. |
No default |
<IPv4_address_mask> |
Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow. |
No default |
Example
This example shows how to configure flow export:
config system flow-export
set collector-ip 169.254.3.1
set collector-port 5
set format ipfix
set level ip
set transport tcp
end
config system fsw-cloud
Use this command to configure the FortiSwitch Cloud. The FortiSwitch Cloud allows you to quickly check the status and to configure multiple FortiSwitch units through a single management portal.
NOTE: To use the FortiSwitch Cloud, you must have a Cloud Management license, and your FortiSwitch unit must be in standalone mode, connected to the Internet, and the system time must be accurate. To set the time on your FortiSwitch unit, see config system ntp.
Syntax
config system fsw-cloud
set interval <integer>
set name <string>
set port <port_number>
set status {enable | disable}
end
Variable |
Description |
Default |
interval <integer> |
The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds. |
45 |
name <string> |
The domain name for the FortiSwitch Cloud. |
fortiswitch-dispatch.forticloud.com |
port <port_number> |
Port number used to connect to the FortiSwitch Cloud. |
443 |
status {enable | disable} |
Whether the FortiSwitch Cloud is enabled or disabled. |
disable |
Example
This example shows how to configure the FortiSwitch Cloud:
config system fsw-cloud
set interval 150
set name fortiswitch-dispatch.forticloud.com
set port 443
set status enable
end
config system global
Use this command to configure global settings that affect various FortiSwitch systems and configurations.
Syntax
config system global
set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
set admin-concurrent {enable | disable}
set admin-https-pki-required {enable | disable}
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}
set admin-lockout-duration <time_int>
set admin-lockout-threshold <failed_int>
set admin-port <port_number>
set admin-scp {enable | disable}
set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
set admin-sport <port_number>
set admin-ssh-grace-time <time_int>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set alertd-relog {enable | disable}
set alert-interval <1-1440 minutes>
set allow-subnet-overlap {enable | disable}
set arp-timeout <seconds>
set asset-tag <string>
set cfg-save {automatic | manual | revert}
set clt-cert-req {enable | disable}
set csr-ca-attribute {enable | disable}
set daily-restart {enable | disable}
set detect_ip_conflict {enable | disable}
set dhcp-client-location {description | hostname | intfname | mode | vlan}
set dhcp-option-format {ascii | legacy}
set dhcp-remote-id {hostname | ip | mac}
set dhcp-server-access-list {enable | disable}
set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
set dhcps-db-exp <number_of_seconds>
set dhcps-db-per-port-learn-limit <number_of_entries>
set dst {enable | disable}
set hostname <unithostname>
set image-rotation {enable | disable}
set ip-conflict-ignore-default {enable | disable}
set ipv6-accept-dad <0 | 1 | 2>
set ipv6-all-forwarding {enable | disable}
set kernel-crashlog {enable | disable}
set l3-host-expiry {enable | disable}
set language <language>
set ldapconntimeout <ldaptimeout_msec>
set private-data-encryption {enable | disable}
set radius-coa-port <port_number>
set radius-port <radius_port>
set remoteauthtimeout <timeout_sec>
set revision-backup-on-logout {enable | disable}
set revision-backup-on-upgrade {enable | disable}
set strong-crypto {enable | disable}
set switch-mgmt-mode {fortilink | local}
set tcp-mss-min <48-10000>
set tcp6-mss-min<48-10000>
set timezone <timezone_number>
end
Variable |
Description |
Default |
802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2} |
Set the CA certificate for port security (802.1x):
|
Entrust_802.1x_CA |
802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware} |
Set the certificate for port security (802.1x):
|
Entrust_802.1x |
admin-concurrent {enable | disable} |
Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses.
Use |
enable |
admin-https-pki-required {enable | disable} |
Enable to allow user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting of |
disable |
admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3} |
Set the allowed SSL/TLS versions for Web administration. |
tlsv1-1 tlsv1-2 tlsv1-3 |
admin-lockout-duration <time_int> |
Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout. |
60 |
admin-lockout-threshold <failed_int> |
Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration. |
3 |
admin-port <port_number> |
Enter the port to use for HTTP administrative access. |
80 |
admin-scp {enable | disable} |
Enable to allow system configuration download by the secure copy (SCP) protocol. |
disable |
admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware} |
Select the administration HTTPS server certificate to use:
|
Fortinet_Firmware |
admin-sport <port_number> |
Enter the port to use for HTTPS administrative access. |
443 |
admin-ssh-grace-time <time_int> |
Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds. |
120 |
admin-ssh-port <port_number> |
Enter the port to use for SSH administrative access. |
22 |
admin-ssh-v1 {enable | disable} |
Enable compatibility with SSH v1.0. |
disable |
admin-telnet-port <port_number> |
Enter the port to use for telnet administrative access. |
23 |
admintimeout <admin_timeout_minutes> |
Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum To improve security, keep the idle timeout at the default value of 5 minutes. |
5 |
alertd-relog {enable | disable} |
Enable or disable re-logs when a sensor exceeds its threshold. |
disable |
alert-interval |
NOTE: This command is only available after the Set how often an alert is generated for temperature sensors when they exceed their set thresholds. |
30 |
allow-subnet-overlap {enable | disable} |
Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface. Note: Different interfaces cannot have overlapping IP addresses or subnets. Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping. |
disable |
arp-timeout <seconds> |
Set the number of seconds before dynamic ARP entries are removed from the cache. |
180 |
asset-tag |
LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled). |
No default |
cfg-save {automatic | manual | revert} |
Set the method for saving the FortiSwitch system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
|
automatic |
clt-cert-req {enable | disable} |
Enable or disable the requirement to have a client certificate to log in to the GUI. |
disable |
csr-ca-attribute {enable | disable} |
Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute. |
enable |
daily-restart {enable | disable} |
Enable to restart the FortiSwitch every day. The time of the restart is controlled by |
disable |
detect_ip_conflict {enable | disable} |
Enable the Detect IP Conflict feature. |
enable |
dhcp-client-location {description | hostname | intfname | mode | vlan} |
Select which parameters to include to describe the client location. Separate multiple parameters with a space.
|
intfname vlan mode |
dhcp-option-format {ascii | legacy} |
Select the format for the DHCP string:
|
ascii |
dhcp-remote-id {hostname | ip | mac} |
Select which parameters to include in the remote-id field:
|
mac |
dhcp-server-access-list {enable | disable} |
Set to |
disable |
dhcp-snoop-client-req {drop-untrusted | forward-untrusted} |
Select which transmission mode to use for broadcasting client DHCP packets:
|
forward-untrusted |
dhcps-db-exp <number_of_seconds> |
Set the number of seconds for a DHCP-snooping server database entry to be kept.The range of values is 300-259200. |
86400 |
dhcps-db-per-port-learn-limit <number_of_entries> |
Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024. |
64 |
dst {enable | disable} |
Enable or disable daylight saving time. If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time. |
enable |
hostname <unithostname> |
Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underlines. No spaces are allowed. While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI, and other locations the hostname is used. Some models support hostnames up to 35 characters. By default the hostname of your system is its serial number which includes the model. |
FortiSwitch serial number. |
image-rotation {enable | disable} |
Enable or disable the rotation of the partition used to upgrade the FortiSwitch image. |
enable |
ip-conflict-ignore-default {enable | disable} |
Enable or disable IP conflict detection for the default IP address. |
enable |
ipv6-accept-dad <0 | 1 | 2> |
Specify whether to accept IPv6 duplicat address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found. |
1 |
ipv6-all-forwarding {enable | disable |
Enable or disable IPv6 forwarding. |
enable |
kernel-crashlog {enable | disable} |
Enable or disable whether to log a kernel crash. |
enable |
l3-host-expiry {enable | disable} |
Enable or disable layer-3 host expiry. |
disable |
language <language> |
Set the display language. You can set |
english |
ldapconntimeout <ldaptimeout_msec> |
LDAP connection timeout in msec |
500 |
private-data-encryption {enable | disable} |
Enable or disable private data encryption using an AES 128-bit key. |
disable |
radius-coa-port <port_number> |
Set the port number to be used for the RADIUS change of authorization (CoA). |
3799 |
radius-port <radius_port> |
Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your system. |
1812 |
remoteauthtimeout <timeout_sec> |
The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds, 0 means no timeout. To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response. |
5 |
revision-backup-on-logout {disable | enable} |
Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI. |
enable |
revision-backup-on-upgrade {enable | disable} |
Enable or disable backing up the latest configuration revision when the administrator starts an upgrade. |
enable |
strong-crypto {enable | disable} |
Strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). NOTE: Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. |
disable |
switch-mgmt-mode {fortilink | local} |
Determines whether the switch is being managed locally, or managed by a FortiGate through a FortiLink connection. |
local |
tcp-mss-min <48-10000> |
Enter the minimum allowed TCP MSS value in bytes. |
48 |
tcp6-mss-min <48-10000> |
Enter the minimum allowed TCP MSS value in bytes. |
48 |
timezone <timezone_number> |
The number corresponding to your time zone from 00 to 72.
Press |
00 |
Example
This example shows how to set your private data encryption key:
S548DN5018000535 # config system global
S548DN5018000535 (global) # set private-data-encryption enable
S548DN5018000535 (global) # end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdefabcdef0123456789
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdefabcdef0123456789
Your private data encryption key is accepted.
This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try again to log in to five minutes:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
config system interface
Use this command to edit the configuration of an interface.
|
If you enter a name string in the |
Syntax
config system interface
edit <interface_name>
set allowaccess <access_types>
set alias <name_string>
set bfd {enable | disable | global}
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set description <text>
set dhcp-relay-service {enable | disable}
set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
set dhcp-relay-option82 {enable | disable}
set dhcp-vendor-specific-option <string>
set external {enable | disable)
set fail-detect {enable | disable}
set fail-detect-option {link-down | detectserver}
set fail-alert-method {link-d own | link-failed-signal}
set fail-alert-interfaces {port1 port2 ...}
set icmp-redirect {enable | disable}
set interface <interface_name>
set ip <interface_ipv4mask>
set log {enable | disable}
set mode <static | dhcp>
set dhcp-client-identifier <client_name_str>
set distance <1-255>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set mtu-override {enable | disable}
set secondary-IP {enable | disable}
set snmp-index <integer>
set src-check {disable | loose | strict}
set src-check-allow-default {enable | disable}
set status {down | up}
set type {loopback | vlan}
set vlanid <id_number>
set vrrp-virtual-mac {enable | disable}
config ipv6
set ip6-address <ipv6_netmask>
set ip6-allowaccess <access_types>
set autoconf {disable | enable}
set ip6-unknown-mcast-to-cpu {disable | enable}
set ip6-mode {dhcp | static}
set ip6-dns-server-override {disable | enable}
set dhcp6-information-request {disable | enable}
set ip6-send-adv {disable | enable}
set ip6-manage-flag {disable | enable}
set ip6-other-flag {disable | enable}
set ip6-max-interval <4-1800>
set ip6-min-interval <3-1350>
set ip6-link-mtu <integer>
set ip6-reachable-time <0-3600000>
set ip6-retrans-time <0-2147483647>
set ip6-default-life <0-9000>
set ip6-hop-limit <0-255>
set vrip6_link_local {enable | disable}
set vrrp-virtual-mac6 {enable | disable}
config ip6-extra-address
edit <prefix_ipv6>
end
config ip6-prefix-list
edit <prefix_ipv6>
set autonomous-flag {disable | enable}
set onlink-flag {disable | enable}
set preferred-life-time <0-2147483647>
set valid-life-time <0-2147483647>
end
end
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set version {2 | 3}
set vrdst <ipv4_addr>
set vrgrp <integer>
set vrip <ipv4_addr>
|
A VLAN cannot have the same name as a zone or a virtual domain. |
Variable |
Description |
Default |
<interface_name> |
Edit an existing interface or create a new VLAN interface. |
No default |
allowaccess <access_types> |
Enter the types of management access permitted on this interface or secondary IP address. Valid types are:
Separate each type with a space. To add or remove an option from the list, retype the complete list as required. |
Varies for each interface. |
alias <name_string> |
Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters.
This option is only available when interface type is |
No default. |
bfd {enable | disable | global} |
The status of bidirectional forwarding detection (bfd) on this interface:
|
global |
bfd-desired-min-tx <interval_msec> |
Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec. This option is available only when |
50 |
bfd-detect-mult <multiplier> |
Select the BFD detection multiplier. This option is available only when |
3 |
bfd-required-min-rx <interval_msec> |
Enter the minimum required interface for the BFD receive interval. Valid range is from 1 to 100 000 msec.
This is available only when |
50 |
description <text> |
Optionally, enter up to 63 characters to describe this interface. |
No default |
dhcp-relay-service {enable | disable} |
Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of There must be no other DHCP server of the same type (regular or ipsec) configured on this interface. |
disable |
dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>} |
Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept. Do not set |
No default |
dhcp-relay-option82 {enable | disable} |
Enable to allow option-82 insertion in the DHCP relay. This option is available only when |
disable |
dhcp-vendor-specific-option <string> |
Set the value for DHCP vendor-specific option 43. |
No default |
external {enable | disable) |
Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the |
disable |
fail-detect {enable | disable} |
Enable interface failure detection. |
disable |
fail-detect-option { |
Select whether the system detects interface failure by port detection ( |
link‑down |
fail-alert-method {link‑down | link‑failed‑signal} |
Select the signal that the system uses to signal the link failure: Link Down or Link Failed. This option is available only when |
link‑down |
fail-alert-interfaces {port1 port2 ...} |
Select the interfaces to which failure detection applies. This option is available only when |
No default |
icmp-redirect {enable | disable} |
Disable to stop ICMP redirect from sending from this interface. ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available. |
enable |
interface <interface_name> |
Enter the name of the interface. This option is available ony when |
internal |
ip <interface_ipv4mask> |
Enter the interface IP address and netmask. This option is not available if |
Varies for each interface. |
log {enable | disable} |
Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting. |
disable |
mode <interface_mode> |
Configure the connection mode for the interface as one of:
|
static |
dhcp-client-identifier |
Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual interfaces).
By default, the DHCP client identifier for each interface is created based on the model name and the interface MAC address. In some cases, you might want to specify your own DHCP client identifier using this command.
This option is available only when the |
No default |
distance <1-255> |
Enter the distance of learned routes. This command is available only when |
5 |
defaultgw {enable | disable} |
Enable to get the gateway IP address from the DHCP server.
This option is available only when the |
disable |
dns-server-override {enable | disable} |
Disable to prevent this interface from using DNS server addresses it acquires by DHCP. This option is available only when the |
enable |
mtu-override {enable | disable} |
Select enable to use custom MTU size instead of default (1 500). This is available only for physical interfaces and some tunnel interfaces (not IPsec). If you change the MTU size, you must reboot the FortiSwitch to update the MTU values of the VLANs on this interface. Some models support MTU sizes larger than the standard 1 500 bytes. |
disable |
secondary-IP {enable | disable} |
Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address. When disabled, the Web-based manager interface displays only the option to enable secondary IP. |
disable |
snmp-index <integer> |
Configure the SNMP index |
|
src-check {disable | loose | strict} |
Set to Set to Set to |
disable |
src-check-allow-default {enable | disable} |
If you disable the This option is available only when |
disable |
status {down | up} |
Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop. |
|
type {loopback | vlan} |
Enter the type of interface. NOTE: Some types are read only and are set automatically by hardware.
|
vlan |
vlanid <id_number> |
Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface.
This is available only when editing an interface with a type of |
No default |
vrrp-virtual-mac {enable | disable} |
Enable VRRP virtual MAC addresses for the IPv4 VRRP routers added to this interface.See RFC 5798 for information about the VRRP virtual MAC addresses. |
disable |
config ipv6
Configure IPv6 settings for the interface.
Syntax
config system interface
edit <interface_name>
config ipv6
set ip6-address <ipv6_netmask>
set ip6-allowaccess <access_types>
set autoconf {disable | enable}
set ip6-unknown-mcast-to-cpu {disable | enable}
set ip6-mode {dhcp | static}
set ip6-dns-server-override {disable | enable}
set dhcp6-information-request {disable | enable}
set ip6-send-adv {disable | enable}
set ip6-manage-flag {disable | enable}
set ip6-other-flag {disable | enable}
set ip6-max-interval <4-1800>
set ip6-min-interval <3-1350>
set ip6-link-mtu <integer>
set ip6-reachable-time <0-3600000>
set ip6-retrans-time <0-2147483647>
set ip6-default-life <0-9000>
set ip6-hop-limit <0-255>
set vrip6_link_local {enable | disable}
set vrrp-virtual-mac6 {enable | disable}
config ip6-extra-address
edit <prefix_ipv6>
end
config ip6-prefix-list
edit <prefix_ipv6>
set autonomous-flag {disable | enable}
set onlink-flag {disable | enable}
set preferred-life-time <0-2147483647>
set valid-life-time <0-2147483647>
end
end
end
Variable |
Description |
Default |
<interface_name> |
Edit an existing interface or create a new VLAN interface. |
No default |
ip6-address <ipv6_netmask> |
The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513. This command is only available in NAT/Route mode. |
::/0 |
ip6-allowaccess <access_types> |
Enter the types of management access permitted on this IPv6 interface.
Valid types are: |
Varies for each interface. |
autoconf {disable | enable} |
Enable or disable the automatic address configuration. |
disable |
ip6-unknown-mcast-to-cpu {disable | enable} |
Enable or disable the sending of unknown multicast addresses to the CPU. |
disable |
ip6-mode {dhcp | static} |
Set the addressing mode to be static or DHCP. DHCP addressing mode is available only when autoconf is disabled. |
static |
ip6-dns-server-override {disable | enable} |
Enable or disable using the DNS server acquired by DHCP. This command is available only when the ip6-mode is set to dhcp. |
enable |
dhcp6-information-request {disable | enable} |
Enable or disable the DHCPv6 infomation request. |
disable |
ip6-send-adv {disable | enable} |
Enable or disable the sending of the IPv6 router advertisement. This command is only available when autoconf is disabled. |
disable |
ip6-manage-flag {disable | enable} |
Enable or disable the sending of the IPv6 managed flag. |
disable |
ip6-other-flag {disable | enable} |
Enable or disable the sending of the IPv6 other flag. |
disable |
ip6-max-interval <4-1800> |
Specify the maximum number of seconds before the RA is sent. |
600 |
ip6-min-interval <3-1350> |
Specify the minium number of seconds before the RA is sent. |
198 |
ip6-link-mtu <integer> |
Specify the IPv6 link maximum transmission unit. |
0 |
ip6-reachable-time <0-3600000> |
Specify the IPv6 reachable time in milliseconds. |
0 |
ip6-retrans-time <0-2147483647> |
Specify the IPv6 retransmit time in milliseconds. |
0 |
ip6-default-life <0-9000> |
Specify the IPv6 default life in seconds. |
1800 |
ip6-hop-limit <0-255> |
Specify the maximum number of IPv6 hops. |
0 |
vrip6_link_local {enable | disable} |
Enter the link-local IPv6 address of virtual router. |
No default |
vrrp-virtual-mac6 {enable | disable} |
Enable VRRP virtual MAC addresses for the IPv6 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses. |
disable |
config ip6-extra-addr |
||
<prefix_ipv6> |
IPv6 address prefix. Configure addditonal IPv6 prefixes for this IPv6 interface. |
No default |
config ip6-prefix-list |
||
<prefix_ipv6> |
IPv6 advertised prefix list. Configure which IPv6 prefixes are advertised.. |
No default |
autonomous-flag {disable | enable} |
Enable or disable the autonomous flag. |
enable |
onlink-flag {disable | enable} |
Enable or disable the onlink flag. |
disable |
preferred-life-time <0-2147483647> |
Specify the preferred lifetime in seconds for the advertised IPv6 prefix. |
604800 |
valid-life-time <0-2147483647> |
Specify the valid lifetime in seconds for the advertised IPv6 prefix. |
2592000 |
config secondaryip
Configure a second IP address for the interface.
Syntax
config system interface
edit <interface_name>
config secondaryip
edit <id>
set ip <IP_address_and_netmask>
set allowaccess <access_types>
end
end
Variable |
Description |
Default |
<interface_name> |
Edit an existing interface or create a new VLAN interface. |
No default |
<id> |
Identifier. |
No default |
ip <IP_address_and_netmask> |
Enter the IP address and netmask. |
0.0.0.0 0.0.0.0 |
allowaccess <access_types> |
Enter the types of management access permitted on this interface or secondary IP address. Valid types are:
Separate each type with a space. To add or remove an option from the list, retype the complete list as required. |
No default |
config vrrp
Add one or more VRRP virtual routers to a interface. For information about VRRP, see RFC 5798.
Syntax
config system interface
edit <interface_name>
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set version {2 | 3}
set vrdst <ipv4_addr>
set vrgrp <integer>
set vrip <ipv4_addr>
end
Variable |
Description |
Default |
<interface_name> |
Edit an existing interface or create a new VLAN interface. |
No default |
<VRID_int> |
VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router. |
None |
adv-interval <seconds_int> |
VRRP advertisement interval (1-255 seconds). |
1 |
preempt {enable | disable} |
Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system. |
enable |
priority <prio_int> |
Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master. |
100 |
start-time <seconds_int> |
The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system. |
3 |
status {enable | disable} |
Enable or disable this virtual router. |
enable |
version {2 | 3} |
Set the VRRP version to VRRP version 2 or VRRP version 3. |
2 |
vrdst <ipv4_addr> |
Monitor the route to this destination. |
0.0.0.0 |
vrgrp <integer> |
VRRP group identifier. The value range is 1-65535. |
0 |
vrip <ipv4_addr> |
IP address of the virtual router. |
0.0.0.0 |
Example
This example shows how to configure VRRP:
config system interface
edit "vlan-8"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http ssh
set vrrp-virtual-mac enable
config vrrp
edit 5
set priority 255
set vrgrp 50
set vrip 11.1.1.100
next
edit 6
set priority 200
set vrgrp 50
set vrip 11.1.1.100
next
edit 7
set priority 150
set vrgrp 50
set vrip 11.1.1.100
next
end
set snmp-index 20
set vlanid 8
set interface "internal"
next
end
config system ipv6-neighbor-cache
Use this command to configure the IPv6 neighbor cache table:
config system ipv6-neighbor-cache
edit <id>
set interface {<string> | internal | mgmt}
set ipv6 <IPv6_address>
set mac <MAC_address>
end
Variable |
Description |
Default |
<id> |
Enter a unique integer to create a new entry. |
No default |
interface <interface_name> |
Required. Enter the interface. |
No default |
ipv6 <IPv6_address> |
Enter the IPv6 addresss in the following format:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx |
:: |
mac <MAC_address> |
Enter the MAC address in the following format:
xx:xx:xx:xx:xx:xx |
00:00:00:00:00:00 |
Example
This example shows how to configure an entry in the IPv6 neighbor cache table.
config system ipv6-neighbor-cache
edit id
set interface internal
set ipv6 e80::a5b:eff:fef1:95e4
set mac 00:21:cc:d2:76:72
end
config system link-monitor
Use this command to configure the link health monitor.
config system link-monitor
edit <link monitor name>
set addr-mode {ipv4 | ipv6}
set srcintf <string>
set protocol {arp | ping}
set gateway-ip <IPv4 address>
set gateway-ip6 <IPv6 address>
set source-ip <IPv4 address>
set source-ip6 <IPv6 address>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-static-route {enable | disable}
set status {enable | disable}
next
end
Variable |
Description |
Default |
---|---|---|
<link monitor name> |
Enter the link monitor name. |
No default |
addr-mode {ipv4 | ipv6} |
Select whether to use IPv4 or IPv6 addresses. |
ipv4 |
srcintf <string> |
Interface where the monitor traffic is sent. |
No default |
protocol {arp | ping} |
Protocols used to detect the server. Select ARP or ping. |
arp |
gateway-ip <IPv4 address> |
Gateway IPv4 address used to PING the server. This option is available only when |
0.0.0.0 |
gateway-ip6 <IPv6 address> |
Gateway IPv6 address used to PING the server. This option is available only when |
No default |
source-ip <IPv4 address> |
Source IPv4 address used in packet to the server. This option is available only when |
0.0.0.0 |
source-ip6 <IPv6 address> |
Source IPv6 address used in packet to the server. This option is available only when |
No default |
interval <integer> |
Detection interval in seconds. The range is 1-3600. |
5 |
timeout <integer> |
Detect request timeout in seconds. The range is 1-255. |
1 |
failtime <integer> |
Number of retry attempts before bringing server down. The range is 1-10. |
5 |
recoverytime <integer> |
Number of retry attempts before bringing server up. The range is 1-10. |
5 |
update-static-route {enable | disable} |
Enable or disable update static route. |
enable |
status {enable | disable} |
Enable or disable link monitor administrative status. |
enable |
config system location
Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.
config system location
edit <name>
config address-civic
set additional <string>
set additional-code <string>
set block <string>
set branch-road <string>
set building <string>
set city <string>
set city-division <string>
set country <string>
set country-subdivision <string>
set county <string>
set direction <string>
set floor <string>
set landmark <string>
set language <string>
set name <string>
set number <string>
set number-suffix <string>
set place-type <string>
set post-office-box <string>
set postal-community <string>
set primary-road <string>
set road-section <string>
set room <string>
set script <string>
set seat <string>
set street <string>
set street-name-post-mod <string>
set street-name-pre-mod <string>
set street-suffix <string>
set sub-branch-road <string>
set trailing-str-suffix <string>
set unit <string>
set zip <string>
end
config coordinates
set altitude <string>
set altitude-unit {f | m}
set datum {NAD83 | NAD83/MLLW | WGS84}
set latitude <string>
set longitude <string>
end
config elin-number
set elin-number <number>
end
Variable |
Description |
Default |
<name> |
Enter a unique name for the location entry. |
No default |
config address-civic |
||
additional <string> |
Enter additional location information, for example, west wing. |
No default |
additional-code <string> |
Enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code. |
No default |
block <string> |
Enter the neighborhood (Korea) or block. |
No default |
branch-road <string> |
Enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road. |
No default |
building <string> |
Enter the name of the building (structure) if the address includes more than one building, for example, Law Library. |
No default |
city <string> |
Enter the city (Germany), township, or shi (Japan). |
No default |
city-division <string> |
Enter the city division, borough, city district (Germany), ward, or chou (Japan). |
No default |
country <string> |
Enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE. |
No default |
country-subdivision <string> |
Enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state. |
No default |
county <string> |
Enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India). |
No default |
direction <string> |
Enter N, E, S, W, NE, NW, SE, or SW for the leading street direction. |
No default |
floor <string> |
Enter the floor number, for example, 4. |
No default |
landmark <string> |
Enter the nickname, landmark, or vanity address, for example, UC Berkeley. |
No default |
language <string> |
Enter the ISO 639 language code used for the address information. |
No default |
name <string> |
Enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon. |
No default |
number <string> |
Enter the street address, for example, 1560. |
No default |
number-suffix <string> |
Enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number-suffix. |
No default |
place-type <string> |
Enter the type of place, for example, home, office, or street. |
No default |
post-office-box <string> |
Enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value. |
No default |
postal-community <string> |
Enter the postal community name, for example, Alviso. When the postal-community name is set, the civic community name is replaced by this value. |
No default |
primary-road <string> |
Enter the primary road or street name for the address. |
No default |
road-section <string> |
Enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road. |
No default |
room <string> |
Enter the room number, for example, 7A. |
No default |
script <string> |
Enter the script used to present the address information, for example, Latn. |
No default |
seat <string> |
Enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show. |
No default |
street <string> |
Enter the street (Canada, Germany, Korea, and United States). |
No default |
street-name-post-mod <string> |
Enter an optional part of the street name that appears after the actual street name. If the full street name is |
No default |
street-name-pre-mod <string> |
Enter an optional part of the street name that appears before the actual street name. If the full street name is |
No default |
street-suffix <string> |
Enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C. |
No default |
sub-branch-road <string> |
Enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street. |
No default |
trailing-str-suffix <string> |
Enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction. |
No default |
unit <string> |
Enter the unit (apartment or suite), for example, Apt 27. |
No default |
zip <string> |
Enter the postal or zip code for the address, for example, 94089-1345. |
No default |
config coordinates |
||
altitude <string> |
Enter the vertical height of a location using the altitude-unit to specify the unit used. The format is +/- floating point number, for example, 117.47. |
No default |
altitude-unit {f | m} |
Select whether the altitude is measured in m (meters) or f (floors). |
m |
datum {NAD83 | NAD83/MLLW | WGS84} |
Select which map is used for the location: WGS84, NAD83, or NAD83/MLLW. |
WGS84 |
latitude <string> |
Enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N. |
No default |
longitude <string> |
Enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E. |
No default |
config elin-number |
||
elin-number <number> |
Enter the emergency location identification number (ELIN), which is a unique phone number. The value is a 10 to 20 byte numerical string. |
No default |
Example
This example shows how to configure the location table for Fortinet.
config system location
edit Fortinet
config address-civic
set country "US"
set language "English"
set county "Santa Clara"
set city "Sunnyvale"
set street "Kifer"
set street-suffix "Road"
set number "899"
set zip "94086"
set building "1"
set floor "1"
set seat "1293"
end
next
edit "Fortinet"
config elin-number
set elin-number "14082357700"
end
end
config system ntp
Use this command to configure Network Time Protocol (NTP) servers.
Syntax
config system ntp
set allow-unsync-source {enable | disable}
set authentication {enable | disable}
set log-time-adjustments {enable | disable}
set ntpsync {enable | disable}
set source-ip <ipv4_addr>
set source-ip6 <ipv6_addr>
set syncinterval <interval_int>
config ntpserver
edit <serverid_int>
set authentication {enable | disable}
set key <string>
set key-id <integer>
set ntpv3 {enable | disable}
set server {<ipv4_addr>| <ipv6_addr>}
end
end
Variable |
Description |
Default |
allow-unsync-source {enable | disable} |
Enable or disable whether an unsynchronized NTP server source is allowed. |
disable |
authentication {enable | diable} |
Enable or disable authentication. |
disable |
log-time-adjustments {enable | disable} |
Enable or disable whether FortiSwitch logs when NTP adjusts the system time. |
enable |
ntpsync {enable | disable} |
Enable or disable whether the system time is synchronized with the NTP server. |
enable |
source-ip <ipv4_addr> |
Enter the source IPv4 address for communication with the NTP server. |
0.0.0.0 |
source-ip6 <ipv6_addr> |
Enter the source IPv6 address for communication with the NTP server. |
No default |
syncinterval <interval_int> |
Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1,440 minutes. This option is availabe only when |
10 |
<serverid_int> |
Enter the number for this NTP server entry. |
No default |
authentication {enable | diable} |
Enable or disable authentication. If you enable authenication and use the NTPv3 protocol, MD5 authentication is used. If you enable authentication and use the NTPv4 protocol, SHA1 authentication is used. |
disable |
key <string> |
If authentication is enabled, enter a key for authentication. |
No default |
key-id <integer> |
If authentication is enabled, enter a key identifier for authentication. |
0 |
ntpv3 {enable | disable} |
Enable this option to use the NTPv3 protocol. Disable this option to use the NTPv4 protocol. |
disable |
server {<ipv4_addr> | <ipv6_addr>} |
Enter the IPv4 or IPv6 address for this NTP server. |
No default |
Example
This example shows how to configure an NTP server:
config system ntp
set authentication enable
set ntpsyn enable
set syncinterval 5
set source-ip 192.168.4.5
end
config system password-policy
Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared keys.
Syntax
config system password-policy
set status enable
set apply-to [admin-password ipsec-preshared-key]
set change-4-characters {enable | disable}
set minimum-length <chars>
set min-lower-case-letter <num_int>
set min-upper-case-letter <num_int>
set min-non-alphanumeric <num_int>
set min-number <num_int>
set expire-status {enable | disable}
set expire-day <num_int>
end
Variable |
Description |
Default |
status enable |
Enable password policy. The password policy cannot be disabled. |
enable |
apply-to [admin‑password ipsec-preshared-key] |
Select where the policy applies: administrator passwords or IPSec preshared keys. This option is available only when |
admin‑password |
change-4-characters {enable | disable} |
Enable to require the new password to differ from the old password by at least four characters. This option is available only when |
disable |
minimum-length <chars> |
Set the minimum length of password in characters. Range 8 to 32. This option is available only when |
8 |
min-lower-case-letter <num_int> |
Enter the minimum number of required lower case letters in every password. This option is available only when |
0 |
min-upper-case-letter <num_int> |
Enter the minimum number of required upper case letters in every password. This option is available only when |
0 |
min-non-alphanumeric <num_int> |
Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when |
0 |
min-number <num_int> |
Enter the minimum number of number characters required in every password. This option is available only when |
0 |
expire-status {enable | disable} |
Enable to have passwords expire. This option is available only when |
enable |
expire-day <num_int> |
Enter the number of days before the current password is expired and the user will be required to change their password. This option is available only when |
90 |
Example
This example shows how to configure a password policy for administrator passwords:
config system password-policy
set status enable
set apply-to admin-password
set change-4-characters enable
set minimum-length 10
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 30
end
config system schedule group
Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring schedules. To create one-time and recurring schedules, see config system schedule onetime and config system schedule recurring.
Syntax
config system schedule group
edit <schedule_group_name>
set member <schedule_name1> <schedule_name2> ...
end
Variable |
Description |
Default |
<schedule_group_name> |
Enter the name of the schedule group. |
No default |
member <schedule_name1> <schedule_name2> ... |
Enter the names of the schedules to include. Separate multiple names with a space. The schedules must already be defined with the config system schedule onetime or config system schedule recurring command. |
No default |
Example
This example shows how to create a schedule group:
config system schedule group
edit group1
set member schedule1 schedule2
end
config system schedule onetime
Use this command to define a one-time schedule for when a policy will be enforced.
Syntax
config system schedule onetime
edit <schedule_name>
set start <time_date>
set end <time_date>
end
Variable |
Description |
Default |
<schedule_name> |
Enter the name of the schedule. |
No default |
start <time_date> |
Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd |
00:00 1900/01/01 |
end <time_date> |
Enter the end time and date for the schedule in the following format: hh:mm yyyy/mm/dd |
00:00 1900/01/01 |
Example
This example shows how to create a one-time schedule:
config system schedule onetime
edit schedule1
set start 07:00 2019/03/22
set end 07:00 2019/03/29
end
config system schedule recurring
Use this command to define a schedule for specified hours every week.
Syntax
config system schedule recurring
edit <schedule_name>
set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
set start <time>
set end <time>
end
Variable |
Description |
Default |
<schedule_name> |
Enter the name of the schedule. |
No default |
day {monday | tuesday | wednesday | thursday | friday | saturday | sunday} |
Enter one or more days for the ACL to be enforced. Separate days with a space. |
monday tuesday wednesday thursday friday |
start <time> |
Enter the start time for the schedule in the following format: hh:mm |
24:00 |
end <time> |
Enter the end time for the schedule in the following format: hh:mm |
24:00 |
Example
This example shows how to create a recurring schedule:
config system schedule recurring
edit schedule2
set day monday wednesday friday
set start 07:00
set end 08:00
end
config system settings
Use this comand to configure equal cost multi-path (ECMP) routing.
ECMP is a forwarding mechanism that enables load-sharing of traffic to multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop address for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields in the packet to be routed:
- Source IP
- Destination IP
- Input port
Syntax
config system settings
set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}
end
Variable |
Description |
Default |
ip-ecmp-mode {source-ip-based | dst-ip-based | port-based} |
Select the IPv4 ECMP mode:
|
source-ip-based |
Example
This example shows how to configure ECMP:
config system settings
set ip-ecmp-mode port-based
end
config system sflow
Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow datagrams to an sFlow collector.
sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow datagrams containing information about traffic flow to an sFlow collector.
sFlow is normally used to provide an overall traffic flow picture of your network. You would usually operate sFlow agents on switches, routers, and firewall on your network, collect traffic data from all of them and use a collector to show traffic flows and patterns.
Syntax
config system sflow
set collector-ip <collector_ipv4>
set collector_port <port_int>
end
Variable |
Description |
Default |
collector-ip <collector_ipv4> |
The sFlow agents send sFlow datagrams to the sFlow collector at this IP address. |
0.0.0.0 |
collector_port <port_int> |
The UDP port number used for sending sFlow datagrams. Change this setting only if required by your sFlow collector or your network configuration. The value range is 0-65535. |
6343 |
Example
This example shows how to configure sFlow:
config system sflow
set collector-ip 20.20.20.0
set collector_port 200
end
config system sniffer-profile
Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the packet capture, see the execute system sniffer-profile
commands.
Syntax
config system sniffer-profile
edit <profile_name>
set filter {<string> | none}
set max-pkt-count <1-maximum>
set max-pkt-len <64-1534>
set switch-interface <switch_interface_name>
set system-interface <system_interface_name>
end
Variable |
Description |
Default |
<profile_name> |
The name of the packet-capture profile. |
No default |
filter {<string> | none} |
Enter
|
none |
max-pkt-count <1-maximum> |
Enter how many packets to be captured on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Adminstration Guide for details. |
4000 |
max-pkt-len <64-1534> |
Enter the maximum packet length in bytes to be captured on the interface. |
128 |
switch-interface <switch_interface_name> |
Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface. |
No default |
system-interface <system_interface_name> |
Enter the system interface name that you want to capture packets on. You cannot select both a switch interface and a system interface. |
No default |
Example
This example shows how to create a packet-capture profile:
config system sniffer-profile
edit profile1
set filter none
set max-pkt-count 100
set max-pkt-len 100
set system-interface mgmt
end
config system snmp community
Use this command to configure SNMP communities on your FortiSwitch unit. You add SNMP communities so that SNMP managers can connect to the system to view system information and receive SNMP traps. SNMP traps are triggered when system events occur.
You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the system for a different set of events. You can also the add IP addresses of up to 8 SNMP managers for each community.
|
Whey you configure an SNMP manager, ensure that you list it as a host in a community on the FortiSwitch that it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiSwitch unit, and will not be able to query it. |
Syntax
config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <port_number>
set query-v1-status {enable | disable}
set query-v2c-port <port_number>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set trap-v2c-status {enable | disable}
config hosts
edit <host_number>
set interface <if_name>
set ip <address_ipv4>
set source-ip <address_ipv4/mask>
end
config hosts6
edit <host_number>
set interface <if_name>
set ip6 <address_ipv6>
set source-ip6 <address_ipv6>
end
end
Variable |
Description |
Default |
<index_number> |
Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community. |
No default |
events <events_list> |
Enable the events for which the system should send traps to the SNMP managers in this community. |
All events enabled. |
name <community_name> |
Enter the name of the SNMP community. |
No default |
query-v1-port <port_number> |
Enter the SNMP v1 query port number used for SNMP manager queries. |
161 |
query-v1-status {enable | disable} |
Enable or disable SNMP v1 queries for this SNMP community. |
enable |
query-v2c-port <port_number> |
Enter the SNMP v2c query port number used for SNMP manager queries. |
161 |
query-v2c-status {enable | disable} |
Enable or disable SNMP v2c queries for this SNMP community. |
enable |
status {enable | disable} |
Enable or disable the SNMP community. |
enable |
trap-v1-lport <port_number> |
Enter the SNMP v1 local port number used for sending traps to the SNMP managers. |
162 |
trap-v1-rport <port_number> |
Enter the SNMP v1 remote port number used for sending traps to the SNMP managers. |
162 |
trap-v1-status {enable | disable} |
Enable or disable SNMP v1 traps for this SNMP community. |
enable |
trap-v2c-lport <port_number> |
Enter the SNMP v2c local port number used for sending traps to the SNMP managers. |
162 |
trap-v2c-rport <port_number> |
Enter the SNMP v2c remote port number used for sending traps to the SNMP managers. |
162 |
trap-v2c-status {enable | disable} |
Enable or disable SNMP v2c traps for this SNMP community. |
enable |
config hosts and hosts6 |
||
<host_number> |
Enter the index number of the host in the table. Enter an unused index number to create a new host. |
No Default |
interface <if_name> |
Enter the name of the FortiSwitch interface to which the SNMP manager connects. |
No default |
ip <address_ipv4> |
Enter the IPv4 IP address of the SNMP manager (for |
0.0.0.0 |
ip6 <address_ipv6> |
Enter the IPv6 IP address of the SNMP manager (for |
:: |
source-ip <address_ipv4/mask> |
Enter the source IPv4 IP address for SNMP traps sent by the FortiSwitch (for |
0.0.0.0/ 0.0.0.0 |
source-ip6 <address_ipv6> |
Enter the source IPv6 IP address for SNMP traps sent by the FortiSwitch (for |
:: |
config system snmp sysinfo
Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.
Syntax
config system snmp sysinfo
set contact-info <info_str>
set description <description>
set engine-id <engine-id_str>
set location <location>
set status {enable | disable}
set trap-high-cpu-threshold <percentage>
set trap-log-full-threshold <percentage>
set trap-low-memory-threshold <percentage>
set trap-temp-alarm-threshold <temperature in degrees Celsius>
set trap-temp-warning-threshold <temperature in degrees Celsius>
end
Variable |
Description |
Default |
contact-info <info_str> |
Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long. |
No default |
description <description> |
Add a name or description of the system. The description can be up to 35 characters long. |
No default |
engine-id <engine-id_str> |
Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiOS, the snmpEngineID is composed of two parts:
Optionally, enter an engine-id value. |
No default |
location <location> |
Describe the physical location of the system. The system location description can be up to 35 characters long. |
No default |
status {enable | disable} |
Enable or disable the FortiSwitch SNMP agent. |
disable |
trap-high-cpu-threshold <percentage> |
Enter the percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu. There is some smoothing of the high CPU trap to ensure the CPU usage is constant rather than a momentary spike. This feature prevents frequent and unnecessary traps. |
80 |
trap-log-full-threshold <percentage> |
Enter the percentage of disk space used that will trigger the threshold SNMP trap for the log-full. |
90 |
trap-low-memory-threshold <percentage> |
Enter the percentage of memory used that will be the threshold SNMP trap for the low-memory. |
80 |
trap-temp-alarm-threshold <temperature in degrees Celsius> |
Set an alarm for when the system temperature reaches the specified temperature. |
60 |
trap-temp-warning-threshold <temperature in degrees Celsius> |
Set a warning for when the system temperature reaches the specified temperature. The warning threshold must be lower than the alarm threshold. |
50 |
Example
This example shows how to set a warning and an alarm for specified system temperatures:
config system snmp sysinfo
set status enable
set trap-temp-alarm-threshold 80
set trap-temp-warning-threshold 70
end
config system snmp user
Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which hosts will be notified, and if queries are enabled which port to listen on for them.
FortiSwitchOS implements the user security model of RFC 3414. You can require the user to authenticate with a password and you can use encryption to protect the communication with the user.
Syntax
config system snmp user
edit <user_name>
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password>
set queries {enable | disable}
set query-port <port_int>
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
end
Variable |
Description |
Default |
<user_name> |
Edit or add selected user. |
No default |
auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512} |
Select the authentication protocol.
security-level is set to auth-priv or auth-no-priv . |
sha1 |
auth-pwd <password> |
Enter the password for the authentication protocol. This option is available only when |
No default |
priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des} |
Select the encryption protocol.
security-level is set to auth-priv . |
aes128 |
priv-pwd <password> |
Enter the password for the encryption protocol. This option is available only when |
No default |
queries {enable | disable} |
Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables. |
|
query-port <port_int> |
Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port. |
161 |
security-level {no-auth-no-priv | auth-no-priv | auth-priv} |
Set the security level to one of:
|
no-auth-no-priv |