Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

config system

Use the config system commands to configure options related to the overall operation of the FortiSwitch unit:

config system accprofile

Use this command to add access profiles that control administrator access to FortiSwitch features. Each FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiSwitch features.

Syntax

config system accprofile

edit <profile-name>

set admingrp {none | read | read-write}

set alias-commands {all | <list>}

set exec-alias-grp {none | read | read-write}

set loggrp {none | read | read-write}

set netgrp {none | read | read-write}

set routegrp {none | read | read-write}

set sysgrp {none | read | read-write}

end

Variable

Description

Default

<profile-name>

Enter the name for the profile.

No default

admingrp {none | read | read-write}

Set the access permission for admingrp.

none

alias-commands {all | <list>}

Specify the aliases and alias groups to include in the access profile or specify all. The aliases and alias groups specified for this access profile control which commands an administrator can run using the execute alias commands. Use a space to separate multiple items.

No default

exec-alias-grp {none | read | read-write}

Specify one of the following options:

  • Select none to prevent access to the execute alias configure commands.

  • Select read to provide access to the execute alias configure {get | show | show-full-configuration} command.
  • Select read-write to provide access to the execute alias configure {get | show | show-full-configuration | set | unset} and execute alias script commands.

none

loggrp {none | read | read-write}

Set the access permission for loggrp.

none

netgrp {none | read | read-write}

Set the access permission for netgrp.

none

routegrp {none | read | read-write}

Set the access permission for routegrp.

none

sysgrp {none | read | read-write}

Set the access permission for sysgrp.

none

Example

This example shows how to configure an access profile with just read-only permission:

config system accprofile

edit profile1

set admingrp read

set loggrp read

set netgrp read

set routegrp read

set sysgrp read

end

config system admin

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change the access profile (super_admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly. The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making changes.

You can authenticate administrators using a password stored on the FortiSwitch unit or you can use a RADIUS server to perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiSwitch unit as an administrator.

Syntax

config system admin

edit <admin_name>

set accprofile <profile-name>

set accprofile-override {enable | disable}

set allow-remove-admin-session {enable | disable}

set comments <comments_string>

set gui-detail-panel-location {bottom | ide | side}

set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 |

ip6-trusthost4 | ip6-tru sthost5 | ip6-trusthost6 |

ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 |

ip6-trusthost10} <address_ipv6mask>

set password <admin_password>

set peer-auth {disable | enable}

set peer-group <peer-grp>

set remote-auth {enable | disable}

set remote-group <name>

set wildcard {enable | disable}

set schedule <schedule-name>

set ssh-public-key1 "<key-type> <key-value>"

set ssh-public-key2 "<key-type> <key-value>"

set ssh-public-key3 "<key-type> <key-value>"

set {trusthost1 | trusthost2 | trusthost3 | trusthost4 |

trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9

| trusthost10} <address_ipv4mask>

end

end

Variable

Description

Default

<admin_name>

Enter the name for the admin account.

No default

accprofile <profile‑name>

Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features.

No default

accprofile-override {enable | disable}

Enable or disable whether the remote authentication server can override the accesss profile.

disable

allow-remove-admin-session {enable | disable}

Allow admin session to be removed by privileged admin users

disable

comments

<comments_string>

Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)

No default

gui-detail-panel-location {bottom | hide | side}

Choose the position of the log detail window.

bottom

{ip6-trusthost1 | ip6‑trusthost2 | ip6‑trusthost3 | ip6‑trusthost4 | ip6‑trusthost5 | ip6‑trusthost6 | ip6‑trusthost7 | ip6‑trusthost8 | ip6‑trusthost9 | ip6‑trusthost10}

<address_ipv6mask>

Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit.

If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0.

::/0

password

<admin_password>

Enter the password for this administrator. It can be up to 256 characters in length.

No default

peer-auth {disable | enable}

Set to enable peer certificate authentication (for HTTPS admin access).

disable

peer-group <peer-grp>

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled.

No default

remote-auth

{enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

disable

remote-group <name>

Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.

This is available only when remote-auth is enabled.

No default

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled.

disable

schedule <schedule-name>

Restrict times that an administrator can log in. Defined in config firewall schedule. No default indicates that the administrator can log in at any time.

No default

ssh-public-key1 "<key‑type> <key‑value>"

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.

<key-value> is the public key string of the SSH client.

No default

ssh-public-key2 "<key‑type> <key‑value>"

No default

ssh-public-key3 "<key‑type> <key‑value>"

No default

{trusthost1 | trusthost2 |

trusthost3 | trusthost4 |

trusthost5 | trusthost6 |

trusthost7 | trusthost8 |

trusthost9 | trusthost10}

<address_ipv4mask>

Any IPv4 address or subnet address and netmask from which the administrator can connect to the system.

If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

0.0.0.0

0.0.0.0

Example

The following example creates a RADIUS system admin group:

config system admin

edit "RADIUS_Admins"

set remote-auth enable

set accprofile "super_admin"

set wildcard enable

set remote-group "RADIUS_Admins"

next

end

config system alias command

Use this command to grant an administrator access to individual configuration attributes, table entries, or CLI commands. You can also use this command to create a script to run multiple commands. Scripts are a simpler way to manage a large number of commands.

Notes:
  • Configuration-type aliases cannot create or delete table entries. For example, under the config switch interface command, you cannot create a new interface name with the edit <interface_name> command.
  • The super_admin administrator profile has access to all command aliases.

Syntax

config system alias command

edit <alias_name or script_name>

set description <string>

set type {configuration | script}

set path <path>

set attribute <attibute-name>

set permission {read | read-write}

set table-listing {allow | deny}

set limit-shown-attributes {disable | enable}

set read-only-attributes <attribute-name>

set table-ids-allowed <table-ID-value>

set command <string>

set table-entry-create {allow | deny}

config script-arguments

edit <argument_ID>

set type {integer | string | table-id}

set name <string>

set help <string>

set optional {enable | disable}

set range {enable | disable}

set range-delay <0-172800>

set allowed-values <string>

next

end

next

end

Variable

Description

Default

<alias_name or script_name>

If the type will be configuration, enter an alias name for the command in this configuration. If the type will be script,enter a script name.

The alias or script name cannot be all or match an alias group name.

No default
description <string>

If the type will be configuration, enter a description of the command or a help message. It can be up to 80-characters long. The description is displayed with the alias name when you enter execute alias configure {get | show | show-full-configuration | set | unset} ?.

If the type will be script, enter a description of the script. It can be up to 80-characters long. The description is displayed with the script name when you enter execute alias script ?.

No default
type {configuration | script}

The configuration type provides configuration-specific functionality to control get, show, show-full-configuration, set, and unset commands. You can also use the configuration type to limit accessible table entries and limit displayed attributes.

The script type allows the administrator to create a list of CLI commands to run.

configuration
path <path>

Required. Enter the period-separated path to the CLI command.

For example, enter set path switch.lldp.profile to apply the configuration to the config switch lldp profile command. Enter set path system.interface to apply the configuration to the config system interface command. You can specify only top-level objects, such as system.interface, router.bgp, or system.snmp.settings. If you specify child objects or child tables (such as system.interface.ipv6, router.bgp.neighbor, or switch.lldp.profile.custom-tlv), FortiSwitch returns an error.

No default

attribute <attibute-name>

Required. Enter the attribute that can be retrieved or modified.

Enter set attribute ? to see the list of valid attributes. If you enter an invalid value, FortiSwitchOS returns an error.

This option is available only when path has been set.

No default

permission {read | read-write}

Select read to allow this alias to be used by the execute alias configure {get | show | show-full-configuration} command. Select read-write to allow this alias to be used by the execute alias configure {get | show | show-full-configuration | set | unset} command.

read

table-listing {allow | deny}

Allow or prevent the listing of all entries by the execute alias configure {get | show | show-full-configuration} command commands.

  • Select allow to permit all entries to be listed.

  • Select deny to prevent the entries from being listed except for the entries specified in the table-ids-allowed setting. If table-ids-allowed is empty, a valid entry must be provided for listing.

This option is available only when path has been set.

deny

limit-shown-attributes {disable | enable}

Enable or disable whether to limit the attributes displayed with the show and get commands. Selecting disable displays all attributes for the show and get commands. Selecting enable displays only the attributes listed in attributes and read-only-attributes.

enable

read-only-attributes <attribute-name>

When limit-shown-attributes is enabled, you can enter additional attributes to display with the show and get commands. When you enter read-only-attributes ? to see a list of valid attributes, more attributes are available than when you enter set attribute ?. Read-only attributes can include child tables, child objects, and get-only attributes. You can list up to 31 attributes.

No default

table-ids-allowed <table-ID-value>

Specify which entries can be accepted by the execute alias configure {get | show | show-full-configuration | set | unset} command.

Enter set table-ids-allowed ? to see a list of valid entries. You can specify entries that do not currently exist; they can be created later.

If table-listing is set to deny, the table-ids-allowed entries are displayed when the user runs the execute alias configure {get | show | show-full-configuration} command without specifying any entry.

This option is available only when path has been set.

No default

command <string>

Enter the script command (within quotation marks) to be run. You can use the Enter key to separate command lines. Enter set command ? for formatting details.

This option is available only when type has been set to script.

No default

table-entry-create {allow | deny}

Allow or deny the creation of new table (or sub-table) entries.

This option is available only when type has been set to script. When type has been set to configuration, you cannot create any new table entries.

deny

config script-arguments

<argument_ID>

Enter an identifier for the argument. The identifier must match the identifier used in the script.

No default

type {integer | string | table-id}

Enter the data type that the argument accepts.

string

name <string>

Enter the display name for the argument. You can use uppercase and lowercase letters, numbers, and hyphens. The display name is shown when the user runs the execute alias script command.

No default

help <string>

Enter a help message for the argument. You can use uppercase and lowercase letters, numbers, slashes, parentheses, brackets, commas, underscores, and hyphens. The help message is displayed when the user runs the execute alias script command.

No default

optional {enable | disable}

Enable this option to allow the user to omit entering a value for this argument. Disable this option to force the user to specify a value for this argument.

disable

range {enable | disable}

Enable this option to allow a range of integers, a range of table identifiers, or a comma-separated list of strings. Disable this option to allow only a single value for this argument.

disable

range-delay <0-172800>

Enter the number of seconds to delay between values when executing.

This option is available only when range has been set to enable.

0

allowed-values <string>

Enter the values allowed for this argument.

  • If type is set to string, separate values with a space. For example: set allowed-values port1 port3 port7
  • If type is set to integer, you can use ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.
  • If type is set to table-id and the table identifiers are integers, you can use both ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.

No default

Examples

The following example creates two aliases for the config switch physical-port command.

  • The port-description alias allows an administrator to change the set description value; when running a get or show command, the administrator will see only the description configuration.
  • The port-status alias allows an administrator to change the set status value; the administrator will see both the description and port status configuration when running get or show commands.

 

config system alias command

edit "port-status"

set description "View or change the port status."

set type configuration

set path "switch.physical-port"

set attribute "status"

set permission read-write

set limit-shown-attributes enable

set read-only-attributes "description"

next

edit "port-description"

set description "View or change the port description."

set type configuration

set path "switch.physical-port"

set attribute "description"

set permission read-write

set limit-shown-attributes enable

next

end

The following example creates two scripts. Both scripts list the switch mac-address table.

  • The mac-list script is more flexible because it requires that the user specify the VLANs to list the MAC addresses from.
  • The list-mac-by-port-and-vlan-customer-AAA script is more controlled because it allows the user to see the MAC addresses learned on the specified VLANs.

 

config system alias command

edit "list-mac-by-port-and-vlan-customer-AAA"

set description "List MAC addresses on your VLANs and ports."

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter port-id-map 3-8

diag switch mac-address filter vlan-map 1000-1010

diag switch mac-address list

diag switch mac-address filter clear"

next

edit "mac-list"

set description "List MAC addresses learned on the provided VLANs"

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter vlan-map $1

diag switch mac-address list | grep -i mac

diag switch mac-address filter clear"

config script-arguments

edit 1

set name "VLAN-ID-map"

set help "List of VLANs to check"

next

end

next

end

config system alias group

Use this command to specify alias groups to bundle different alias commands together for easy assignment.

Syntax

config system alias group

edit <alias_group_name>

set description <string>

set commands <alias_command_list>

end

Variable

Description

Default

<alias_group_name> Enter a name for the alias group. The name cannot be all or match an alias name. No default
description <string> Enter a description of the command alias group. It can be up to 80-characters long. No default
commands <alias_command_name> Enter a list of command aliases. Use a space to separate them. No default

Example

This example shows how to create a group of two command aliases:

config system alias group

edit aliasgroup1

set description "Alias group for config switch physical-port."

set commands port-status port-description

end

config system arp-table

Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of a interface name, an IP address, and a MAC address.

Syntax

config system arp-table

edit <table_value>

set interface {<string> | internal | mgmt}

set ip <address_ipv4>

set mac <mac_address>

end

Variable

Description

Default

<table_value>

Enter the identification number for the table.

No default

interface {<string> | internal | mgmt}

Enter the interface to associate with this ARP entry

No default

ip <address_ipv4>

Enter the IP address of the ARP entry.

0.0.0.0

mac <mac_address>

Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

Example

This example shows how to add an entry to an ARP table:

config system arp-table

edit 1

set interface internal

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

end

config system bluetooth

Use this command to configure Bluetooth.

Syntax

config system bluetooth

set pin <string>

set status {disable | enable}

end

Variable

Description

Default

pin <string>

Enter the Bluetooth pair personal identification number (PIN).

1234

status {disable | enable}

Enable or disable support for Bluetooth.

disable

config system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax

config system bug-report

set auth {no | yes}

set mailto <email_address>

set password <password>

set server <servername>

set username <name>

set username-smtp <account_name>

end

Variable

Description

Default

auth {no | yes}

Enter yes if the SMTP server requires authentication or no if it does not.

no

mailto <email_address>

The email address for bug reports.

fortiswitch@fortinet.com

password <password>

If the SMTP server requires authentication, enter the required password.

No default

server <servername>

The SMTP server to use for sending bug report email.

fortinet.com

username <name>

A valid user name on the specified SMTP server.

bug_report

username-smtp <account_name>

A valid user name for authentication on the specified SMTP server.

bug_report

Example

This example shows how to configure a custom email relay:

config system bug-report

set auth yes

set mailto techdocs@fortinet.com

set password 123abc

set server fortinet.com

set username techdocs

set username-smtp techdocs

end

config system certificate ca

Use this command to configure CA certificates.

FortiSwitch includes a reserved entry named Fortinet_CA. You cannot modify this entry.

Syntax

config system certificate ca

edit <name>

set ca <certificate>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

certificate

PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example.

No default

set scep-url

Full URL (such as http://www.test.com)

No default

Example

	# config system certificate ca
	# get
	== [ Fortinet_CA ]
	== [ OracleSSLCA ]
	== [ ca ]
	FortiCore-VM # config system certificate ca
	FortiCore-VM (ca) # edit ca-new
	FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
	> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
	> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
	> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
	> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
	> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
	> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
	> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
	> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
	> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
	> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
	> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
	> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
	> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
	> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
	> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
	> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
	> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
	> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
	> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
	> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
	> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
	> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
	> -----END CERTIFICATE-----"

config system certificate crl

Use this command to configure the certificate revocation list.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set http-url <string>

set ldap-server <LDAP>

set scep-cert <certificate>

set scep-url <string>

end

Variable

Description

Default

name

Name of the certificate revocation list

No default

crl

PEM format CRL. Paste the contents of a CRL file between quotation marks.

No default

http-url

URL of HTTP server for CRL update

No default

ldap-server

LDAP server

No default

scep-cert

Local certificate used for CRL update using SCEP

Fortinet_Factory

scep-url

URL of CA server for CRL update using SCEP

No default

config system certificate local

Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot modify this entry.

Syntax

config system certificate local

edit <name>

set comments <string>

set password <passwd>

set private-key <key>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

comments

Optional administrator note.

No default

password

Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate.

*

private-key

Paste the contents of a key file between quotation marks as shown in the example.

No default

scep-url

URL of SCEP server

No default

Example

 # config system certificate local
 # get
	== [ Factory ]
	== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
t7e4fiX6Sd6T5426Gg/HQXRH41mBwGmjKdBSHUbVUZTka2FtD1oLMWE2mTq1c9GMUz0DokPfoqxkjkmja5mWv4/w
A5XdQ00lQmTeMZK/X5OSFmSS
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5/vf1VQB/28CAggA
MBQGCCqGSIb3DQMHBAgZorM0zlnPNASCAViZk4wTZYYMPl0e7NwyxqvLND3LxUaV
UG1XpUSPfnUP4YgrV2d0Uijclj5M7MS341cMVKZ7G1pS/6jvxUr0NamQv4j7JsJ0
t3G7LMkzcTiep26GUCy55Qt+iob7lh0iiKa+4uPOq/Mzy+84AWnRNLfIhevHPsYb
rk4UbwNOFb0ZD9i06+UrFLsRGmtp/vlDyBgAoBojKxB/4j0G299QamnzPz4qneBc
HtPqTMPELyqtT6w4cmnwp6Ti2OOAr9c44mKdyyAVZKie+Iu/4pSVBNSfuC+jjtmC
k8OrCrG14NwrhbTY9zEnGxBRR1NMTEBBTqAQNYWtjUEQVjmY1GAJA3/oBQe7l8C/
G/IUVvc/aaqMvsKSNfDpgZaudTDe1Wxi1792ADGh7zslls+ykH9nmqh7BPfm30Nv
f8O1hXgq01Lvo4v1xdC0w5oAeCyGlbTY5ZnXJFm0HCp0kA==
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw
DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs
ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK
XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT
iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI
hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM
G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF
-----END CERTIFICATE REQUEST-----
"

config system certificate ocsp

Use this command to configure the OCSP server certificate.

Syntax

config system certificate ocsp

set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set unavail-action {ignore | revoke}

set url <string>

end

Variable

Description

Default

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Enter the name of the certificate or select one of the listed certificates.

No default

unavail-action {ignore | revoke}

Set if the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable.

revoke

url <string>

Enter the URL for the OCSP server.

No default

Example

This example shows how to configure the OCSP server certificate:

config system certificate ocsp

set cert Fortinet_CA

set unavail-action ignore

set url https://www.fortinet.com

end

config system certificate remote

Use this command to install remote certificates. The remote certificates are public certificates without a private key.

config system certificate remote

edit <name>

set remote "<cert>"

end

Variable

Description

Default

name

Name for the certificate

No default

remote "<cert>"

PEM-format certificate

No default

config system console

Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.

Syntax

config system console

set baudrate <speed>

set mode {batch | line}

set output {standard | more}

end

Variable

Description

Default

baudrate <speed>

Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200.

115200

mode {batch | line}

Set the console mode to line or batch. Used for autotesting only.

line

output {standard | more}

Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed).

This setting applies to show or get commands only.

more

Example

This example shows how to configure the console:

config system console

set baudrate 57600

set mode batch

set output standard

end

config system dhcp server

Use this command to configure DHCP servers.

Syntax

config system dhcp server

edit <id>

set auto-configuration {enable | disable}

set conflicted-ip-timeout <integer>

set default-gateway <xxx.xxx.xxx.xxx>

set dns-server1 <xxx.xxx.xxx.xxx>

set dns-server2 <xxx.xxx.xxx.xxx>

set dns-server3 <xxx.xxx.xxx.xxx>

set dns-service {default | local | specify

set domain <string>

set filename <string>

set interface <string>

set lease-time <integer>

set netmask <xxx.xxx.xxx.xxx>

set next-server <xxx.xxx.xxx.xxx>

set ntp-server1 <xxx.xxx.xxx.xxx>

set ntp-server2 <xxx.xxx.xxx.xxx>

set ntp-server3 <xxx.xxx.xxx.xxx>

set ntp-service {default | local | specify}

set status {enable | disable}

set tftp-server <xxx.xxx.xxx.xxx>

set timezone <00-75>

set timezone-option {default | disable | specify}

set vci-match {enable | disable}

set vci-string <VCI_strings>

set wifi-ac1 <xxx.xxx.xxx.xxx>

set wifi-ac2 <xxx.xxx.xxx.xxx>

set wifi-ac3 <xxx.xxx.xxx.xxx>

set wins-server1 <xxx.xxx.xxx.xxx>

set wins-server2 <xxx.xxx.xxx.xxx>

config exclude-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config ip-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config options

edit <id>

set code <integer>

set ip <IP_addresses>

set type {fqdn | hex | ip | string}

set value <string>

next

end

config reserved-address

edit <id>

set action {assign | block | reserved}

set circuit-id {<string> | <hex>}

set circuit-id-type {hex | string}

set description <string>

set ip <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set remote-id {<string> | <hex>}

set remote-id-type {hex | string}

set type {mac | option82}

next

end

next

end

Variable

Description

Default

<id>

Enter the identifier.

No default

auto-configuration {enable | disable}

Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface

enable

conflicted-ip-timeout <integer>

Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.

1800

default-gateway <xxx.xxx.xxx.xxx>

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

0.0.0.0

dns-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 1. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 2. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 3. This option is only available when dns-service is set to specify.

0.0.0.0

dns-service {default | local | specify}

Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.

specify

domain <string>

Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.

No default

filename <string>

Enter the name of the boot file on the TFTP server.

No default

interface <string>

Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.

No default

lease-time <integer>

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.

Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.

604800

netmask <xxx.xxx.xxx.xxx>

Enter the netmask of the addresses that the DHCP server assigns.

0.0.0.0

next-server <xxx.xxx.xxx.xxx>

Enter the IPv4 address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.

0.0.0.0

ntp-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 1. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 2. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 3. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-service {default | local | specify}

Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.

specify

status {enable | disable}

Enable or disable this DHCP configuration.

enable

tftp-server <string>

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.

No default

timezone <00-75>

Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.

(GMT+12:00)Eniwetok,Kwajalein)

timezone-option {default | disable | specify}

Select how the DHCP server sets the clientʼs time zone. Select disable for the DHCP server to not set the clientʼs time zone. Select default for clients to be assigned the FortiSwitch unitʼs configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.

disable

vci-match {enable | disable}

Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.

disable

vci-string <VCI_strings>

Enter one or more VCI strings. This option is only available if vci-match is set to enable.

No default

wifi-ac1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417).

0.0.0.0

wins-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 1.

0.0.0.0

wins-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 2.

0.0.0.0

config exclude-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the IP address range that will not be assigned to clients.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the IP address range that will not be assigned to clients.

0.0.0.0

config ip-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the DHCP IP address range.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the DHCP IP address range.

0.0.0.0

config options

<id>

Enter the identifier.

No default

code <integer>

Select the DHCP option code. The range is 0-255.

9

ip <IP_addresses>

If type is set to ip, enter the IP addresses.

No default

type {fqdn | hex | ip | string}

Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.

hex

value <string>

Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.

No default

config reserved-address

<id>

Enter the identifier.

No default

action {assign | block | reserved}

Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.

reserved

circuit-id {<string> | <hex>}

Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.

No default

circuit-id-type {hex | string}

Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.

string

description <string>

Enter a description of this entry.

No default

ip <xxx.xxx.xxx.xxx>

Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.

0.0.0.0

mac <xx:xx:xx:xx:xx:xx>.

Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.

00:00:00:00:00:00

remote-id {<string> | <hex>}

Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.

No default

remote-id-type {hex | string}

Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.

string

type {mac | option82}

Select whether to match the IP address with the MAC address or DHCP option 82.

mac

Example

This example shows how to configure a DHCP server:

config system dhcp server

edit 1

set default-gateway 50.50.50.2

set domain "FortiswitchTest.com"

set filename "text1.conf"

set interface "svi10"

config ip-range

edit 1

set end-ip 50.50.0.10

set start-ip 50.50.0.5

next

end

set lease-time 360

set netmask 255.255.0.0

set next-server 60.60.60.2

config options

edit 1

set value "dddd"

next

end

set tftp-server "1.2.3.4"

set timezone-option specify

set wifi-ac1 5.5.5.1

set wifi-ac2 5.5.5.2

set wifi-ac3 5.5.5.3

set wins-server1 6.6.6.1

set wins-server2 6.6.6.2

set dns-server1 7.7.7.1

set dns-server2 7.7.7.2

set dns-server3 7.7.7.3

set ntp-server1 8.8.8.1

set ntp-server2 8.8.8.2

set ntp-server3 8.8.8.3

next

end

config system dns

Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and URL blocking, use DNS.

Syntax

config system dns

set cache-notfound-responses {enable | disable}

set dns-cache-limit <integer>

set dns-cache-ttl <int>

set domain <domain_name>

set ip6-primary <dns_ipv6>

set ip6-secondary <dns_ip6>

set primary <dns_ipv4>

set secondary <dns_ip4>

set source-ip <ipv4_addr>

end

Variable

Description

Default

cache-notfound-responses {enable | disable}

Enable to cache NOTFOUND responses from the DNS server.

disable

dns-cache-limit <integer>

Set maximum number of entries in the DNS cache.

5000

dns-cache-ttl <int>

Enter the duration, in seconds, that the DNS cache retains information.

1800

domain <domain_name>

Set the local domain name (optional).

No default

ip6-primary <dns_ipv6>

Enter the primary IPv6 DNS server IP address.

::

ip6-secondary <dns_ip6>

Enter the secondary IPv6 DNS server IP address.

::

primary <dns_ipv4>

Enter the primary DNS server IP address.

0.0.0.0

secondary <dns_ip4>

Enter the secondary DNS IP server address.

0.0.0.0

source-ip <ipv4_addr>

Enter the IP address for communications to DNS server.

0.0.0.0

Example

This example shows how to set the DNS server addresses:

config system dns

set cache-notfound-responses enable

set dns-cache-limit 2000

set dns-cache-ttl 900

set domain fortinet.com

set primary 172.91.112.53

set secondary 172.91.112.52

end

config system fips-cc

Use this command to configure Federal Information Processing Standards (FIPS) mode.

caution icon Back up your FortiSwitch configuration before enabling or disabling FIPS mode. When you enable or disable FIPS mode, your switch configuration is deleted.

Syntax

config system fips-cc

set entropy-token {disable | dynamic | enable}

set reseed-interval <0-1440 minutes>

set self-test-interval <0-1440 minutes>

set status {disable | enable}

end

Variable

Description

Default

entropy-token {disable | dynamic | enable}

Specify whether to use the entropy seed:

  • disable—Do not use the entropy seed.
  • dynamic—The FortiSwitch unit detects whether the entropy seed is present when the switch starts.
  • enable—Use the entropy seed when the switch starts. This setting is required for FIPS mode.
dynamic
reseed-interval <0-1440 minutes> Set the number of minutes between reseeding the entropy token. 1440
self-test-interval <0-1440 minutes> Set the number of minutes between self-tests of the system. Set this option to 0 to disable system self-tests. 0
status {disable | enable} Enable or disable FIPS mode. disable

Example

This example shows how to configure FIPS mode:

config system fips-cc

set entropy-token enable

set reseed-interval 720

set self-test-interval 720

set status enable

end

config system flow-export

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Syntax

config system flow-export

set filter <string>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <integer>

set template-export-period <1-60>

set timeout-general <integer>

set timeout-icmp <integer>

set timeout-max <integer>

set timeout-tcp <integer>

set timeout-tcp-fin <integer>

set timeout-tcp-rst <integer>

set timeout-udp <integer>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Variable

Description

Default

filter <string>

Specify the Berkeley packet filter (BPF) to use. For example, set filter "host 33.33.33.2".

No default

format {netflow1 | netflow5 | netflow9 | ipfix}

You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

 

NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.

netflow9

identity <hexadecimal>

Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).

0x00000000

level {ip | mac | port | proto | vlan}

You can set the flow-tracking level to one of the following: - ip—The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.

  • mac—The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
  • port—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
  • vlan—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.

ip

max-export-pkt-size <integer>

Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216.

512

template-export-period <1-60>

Set the number of minutes before the template is exported.

5

timeout-general <integer>

Set the general timeout in seconds for the flow session. The range of values is 60-604800.

3600

timeout-icmp <integer>

Set the ICMP timeout for the flow session. The range of values is 60-604800.

300

timeout-max <integer>

Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.

604800

timeout-tcp <integer>

Set the TCP timeout for the flow session. The range of values is 60-604800.

3600

timeout-tcp-fin <integer>

Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.

300

timeout-tcp-rst <integer>

Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.

120

timeout-udp <integer>

Set the UDP timeout for the flow session. The range of values is 60-604800.

300

config collectors

<collector_name>

Enter the name of the flow-export collector.

No default

ip <IPv4_address>

Enter the IP address for the collector.

 

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

0.0.0.0

port <port_number>

Enter the port number for the collector.

 

The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.

0

transport {sctp | tcp | udp}

You can set exported packets to use UDP, TCP, or SCTP for transport.

udp

config aggregates

<id>

Enter the identifier.

No default

<IPv4_address_mask>

Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.

No default

Example

This example shows how to configure flow export:

config system flow-export

set format ipfix

set level ip

config collectors

edit flowone

set ip 169.254.3.1

set port 5

set transport tcp

next

end

end

config system fsw-cloud

Use this command to configure the FortiSwitch Cloud. The FortiSwitch Cloud allows you to quickly check the status and to configure multiple FortiSwitch units through a single management portal.

NOTE: To use the FortiSwitch Cloud, you must have a Cloud Management license, and your FortiSwitch unit must be in standalone mode, connected to the Internet, and the system time must be accurate. To set the time on your FortiSwitch unit, see config system ntp.

Syntax

config system fsw-cloud

set interval <integer>

set name <string>

set port <port_number>

set status {enable | disable}

end

Variable

Description

Default

interval <integer>

The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.

45

name <string>

The domain name for the FortiSwitch Cloud.

fortiswitch-dispatch.forticloud.com

port <port_number>

Port number used to connect to the FortiSwitch Cloud.

443

status {enable | disable}

Whether the FortiSwitch Cloud is enabled or disabled.

disable

Example

This example shows how to configure the FortiSwitch Cloud:

config system fsw-cloud

set interval 150

set name fortiswitch-dispatch.forticloud.com

set port 443

set status enable

end

config system global

Use this command to configure global settings that affect various FortiSwitch systems and configurations.

Syntax

config system global

set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-concurrent {enable | disable}

set admin-https-pki-required {enable | disable}

set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}

set admin-lockout-duration <time_int>

set admin-lockout-threshold <failed_int>

set admin-port <port_number>

set admin-scp {enable | disable}

set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-sport <port_number>

set admin-ssh-grace-time <time_int>

set admin-ssh-port <port_number>

set admin-ssh-v1 {enable | disable}

set admin-telnet-port <port_number>

set admintimeout <admin_timeout_minutes>

set alertd-relog {enable | disable}

set alert-interval <1-1440 minutes>

set allow-subnet-overlap {enable | disable}

set arp-timeout <seconds>

set asset-tag <string>

set cfg-save {automatic | manual | revert}

set clt-cert-req {enable | disable}

set csr-ca-attribute {enable | disable}

set daily-restart {enable | disable}

set detect_ip_conflict {enable | disable}

set dhcp-client-location {description | hostname | intfname | mode | vlan}

set dhcp-option-format {ascii | legacy}

set dhcp-remote-id {hostname | ip | mac}

set dhcp-server-access-list {enable | disable}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcps-db-exp <number_of_seconds>

set dhcps-db-per-port-learn-limit <number_of_entries>

set dst {enable | disable}

set hostname <unithostname>

set image-rotation {enable | disable}

set ip-conflict-ignore-default {enable | disable}

set ipv6-accept-dad <0 | 1 | 2>

set ipv6-all-forwarding {enable | disable}

set kernel-crashlog {enable | disable}

set kernel-devicelog {enable | disable}

set l3-host-expiry {enable | disable}

set language <language>

set ldapconntimeout <ldaptimeout_msec>

set post-login-banner "<string>"

set pre-login-banner "<string>"

set private-data-encryption {enable | disable}

set radius-coa-port <port_number>

set radius-port <radius_port>

set remoteauthtimeout <timeout_sec>

set revision-backup-on-logout {enable | disable}

set revision-backup-on-upgrade {enable | disable}

set strong-crypto {enable | disable}

set switch-mgmt-mode {fortilink | local}

set tcp-mss-min <48-10000>

set tcp6-mss-min<48-10000>

set timezone <timezone_number>

end

Variable

Description

Default

802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Set the CA certificate for port security (802.1x):
  • Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
  • Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
  • Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
  • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.

Entrust_802.1x_CA

802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Set the certificate for port security (802.1x):
  • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Entrust_802.1x

admin-concurrent {enable | disable}

Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.

enable

admin-https-pki-required {enable | disable}

Enable to allow user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting of disable allows admin users to log in by providing a valid certificate or password.

disable

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}

Set the allowed SSL/TLS versions for Web administration.

tlsv1-1 tlsv1-2 tlsv1-3

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.

60

admin-lockout-threshold

<failed_int>

Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.

3

admin-port <port_number>

Enter the port to use for HTTP administrative access.

80

admin-scp {enable | disable}

Enable to allow system configuration download by the secure copy (SCP) protocol.

disable

admin-server-cert

{self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Select the administration HTTPS server certificate to use:
  • self-sign—Use a self-signed security certificate. Self-signed certificates are free and will encrypt the data just as securely as a purchased certificate. Self-signed certificates, however, are not likely to be recognized by the CA certificate store so will be considered by any checks against that store as invalid.
  • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Fortinet_Firmware

admin-sport <port_number>

Enter the port to use for HTTPS administrative access.

443

admin-ssh-grace-time

<time_int>

Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds.

120

admin-ssh-port <port_number>

Enter the port to use for SSH administrative access.

22

admin-ssh-v1 {enable | disable}

Enable compatibility with SSH v1.0.

disable

admin-telnet-port

<port_number>

Enter the port to use for telnet administrative access.

23

admintimeout <admin_timeout_minutes>

Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).

To improve security, keep the idle timeout at the default value of 5 minutes.

5

alertd-relog {enable | disable}

Enable or disable re-logs when a sensor exceeds its threshold.

disable

alert-interval

NOTE: This command is only available after the alertd-relog option has been enabled.

Set how often an alert is generated for temperature sensors when they exceed their set thresholds.

30

allow-subnet-overlap {enable | disable}

Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.

Note: Different interfaces cannot have overlapping IP addresses or subnets.

Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

disable

arp-timeout <seconds>

Set the number of seconds before dynamic ARP entries are removed from the cache.

300

asset-tag

LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).

No default

cfg-save {automatic | manual | revert}

Set the method for saving the FortiSwitch system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
  • automatic automatically save the configuration after every change.
  • manual manually save the configuration using the execute acl key-compaction command.
  • revert manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.

automatic

clt-cert-req {enable | disable}

Enable or disable the requirement to have a client certificate to log in to the GUI.

disable

csr-ca-attribute {enable | disable}

Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.

enable

daily-restart {enable | disable}

Enable to restart the FortiSwitch every day.

The time of the restart is controlled by restart-time.

disable

detect_ip_conflict {enable | disable}

Enable the Detect IP Conflict feature.

enable

dhcp-client-location {description | hostname | intfname | mode | vlan}

Select which parameters to include to describe the client location. Separate multiple parameters with a space.
  • description—Include the interface description.
  • hostname—Include the host name.
  • intfname—Include the interface name.
  • mode—Include the mode.
  • vlan—Include the VLAN.

intfname vlan mode

dhcp-option-format {ascii | legacy}

Select the format for the DHCP string:
  • ascii—This format allows the user to choose the values for the circuit-id and remote-id fields.
  • legacy—This format generates a predefined fixed format for the circuit-id and remote-id fields.

ascii

dhcp-remote-id {hostname | ip | mac}

Select which parameters to include in the remote-id field:
  • hostname—Include the host name.
  • ip—Include the IP address.
  • mac—Include the MAC address.

mac

dhcp-server-access-list {enable | disable}

Set to disable for DHCP snooping to allow any DHCP server from trusted interfaces. Set to enable for DHCP snooping to allow only DHCP servers that are included in the allowed server list.

disable

dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

Select which transmission mode to use for broadcasting client DHCP packets:
  • drop-untrusted—Client packets are broadcasted on trusted ports in the VLAN.
  • forward-untrusted—By default, client packets are broadcasted on all ports in the VLAN.

forward-untrusted

dhcps-db-exp <number_of_seconds>

Set the number of seconds for a DHCP-snooping server database entry to be kept. The range of values is 300-259200.

86400

dhcps-db-per-port-learn-limit <number_of_entries>

Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024.

64

dst {enable | disable}

Enable or disable daylight saving time.

If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.

enable

hostname <unithostname>

Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underlines. No spaces are allowed.

While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI, and other locations the hostname is used.

Some models support hostnames up to 35 characters.

By default the hostname of your system is its serial number which includes the model.

FortiSwitch serial number.

image-rotation {enable | disable}

Enable or disable the rotation of the partition used to upgrade the FortiSwitch image.

enable

ip-conflict-ignore-default {enable | disable}

Enable or disable IP conflict detection for the default IP address.

enable

ipv6-accept-dad <0 | 1 | 2>

Specify whether to accept IPv6 duplicat address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found.

1

ipv6-all-forwarding {enable | disable

Enable or disable IPv6 forwarding.

enable

kernel-crashlog {enable | disable}

Enable or disable whether to log a kernel crash.

enable

kernel-devicelog {enable | disable}

Enable or disable the capture of kernel device messages to the log.

enable

l3-host-expiry {enable | disable}

Enable or disable layer-3 host expiry.

disable

language <language>

Set the display language. You can set <language> to one of english, french, japanese, korean, portuguese, spanish, simch (Simplified Chinese) or trach (Traditional Chinese).

english

ldapconntimeout <ldaptimeout_msec>

LDAP connection timeout in msec

500

post-login-banner "<string>"

Enter a message for the system post-login banner.

No default

pre-login-banner "<string>"

Enter a message for the system pre-login banner.

No default

private-data-encryption {enable | disable}

Enable or disable private data encryption using an AES 128-bit key.

disable

radius-coa-port <port_number>

Set the port number to be used for the RADIUS change of authorization (CoA).

3799

radius-port <radius_port>

Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your system.

1812

remoteauthtimeout

<timeout_sec>

The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds, 0 means no timeout.

To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

5

revision-backup-on-logout {disable | enable}

Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI.

enable

revision-backup-on-upgrade {enable | disable}

Enable or disable backing up the latest configuration revision when the administrator starts an upgrade.

enable

strong-crypto {enable | disable}

Strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta).

NOTE: Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.

disable

switch-mgmt-mode {fortilink | local}

Determines whether the switch is being managed locally, or managed by a FortiGate through a FortiLink connection.

local

tcp-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

tcp6-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

timezone <timezone_number>

The number corresponding to your time zone from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiSwitch from the list and enter the correct number.

00

Example

This example shows how to set your private data encryption key:

S548DN5018000535 # config system global

 

S548DN5018000535 (global) # set private-data-encryption enable

 

S548DN5018000535 (global) # end

Please type your private data encryption key (32 hexadecimal numbers):

0123456789abcdefabcdef0123456789

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

0123456789abcdefabcdef0123456789

Your private data encryption key is accepted.

 

This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try again to log in to five minutes:

config system global

set admin-lockout-threshold 1

set admin-lockout-duration 300

end

config system interface

Use this command to edit the configuration of an interface.

If you enter a name string in the edit command that is not the name of a physical interface, the command creates a VLAN subinterface.

Syntax

config system interface

edit <interface_name>

set allowaccess <access_types>

set alias <name_string>

set bfd {enable | disable | global}

set bfd-desired-min-tx <interval_msec>

set bfd-detect-mult <multiplier>

set bfd-required-min-rx <interval_msec>

set description <text>

set dhcp-relay-service {enable | disable}

set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

set dhcp-relay-option82 {enable | disable}

set dhcp-vendor-specific-option <string>

set external {enable | disable)

set fail-detect {enable | disable}

set fail-detect-option {link-down | detectserver}

set fail-alert-method {link-d own | link-failed-signal}

set fail-alert-interfaces {port1 port2 ...}

set icmp-redirect {enable | disable}

set interface <interface_name>

set ip <interface_ipv4mask>

set log {enable | disable}

set mode <static | dhcp>

set dhcp-client-identifier <client_name_str>

set distance <1-255>

set defaultgw {enable | disable}

set dns-server-override {enable | disable}

set mtu-override {enable | disable}

set secondary-IP {enable | disable}

set snmp-index <integer>

set src-check {disable | loose | strict}

set src-check-allow-default {enable | disable}

set status {down | up}

set type {loopback | vlan}

set vlanid <id_number>

set vrf <string>

set vrrp-virtual-mac {enable | disable}

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local {enable | disable}

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-address

edit <prefix_ipv6>

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

 

A VLAN cannot have the same name as a zone or a virtual domain.

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

Varies for each interface.

alias <name_string>

Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is only available when interface type is physical.

No default.

bfd {enable | disable | global}

The status of bidirectional forwarding detection (bfd) on this interface:
  • enable — enable BFD and ignore global BFD configuration.
  • disable — disable BFD on this interface.
  • global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.

global

bfd-desired-min-tx <interval_msec>

Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec. This option is available only when bfd is enabled.

50

bfd-detect-mult <multiplier>

Select the BFD detection multiplier. This option is available only when bfd is enabled.

3

bfd-required-min-rx <interval_msec>

Enter the minimum required interface for the BFD receive interval. Valid range is from 1 to 100 000 msec. This is available only when bfd is enabled.

50

description <text>

Optionally, enter up to 63 characters to describe this interface.

No default

dhcp-relay-service {enable | disable}

Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.

There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.

disable

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept.

Do not set dhcp-relay-ip to 0.0.0.0. This option is available only when dhcp-relay-service is enabled.

No default

dhcp-relay-option82 {enable | disable}

Enable to allow option-82 insertion in the DHCP relay. This option is available only when dhcp-relay-service is enabled.

disable

dhcp-vendor-specific-option <string>

Set the value for DHCP vendor-specific option 43.

No default

external {enable | disable)

Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the config VoIP profile SIP contact-fixup option is disabled.

disable

fail-detect {enable | disable}

Enable interface failure detection.

disable

fail-detect-option {link-down | detectserver}

Select whether the system detects interface failure by port detection (link-down) or ping server (detectserver). This option is available only when fail-detect is enabled.

link‑down

fail-alert-method

{link‑down | link‑failed‑signal}

Select the signal that the system uses to signal the link failure: Link Down or Link Failed. This option is available only when fail-detect is enabled.

link‑down

fail-alert-interfaces {port1 port2 ...}

Select the interfaces to which failure detection applies. This option is available only when fail-detect is enabled.

No default

icmp-redirect {enable | disable}

Disable to stop ICMP redirect from sending from this interface. ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available.

enable

interface <interface_name>

Enter the name of the interface. This option is available ony when vlanid is set.

internal

ip <interface_ipv4mask>

Enter the interface IP address and netmask. This option is not available if mode is set to dhcp. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.

Varies for each interface.

log {enable | disable}

Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting.

disable

mode <interface_mode>

Configure the connection mode for the interface as one of:

  • static — configure a static IP address for the interface.
  • dhcp — configure the interface to receive its IP address from an external DHCP server.

static

dhcp-client-identifier

Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual interfaces). By default, the DHCP client identifier for each interface is created based on the model name and the interface MAC address. In some cases, you might want to specify your own DHCP client identifier using this command. This option is available only when the mode is set to dhcp.

No default

distance <1-255>

Enter the distance of learned routes.

This command is available only when mode is set to dhcp.

5

defaultgw {enable | disable}

Enable to get the gateway IP address from the DHCP server. This option is available only when the mode is set to dhcp.

disable

dns-server-override {enable | disable}

Disable to prevent this interface from using DNS server addresses it acquires by DHCP. This option is available only when the mode is set to dhcp.

enable

mtu-override {enable | disable}

Select enable to use custom MTU size instead of default (1 500). This is available only for physical interfaces and some tunnel interfaces (not IPsec). If you change the MTU size, you must reboot the FortiSwitch to update the MTU values of the VLANs on this interface. Some models support MTU sizes larger than the standard 1 500 bytes.

disable

secondary-IP {enable | disable}

Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address. When disabled, the Web-based manager interface displays only the option to enable secondary IP.

disable

snmp-index <integer>

Configure the SNMP index

 

src-check {disable | loose | strict}

Set to disable if you do not want to use unicast reverse-path forwarding (uRPF).

Set to strict to ensure that the packet was received on the same interface that the router uses to forward the return packet.

Set to loose to ensure that the routing table includes the source IP address of the packet.

disable

src-check-allow-default {enable | disable}

If you disable the src-default-route-check option, the packet is dropped if the source IP address is not found in the routing table. If you enable the src-default-route-check option, the packet is allowed even if the source IP address is not found in the routing table, but the default route is found in the routing table.

This option is available only when src-check is set to loose.

disable

status {down | up}

Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

up(down for VLANs)

type {loopback | vlan}

Enter the type of interface. NOTE: Some types are read only and are set automatically by hardware.
  • loopback — a virtual interface that is always up. This interface’s status and link status are not affected by external changes. It is primarily used for blackhole routing - dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. loopback interfaces have no dhcp settings, no forwarding, no mode, or dns settings. You can create a loopback interface from the CLI or Web-based manager.
  • vlan — a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.

vlan

vlanid <id_number>

Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of VLAN.

No default

vrf <string>

Assign this virtual routing and forwarding (VRF) instance to a switch virtual interface (SVI).

After the SVI is created, the VRF instance cannot be changed or unset. The VRF instance cannot be assigned to an internal SVI.

No default

vrrp-virtual-mac {enable | disable}

Enable VRRP virtual MAC addresses for the IPv4 VRRP routers added to this interface.See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ipv6

Configure IPv6 settings for the interface.

Syntax

config system interface

edit <interface_name>

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local {enable | disable}

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-address

edit <prefix_ipv6>

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

ip6-address <ipv6_netmask>

The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.

This command is only available in NAT/Route mode.

::/0

ip6-allowaccess <access_types>

Enter the types of management access permitted on this IPv6 interface. Valid types are: fgfm, http, https, ping, snmp, ssh, and telnet. Separate the types with spaces. If you want to add or remove an option from the list, retype the list as required.

Varies for each interface.

autoconf {disable | enable}

Enable or disable the automatic address configuration.

disable

ip6-unknown-mcast-to-cpu {disable | enable}

Enable or disable the sending of unknown multicast addresses to the CPU.

disable

ip6-mode {dhcp | static}

Set the addressing mode to be static or DHCP.

DHCP addressing mode is available only when autoconf is disabled.

static

ip6-dns-server-override {disable | enable}

Enable or disable using the DNS server acquired by DHCP.

This command is available only when the ip6-mode is set to dhcp.

enable

dhcp6-information-request {disable | enable}

Enable or disable the DHCPv6 infomation request.

disable

ip6-send-adv {disable | enable}

Enable or disable the sending of the IPv6 router advertisement.

This command is only available when autoconf is disabled.

disable

ip6-manage-flag {disable | enable}

Enable or disable the sending of the IPv6 managed flag.

disable

ip6-other-flag {disable | enable}

Enable or disable the sending of the IPv6 other flag.

disable

ip6-max-interval <4-1800>

Specify the maximum number of seconds before the RA is sent.

600

ip6-min-interval <3-1350>

Specify the minium number of seconds before the RA is sent.

198

ip6-link-mtu <integer>

Specify the IPv6 link maximum transmission unit.

0

ip6-reachable-time <0-3600000>

Specify the IPv6 reachable time in milliseconds.

0

ip6-retrans-time <0-2147483647>

Specify the IPv6 retransmit time in milliseconds.

0

ip6-default-life <0-9000>

Specify the IPv6 default life in seconds.

1800

ip6-hop-limit <0-255>

Specify the maximum number of IPv6 hops.

0

vrip6_link_local {enable | disable}

Enter the link-local IPv6 address of virtual router.

No default

vrrp-virtual-mac6 {enable | disable}

Enable VRRP virtual MAC addresses for the IPv6 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ip6-extra-addr

<prefix_ipv6>

IPv6 address prefix. Configure addditonal IPv6 prefixes for this IPv6 interface.

No default

config ip6-prefix-list

<prefix_ipv6>

IPv6 advertised prefix list. Configure which IPv6 prefixes are advertised..

No default

autonomous-flag {disable | enable}

Enable or disable the autonomous flag.

enable

onlink-flag {disable | enable}

Enable or disable the onlink flag.

disable

preferred-life-time <0-2147483647>

Specify the preferred lifetime in seconds for the advertised IPv6 prefix.

604800

valid-life-time <0-2147483647>

Specify the valid lifetime in seconds for the advertised IPv6 prefix.

2592000

config secondaryip

Configure a second IP address for the interface.

Syntax

config system interface

edit <interface_name>

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<id>

Identifier.

No default

ip <IP_address_and_netmask>

Enter the IP address and netmask.

0.0.0.0 0.0.0.0

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

No default

config vrrp

Add one or more VRRP virtual routers to a interface. For information about VRRP, see RFC 5798.

Syntax

config system interface

edit <interface_name>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<VRID_int>

VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.

None

adv-interval <seconds_int>

VRRP advertisement interval (1-255 seconds).

1

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

enable

priority <prio_int>

Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.

100

start-time <seconds_int>

The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system.

3

status {enable | disable}

Enable or disable this virtual router.

enable

version {2 | 3}

Set the VRRP version to VRRP version 2 or VRRP version 3.

2

vrdst <ipv4_addr>

Monitor the route to this destination.

0.0.0.0

vrgrp <integer>

VRRP group identifier. The value range is 1-65535.

0

vrip <ipv4_addr>

IP address of the virtual router.

0.0.0.0

Example

This example shows how to configure VRRP:

config system interface

edit "vlan-8"

set ip 10.10.10.1 255.255.255.0

set allowaccess ping https http ssh

set vrrp-virtual-mac enable

config vrrp

edit 5

set priority 255

set vrgrp 50

set vrip 11.1.1.100

next

edit 6

set priority 200

set vrgrp 50

set vrip 11.1.1.100

next

edit 7

set priority 150

set vrgrp 50

set vrip 11.1.1.100

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end

config system ipv6-neighbor-cache

Use this command to configure the IPv6 neighbor cache table:

config system ipv6-neighbor-cache

edit <id>

set interface {<string> | internal | mgmt}

set ipv6 <IPv6_address>

set mac <MAC_address>

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

interface <interface_name>

Required. Enter the interface.

No default

ipv6 <IPv6_address>

Enter the IPv6 addresss in the following format:

 

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

::

mac <MAC_address>

Enter the MAC address in the following format:

 

xx:xx:xx:xx:xx:xx

00:00:00:00:00:00

Example

This example shows how to configure an entry in the IPv6 neighbor cache table.

config system ipv6-neighbor-cache

edit id

set interface internal

set ipv6 e80::a5b:eff:fef1:95e4

set mac 00:21:cc:d2:76:72

end

config system link-monitor

Use this command to configure the link health monitor.

config system link-monitor

edit <link monitor name>

set addr-mode {ipv4 | ipv6}

set srcintf <string>

set protocol {arp | ping}

set gateway-ip <IPv4 address>

set gateway-ip6 <IPv6 address>

set source-ip <IPv4 address>

set source-ip6 <IPv6 address>

set interval <integer>

set timeout <integer>

set failtime <integer>

set recoverytime <integer>

set update-static-route {enable | disable}

set status {enable | disable}

next

end

Variable

Description

Default

<link monitor name>

Enter the link monitor name.

No default

addr-mode {ipv4 | ipv6}

Select whether to use IPv4 or IPv6 addresses.

ipv4

srcintf <string>

Interface where the monitor traffic is sent.

No default

protocol {arp | ping}

Protocols used to detect the server. Select ARP or ping.

arp

gateway-ip <IPv4 address>

Gateway IPv4 address used to PING the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

gateway-ip6 <IPv6 address>

Gateway IPv6 address used to PING the server. This option is available only when addr-mode is set to ipv6.

No default

source-ip <IPv4 address>

Source IPv4 address used in packet to the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

source-ip6 <IPv6 address>

Source IPv6 address used in packet to the server. This option is available only when addr-mode is set to ipv6.

No default

interval <integer>

Detection interval in seconds. The range is 1-3600.

5

timeout <integer>

Detect request timeout in seconds. The range is 1-255.

1

failtime <integer>

Number of retry attempts before bringing server down. The range is 1-10.

5

recoverytime <integer>

Number of retry attempts before bringing server up. The range is 1-10.

5

update-static-route {enable | disable}

Enable or disable update static route.

enable

status {enable | disable}

Enable or disable link monitor administrative status.

enable

config system location

Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.

config system location

edit <name>

config address-civic

set additional <string>

set additional-code <string>

set block <string>

set branch-road <string>

set building <string>

set city <string>

set city-division <string>

set country <string>

set country-subdivision <string>

set county <string>

set direction <string>

set floor <string>

set landmark <string>

set language <string>

set name <string>

set number <string>

set number-suffix <string>

set place-type <string>

set post-office-box <string>

set postal-community <string>

set primary-road <string>

set road-section <string>

set room <string>

set script <string>

set seat <string>

set street <string>

set street-name-post-mod <string>

set street-name-pre-mod <string>

set street-suffix <string>

set sub-branch-road <string>

set trailing-str-suffix <string>

set unit <string>

set zip <string>

end

config coordinates

set altitude <string>

set altitude-unit {f | m}

set datum {NAD83 | NAD83/MLLW | WGS84}

set latitude <string>

set longitude <string>

end

config elin-number

set elin-number <number>

end

Variable

Description

Default

<name>

Enter a unique name for the location entry.

No default

config address-civic

additional <string>

Enter additional location information, for example, west wing.

No default

additional-code <string>

Enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code.

No default

block <string>

Enter the neighborhood (Korea) or block.

No default

branch-road <string>

Enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road.

No default

building <string>

Enter the name of the building (structure) if the address includes more than one building, for example, Law Library.

No default

city <string>

Enter the city (Germany), township, or shi (Japan).

No default

city-division <string>

Enter the city division, borough, city district (Germany), ward, or chou (Japan).

No default

country <string>

Enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE.

No default

country-subdivision <string>

Enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.

No default

county <string>

Enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India).

No default

direction <string>

Enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.

No default

floor <string>

Enter the floor number, for example, 4.

No default

landmark <string>

Enter the nickname, landmark, or vanity address, for example, UC Berkeley.

No default

language <string>

Enter the ISO 639 language code used for the address information.

No default

name <string>

Enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon.

No default

number <string>

Enter the street address, for example, 1560.

No default

number-suffix <string>

Enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number-suffix.

No default

place-type <string>

Enter the type of place, for example, home, office, or street.

No default

post-office-box <string>

Enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value.

No default

postal-community <string>

Enter the postal community name, for example, Alviso. When the postal-community name is set, the civic community name is replaced by this value.

No default

primary-road <string>

Enter the primary road or street name for the address.

No default

road-section <string>

Enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road.

No default

room <string>

Enter the room number, for example, 7A.

No default

script <string>

Enter the script used to present the address information, for example, Latn.

No default

seat <string>

Enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show.

No default

street <string>

Enter the street (Canada, Germany, Korea, and United States).

No default

street-name-post-mod <string>

Enter an optional part of the street name that appears after the actual street name. If the full street name is East End Avenue Extended, the street-name-post-mod is Extended.

No default

street-name-pre-mod <string>

Enter an optional part of the street name that appears before the actual street name. If the full street name is Old North First Street, the street-name-pre-mod is Old.

No default

street-suffix <string>

Enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C.

No default

sub-branch-road <string>

Enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street.

No default

trailing-str-suffix <string>

Enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.

No default

unit <string>

Enter the unit (apartment or suite), for example, Apt 27.

No default

zip <string>

Enter the postal or zip code for the address, for example, 94089-1345.

No default

config coordinates

altitude <string>

Enter the vertical height of a location using the altitude-unit to specify the unit used. The format is +/- floating point number, for example, 117.47.

No default

altitude-unit {f | m}

Select whether the altitude is measured in m (meters) or f (floors).

m

datum {NAD83 | NAD83/MLLW | WGS84}

Select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.

WGS84

latitude <string>

Enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N.

No default

longitude <string>

Enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E.

No default

config elin-number

elin-number <number>

Enter the emergency location identification number (ELIN), which is a unique phone number. The value is a 10 to 20 byte numerical string.

No default

Example

This example shows how to configure the location table for Fortinet.

config system location

edit Fortinet

config address-civic

set country "US"

set language "English"

set county "Santa Clara"

set city "Sunnyvale"

set street "Kifer"

set street-suffix "Road"

set number "899"

set zip "94086"

set building "1"

set floor "1"

set seat "1293"

end

next

edit "Fortinet"

config elin-number

set elin-number "14082357700"

end

end

config system ntp

Use this command to configure Network Time Protocol (NTP) servers.

Syntax

config system ntp

set allow-unsync-source {enable | disable}

set authentication {enable | disable}

set log-time-adjustments {enable | disable}

set ntpsync {enable | disable}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

set syncinterval <interval_int>

config ntpserver

edit <serverid_int>

set authentication {enable | disable}

set key <string>

set key-id <integer>

set ntpv3 {enable | disable}

set server {<ipv4_addr>| <ipv6_addr>}

end

end

Variable

Description

Default

allow-unsync-source {enable | disable}

Enable or disable whether an unsynchronized NTP server source is allowed.

disable

authentication {enable | diable}

Enable or disable authentication.

disable

log-time-adjustments {enable | disable}

Enable or disable whether FortiSwitch logs when NTP adjusts the system time.

enable

ntpsync {enable | disable}

Enable or disable whether the system time is synchronized with the NTP server.

enable

source-ip <ipv4_addr>

Enter the source IPv4 address for communication with the NTP server.

0.0.0.0

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communication with the NTP server.

No default

syncinterval <interval_int>

Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1,440 minutes.

This option is availabe only when ntpsync is enabled.

10

<serverid_int>

Enter the number for this NTP server entry.

No default

authentication {enable | diable}

Enable or disable authentication. If you enable authenication and use the NTPv3 protocol, MD5 authentication is used. If you enable authentication and use the NTPv4 protocol, SHA1 authentication is used.

disable

key <string>

If authentication is enabled, enter a key for authentication.

No default

key-id <integer>

If authentication is enabled, enter a key identifier for authentication.

0

ntpv3 {enable | disable}

Enable this option to use the NTPv3 protocol. Disable this option to use the NTPv4 protocol.

disable

server {<ipv4_addr> | <ipv6_addr>}

Enter the IPv4 or IPv6 address for this NTP server.

No default

Example

This example shows how to configure an NTP server:

config system ntp

set authentication enable

set ntpsyn enable

set syncinterval 5

set source-ip 192.168.4.5

end

config system password-policy

Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared keys.

Syntax

config system password-policy

set status enable

set apply-to [admin-password ipsec-preshared-key]

set change-4-characters {enable | disable}

set minimum-length <chars>

set min-lower-case-letter <num_int>

set min-upper-case-letter <num_int>

set min-non-alphanumeric <num_int>

set min-number <num_int>

set expire-status {enable | disable}

set expire-day <num_int>

end

Variable

Description

Default

status enable

Enable password policy. The password policy cannot be disabled.

enable

apply-to [admin‑password ipsec-preshared-key]

Select where the policy applies: administrator passwords or IPSec preshared keys. This option is available only when status is enabled.

admin‑password

change-4-characters {enable | disable}

Enable to require the new password to differ from the old password by at least four characters. This option is available only when status is enabled.

disable

minimum-length <chars>

Set the minimum length of password in characters. Range 8 to 32. This option is available only when status is enabled.

8

min-lower-case-letter

<num_int>

Enter the minimum number of required lower case letters in every password. This option is available only when status is enabled.

0

min-upper-case-letter

<num_int>

Enter the minimum number of required upper case letters in every password. This option is available only when status is enabled.

0

min-non-alphanumeric <num_int>

Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when status is enabled.

0

min-number <num_int>

Enter the minimum number of number characters required in every password. This option is available only when status is enabled.

0

expire-status {enable | disable}

Enable to have passwords expire. This option is available only when status is enabled.

enable

expire-day <num_int>

Enter the number of days before the current password is expired and the user will be required to change their password. This option is available only when status is enabled and expire-status is enabled.

90

Example

This example shows how to configure a password policy for administrator passwords:

config system password-policy

set status enable

set apply-to admin-password

set change-4-characters enable

set minimum-length 10

set min-lower-case-letter 1

set min-upper-case-letter 1

set min-non-alphanumeric 1

set min-number 1

set expire-status enable

set expire-day 30

end

config system schedule group

Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring schedules. To create one-time and recurring schedules, see config system schedule onetime and config system schedule recurring.

Syntax

config system schedule group

edit <schedule_group_name>

set member <schedule_name1> <schedule_name2> ...

end

Variable

Description

Default

<schedule_group_name>

Enter the name of the schedule group.

No default

member <schedule_name1> <schedule_name2> ...

Enter the names of the schedules to include. Separate multiple names with a space.

The schedules must already be defined with the config system schedule onetime or config system schedule recurring command.

No default

Example

This example shows how to create a schedule group:

config system schedule group

edit group1

set member schedule1 schedule2

end

config system schedule onetime

Use this command to define a one-time schedule for when a policy will be enforced.

Syntax

config system schedule onetime

edit <schedule_name>

set start <time_date>

set end <time_date>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

start <time_date>

Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

end <time_date>

Enter the end time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

Example

This example shows how to create a one-time schedule:

config system schedule onetime

edit schedule1

set start 07:00 2019/03/22

set end 07:00 2019/03/29

end

config system schedule recurring

Use this command to define a schedule for specified hours every week.

Syntax

config system schedule recurring

edit <schedule_name>

set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

set start <time>

set end <time>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

Enter one or more days for the ACL to be enforced. Separate days with a space.

monday tuesday wednesday thursday friday

start <time>

Enter the start time for the schedule in the following format: hh:mm

24:00

end <time>

Enter the end time for the schedule in the following format: hh:mm

24:00

Example

This example shows how to create a recurring schedule:

config system schedule recurring

edit schedule2

set day monday wednesday friday

set start 07:00

set end 08:00

end

config system settings

Use this comand to configure equal cost multi-path (ECMP) routing.

ECMP is a forwarding mechanism that enables load-sharing of traffic to multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop address for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields in the packet to be routed:

  • Source IP
  • Destination IP
  • Input port

Syntax

config system settings

set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

end

Variable

Description

Default

ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

Select the IPv4 ECMP mode:

  • dst-ip-based — Select the next hop based on the destination IP address.
  • port-based — Select the next hop based on the TCP/UDP port.
  • source-ip-based — Select the next hop based on the source IP address.

source-ip-based

Example

This example shows how to configure ECMP:

config system settings

set ip-ecmp-mode port-based

end

config system sflow

Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow datagrams to sFlow collectors.

sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow datagrams containing information about traffic flow to sFlow collectors.

sFlow is normally used to provide an overall traffic flow picture of your network. You would usually operate sFlow agents on switches, routers, and firewall on your network, collect traffic data from all of them and use collectors to show traffic flows and patterns.

Syntax

config system sflow

config collectors

edit <collector_name>

set ip <collector_IPv4_address>

set port <collector_port>

next

end

end

Variable

Description

Default

<collector_name>

Enter a name for the sFlow collector.

No default

ip <collector_IPv4_address>

The sFlow agents send sFlow datagrams to the sFlow collector at this IPv4 address.

0.0.0.0

port <collector_port>

The UDP port number used for sending sFlow datagrams. Change this setting only if required by your sFlow collector or your network configuration. The value range is 0-65535.

6343

Example

This example shows how to configure sFlow:

config system sflow

config collectors

edit collector1

set ip 20.20.20.0

set port 200

next

end

end

config system sniffer-profile

Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the packet capture, see the execute system sniffer-profile commands.

Syntax

config system sniffer-profile

edit <profile_name>

set filter {<string> | none}

set max-pkt-count <1-maximum>

set max-pkt-len <64-1534>

set switch-interface <switch_interface_name>

set system-interface <system_interface_name>

end

Variable

Description

Default

<profile_name>

The name of the packet-capture profile.

No default

filter {<string> | none}

Enter none or enter the filter for selecting which packets to capture. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:

 

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

none

max-pkt-count <1-maximum>

Enter how many packets to be captured on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Adminstration Guide for details.

4000

max-pkt-len <64-1534>

Enter the maximum packet length in bytes to be captured on the interface.

128

switch-interface <switch_interface_name>

Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

system-interface <system_interface_name>

Enter the system interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

Example

This example shows how to create a packet-capture profile:

config system sniffer-profile

edit profile1

set filter none

set max-pkt-count 100

set max-pkt-len 100

set system-interface mgmt

end

config system snmp community

Use this command to configure SNMP communities on your FortiSwitch unit. You add SNMP communities so that SNMP managers can connect to the system to view system information and receive SNMP traps. SNMP traps are triggered when system events occur.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the system for a different set of events. You can also the add IP addresses of up to 8 SNMP managers for each community.

Whey you configure an SNMP manager, ensure that you list it as a host in a community on the FortiSwitch that it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiSwitch unit, and will not be able to query it.

Syntax

config system snmp community

edit <index_number>

set events <events_list>

set name <community_name>

set query-v1-port <port_number>

set query-v1-status {enable | disable}

set query-v2c-port <port_number>

set query-v2c-status {enable | disable}

set status {enable | disable}

set trap-v1-lport <port_number>

set trap-v1-rport <port_number>

set trap-v1-status {enable | disable}

set trap-v2c-lport <port_number>

set trap-v2c-rport <port_number>

set trap-v2c-status {enable | disable}

config hosts

edit <host_number>

set interface <if_name>

set ip <address_ipv4>

set source-ip <address_ipv4/mask>

end

config hosts6

edit <host_number>

set interface <if_name>

set ip6 <address_ipv6>

set source-ip6 <address_ipv6>

end

end

Variable

Description

Default

<index_number>

Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

No default

events <events_list>

Enable the events for which the system should send traps to the SNMP managers in this community.

All events enabled.

name <community_name>

Enter the name of the SNMP community.

No default

query-v1-port <port_number>

Enter the SNMP v1 query port number used for SNMP manager queries.

161

query-v1-status {enable | disable}

Enable or disable SNMP v1 queries for this SNMP community.

enable

query-v2c-port <port_number>

Enter the SNMP v2c query port number used for SNMP manager queries.

161

query-v2c-status {enable | disable}

Enable or disable SNMP v2c queries for this SNMP community.

enable

status {enable | disable}

Enable or disable the SNMP community.

enable

trap-v1-lport <port_number>

Enter the SNMP v1 local port number used for sending traps to the SNMP managers.

162

trap-v1-rport <port_number>

Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.

162

trap-v1-status {enable | disable}

Enable or disable SNMP v1 traps for this SNMP community.

enable

trap-v2c-lport <port_number>

Enter the SNMP v2c local port number used for sending traps to the SNMP managers.

162

trap-v2c-rport <port_number>

Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.

162

trap-v2c-status

{enable | disable}

Enable or disable SNMP v2c traps for this SNMP community.

enable

config hosts and hosts6

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

No Default

interface <if_name>

Enter the name of the FortiSwitch interface to which the SNMP manager connects.

No default

ip <address_ipv4>

Enter the IPv4 IP address of the SNMP manager (for hosts).

0.0.0.0

ip6 <address_ipv6>

Enter the IPv6 IP address of the SNMP manager (for hosts6).

::

source-ip <address_ipv4/mask>

Enter the source IPv4 IP address for SNMP traps sent by the FortiSwitch (for hosts).

0.0.0.0/ 0.0.0.0

source-ip6 <address_ipv6>

Enter the source IPv6 IP address for SNMP traps sent by the FortiSwitch (for hosts6).

::

config system snmp sysinfo

Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

Syntax

config system snmp sysinfo

set contact-info <info_str>

set description <description>

set engine-id <engine-id_str>

set location <location>

set status {enable | disable}

set trap-high-cpu-threshold <percentage>

set trap-log-full-threshold <percentage>

set trap-low-memory-threshold <percentage>

set trap-temp-alarm-threshold <temperature in degrees Celsius>

set trap-temp-warning-threshold <temperature in degrees Celsius>

end

Variable

Description

Default

contact-info <info_str>

Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long.

No default

description <description>

Add a name or description of the system. The description can be up to 35 characters long.

No default

engine-id <engine-id_str>

Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiOS, the snmpEngineID is composed of two parts:
  • Fortinet prefix 0x8000304404
  • the optional engine-id string, 24 characters maximum, defined in this command

Optionally, enter an engine-id value.

No default

location <location>

Describe the physical location of the system. The system location description can be up to 35 characters long.

No default

status {enable | disable}

Enable or disable the FortiSwitch SNMP agent.

disable

trap-high-cpu-threshold

<percentage>

Enter the percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu.

There is some smoothing of the high CPU trap to ensure the CPU usage is constant rather than a momentary spike. This feature prevents frequent and unnecessary traps.

80

trap-log-full-threshold

<percentage>

Enter the percentage of disk space used that will trigger the threshold SNMP trap for the log-full.

90

trap-low-memory-threshold <percentage>

Enter the percentage of memory used that will be the threshold SNMP trap for the low-memory.

80

trap-temp-alarm-threshold <temperature in degrees Celsius>

Set an alarm for when the system temperature reaches the specified temperature.

60

trap-temp-warning-threshold <temperature in degrees Celsius>

Set a warning for when the system temperature reaches the specified temperature. The warning threshold must be lower than the alarm threshold.

50

Example

This example shows how to set a warning and an alarm for specified system temperatures:

config system snmp sysinfo

set status enable

set trap-temp-alarm-threshold 80

set trap-temp-warning-threshold 70

end

config system snmp user

Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which hosts will be notified, and if queries are enabled which port to listen on for them.

FortiSwitchOS implements the user security model of RFC 3414. You can require the user to authenticate with a password and you can use encryption to protect the communication with the user.

Syntax

config system snmp user

edit <user_name>

set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

set auth-pwd <password>

set events {cpu-high ent-conf-change intf-ip log-full mem-low}

set notify-hosts <IP_address>

set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

set priv-pwd <password>

set queries {enable | disable}

set query-port <port_int>

set security-level {no-auth-no-priv | auth-no-priv | auth-priv}

end

Variable

Description

Default

<user_name>

Edit or add selected user.

No default

auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

Select the authentication protocol.
  • md5—HMAC-MD5-96 authentication protocol
  • sha1—HMAC-SHA-1 authentication protocol
  • sha224—HMAC-SHA-224 authentication protocol
  • sha256—HMAC-SHA-256 authentication protocol
  • sha384—HMAC-SHA-384 authentication protocol
  • sha512—HMAC-SHA-512 authentication protocol
This option is available only when security-level is set to auth-priv or auth-no-priv.

sha1

auth-pwd <password>

Enter the password for the authentication protocol. his option is available only when security-level is set to auth-priv or auth-no-priv.

No default

events {cpu-high ent-conf-change intf-ip log-full mem-low}

Specify one or more SNMP notifications (traps) to send. Separate multiple values with a space. The following notifications are available:

  • cpu-high—The CPU usage is too high.
  • ent-conf-change—The configuration of an entity was changed (refer to RFC 4133).
  • intf-ip—The IP address for an interface was changed.
  • log-full—The available log space is low.
  • mem-low—The available memory is low.

cpu-high mem-low log-full intf-ip ent-conf-change

notify-hosts <IP_address>

Specify one or more IPv4 addresses to send notifications (traps) to.

No default

priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

Select the encryption protocol.
  • aes128—CFB128-AES-128 symmetric encryption protocol
  • aes192—CFB128-AES-192 symmetric encryption protocol
  • aes192c—CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
  • aes256—CFB128-AES-256 symmetric encryption protocol
  • aes256c—CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
  • des—CBC-DES symmetric encryption protocol
This option is available only when security-level is set to auth-priv.

aes128

priv-pwd <password>

Enter the password for the encryption protocol. This option is available only when security-level is set to auth-priv.

No default

queries {enable | disable}

Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

enable

query-port <port_int>

Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port.

161

security-level {no-auth-no-priv | auth-no-priv | auth-priv}

Set the security level to one of:
  • no-auth-no-priv—no authentication or privacy
  • auth-no-priv—authentication but no privacy
  • auth-priv—authentication and privacy

no-auth-no-priv

config system

Use the config system commands to configure options related to the overall operation of the FortiSwitch unit:

config system accprofile

Use this command to add access profiles that control administrator access to FortiSwitch features. Each FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiSwitch features.

Syntax

config system accprofile

edit <profile-name>

set admingrp {none | read | read-write}

set alias-commands {all | <list>}

set exec-alias-grp {none | read | read-write}

set loggrp {none | read | read-write}

set netgrp {none | read | read-write}

set routegrp {none | read | read-write}

set sysgrp {none | read | read-write}

end

Variable

Description

Default

<profile-name>

Enter the name for the profile.

No default

admingrp {none | read | read-write}

Set the access permission for admingrp.

none

alias-commands {all | <list>}

Specify the aliases and alias groups to include in the access profile or specify all. The aliases and alias groups specified for this access profile control which commands an administrator can run using the execute alias commands. Use a space to separate multiple items.

No default

exec-alias-grp {none | read | read-write}

Specify one of the following options:

  • Select none to prevent access to the execute alias configure commands.

  • Select read to provide access to the execute alias configure {get | show | show-full-configuration} command.
  • Select read-write to provide access to the execute alias configure {get | show | show-full-configuration | set | unset} and execute alias script commands.

none

loggrp {none | read | read-write}

Set the access permission for loggrp.

none

netgrp {none | read | read-write}

Set the access permission for netgrp.

none

routegrp {none | read | read-write}

Set the access permission for routegrp.

none

sysgrp {none | read | read-write}

Set the access permission for sysgrp.

none

Example

This example shows how to configure an access profile with just read-only permission:

config system accprofile

edit profile1

set admingrp read

set loggrp read

set netgrp read

set routegrp read

set sysgrp read

end

config system admin

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change the access profile (super_admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly. The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making changes.

You can authenticate administrators using a password stored on the FortiSwitch unit or you can use a RADIUS server to perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiSwitch unit as an administrator.

Syntax

config system admin

edit <admin_name>

set accprofile <profile-name>

set accprofile-override {enable | disable}

set allow-remove-admin-session {enable | disable}

set comments <comments_string>

set gui-detail-panel-location {bottom | ide | side}

set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 |

ip6-trusthost4 | ip6-tru sthost5 | ip6-trusthost6 |

ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 |

ip6-trusthost10} <address_ipv6mask>

set password <admin_password>

set peer-auth {disable | enable}

set peer-group <peer-grp>

set remote-auth {enable | disable}

set remote-group <name>

set wildcard {enable | disable}

set schedule <schedule-name>

set ssh-public-key1 "<key-type> <key-value>"

set ssh-public-key2 "<key-type> <key-value>"

set ssh-public-key3 "<key-type> <key-value>"

set {trusthost1 | trusthost2 | trusthost3 | trusthost4 |

trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9

| trusthost10} <address_ipv4mask>

end

end

Variable

Description

Default

<admin_name>

Enter the name for the admin account.

No default

accprofile <profile‑name>

Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features.

No default

accprofile-override {enable | disable}

Enable or disable whether the remote authentication server can override the accesss profile.

disable

allow-remove-admin-session {enable | disable}

Allow admin session to be removed by privileged admin users

disable

comments

<comments_string>

Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)

No default

gui-detail-panel-location {bottom | hide | side}

Choose the position of the log detail window.

bottom

{ip6-trusthost1 | ip6‑trusthost2 | ip6‑trusthost3 | ip6‑trusthost4 | ip6‑trusthost5 | ip6‑trusthost6 | ip6‑trusthost7 | ip6‑trusthost8 | ip6‑trusthost9 | ip6‑trusthost10}

<address_ipv6mask>

Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit.

If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0.

::/0

password

<admin_password>

Enter the password for this administrator. It can be up to 256 characters in length.

No default

peer-auth {disable | enable}

Set to enable peer certificate authentication (for HTTPS admin access).

disable

peer-group <peer-grp>

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled.

No default

remote-auth

{enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

disable

remote-group <name>

Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.

This is available only when remote-auth is enabled.

No default

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled.

disable

schedule <schedule-name>

Restrict times that an administrator can log in. Defined in config firewall schedule. No default indicates that the administrator can log in at any time.

No default

ssh-public-key1 "<key‑type> <key‑value>"

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.

<key-value> is the public key string of the SSH client.

No default

ssh-public-key2 "<key‑type> <key‑value>"

No default

ssh-public-key3 "<key‑type> <key‑value>"

No default

{trusthost1 | trusthost2 |

trusthost3 | trusthost4 |

trusthost5 | trusthost6 |

trusthost7 | trusthost8 |

trusthost9 | trusthost10}

<address_ipv4mask>

Any IPv4 address or subnet address and netmask from which the administrator can connect to the system.

If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

0.0.0.0

0.0.0.0

Example

The following example creates a RADIUS system admin group:

config system admin

edit "RADIUS_Admins"

set remote-auth enable

set accprofile "super_admin"

set wildcard enable

set remote-group "RADIUS_Admins"

next

end

config system alias command

Use this command to grant an administrator access to individual configuration attributes, table entries, or CLI commands. You can also use this command to create a script to run multiple commands. Scripts are a simpler way to manage a large number of commands.

Notes:
  • Configuration-type aliases cannot create or delete table entries. For example, under the config switch interface command, you cannot create a new interface name with the edit <interface_name> command.
  • The super_admin administrator profile has access to all command aliases.

Syntax

config system alias command

edit <alias_name or script_name>

set description <string>

set type {configuration | script}

set path <path>

set attribute <attibute-name>

set permission {read | read-write}

set table-listing {allow | deny}

set limit-shown-attributes {disable | enable}

set read-only-attributes <attribute-name>

set table-ids-allowed <table-ID-value>

set command <string>

set table-entry-create {allow | deny}

config script-arguments

edit <argument_ID>

set type {integer | string | table-id}

set name <string>

set help <string>

set optional {enable | disable}

set range {enable | disable}

set range-delay <0-172800>

set allowed-values <string>

next

end

next

end

Variable

Description

Default

<alias_name or script_name>

If the type will be configuration, enter an alias name for the command in this configuration. If the type will be script,enter a script name.

The alias or script name cannot be all or match an alias group name.

No default
description <string>

If the type will be configuration, enter a description of the command or a help message. It can be up to 80-characters long. The description is displayed with the alias name when you enter execute alias configure {get | show | show-full-configuration | set | unset} ?.

If the type will be script, enter a description of the script. It can be up to 80-characters long. The description is displayed with the script name when you enter execute alias script ?.

No default
type {configuration | script}

The configuration type provides configuration-specific functionality to control get, show, show-full-configuration, set, and unset commands. You can also use the configuration type to limit accessible table entries and limit displayed attributes.

The script type allows the administrator to create a list of CLI commands to run.

configuration
path <path>

Required. Enter the period-separated path to the CLI command.

For example, enter set path switch.lldp.profile to apply the configuration to the config switch lldp profile command. Enter set path system.interface to apply the configuration to the config system interface command. You can specify only top-level objects, such as system.interface, router.bgp, or system.snmp.settings. If you specify child objects or child tables (such as system.interface.ipv6, router.bgp.neighbor, or switch.lldp.profile.custom-tlv), FortiSwitch returns an error.

No default

attribute <attibute-name>

Required. Enter the attribute that can be retrieved or modified.

Enter set attribute ? to see the list of valid attributes. If you enter an invalid value, FortiSwitchOS returns an error.

This option is available only when path has been set.

No default

permission {read | read-write}

Select read to allow this alias to be used by the execute alias configure {get | show | show-full-configuration} command. Select read-write to allow this alias to be used by the execute alias configure {get | show | show-full-configuration | set | unset} command.

read

table-listing {allow | deny}

Allow or prevent the listing of all entries by the execute alias configure {get | show | show-full-configuration} command commands.

  • Select allow to permit all entries to be listed.

  • Select deny to prevent the entries from being listed except for the entries specified in the table-ids-allowed setting. If table-ids-allowed is empty, a valid entry must be provided for listing.

This option is available only when path has been set.

deny

limit-shown-attributes {disable | enable}

Enable or disable whether to limit the attributes displayed with the show and get commands. Selecting disable displays all attributes for the show and get commands. Selecting enable displays only the attributes listed in attributes and read-only-attributes.

enable

read-only-attributes <attribute-name>

When limit-shown-attributes is enabled, you can enter additional attributes to display with the show and get commands. When you enter read-only-attributes ? to see a list of valid attributes, more attributes are available than when you enter set attribute ?. Read-only attributes can include child tables, child objects, and get-only attributes. You can list up to 31 attributes.

No default

table-ids-allowed <table-ID-value>

Specify which entries can be accepted by the execute alias configure {get | show | show-full-configuration | set | unset} command.

Enter set table-ids-allowed ? to see a list of valid entries. You can specify entries that do not currently exist; they can be created later.

If table-listing is set to deny, the table-ids-allowed entries are displayed when the user runs the execute alias configure {get | show | show-full-configuration} command without specifying any entry.

This option is available only when path has been set.

No default

command <string>

Enter the script command (within quotation marks) to be run. You can use the Enter key to separate command lines. Enter set command ? for formatting details.

This option is available only when type has been set to script.

No default

table-entry-create {allow | deny}

Allow or deny the creation of new table (or sub-table) entries.

This option is available only when type has been set to script. When type has been set to configuration, you cannot create any new table entries.

deny

config script-arguments

<argument_ID>

Enter an identifier for the argument. The identifier must match the identifier used in the script.

No default

type {integer | string | table-id}

Enter the data type that the argument accepts.

string

name <string>

Enter the display name for the argument. You can use uppercase and lowercase letters, numbers, and hyphens. The display name is shown when the user runs the execute alias script command.

No default

help <string>

Enter a help message for the argument. You can use uppercase and lowercase letters, numbers, slashes, parentheses, brackets, commas, underscores, and hyphens. The help message is displayed when the user runs the execute alias script command.

No default

optional {enable | disable}

Enable this option to allow the user to omit entering a value for this argument. Disable this option to force the user to specify a value for this argument.

disable

range {enable | disable}

Enable this option to allow a range of integers, a range of table identifiers, or a comma-separated list of strings. Disable this option to allow only a single value for this argument.

disable

range-delay <0-172800>

Enter the number of seconds to delay between values when executing.

This option is available only when range has been set to enable.

0

allowed-values <string>

Enter the values allowed for this argument.

  • If type is set to string, separate values with a space. For example: set allowed-values port1 port3 port7
  • If type is set to integer, you can use ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.
  • If type is set to table-id and the table identifiers are integers, you can use both ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.

No default

Examples

The following example creates two aliases for the config switch physical-port command.

  • The port-description alias allows an administrator to change the set description value; when running a get or show command, the administrator will see only the description configuration.
  • The port-status alias allows an administrator to change the set status value; the administrator will see both the description and port status configuration when running get or show commands.

 

config system alias command

edit "port-status"

set description "View or change the port status."

set type configuration

set path "switch.physical-port"

set attribute "status"

set permission read-write

set limit-shown-attributes enable

set read-only-attributes "description"

next

edit "port-description"

set description "View or change the port description."

set type configuration

set path "switch.physical-port"

set attribute "description"

set permission read-write

set limit-shown-attributes enable

next

end

The following example creates two scripts. Both scripts list the switch mac-address table.

  • The mac-list script is more flexible because it requires that the user specify the VLANs to list the MAC addresses from.
  • The list-mac-by-port-and-vlan-customer-AAA script is more controlled because it allows the user to see the MAC addresses learned on the specified VLANs.

 

config system alias command

edit "list-mac-by-port-and-vlan-customer-AAA"

set description "List MAC addresses on your VLANs and ports."

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter port-id-map 3-8

diag switch mac-address filter vlan-map 1000-1010

diag switch mac-address list

diag switch mac-address filter clear"

next

edit "mac-list"

set description "List MAC addresses learned on the provided VLANs"

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter vlan-map $1

diag switch mac-address list | grep -i mac

diag switch mac-address filter clear"

config script-arguments

edit 1

set name "VLAN-ID-map"

set help "List of VLANs to check"

next

end

next

end

config system alias group

Use this command to specify alias groups to bundle different alias commands together for easy assignment.

Syntax

config system alias group

edit <alias_group_name>

set description <string>

set commands <alias_command_list>

end

Variable

Description

Default

<alias_group_name> Enter a name for the alias group. The name cannot be all or match an alias name. No default
description <string> Enter a description of the command alias group. It can be up to 80-characters long. No default
commands <alias_command_name> Enter a list of command aliases. Use a space to separate them. No default

Example

This example shows how to create a group of two command aliases:

config system alias group

edit aliasgroup1

set description "Alias group for config switch physical-port."

set commands port-status port-description

end

config system arp-table

Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of a interface name, an IP address, and a MAC address.

Syntax

config system arp-table

edit <table_value>

set interface {<string> | internal | mgmt}

set ip <address_ipv4>

set mac <mac_address>

end

Variable

Description

Default

<table_value>

Enter the identification number for the table.

No default

interface {<string> | internal | mgmt}

Enter the interface to associate with this ARP entry

No default

ip <address_ipv4>

Enter the IP address of the ARP entry.

0.0.0.0

mac <mac_address>

Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

Example

This example shows how to add an entry to an ARP table:

config system arp-table

edit 1

set interface internal

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

end

config system bluetooth

Use this command to configure Bluetooth.

Syntax

config system bluetooth

set pin <string>

set status {disable | enable}

end

Variable

Description

Default

pin <string>

Enter the Bluetooth pair personal identification number (PIN).

1234

status {disable | enable}

Enable or disable support for Bluetooth.

disable

config system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax

config system bug-report

set auth {no | yes}

set mailto <email_address>

set password <password>

set server <servername>

set username <name>

set username-smtp <account_name>

end

Variable

Description

Default

auth {no | yes}

Enter yes if the SMTP server requires authentication or no if it does not.

no

mailto <email_address>

The email address for bug reports.

fortiswitch@fortinet.com

password <password>

If the SMTP server requires authentication, enter the required password.

No default

server <servername>

The SMTP server to use for sending bug report email.

fortinet.com

username <name>

A valid user name on the specified SMTP server.

bug_report

username-smtp <account_name>

A valid user name for authentication on the specified SMTP server.

bug_report

Example

This example shows how to configure a custom email relay:

config system bug-report

set auth yes

set mailto techdocs@fortinet.com

set password 123abc

set server fortinet.com

set username techdocs

set username-smtp techdocs

end

config system certificate ca

Use this command to configure CA certificates.

FortiSwitch includes a reserved entry named Fortinet_CA. You cannot modify this entry.

Syntax

config system certificate ca

edit <name>

set ca <certificate>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

certificate

PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example.

No default

set scep-url

Full URL (such as http://www.test.com)

No default

Example

	# config system certificate ca
	# get
	== [ Fortinet_CA ]
	== [ OracleSSLCA ]
	== [ ca ]
	FortiCore-VM # config system certificate ca
	FortiCore-VM (ca) # edit ca-new
	FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
	> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
	> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
	> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
	> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
	> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
	> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
	> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
	> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
	> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
	> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
	> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
	> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
	> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
	> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
	> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
	> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
	> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
	> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
	> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
	> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
	> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
	> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
	> -----END CERTIFICATE-----"

config system certificate crl

Use this command to configure the certificate revocation list.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set http-url <string>

set ldap-server <LDAP>

set scep-cert <certificate>

set scep-url <string>

end

Variable

Description

Default

name

Name of the certificate revocation list

No default

crl

PEM format CRL. Paste the contents of a CRL file between quotation marks.

No default

http-url

URL of HTTP server for CRL update

No default

ldap-server

LDAP server

No default

scep-cert

Local certificate used for CRL update using SCEP

Fortinet_Factory

scep-url

URL of CA server for CRL update using SCEP

No default

config system certificate local

Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot modify this entry.

Syntax

config system certificate local

edit <name>

set comments <string>

set password <passwd>

set private-key <key>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

comments

Optional administrator note.

No default

password

Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate.

*

private-key

Paste the contents of a key file between quotation marks as shown in the example.

No default

scep-url

URL of SCEP server

No default

Example

 # config system certificate local
 # get
	== [ Factory ]
	== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
t7e4fiX6Sd6T5426Gg/HQXRH41mBwGmjKdBSHUbVUZTka2FtD1oLMWE2mTq1c9GMUz0DokPfoqxkjkmja5mWv4/w
A5XdQ00lQmTeMZK/X5OSFmSS
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5/vf1VQB/28CAggA
MBQGCCqGSIb3DQMHBAgZorM0zlnPNASCAViZk4wTZYYMPl0e7NwyxqvLND3LxUaV
UG1XpUSPfnUP4YgrV2d0Uijclj5M7MS341cMVKZ7G1pS/6jvxUr0NamQv4j7JsJ0
t3G7LMkzcTiep26GUCy55Qt+iob7lh0iiKa+4uPOq/Mzy+84AWnRNLfIhevHPsYb
rk4UbwNOFb0ZD9i06+UrFLsRGmtp/vlDyBgAoBojKxB/4j0G299QamnzPz4qneBc
HtPqTMPELyqtT6w4cmnwp6Ti2OOAr9c44mKdyyAVZKie+Iu/4pSVBNSfuC+jjtmC
k8OrCrG14NwrhbTY9zEnGxBRR1NMTEBBTqAQNYWtjUEQVjmY1GAJA3/oBQe7l8C/
G/IUVvc/aaqMvsKSNfDpgZaudTDe1Wxi1792ADGh7zslls+ykH9nmqh7BPfm30Nv
f8O1hXgq01Lvo4v1xdC0w5oAeCyGlbTY5ZnXJFm0HCp0kA==
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw
DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs
ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK
XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT
iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI
hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM
G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF
-----END CERTIFICATE REQUEST-----
"

config system certificate ocsp

Use this command to configure the OCSP server certificate.

Syntax

config system certificate ocsp

set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set unavail-action {ignore | revoke}

set url <string>

end

Variable

Description

Default

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Enter the name of the certificate or select one of the listed certificates.

No default

unavail-action {ignore | revoke}

Set if the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable.

revoke

url <string>

Enter the URL for the OCSP server.

No default

Example

This example shows how to configure the OCSP server certificate:

config system certificate ocsp

set cert Fortinet_CA

set unavail-action ignore

set url https://www.fortinet.com

end

config system certificate remote

Use this command to install remote certificates. The remote certificates are public certificates without a private key.

config system certificate remote

edit <name>

set remote "<cert>"

end

Variable

Description

Default

name

Name for the certificate

No default

remote "<cert>"

PEM-format certificate

No default

config system console

Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.

Syntax

config system console

set baudrate <speed>

set mode {batch | line}

set output {standard | more}

end

Variable

Description

Default

baudrate <speed>

Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200.

115200

mode {batch | line}

Set the console mode to line or batch. Used for autotesting only.

line

output {standard | more}

Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed).

This setting applies to show or get commands only.

more

Example

This example shows how to configure the console:

config system console

set baudrate 57600

set mode batch

set output standard

end

config system dhcp server

Use this command to configure DHCP servers.

Syntax

config system dhcp server

edit <id>

set auto-configuration {enable | disable}

set conflicted-ip-timeout <integer>

set default-gateway <xxx.xxx.xxx.xxx>

set dns-server1 <xxx.xxx.xxx.xxx>

set dns-server2 <xxx.xxx.xxx.xxx>

set dns-server3 <xxx.xxx.xxx.xxx>

set dns-service {default | local | specify

set domain <string>

set filename <string>

set interface <string>

set lease-time <integer>

set netmask <xxx.xxx.xxx.xxx>

set next-server <xxx.xxx.xxx.xxx>

set ntp-server1 <xxx.xxx.xxx.xxx>

set ntp-server2 <xxx.xxx.xxx.xxx>

set ntp-server3 <xxx.xxx.xxx.xxx>

set ntp-service {default | local | specify}

set status {enable | disable}

set tftp-server <xxx.xxx.xxx.xxx>

set timezone <00-75>

set timezone-option {default | disable | specify}

set vci-match {enable | disable}

set vci-string <VCI_strings>

set wifi-ac1 <xxx.xxx.xxx.xxx>

set wifi-ac2 <xxx.xxx.xxx.xxx>

set wifi-ac3 <xxx.xxx.xxx.xxx>

set wins-server1 <xxx.xxx.xxx.xxx>

set wins-server2 <xxx.xxx.xxx.xxx>

config exclude-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config ip-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config options

edit <id>

set code <integer>

set ip <IP_addresses>

set type {fqdn | hex | ip | string}

set value <string>

next

end

config reserved-address

edit <id>

set action {assign | block | reserved}

set circuit-id {<string> | <hex>}

set circuit-id-type {hex | string}

set description <string>

set ip <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set remote-id {<string> | <hex>}

set remote-id-type {hex | string}

set type {mac | option82}

next

end

next

end

Variable

Description

Default

<id>

Enter the identifier.

No default

auto-configuration {enable | disable}

Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface

enable

conflicted-ip-timeout <integer>

Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.

1800

default-gateway <xxx.xxx.xxx.xxx>

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

0.0.0.0

dns-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 1. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 2. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 3. This option is only available when dns-service is set to specify.

0.0.0.0

dns-service {default | local | specify}

Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.

specify

domain <string>

Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.

No default

filename <string>

Enter the name of the boot file on the TFTP server.

No default

interface <string>

Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.

No default

lease-time <integer>

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.

Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.

604800

netmask <xxx.xxx.xxx.xxx>

Enter the netmask of the addresses that the DHCP server assigns.

0.0.0.0

next-server <xxx.xxx.xxx.xxx>

Enter the IPv4 address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.

0.0.0.0

ntp-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 1. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 2. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 3. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-service {default | local | specify}

Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.

specify

status {enable | disable}

Enable or disable this DHCP configuration.

enable

tftp-server <string>

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.

No default

timezone <00-75>

Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.

(GMT+12:00)Eniwetok,Kwajalein)

timezone-option {default | disable | specify}

Select how the DHCP server sets the clientʼs time zone. Select disable for the DHCP server to not set the clientʼs time zone. Select default for clients to be assigned the FortiSwitch unitʼs configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.

disable

vci-match {enable | disable}

Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.

disable

vci-string <VCI_strings>

Enter one or more VCI strings. This option is only available if vci-match is set to enable.

No default

wifi-ac1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417).

0.0.0.0

wins-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 1.

0.0.0.0

wins-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 2.

0.0.0.0

config exclude-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the IP address range that will not be assigned to clients.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the IP address range that will not be assigned to clients.

0.0.0.0

config ip-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the DHCP IP address range.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the DHCP IP address range.

0.0.0.0

config options

<id>

Enter the identifier.

No default

code <integer>

Select the DHCP option code. The range is 0-255.

9

ip <IP_addresses>

If type is set to ip, enter the IP addresses.

No default

type {fqdn | hex | ip | string}

Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.

hex

value <string>

Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.

No default

config reserved-address

<id>

Enter the identifier.

No default

action {assign | block | reserved}

Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.

reserved

circuit-id {<string> | <hex>}

Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.

No default

circuit-id-type {hex | string}

Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.

string

description <string>

Enter a description of this entry.

No default

ip <xxx.xxx.xxx.xxx>

Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.

0.0.0.0

mac <xx:xx:xx:xx:xx:xx>.

Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.

00:00:00:00:00:00

remote-id {<string> | <hex>}

Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.

No default

remote-id-type {hex | string}

Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.

string

type {mac | option82}

Select whether to match the IP address with the MAC address or DHCP option 82.

mac

Example

This example shows how to configure a DHCP server:

config system dhcp server

edit 1

set default-gateway 50.50.50.2

set domain "FortiswitchTest.com"

set filename "text1.conf"

set interface "svi10"

config ip-range

edit 1

set end-ip 50.50.0.10

set start-ip 50.50.0.5

next

end

set lease-time 360

set netmask 255.255.0.0

set next-server 60.60.60.2

config options

edit 1

set value "dddd"

next

end

set tftp-server "1.2.3.4"

set timezone-option specify

set wifi-ac1 5.5.5.1

set wifi-ac2 5.5.5.2

set wifi-ac3 5.5.5.3

set wins-server1 6.6.6.1

set wins-server2 6.6.6.2

set dns-server1 7.7.7.1

set dns-server2 7.7.7.2

set dns-server3 7.7.7.3

set ntp-server1 8.8.8.1

set ntp-server2 8.8.8.2

set ntp-server3 8.8.8.3

next

end

config system dns

Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and URL blocking, use DNS.

Syntax

config system dns

set cache-notfound-responses {enable | disable}

set dns-cache-limit <integer>

set dns-cache-ttl <int>

set domain <domain_name>

set ip6-primary <dns_ipv6>

set ip6-secondary <dns_ip6>

set primary <dns_ipv4>

set secondary <dns_ip4>

set source-ip <ipv4_addr>

end

Variable

Description

Default

cache-notfound-responses {enable | disable}

Enable to cache NOTFOUND responses from the DNS server.

disable

dns-cache-limit <integer>

Set maximum number of entries in the DNS cache.

5000

dns-cache-ttl <int>

Enter the duration, in seconds, that the DNS cache retains information.

1800

domain <domain_name>

Set the local domain name (optional).

No default

ip6-primary <dns_ipv6>

Enter the primary IPv6 DNS server IP address.

::

ip6-secondary <dns_ip6>

Enter the secondary IPv6 DNS server IP address.

::

primary <dns_ipv4>

Enter the primary DNS server IP address.

0.0.0.0

secondary <dns_ip4>

Enter the secondary DNS IP server address.

0.0.0.0

source-ip <ipv4_addr>

Enter the IP address for communications to DNS server.

0.0.0.0

Example

This example shows how to set the DNS server addresses:

config system dns

set cache-notfound-responses enable

set dns-cache-limit 2000

set dns-cache-ttl 900

set domain fortinet.com

set primary 172.91.112.53

set secondary 172.91.112.52

end

config system fips-cc

Use this command to configure Federal Information Processing Standards (FIPS) mode.

caution icon Back up your FortiSwitch configuration before enabling or disabling FIPS mode. When you enable or disable FIPS mode, your switch configuration is deleted.

Syntax

config system fips-cc

set entropy-token {disable | dynamic | enable}

set reseed-interval <0-1440 minutes>

set self-test-interval <0-1440 minutes>

set status {disable | enable}

end

Variable

Description

Default

entropy-token {disable | dynamic | enable}

Specify whether to use the entropy seed:

  • disable—Do not use the entropy seed.
  • dynamic—The FortiSwitch unit detects whether the entropy seed is present when the switch starts.
  • enable—Use the entropy seed when the switch starts. This setting is required for FIPS mode.
dynamic
reseed-interval <0-1440 minutes> Set the number of minutes between reseeding the entropy token. 1440
self-test-interval <0-1440 minutes> Set the number of minutes between self-tests of the system. Set this option to 0 to disable system self-tests. 0
status {disable | enable} Enable or disable FIPS mode. disable

Example

This example shows how to configure FIPS mode:

config system fips-cc

set entropy-token enable

set reseed-interval 720

set self-test-interval 720

set status enable

end

config system flow-export

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Syntax

config system flow-export

set filter <string>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <integer>

set template-export-period <1-60>

set timeout-general <integer>

set timeout-icmp <integer>

set timeout-max <integer>

set timeout-tcp <integer>

set timeout-tcp-fin <integer>

set timeout-tcp-rst <integer>

set timeout-udp <integer>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Variable

Description

Default

filter <string>

Specify the Berkeley packet filter (BPF) to use. For example, set filter "host 33.33.33.2".

No default

format {netflow1 | netflow5 | netflow9 | ipfix}

You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

 

NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.

netflow9

identity <hexadecimal>

Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).

0x00000000

level {ip | mac | port | proto | vlan}

You can set the flow-tracking level to one of the following: - ip—The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.

  • mac—The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
  • port—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
  • vlan—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.

ip

max-export-pkt-size <integer>

Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216.

512

template-export-period <1-60>

Set the number of minutes before the template is exported.

5

timeout-general <integer>

Set the general timeout in seconds for the flow session. The range of values is 60-604800.

3600

timeout-icmp <integer>

Set the ICMP timeout for the flow session. The range of values is 60-604800.

300

timeout-max <integer>

Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.

604800

timeout-tcp <integer>

Set the TCP timeout for the flow session. The range of values is 60-604800.

3600

timeout-tcp-fin <integer>

Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.

300

timeout-tcp-rst <integer>

Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.

120

timeout-udp <integer>

Set the UDP timeout for the flow session. The range of values is 60-604800.

300

config collectors

<collector_name>

Enter the name of the flow-export collector.

No default

ip <IPv4_address>

Enter the IP address for the collector.

 

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

0.0.0.0

port <port_number>

Enter the port number for the collector.

 

The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.

0

transport {sctp | tcp | udp}

You can set exported packets to use UDP, TCP, or SCTP for transport.

udp

config aggregates

<id>

Enter the identifier.

No default

<IPv4_address_mask>

Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.

No default

Example

This example shows how to configure flow export:

config system flow-export

set format ipfix

set level ip

config collectors

edit flowone

set ip 169.254.3.1

set port 5

set transport tcp

next

end

end

config system fsw-cloud

Use this command to configure the FortiSwitch Cloud. The FortiSwitch Cloud allows you to quickly check the status and to configure multiple FortiSwitch units through a single management portal.

NOTE: To use the FortiSwitch Cloud, you must have a Cloud Management license, and your FortiSwitch unit must be in standalone mode, connected to the Internet, and the system time must be accurate. To set the time on your FortiSwitch unit, see config system ntp.

Syntax

config system fsw-cloud

set interval <integer>

set name <string>

set port <port_number>

set status {enable | disable}

end

Variable

Description

Default

interval <integer>

The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.

45

name <string>

The domain name for the FortiSwitch Cloud.

fortiswitch-dispatch.forticloud.com

port <port_number>

Port number used to connect to the FortiSwitch Cloud.

443

status {enable | disable}

Whether the FortiSwitch Cloud is enabled or disabled.

disable

Example

This example shows how to configure the FortiSwitch Cloud:

config system fsw-cloud

set interval 150

set name fortiswitch-dispatch.forticloud.com

set port 443

set status enable

end

config system global

Use this command to configure global settings that affect various FortiSwitch systems and configurations.

Syntax

config system global

set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-concurrent {enable | disable}

set admin-https-pki-required {enable | disable}

set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}

set admin-lockout-duration <time_int>

set admin-lockout-threshold <failed_int>

set admin-port <port_number>

set admin-scp {enable | disable}

set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-sport <port_number>

set admin-ssh-grace-time <time_int>

set admin-ssh-port <port_number>

set admin-ssh-v1 {enable | disable}

set admin-telnet-port <port_number>

set admintimeout <admin_timeout_minutes>

set alertd-relog {enable | disable}

set alert-interval <1-1440 minutes>

set allow-subnet-overlap {enable | disable}

set arp-timeout <seconds>

set asset-tag <string>

set cfg-save {automatic | manual | revert}

set clt-cert-req {enable | disable}

set csr-ca-attribute {enable | disable}

set daily-restart {enable | disable}

set detect_ip_conflict {enable | disable}

set dhcp-client-location {description | hostname | intfname | mode | vlan}

set dhcp-option-format {ascii | legacy}

set dhcp-remote-id {hostname | ip | mac}

set dhcp-server-access-list {enable | disable}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcps-db-exp <number_of_seconds>

set dhcps-db-per-port-learn-limit <number_of_entries>

set dst {enable | disable}

set hostname <unithostname>

set image-rotation {enable | disable}

set ip-conflict-ignore-default {enable | disable}

set ipv6-accept-dad <0 | 1 | 2>

set ipv6-all-forwarding {enable | disable}

set kernel-crashlog {enable | disable}

set kernel-devicelog {enable | disable}

set l3-host-expiry {enable | disable}

set language <language>

set ldapconntimeout <ldaptimeout_msec>

set post-login-banner "<string>"

set pre-login-banner "<string>"

set private-data-encryption {enable | disable}

set radius-coa-port <port_number>

set radius-port <radius_port>

set remoteauthtimeout <timeout_sec>

set revision-backup-on-logout {enable | disable}

set revision-backup-on-upgrade {enable | disable}

set strong-crypto {enable | disable}

set switch-mgmt-mode {fortilink | local}

set tcp-mss-min <48-10000>

set tcp6-mss-min<48-10000>

set timezone <timezone_number>

end

Variable

Description

Default

802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Set the CA certificate for port security (802.1x):
  • Entrust_802.1x_CA—Select this CA if you are using 802.1x authentication.
  • Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
  • Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
  • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.

Entrust_802.1x_CA

802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Set the certificate for port security (802.1x):
  • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Entrust_802.1x

admin-concurrent {enable | disable}

Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.

enable

admin-https-pki-required {enable | disable}

Enable to allow user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting of disable allows admin users to log in by providing a valid certificate or password.

disable

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3}

Set the allowed SSL/TLS versions for Web administration.

tlsv1-1 tlsv1-2 tlsv1-3

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.

60

admin-lockout-threshold

<failed_int>

Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.

3

admin-port <port_number>

Enter the port to use for HTTP administrative access.

80

admin-scp {enable | disable}

Enable to allow system configuration download by the secure copy (SCP) protocol.

disable

admin-server-cert

{self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Select the administration HTTPS server certificate to use:
  • self-sign—Use a self-signed security certificate. Self-signed certificates are free and will encrypt the data just as securely as a purchased certificate. Self-signed certificates, however, are not likely to be recognized by the CA certificate store so will be considered by any checks against that store as invalid.
  • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Fortinet_Firmware

admin-sport <port_number>

Enter the port to use for HTTPS administrative access.

443

admin-ssh-grace-time

<time_int>

Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds.

120

admin-ssh-port <port_number>

Enter the port to use for SSH administrative access.

22

admin-ssh-v1 {enable | disable}

Enable compatibility with SSH v1.0.

disable

admin-telnet-port

<port_number>

Enter the port to use for telnet administrative access.

23

admintimeout <admin_timeout_minutes>

Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).

To improve security, keep the idle timeout at the default value of 5 minutes.

5

alertd-relog {enable | disable}

Enable or disable re-logs when a sensor exceeds its threshold.

disable

alert-interval

NOTE: This command is only available after the alertd-relog option has been enabled.

Set how often an alert is generated for temperature sensors when they exceed their set thresholds.

30

allow-subnet-overlap {enable | disable}

Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.

Note: Different interfaces cannot have overlapping IP addresses or subnets.

Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

disable

arp-timeout <seconds>

Set the number of seconds before dynamic ARP entries are removed from the cache.

300

asset-tag

LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).

No default

cfg-save {automatic | manual | revert}

Set the method for saving the FortiSwitch system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
  • automatic automatically save the configuration after every change.
  • manual manually save the configuration using the execute acl key-compaction command.
  • revert manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
Swit