Fortinet Document Library

get

The get commands provide information about the operation of the FortiSwitch unit:

get hardware cpu

Use this command to display detailed information about the CPUs installed in your FortiSwitch unit.

Syntax

get hardware cpu

Example output

S524DF4K15000024 # get hardware cpu
Processor       : ARMv7 Processor rev 0 (v7l)
processor       : 0
BogoMIPS        : 1993.93

processor       : 1
BogoMIPS        : 1993.93

Features        : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

Hardware        : Broadcom iProc
Revision        : 0000
Serial          : 0000000000000000

get hardware memory

Use this command to display information about FortiSwitch memory use. Information includes the total memory, memory in use, and free memory.

Syntax

get hardware memory

Example output

S524DF4K15000024 # get hardware memory
MemTotal:        2026080 kB
MemFree:         1725840 kB
Buffers:            1336 kB
Cached:            68548 kB
SwapCached:            0 kB
Active:            42724 kB
Inactive:          59596 kB
Active(anon):      32436 kB
Inactive(anon):        0 kB
Active(file):      10288 kB
Inactive(file):    59596 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:        221184 kB
HighFree:         119468 kB
LowTotal:        1804896 kB
LowFree:         1606372 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:         32436 kB
Mapped:            14680 kB
Shmem:                 0 kB
Slab:              15348 kB
SReclaimable:       3800 kB
SUnreclaim:        11548 kB
KernelStack:         776 kB
PageTables:         3556 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     1013040 kB
Committed_AS:     594696 kB
VmallocTotal:     245760 kB
VmallocUsed:       66276 kB
VmallocChunk:     163772 kB

get hardware status

Report information about the FortiSwitch hardware including ASIC version, CPU type, amount of memory, flash drive size, hard disk size (if present), and USB flash size (if present). Use this information to troubleshoot, to provide to Fortinet Support, or to confirm the features that your FortiSwitch model supports.

Syntax

get hardware status

Example output

S524DF4K15000024 # get hardware status
Model name: FortiSwitch-524D-FPOE
CPU: ARMv7 Processor rev 0 (v7l)
RAM: 1978 MB
MTD Flash: 52 MB /dev/mtd
Hard disk: not available
Switch CPLD Version: V0.4
Poe Firmware Version:2.6.3

get log custom-field

Use this command to get information about custom log fields that have been created. To create custom log fields, see config log custom-field.

Syntax

get log custom-field

Example output

S524DF4K15000024 # get log custom-field
== [ 1 ]
id: 1
== [ 2 ]
id: 2

This output shows that two custom fields have been created.

get log eventfilter

Use this command to find out which logs are enabled:

  • Event logs show configuration changes and allow you to monitor the activities administrators perform.
  • Router logs allow you to review all router activity. Router logs are available only on supported platforms if you have the advanced features license.
  • System logs show system-level activity such as IP conflicts.
  • User logs show user activity such as who is logged on and when.

To enable event logging, see config log eventfilter.

Syntax

get log eventfilter

Example output

S524DF4K15000024 # get log eventfilter
			
event               : enable
router              : enable
system              : enable
user                : enable

get log gui

Use this command to find out which device is being used to display logs in the Web-based manager.

Syntax

get log gui

Example output

S524DF4K15000024 # get log gui
log-device          : memory

This output shows that logs are being displayed from memory.

get log memory

Use this command to find out the current settings for logging to system memory.

Syntax

get log memory filter

get log memory global-setting

get log memory setting

Variable

Description

filter

Find out the severity level of log entries made in system memory. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

global-setting

Find out the global settings for logging to system memory:
  • full-final-warning-threshold — the number of log entries saved before a final warning is sent. When all memory is filled, the system overwrites the oldest log entries.
  • full-first-warning-threshold — the number of log entries saved before receiving the first warning.
  • full-second-warning-threshold — the number of log entries saved for receiving the second warning.
  • hourly-upload — whether the log is uploaded hourly.
  • max-size — the maximum size of the memory buffer log, in bytes.

setting

Find out the general settings for logging to system memory:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log memory filter
severity            : information

S524DF4K15000024 # get log memory global-setting
full-final-warning-threshold: 95
full-first-warning-threshold: 75
full-second-warning-threshold: 90
hourly-upload       : disable
max-size            : 98304

S524DF4K15000024 # get log memory setting
diskfull            : overwrite
status              : enable

get log syslogd

Use this command to get information about your system log 1 settings.

Syntax

get log syslogd {filter | setting}

Variable

Description

filter

Find out the severity level of system log 1 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 1:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd filter
severity            : information

S524DF4K15000024 # get log syslogd setting
status              : disable	

get log syslogd2

Use this command to get information about your system log 2 settings.

Syntax

get log syslogd2 {filter | setting}

Variable

Description

filter

Find out the severity level of system log 2 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 2:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd2 filter
severity            : information

S524DF4K15000024 # get log syslogd2 setting
status              : disable	

get log syslogd3

Use this command to get information about your system log 3 settings.

Syntax

get log syslogd3 {filter | setting}

Variable

Description

filter

Find out the severity level of system log 3 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 3:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd3 filter
severity            : information

S524DF4K15000024 # get log syslogd3 setting
status              : disable	
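The severity rule and the status fields described above, turned into a configuration check. This is an added example, not Fortinet code: it parses a saved CLI transcript and reports log destinations that are disabled or whose threshold would drop a required level. The function names, the `required` parameter and the finding strings are assumptions of this example; the sample transcript reuses the page's outputs, except the syslogd2 lines, which are constructed.

```python
import re

# Severity names in the order the page lists them, most severe first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
DESTINATIONS = ("memory", "syslogd", "syslogd2", "syslogd3")

PROMPT = re.compile(r"^\S+ # (get .+?)\s*$")       # "<hostname> # <command>"
KEYVAL = re.compile(r"^([\w-]+)\s*:\s*(.*?)\s*$")  # "key      : value"

# Sample transcript: page outputs plus constructed syslogd2 lines.
# syslogd3 is left out on purpose to show the "not collected" case.
SAMPLE_TRANSCRIPT = """\
S524DF4K15000024 # get log memory filter
severity            : information

S524DF4K15000024 # get log memory setting
diskfull            : overwrite
status              : enable

S524DF4K15000024 # get log syslogd filter
severity            : information

S524DF4K15000024 # get log syslogd setting
status              : disable\t

S524DF4K15000024 # get log syslogd2 filter
severity            : error

S524DF4K15000024 # get log syslogd2 setting
status              : enable
"""


def parse_transcript(text):
    """Split a CLI transcript into {command: {key: value}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return result


def logged_levels(threshold):
    """Levels recorded for a threshold: that level and every more severe one."""
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown severity: {threshold!r}")
    return SEVERITIES[:SEVERITIES.index(threshold) + 1]


def audit(text, required="warning"):
    """Return (destination, finding) pairs for the four log destinations."""
    cfg = parse_transcript(text)
    findings, remote_enabled = [], False
    for dest in DESTINATIONS:
        setting = cfg.get(f"get log {dest} setting")
        flt = cfg.get(f"get log {dest} filter")
        if setting is None or flt is None:
            findings.append((dest, "not collected"))
            continue
        if setting.get("status") != "enable":
            findings.append((dest, "disabled"))
            continue
        if dest != "memory":
            remote_enabled = True
        severity = flt.get("severity")
        if severity not in SEVERITIES:
            findings.append((dest, f"unknown severity {severity!r}"))
        elif required not in logged_levels(severity):
            findings.append((dest, f"severity {severity} omits {required}"))
    if not remote_enabled:
        # Only the memory buffer can be holding logs, and the page notes
        # that it overwrites the oldest entries once it is full.
        findings.append(("remote", "no syslog server enabled"))
    return findings


if __name__ == "__main__":
    for dest, finding in audit(SAMPLE_TRANSCRIPT):
        print(f"{dest}: {finding}")
```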

get router info bfd neighbor

Use this command to find out where bidirectional forwarding detection (BFD) has been enabled. If you do not specify the BFD peer IPv4 address or interface, all BFD peers are returned.

Syntax

get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]

Example output

S524DF4K15000024 # get router info bfd neighbor
OurAddr         NeighAddr       LD/RD   State   Int
192.168.15.2    192.168.15.1    1/4     UP      vlan2000
192.168.16.2    192.168.16.1    2/2     UP      vlan2001

get router info bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info bgp {cidr-only | community | community-info | community-list | dampening | filter-list | inconsistent-as | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | quote-regexp | route-map | scan | summary | memory}

Variable

Description

cidr-only

Display routes with nonnatural netmasks.

community

Display routes matching the communities.

community-info

List all BGP community information.

community-list

Display routes matching the community list.

dampening

Display router dampening information.

filter-list

Display routes conforming to the filter list.

inconsistent-as

Display routes with inconsistent AS paths.

neighbors

Show BGP neighbors for IPv4 and IPv6.

network

Show the BGP information for the network.

network-longer-prefixes

Show the BGP information for routes and more specific routes.

paths

Display the BGP path information for IPv4 and IPv6.

prefix-list

Display routes conforming to the prefix list.

regexp

Display routes matching the AS path with regular expressions.

quote-regexp

Display routes matching the AS path with regular expressions within quotation marks.

route-map

Display routes conforming to the route map.

scan

Display the BGP scan status.

summary

Display a summary of the BGP neighbor status for IPv4 and IPv6.

memory

Display the BGP memory table.

get router info gwdetect

Use this command to get information about the gwdetect status.

Syntax

get router info gwdetect

get router info isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing configuration for IPv4 traffic.

Syntax

get router info isis {interface | neighbor | database | route | summary | summary-table | topology}

Variable

Description

interface

Show the IS-IS interfaces.

neighbor

Show the IS-IS neighbor adjacencies.

database

Show the IS-IS link state database.

route

Show the IS-IS IP routing table.

summary

Show the IS-IS summary.

summary-table

Show the IS-IS IPv4 summary table.

topology

Show the IS-IS paths.

get router info kernel

Use this command to get information about the IPv4 kernel routing table. The IPv4 kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info kernel <routing_type>

get router info multicast

Use this command to get information about the Protocol Independent Multicast (PIM) routing configuration.

Syntax

get router info multicast {config | igmp | pim | table | table-count}

Variable

Description

config

Show the multicast routing configuration.

igmp

Show the multicast routing IGMP information.

pim

Show PIM information.

table

Show the multicast routing table.

table-count

Show the multicast route and packet count.

get router info ospf

Use this command to get information about any IPv4 open shortest path first (OSPF) routing that has been configured. To set up IPv4 OSPF routing, see config router ospf.

Syntax

get router info ospf config

get router info ospf redist-route

get router info ospf summary

get router info ospf database {brief | self-originate | router | network | summary | asbr-summary| external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

get router info ospf interface [<interface_name>]

get router info ospf route

get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}

get router info ospf border-routers

get router info ospf status

get router info ospf vrf <VRF_name>

Variable

Description

config

Display detailed information about the current OSPF configuration, including interfaces, areas, access lists, and IP addresses.

redist-route

Display information about the OSPF redistributed routes.

summary

Display summary table information.

database {brief | self-originate | router | network | summary | asbr-summary| external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

Display information about the OSPF database.

interface [<interface_name>]

Display information about the specified OSPF interface. If the interface is not specified, information about all OSPF interfaces is returned.

route

Display the OSPF routing table.

neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}

Display information about OSPF neighbors.

border-routers

Display information about OSPF border routers.

status

Display the current status of the OSPF routing, including router identifier, flags, timers, and areas.

vrf <VRF_name> {rdist-route | summary | database | interface | route | neighbor | border-routers | status}

Display virtual routing and forwarding (VRF) information within OSPF.

Example output

S524DF4K15000024 # get router info ospf status
			
OSPF Routing Process, OSPF Router ID: 1.1.1.2
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 5000 millisec(s)
Minimum hold time between consecutive SPFs 10000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 2d07h22m ago
Last SPF duration 105 usecs
SPF timer is inactive
Refresh timer 10 secs  PacketsSent: 0 PacketsRecv: 0
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Adjacency changes are logged

Area ID: 0.0.0.4 (NSSA)
Shortcutting mode: Default, S-bit consensus: ok
Number of interfaces in this area: Total: 0, Active: 0
It is an NSSA configuration.
Elected NSSA/ABR performs type-7/type-5 LSA translation.
It is not ABR, therefore not Translator.
Number of fully adjacent neighbors in this area: 0
Area has message digest authentication
Number of full virtual adjacencies going through this area: 0
SPF algorithm executed 1 times
Default-Route Cost: 1
Number of LSA 1
Number of router LSA 1. Checksum Sum 0x0000ebf8
Number of network LSA 0. Checksum Sum 0x00000000
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000

get router info rip

Use this command to get information about any Routing Information Protocol (RIP) routing that has been configured. To set up RIP routing, see config router rip.

Syntax

get router info rip {config | database | status}

Variable

Description

config

Display detailed information about the current RIP configuration, including keys in the keychain, interfaces, access lists, and IP addresses.

database

Display information about the RIP database.

status

Display the current status of the RIP routing, including filter lists, redistribution, RIP version, and interfaces.

Example output

S524DF4K15000024 # get router info rip status
			
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 21 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: static
Default version control: send version 2, receive version 2
Interface        Send  Recv   UpdSend Key-chain
vlan35           2     2      9
vlan85           2     2      8
Routing for Networks:
170.38.65.0/24
180.1.1.0/24
0.0.0.0
Distance: (default is 120)

get router info routing-table

Use these commands to get information about the IPv4 routing table.

Syntax

get router info routing-table summary

get router info routing-table details <A.B.C.D/M>

get router info routing-table all

get router info routing-table rip

get router info routing-table ospf

get router info routing-table bgp

get router info routing-table isis

get router info routing-table static

get router info routing-table connected

get router info routing-table dump <A.B.C.D>

Variable

Description

summary

Display a summary of the existing routes.

details <A.B.C.D/M>

Display the routing table entries that include the specified IP address or route prefix.

all

Display all routing table entries.

rip

Display the RIP routes in the routing table.

ospf

Display the OSPF routes in the routing table.

bgp

Display the BGP routes in the routing table.

isis

Display the IS-IS routes in the routing table.

static

Display the static routes in the routing table.

connected

Display the connected routes in the routing table.

dump <A.B.C.D>

Display the details of routing table entries that include the specified IP address or route prefix.

Example output

S524DF4K15000024 # get router info routing-table summary
Route Source         Routes               FIB  (vrf default)
connected            3                    3
static               1                    1
------
Totals               4                    4

S524DF4K15000024 # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
	O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
	T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
	F - PBR, f - OpenFabric,
	> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

S>*  0.0.0.0/0 [5/0] via 169.254.1.1, internal, 00:36:02
C>*  10.254.252.0/23 is directly connected, rspan, 00:34:37
C>*  169.254.1.0/24 is directly connected, internal, 1d00h57m
C>*  192.168.2.0/24 is directly connected, mgmt, 01:51:05

get router info vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv4.

Syntax

get router info vrrp

Example output

S524DF4K15000024 # get router info vrrp
Interface: vlan-8, primary IP address: 10.10.10.1
UseVMAC: 1
VRID: 5
vrip: 11.1.1.100, priority: 255, state: MASTER
adv_interval: 1, preempt: 1, start_time: 3
vrmac: 00:00:5e:00:01:05
vrdst:
vrgrp: 50

get router info6 bfd neighbor

Use this command to find out where bidirectional forwarding detection (BFD) has been enabled. If you do not specify the BFD peer IPv6 address, all BFD peers are returned.

Syntax

get router info6 bfd neighbor [<X:X::X:X>]

get router info6 bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info6 bgp {community | community-list | dampening | filter-list | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | route-map | summary}

Variable

Description

community

Display routes matching the communities.

community-list

Display routes matching the community list.

dampening

Display router dampening information.

filter-list

Display routes conforming to the filter list.

neighbors

Show BGP neighbors.

network

Show the BGP information for the network.

network-longer-prefixes

Show the BGP information for routes and more specific routes.

paths

Display the BGP path information.

prefix-list

Display routes conforming to the prefix list.

regexp

Display routes matching the AS path with regular expressions.

route-map

Display routes conforming to the route map.

summary

Display a summary of the BGP neighbor status.

get router info6 isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing configuration for IPv6 traffic.

Syntax

get router info6 isis {interface | neighbor | database | route | summary | summary-table6 | topology}

Variable

Description

interface

Show the IS-IS interfaces.

neighbor

Show the IS-IS neighbor adjacencies.

database

Show the IS-IS link state database.

route

Show the IS-IS IP routing table.

summary

Show the IS-IS summary.

summary-table 6

Show the IS-IS IPv6 summary table.

topology

Show the IS-IS paths.

get router info6 kernel

Use this command to get information about the IPv6 kernel routing table. The IPv6 kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info6 kernel

Example output

S524DF4K15000024 # get router info6 kernel
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=42(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=49(rspan) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=42(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=49(rspan) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=1(lo) prio=ffffffff

get router info6 ospf

Use this command to get information about any IPv6 open shortest path first (OSPF) routing that has been configured. To set up IPv6 OSPF routing, see config router ospf6.

Syntax

get router info6 ospf database [{router | network | inter-prefix | inter-router | external | link | intra-prefix}]

get router info6 ospf interface [<interface_name>]

get router info6 ospf route [<IPv6_address>]

get router info6 ospf redistribute

get router info6 ospf border-route [detail]

get router info6 ospf neighbor {<A.B.C.D> | detail}

get router info6 ospf status

Variable

Description

database [{router | network | inter-prefix | inter-router | external | link | intra-prefix}]

Display information about the OSPF link state advertisement (LSA) database. Specify the router LSA, network LSA, inter-prefix LSA, inter-router LSA, external LSA, link LSA, or intra-prefix LSA database. If you do not specify which LSA database, information about all LSA databases is returned.

interface [<interface_name>]

Display information about the OSPF interface. If you do not specify the interface, information about all interfaces is returned.

route [<IPv6_address>]

Display the OSPF routing table. If you do not specify an IPv6 address, all IPv6 routes are returned.

redistribute

Display redistributing external information.

border-route [detail]

Display general or detailed information about OSPF border routers.

neighbor {<A.B.C.D> | detail}

Display information about OSPF neighbors in general or in detail, or about the neighbor with the specified ID.

status

Display the current status of the OSPF routing, including router identifier, flags, timers, and areas.

get router info6 rip

Use this command to get information about any IPv6 Routing Information Protocol (RIP) routing that has been configured. To set up IPv6 RIP routing, see config router ripng.

Syntax

get router info6 rip config

get router info6 rip database

get router info6 rip status

Variable

Description

config

Display information about the RIP configuration.

database

Display information about the RIP routes.

status

Display the current status of the RIP routing, including timers, filter lists, and neighbors.

get router info6 routing-table

Use these commands to get information about the IPv6 routing table. If you do not specify which IPv6 routing table, information about all IPv6 routing tables is returned.

Syntax

get router info6 routing-table rip

get router info6 routing-table ospf

get router info6 routing-table bgp

get router info6 routing-table static

get router info6 routing-table connected

Variable

Description

rip

Display the RIP routes in the routing table.

ospf

Display the OSPF routes in the routing table.

bgp

Display the BGP routes in the routing table.

static

Display the static routes in the routing table.

connected

Display the connected routes in the routing table.

Example output

S524DF4K15000024 # get router info6 routing-table
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

C *  fe80::/64 is directly connected, rspan, 02:41:19
C *  fe80::/64 is directly connected, mgmt, 03:56:28
C>*  fe80::/64 is directly connected, internal, 1d03h03m
K>*  ff00::/8 [0/256] is directly connected, rspan, 02:41:20

get router info6 vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv6.

Syntax

get router info6 vrrp

get switch acl

Use these commands to display the ACL settings.

Syntax

get switch acl counters {all | egress | ingress | prelookup}

get switch acl egress

get switch acl ingress

get switch acl policer

get switch acl prelookup

get switch acl service custom

get switch acl settings

get switch acl usage

Variable

Description

counters {all | egress | ingress | prelookup}

Display information about all ACL policies, egress ACL policies, ingress ACL policies, or lookup ACL policies.

egress

Display information about the ACL policy for the egress stage.

ingress

Display information about the ACL policy for the ingress stage.

policer

List which ACL policers are available for different types of traffic.

prelookup

Display information about the ACL policy for the lookup stage.

service custom

Display a list of preconfigured service entries.

settings

Display the global ACL settings for the FortiSwitch unit.

usage

Display how much of the available resources are used by ACLs.

Example output

S524DF4K15000024 # get switch acl policer
== [ 1 ]
id: 1   description: policer1

S524DF4K15000024 # get switch acl settings
density-mode        : disable
trunk-load-balance  : enable

S524DF4K15000024 # get switch acl usage 
Device    RULES          COUNTERS       POLICERS       STAGE
          (total/free)   (total/free)   (total/free)
________________________________________________________________
0         2048  /2023    4096  /4071    4096  /4096    ingress
0         512   /511     1024  /1024    768   /768     egress
0         768   /767     0     /0       0     /0       prelookup
			
S524DF4K15000024 # get switch acl counters ingress
ingress: 
ID     Packets                Bytes           description
___________________________________________________________
0001 0                    0                    cnt_n_mirror13                                                   
0002 0                    0                    cnt_n_mirror31                                                   
0003 0                    0                    cnt_n_mirror41    

get switch dhcp-snooping

Use these commands to display more information about the IPv4 or IPv6 DHCP-snooping databases.

Syntax

get switch dhcp-snooping allowed-server-list

get switch dhcp-snooping client-db-details

get switch dhcp-snooping client6-db-details

get switch dhcp-snooping database-summary

get switch dhcp-snooping limit-db-details

get switch dhcp-snooping server-db-details

get switch dhcp-snooping server6-db-details

get switch dhcp-snooping status

Variable

Description

allowed-server-list

Display the allowed DHCP server list.

client-db-details

Display details about the IPv4 DHCP-snooping client database.

client6-db-details

Display details about the IPv6 DHCP-snooping client database.

database-summary

List the number of VLANs with various features enabled, list trusted and untrusted ports, and report how much of the databases are used.

limit-db-details

Display details about the DHCP-snooping lease-count database.

server-db-details

Display details about the IPv4 DHCP-snooping server database.

If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.

server6-db-details

Display details about the IPv6 DHCP-snooping server database.

If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.

status

Display details about the DHCP-snooping client and server database.

Example output

S548DF5018000776 # get switch dhcp-snooping allowed-server-list
vlan        ip
10          xxx.x.x.x

FS1D243Z14000027 # get switch dhcp-snooping client-db-details
mac               vlan ip          lease(sec) expiry(sec) interface hostname domainname vendor server-ip
00:01:00:00:00:01 100  xxx.x.x.xxx 86400      86398       port3
00:03:00:00:00:03 100  xxx.x.x.x   86400      86394       port5
00:03:00:00:00:04 100  xxx.x.x.x   86400      86394       port5

FS1D243Z14000027 # get switch dhcp-snooping server-db-details
mac               vlan ip        interface status  svr-list last-seen-time      expiry-time         OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10   xxx.x.x.x port1     trusted allowed  2018-09-11 11:21:09 2018-09-12 11:21:09 7/5/0/0
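The svr-list column described above (allowed or blocked) is what identifies a DHCP server that is answering clients without being on the access list. This is an added example, not Fortinet code: it parses saved `server-db-details` output, where the two timestamp columns contain a space so a plain whitespace split misaligns the fields, and lists servers that are blocked or not seen on a trusted port. The `untrusted` status value, the function names and the second and third sample rows are constructed assumptions.

```python
import re
from datetime import datetime

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<vlan>\d+)\s+(?P<ip>\S+)\s+(?P<interface>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<svr_list>\S+)\s+"
    rf"(?P<last_seen>{TS})\s+(?P<expiry>{TS})\s+"
    r"(?P<offer>\d+)/(?P<ack>\d+)/(?P<nak>\d+)/(?P<other>\d+)\s*$",
    re.IGNORECASE,
)

# First data row is the page's example; the other two rows are constructed
# (192.0.2.0/24 is a documentation range).
SAMPLE_SERVER_DB = """\
FS1D243Z14000027 # get switch dhcp-snooping server-db-details
   mac           vlan   ip  interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 xxx.x.x.x port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09  7/5/0/0
00:11:01:00:00:02 10 192.0.2.66 port7 untrusted blocked 2018-09-11 11:25:40 2018-09-12 11:25:40  3/0/0/0
00:11:01:00:00:03 20 192.0.2.67 port2 trusted blocked 2018-09-11 11:26:02 2018-09-12 11:26:02  1/1/0/0
"""


def parse_server_db(text):
    """Return one dict per data row; prompt, header and blank lines are skipped."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["vlan"] = int(row["vlan"])
        for key in ("offer", "ack", "nak", "other"):
            row[key] = int(row[key])
        for key in ("last_seen", "expiry"):
            row[key] = datetime.strptime(row[key], "%Y-%m-%d %H:%M:%S")
        servers.append(row)
    return servers


def suspicious_servers(text):
    """Return (mac, vlan, interface, reasons) for servers worth investigating."""
    findings = []
    for srv in parse_server_db(text):
        reasons = []
        if srv["svr_list"].lower() == "blocked":
            reasons.append("not in dhcp-server-access-list")
        if srv["status"].lower() != "trusted":
            reasons.append("not seen on a trusted port")
        if reasons:
            findings.append((srv["mac"], srv["vlan"], srv["interface"], reasons))
    return findings


if __name__ == "__main__":
    for mac, vlan, port, reasons in suspicious_servers(SAMPLE_SERVER_DB):
        print(f"{mac} vlan {vlan} on {port}: {'; '.join(reasons)}")
```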

get switch flapguard settings

Use this command to display the flap guard settings.

Syntax

get switch flapguard settings

Example output

S524DF4K15000024 # get switch flapguard settings
			
flap-duration       : 30
flap-rate           : 5
status              : disable

get switch global

Use this command to get information about the global settings of your FortiSwitch unit.

Syntax

get switch global

Example output

S524DF4K15000024 # get switch global
name                : (null)
mac-aging-interval  : 150
poe-alarm-threshold : 40
poe-power-mode      : first-come-first-served
poe-guard-band      : 10
ip-mac-binding      : enable
dmi-global-all      : enable
poe-pre-standard-detect: enable
poe-power-budget    : 200
trunk-hash-mode     : enhanced
trunk-hash-unkunicast-src-dst: enable
auto-fortilink-discovery: enable
auto-isl            : enable
mclag-peer-info-timeout: 300
auto-isl-port-group : 0
max-path-in-ecmp-group: 4
virtual-wire-tpid   : 0xdee5
loop-guard-tx-interval: 15
dhcp-snooping-database-export: enable
forti-trunk-dmac    : 02:80:c2:00:00:02
port-security:
link-down-auth      : set-unauth
reauth-period       : 60
max-reauth-attempt  : 2

get switch igmp-snooping

Use this command to get the IGMP-snooping settings of your FortiSwitch unit.

Syntax

get switch igmp-snooping {globals | group | static-group | status}

Variable

Description

globals

Display the global IGMP-snooping configuration on the FortiSwitch unit.

group

Display a list of learned multicast groups.

static-group

Display the list of configured static groups.

status

Display the status of IGMP-snooping VLANs and groups.

Example output

S524DF4K15000024 # get switch igmp-snooping globals
aging-time : 300
leave-response-timeout: 10
query-interval : 120

FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---

FS1D243Z13000023 # get switch igmp-snooping static-group

VLAN ID Group-Name     Multicast-addr  Member-interface
_______ ______________ _______________ _________________________
11      g239-1         239:1:1:1       port6 trunk-2
11      g239-11        239:2:2:11      port26 port48 trunk-2
40      g239-1         239:1:1:1       port5 port25 trunk-2
40      g239-2         239:2:2:2       port25 port26

S524DF4K15000048 # get switch igmp-snooping status

IGMP-SNOOPING enabled vlans:
-------------------------------
100

IGMP-Proxy enabled vlans:
-------------------------------

Max multicast snooping groups 1022

Total IGMP groups 0 (Learned 0, Static 0)
Total MLD groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch interface

Use this command to get information about the interfaces, including the class of service (CoS) value, whether sFlow is enabled on the interface, and whether dynamically learned MAC addresses are persistent on the interface.

Syntax

get switch interface

Example output

S524DF4K15000024 # get switch interface
			
== [ port1 ]
name: port1    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
== [ port2 ]
name: port2    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
== [ port3 ]
name: port3    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
...

get switch ip-mac-binding

Use this command to get information about IP MAC binding.

Syntax

get switch ip-mac-binding

Example output

get switch ip-mac-binding
			
== [ 1 ]
seq-num: 1

get switch ip-source-guard

Use this command to get information about the IP source-guard entries.

Syntax

get switch ip-source-guard

get switch ip-source-guard-violations

Use these commands to get source-guard violations.

Syntax

get switch ip-source-guard-violations all

get switch ip-source-guard-violations interface <interface_name>

Variable

Description

all

Display all source-guard violations.

interface <interface_name>

Display source-guard violations for the specified interface.

get switch lldp

Use this command to get information about LLDP.

Syntax

get switch lldp {auto-isl-status | neighbors-detail <physical port name>| neighbors-summary | profile | settings | stats}

Variable

Description

auto-isl-status

Display statistics and status for the automatic ISL configuration.

neighbors-detail <physical port name>

Display details about a specific LLDP port.

neighbors-summary

Display a summary of LLDP neighbors.

profile

Display the name of available LLDP profiles.

settings

Display whether LLDP is enabled globally, the number of tx-intervals before the local LLDP data expires, the frequency of LLDP PDU transmission, how often the FortiSwitch transmits the first four LLDP packets when a link comes up, and the primary management interface advertised in LLDP and CDP PDUs.

stats

Display the number of packets transmitted, received, and discarded; the number of neighbors added, deleted, and expired; and the number of unknown TLVs.

Example output

S524DF4K15000024 # get switch lldp profile
== [ default ]
name: default    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy
== [ default-auto-isl ]
name: default-auto-isl    802.1-tlvs:    802.3-tlvs:    med-tlvs:
== [ 1 ]
name: 1    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy
== [ Forti670i ]
name: Forti670i    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy

S524DF4K15000024 # get switch lldp settings
status              : enable
tx-hold             : 8
tx-interval         : 2000
fast-start-interval : 3
management-interface: internal

get switch mac-limit-violations

Use this command to see the first MAC address that exceeded the learning limit for an interface or VLAN.

To enable the learning limit violation log for a FortiSwitch unit, see config switch global.

Syntax

get switch mac-limit-violations {all | interface <interface_name> | vlan <VLAN_ID>}

Variable

Description

all

Display the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.

interface <interface_name>

Display the first MAC address that exceeded the learning limit on a specific interface.

vlan <VLAN_ID>

Display the first MAC address that exceeded the learning limit on a specific VLAN.

Example output

S524DF4K16000028 # get switch mac-limit-violations all
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20
port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44

S524DF4K16000028 # get switch mac-limit-violations interface port3
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20

S524DF4K16000028 # get switch mac-limit-violations vlan 9			
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44
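
The asterisk convention described above determines which limit an entry violated. The following Python is an added example, not Fortinet code: it parses the violation table, records whether the interface-based or the VLAN-based limit was exceeded, and merges the overlapping output of the all, interface, and vlan forms of the command into one de-duplicated list. The sample text is the page's own example output; the function and field names are assumptions.

```python
import re
from datetime import datetime
from typing import NamedTuple

# port[*]  vlan[*]  mac  "YYYY-MM-DD HH:MM:SS"
ROW_RE = re.compile(
    r"^(?P<port>\S+?)(?P<port_mark>\*?)\s+"
    r"(?P<vlan>\d+)(?P<vlan_mark>\*?)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

HEADER = (
    "Port            VLAN ID         MAC Address              Timestamp\n"
    + "-" * 82 + "\n"
)
ROW_PORT3 = "port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20\n"
ROW_PORT15 = "port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44\n"

# Output of the three command forms, as shown in the example output above.
OUTPUT_ALL = "S524DF4K16000028 # get switch mac-limit-violations all\n" + HEADER + ROW_PORT3 + ROW_PORT15
OUTPUT_PORT3 = "S524DF4K16000028 # get switch mac-limit-violations interface port3\n" + HEADER + ROW_PORT3
OUTPUT_VLAN9 = "S524DF4K16000028 # get switch mac-limit-violations vlan 9\n" + HEADER + ROW_PORT15


class Violation(NamedTuple):
    port: str
    vlan: int
    mac: str
    timestamp: datetime
    exceeded: tuple  # ("interface",), ("vlan",), both, or empty if no asterisk is present


def parse_violations(text):
    """Parse one command output; prompt, header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # digits in the right shape but not a valid date
        exceeded = tuple(
            scope
            for scope, mark in (("interface", m["port_mark"]), ("vlan", m["vlan_mark"]))
            if mark
        )
        rows.append(Violation(m["port"], int(m["vlan"]), m["mac"].lower(), ts, exceeded))
    return rows


def merge_violations(*outputs):
    """Combine several command outputs, dropping entries that repeat, oldest first."""
    unique = {}
    for text in outputs:
        for v in parse_violations(text):
            unique.setdefault(v, v)  # identical rows hash to the same key
    return sorted(unique.values(), key=lambda v: v.timestamp)


if __name__ == "__main__":
    for v in merge_violations(OUTPUT_ALL, OUTPUT_PORT3, OUTPUT_VLAN9):
        limit = " and ".join(v.exceeded) or "unmarked"
        print(f"{v.timestamp}  {v.port} vlan {v.vlan}  {v.mac}  limit exceeded: {limit}")
```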

get switch mirror status

Use this command to get information about the ERSPAN-auto mirror sessions of your FortiSwitch unit. To configure a packet mirror, see config switch mirror.

Syntax

get switch mirror status <session>

Example output

# get switch mirror status flink.sniffer

flink.sniffer
Mode : ERSPAN-auto
Status : Inactive
Source-Ports:
Ingress: port2, port3
Egress : port8, port9
Used-by-ACLs : False
Auto-config-state : N/A
Last-update : never
Issues : None
Collector-IP : 0.0.0.0
Source-IP : N/A
Source-MAC : N/A
Next-Hop :
IP : N/A
MAC : N/A
Via-System-Interface : N/A
VLAN : N/A
Via-Switch-Interface : N/A

get switch mld-snooping

Use this command to get the MLD-snooping settings of your FortiSwitch unit.

Syntax

get switch mld-snooping {globals | group | static-group | status}

Variable

Description

globals

Display the global MLD-snooping configuration on the FortiSwitch unit.

group

Display a list of learned multicast groups.

static-group

Display the list of configured static groups.

status

Display the status of MLD-snooping VLANs and groups.

Example output

S548DF5018000776 # get switch mld-snooping globals

aging-time : 300
leave-response-timeout: 10
query-interval : 125

S548DF5018000776 # get switch mld-snooping group

MLD-SNOOPING mcast-groups:
Max Entries: 1022

port VLAN GROUP Age-timeout MLD-Version

Total Number of Learned MLD groups: 0

S548DF5018000776 # get switch mld-snooping static-group

VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________

S548DF5018000776 # get switch mld-snooping status

MLD-SNOOPING enabled vlans:
-------------------------------
40

MLD-Proxy enabled vlans:
-------------------------------
40

Max multicast snooping groups 1022

Total MLD groups 0 (Learned 0, Static 0)
Total IGMP groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch modules

Use this command to get information about the modules in your FortiSwitch unit.

Syntax

get switch modules {detail | limits | status | summary} [<port>]

Variable

Description

detail [<port>]

Display module details for a specific port, split port, or all available ports.

limits [<port>]

Display module limits for a specific port, split port, or all available ports.

status [<port>]

Display module status for a specific port, split port, or all available ports.

summary [<port>]

Display summary information of all modules for a specific port or all available ports and split ports.

Example output

FS108D3W14000720 # get switch modules detail port10
____________________________________________________________
Port(port10)
identifier SFP/SFP+
connector Unk (0x00)
transceiver 1000-Base-T
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable 100 meter
SFP Specific
length_smf_100m N/A
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007

FS1E48T419000036 # get switch modules status port51.2
___________________________________________________________
Port(port51.2)
temperature 23.777344 C
voltage 3.303100 volts
alarm_flags 0x0000
warning_flags 0x0000
laser_bias 0.758000 mAmps
tx_power -2.379219 dBm
rx_power -2.201871 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x0008 ( TX_POWER_LEVEL1 )

get switch network-monitor

Use this command to get information about network monitoring on the FortiSwitch unit.

Syntax

get switch network-monitor {directed | settings}

Variable

Description

directed

List the static entries for network monitoring on the switch.

settings

Display the global settings for network monitoring on the switch.

Example output

S524DF4K15000024 # get switch network-monitor directed
== [ 1 ]
id: 1

S524DF4K15000024 # get switch network-monitor settings
db-aging-interval   : 3600
status              : disable
survey-mode         : disable
survey-mode-interval: 120

get switch mrp

Use these commands to get information about the Media Redundancy Protocol (MRP) configuration.

Syntax

get switch mrp {profile | settings}

Variable

Description

profile

List the available MRP profiles.

settings

Display the MRP settings.

Example output

SR24DN4416000049 # get switch mrp profile 
== [ 500ms ]
name: 500ms    
== [ MRPprofile1 ]
name: MRPprofile1 
SR24DN4416000049 # get switch mrp settings 
status              : disable 
role                : client 
domain-id           : FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF 
domain-name         : domain1 
vlan-id             : 1
priority            : 40960
ring-port1          : (null)
ring-port2          : (null)
profile-name        : 500ms

get switch phy-mode

Use this command to find out which split ports have been configured. To configure split ports, see config switch phy-mode.

Syntax

get switch phy-mode

Example output

S524DF4K15000024 # get switch phy-mode
port29-phy-mode     : 1x40G
port30-phy-mode     : 1x40G

get switch physical-port

Use this command to get information about the physical ports of your FortiSwitch unit. To configure physical ports, see config switch physical-port.

Syntax

get switch physical-port

Example output

S524DF4K15000024 # get switch physical-port
== [ port1 ]
name: port1    egress-drop-mode: enabled    link-status: down   status: up
== [ port2 ]
name: port2    egress-drop-mode: enabled    link-status: down   status: up
== [ port3 ]
name: port3    egress-drop-mode: enabled    link-status: down   status: up
...

get switch poe inline

Use this command to get information about the system’s power over Ethernet (PoE) functions.

Syntax

get switch poe inline

Example output

S524DF4K15000024 # get switch poe inline
			
Unit Power Budget: 10.00W
Unit Guard Band: 10.00W
Unit Power Consumption: 0.00W
Unit Poe Power Mode : First come first served based.

Interface   Status    State         Max-Power(W)   Power-consumption(W)Class Error
----------------------------------------------------------------------------------
port1       Enabled   Searching         0.00           0.00                   0
port2       Enabled   Searching         0.00           0.00                   0
port3       Enabled   Searching         0.00           0.00                   0
port4       Enabled   Searching         0.00           0.00                   0
port5       Enabled   Searching         0.00           0.00                   0
port6       Enabled   Searching         0.00           0.00                   0
port7       Enabled   Searching         0.00           0.00                   0
port8       Enabled   Searching         0.00           0.00                   0
port9       Enabled   Searching         0.00           0.00                   0
port10      Enabled   Searching         0.00           0.00                   0
port11      Enabled   Searching         0.00           0.00                   0
port12      Enabled   Searching         0.00           0.00                   0
port13      Enabled   Searching         0.00           0.00                   0
port14      Enabled   Searching         0.00           0.00                   0
port15      Enabled   Searching         0.00           0.00                   0
port16      Enabled   Searching         0.00           0.00                   0
port17      Enabled   Searching         0.00           0.00                   0
port18      Enabled   Searching         0.00           0.00                   0
port19      Enabled   Searching         0.00           0.00                   0
port20      Enabled   Searching         0.00           0.00                   0
port21      Enabled   Searching         0.00           0.00                   0
port22      Enabled   Searching         0.00           0.00                   0
port23      Enabled   Searching         0.00           0.00                   0
port24      Enabled   Searching         0.00           0.00                   0

get switch qos

Use this command to get information about the QoS configuration:

Syntax

get switch qos {dot1p-map | ip-dscp-map | qos-policy}

Variable

Description

dot1p-map

List the available dot1p maps, as well as the CoS values.

ip-dscp-map

List the available DSCP maps.

qos-policy

List the available QoS policies.

Example output

S524DF4K15000024 # get switch qos dot1p-map
== [ test1 ]
name: test1    priority-0: queue-2    priority-1: queue-0    priority-2: queue-1    priority-3: queue-3    priority-4: queue-4    priority-5: queue-5    priority-6: queue-6    priority-7: queue-7

S524DF4K15000024 # get switch qos ip-dscp-map
== [ m1 ]
name: m1
				
S524DF4K15000024 # get switch qos qos-policy
== [ default ]
name: default
== [ policy1 ]
name: policy1

get switch raguard-policy

Use the following command to list the available IPv6 RA-guard policies. To create an IPv6 RA-guard policy, see config switch raguard-policy.

Syntax

get switch raguard-policy

Example output

S524DF4K15000024 # get switch raguard-policy

== [ RApolicy1 ]

name: RApolicy1

get switch security-feature

Use this command to display the security-feature settings. To configure security checks for incoming TCP/UDP packets, see config switch security-feature.

Syntax

get switch security-feature

Example output

S524DF4K15000024 # get switch security-feature
sip-eq-dip          : enable
tcp-flag            : enable
tcp-port-eq         : enable
tcp-flag-FUP        : enable
tcp-flag-SF         : enable
v4-first-frag       : enable
udp-port-eq         : enable
tcp-hdr-partial     : enable
macsa-eq-macda      : enable
allow-mcast-sa      : enable
allow-sa-mac-all-zero: enable

get switch static-mac

Use this command to display the static MAC addresses.

Syntax

get switch static-mac

Example output

S524DF4K15000024 # get switch static-mac
			
== [ 1 ]
seq-num: 1   interface: port5    mac: 00:21:cc:d2:76:72   vlan-id: 35

get switch storm-control

Use this command to display storm control settings on your FortiSwitch unit. To configure storm control, see config switch storm-control.

Syntax

get switch storm-control

Example output

S524DF4K15000024 # get switch storm-control
			
broadcast           : enable
rate                : 1000
unknown-multicast   : enable
unknown-unicast     : enable

get switch stp instance

Use this command to get information about STP instances on your FortiSwitch unit. To configure an STP instance, see config switch stp instance.

Syntax

get switch stp instance

Example output

# get switch stp instance

== [ 0 ]

id: 0

== [ 1 ]

id: 1

get switch stp settings

Use this command to get information about STP settings on your FortiSwitch unit. To configure STP settings, see config switch stp settings.

Syntax

get switch stp settings

Example output

S524DF4K15000024 # get switch stp settings
			
forward-time        : 15
hello-time          : 5
max-age             : 20
max-hops            : 20
name                : region1
revision            : 1
status              : enable

get switch trunk

Use this command to get information about which trunks on the FortiSwitch unit have been configured for link aggregation. To configure link aggregation, see config switch trunk.

Syntax

get switch trunk

Example output

# get switch trunk

== [ 1 ]

name: 1 members:

== [ port3 ]

member-name: port3

== [ port10 ]

member-name: port10

== [ port1 ]

member-name: port1

get switch virtual-wire

Virtual wire allows you to forward traffic between two ports with minimal filtering or packet modifications. To configure a virtual wire, see config switch virtual-wire.

Syntax

get switch virtual-wire

Example output

S524DF4K15000024 # get switch virtual-wire
			
== [ 1 ]
name: 1

get switch vlan

Use this command to get information about VLANs on the FortiSwitch unit. To configure a VLAN, see config switch vlan.

Syntax

get switch vlan

Example output

# get switch vlan

== [ 1 ]

id: 1 private-vlan-type: primary isolated-vlan: 2 community-vlans: 3

== [ 2 ]

id: 2 private-vlan-type: isolated sub-VLAN primary-vlan: 1

== [ 3 ]

id: 3 private-vlan-type: community sub-VLAN primary-vlan: 1

get system accprofile

Use this command to view a list of all the system administration access groups. To add an access profile group, see config system accprofile.

Syntax

get system accprofile

Example output

S524DF4K15000024 # get system accprofile
			
== [ prof_admin ]
name: prof_admin
== [ profile1 ]
name: profile1

get system admin list

Use this command to view a list of all the current administration sessions.

Syntax

get system admin list

Example output

# get system admin list

username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29

Variable

Description

username

Name of the admin account for this session.

local

The protocol this session used to connect to the system.

device

The interface, IP address, and port used by this session to connect to the system.

remote

The IP address and port used by the originating computer to connect to the system.

started

The time the current session started.

get system admin status

Use this command to view the status of the currently logged in admin and their session. To configure an administrator account, see config system admin.

Syntax

get system admin status

Example Output

# get system admin status

username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

Variable

Description

username

Name of the admin account currently logged in.

login local

The protocol used to start the current session.

login device

The login information from the FortiSwitch including interface, IP address, and port number.

login remote

The computer the user is logging in from including the IP address and port number.

login vdom

The virtual domain the admin is currently logged in to.

login started

The time the current session started.

current time

The current time of day on the system.

get system arp

Use this command to view the ARP table entries on the FortiSwitch unit. To manually add ARP table entries to the FortiSwitch unit, see config system arp-table.

Syntax

get system arp

Example output

S524DF4K15000024 # get system arp
			
Address           Age(min)   Hardware Addr      Interface
10.105.16.1       0          90:6c:ac:15:2f:94  mgmt
11.1.1.100        -          00:00:5e:00:01:05  vlan-8 (proxy)

get system arp-table

Use this command to view the ARP tables on the FortiSwitch unit.

Syntax

get system arp-table

Example output

# get system arp-table

== [ 1 ]

id: 1 interface: internal ip: 10.10.10.10 mac: 01:02:03:04:05:aa

get system bug-report

Use this command to get information about configuration related to bug reporting. To configure a custom email relay for sending problem reports to Fortinet customer support, see config system bug-report.

Syntax

get system bug-report

Example output

S524DF4K15000024 # get system bug-report
auth                : no
mailto              : fortiswitch@fortinet.com
password            : (null)
server              : fortinet.com
username            : bug_report
username-smtp       : bug_report

get system certificate

Use this command to display configuration related to central management service:

Syntax

get system certificate {ca | crl | local | ocsp | remote}

Variable

Description

ca

List available CA certificates.

crl

Display the certificate revocation lists available.

local

List available local keys and certificates.

ocsp

Display the OCSP (Online Certificate Status Protocol) server certificate, the action to take when the server is unavailable, and the URL to the OCSP server.

remote

List available remote certificates.

Example output

S524DF4K15000024 # get system certificate ca
== [ Fortinet_CA ]
name: Fortinet_CA
== [ Fortinet_CA2 ]
name: Fortinet_CA2
== [ Entrust_802.1x_CA ]
name: Entrust_802.1x_CA
== [ Entrust_802.1x_L1K_CA ]
name: Entrust_802.1x_L1K_CA
== [ Entrust_802.1x_G2_CA ]
name: Entrust_802.1x_G2_CA

S524DF4K15000024 # get system certificate crl
== [ 1 ]
name: 1

S524DF4K15000024 # get system certificate local
== [ Fortinet_Factory ]
name: Fortinet_Factory
== [ Fortinet_Firmware ]
name: Fortinet_Firmware
== [ Entrust_802.1x ]
name: Entrust_802.1x

S524DF4K15000024 # get system certificate ocsp
cert                : (null)
unavail-action      : revoke
url                 : (null)

S524DF4K15000024 # get system certificate remote
== [ 1 ]
name: 1

get system cmdb status

Use this command to view information about the configuration management database (CMDB) on the FortiSwitch unit.

Syntax

get system cmdb status

Variable

Description

version

Version of the CMDB software.

owner id

Process identifier of the CMDB server daemon.

update index

The updated index shows how many changes have been made in the CMDB.

config checksum

The configuration file version used by FortiManager.

last request pid

The last process to access the CMDB.

last request type

Type of the last attempted access of the CMDB.

last request

The number of the last attempted access of the CMDB.

Example output

# get system cmdb status

version: 1

owner id: 18

update index: 6070

config checksum: 12879299049430971535

last request pid: 68

last request type: 29

last request: 78

get system console

Use this command to get information about the console connection. To configure the console, see config system console.

Syntax

get system console

Example output

S524DF4K15000024 # get system console
baudrate            : 115200
mode                : line
output              : more

get system dns

Use this command to get information about the DNS settings. To configure DNS, see config system dns.

Syntax

get system dns

Example output

S524DF4K15000024 # get system dns
primary             : 208.91.112.53
secondary           : 208.91.112.52
domain              : (null)
ip6-primary         : ::
ip6-secondary       : ::
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable
source-ip           : 0.0.0.0

get system flow-export

Use this command to display the flow-export configuration. To configure flow export, see config system flow-export.

Syntax

get system flow-export

Example output

S524DF4K15000024 # get system flow-export 
aggregates:
collector-ip        : 0.0.0.0
collector-port      : 0
format              : ipfix 
identity            : 0x00000000
level               : ip 
max-export-pkt-size : 512
timeout-general     : 3600
timeout-icmp        : 300
timeout-max         : 604800
timeout-tcp         : 3600
timeout-tcp-fin     : 300
timeout-tcp-rst     : 120
timeout-udp         : 300
transport           : tcp 

get system flow-export-data

Use this command to display the flow-export data. To configure flow export, see config system flow-export.

Syntax

get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data statistics

 

NOTE: Layer-2 flows for netflow 1 and netflow 5 are not supported. For the output of the get system flow-export-data statistics command, the Incompatible Type field displays how many flows are not exported because they are not supported.

Variable

Description

flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

Display the specified number of records or all records of flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.

flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

Display the specified number of records or all records of raw flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.

statistics

Display the statistics for the flow data.

get system fsw-cloud

Use this command to display the configuration of the FortiSwitch Cloud. To configure the FortiSwitch Cloud, see config system fsw-cloud.

Syntax

get system fsw-cloud

Example output

S524DF4K15000024 # get system fsw-cloud
			
interval            : 15
name                : fortiswitch-dispatch.forticloud.com
port                : 443
status              : enable

get system fsw-cloud-mgr connection-info

Use this command to check your connections to the FortiSwitch Cloud.

Syntax

get system fsw-cloud-mgr connection-info

Example output

S1D243Z14000027 # get system fsw-cloud-mgr connection-info

Dispatch Service : IP= xx.xxx.xxx.xx
Access Service : IP= xx.xxx.xxx.xxx, Port= 443, Connected on: 2017-10-25 18:03:33
State-Machine : State= FSMGR_STATE_READY, Event= EV_READY_HBEAT_GOOD

Bootstrap Service : hostname= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com, Port= 8000
Bootstrap State : State= OK, api-ver= v1

SSL verify Code : ok
SSL Tunnel Uptime : Days: 0 Hours: 20 Mins: 5
SSL Tunnel stats : restart-count= 5, Reason= HTTP Response data error

Stats:
========
Switch Keep Alive Tx/Reply := 2408 / 2408
Manager Keep Alive Rx/Error := 2410 / 0

Socks Req Rx/Last Stream-ID := 10131 / 490
Reset Req Rx/last Stream-ID := 247 / 490
Goaway Req Rx := 0
Unknown Req Rx := 0

Syslog Tx/Err := 199 / 0

Used SOCKS stream-id:
=======================
SID SockFd State Description
___ ______ _____ _______________
5 0 DATA SYSLOG DATA

get system global

Use this command to get the global settings of your FortiSwitch unit. To configure global settings, see config system global.

Syntax

get system global

Example output

S524DF4K15000024 # get system global
802.1x-ca-certificate: Entrust_802.1x_CA
802.1x-certificate  : Entrust_802.1x
admin-concurrent    : enable
admin-https-pki-required: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-port          : 80
admin-scp           : disable
admin-server-cert   : Fortinet_Firmware
admin-sport         : 443
admin-ssh-grace-time: 120
admin-ssh-port      : 22
admin-ssh-v1        : disable
admin-telnet-port   : 23
admintimeout        : 5
allow-subnet-overlap: disable
asset-tag           : (null)
cfg-save            : automatic
csr-ca-attribute    : enable
daily-restart       : disable
detect-ip-conflict  : enable
dst                 : enable
gui-lines-per-page  : 50
hostname            : S524DF4K15000024
image-rotation      : disable
kernel-crashlog     : enable
language            : english
ldapconntimeout     : 500
radius-port         : 1812
refresh             : 0
remoteauthtimeout   : 5
revision-backup-on-logout: enable
revision-backup-on-upgrade: enable
strong-crypto       : disable
switch-mgmt-mode    : local
timezone            : (GMT-8:00)Pacific Time(US&Canada).
user-server-cert    : Fortinet_Factory

get system info admin ssh

Use this command to display information about the SSH configuration on the FortiSwitch unit such as:

  • the SSH port number
  • the interfaces with SSH enabled
  • the hostkey DSA fingerprint
  • the hostkey RSA fingerprint

Syntax

get system info admin ssh

Example output

# get system info admin ssh

SSH v2 is enabled on port 22

SSH is enabled on the following 1 interfaces:

mgmt

SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99

SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49

get system info admin status

Use this command to display administrators that are logged into the FortiSwitch unit.

Syntax

get system info admin status

Variable

Description

Index

The order the administrators logged in.

User name

The name of the user account logged in.

Login type

Which interface was used to log in.

From

The IP address this user logged in from.

Example output

Index User name Login type From

0 admin CLI ssh(172.20.120.16)

1 admin WEB 172.20.120.16

get system interface physical

Use this command to list information about the physical network interfaces.

Syntax

get system interface physical

Example output

S524DF4K15000024 # get system interface physical
			
== [onboard]
	==[internal]
		mode: static
		ip: 0.0.0.0 0.0.0.0
		ipv6: ::/0
		status: up
		speed: n/a (Duplex: n/a)
		rx : 0 bytes  0 packets
		tx : 8405158 bytes  160742 packets
	==[mgmt]
		mode: dhcp
		ip: 10.105.19.3 255.255.252.0
		ipv6: ::/0
		status: up
		speed: 1000Mbps (Duplex: full)
		rx : 11558117 bytes  85986 packets
		tx : 7048800 bytes  39380 packet

get system ipv6-neighbor-cache

Use this command to list information about the IPv6 neighbor cache table. To configure the IPv6 neighbor cache table, see config system ipv6-neighbor-cache.

Syntax

get system ipv6-neighbor-cache

get system link-monitor

Use this command to list information about the physical network interfaces. To configure the link health monitor, see config system link-monitor.

Syntax

get system link-monitor

get system location

Use this command to get information about the location table used by LLDP-MED for enhanced 911 emergency calls. To configure a location table, see config system location.

Syntax

get system location

Example output

S548DF5018000776 # get system location

== [ Fortinet ]

name: Fortinet

get system ntp

Use this command to get information about the NTP settings. To configure an NTP server, see config system ntp.

Syntax

get system ntp

Example output

ntpserver:

== [ 1 ]

id: 1

== [ 2 ]

id: 2

ntpsync : enable

source-ip : 0.0.0.0

syncinterval : 1

get system password-policy

Use this command to view the password policy. To create a password policy, see config system password-policy.

Syntax

get system password-policy

Example output

# get system password-policy

status : enable

apply-to : admin-password

minimum-length : 8

min-lower-case-letter: 2

min-upper-case-letter: 2

min-non-alphanumeric: 0

min-number : 2

change-4-characters : disable

expire-status : disable

get system performance firewall statistics

Use this command to display a list of traffic types (such as browsing, email, and DNS) and the number of packets and number of payload bytes accepted by the firewall for each type since the system was restarted.

Syntax

get system performance firewall statistics

Example output

get system performance firewall statistics

getting traffic statistics...

Browsing: 623738 packets, 484357448 bytes

DNS: 5129187383836672 packets, 182703613804544 bytes

E-Mail: 23053606 packets, 2 bytes

FTP: 0 packets, 0 bytes

Gaming: 0 packets, 0 bytes

IM: 0 packets, 0 bytes

Newsgroups: 0 packets, 0 bytes

P2P: 0 packets, 0 bytes

Streaming: 0 packets, 0 bytes

TFTP: 654722117362778112 packets, 674223966126080 bytes

VoIP: 16834455 packets, 10 bytes

Generic TCP: 266287972352 packets, 8521215115264 bytes

Generic UDP: 0 packets, 0 bytes

Generic ICMP: 0 packets, 0 bytes

Generic IP: 0 packets, 0 bytes

get system performance status

Use this command to display FortiSwitch CPU usage, memory usage, network usage, sessions, viruses, IPS attacks, and system uptime.

Syntax

get system performance status

Example output

S524DF4K15000024 # get system performance status
			
CPU states: 0% user 16% system 0% nice 84% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 0 days,  22 hours,  5 minutes

Variable

Description

CPU states

The percentages of CPU cycles used by the user, system, nice, and idle categories of processes. These categories are:

  • user - CPU usage of normal user-space processes
  • system - CPU usage of the kernel
  • nice - CPU usage of user-space processes having other-than-normal running priority
  • idle - Idle CPU cycles

Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.

Memory states

The percentage of memory used.

Average network usage

The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.

Uptime

The time elapsed since the system was last restarted.

get system performance top

Use this command to display the list of processes running on the system (similar to the Linux top command).

The following commands are available when get system performance top is running:

  • Press Q or Ctrl+C to quit.
  • Press P to sort the processes by the amount of CPU that the processes are using.
  • Press M to sort the processes by the amount of memory that the processes are using.

Syntax

get system performance top [<delay_int> [<max_lines_int>]]

Variable         Description
<delay_int>      The delay, in seconds, between updating the process list. The default is 5 seconds.
<max_lines_int>  The maximum number of processes displayed in the output. The default is 20 lines.

Example output

S524DF4K15000024 # get system performance top

Run Time:  0 days, 22 hours and 13 minutes
0U, 7S, 93I; 1978T, 1684F
newcli           3424      R <     0.1     0.4
pyfcgid           770      S       0.0     0.7
pyfcgid           898      S       0.0     0.7
pyfcgid           899      S       0.0     0.7
cmdbsvr           610      S       0.0     0.6
httpsd            771      S       0.0     0.6
httpsd           1998      S       0.0     0.5
httpsd            901      S       0.0     0.5
miglogd           773      S       0.0     0.5
initXXXXXXXXXXX     1      S       0.0     0.5
newcli           1040      S <     0.0     0.5
ipconflictd       799      S       0.0     0.5
httpsd            900      S       0.0     0.4
fsmgrd            806      S       0.0     0.4
lldpmedd          800      S       0.0     0.4
eap_proxy         804      S       0.0     0.4
authd             803      S       0.0     0.4
router_launcher   768      S       0.0     0.4
sshd              790      S       0.0     0.4
stpd              795      S       0.0     0.4

get system schedule group

Use this command to list available schedule groups for when an access control list (ACL) will be active. To configure a schedule group, see config system schedule group.

Syntax

get system schedule group

Example output

S548DF5018000776 # get system schedule group

== [ group1 ]

name: group1

get system schedule onetime

Use this command to list available one-time schedules for when an access control list (ACL) will be active. To configure a one-time schedule, see config system schedule onetime.

Syntax

get system schedule onetime

Example output

S548DF5018000776 # get system schedule onetime

== [ schedule1 ]

name: schedule1

get system schedule recurring

Use this command to list schedules for when an access control list (ACL) will be active every week. To configure a recurring schedule, see config system schedule recurring.

Syntax

get system schedule recurring

Example output

S548DF5018000776 # get system schedule recurring

== [ schedule2 ]

name: schedule2

get system settings

Use this command to get information about equal cost multi-path (ECMP) routing. To configure ECMP routing, see config system settings.

Syntax

get system settings

Example output

#get system settings

v4-ecmp-mode : source-ip-based

get system sflow

Use this command to display the sFlow settings. To configure sFlow, see config system sflow.

Syntax

get system sflow

Example output

S524DF4K15000024 # get system sflow
collector-ip        : 0.0.0.0
collector-port      : 6343

get system sniffer-profile capture

Use this command to display the packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

get system sniffer-profile capture <profile_name>

get system sniffer-profile summary

Use this command to display the status of all configured packet-capture profiles. To create a packet-capture profile, see config system sniffer-profile.

Syntax

get system sniffer-profile summary

Example output

S524DF4K15000024 # get system sniffer-profile summary

Maximum memory available for storing packet-capture: 100 MB.

Name | Status | Pkt-Count |Snap Len | Size (KB) | Filter
=========================================================================================
profile1 | Stop | No Capture | 100 | 0.00 | none

get system snmp sysinfo

Use this command to get information about your system’s SNMP settings. To configure the SNMP agent, see config system snmp sysinfo.

Syntax

get system snmp sysinfo

Example output

S524DF4K15000024 # get system snmp sysinfo
			
contact-info        : (null)
description         : (null)
engine-id           : (null)
location            : (null)
status              : disable
trap-high-cpu-threshold: 80
trap-log-full-threshold: 90
trap-low-memory-threshold: 80
trap-temp-alarm-threshold: 60
trap-temp-warning-threshold: 50

get system source-ip status

Use this command to list defined source IP addresses.

Syntax

get system source-ip status

Example output

# get sys source-ip status
The following services force their communication to use
a specific source IP address:

service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101

get system startup-error-log

Use this command to display information about system startup errors. This command only displays information if an error occurs when the system starts up.

Syntax

get system startup-error-log

get system status

Use this command to display FortiSwitch status information including:

  • firmware version, build number, and branch point
  • serial number
  • host name
  • system time and date and related settings

Syntax

get system status

Example output

S524DF4K15000024 # get system status
			
Version: FortiSwitch-524D-FPOE v3.6.2,build0382,170829 (GA)
Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 382
System time: Tue Sep 12 16:16:40 2017

get test

Use this command to display information about applications on this FortiSwitch unit.

Syntax

get test {dnsproxy | fpmd | radiusd | sflowd | snmpd} <test_level_int>

Variable

Description

{dnsproxy | fpmd | radiusd | sflowd | snmpd}

Set the application to be tested.

Tests can be run on the following applications:

  • dnsproxy — DNS proxy
  • fpmd — FPM daemon
  • radiusd — RADIUS daemon
  • sflowd — sFlow daemon
  • snmpd — SNMP daemon

<test_level_int>

Set the level for the test.

Example output

S524DF4K15000024 # get test fpmd 1
ROUTE_V4_ADD                  : 9
INTF_V4_ADDR_ADD              : 14
ROUTE_V4_MGMT_FWD_DISABLED    : 4
ROUTE_ADD_INVALID_FAMILY      : 3
ROUTE_ADD_INET127             : 1

S524DF4K15000024 # get test sflowd 1
cmf sflow collector:0.0.0.0:[6343]
sflowd collector:0.0.0.0:[6343]

get user group

Use this command to list all user groups. To add a user group, see config user group.

Syntax

get user group

Example output

S524DF4K15000024 # get user group
== [ group1 ]
name: group1
== [ radgroup ]
name: radgroup

get user ldap

Use this command to list LDAP users. To add an LDAP user, see config user ldap.

Syntax

get user ldap

get user local

Use this command to list local users. To add a local user, see config user local.

Syntax

get user local

Example output

S524DF4K15000024 # get user local
			
== [ user1 ]
name: user1

get user radius

Use this command to list RADIUS users. To add a RADIUS user, see config user radius.

Syntax

get user radius

Example output

S524DF4K15000024 # get user radius
			
== [ serve2 ]
name: serve2
== [ radone ]
name: radone

get user setting

Use this command to get information about all the system’s user settings.

Syntax

get user setting

Example output

S524DF4K15000024 # get user setting
			
auth-blackout-time  : 0
auth-cert           : (null)
auth-http-basic     : disable
auth-invalid-max    : 5
auth-multi-group    : enable
auth-ports:
	== [ 1 ]
	id: 1
auth-secure-http    : disable
auth-timeout        : 5
auth-timeout-type   : idle-timeout
auth-type           : http https ftp telnet

get user tacacs+

Use this command to get information about TACACS+ users.

Syntax

get user tacacs+

Example output

S524DF4K15000024 # get user tacacs+
			
== [ tacserver ]
name: tacserver

get hardware status

Report information about the FortiSwitch hardware including ASIC version, CPU type, amount of memory, flash drive size, hard disk size (if present), and USB flash size (if present). Use this information to troubleshoot, to provide to Fortinet Support, or to confirm the features that your FortiSwitch model supports.

Syntax

get hardware status

Example output

S524DF4K15000024 # get hardware status
Model name: FortiSwitch-524D-FPOE
CPU: ARMv7 Processor rev 0 (v7l)
RAM: 1978 MB
MTD Flash: 52 MB /dev/mtd
Hard disk: not available
Switch CPLD Version: V0.4
Poe Firmware Version:2.6.3

get log custom-field

Use this command to get information about custom log fields that have been created. To create custom log fields, see config log custom-field.

Syntax

get log custom-field

Example output

S524DF4K15000024 # get log custom-field
== [ 1 ]
id: 1
== [ 2 ]
id: 2

This output shows that two custom fields have been created.

get log eventfilter

Use this command to find out which logs are enabled:

  • Event logs show configuration changes and allow you to monitor the activities administrators perform.
  • Router logs allow you to review all router activity. Router logs are available only on supported platforms if you have the advanced features license.
  • System logs show system-level activity such as IP conflicts.
  • User logs show user activity such as who is logged on and when.

To enable event logging, see config log eventfilter.

Syntax

get log eventfilter

Example output

S524DF4K15000024 # get log eventfilter
			
event               : enable
router              : enable
system              : enable
user                : enable

get log gui

Use this command to find out which device is being used to display logs in the web-based manager.

Syntax

get log gui

Example output

S524DF4K15000024 # get log gui
log-device          : memory

This output shows that logs are being displayed from memory.

get log memory

Use this command to find out the current settings for logging to system memory.

Syntax

get log memory filter

get log memory global-setting

get log memory setting

Variable

Description

filter

Find out the severity level of log entries made in system memory. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

global-setting

Find out the global settings for logging to system memory:
  • full-final-warning-threshold — the number of log entries saved before a final warning is sent. When all memory is filled, the system overwrites the oldest log entries.
  • full-first-warning-threshold — the number of log entries saved before receiving the first warning.
  • full-second-warning-threshold — the number of log entries saved for receiving the second warning.
  • hourly-upload — whether the log is uploaded hourly.
  • max-size — the maximum size of the memory buffer log, in bytes.

setting

Find out the general settings for logging to system memory:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log memory filter
severity            : information

S524DF4K15000024 # get log memory global-setting
full-final-warning-threshold: 95
full-first-warning-threshold: 75
full-second-warning-threshold: 90
hourly-upload       : disable
max-size            : 98304

S524DF4K15000024 # get log memory setting
diskfull            : overwrite
status              : enable

get log syslogd

Use this command to get information about your system log 1 settings.

Syntax

get log syslogd {filter | setting}

Variable

Description

filter

Find out the severity level of system log 1 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 1:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd filter
severity            : information

S524DF4K15000024 # get log syslogd setting
status              : disable	

get log syslogd2

Use this command to get information about your system log 2 settings.

Syntax

get log syslogd2 {filter | setting}

Variable

Description

filter

Find out the severity level of system log 2 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 2:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd2 filter
severity            : information

S524DF4K15000024 # get log syslogd2 setting
status              : disable	

get log syslogd3

Use this command to get information about your system log 3 settings.

Syntax

get log syslogd3 {filter | setting}

Variable

Description

filter

Find out the severity level of system log 3 entries. The system logs all messages at and above the selected severity level. For example, if the severity is error, the system logs error, critical, alert, and emergency level messages.
  • emergency — The system is unusable.
  • alert — Immediate action is required.
  • critical — Functionality is affected.
  • error — An erroneous condition exists and functionality is probably affected.
  • warning — Functionality might be affected.
  • notification — Information about normal events.
  • information — General information about system operations.
  • debug — Information used for diagnosing or debugging the system.

setting

Find out the general settings for the system log 3:
  • diskfull — whether the oldest log entries are overwritten when the system memory is full.
  • status — whether logging to system memory is enabled.

Example output

S524DF4K15000024 # get log syslogd3 filter
severity            : information

S524DF4K15000024 # get log syslogd3 setting
status              : disable	

get router info bfd neighbor

Use this command to find out where bidirectional forwarding detection (BFD) has been enabled. If you do not specify the BFD peer IPv4 address or interface, all BFD peers are returned.

Syntax

get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]

Example output

S524DF4K15000024 # get router info bfd neighbor
OurAddr         NeighAddr       LD/RD   State   Int
192.168.15.2    192.168.15.1    1/4     UP      vlan2000
192.168.16.2    192.168.16.1    2/2     UP      vlan2001

get router info bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info bgp {cidr-only | community | community-info | community-list | dampening | filter-list | inconsistent-as | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | quote-regexp | route-map | scan | summary | memory}

Variable                 Description
cidr-only                Display routes with non-natural netmasks.
community                Display routes matching the communities.
community-info           List all BGP community information.
community-list           Display routes matching the community list.
dampening                Display router dampening information.
filter-list              Display routes conforming to the filter list.
inconsistent-as          Display routes with inconsistent AS paths.
neighbors                Show BGP neighbors for IPv4 and IPv6.
network                  Show the BGP information for the network.
network-longer-prefixes  Show the BGP information for routes and more specific routes.
paths                    Display the BGP path information for IPv4 and IPv6.
prefix-list              Display routes conforming to the prefix list.
regexp                   Display routes matching the AS path with regular expressions.
quote-regexp             Display routes matching the AS path with regular expressions within quotation marks.
route-map                Display routes conforming to the route map.
scan                     Display the BGP scan status.
summary                  Display a summary of the BGP neighbor status for IPv4 and IPv6.
memory                   Display the BGP memory table.

get router info gwdetect

Use this command to get information about the gwdetect status.

Syntax

get router info gwdetect

get router info isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing configuration for IPv4 traffic.

Syntax

get router info isis {interface | neighbor | database | route | summary | summary-table | topology}

Variable       Description
interface      Show the IS-IS interfaces.
neighbor       Show the IS-IS neighbor adjacencies.
database       Show the IS-IS link state database.
route          Show the IS-IS IP routing table.
summary        Show the IS-IS summary.
summary-table  Show the IS-IS IPv4 summary table.
topology       Show the IS-IS paths.

get router info kernel

Use this command to get information about the IPv4 kernel routing table. The IPv4 kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info kernel <routing_type>

get router info multicast

Use this command to get information about the Protocol Independent Multicast (PIM) routing configuration.

Syntax

get router info multicast {config | igmp | pim | table | table-count}

Variable     Description
config       Show the multicast routing configuration.
igmp         Show the multicast routing IGMP information.
pim          Show PIM information.
table        Show the multicast routing table.
table-count  Show the multicast route and packet count.

get router info ospf

Use this command to get information about any IPv4 open shortest path first (OSPF) routing that has been configured. To set up IPv4 OSPF routing, see config router ospf.

Syntax

get router info ospf config

get router info ospf redist-route

get router info ospf summary

get router info ospf database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

get router info ospf interface [<interface_name>]

get router info ospf route

get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}

get router info ospf border-routers

get router info ospf status

get router info ospf vrf <VRF_name>

Variable

Description

config

Display detailed information about the current OSPF configuration, including interfaces, areas, access lists, and IP addresses.

redist-route

Display information about the OSPF redistributed routes.

summary

Display summary table information.

database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

Display information about the OSPF database.

interface [<interface_name>]

Display information about the specified OSPF interface. If the interface is not specified, information about all OSPF interfaces is returned.

route

Display the OSPF routing table.

neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}

Display information about OSPF neighbors.

border-routers

Display information about OSPF border routers.

status

Display the current status of the OSPF routing, including router identifier, flags, timers, and areas.

vrf <VRF_name> {rdist-route | summary | database | interface | route | neighbor | border-routers | status}

Display virtual routing and forwarding (VRF) information within OSPF.

Example output

S524DF4K15000024 # get router info ospf status
			
OSPF Routing Process, OSPF Router ID: 1.1.1.2
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 5000 millisec(s)
Minimum hold time between consecutive SPFs 10000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 2d07h22m ago
Last SPF duration 105 usecs
SPF timer is inactive
Refresh timer 10 secs  PacketsSent: 0 PacketsRecv: 0
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Adjacency changes are logged

Area ID: 0.0.0.4 (NSSA)
Shortcutting mode: Default, S-bit consensus: ok
Number of interfaces in this area: Total: 0, Active: 0
It is an NSSA configuration.
Elected NSSA/ABR performs type-7/type-5 LSA translation.
It is not ABR, therefore not Translator.
Number of fully adjacent neighbors in this area: 0
Area has message digest authentication
Number of full virtual adjacencies going through this area: 0
SPF algorithm executed 1 times
Default-Route Cost: 1
Number of LSA 1
Number of router LSA 1. Checksum Sum 0x0000ebf8
Number of network LSA 0. Checksum Sum 0x00000000
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000

get router info rip

Use this command to get information about any Routing Information Protocol (RIP) routing that has been configured. To set up RIP routing, see config router rip.

Syntax

get router info rip {config | database | status}

Variable  Description
config    Display detailed information about the current RIP configuration, including keys in the keychain, interfaces, access lists, and IP addresses.
database  Display information about the RIP database.
status    Display the current status of the RIP routing, including filter lists, redistribution, RIP version, and interfaces.

Example output

S524DF4K15000024 # get router info rip status
			
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 21 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: static
Default version control: send version 2, receive version 2
Interface        Send  Recv   UpdSend Key-chain
vlan35           2     2      9
vlan85           2     2      8
Routing for Networks:
170.38.65.0/24
180.1.1.0/24
0.0.0.0
Distance: (default is 120)

get router info routing-table

Use these commands to get information about the IPv4 routing table.

Syntax

get router info routing-table summary

get router info routing-table details <A.B.C.D/M>

get router info routing-table all

get router info routing-table rip

get router info routing-table ospf

get router info routing-table bgp

get router info routing-table isis

get router info routing-table static

get router info routing-table connected

get router info routing-table dump <A.B.C.D>

Variable             Description
summary              Display a summary of the existing routes.
details <A.B.C.D/M>  Display the routing table entries that include the specified IP address or route prefix.
all                  Display all routing table entries.
rip                  Display the RIP routes in the routing table.
ospf                 Display the OSPF routes in the routing table.
bgp                  Display the BGP routes in the routing table.
isis                 Display the IS-IS routes in the routing table.
static               Display the static routes in the routing table.
connected            Display the connected routes in the routing table.
dump <A.B.C.D>       Display the details of routing table entries that include the specified IP address or route prefix.

Example output

S524DF4K15000024 # get router info routing-table summary
Route Source         Routes               FIB  (vrf default)
connected            3                    3
static               1                    1
------
Totals               4                    4

S524DF4K15000024 # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
	O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
	T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
	F - PBR, f - OpenFabric,
	> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

S>*  0.0.0.0/0 [5/0] via 169.254.1.1, internal, 00:36:02
C>*  10.254.252.0/23 is directly connected, rspan, 00:34:37
C>*  169.254.1.0/24 is directly connected, internal, 1d00h57m
C>*  192.168.2.0/24 is directly connected, mgmt, 01:51:05

get router info vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv4.

Syntax

get router info vrrp

Example output

S524DF4K15000024 # get router info vrrp
Interface: vlan-8, primary IP address: 10.10.10.1
UseVMAC: 1
VRID: 5
vrip: 11.1.1.100, priority: 255, state: MASTER
adv_interval: 1, preempt: 1, start_time: 3
vrmac: 00:00:5e:00:01:05
vrdst:
vrgrp: 50

get router info6 bfd neighbor

Use this command to find out where bidirectional forwarding detection (BFD). If you do not specify the BFD peer IPv6 address, all BFD peers are returned.

Syntax

get router info6 bfd neighbor [<X:X::X:X>]

get router info6 bgp

Use this command to get information about the Border Gateway Protocol (BGP) routing configuration.

Syntax

get router info6 bgp {community | community-list | dampening | filter-list | neighbors | network | network-longer-prefixes | paths | prefix-list | regexp | route-map | summary}

Variable

Description

community

Display routes matching the communities.

community-list

Display routes matching the community list.

dampening

Display router dampening information.

filter-list

Display routes conforming to the filter list.

neighbors

Show BGP neighbors.

network

Show the BGP information for the network.

network-longer-prefixes

Show the BGP information for routes and more specific routes.

paths

Display the BGP path information.

prefix-list

Display routes conforming to the prefix list.

regexp

Display routes matching the AS path with regular expressions.

route-map

Display routes conforming to the route map.

summary

Display a summary of the BGP neighbor status.

get router info6 isis

Use this command to get information about the Intermediate System to Intermediate System Protocol (IS-IS) routing configuration for IPv6 traffic.

Syntax

get router info6 isis {interface | neighbor | database | route | summary | summary-table6 | topology}

Variable

Description

interface

Show the IS-IS interfaces.

neighbor

Show the IS-IS neighbor adjacencies.

database

Show the IS-IS link state database.

route

Show the IS-IS IP routing table.

summary

Show the IS-IS summary.

summary-table 6

Show the IS-IS IPv6 summary table.

topology

Show the IS-IS paths.

get router info6 kernel

Use this command to get information about the IPv6 kernel routing table. The IPv6 kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info6 kernel

Example output

S524DF4K15000024 # get router info6 kernel
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e4/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=02 protocol=unspec flag=00000000 oif=1(lo) dst:fe80::a5b:eff:fef1:95e5/128 gwy::: prio=0
type=01 protocol=kernel flag=00000000 oif=42(internal) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=2(mgmt) dst:fe80::/64 prio=100
type=01 protocol=kernel flag=00000000 oif=49(rspan) dst:fe80::/64 prio=100
type=01 protocol=boot flag=00000000 oif=42(internal) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=2(mgmt) dst:ff00::/8 prio=100
type=01 protocol=boot flag=00000000 oif=49(rspan) dst:ff00::/8 prio=100
type=07 protocol=kernel flag=00000000 oif=1(lo) prio=ffffffff

get router info6 ospf

Use this command to get information about any IPv6 open shortest path first (OSPF) routing that has been configured. To set up IPv6 OSPF routing, see config router ospf6.

Syntax

get router info6 ospf database [{router | network | inter-prefix | inter-router | external | link | intra-prefix}]

get router info6 ospf interface [<interface_name>]

get router info6 ospf route [<IPv6_address>]

get router info6 ospf redistribute

get router info6 ospf border-route [detail]

get router info6 ospf neighbor {<A.B.C.D> | detail}

get router info6 ospf status

Variable

Description

database [{router | network | inter-prefix | inter-router | external | link | intra-prefix}]

Display information about the OSPF link state advertisement (LSA) database. Specify the router LSA, network LSA, inter-prefix LSA, inter-router LSA, external LSA, link LSA, or intra-prefix LSA database. If you do not specify which LSA database, information about all LSA databases is returned.

interface [<interface_name>]

Display information about the OSPF interface. If you do not specify the interface, information about all interfaces is returned.

route [<IPv6_address>]

Display the OSPF routing table. If you do not specify an IPv6 address, all IPv6 routes are returned.

redistribute

Display redistributing external information.

border-route [detail]

Display general or detailed information about OSPF border routers.

neighbor {<A.B.C.D> | detail}

Display information about OSPF neighbors in general or in detail or specify a neighbor ID.

status

Display the current status of the OSPF routing, including router identifier, flags, timers, and areas.

get router info6 rip

Use this command to get information about any IPv6 Routing Information Protocol (RIP) routing that has been configured. To set up IPv6 RIP routing, see config router ripng.

Syntax

get router info6 rip config

get router info6 rip database

get router info6 rip status

Variable

Description

config

Display information about the RIP configuration.

database

Display information about the RIP routes.

status

Display the current status of the RIP routing, including timers, filter lists, and neighbors.

get router info6 routing-table

Use these commands to get information about the IPv6 routing table. If you do not specify which IPv6 routing table, information about all IPv6 routing tables is returned.

Syntax

get router info6 routing-table rip

get router info6 routing-table ospf

get router info6 routing-table bgp

get router info6 routing-table static

get router info6 routing-table connected

Variable

Description

rip

Display the RIP routes in the routing table.

ospf

Display the OSPF routes in the routing table.

bgp

Display the BGP routes in the routing table.

static

Display the static routes in the routing table.

connected

Display the connected routes in the routing table.

Example output

S524DF4K15000024 # get router info6 routing-table
Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route ^ - HW install failed

C *  fe80::/64 is directly connected, rspan, 02:41:19
C *  fe80::/64 is directly connected, mgmt, 03:56:28
C>*  fe80::/64 is directly connected, internal, 1d03h03m
K>*  ff00::/8 [0/256] is directly connected, rspan, 02:41:20

get router info6 vrrp

Use this command to get information about Virtual Router Redundancy Protocol (VRRP) groups for IPv6.

Syntax

get router info6 vrrp

get switch acl

Use these commands to display the ACL settings.

Syntax

get switch acl counters {all | egress | ingress | prelookup}

get switch acl egress

get switch acl ingress

get switch acl policer

get switch acl prelookup

get switch acl service custom

get switch acl settings

get switch acl usage

Variable

Description

counters {all | egress | ingress | prelookup}

Display information about all ACL policies, egress ACL policies, ingress ACL policies, or lookup ACL policies.

egress

Display information about the ACL policy for the egress stage.

ingress

Display information about the ACL policy for the ingress stage.

policer

List which ACL policers are available for different types of traffic.

prelookup

Display information about the ACL policy for the lookup stage.

service custom

Display a list of preconfigured service entries.

settings

Display the global ACL settings for the FortiSwitch unit.

usage

Display how much of the available resources are used by ACLs.

Example output

S524DF4K15000024 # get switch acl policer
== [ 1 ]
id: 1   description: policer1

S524DF4K15000024 # get switch acl settings
density-mode        : disable
trunk-load-balance  : enable

S524DF4K15000024 # get switch acl usage
Device    RULES          COUNTERS       POLICERS       STAGE
          (total/free)   (total/free)   (total/free)
________________________________________________________________
0         2048  /2023    4096  /4071    4096  /4096    ingress
0         512   /511     1024  /1024    768   /768     egress
0         768   /767     0     /0       0     /0       prelookup

S524DF4K15000024 # get switch acl counters ingress
ingress:
ID     Packets                Bytes           description
___________________________________________________________
0001 0                    0                    cnt_n_mirror13
0002 0                    0                    cnt_n_mirror31
0003 0                    0                    cnt_n_mirror41

get switch dhcp-snooping

Use these commands to display more information about the IPv4 or IPv6 DHCP-snooping databases.

Syntax

get switch dhcp-snooping allowed-server-list

get switch dhcp-snooping client-db-details

get switch dhcp-snooping client6-db-details

get switch dhcp-snooping database-summary

get switch dhcp-snooping limit-db-details

get switch dhcp-snooping server-db-details

get switch dhcp-snooping server6-db-details

get switch dhcp-snooping status

Variable

Description

allowed-server-list

Display the allowed DHCP server list.

client-db-details

Display details about the IPv4 DHCP-snooping client database.

client6-db-details

Display details about the IPv6 DHCP-snooping client database.

database-summary

List the number of VLANs with various features enabled, list trusted and untrusted ports, and report how much of the databases are used.

limit-db-details

Display details about the DHCP-snooping lease-count database.

server-db-details

Display details about the IPv4 DHCP-snooping server database.

If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.

server6-db-details

Display details about the IPv6 DHCP-snooping server database.

If the dhcp-server-access-list is enabled globally and the server is configured for the dhcp-server-access-list, the svr-list column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.

status

Display details about the DHCP-snooping client and server database.

Example output

S548DF5018000776 # get switch dhcp-snooping allowed-server-list
vlan             ip
10          xxx.x.x.x

FS1D243Z14000027 # get switch dhcp-snooping client-db-details
       mac        vlan     ip     lease(sec) expiry(sec) interface hostname  domainname vendor server-ip
00:01:00:00:00:01 100 xxx.x.x.xxx   86400       86398      port3
00:03:00:00:00:03 100 xxx.x.x.x     86400       86394      port5
00:03:00:00:00:04 100 xxx.x.x.x     86400       86394      port5

FS1D243Z14000027 # get switch dhcp-snooping server-db-details
   mac           vlan   ip  interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 xxx.x.x.x port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09  7/5/0/0
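
When this output is reviewed for unexpected DHCP servers, the status and svr-list columns are the ones to check. The Python example below is added here and is not Fortinet code: the sample rows are constructed in the layout shown above (documentation addresses, and an `untrusted` status value assumed as the counterpart of `trusted`), and all function names are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout shown above. The addresses, the second and
# third rows, and the "untrusted" status value are assumptions for illustration.
SAMPLE = """\
FS1D243Z14000027 # get switch dhcp-snooping server-db-details
   mac           vlan   ip  interface status svr-list last-seen-time expiry-time OFFER/ACK/NAK/OTHER
00:11:01:00:00:01 10 192.0.2.1 port1 trusted allowed 2018-09-11 11:21:09 2018-09-12 11:21:09  7/5/0/0
00:11:01:00:00:02 10 192.0.2.66 port7 untrusted blocked 2018-09-11 11:25:40 2018-09-12 11:25:40  3/0/0/0
00:11:01:00:00:03 20 192.0.2.129 port2 trusted blocked 2018-09-11 11:30:02 2018-09-12 11:30:02  1/1/0/0
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# One data row; the two timestamps contain a space, so they are matched explicitly.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\d+)\s+(?P<ip>\S+)\s+"
    r"(?P<interface>\S+)\s+(?P<status>\S+)\s+(?P<svr_list>\S+)\s+"
    rf"(?P<last_seen>{STAMP})\s+(?P<expiry>{STAMP})\s+"
    r"(?P<offer>\d+)/(?P<ack>\d+)/(?P<nak>\d+)/(?P<other>\d+)$",
    re.IGNORECASE,
)


class DhcpServer(NamedTuple):
    mac: str
    vlan: int
    ip: str          # kept as text so masked addresses such as xxx.x.x.x still parse
    interface: str
    status: str      # "trusted" in the page's example
    svr_list: str    # "allowed" or "blocked" per the description above
    last_seen: str
    acks: int        # second value of the OFFER/ACK/NAK/OTHER column


def parse_server_db(text):
    """Return one DhcpServer per data row; prompt and header lines are skipped."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            servers.append(DhcpServer(
                m["mac"].lower(), int(m["vlan"]), m["ip"], m["interface"],
                m["status"].lower(), m["svr_list"].lower(),
                m["last_seen"], int(m["ack"]),
            ))
    return servers


def audit(servers):
    """Return (server, reasons) for every server that needs review."""
    findings = []
    for s in servers:
        reasons = []
        if s.svr_list == "blocked":
            reasons.append("not configured in the dhcp-server-access-list")
        if s.status != "trusted":
            reasons.append(f"seen on {s.interface}, which is not a trusted port")
        if reasons and s.acks:
            reasons.append(f"ACK counter is {s.acks}")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for server, reasons in audit(parse_server_db(SAMPLE)):
        print(f"{server.mac} vlan {server.vlan} {server.ip}: " + "; ".join(reasons))
```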

get switch flapguard settings

Use this command to display the flap guard settings.

Syntax

get switch flapguard settings

Example output

S524DF4K15000024 # get switch flapguard settings
			
flap-duration       : 30
flap-rate           : 5
status              : disable

get switch global

Use this command to get information about the global settings of your FortiSwitch unit.

Syntax

get switch global

Example output

S524DF4K15000024 # get switch global
name                : (null)
mac-aging-interval  : 150
poe-alarm-threshold : 40
poe-power-mode      : first-come-first-served
poe-guard-band      : 10
ip-mac-binding      : enable
dmi-global-all      : enable
poe-pre-standard-detect: enable
poe-power-budget    : 200
trunk-hash-mode     : enhanced
trunk-hash-unkunicast-src-dst: enable
auto-fortilink-discovery: enable
auto-isl            : enable
mclag-peer-info-timeout: 300
auto-isl-port-group : 0
max-path-in-ecmp-group: 4
virtual-wire-tpid   : 0xdee5
loop-guard-tx-interval: 15
dhcp-snooping-database-export: enable
forti-trunk-dmac    : 02:80:c2:00:00:02
port-security:
link-down-auth      : set-unauth
reauth-period       : 60
max-reauth-attempt  : 2

get switch igmp-snooping

Use this command to get the IGMP-snooping settings of your FortiSwitch unit.

Syntax

get switch igmp-snooping {globals | group | static-group | status}

Variable

Description

globals

Display the global IGMP-snooping configuration on the FortiSwitch unit.

group

Display a list of learned multicast groups.

static-group

Display the list of configured static groups.

status

Display the status of IGMP-snooping VLANs and groups.

Example output

S524DF4K15000024 # get switch igmp-snooping globals
aging-time : 300
leave-response-timeout: 10
query-interval : 120

FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---

FS1D243Z13000023 # get switch igmp-snooping static-group

VLAN ID Group-Name     Multicast-addr  Member-interface
_______ ______________ _______________ _________________________
11      g239-1         239:1:1:1       port6 trunk-2
11      g239-11        239:2:2:11      port26 port48 trunk-2
40      g239-1         239:1:1:1       port5 port25 trunk-2
40      g239-2         239:2:2:2       port25 port26

S524DF4K15000048 # get switch igmp-snooping status

IGMP-SNOOPING enabled vlans:
-------------------------------
100

IGMP-Proxy enabled vlans:
-------------------------------

Max multicast snooping groups 1022

Total IGMP groups 0 (Learned 0, Static 0)
Total MLD groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch interface

Use this command to get information about the interfaces, including the class of service (CoS) value, whether sFlow is enabled on the interface, and whether dynamically learned MAC addresses are persistent on the interface.

Syntax

get switch interface

Example output

S524DF4K15000024 # get switch interface
			
== [ port1 ]
name: port1    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
== [ port2 ]
name: port2    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
== [ port3 ]
name: port3    sflow-sampler: disabled    port-security:
default-cos: 0   sticky-mac: disable
...

get switch ip-mac-binding

Use this command to get information about IP MAC binding.

Syntax

get switch ip-mac-binding

Example output

get switch ip-mac-binding
			
== [ 1 ]
seq-num: 1

get switch ip-source-guard

Use this command to get information about the IP source-guard entries.

Syntax

get switch ip-source-guard

get switch ip-source-guard-violations

Use these commands to get source-guard violations.

Syntax

get switch ip-source-guard-violations all

get switch ip-source-guard-violations interface <interface_name>

Variable

Description

all

Display all source-guard violations.

interface <interface_name>

Display source-guard violations for the specified interface.

get switch lldp

Use this command to get information about LLDP.

Syntax

get switch lldp {auto-isl-status | neighbors-detail <physical port name> | neighbors-summary | profile | settings | stats}

Variable

Description

auto-isl-status

Display statistics and status for the automatic ISL configuration.

neighbors-detail <physical port name>

Display details about a specific LLDP port.

neighbors-summary

Display a summary of LLDP neighbors.

profile

Display the name of available LLDP profiles.

settings

Display whether LLDP is enabled globally, the number of tx-intervals before the local LLDP data expires, the frequency of LLDP PDU transmission, how often the FortiSwitch transmits the first four LLDP packets when a link comes up, and the primary management interface advertised in LLDP and CDP PDUs.

stats

Display the number of packets transmitted, received, and discarded; the number of neighbors added, deleted, and expired; and the number of unknown TLVs.

Example output

S524DF4K15000024 # get switch lldp profile
== [ default ]
name: default    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy
== [ default-auto-isl ]
name: default-auto-isl    802.1-tlvs:    802.3-tlvs:    med-tlvs:
== [ 1 ]
name: 1    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy
== [ Forti670i ]
name: Forti670i    802.1-tlvs:    802.3-tlvs:    med-tlvs: inventory-management network-policy

S524DF4K15000024 # get switch lldp settings
status              : enable
tx-hold             : 8
tx-interval         : 2000
fast-start-interval : 3
management-interface: internal

get switch mac-limit-violations

Use this command to see the first MAC address that exceeded the learning limit for an interface or VLAN.

To enable the learning limit violation log for a FortiSwitch unit, see config switch global.

Syntax

get switch mac-limit-violations {all | interface <interface_name> | vlan <VLAN_ID>}

Variable

Description

all

Display the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.

interface <interface_name>

Display the first MAC address that exceeded the learning limit on a specific interface.

vlan <VLAN_ID>

Display the first MAC address that exceeded the learning limit on a specific VLAN.

Example output

S524DF4K16000028 # get switch mac-limit-violations all
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20
port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44

S524DF4K16000028 # get switch mac-limit-violations interface port3
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20

S524DF4K16000028 # get switch mac-limit-violations vlan 9			
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44
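
The asterisk convention described above can be decoded when this output is collected from many switches. The Python parser below is an added example, not Fortinet code; the sample is the example output shown above, and the function and field names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Sample text copied from the example output above.
SAMPLE = """\
S524DF4K16000028 # get switch mac-limit-violations all
Port            VLAN ID         MAC Address              Timestamp
----------------------------------------------------------------------------------
port3*          5               00:00:01:00:00:01        2017-12-05 15:55:20
port15          9*              0a:c1:08:bf:cc:80        2017-12-05 15:55:44
"""

# One data row: port[*]  vlan[*]  mac  "YYYY-MM-DD HH:MM:SS"
ROW = re.compile(
    r"^(?P<port>[^\s*]+)(?P<port_star>\*?)\s+"
    r"(?P<vlan>\d+)(?P<vlan_star>\*?)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)


@dataclass(frozen=True)
class Violation:
    port: str
    vlan: int
    mac: str
    seen: datetime
    limit: str  # "interface", "vlan", "both" or "unmarked"


def parse_violations(text):
    """Return a Violation per data row; prompt, header and rule lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        on_port, on_vlan = bool(m["port_star"]), bool(m["vlan_star"])
        if on_port and on_vlan:
            limit = "both"
        elif on_port:
            limit = "interface"   # asterisk by the interface name
        elif on_vlan:
            limit = "vlan"        # asterisk by the VLAN identifier
        else:
            limit = "unmarked"    # row without an asterisk; kept for review
        found.append(Violation(
            port=m["port"],
            vlan=int(m["vlan"]),
            mac=m["mac"].lower(),
            seen=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            limit=limit,
        ))
    return found


def count_by_limit(violations):
    """Count violations per exceeded limit type."""
    return Counter(v.limit for v in violations)


if __name__ == "__main__":
    for v in parse_violations(SAMPLE):
        print(f"{v.seen:%Y-%m-%d %H:%M:%S} {v.port} vlan {v.vlan} {v.mac}: "
              f"{v.limit} learning limit exceeded")
```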

get switch mirror status

Use this command to get information about the ERSPAN-auto mirror sessions of your FortiSwitch unit. To configure a packet mirror, see config switch mirror.

Syntax

get switch mirror status <session>

Example output

# get switch mirror status flink.sniffer

flink.sniffer
Mode : ERSPAN-auto
Status : Inactive
Source-Ports:
Ingress: port2, port3
Egress : port8, port9
Used-by-ACLs : False
Auto-config-state : N/A
Last-update : never
Issues : None
Collector-IP : 0.0.0.0
Source-IP : N/A
Source-MAC : N/A
Next-Hop :
IP : N/A
MAC : N/A
Via-System-Interface : N/A
VLAN : N/A
Via-Switch-Interface : N/A

get switch mld-snooping

Use this command to get the MLD-snooping settings of your FortiSwitch unit.

Syntax

get switch mld-snooping {globals | group | static-group | status}

Variable

Description

globals

Display the global MLD-snooping configuration on the FortiSwitch unit.

group

Display a list of learned multicast groups.

static-group

Display the list of configured static groups.

status

Display the status of MLD-snooping VLANs and groups.

Example output

S548DF5018000776 # get switch mld-snooping globals

aging-time : 300
leave-response-timeout: 10
query-interval : 125

S548DF5018000776 # get switch mld-snooping group

MLD-SNOOPING mcast-groups:
Max Entries: 1022

port VLAN GROUP Age-timeout MLD-Version

Total Number of Learned MLD groups: 0

S548DF5018000776 # get switch mld-snooping static-group

VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________

S548DF5018000776 # get switch mld-snooping status

MLD-SNOOPING enabled vlans:
-------------------------------
40

MLD-Proxy enabled vlans:
-------------------------------
40

Max multicast snooping groups 1022

Total MLD groups 0 (Learned 0, Static 0)
Total IGMP groups 0 (Learned 0, Static 0)

Remaining allowed mcast snooping groups: 1022

get switch modules

Use this command to get information about the modules in your FortiSwitch unit.

Syntax

get switch modules {detail | limits | status | summary} [<port>]

Variable

Description

detail [<port>]

Display module details for a specific port, split port, or all available ports.

limits [<port>]

Display module limits for a specific port, split port, or all available ports.

status [<port>]

Display module status for a specific port, split port, or all available ports.

summary [<port>]

Display summary information of all modules for a specific port or all available ports and split ports.

Example output

FS108D3W14000720 # get switch modules detail port10
____________________________________________________________
Port(port10)
identifier SFP/SFP+
connector Unk (0x00)
transceiver 1000-Base-T
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable 100 meter
SFP Specific
length_smf_100m N/A
length_50um_om2 N/A
length_62um_om1 N/A
length_50um_om3 N/A
vendor FINISAR CORP.
vendor_oid 0x009065
vendor_pn FCLF-8521-3
vendor_rev A
vendor_sn PBR1X35
manuf_date 06/20/2007

FS1E48T419000036 # get switch modules status port51.2
___________________________________________________________
Port(port51.2)
temperature 23.777344 C
voltage 3.303100 volts
alarm_flags 0x0000
warning_flags 0x0000
laser_bias 0.758000 mAmps
tx_power -2.379219 dBm
rx_power -2.201871 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x0008 ( TX_POWER_LEVEL1 )

get switch network-monitor

Use this command to get information about network monitoring on the FortiSwitch unit.

Syntax

get switch network-monitor {directed | settings}

Variable

Description

directed

List the static entries for network monitoring on the switch.

settings

Display the global settings for network monitoring on the switch.

Example output

S524DF4K15000024 # get switch network-monitor directed
== [ 1 ]
id: 1

S524DF4K15000024 # get switch network-monitor settings
db-aging-interval   : 3600
status              : disable
survey-mode         : disable
survey-mode-interval: 120

get switch mrp

Use these commands to get information about the Media Redundancy Protocol (MRP) configuration.

Syntax

get switch mrp {profile | settings}

Variable

Description

profile

List the available MRP profiles.

settings

Display the MRP settings.

Example output

SR24DN4416000049 # get switch mrp profile 
== [ 500ms ]
name: 500ms    
== [ MRPprofile1 ]
name: MRPprofile1

SR24DN4416000049 # get switch mrp settings
status              : disable 
role                : client 
domain-id           : FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF 
domain-name         : domain1 
vlan-id             : 1
priority            : 40960
ring-port1          : (null)
ring-port2          : (null)
profile-name        : 500ms

get switch phy-mode

Use this command to find out which split ports have been configured. To configure split ports, see config switch phy-mode.

Syntax

get switch phy-mode

Example output

S524DF4K15000024 # get switch phy-mode
port29-phy-mode     : 1x40G
port30-phy-mode     : 1x40G

get switch physical-port

Use this command to get information about the physical ports of your FortiSwitch unit. To configure physical ports, see config switch physical-port.

Syntax

get switch physical-port

Example output

S524DF4K15000024 # get switch physical-port
== [ port1 ]
name: port1    egress-drop-mode: enabled    link-status: down   status: up
== [ port2 ]
name: port2    egress-drop-mode: enabled    link-status: down   status: up
== [ port3 ]
name: port3    egress-drop-mode: enabled    link-status: down   status: up
...

get switch poe inline

Use this command to get information about the system’s power over Ethernet (PoE) functions.

Syntax

get switch poe inline

Example output

S524DF4K15000024 # get switch poe inline
			
Unit Power Budget: 10.00W
Unit Guard Band: 10.00W
Unit Power Consumption: 0.00W
Unit Poe Power Mode : First come first served based.

Interface   Status    State         Max-Power(W)   Power-consumption(W)Class Error
----------------------------------------------------------------------------------
port1       Enabled   Searching         0.00           0.00                   0
port2       Enabled   Searching         0.00           0.00                   0
port3       Enabled   Searching         0.00           0.00                   0
port4       Enabled   Searching         0.00           0.00                   0
port5       Enabled   Searching         0.00           0.00                   0
port6       Enabled   Searching         0.00           0.00                   0
port7       Enabled   Searching         0.00           0.00                   0
port8       Enabled   Searching         0.00           0.00                   0
port9       Enabled   Searching         0.00           0.00                   0
port10      Enabled   Searching         0.00           0.00                   0
port11      Enabled   Searching         0.00           0.00                   0
port12      Enabled   Searching         0.00           0.00                   0
port13      Enabled   Searching         0.00           0.00                   0
port14      Enabled   Searching         0.00           0.00                   0
port15      Enabled   Searching         0.00           0.00                   0
port16      Enabled   Searching         0.00           0.00                   0
port17      Enabled   Searching         0.00           0.00                   0
port18      Enabled   Searching         0.00           0.00                   0
port19      Enabled   Searching         0.00           0.00                   0
port20      Enabled   Searching         0.00           0.00                   0
port21      Enabled   Searching         0.00           0.00                   0
port22      Enabled   Searching         0.00           0.00                   0
port23      Enabled   Searching         0.00           0.00                   0
port24      Enabled   Searching         0.00           0.00                   0

get switch qos

Use this command to get information about the QoS configuration.

Syntax

get switch qos {dot1p-map | ip-dscp-map | qos-policy}

Variable

Description

dot1p-map

List the available dot1p maps, as well as the CoS values.

ip-dscp-map

List the available DSCP maps.

qos-policy

List the available QoS policies.

Example output

S524DF4K15000024 # get switch qos dot1p-map
== [ test1 ]
name: test1    priority-0: queue-2    priority-1: queue-0    priority-2: queue-1    priority-3: queue-3    priority-4: queue-4    priority-5: queue-5    priority-6: queue-6    priority-7: queue-7

S524DF4K15000024 # get switch qos ip-dscp-map
== [ m1 ]
name: m1
				
S524DF4K15000024 # get switch qos qos-policy
== [ default ]
name: default
== [ policy1 ]
name: policy1

get switch raguard-policy

Use the following command to list the available IPv6 RA-guard policies. To create an IPv6 RA-guard policy, see config switch raguard-policy.

Syntax

get switch raguard-policy

Example output

S524DF4K15000024 # get switch raguard-policy
== [ RApolicy1 ]
name: RApolicy1

get switch security-feature

Use this command to display the security-feature settings. To configure security checks for incoming TCP/UDP packets, see config switch security-feature.

Syntax

get switch security-feature

Example output

S524DF4K15000024 # get switch security-feature
sip-eq-dip          : enable
tcp-flag            : enable
tcp-port-eq         : enable
tcp-flag-FUP        : enable
tcp-flag-SF         : enable
v4-first-frag       : enable
udp-port-eq         : enable
tcp-hdr-partial     : enable
macsa-eq-macda      : enable
allow-mcast-sa      : enable
allow-sa-mac-all-zero: enable

get switch static-mac

Use this command to display the static MAC addresses.

Syntax

get switch static-mac

Example output

S524DF4K15000024 # get switch static-mac
			
== [ 1 ]
seq-num: 1   interface: port5    mac: 00:21:cc:d2:76:72   vlan-id: 35

get switch storm-control

Use this command to display storm control settings on your FortiSwitch unit. To configure storm control, see config switch storm-control.

Syntax

get switch storm-control

Example output

S524DF4K15000024 # get switch storm-control
			
broadcast           : enable
rate                : 1000
unknown-multicast   : enable
unknown-unicast     : enable

get switch stp instance

Use this command to get information about STP instances on your FortiSwitch unit. To configure an STP instance, see config switch stp instance.

Syntax

get switch stp instance

Example output

# get switch stp instance
== [ 0 ]
id: 0
== [ 1 ]
id: 1

get switch stp settings

Use this command to get information about STP settings on your FortiSwitch unit. To configure STP settings, see config switch stp settings.

Syntax

get switch stp settings

Example output

S524DF4K15000024 # get switch stp settings
			
forward-time        : 15
hello-time          : 5
max-age             : 20
max-hops            : 20
name                : region1
revision            : 1
status              : enable

get switch trunk

Use this command to get information about which trunks on the FortiSwitch unit have been configured for link aggregation. To configure link aggregation, see config switch trunk.

Syntax

get switch trunk

Example output

# get switch trunk
== [ 1 ]
name: 1 members:
== [ port3 ]
member-name: port3
== [ port10 ]
member-name: port10
== [ port1 ]
member-name: port1

get switch virtual-wire

Virtual wire allows you to forward traffic between two ports with minimal filtering or packet modifications. To configure a virtual wire, see config switch virtual-wire.

Syntax

get switch virtual-wire

Example output

S524DF4K15000024 # get switch virtual-wire
			
== [ 1 ]
name: 1

get switch vlan

Use this command to get information about VLANs on the FortiSwitch unit. To configure a VLAN, see config switch vlan.

Syntax

get switch vlan

Example output

# get switch vlan
== [ 1 ]
id: 1 private-vlan-type: primary isolated-vlan: 2 community-vlans: 3
== [ 2 ]
id: 2 private-vlan-type: isolated sub-VLAN primary-vlan: 1
== [ 3 ]
id: 3 private-vlan-type: community sub-VLAN primary-vlan: 1

get system accprofile

Use this command to view a list of all the system administration access groups. To add an access profile group, see config system accprofile.

Syntax

get system accprofile

Example output

S524DF4K15000024 # get system accprofile
			
== [ prof_admin ]
name: prof_admin
== [ profile1 ]
name: profile1

get system admin list

Use this command to view a list of all the current administration sessions.

Syntax

get system admin list

Example output

# get system admin list

username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29

Variable   Description
username   Name of the admin account for this session.
local      The protocol this session used to connect to the system.
device     The interface, IP address, and port used by this session to connect to the system.
remote     The IP address and port used by the originating computer to connect to the system.
started    The time the current session started.
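The session table above can be reviewed automatically. The following is an added example, not part of the Fortinet documentation: it parses the columns described in the table and flags sessions from sources outside an allowlist. The allowlist, the permitted protocols, and the per-user session limit are assumptions chosen for illustration.

```python
"""Flag administrative sessions that come from unexpected sources."""
import ipaddress
from collections import Counter

# Constructed sample: the session rows from the example output on this page.
SAMPLE_OUTPUT = """\
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29
"""

# Assumptions for this example, not values taken from the page.
ALLOWED_SOURCES = [ipaddress.ip_network("172.20.120.16/32")]
ALLOWED_PROTOCOLS = {"sshv2", "https"}
MAX_SESSIONS_PER_USER = 2


def parse_sessions(text):
    """Return one dict per session row; header and malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "username":
            continue
        user, proto, device, remote, date, clock = fields
        iface, local = device.split(":", 1)        # "port1", "ip:port"
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        sessions.append({
            "username": user, "protocol": proto, "interface": iface,
            "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": int(remote_port),
            "started": f"{date} {clock}",
        })
    return sessions


def review(sessions):
    """Return (username, remote_ip, reason) tuples for sessions worth a look."""
    findings = []
    for s in sessions:
        try:
            addr = ipaddress.ip_address(s["remote_ip"])
            known = any(addr in net for net in ALLOWED_SOURCES)
        except ValueError:                          # unparsable address
            known = False
        if not known:
            findings.append((s["username"], s["remote_ip"], "source not in allowlist"))
        if s["protocol"] not in ALLOWED_PROTOCOLS:
            findings.append((s["username"], s["remote_ip"],
                             "protocol " + s["protocol"]))
    for user, count in Counter(s["username"] for s in sessions).items():
        if count > MAX_SESSIONS_PER_USER:
            findings.append((user, "-", f"{count} concurrent sessions"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_sessions(SAMPLE_OUTPUT)):
        print(*finding, sep="  ")
```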

get system admin status

Use this command to view the status of the currently logged in admin and their session. To configure an administrator account, see config system admin.

Syntax

get system admin status

Example Output

# get system admin status

username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

Variable        Description
username        Name of the admin account currently logged in.
login local     The protocol used to start the current session.
login device    The login information from the FortiSwitch including interface, IP address, and port number.
login remote    The computer the user is logging in from including the IP address and port number.
login vdom      The virtual domain the admin is currently logged into.
login started   The time the current session started.
current time    The current time of day on the system.

get system arp

Use this command to view the ARP table entries on the FortiSwitch unit. To manually add ARP table entries to the FortiSwitch unit, see config system arp-table.

Syntax

get system arp

Example output

S524DF4K15000024 # get system arp
			
Address           Age(min)   Hardware Addr      Interface
10.105.16.1       0          90:6c:ac:15:2f:94  mgmt
11.1.1.100        -          00:00:5e:00:01:05  vlan-8 (proxy)

get system arp-table

Use this command to view the ARP tables on the FortiSwitch unit.

Syntax

get system arp-table

Example output

# get system arp-table
== [ 1 ]
id: 1 interface: internal ip: 10.10.10.10 mac: 01:02:03:04:05:aa

get system bug-report

Use this command to get information about configuration related to bug reporting. To configure a custom email relay for sending problem reports to Fortinet customer support, see config system bug-report.

Syntax

get system bug-report

Example output

S524DF4K15000024 # get system bug-report
auth                : no
mailto              : fortiswitch@fortinet.com
password            : (null)
server              : fortinet.com
username            : bug_report
username-smtp       : bug_report

get system certificate

Use this command to display configuration related to central management service:

Syntax

get system certificate {ca | crl | local | ocsp | remote}

Variable   Description
ca         List available CA certificates.
crl        Display the certificate revocation lists available.
local      List available local keys and certificates.
ocsp       Display the OCSP (Online Certificate Status Protocol) server certificate, the action to take when the server is unavailable, and the URL to the OCSP server.
remote     List available remote certificates.

Example output

S524DF4K15000024 # get system certificate ca
== [ Fortinet_CA ]
name: Fortinet_CA
== [ Fortinet_CA2 ]
name: Fortinet_CA2
== [ Entrust_802.1x_CA ]
name: Entrust_802.1x_CA
== [ Entrust_802.1x_L1K_CA ]
name: Entrust_802.1x_L1K_CA
== [ Entrust_802.1x_G2_CA ]
name: Entrust_802.1x_G2_CA

S524DF4K15000024 # get system certificate crl
== [ 1 ]
name: 1

S524DF4K15000024 # get system certificate local
== [ Fortinet_Factory ]
name: Fortinet_Factory
== [ Fortinet_Firmware ]
name: Fortinet_Firmware
== [ Entrust_802.1x ]
name: Entrust_802.1x

S524DF4K15000024 # get system certificate ocsp
cert                : (null)
unavail-action      : revoke
url                 : (null)

S524DF4K15000024 # get system certificate remote
== [ 1 ]
name: 1

get system cmdb status

Use this command to view information about configuration management database (CMDB) on the FortiSwitch unit.

Syntax

get system cmdb status

Variable            Description
version             Version of the CMDB software.
owner id            Process identifier of the CMDB server daemon.
update index        The updated index shows how many changes have been made in the CMDB.
config checksum     The configuration file version used by FortiManager.
last request pid    The last process to access the CMDB.
last request type   Type of the last attempted access of the CMDB.
last request        The number of the last attempted access of the CMDB.

Example output

# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78

get system console

Use this command to get information about the console connection. To configure the console, see config system console.

Syntax

get system console

Example output

S524DF4K15000024 # get system console
baudrate            : 115200
mode                : line
output              : more

get system dns

Use this command to get information about the DNS settings. To configure DNS, see config system dns.

Syntax

get system dns

Example output

S524DF4K15000024 # get system dns
primary             : 208.91.112.53
secondary           : 208.91.112.52
domain              : (null)
ip6-primary         : ::
ip6-secondary       : ::
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable
source-ip           : 0.0.0.0

get system flow-export

Use this command to display the flow-export configuration. To configure flow export, see config system flow-export.

Syntax

get system flow-export

Example output

S524DF4K15000024 # get system flow-export 
aggregates:
collector-ip        : 0.0.0.0
collector-port      : 0
format              : ipfix 
identity            : 0x00000000
level               : ip 
max-export-pkt-size : 512
timeout-general     : 3600
timeout-icmp        : 300
timeout-max         : 604800
timeout-tcp         : 3600
timeout-tcp-fin     : 300
timeout-tcp-rst     : 120
timeout-udp         : 300
transport           : tcp 

get system flow-export-data

Use this command to display the flow-export data. To configure flow export, see config system flow-export.

Syntax

get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>

get system flow-export-data statistics

NOTE: Layer-2 flows for netflow 1 and netflow 5 are not supported. For the output of the get system flow-export-data statistics command, the Incompatible Type field displays how many flows are not exported because they are not supported.

Variable                                                                      Description
flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>       Display the specified number of records or all records of flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.
flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>   Display the specified number of records or all records of raw flow data for the specified IP address, subnet (class IP address and netmask), MAC address, or all.
statistics                                                                    Display the statistics for the flow data.

get system fsw-cloud

Use this command to display the configuration of the FortiSwitch Cloud. To configure the FortiSwitch Cloud, see config system fsw-cloud.

Syntax

get system fsw-cloud

Example output

S524DF4K15000024 # get system fsw-cloud
			
interval            : 15
name                : fortiswitch-dispatch.forticloud.com
port                : 443
status              : enable

get system fsw-cloud-mgr connection-info

Use this command to check your connections to the FortiSwitch Cloud.

Syntax

get system fsw-cloud-mgr connection-info

Example output

S1D243Z14000027 # get system fsw-cloud-mgr connection-info

Dispatch Service : IP= xx.xxx.xxx.xx
Access Service : IP= xx.xxx.xxx.xxx, Port= 443, Connected on: 2017-10-25 18:03:33
State-Machine : State= FSMGR_STATE_READY, Event= EV_READY_HBEAT_GOOD

Bootstrap Service : hostname= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com, Port= 8000
Bootstrap State : State= OK, api-ver= v1

SSL verify Code : ok
SSL Tunnel Uptime : Days: 0 Hours: 20 Mins: 5
SSL Tunnel stats : restart-count= 5, Reason= HTTP Response data error

Stats:
========
Switch Keep Alive Tx/Reply := 2408 / 2408
Manager Keep Alive Rx/Error := 2410 / 0

Socks Req Rx/Last Stream-ID := 10131 / 490
Reset Req Rx/last Stream-ID := 247 / 490
Goaway Req Rx := 0
Unknown Req Rx := 0

Syslog Tx/Err := 199 / 0

Used SOCKS stream-id:
=======================
SID SockFd State Description
___ ______ _____ _______________
5 0 DATA SYSLOG DATA

get system global

Use this command to get the global settings of your FortiSwitch unit. To configure global settings, see config system global.

Syntax

get system global

Example output

S524DF4K15000024 # get system global
802.1x-ca-certificate: Entrust_802.1x_CA
802.1x-certificate  : Entrust_802.1x
admin-concurrent    : enable
admin-https-pki-required: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-port          : 80
admin-scp           : disable
admin-server-cert   : Fortinet_Firmware
admin-sport         : 443
admin-ssh-grace-time: 120
admin-ssh-port      : 22
admin-ssh-v1        : disable
admin-telnet-port   : 23
admintimeout        : 5
allow-subnet-overlap: disable
asset-tag           : (null)
cfg-save            : automatic
csr-ca-attribute    : enable
daily-restart       : disable
detect-ip-conflict  : enable
dst                 : enable
gui-lines-per-page  : 50
hostname            : S524DF4K15000024
image-rotation      : disable
kernel-crashlog     : enable
language            : english
ldapconntimeout     : 500
radius-port         : 1812
refresh             : 0
remoteauthtimeout   : 5
revision-backup-on-logout: enable
revision-backup-on-upgrade: enable
strong-crypto       : disable
switch-mgmt-mode    : local
timezone            : (GMT-8:00)Pacific Time(US&Canada).
user-server-cert    : Fortinet_Factory
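Several of the settings in this output govern the management plane (TLS versions, SSH v1, lockout, idle timeout, strong-crypto). The following is an added example, not part of the Fortinet documentation: it parses the "name : value" lines and compares them with a baseline. The baseline values and the list of weak protocol tokens are assumptions chosen for illustration.

```python
"""Audit `get system global` output against a management-plane baseline."""

# Constructed sample: selected lines from the example output on this page.
SAMPLE_OUTPUT = """\
S524DF4K15000024 # get system global
802.1x-ca-certificate: Entrust_802.1x_CA
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-ssh-v1        : disable
admintimeout        : 5
strong-crypto       : disable
timezone            : (GMT-8:00)Pacific Time(US&Canada).
"""

# Assumption: protocol tokens treated as too old for the admin HTTPS service.
WEAK_TLS = {"sslv3", "tlsv1-0", "tlsv1-1"}


def _int_between(low, high):
    """Build a check that accepts integer values in [low, high]."""
    return lambda v: v.isdigit() and low <= int(v) <= high


# Assumed baseline for this example: (setting, check, requirement text).
BASELINE = [
    ("strong-crypto", lambda v: v == "enable", "must be enable"),
    ("admin-https-ssl-versions",
     lambda v: bool(v) and not (set(v.split()) & WEAK_TLS),
     "no protocol older than tlsv1-2"),
    ("admin-ssh-v1", lambda v: v == "disable", "must be disable"),
    ("admin-lockout-threshold", _int_between(1, 5), "between 1 and 5"),
    ("admin-lockout-duration", _int_between(60, 10**9), "at least 60"),
    ("admintimeout", _int_between(1, 10), "between 1 and 10"),
]


def parse_settings(text):
    """Turn 'name : value' lines into a dict, skipping the CLI prompt line."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or " # " in line:
            continue
        # Split on the first colon only: values such as the timezone
        # contain colons of their own.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (setting, observed value, requirement) for each failed check."""
    findings = []
    for key, check, requirement in BASELINE:
        value = settings.get(key)
        if value is None:
            findings.append((key, "<missing>", requirement))
        elif not check(value):
            findings.append((key, value, requirement))
    return findings


if __name__ == "__main__":
    for key, value, requirement in audit(parse_settings(SAMPLE_OUTPUT)):
        print(f"FAIL {key}: {value!r} ({requirement})")
```

A setting absent from the captured output is reported as missing rather than passed, so truncated output cannot hide a weak value.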

get system info admin ssh

Use this command to display information about the SSH configuration on the FortiSwitch unit such as:

  • the SSH port number
  • the interfaces with SSH enabled
  • the hostkey DSA fingerprint
  • the hostkey RSA fingerprint

Syntax

get system info admin ssh

Example output

# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
mgmt
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49

get system info admin status

Use this command to display administrators that are logged into the FortiSwitch unit.

Syntax

get system info admin status

Variable     Description
Index        The order the administrators logged in.
User name    The name of the user account logged in.
Login type   Which interface was used to log in.
From         The IP address this user logged in from.

Example output

Index  User name  Login type  From
0      admin      CLI         ssh(172.20.120.16)
1      admin      WEB         172.20.120.16

get system interface physical

Use this command to list information about the physical network interfaces.

Syntax

get system interface physical

Example output

S524DF4K15000024 # get system interface physical
			
== [onboard]
	==[internal]
		mode: static
		ip: 0.0.0.0 0.0.0.0
		ipv6: ::/0
		status: up
		speed: n/a (Duplex: n/a)
		rx : 0 bytes  0 packets
		tx : 8405158 bytes  160742 packets
	==[mgmt]
		mode: dhcp
		ip: 10.105.19.3 255.255.252.0
		ipv6: ::/0
		status: up
		speed: 1000Mbps (Duplex: full)
		rx : 11558117 bytes  85986 packets
		tx : 7048800 bytes  39380 packet

get system ipv6-neighbor-cache

Use this command to list information about the IPv6 neighbor cache table. To configure the IPv6 neighbor cache table, see config system ipv6-neighbor-cache.

Syntax

get system ipv6-neighbor-cache

get system link-monitor

Use this command to list information about the physical network interfaces. To configure the link health monitor, see config system link-monitor.

Syntax

get system link-monitor

get system location

Use this command to get information about the location table used by LLDP-MED for enhanced 911 emergency calls. To configure a location table, see config system location.

Syntax

get system location

Example output

S548DF5018000776 # get system location
== [ Fortinet ]
name: Fortinet

get system ntp

Use this command to get information about the NTP settings. To configure an NTP server, see config system ntp.

Syntax

get system ntp

Example output

ntpserver:
== [ 1 ]
id: 1
== [ 2 ]
id: 2
ntpsync : enable
source-ip : 0.0.0.0
syncinterval : 1

get system password-policy

Use this command to view the password policy. To create a password policy, see config system password-policy.

Syntax

get system password-policy

Example output

# get system password-policy
status : enable
apply-to : admin-password
minimum-length : 8
min-lower-case-letter: 2
min-upper-case-letter: 2
min-non-alphanumeric: 0
min-number : 2
change-4-characters : disable
expire-status : disable

get system performance firewall statistics

Use this command to display a list of traffic types (such as browsing, email, and DNS) and the number of packets and number of payload bytes accepted by the firewall for each type since the system was restarted.

Syntax

get system performance firewall statistics

Example output

get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes

get system performance status

Use this command to display FortiSwitch CPU usage, memory usage, network usage, sessions, virus, IPS attacks, and system up time.

Syntax

get system performance status

Example output

S524DF4K15000024 # get system performance status
			
CPU states: 0% user 16% system 0% nice 84% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 0 kbps in 30 minutes
Uptime: 0 days,  22 hours,  5 minutes

Variable                Description
CPU states              The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:
                          user - CPU usage of normal user-space processes
                          system - CPU usage of kernel
                          nice - CPU usage of user-space processes having other-than-normal running priority
                          idle - Idle CPU cycles
                        Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.
Memory states           The percentage of memory used.
Average network usage   The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.
Uptime                  How long since the system has been restarted.

get system performance top

Use this command to display the list of processes running on the system (similar to the Linux top command).

The following commands are available when get system performance top is running:

  • Press Q or Ctrl+C to quit.
  • Press P to sort the processes by the amount of CPU that the processes are using.
  • Press M to sort the processes by the amount of memory that the processes are using.

Syntax

get system performance top [<delay_int> [<max_lines_int>]]

Variable          Description
<delay_int>       The delay, in seconds, between updating the process list. The default is 5 seconds.
<max_lines_int>   The maximum number of processes displayed in the output. The default is 20 lines.

Example output

S524DF4K15000024 # get system performance top

Run Time:  0 days, 22 hours and 13 minutes
0U, 7S, 93I; 1978T, 1684F
newcli           3424      R <     0.1     0.4
pyfcgid           770      S       0.0     0.7
pyfcgid           898      S       0.0     0.7
pyfcgid           899      S       0.0     0.7
cmdbsvr           610      S       0.0     0.6
httpsd            771      S       0.0     0.6
httpsd           1998      S       0.0     0.5
httpsd            901      S       0.0     0.5
miglogd           773      S       0.0     0.5
initXXXXXXXXXXX     1      S       0.0     0.5
newcli           1040      S <     0.0     0.5
ipconflictd       799      S       0.0     0.5
httpsd            900      S       0.0     0.4
fsmgrd            806      S       0.0     0.4
lldpmedd          800      S       0.0     0.4
eap_proxy         804      S       0.0     0.4
authd             803      S       0.0     0.4
router_launcher   768      S       0.0     0.4
sshd              790      S       0.0     0.4
stpd              795      S       0.0     0.4

get system schedule group

Use this command to list available schedule groups for when an access control list (ACL) will be active. To configure a schedule group, see config system schedule group.

Syntax

get system schedule group

Example output

S548DF5018000776 # get system schedule group
== [ group1 ]
name: group1

get system schedule onetime

Use this command to list available one-time schedules for when an access control list (ACL) will be active. To configure a one-time schedule, see config system schedule onetime.

Syntax

get system schedule onetime

Example output

S548DF5018000776 # get system schedule onetime
== [ schedule1 ]
name: schedule1

get system schedule recurring

Use this command to list schedules for when an access control list (ACL) will be active every week. To configure a recurring schedule, see config system schedule recurring.

Syntax

get system schedule recurring

Example output

S548DF5018000776 # get system schedule recurring
== [ schedule2 ]
name: schedule2

get system settings

Use this command to get information about equal cost multi-path (ECMP) routing. To configure ECMP routing, see config system settings.

Syntax

get system settings

Example output

# get system settings
v4-ecmp-mode : source-ip-based

get system sflow

Use this command to display the sFlow settings. To configure sFlow, see config system sflow.

Syntax

get system sflow

Example output

S524DF4K15000024 # get system sflow
collector-ip        : 0.0.0.0
collector-port      : 6343

get system sniffer-profile capture

Use this command to display the packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.

Syntax

get system sniffer-profile capture <profile_name>

get system sniffer-profile summary

Use this command to display the status of all configured packet-capture profiles. To create a packet-capture profile, see config system sniffer-profile.

Syntax

get system sniffer-profile summary

Example output

S524DF4K15000024 # get system sniffer-profile summary

Maximum memory available for storing packet-capture: 100 MB.

Name | Status | Pkt-Count |Snap Len | Size (KB) | Filter
=========================================================================================
profile1 | Stop | No Capture | 100 | 0.00 | none

get system snmp sysinfo

Use this command to get information about your system’s SNMP settings. To configure the SNMP agent, see config system snmp sysinfo.

Syntax

get system snmp sysinfo

Example output

S524DF4K15000024 # get system snmp sysinfo
			
contact-info        : (null)
description         : (null)
engine-id           : (null)
location            : (null)
status              : disable
trap-high-cpu-threshold: 80
trap-log-full-threshold: 90
trap-low-memory-threshold: 80
trap-temp-alarm-threshold: 60
trap-temp-warning-threshold: 50

get system source-ip status

Use this command to list defined source IP addresses.

Syntax

get system source-ip status

Example output

# get sys source-ip status
The following services force their communication to use
a specific source IP address:

service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101

get system startup-error-log

Use this command to display information about system startup errors. This command only displays information if an error occurs when the system starts up.

Syntax

get system startup-error-log

get system status

Use this command to display FortiSwitch status information including:

  • firmware version, build number, and branch point
  • serial number
  • host name
  • system time and date and related settings

Syntax

get system status

Example output

S524DF4K15000024 # get system status
			
Version: FortiSwitch-524D-FPOE v3.6.2,build0382,170829 (GA)
Serial-Number: S524DF4K15000024
BIOS version: 04000013
System Part-Number: P18045-04
Burn in MAC: 08:5b:0e:f1:95:e4
Hostname: S524DF4K15000024
Distribution: International
Branch point: 382
System time: Tue Sep 12 16:16:40 2017

get test

Use this command to display information about applications on this FortiSwitch unit:

Syntax

get test {dnsproxy | fpmd | radiusd | sflowd | snmpd} <test_level_int>

Variable                                       Description
{dnsproxy | fpmd | radiusd | sflowd | snmpd}   Set the application to be tested.
                                               Tests can be run on the following applications:
                                                 • dnsproxy — DNS proxy
                                                 • fpmd — FPM daemon
                                                 • radiusd — RADIUS daemon
                                                 • sflowd — sFlow daemon
                                                 • snmpd — SNMP daemon
<test_level_int>                               Set the level for the test.

Example output

S524DF4K15000024 # get test fpmd 1
ROUTE_V4_ADD                  : 9
INTF_V4_ADDR_ADD              : 14
ROUTE_V4_MGMT_FWD_DISABLED    : 4
ROUTE_ADD_INVALID_FAMILY      : 3
ROUTE_ADD_INET127             : 1

S524DF4K15000024 # get test sflowd 1
cmf sflow collector:0.0.0.0:[6343]
sflowd collector:0.0.0.0:[6343]

get user group

Use this command to list all user groups. To add a user group, see config user group.

Syntax

get user group

Example output

S524DF4K15000024 # get user group
== [ group1 ]
name: group1
== [ radgroup ]
name: radgroup

get user ldap

Use this command to list LDAP users. To add an LDAP user, see config user ldap.

Syntax

get user ldap

get user local

Use this command to list local users. To add a local user, see config user local.

Syntax

get user local

Example output

S524DF4K15000024 # get user local
			
== [ user1 ]
name: user1

get user radius

Use this command to list RADIUS users. To add a RADIUS user, see config user radius.

Syntax

get user radius

Example output

S524DF4K15000024 # get user radius
			
== [ serve2 ]
name: serve2
== [ radone ]
name: radone

get user setting

Use this command to get information about all the system’s user settings.

Syntax

get user setting

Example output

S524DF4K15000024 # get user setting
			
auth-blackout-time  : 0
auth-cert           : (null)
auth-http-basic     : disable
auth-invalid-max    : 5
auth-multi-group    : enable
auth-ports:
	== [ 1 ]
	id: 1
auth-secure-http    : disable
auth-timeout        : 5
auth-timeout-type   : idle-timeout
auth-type           : http https ftp telnet

get user tacacs+

Use this command to get information about TACACS+ users.

Syntax

get user tacacs+

Example output

S524DF4K15000024 # get user tacacs+
			
== [ tacserver ]
name: tacserver