Discovering, authorizing, and deauthorizing FortiSwitch units

This section covers the following topics:

Editing a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click the FortiSwitch unit and then click Edit, or right-click the FortiSwitch unit and select Edit.

From the Edit Managed FortiSwitch form, you can:

  • Change the Name and Description of the FortiSwitch unit.
  • View the Status of the FortiSwitch unit.
  • Restart the FortiSwitch.
  • Authorize or deauthorize the FortiSwitch unit.
  • Update the firmware running on the switch.
  • Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-down action.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Deauthorizing FortiSwitch units

A device can be deauthorized to remove it from the Security Fabric.

To deauthorize a device:

  1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
  2. In the topology tree, click the device and select Deauthorize.

After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:

    show system csf
    config system csf
        set status enable
        set group-name "Office-Security-Fabric"
        set group-password ENC 1Z2X345V678
        config trusted-list
            edit "FGT6HD391806070"
            next
            edit "S248DF3X17000482"
                set action deny
            next
        end
    end
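The trusted list can be checked against your own records of which units should be deauthorized. The following is an added example, not Fortinet code: it parses saved show system csf output and compares the serial numbers marked deny with an expected list. The function names and the expected list are assumptions, and an entry with no action line is reported as None because this page does not state its default.

```python
import re

# Constructed sample: the `show system csf` output shown on this page.
SAMPLE = '''\
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
'''

def parse_trusted_list(text):
    """Return {serial: action or None} for entries under `config trusted-list`."""
    entries, depth, list_depth, serial = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config trusted-list":
                list_depth = depth
        elif line == "end":
            if depth == list_depth:
                list_depth = None
            depth -= 1
        elif list_depth is not None and depth == list_depth:
            m = re.fullmatch(r'edit "([^"]+)"', line)
            if m:
                serial = m.group(1)
                entries[serial] = None      # no action line seen yet
            elif line == "next":
                serial = None
            elif serial and line.startswith("set action "):
                entries[serial] = line.split()[2]
    return entries

def audit(text, expected_denied):
    """Compare denied serials in the trusted list against an expected set."""
    denied = {s for s, a in parse_trusted_list(text).items() if a == "deny"}
    return {"denied": sorted(denied),
            "missing_deny": sorted(set(expected_denied) - denied),
            "unexpected_deny": sorted(denied - set(expected_denied))}
```

Only the trusted-list block is read, so the group-password value never reaches the audit result.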

Converting to FortiSwitch standalone mode

Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>
    This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:
        execute switch-controller factory-reset S1234567890
  • execute switch-controller switch-action set-standalone <switch-id>
    This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:
        execute switch-controller set-standalone S1234567890

You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:

    config switch-controller global
        set disable-discovery <switch-id>
    end

For example:

    config switch-controller global
        set disable-discovery S1234567890
    end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:

    config switch-controller global
        append disable-discovery <switch-id>
        unselect disable-discovery <switch-id>
    end

For example:

    config switch-controller global
        append disable-discovery S012345678
        unselect disable-discovery S1234567890
    end
