Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

Both FortiSwitch units must be of the same model.
The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the FortiGate unit with the correct configuration.
The best way to replace a MCLAG FortiSwitch unit in FortiLink:

Back up the configuration of the failed FortiSwitch unit.
Restore the configuration to the replaced Fortiswitch unit while it is offline.
Enter the replace-device command in FortiOS.
Physically replace the failed FortiSwitch unit.

To replace a managed FortiSwitch unit:

Unplug the failed FortiSwitch unit.
Plug in the replacement FortiSwitch unit.
Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
Check the serial number of the replacement FortiSwitch unit.
From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
Select the faceplate of the failed FortiSwitch unit.
Select Deauthorize.
Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the FortiGate unit with the correct configuration.
If the failed FortiSwitch unit was part of a VDOM, enter the following commands:
config vdom

edit <VDOM_name>

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom

edit vdom_new

execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.
Authorize the replaced managed FortiSwitch unit.
Connect the rest of the cables required for the uplinks and downlinks for the MCLAG FortiSwitch units.

To rename the MCLAG-ICL trunk:

After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

Shut down the FortiLink interface on the FortiGate unit.
1. On the FortiGate unit, execute the show system interface command. For example:
  
  FG3K2D3Z17800156 # show system interface root-lag config system interface edit "root-lag" set vdom "root" set fortilink enable set ip 10.105.60.254 255.255.255.0 set allowaccess ping capwap set type aggregate set member "port45" "port48" config managed-device
2. Write down the member port information. In this example, port45 and port48 are the member ports.
3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:
  
  FG3K2D3Z17800156 # config system interface FG3K2D3Z17800156 (interface) # edit port48 FG3K2D3Z17800156 (port48) # set status down FG3K2D3Z17800156 (port48) # next // repeat for each member port FG3K2D3Z17800156 (interface) # edit port45 FG3K2D3Z17800156 (port45) # set status down FG3K2D3Z17800156 (port45) # end
4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:
  
  FG3K2D3Z17800156 # exec switch-controller get-conn-status Managed-devices in current vdom root: STACK-NAME: FortiSwitch-Stack-root-lag SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2 FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1
Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:
  
  icl-sw1 # show switch trunk config switch trunk ... edit "D483Z17000282-0" set mode lacp-active set auto-isl 1 set mclag-icl enable // look for this line set members "port27" "port28" // note the member ports next end
2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:
  
  icl-sw1 # show switch interface D483Z17000282-0 config switch interface edit "D483Z17000282-0" set native-vlan 4094 set allowed-vlans 1,100,2001-2060,4093 set dhcp-snooping trusted set stp-state disabled set edge-port disabled set igmps-flood-reports enable set igmps-flood-traffic enable set snmp-index 57 next end icl-sw1 # diag switch mclag icl D483Z17000282-0 icl-ports 27-28 egress-block-ports 3-4,7-12,47-48 interface-mac 70:4c:a5:86:6d:e5 lacp-serial-number FS1D483Z17000348 peer-mac 70:4c:a5:49:50:53 peer-serial-number FS1D483Z17000282 Local uptime 0 days 1h:49m:24s Peer uptime 0 days 1h:49m:17s MCLAG-STP-mac 70:4c:a5:49:50:52 keepalive interval 1 keepalive timeout 60 Counters received keepalive packets 4852 transmited keepalive packets 5293 received keepalive drop packets 20 receive keepalive miss 1 icl-sw1 # diagnose switch trunk sum D483Z17000282-0 Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________________________________ D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs
3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:
  
  icl-sw1 # config switch physical-port icl-sw1 (physical-port) # edit port27 icl-sw1 (port27) # set status down icl-sw1 (port27) # n // repeat for each ICL member port icl-sw1 (physical-port) # edit port28 icl-sw1 (port28) # set status down icl-sw1 (port28) # next icl-sw1 (physical-port) # end
4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:
  
  icl-sw1 # config switch trunk icl-sw1 (trunk) # delete D483Z17000282-0
5. Use the show switch trunk command to verify that the trunk is deleted.
6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:
  
  icl-sw1 # config switch trunk icl-sw1 (trunk) # edit MCLAG-ICL new entry 'MCLAG-ICL' added icl-sw1 (MCLAG-ICL) #set mode lacp-active icl-sw1 (MCLAG-ICL) #set members "port27" "port28" icl-sw1 (MCLAG-ICL) #set mclag-icl enable icl-sw1 (MCLAG-ICL) # end
7. Use the show switch trunk command to check the trunk configuration.
8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:
  
  icl-sw1 # config switch physical-port icl-sw1 (physical-port) # edit port27 icl-sw1 (port27) # set status up icl-sw1 (port27) # next // repeat for each trunk member port icl-sw1 (physical-port) # edit port28 icl-sw1 (port28) # set status up icl-sw1 (port28) # end
  
  NOTE: Follow steps 2a through 2h on both switches.
Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

FG3K2D3Z17800156 # config system interface FG3K2D3Z17800156 (interface) # edit port45 FG3K2D3Z17800156 (port45) # set status up FG3K2D3Z17800156 (port45) # next // repeat on all member ports FG3K2D3Z17800156 (interface) # edit port48 FG3K2D3Z17800156 (port48) # set status up FG3K2D3Z17800156 (port48) # next FG3K2D3Z17800156 (interface) # end
Check the configuration and status on both MCLAG-ICL switches
1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:
  icl-sw1 # show switch trunk config switch trunk <snip> edit "MCLAG-ICL" set mode lacp-active set mclag-icl enable set members "port27" "port28" next end icl-sw1 # show switch interface MCLAG-ICL config switch interface edit "MCLAG-ICL" set native-vlan 4094 set allowed-vlans 1,100,2001-2060,4093 set dhcp-snooping trusted set stp-state disabled set igmps-flood-reports enable set igmps-flood-traffic enable set snmp-index 56 next end icl-sw1 # diagnose switch mclag icl MCLAG-ICL icl-ports 27-28 egress-block-ports 3-4,7-12,47-48 interface-mac 70:4c:a5:86:6d:e5 lacp-serial-number FS1D483Z17000348 peer-mac 70:4c:a5:49:50:5 peer-serial-number FS1D483Z17000282 Local uptime 0 days 2h:11m:13s Peer uptime 0 days 2h:11m: 7s MCLAG-STP-mac 70:4c:a5:49:50:52 keepalive interval 1 keepalive timeout 60 Counters received keepalive packets 5838 transmited keepalive packets 6279 received keepalive drop packets 27 receive keepalive miss 1 icl-sw1 # diagnose switch trunk summary MCLAG-ICL Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________________________________ MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs
2. Compare the command results in step 4a with the command results in step 2b.

Replacing a managed FortiSwitch unit

NOTE:

Both FortiSwitch units must be of the same model.
The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the FortiGate unit with the correct configuration.
The best way to replace a MCLAG FortiSwitch unit in FortiLink:

Back up the configuration of the failed FortiSwitch unit.
Restore the configuration to the replaced Fortiswitch unit while it is offline.
Enter the replace-device command in FortiOS.
Physically replace the failed FortiSwitch unit.

To replace a managed FortiSwitch unit:

Unplug the failed FortiSwitch unit.
Plug in the replacement FortiSwitch unit.
Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
Check the serial number of the replacement FortiSwitch unit.
From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
Select the faceplate of the failed FortiSwitch unit.
Select Deauthorize.
Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the FortiGate unit with the correct configuration.
If the failed FortiSwitch unit was part of a VDOM, enter the following commands:
config vdom

edit <VDOM_name>

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom

edit vdom_new

execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.
Authorize the replaced managed FortiSwitch unit.
Connect the rest of the cables required for the uplinks and downlinks for the MCLAG FortiSwitch units.

To rename the MCLAG-ICL trunk:

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

Shut down the FortiLink interface on the FortiGate unit.
1. On the FortiGate unit, execute the show system interface command. For example:
  
  FG3K2D3Z17800156 # show system interface root-lag config system interface edit "root-lag" set vdom "root" set fortilink enable set ip 10.105.60.254 255.255.255.0 set allowaccess ping capwap set type aggregate set member "port45" "port48" config managed-device
2. Write down the member port information. In this example, port45 and port48 are the member ports.
3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:
  
  FG3K2D3Z17800156 # config system interface FG3K2D3Z17800156 (interface) # edit port48 FG3K2D3Z17800156 (port48) # set status down FG3K2D3Z17800156 (port48) # next // repeat for each member port FG3K2D3Z17800156 (interface) # edit port45 FG3K2D3Z17800156 (port45) # set status down FG3K2D3Z17800156 (port45) # end
4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:
  
  FG3K2D3Z17800156 # exec switch-controller get-conn-status Managed-devices in current vdom root: STACK-NAME: FortiSwitch-Stack-root-lag SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2 FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1
Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:
  
  icl-sw1 # show switch trunk config switch trunk ... edit "D483Z17000282-0" set mode lacp-active set auto-isl 1 set mclag-icl enable // look for this line set members "port27" "port28" // note the member ports next end
2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:
  
  icl-sw1 # show switch interface D483Z17000282-0 config switch interface edit "D483Z17000282-0" set native-vlan 4094 set allowed-vlans 1,100,2001-2060,4093 set dhcp-snooping trusted set stp-state disabled set edge-port disabled set igmps-flood-reports enable set igmps-flood-traffic enable set snmp-index 57 next end icl-sw1 # diag switch mclag icl D483Z17000282-0 icl-ports 27-28 egress-block-ports 3-4,7-12,47-48 interface-mac 70:4c:a5:86:6d:e5 lacp-serial-number FS1D483Z17000348 peer-mac 70:4c:a5:49:50:53 peer-serial-number FS1D483Z17000282 Local uptime 0 days 1h:49m:24s Peer uptime 0 days 1h:49m:17s MCLAG-STP-mac 70:4c:a5:49:50:52 keepalive interval 1 keepalive timeout 60 Counters received keepalive packets 4852 transmited keepalive packets 5293 received keepalive drop packets 20 receive keepalive miss 1 icl-sw1 # diagnose switch trunk sum D483Z17000282-0 Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________________________________ D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs
3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:
  
  icl-sw1 # config switch physical-port icl-sw1 (physical-port) # edit port27 icl-sw1 (port27) # set status down icl-sw1 (port27) # n // repeat for each ICL member port icl-sw1 (physical-port) # edit port28 icl-sw1 (port28) # set status down icl-sw1 (port28) # next icl-sw1 (physical-port) # end
4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:
  
  icl-sw1 # config switch trunk icl-sw1 (trunk) # delete D483Z17000282-0
5. Use the show switch trunk command to verify that the trunk is deleted.
6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:
  
  icl-sw1 # config switch trunk icl-sw1 (trunk) # edit MCLAG-ICL new entry 'MCLAG-ICL' added icl-sw1 (MCLAG-ICL) #set mode lacp-active icl-sw1 (MCLAG-ICL) #set members "port27" "port28" icl-sw1 (MCLAG-ICL) #set mclag-icl enable icl-sw1 (MCLAG-ICL) # end
7. Use the show switch trunk command to check the trunk configuration.
8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:
  
  icl-sw1 # config switch physical-port icl-sw1 (physical-port) # edit port27 icl-sw1 (port27) # set status up icl-sw1 (port27) # next // repeat for each trunk member port icl-sw1 (physical-port) # edit port28 icl-sw1 (port28) # set status up icl-sw1 (port28) # end
  
  NOTE: Follow steps 2a through 2h on both switches.
Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

FG3K2D3Z17800156 # config system interface FG3K2D3Z17800156 (interface) # edit port45 FG3K2D3Z17800156 (port45) # set status up FG3K2D3Z17800156 (port45) # next // repeat on all member ports FG3K2D3Z17800156 (interface) # edit port48 FG3K2D3Z17800156 (port48) # set status up FG3K2D3Z17800156 (port48) # next FG3K2D3Z17800156 (interface) # end
Check the configuration and status on both MCLAG-ICL switches
1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:
  icl-sw1 # show switch trunk config switch trunk <snip> edit "MCLAG-ICL" set mode lacp-active set mclag-icl enable set members "port27" "port28" next end icl-sw1 # show switch interface MCLAG-ICL config switch interface edit "MCLAG-ICL" set native-vlan 4094 set allowed-vlans 1,100,2001-2060,4093 set dhcp-snooping trusted set stp-state disabled set igmps-flood-reports enable set igmps-flood-traffic enable set snmp-index 56 next end icl-sw1 # diagnose switch mclag icl MCLAG-ICL icl-ports 27-28 egress-block-ports 3-4,7-12,47-48 interface-mac 70:4c:a5:86:6d:e5 lacp-serial-number FS1D483Z17000348 peer-mac 70:4c:a5:49:50:5 peer-serial-number FS1D483Z17000282 Local uptime 0 days 2h:11m:13s Peer uptime 0 days 2h:11m: 7s MCLAG-STP-mac 70:4c:a5:49:50:52 keepalive interval 1 keepalive timeout 60 Counters received keepalive packets 5838 transmited keepalive packets 6279 received keepalive drop packets 27 receive keepalive miss 1 icl-sw1 # diagnose switch trunk summary MCLAG-ICL Trunk Name Mode PSC MAC Status Up Time ________________ _________________________ ___________ _________________ ___________ _________________________________ MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs
2. Compare the command results in step 4a with the command results in step 2b.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Devices Managed by FortiOS

Replacing a managed FortiSwitch unit

Replacing a managed FortiSwitch unit

To replace a managed FortiSwitch unit:

To rename the MCLAG-ICL trunk:

Replacing a managed FortiSwitch unit

Replacing a managed FortiSwitch unit

To replace a managed FortiSwitch unit:

To rename the MCLAG-ICL trunk: