Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.0.3 Administration Guide
    7.0.3
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Flap guard

    Flap guard

    A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols such as STP. If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents unwanted access to the physical ports.

    The port flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts down the port if necessary. You can manually reset the port and restore it to the active state.

    This section covers the following topics:

    Retaining the triggered state

    When the flap guard is triggered, the status for the port is shown as “triggered” in the output of the diagnose flapguard status command. By default, rebooting the switch resets the state of the flap guard and removes the “triggered” state. You can change the setting so that the triggered state remains after a switch is rebooting until the port is reset. See Resetting a port.

    Using the GUI:
    1. Go to Switch > Flap Guard.
    2. Select Retain Triggered State Across Reboot.
    3. Select Update to save the change.
    Using the CLI:

    config switch global

    set flapguard-retain-trigger enable

    end

    Configuring the port flap guard

    The port flap guard is configured and enabled on each port. The default setting is disabled.

    The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30 with a default setting of 5.

    The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a default setting of 30 seconds.

    The flap timeout (CLI only) is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The default setting of 0 means that there is no timeout.

    NOTE:

    • If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch has fully booted up and calculated that the timeout has occurred.
    • The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state until the switch has fully booted up—at which point the trigger is cleared:
      • FS-1xxE
      • FS-2xxD/E
      • FS-4xxD
      • FS-4xxE
    Using the GUI:
    1. Go to Switch > Port > Physical.
    2. Select a port.
    3. Select Edit.
    4. Under Flap Guard, select Enable.
    5. Enter values for Flap Duration (Seconds) and Flap Rate.
    6. Select Update to save the changes.
    Using the CLI:

    config switch physical-port

    edit <port_name>

    set flapguard {enabled | disabled}

    set flap-rate <1-30>

    set flap-duration <5-300 seconds>

    set flap-timeout <0-120 minutes>

    end

    For example:

    config switch physical-port

    edit port10

    set flapguard enabled

    set flap-rate 15

    set flap-duration 100

    set flap-timeout 30

    end

    Resetting a port

    After the flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the port and restore it to service.

    Using the GUI:
    1. Go to Switch > Port > Physical.
    2. Select the port that was shut down.
    3. Select Reset.
    Using the CLI:

    execute flapguard reset <port_name>

    For example:

    execute flapguard reset port15

    Viewing the port flap guard configuration

    Use the following command to check if the flap guard is enabled on a specific port:

    show switch physical-port <port_name>

    For example:

    show switch physical-port port10

    Use the following command to display the port flap guard information for all ports:

    diagnose flapguard status

    Previous
    Next

    Flap guard

    Flap guard

    A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols such as STP. If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents unwanted access to the physical ports.

    The port flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts down the port if necessary. You can manually reset the port and restore it to the active state.

    This section covers the following topics:

    Retaining the triggered state

    When the flap guard is triggered, the status for the port is shown as “triggered” in the output of the diagnose flapguard status command. By default, rebooting the switch resets the state of the flap guard and removes the “triggered” state. You can change the setting so that the triggered state remains after a switch is rebooting until the port is reset. See Resetting a port.

    Using the GUI:
    1. Go to Switch > Flap Guard.
    2. Select Retain Triggered State Across Reboot.
    3. Select Update to save the change.
    Using the CLI:

    config switch global

    set flapguard-retain-trigger enable

    end

    Configuring the port flap guard

    The port flap guard is configured and enabled on each port. The default setting is disabled.

    The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30 with a default setting of 5.

    The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a default setting of 30 seconds.

    The flap timeout (CLI only) is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The default setting of 0 means that there is no timeout.

    NOTE:

    • If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch has fully booted up and calculated that the timeout has occurred.
    • The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state until the switch has fully booted up—at which point the trigger is cleared:
      • FS-1xxE
      • FS-2xxD/E
      • FS-4xxD
      • FS-4xxE
    Using the GUI:
    1. Go to Switch > Port > Physical.
    2. Select a port.
    3. Select Edit.
    4. Under Flap Guard, select Enable.
    5. Enter values for Flap Duration (Seconds) and Flap Rate.
    6. Select Update to save the changes.
    Using the CLI:

    config switch physical-port

    edit <port_name>

    set flapguard {enabled | disabled}

    set flap-rate <1-30>

    set flap-duration <5-300 seconds>

    set flap-timeout <0-120 minutes>

    end

    For example:

    config switch physical-port

    edit port10

    set flapguard enabled

    set flap-rate 15

    set flap-duration 100

    set flap-timeout 30

    end

    Resetting a port

    After the flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the port and restore it to service.

    Using the GUI:
    1. Go to Switch > Port > Physical.
    2. Select the port that was shut down.
    3. Select Reset.
    Using the CLI:

    execute flapguard reset <port_name>

    For example:

    execute flapguard reset port15

    Viewing the port flap guard configuration

    Use the following command to check if the flap guard is enabled on a specific port:

    show switch physical-port <port_name>

    For example:

    show switch physical-port port10

    Use the following command to display the port flap guard information for all ports:

    diagnose flapguard status

    Previous
    Next