execute
Use the execute commands to perform immediate operations on the FortiSwitch unit:
- execute 802-1x clear mac
- execute 802-1x clear interface
- execute 802-1x dacl-clr-stat
- execute 802-1x dacl-reinstall
- execute acl clear-counter
- execute acl key-compaction
- execute alias configure
- execute alias script
- execute backup config
- execute backup full-config
- execute backup memory
- execute batch
- execute bpdu-guard
- execute cfg reload
- execute cfg save
- execute clear switch igmp-snooping
- execute clear switch mld-snooping
- execute clear system arp table
- execute cli check-template-status
- execute cli status-msg-only
- execute date
- execute dhcp lease-clear
- execute dhcp lease-list
- execute dhcp-snooping
- execute disconnect-admin-session
- execute factoryreset
- execute factoryresetfull
- execute flapguard reset
- execute interface dhcpclient-renew
- execute interface dhcp6client-renew
- execute interface pppoe-reconnect
- execute license add
- execute license enhanced-debugging
- execute license status
- execute log delete
- execute log delete-all
- execute log display
- execute log filter
- execute log-report reset
- execute loop-guard reset
- execute mac clear
- execute mac-limit-violation reset
- execute macsec clearstat physical-port
- execute macsec reset physical-port
- execute macsec toggle physical-port
- execute mtraceroute
- execute ping
- execute ping-options
- execute ping6
- execute ping6-options
- execute poe-reset
- execute reboot
- execute rest list
- execute rest login
- execute rest logout
- execute rest run
- execute rest schema
- execute restore
- execute revision
- execute router clear bgp
- execute router clear ospf
- execute router tech-support
- execute set-next-reboot
- execute shutdown
- execute source-guard-violation reset
- execute ssh
- execute stage
- execute sticky-mac
- execute switch-controller clear-nac-mac-cache
- execute switch-controller delete-nac-mac-cache
- execute switch-controller get-conn-status
- execute switch-controller get-nac-mac-cache
- execute system admin account-convert-sha1
- execute system admin account-convert-sha256
- execute system certificate crl import auto
- execute system certificate local export tftp
- execute system certificate local generate
- execute system certificate local import tftp
- execute system certificate remote
- execute system sniffer-profile delete-capture
- execute system sniffer-profile pause
- execute system sniffer-profile start
- execute system sniffer-profile stop
- execute system sniffer-profile upload
- execute telnet
- execute time
- execute traceroute
- execute tracert6
- execute upload config
- execute verify image
- execute wake-on-lan
execute 802-1x clear mac
Use this command to clear the authorized session associated with the specified MAC address:
execute 802-1x clear mac <MAC_address>
Example
This example shows how to remove the authorized session associated with 00:21:cc:d2:76:72:
execute 802-1x clear mac 00:21:cc:d2:76:72
execute 802-1x clear interface
Use this command to clear the authorized sessions associated with the specified interface:
execute 802-1x clear interface {internal | <port_name>}
Example
This example shows how to remove the authorized sessions associated with port1:
execute 802-1x clear interface port1
execute 802-1x dacl-clr-stat
Use this command to clear the dynamic access control lists (DACLs) from the specified interface. If the interface is not specified, the DACLs are cleared from all interfaces.
execute 802-1x dacl-clr-stat [<interface_name>]
Example
This example shows how to remove DACLs from port 1:
execute 802-1x dacl-clr-stat port1
execute 802-1x dacl-reinstall
Use this command to reinstall the DACLs on a specified interface. If the interface is not specified, the DACLs are reinstalled on all interfaces.
execute 802-1x dacl-reinstall [<interface_name>]
Example
This example shows how to reinstall the DACLs on port 1:
execute 802-1x dacl-reinstall port1
execute acl clear-counter
Use this command to clear the ACL counters associated with the specified policy:
execute acl clear-counter {all | ingress | egress | prelookup}
Variable | Description |
all | Delete the ACL counters for all policies. |
ingress | Delete the ACL counters for ingress policies. |
egress | Delete the ACL counters for egress policies. |
prelookup | Delete the ACL counters for lookup policies. |
Example
This example deletes all ACL counters:
execute acl clear-counter all
execute acl key-compaction
NOTE: This command currently only works on the ingress policy.
Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:
execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>
Variable | Description |
all | Delete all unused classifiers for the specified group. |
ingress | Delete the unused classifiers for ingress policies for the specified group. |
egress | Delete the unused classifiers for egress policies for the specified group. |
prelookup | Delete the unused classifiers for lookup policies for the specified group. |
<group_ID> | Enter the group identifier. Group identifiers are defined in the |
Example
This example deletes all unused classifiers from group 5:
execute acl key-compaction all 5
execute alias configure
Use the execute alias configure commands to execute different actions with an alias. The alias is created with the config system alias command with the type set to configuration.
Syntax
execute alias configure get <alias_name> <table-entry-id-if-needed>
execute alias configure set <alias_name> <table-entry-id-if-needed> <attribute-value>
execute alias configure show <alias_name> <table-entry-id-if-needed>
execute alias configure show-full-configuration <alias_name> <table-entry-id-if-needed>
execute alias configure unset <alias_name> <table-entry-id-if-needed>
Variable | Description |
get <alias_name> <table-entry-id-if-needed> | Display the current settings. |
set <alias_name> <table-entry-id-if-needed> <attribute-value> | Change the attribute to the specified value. |
show <alias_name> <table-entry-id-if-needed> | Display an abbreviated version of the current configuration. |
show-full-configuration <alias_name> <table-entry-id-if-needed> | Display the full current configuration. |
unset <alias_name> <table-entry-id-if-needed> | Reset the attribute to its default value. |
Examples
The following example runs the port-status alias, which displays only the name and status of the specified port (port1 in this example).
S548DF5018000776 # execute alias configure get port-status port1
name : port1
description : (null)
status : up
The following example changes the value for the port2 table entry to up.
S548DF5018000776 # execute alias configure set port-status port2 up
Command to be run:
------------------------------------------------------------------------------
config switch physical-port
edit "port2"
set status "up"
next
end
------------------------------------------------------------------------------
Do you want to continue? (y/n)y
The following example displays an abbreviated version of the current configuration for the config switch physical-port command.
S548DF5018000776 # execute alias configure show port-status port3
config switch physical-port
edit "port3"
next
end
The following example displays the full configuration for the config switch physical-port command.
S548DF5018000776 # execute alias configure show-full-configuration port-status port4
config switch physical-port
edit "port4"
set description ''
set status up
next
end
The following example unsets the status of port4, returning it to its default value.
S548DF5018000776 # execute alias configure unset port-status port4
Command to be run:
------------------------------------------------------------------------------
config switch physical-port
edit "port4"
unset status
next
end
execute alias script
Use the execute alias script command to run a script that was created with the config system alias command with the type set to script.
Syntax
execute alias script <script_name> <values…>
Example
This example shows how to run a script named mac-list for VLAN 4092.
S524DF4K15000024 # execute alias script mac-list 4092
Command to be run:
------------------------------------------------------------------------------
diag switch mac-address filter clear
diag switch mac-address filter vlan-map "4092"
diag switch mac-address list | grep -i mac
diag switch mac-address filter clear
------------------------------------------------------------------------------
Do you want to continue? (y/n)y
MAC: 08:5b:0e:f1:95:e5 VLAN: 4092 Port: internal(port-id 31)
execute backup config
Use the execute backup config commands to perform a partial backup of the FortiSwitch configuration to a flash disk, FTP server, SFTP server, or TFTP server.
Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config sftp <filename_str> <server_ipv4_ipv6_fqdn> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>]
Variable |
Description |
config flash <comment> |
Back up the system configuration to the flash disk. Optionally, include a comment. |
config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] |
Back up the system configuration to an FTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. Optionally, you can specify a password to protect the saved data. |
config sftp <filename_str> <server_ipv4_ipv6_fqdn> [<username_str> [<password_str>]] [<backup_password_str>] |
Back up the system configuration to an SFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. Optionally, you can specify a password to protect the saved data. |
config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>] |
Back up the system configuration to a file on a TFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. Optionally, you can specify a password to protect the saved data. |
Example
This example shows how to perform a partial backup of the FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
execute backup full-config
Use the execute backup full-config commands to back up the full FortiSwitch configuration to an FTP, SFTP, or TFTP server.
Syntax
execute backup full-config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>]
Variable |
Description |
full-config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] |
Back up the full system configuration to a file on an FTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. You can optionally specify a password to protect the saved data. |
full-config sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] |
Back up the full system configuration to a file on an SFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. You can optionally specify a password to protect the saved data. |
full-config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>] |
Back up the full system configuration to a file on a TFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. You can optionally specify a password to protect the saved data. |
Example
This example shows how to back up the full FortiSwitch configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup full-config tftp fgt.cfg 192.168.1.23
execute backup memory
Use the execute backup memory commands to back up the FortiSwitch logs to an FTP, SFTP, or TFTP server.
Syntax
execute backup memory alllogs ftp <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute backup memory alllogs sftp <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute backup memory alllogs tftp <server_ipv4_ipv6_fqdn>
execute backup memory log ftp <server_ipv4_ipv6_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
execute backup memory log sftp <server_ipv4_ipv6_fqdn[:port_int]> <username_str> <password_str> event
execute backup memory log tftp <server_ipv4_ipv6_fqdn> {app-ctrl | event | ids | im | spam | virus | voip | webfilter}
Variable | Description |
memory alllogs ftp <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] | Back up either all memory or all hard disk log files for this FortiSwitch to an FTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory alllogs sftp <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] | Back up either all memory or all hard disk log files for this FortiSwitch to an SFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory alllogs tftp <server_ipv4_ipv6_fqdn> | Back up either all memory or all hard disk log files for this FortiSwitch to a TFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory log ftp <server_ipv4_ipv6_fqdn[:port_int]> <username_str> <password_str> {app-ctrl | event | ids | im | spam | virus | voip | webfilter} | Back up the specified type of log file from either hard disk or memory to an FTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory log sftp <server_ipv4_ipv6_fqdn[:port_int]> <username_str> <password_str> event | Back up the event log file from either hard disk or memory to an SFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
memory log tftp <server_ipv4_ipv6_fqdn> {app-ctrl | event | ids | im | spam | virus | voip | webfilter} | Back up the specified type of log file from either hard disk or memory to a TFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. The disk option is available on FortiSwitch models that log to a hard disk. |
Example
This example shows how to back up all FortiSwitch log files to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup memory alllogs tftp fgt.cfg 192.168.1.23
execute batch
Use the execute batch commands to execute a series of CLI commands.
The execute batch commands are controlled by the Maintenance (mntgrp) access control group.
Syntax
execute batch [<cmd_cue>]
The parameter <cmd_cue> takes one of the following values:
- end: exit the session and run the batch commands
- lastlog: read the result of the last batch commands
- start: start batch mode
- status: report whether batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
execute bpdu-guard
Use this command to reset a port that goes down after receiving a BPDU:
execute bpdu-guard reset {internal | port<number>}
Example
This example shows how to reset port 1 after it receives a BPDU and goes down:
execute bpdu-guard reset port1
execute cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiSwitch performs a restart.
In the default configuration change mode, automatic, CLI commands become part of the saved system configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.
execute cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the system restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
execute clear switch igmp-snooping
Use these commands to clear the learned and configured IPv4 multicast groups from the FortiSwitch unit. You can combine the commands for more control.
Syntax
execute clear switch igmp-snooping all
execute clear switch igmp-snooping group <multicast_IPv4_address>
execute clear switch igmp-snooping interface <interface_name>
execute clear switch igmp-snooping vlan <VLAN_ID>
Variable | Description |
all | Clear all IGMP-snooping groups. |
group <multicast_IPv4_address> | Clear the specified IGMP-snooping group. |
interface <interface_name> | Clear all IGMP-snooping groups on the specified switch interface. |
vlan <VLAN_ID> | Clear all IGMP-snooping groups on the specified VLAN. |
Example
The following example clears one IGMP-snooping group from one VLAN for all interfaces:
execute clear switch igmp-snooping group 1.2.3.4 100
The following example clears one IGMP-snooping group from one VLAN on one interface:
execute clear switch igmp-snooping group 1.2.3.4 100 port1
The following example clears all IGMP-snooping groups from one interface for one VLAN:
execute clear switch igmp-snooping interface port1 100
execute clear switch mld-snooping
Use this command to clear the learned and configured IPv6 multicast groups from the FortiSwitch unit. You can combine the commands for more control.
Syntax
execute clear switch mld-snooping all
execute clear switch mld-snooping group <multicast_IPv6_address>
execute clear switch mld-snooping interface <interface_name>
execute clear switch mld-snooping vlan <VLAN_ID>
Variable | Description |
all | Clear all MLD-snooping groups. |
group <multicast_IPv6_address> | Clear the specified MLD-snooping group. |
interface <interface_name> | Clear all MLD-snooping groups on the specified switch interface. |
vlan <VLAN_ID> | Clear all MLD-snooping groups on the specified VLAN. |
Example
The following example clears one MLD-snooping group from one VLAN for all interfaces:
execute clear switch mld-snooping group ff3f::1 100
The following example clears one MLD-snooping group from one VLAN on one interface:
execute clear switch mld-snooping group ff3f::1 100 port1
The following example clears all MLD-snooping groups from one interface for one VLAN:
execute clear switch mld-snooping interface port1 100
execute clear system arp table
Use this command to clear all the entries in the ARP table.
Syntax
execute clear system arp table
execute cli check-template-status
Use this command to report the status of the secure copy protocol (SCP) script template.
Syntax
execute cli check-template-status
execute cli status-msg-only
Use this command to enable or disable the display of standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session.
Syntax
execute cli status-msg-only {enable | disable}
Variable | Description | Default |
status-msg-only {enable | disable} | Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output. | enable |
execute date
Use this command to display or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where:
- yyyy is the year. The range is: 2001 to 2037
- mm is the month. The range is 01 to 12
- dd is the day of the month. The range is 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as “06” instead of “2006” for the year or “1” instead of “01” for month or day, are not valid.
Example
This example sets the date to 17 September 2016:
execute date 2016-09-17
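The date_str rules above (zero-padded yyyy-mm-dd, year 2001 to 2037, month 01 to 12, day 01 to 31, no shortened values) are easy to get wrong in automation that pushes commands to many units. The following validator is an added example and not part of the FortiSwitch CLI or this reference; it enforces exactly the documented rules and, as an additional check that the page does not state (an assumption of this example), also rejects day numbers that do not exist in the given month.

```python
import re
from datetime import date
from typing import Optional, Tuple

# Regex for the documented form yyyy-mm-dd: exactly four, two and two digits.
# Shortened values such as "06" for the year or "1" for the month fail here.
DATE_STR_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def validate_date_str(date_str: str) -> Tuple[int, int, int]:
    """Validate a date_str argument for 'execute date' and return (yyyy, mm, dd).

    Raises ValueError naming the offending field when the value does not meet
    the documented form or ranges (year 2001-2037, month 01-12, day 01-31).
    """
    match = DATE_STR_RE.match(date_str)
    if match is None:
        raise ValueError(f"{date_str!r}: date_str must have the form yyyy-mm-dd with zero-padded fields")
    year, month, day = (int(part) for part in match.groups())
    if not 2001 <= year <= 2037:
        raise ValueError(f"{date_str!r}: year must be in the range 2001 to 2037")
    if not 1 <= month <= 12:
        raise ValueError(f"{date_str!r}: month must be in the range 01 to 12")
    if not 1 <= day <= 31:
        raise ValueError(f"{date_str!r}: day must be in the range 01 to 31")
    # Stricter than the page's stated ranges (assumption of this example):
    # reject impossible calendar dates such as 2016-02-31.
    try:
        date(year, month, day)
    except ValueError as exc:
        raise ValueError(f"{date_str!r}: not a valid calendar date") from exc
    return year, month, day


def is_valid_date_str(date_str: str) -> bool:
    """Boolean form of validate_date_str for pre-flight checks."""
    try:
        validate_date_str(date_str)
    except ValueError:
        return False
    return True


def build_date_command(date_str: Optional[str] = None) -> str:
    """Return the CLI line to send; 'execute date' alone displays the current date."""
    if date_str is None:
        return "execute date"
    validate_date_str(date_str)
    return f"execute date {date_str}"


if __name__ == "__main__":
    # Constructed candidates: the page's own example plus the rejected shortened forms.
    for candidate in ["2016-09-17", "06-09-17", "2016-9-17", "2040-01-01", "2016-02-31"]:
        print(f"{candidate:<12} -> {'valid' if is_valid_date_str(candidate) else 'invalid'}")
```

Run the block directly to see each candidate classified; call build_date_command from a provisioning script so that a malformed date is caught before the command reaches the switch.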
execute dhcp lease-clear
Use these commands to clear DHCP leases:
execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
Variable | Description | Default |
lease-clear all | Clear all DHCP leases. | No default |
lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...> | Clear the DHCP leases for the specified IPv4 addresses. Use a comma to separate IPv4 addresses. | No default |
Example
This example shows how to clear the DHCP leases for the specified IPv4 addresses:
execute dhcp lease-clear 1.2.3.4,5.6.7.8
execute dhcp lease-list
Use these commands to list DHCP leases:
execute dhcp lease-list
execute dhcp lease-list <interface>
Variable | Description | Default |
lease-list | List all DHCP leases. | No default |
lease-list <interface> | List the DHCP leases for the specified interface. | No default |
Example
This example shows how to list all DHCP leases:
execute dhcp lease-list
execute dhcp-snooping
Use this command to remove an IP address from the DHCP-snooping client or server database on a specific VLAN:
execute dhcp-snooping expire-client <VLAN-ID> <xx:xx:xx:xx:xx:xx>
execute dhcp-snooping expire-server <VLAN-ID> <xx:xx:xx:xx:xx:xx>
Variable | Description | Default |
<VLAN-ID> | Enter the VLAN identifier. The value range is 1-4095. | No default |
<xx:xx:xx:xx:xx:xx> | Enter the MAC address for the IP address to remove. | No default |
Example
This example shows how to remove the IP address that corresponds to VLAN 100 and to the MAC address 01:23:45:67:89:01 from the DHCP-snooping client database:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01
execute disconnect-admin-session
Use this command to disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators with the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect the logged-in administrator admin2:
execute disconnect-admin-session 1
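When reviewing who is logged in, the index that execute disconnect-admin-session needs has to be read off the listing above by hand. The following parser is an added example, not Fortinet code and not part of this reference: it turns the Connected: listing into records, extracts the source IPv4 address from the FROM column (the sample shows IPv4 only, so IPv4 is assumed), builds the disconnect command for a given administrator name, and lists sessions whose source is outside an approved management prefix. The listing embedded in the block is constructed in the same layout as the sample on this page.

```python
import re
from typing import List, NamedTuple, Sequence


class AdminSession(NamedTuple):
    index: int
    username: str
    type: str      # TYPE column, e.g. WEB or CLI
    source: str    # FROM column as printed, e.g. "ssh(172.20.120.54)"
    time: str      # TIME column, the remainder of the line


# Constructed sample in the layout of 'execute disconnect-admin-session ?'.
SAMPLE_LISTING = """\
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

# INDEX, USERNAME, TYPE and FROM are single tokens; TIME is the rest of the line.
_ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_admin_sessions(listing: str) -> List[AdminSession]:
    """Parse the session listing; the 'Connected:' line and the header row are skipped."""
    sessions: List[AdminSession] = []
    for line in listing.splitlines():
        match = _ROW_RE.match(line.strip())
        if match is None:
            continue
        index, user, session_type, source, when = match.groups()
        sessions.append(AdminSession(int(index), user, session_type, source, when))
    return sessions


def source_ip(session: AdminSession) -> str:
    """Return the IPv4 address inside the FROM column, or '' if none is present."""
    match = _IPV4_RE.search(session.source)
    return match.group(0) if match else ""


def disconnect_commands(sessions: Sequence[AdminSession], username: str) -> List[str]:
    """Build the CLI lines that disconnect every session of the named administrator."""
    return [f"execute disconnect-admin-session {s.index}"
            for s in sessions if s.username == username]


def sessions_outside(sessions: Sequence[AdminSession],
                     allowed_prefixes: Sequence[str]) -> List[AdminSession]:
    """Return sessions whose source IP does not start with an approved prefix.

    Prefixes are plain string prefixes such as '172.20.120.' (an assumption of
    this example; use ipaddress networks for anything beyond a demonstration).
    """
    return [s for s in sessions
            if not any(source_ip(s).startswith(p) for p in allowed_prefixes)]


if __name__ == "__main__":
    found = parse_admin_sessions(SAMPLE_LISTING)
    for s in found:
        print(f"{s.index} {s.username:<8} {s.type:<4} {source_ip(s):<16} {s.time}")
    print(disconnect_commands(found, "admin2"))
    print([s.index for s in sessions_outside(found, ["172.20.120."])])
```

Pair the output of sessions_outside with the disconnect commands in a review step rather than sending them automatically, since index numbers change as sessions come and go.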
execute factoryreset
Use this command to reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryreset
This procedure deletes all changes that you have made to the FortiSwitch configuration and reverts the system to its original configuration, including resetting interface addresses.
execute factoryresetfull
Use this command to fully reset the FortiSwitch configuration to factory default settings.
Syntax
execute factoryresetfull
This procedure removes all configurations, saved user and application data, and licenses and resets the BIOS environment to the default. Images saved to the partitions are not removed.
execute flapguard reset
Use this command to reset the specified port if flap guard was triggered on that port:
execute flapguard reset <port_name>
Example
This example shows how to reset port 1 after flap guard was triggered on it:
execute flapguard reset port1
execute interface dhcpclient-renew
Use this command to renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <interface>
Example output
This is the output for renewing the DHCP client on port 1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
execute interface dhcp6client-renew
Use this command to renew the DHCPv6 client for the specified DHCPv6 interface and close the CLI session. If there is no DHCPv6 connection on the specified port, there is no output.
Syntax
execute interface dhcp6client-renew <interface>
execute interface pppoe-reconnect
Use this command to reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <interface>
execute license add
Use this command to add a new license.
Syntax
execute license add <key>
execute license enhanced-debugging
Use this command to get information about the enhanced debugging license or to remove it.
Syntax
execute license enhanced-debugging {clear | description | get | status}
Variable | Description |
clear | Remove the current enhanced debugging license key. |
description | Get a general description of the enhanced debugging license key. |
get | Retrieve the enhanced debugging license key. |
status | Check whether the enhanced debugging license is active. |
Example output
S524DF4K15000024 # execute license enhanced-debugging description
This license will enable potentially hazardous debug, such as shells and other features.
S524DF4K15000024 # execute license enhanced-debugging status
enhanced-debugging: Active
Debug license flags: 0x01
execute license status
Use this command to display the status of all installed licenses.
Syntax
execute license status
Example output
S524DF4K15000024 # execute license status
License | Status
enhanced-debugging : Active
FS-SW-LIC-500 : Active
execute log delete
Use this command to clear all traffic log entries in memory. You will be prompted to confirm the command.
Syntax
execute log delete
execute log delete-all
Use this command to clear all log entries in memory and current log files on hard disk. If your system has no hard disk, only log entries in system memory are cleared. You will be prompted to confirm the command.
Syntax
execute log delete-all
execute log display
Use this command to display log messages that you have selected with the execute log filter command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the following commands:
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the following command:
execute log filter reset
execute log filter
Use this command to select log messages for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to view.
execute log filter category <category_name>
execute log filter device {0 | 1}
execute log filter dump
execute log filter field <name>
execute log filter ha-member <unitsn_str>
execute log filter max-checklines <int>
execute log filter reset
execute log filter start-line <line_number>
execute log filter view-lines <count>
Variable | Description | Default |
category <category_name> | Enter the type of log you want to select. For SQL logging and memory logging, one of: utm, content, event, or traffic | event |
device {0 | 1} | Device where the logs are stored. Select 0 for memory or 1 for flash. | 0 |
dump | Display current filter settings. | No default |
field <name> | Press Enter to view the fields that are available for the associated category. Enter the fields you want, using commas to separate multiple fields. | No default |
ha-member <unitsn_str> | Select logs from the specified HA cluster member. Enter the serial number of the system. | No default |
max-checklines <int> | Set the maximum number of lines to check. The range is 100 to 1,000,000. A value of 0 disables the feature. | No default |
reset | Execute this command to reset all filter settings. | No default |
start-line <line_number> | Select logs starting at the specified line number. The value must be 1 or higher. | 1 |
view-lines <count> | Set the number of lines per view. The value range is 5 to 1000. | 10 |
execute log-report reset
Use this command to delete all logs, archives, and user configured report templates.
Syntax
execute log-report reset
execute loop-guard reset
Use this command to reset a port that has been put out of service by loop-guard.
execute loop-guard reset <interface>
Example
This example shows how to reset port 1 after loop guard was triggered on it:
execute loop-guard reset port1
execute mac clear
Use this command to clear MAC addresses.
Syntax
execute mac clear all
execute mac clear by-interface <interface>
execute mac clear by-mac-address <mac_address>
execute mac clear by-vlan <vlan_int>
execute mac clear by-vlan-and-interface <vlan_int> <interface>
execute mac clear by-vlan-and-mac-address <vlan_int> <mac_address>
Variable | Description |
all | Clear all MAC entries. |
by-interface <interface> | Clear all MAC entries on the specified interface. |
by-mac-address <mac_address> | Clear all MAC entries for a specified MAC address. |
by-vlan <vlan_int> | Clear all MAC entries for a specified VLAN. |
by-vlan-and-interface <vlan_int> <interface> | Clear all MAC entries for a specified VLAN on a specified interface. |
by-vlan-and-mac-address <vlan_int> <mac_address> | Clear all MAC entries for a specified VLAN that match the specified MAC address. |
execute mac-limit-violation reset
Use these commands to reset the learning limit violation log.
To enable or disable the learning limit violation log for a FortiSwitch unit, see config switch global.
Syntax
execute mac-limit-violation reset all
execute mac-limit-violation reset interface <interface_name>
execute mac-limit-violation reset vlan <VLAN_ID>
Variable | Description |
---|---|
all | Clear all learning limit violation logs. |
interface <interface_name> | Clear the learning limit violation log for a specific interface. |
vlan <VLAN_ID> | Clear the learning limit violation log for a specific VLAN. |
Example
This example shows how to clear the learning limit violation log for VLAN 5:
execute mac-limit-violation reset vlan 5
execute macsec clearstat physical-port
Use this command to clear all MACsec statistics on a single port.
Syntax
execute macsec clearstat physical-port <port_name>
Example
This example shows how to clear the MACsec statistics on port5.
#execute macsec clearstat physical-port port5
execute macsec reset physical-port
Use this command to reset the MACsec session on a single port on the server side or the client side.
Syntax
execute macsec reset physical-port <port_name>
Example
This example shows how to reset the MACsec session on port5.
#execute macsec reset physical-port port5
execute macsec toggle physical-port
Use this command to change the link status and reset the MACsec session on a single port on both the server side and the client side. This command applies to the dynamic-CAK mode.
Syntax
execute macsec toggle physical-port <port_name>
Example
This example shows how to change the link status and reset the MACsec session on port5.
#execute macsec toggle physical-port port5
execute mtraceroute
Use this command to find all the routers that perform load balancing between the FortiSwitch unit and destination.
Syntax
execute mtraceroute <IP_address> <confidence_level> <flow_ID> <maximum_hops>
Variable | Description |
---|---|
<IP_address> | Enter the IP address to test the connection to. |
<confidence_level> | Select the confidence level in percent. You can select |
<flow_ID> | Select the flow identifier to use. If you selected an IPv4 address to test, you can select If you selected an IPv6 address to test, you can select |
<maximum_hops> | Enter the maximum number of hops to test. The range of values is 0-255. The default is 30. |
Example
S108FFTV21000010 # execute mtraceroute 1.2.3.4 90 icmp-chk 50
Run mtraceroute to 1.2.3.4 - max-ttl: 50, flow-id: icmp-chk, confidence: 90
 0 root: 10.105.201.133 (0.767220 ms)
 1 10.105.201.133: 192.168.201.1 (0.296219 ms)
 2 192.168.201.1: 10.64.254.33 (0.306219 ms)
 3 10.64.254.33: 96.45.36.3 (0.501219 ms)
 4 96.45.36.3: * ...
execute ping
The execute ping command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and another network device.
Syntax
execute ping <address_ipv4>
<address_ipv4> is an IP address.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
#execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
execute ping-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and another network device.
Syntax
execute ping-options adaptive-ping {enable | disable}
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options interface {Auto | <outgoing_interface>}
execute ping-options interval <seconds>
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options reset
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Variable | Description | Default |
---|---|---|
adaptive-ping {enable \| disable} | Enable or disable adaptive ping. | disable |
data-size <bytes> | Specify the datagram size in bytes. | 56 |
df-bit {yes \| no} | Set | no |
interface {Auto \| <outgoing_interface>} | Specify the source interface or select | auto |
interval <seconds> | Specify the number of seconds between two pings. The value must be greater than 0. | No default |
pattern <2-byte_hex> | Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the | No default |
repeat-count <repeats> | Specify how many times to repeat ping. | 5 |
reset | Reset the ping options to their default settings. | No default |
source {auto \| <source-intf_ip>} | Specify the FortiSwitch interface from which to send the ping. If you specify | auto |
timeout <seconds> | Specify, in seconds, how long to wait until ping times out. | 2 |
tos <service_type> | Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: | 0 |
ttl <hops> | Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. | 64 |
validate-reply {yes \| no} | Select | |
view-settings | Display the current ping option settings. | No default |
Example
Use the following command to increase the number of pings sent:
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiSwitch interface with IP address 192.168.10.23:
execute ping-options source 192.168.10.23
execute ping6
The ping6 command sends one or more ICMP echo requests (pings) to test the network connection between the FortiSwitch and an IPv6-capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
execute ping6-options
Use this command to set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiSwitch and an IPv6-capable network device.
Syntax
execute ping6-options data-size <bytes>
execute ping6-options interval <seconds>
execute ping6-options pattern <2-byte_hex>
execute ping6-options repeat-count <repeats>
execute ping6-options source {auto | <source-intf_ip>}
execute ping6-options timeout <seconds>
execute ping6-options tos <service_type>
execute ping6-options ttl <hops>
execute ping6-options validate-reply {yes | no}
execute ping6-options view-settings
Variable | Description | Default |
---|---|---|
data-size <bytes> | Specify the datagram size in bytes. | 56 |
df-bit {yes \| no} | Set | no |
interval <seconds> | Specify the number of seconds between two pings. The value must be greater than 0. | No default |
pattern <2-byte_hex> | Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the | No default |
repeat-count <repeats> | Specify how many times to repeat ping. | 5 |
source {auto \| <source-intf_ip>} | Specify the FortiSwitch interface from which to send the ping. If you specify | auto |
timeout <seconds> | Specify, in seconds, how long to wait until ping times out. | 2 |
tos <service_type> | Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted: | 0 |
ttl <hops> | Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned. | 64 |
validate-reply {yes \| no} | Select | |
view-settings | Display the current ping option settings. | No default |
Example
Use the following command to validate reply data:
execute ping6-options validate-reply yes
execute poe-reset
This command performs a PoE reset on the specified port.
Syntax
execute poe-reset <port_number>
Example
Use the following command to reset the PoE power on port 1:
execute poe-reset port1
execute reboot
Use this command to restart the system.
NOTE: Abruptly powering off your system may corrupt its configuration. Use the reboot and shutdown options in the CLI or in the Web-based manager so that proper shutdown procedures are followed and no configuration is lost.
Syntax
execute reboot [comment <"comment_string">]
[comment <"comment_string">] enables you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotation marks.
Example
This example shows the reboot command with a message included:
execute reboot comment "December monthly maintenance"
execute rest list
Use this command to list CMDB, Monitor, or Execute API endpoints or to find out which endpoints contain a text string.
NOTE: You must use the execute rest login command before using this command.
Syntax
execute rest list cmdb <[string_to_match]>
execute rest list monitor <[string_to_match]>
execute rest list execute <[string_to_match]>
Example
This example shows how to list all endpoints with the string hardware in them.
S524DN4K15000001 # execute rest list monitor hardware
--------------------------------------------------------------------------------------------
No. | Path | Description
--------------------------------------------------------------------------------------------
[ 1] | system/hardware-status | Retrieve Hardware Status of System.
[ 2] | hardware/cpu | Retrieve CPU Info of Hardware.
[ 3] | hardware/memory | Retrieve Memory Info of Hardware.
--------------------------------------------------------------------------------------------
execute rest login
Use this command to log in before using the execute rest commands. You will be prompted for the administrator user name and the corresponding password.
Syntax
execute rest login
Example
This example shows how to log in to use the execute rest commands.
S524DN4K15000001 # execute rest login
Enter admin : admin
Enter password : ************
Login success!
execute rest logout
Use this command to log out of the execute rest commands.
NOTE: You must use the execute rest login command before using this command.
Syntax
execute rest logout
Example
This example shows how to log out of the execute rest commands.
S524DN4K15000001 # execute rest logout
Logged out successfully!
execute rest run
Use this command to run a REST API endpoint.
NOTE: You must use the execute rest login command before using this command.
Syntax
execute rest run /api/v2/{cmdb | monitor | execute}/<path>/<name> {get | post | put | delete} <content>
Example
This example shows how to run the GET /api/v2/monitor/hardware/cpu endpoint.
S524DN4K15000001 # execute rest run /api/v2/monitor/hardware/cpu get
{
  "http_method": "GET",
  "results": [
    { "processor": "0" },
    { "model name": "ARMv7 Processor rev 0 (v7l)" },
    { "BogoMIPS": "1000.00" },
    { "Features": "half thumb fastmult edsp tls " },
    { "CPU implementer": "0x41" },
    { "CPU architecture": "7" },
    { "CPU variant": "0x3" },
    { "CPU part": "0xc09" },
    { "CPU revision": "0" },
    { "processor": "1" },
    { "model name": "ARMv7 Processor rev 0 (v7l)" },
    { "BogoMIPS": "1000.00" },
    { "Features": "half thumb fastmult edsp tls " },
    { "CPU implementer": "0x41" },
    { "CPU architecture": "7" },
    { "CPU variant": "0x3" },
    { "CPU part": "0xc09" },
    { "CPU revision": "0" },
    { "Hardware": "BRCM XGS iProc" },
    { "Revision": "0000" },
    { "Serial": "0000000000000000" }
  ],
  "vdom": "root",
  "path": "hardware",
  "name": "cpu",
  "status": "success",
  "cmdb-index": "700",
  "cmdb-checksum": "7209412920166404071",
  "serial": "S524DN4K15000001",
  "version": "v7.2.0",
  "build": 393,
  "timestamp": "2022-09-13T23:56:12Z"
}
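An added helper (not Fortinet code) that composes execute rest run command lines only from the API groups and HTTP methods the syntax line allows, and turns the output of the example above into a per-processor inventory, refusing results whose status is not success. The sample output embedded below is the one shown on this page; the set of per-CPU keys is taken from that output.

```python
import json

# Values allowed by the 'execute rest run' syntax line on this page.
API_GROUPS = ("cmdb", "monitor", "execute")
HTTP_METHODS = ("get", "post", "put", "delete")

# Keys that monitor/hardware/cpu reports once per processor (taken from the
# sample output); anything else after the last "processor" entry describes
# the board rather than a CPU.
PER_CPU_KEYS = {
    "model name", "BogoMIPS", "Features", "CPU implementer",
    "CPU architecture", "CPU variant", "CPU part", "CPU revision",
}


def build_rest_run(group, path, name, method, content=None):
    """Compose the CLI line for one endpoint, rejecting groups or methods
    outside the sets the syntax allows. Optional content is JSON-encoded."""
    if group not in API_GROUPS:
        raise ValueError(f"unknown API group: {group!r}")
    if method not in HTTP_METHODS:
        raise ValueError(f"unknown HTTP method: {method!r}")
    cmd = f"execute rest run /api/v2/{group}/{path}/{name} {method}"
    if content is not None:
        cmd += " " + json.dumps(content, separators=(",", ":"))
    return cmd


def parse_rest_run_output(text):
    """Drop the echoed prompt and command, decode the JSON envelope and
    insist on status == success before the caller trusts the results."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON body in output")
    resp = json.loads(text[start:])
    if resp.get("status") != "success":
        raise RuntimeError(f"endpoint returned status {resp.get('status')!r}")
    return resp


def group_cpu_results(results):
    """The endpoint returns a flat list of single-key objects; regroup it
    into one dict per processor plus a dict of board-level attributes."""
    cpus, board, current = [], {}, None
    for item in results:
        (key, value), = item.items()
        if key == "processor":
            current = {"processor": value}
            cpus.append(current)
        elif current is not None and key in PER_CPU_KEYS:
            current[key] = value
        else:
            board[key] = value
    return cpus, board


# Output of the execute rest run example on this page.
SAMPLE_OUTPUT = """S524DN4K15000001 # execute rest run /api/v2/monitor/hardware/cpu get
{ "http_method": "GET", "results": [ { "processor": "0" }, { "model name": "ARMv7 Processor rev 0 (v7l)" },
{ "BogoMIPS": "1000.00" }, { "Features": "half thumb fastmult edsp tls " }, { "CPU implementer": "0x41" },
{ "CPU architecture": "7" }, { "CPU variant": "0x3" }, { "CPU part": "0xc09" }, { "CPU revision": "0" },
{ "processor": "1" }, { "model name": "ARMv7 Processor rev 0 (v7l)" }, { "BogoMIPS": "1000.00" },
{ "Features": "half thumb fastmult edsp tls " }, { "CPU implementer": "0x41" }, { "CPU architecture": "7" },
{ "CPU variant": "0x3" }, { "CPU part": "0xc09" }, { "CPU revision": "0" }, { "Hardware": "BRCM XGS iProc" },
{ "Revision": "0000" }, { "Serial": "0000000000000000" } ], "vdom": "root", "path": "hardware", "name": "cpu",
"status": "success", "cmdb-index": "700", "cmdb-checksum": "7209412920166404071", "serial": "S524DN4K15000001",
"version": "v7.2.0", "build": 393, "timestamp": "2022-09-13T23:56:12Z" }
"""


def cpu_inventory(text=SAMPLE_OUTPUT):
    """Parsed envelope -> (switch serial, per-CPU dicts, board attributes)."""
    resp = parse_rest_run_output(text)
    cpus, board = group_cpu_results(resp["results"])
    return resp["serial"], cpus, board


if __name__ == "__main__":
    serial, cpus, board = cpu_inventory()
    print(serial, len(cpus), "processors on", board["Hardware"])
```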
execute rest schema
Use this command to display the schema for the CMDB, Monitor, or Execute API endpoints or for a specific endpoint.
NOTE: You must use the execute rest login command before using this command.
Syntax
execute rest schema /api/v2/{cmdb | monitor | execute}[/<path>/<name>]
Example
This example shows how to display the schema for the /api/v2/monitor/hardware/cpu endpoint.
execute rest schema /api/v2/monitor/hardware/cpu
{
  "schema": [
    {
      "url": "/api/v7.2.0/monitor/hardware/cpu",
      "path": "hardware",
      "name": "cpu",
      "schema": {
        "name": "cpu",
        "category": "table",
        "help": "Retrieve CPU Info of Hardware.",
        "children": {
          "name": { "name": "name", "category": "unitary", "type": "string", "help": "Hardware's CPU Attribute Name." },
          "value": { "name": "value", "category": "unitary", "type": "string", "help": "Hardware's CPU Attribute Value." }
        }
      }
    }
  ],
  "cmdb-index": "700",
  "cmdb-checksum": "7209412920166404071",
  "serial": "S524DN4K15000001",
  "version": "v7.2.0",
  "build": 393,
  "timestamp": "2022-09-13T23:08:51Z",
  "action": "schema",
  "status": "success"
}
execute restore
Use this command to do the following:
- Restore the configuration from a file.
- Change the FortiSwitch firmware.
- Restore the BIOS from a file.
Syntax
execute restore bios tftp <filename_str> <server_ipv4_ipv6_fqdn>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>]
execute restore image ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image tftp <filename_str> <server_ipv4_ipv6_fqdn>
Variable | Description |
---|---|
bios tftp <filename_str> <server_ipv4_ipv6_fqdn> | Restore the BIOS. Download the restore file from a TFTP server. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. |
config flash <revision> | Restore the specified revision of the system configuration from the flash disk. |
config ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>] | Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. If the backup file was created with a password, you must specify the password. |
config sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>] | Restore the system configuration from an SFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. If the backup file was created with a password, you must specify the password. |
config tftp <filename_str> <server_ipv4_ipv6_fqdn> [<backup_password_str>] | Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. If the backup file was created with a password, you must specify the password. |
image ftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] | Download a firmware image from an FTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. You can use an IPv4 address, IPv6 address, or FQDN to specify the FTP server. |
image management-station <version_int> | Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images. |
image sftp <filename_str> <server_ipv4_ipv6_fqdn[:port_int]> [<username_str> <password_str>] | Download a firmware image from an SFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. You can use an IPv4 address, IPv6 address, or FQDN to specify the SFTP server. |
image tftp <filename_str> <server_ipv4_ipv6_fqdn> | Download a firmware image from a TFTP server to the FortiSwitch unit. The FortiSwitch unit reboots, loading the new firmware. You can use an IPv4 address, IPv6 address, or FQDN to specify the TFTP server. |
Example
This example shows how to upload a configuration file from a TFTP server to the FortiSwitch and restart the FortiSwitch with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
The following example shows how to upload a configuration file from an SFTP server to the FortiSwitch unit and restart the FortiSwitch unit with this configuration. The name of the configuration file on the SFTP server is backupconfig. The IPv6 address of the SFTP server is 6001:7:7:7::2, and the port number is 2222. To access the SFTP server, you need to add the user name, admin, and the password, adminpassword.
execute restore config sftp backupconfig [6001:7:7:7::2]:2222 admin adminpassword
execute revision
Use this command to manage configuration and firmware image files on the local disk.
Syntax
execute revision delete config <revision>
execute revision list config
execute revision show config
Variable | Description |
---|---|
delete config <revision> | Delete the specified configuration revision on the local disk. |
list config | List the configuration revisions on the local disk. |
show config | Display the details of the configuration revision on the local disk. |
Example
Use the following command to delete revision 1 of the configuration file on the local disk:
execute revision delete config 1
execute router clear bgp
Use this command to clear the BGP routing configuration.
Syntax
execute router clear bgp {all | as | dampening | external | ip | ipv6}
Variable | Description |
---|---|
all <arguments> | Clear all BGP peers. |
as <arguments> | Clear a BGP peer by AS number. |
dampening {<IP_address> \| <IP_address/length>} | Clear the BGP flap-dampening information. |
external <arguments> | Clear all external BGP peers. |
ip <A.B.C.D\|X:X::X:X\|*> | Clear a BGP peer by IPv4 or IPv6 address. Use * to clear all BGP peers. |
ipv6 <A.B.C.D\|X:X::X:X\|*> | Clear a BGP peer by IPv4 or IPv6 address. Use * to clear all BGP peers. |
Example
Use the following command to delete the BGP flap-dampening information:
execute router clear bgp dampening 1.2.3.4
execute router clear ospf
Use this command to clear the OSPF routing configuration from the specified interface.
Syntax
execute router clear ospf interface <interface_name>
Example
Use the following command to delete the OSPF routing configuration from the VLAN interface:
execute router clear ospf interface vlan20
execute router tech-support
Use this command to display the specified routing configuration and troubleshooting information.
Syntax
execute router tech-support {ospf | rip | bgp | isis | static}
Example
Use the following command to display the BGP routing configuration and troubleshooting information:
execute router tech-support bgp
execute set-next-reboot
Use this command to specify the flash partition for the next reboot. The system can use the boot image from either the primary or the secondary flash partition.
NOTE: You must disable image rotation before you can use the execute set-next-reboot command.
Syntax
execute set-next-reboot <primary | secondary>
Example
This example specifies that the next reboot will use the secondary flash partition:
execute set-next-reboot secondary
Set next reboot partition to secondary
execute shutdown
Use this command to shut down the system immediately. You will be prompted to confirm this command.
NOTE: Abruptly powering off your system might corrupt its configuration. Using the reboot and shutdown options in the CLI or in the Web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute shutdown [comment <"comment_string">]
The comment field is optional. Use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotation marks.
Example
This example shows the shutdown command with a message included:
execute shutdown comment "emergency facility shutdown"
An event log message similar to the following is recorded:
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
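As an added example (not from the FortiSwitch documentation), a parser for event log lines of the shape shown above, so that reboot and shutdown events can be pulled out of a collected log feed together with the administrator, the access method and source address, and the stated reason, which is what an operator auditing unexpected outages wants to see. The shutdown line in the sample is the one on this page; the login and reboot lines are constructed in the same layout for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the event log line shown in the shutdown example above:
#   <date> <time> <level> <user> <id> <method(source_ip)> <action> <message>
EVENT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>\S+) (?P<user>\S+) (?P<id>\d+) "
    r"(?P<source>\S+) (?P<action>\S+) (?P<message>.*)$"
)
# e.g. ssh(172.20.120.11) -> method "ssh", address "172.20.120.11"
SOURCE_RE = re.compile(r"^(?P<method>[A-Za-z0-9_-]+)\((?P<ip>[^)]*)\)$")
# The optional comment given to execute reboot / execute shutdown.
REASON_RE = re.compile(r"The reason is '(?P<reason>.*)'\s*$")

POWER_ACTIONS = ("reboot", "shutdown")


@dataclass
class PowerEvent:
    timestamp: str
    level: str
    user: str
    action: str
    method: Optional[str]
    source_ip: Optional[str]
    reason: Optional[str]


def parse_event(line: str) -> Optional[PowerEvent]:
    """Parse one event log line; return None for lines in another layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src = SOURCE_RE.match(m["source"])
    reason = REASON_RE.search(m["message"])
    return PowerEvent(
        timestamp=f"{m['date']} {m['time']}",
        level=m["level"],
        user=m["user"],
        action=m["action"],
        method=src["method"] if src else None,
        source_ip=src["ip"] if src else None,
        reason=reason["reason"] if reason else None,
    )


def power_events(lines, actions=POWER_ACTIONS) -> List[PowerEvent]:
    """Return only the reboot/shutdown events, in log order."""
    events = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev.action in actions:
            events.append(ev)
    return events


# Constructed sample feed: the first two lines are made up in the same
# layout; the third is the shutdown line from this page.
SAMPLE_LOG = [
    "2009-09-08 11:10:02 information admin 41985 ssh(172.20.120.11) login "
    "Administrator admin logged in from ssh(172.20.120.11)",
    "2009-09-08 11:05:44 critical admin 41980 https(172.20.120.12) reboot "
    "User admin reboot the device from https(172.20.120.12). "
    "The reason is 'December monthly maintenance'",
    "2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown "
    "User admin shutdown the device from ssh(172.20.120.11). "
    "The reason is 'emergency facility shutdown'",
]


if __name__ == "__main__":
    for ev in power_events(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.action:<8} by {ev.user} via "
              f"{ev.method}({ev.source_ip}): {ev.reason}")
```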
execute source-guard-violation reset
Use these commands to reset the source-guard violations.
Syntax
execute source-guard-violation reset all
execute source-guard-violation reset interface <interface_name>
Variable | Description |
---|---|
all | Reset all source-guard violations. |
interface <interface_name> | Reset source-guard violations for the specified switch interface. |
execute ssh
Use this command to establish an SSH session with another system.
Syntax
execute ssh <destination>
<destination> is the destination in the form user@IPv4_address, user@IPv6_address, or user@DNS_name. If the IPv6 address is a link-local address, you must specify an output interface using %.
Examples
execute ssh admin@fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute ssh admin@172.20.120.122
execute ssh 1002::21
execute ssh 12.345.6.78
To end an SSH session, type exit:
S524DF4K15000024 # exit
Connection to 172.20.120.122 closed.
S524DF4K15000024 #
execute stage
Use this command to stage an image from an FTP or TFTP server.
Syntax
execute stage image ftp <string> <ftp server>[:ftp port]
execute stage image tftp <string> <ip>
<string> is the image file name (including path) on the remote server.
execute sticky-mac
Use this command to manage MAC addresses that were dynamically learned and are persistent when the status of a FortiSwitch port changes (goes down or up).
Syntax
execute sticky-mac delete-unsaved {all | interface <interface_name>}
execute sticky-mac save {all | interface <interface_name>}
Variable | Description |
---|---|
delete-unsaved {all \| interface <interface_name>} | Delete all persistent MAC entries (instead of saving them in the FortiSwitch configuration file) for all interfaces or for the specified interface. |
save {all \| interface <interface_name>} | Save all persistent MAC entries in the FortiSwitch configuration file for all interfaces or for the specified interface. |
execute switch-controller clear-nac-mac-cache
Use this command to delete the FortiSwitch cache of network access control (NAC) MAC addresses.
Syntax
execute switch-controller clear-nac-mac-cache
execute switch-controller delete-nac-mac-cache
Use this command to delete a specific MAC address from the FortiSwitch NAC cache.
Syntax
execute switch-controller delete-nac-mac-cache <MAC_address>
Example
S524DF4K15000024 # execute switch-controller delete-nac-mac-cache 00:00:02:00:0d:00
execute switch-controller get-conn-status
Use this command to display the status of the FortiLink connection. This command is valid only when the FortiSwitch unit is managed by a FortiGate device.
Syntax
execute switch-controller get-conn-status
Example
S524DF4K15000024 # execute switch-controller get-conn-status
Get managed-switch S524DF4K15000024 connection status:
Connection: Connected
Image Version: FG100D-v6.2-build849
Remote Address: xxx.xxx.x.x
Join Time: Wed Mar 13 08:38:57 2019
DTLS Version: DTLSv1.2
execute switch-controller get-nac-mac-cache
Use this command to list the MAC addresses in the FortiSwitch NAC cache.
Syntax
execute switch-controller get-nac-mac-cache
Example
S548DN5018000532 # execute switch-controller get-nac-mac-cache
MAC-ADDRESS        VLAN  ACT  SYNC  INTERFACE
00:00:02:00:0d:00  4089  1    0     port2
00:00:02:00:0d:01  4089  1    0     port2
00:00:02:00:0d:02  4089  1    0     port2
execute system admin account-convert-sha1
Use this command to convert the stored password of a system administrator account to a SHA1 hash.
Syntax
execute system admin account-convert-sha1 <admin_name>
Example
S524DF4K15000024 # execute system admin account-convert-sha1 localadmin
execute system admin account-convert-sha256
Use this command to convert the stored password of a system administrator account to a SHA256 hash.
Syntax
execute system admin account-convert-sha256 <admin_name>
Example
S524DF4K15000024 # execute system admin account-convert-sha256 localadmin
execute system certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiSwitch or to export a CA certificate from the FortiSwitch to a TFTP server.
Before using this command, you must obtain a CA certificate issued by a Certificate Authority.
Syntax
execute system certificate ca export tftp <name> <file-name> <tftp_ip>
execute system certificate ca import auto <ca_server_url> [ca_identifier_str]
execute system certificate ca import tftp <file-name> <tftp_ip>
Variable | Description |
---|---|
import | Import the CA certificate from a TFTP server to the FortiSwitch unit. |
export | Export or copy the CA certificate from the FortiSwitch to a file on the TFTP server. The available CA certificates are Entrust_802.1x_CA, Entrust_802.1x_G2_CA, Entrust_802.1x_L1K_CA, Fortinet_CA, and Fortinet_CA2. |
<name> | Enter the name of the CA certificate. |
<file-name> | Enter the file name on the TFTP server. |
<tftp_ip> | Enter the TFTP server address. |
auto | Retrieve a CA certificate from a SCEP server. |
tftp | Import the CA certificate to the FortiSwitch from a file on a TFTP server (local administrator PC). |
<ca_server_url> | Enter the URL of the CA certificate server. |
<ca_identifier_str> | CA identifier on the CA certificate server (optional). |
execute system certificate crl import auto
Use this command to get a certificate revocation list via the LDAP, HTTP, or SCEP protocol, depending on the autoupdate configuration.
To use this command, the authentication servers must already be configured.
Syntax
execute system certificate crl import auto <crl-name>
Variable | Description |
---|---|
import | Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiSwitch unit. |
<crl-name> | Enter the name of the CRL. |
auto | Trigger an auto-update of the CRL from the configured authentication server. |
execute system certificate local export tftp
Use this command to export a local certificate from the FortiSwitch to a TFTP server.
Syntax
execute system certificate local export tftp <name> <file-name> <tftp_ip>
Variable | Description |
---|---|
export | Export or copy the local certificate from the FortiSwitch unit to a file on the TFTP server. |
<name> | Enter the name of the local certificate. Available local certificates are Entrust_802.1x, Fortinet_Factory, and Fortinet_Firmware. |
<file-name> | Enter the file name on the TFTP server. |
<tftp_ip> | Enter the TFTP server address. |
execute system certificate local generate
Use this command to generate a local certificate.
When you generate a certificate request, you create a private and public key pair for the local FortiSwitch unit. The public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the system certificate local import command to install it on the FortiSwitch unit.
Syntax
execute system certificate local generate <name> <key-length> <subject_str> <country> <state> <city> <organization> <bu> <email> <SAN> <URL> <challenge> <source_IP> <CA_id> <password>
Variable | Description |
---|---|
<name> | Enter the local certificate name. |
<key-length> | Enter the key size, which can be 1024, 1536, or 2048. |
<subject_str> | Enter the subject (host IP address/domain name/e-mail address). |
<country> | Enter the country name (such as |
<state> | Enter the state. |
<city> | Enter the city. |
<organization> | Enter the company name. |
<bu> | Enter the business unit. |
<email> | Enter the email address. |
<SAN> | This field is optional. Enter a subject alternative name. |
<URL> | This field is optional. Enter the URL of the CA server for signing using SCEP. |
<challenge> | Enter the challenge password for signing using SCEP. |
<source_IP> | This field is optional. Enter the source IP address for communicating with the CA server. |
<CA_id> | This field is optional. Enter the CA identifier of the CA server for signing using SCEP. |
<password> | This field is optional. Enter the password if you are using a private key. |
execute system certificate local import tftp
Use this command to import a local certificate to the FortiSwitch from a TFTP server.
Syntax
execute system certificate local import tftp <file-name> <tftp_ip>
Variable | Description |
---|---|
<name> | Enter the name of the local certificate. |
<file-name> | Enter the file name on the TFTP server. |
<tftp_ip> | Enter the TFTP server address. |
execute system certificate remote
Use this command to import a remote certificate from a TFTP server or to export a remote certificate from the FortiSwitch unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
execute system certificate remote import tftp <file-name> <tftp_ip>
execute system certificate remote export tftp <name> <file-name> <tftp_ip>
Variable | Description |
---|---|
import | Import the remote certificate from the TFTP server to the FortiSwitch unit. |
export | Export or copy the remote certificate from the FortiSwitch to a file on the TFTP server. To view a list of the certificates, use the following command: |
<name> | Enter the name of the remote certificate. |
<file-name> | Enter the file name on the TFTP server. |
<tftp_ip> | Enter the TFTP server address. |
execute system sniffer-profile delete-capture
Use this command to delete the .pcap file for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile delete-capture <profile_name>
Example
execute system sniffer-profile delete-capture profile1
execute system sniffer-profile pause
Use this command to pause a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile pause <profile_name>
Example
execute system sniffer-profile pause profile1
execute system sniffer-profile start
Use this command to start a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile start <profile-name>
Example
execute system sniffer-profile start profile1
execute system sniffer-profile stop
Use this command to stop a packet capture for a specific packet-capture profile. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile stop <profile-name>
Examples
execute system sniffer-profile stop profile1
execute system sniffer-profile upload
Use this command to upload the .pcap file for a specific packet-capture profile to a TFTP or FTP server. To create a packet-capture profile, see config system sniffer-profile.
Syntax
execute system sniffer-profile upload ftp <profile_name> <file_name> <FTP_server_IP_address:<optional_port>>
execute system sniffer-profile upload tftp <profile_name> <file_name> <TFTP_server_IP_address:<optional_port>>
Variable | Description |
---|---|
<profile_name> | Enter the name of the packet-capture profile. |
<file_name> | Enter the name of the .pcap file and the path where it is located. |
<FTP_server_IP_address:<optional_port>> | Enter the IP address of the FTP server and optionally enter the port number. |
<TFTP_server_IP_address:<optional_port>> | Enter the IP address of the TFTP server and optionally enter the port number. |
Examples
execute system sniffer-profile upload ftp profile profile1.pcap 192.168.1.23
execute telnet
Use this command to open a Telnet client session to a remote host. You can use this tool to test network connectivity. Telnet carries the whole session, including any credentials you type, in cleartext, so use it for connectivity checks only and use execute ssh for interactive administration.
Syntax
execute telnet <telnet_ipv4 or telnet_ipv6>
<telnet_ipv4 or telnet_ipv6> is the IPv4 or IPv6 address to connect to. If the IPv6 address is a link-local address, you must append the output interface to the address with %.
Type exit to close the Telnet session.
Examples
execute telnet fe80::926c:acff:fe7b:e059%vlan20 // vlan20 is the output interface.
execute telnet 1002::21
execute telnet 192.0.2.78
execute time
Use this command to display or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where:
- hh is the hour. The range is 00 to 23.
- mm is the minutes. The range is 00 to 59.
- ss is the seconds. The range is 00 to 59.
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example both 01:01:01 and 1:1:1 are allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
execute traceroute
Use this command to test the connection between the FortiSwitch and another network device, and display information about the network hops between the FortiSwitch and the device.
Syntax
execute traceroute {<IPv4_address> | <host-name>} <maximum_number_of_hops> <number_of_probes> <timeout_seconds>

| Variable | Description | Default |
|---|---|---|
| {<IPv4_address> \| <host-name>} | Enter the IPv4 address or host name to trace the route to. | |
| <maximum_number_of_hops> | Enter the maximum number of hops that the route can take. | 32 |
| <number_of_probes> | Enter the number of probes to send per hop. | 3 |
| <timeout_seconds> | Enter how many seconds to wait for a reply to each probe; a probe that gets no reply within that time is shown as *. | 5 |
Example
This example shows how to test the connection with http://docs.forticare.com. In this example, the traceroute command times out after the fifth hop (96.45.47.14), indicating a possible problem beyond that device.
S548DF5018000776 # execute traceroute docs.forticare.com 10 5 10
traceroute to docs.forticare.com (208.91.114.175), 10 hops max, 5 probe count, 10 timeout, 72 byte packets
1 10.105.16.1 0.765 ms 0.415 ms 0.170 ms 0.164 ms 6.952 ms
2 10.64.254.33 1.687 ms 0.666 ms 2.438 ms 2.048 ms 0.289 ms
3 96.45.36.3 1.767 ms 0.630 ms 0.281 ms 0.323 ms 0.257 ms
4 96.45.47.219 21.311 ms 21.403 ms 23.585 ms 21.232 ms 21.414 ms
5 96.45.47.14 20.783 ms 20.730 ms 21.269 ms 20.747 ms 20.730 ms
6 * * * *
If your FortiSwitch is not connected to a working DNS server, you will not be able to connect to remote host-named locations with the traceroute command.
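When traceroute output is collected from many switches, the interesting questions are where the path goes silent and where latency jumps. The Python script below is an added example, not FortiSwitch code: it parses this output form, reports the first hop at which every probe timed out, and flags hops whose minimum RTT is far above the previous hop's. SAMPLE_OUTPUT is a constructed copy of the example above so the script runs offline; the jump factor of 5 is an arbitrary threshold.

```python
"""Parse `execute traceroute` output and report where the path goes silent.

Added example, not FortiSwitch code. SAMPLE_OUTPUT is a constructed copy of
the page's traceroute example (prompt line included); on a real switch you
would feed the parser the captured CLI output instead.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
S548DF5018000776 # execute traceroute docs.forticare.com 10 5 10
traceroute to docs.forticare.com (208.91.114.175), 10 hops max, 5 probe count, 10 timeout, 72 byte packets
1 10.105.16.1 0.765 ms 0.415 ms 0.170 ms 0.164 ms 6.952 ms
2 10.64.254.33 1.687 ms 0.666 ms 2.438 ms 2.048 ms 0.289 ms
3 96.45.36.3 1.767 ms 0.630 ms 0.281 ms 0.323 ms 0.257 ms
4 96.45.47.219 21.311 ms 21.403 ms 23.585 ms 21.232 ms 21.414 ms
5 96.45.47.14 20.783 ms 20.730 ms 21.269 ms 20.747 ms 20.730 ms
6 * * * *
"""

# Header line: target, resolved IP and the three numeric arguments.
HEADER_RE = re.compile(
    r"traceroute to (?P<host>\S+) \((?P<ip>[^)]+)\), (?P<max_hops>\d+) hops max, "
    r"(?P<probes>\d+) probe count, (?P<timeout>\d+) timeout"
)
# Hop lines start with the hop number; the rest is an address or '*' plus probes.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*\S)\s*$")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


def parse_header(text: str) -> Optional[Dict[str, object]]:
    """Return target, resolved IP and the probe/timeout settings, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    return {
        "host": m["host"],
        "ip": m["ip"],
        "max_hops": int(m["max_hops"]),
        "probes": int(m["probes"]),
        "timeout": int(m["timeout"]),
    }


def parse_hops(text: str) -> List[Dict[str, object]]:
    """One record per hop line: hop number, responding address (None when
    every probe timed out), RTTs in ms, and the number of timed-out probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # prompt, header or blank line
        tokens = m["rest"].split()
        address = None if tokens[0] == "*" else tokens[0]
        hops.append({
            "hop": int(m["hop"]),
            "address": address,
            "rtts": [float(v) for v in RTT_RE.findall(m["rest"])],
            "timeouts": m["rest"].count("*"),
        })
    return hops


def first_silent_hop(hops: List[Dict[str, object]]) -> Optional[int]:
    """Hop number of the first hop at which no probe answered, if any."""
    for h in hops:
        if not h["rtts"]:
            return h["hop"]
    return None


def latency_jumps(hops: List[Dict[str, object]], factor: float = 5.0) -> List[int]:
    """Hops whose minimum RTT exceeds `factor` times the previous answering
    hop's minimum RTT; a crude marker for a WAN link or a congested device."""
    flagged, prev = [], None
    for h in hops:
        if not h["rtts"]:
            continue
        cur = min(h["rtts"])
        if prev is not None and prev > 0 and cur > factor * prev:
            flagged.append(h["hop"])
        prev = cur
    return flagged


if __name__ == "__main__":
    header = parse_header(SAMPLE_OUTPUT)
    hops = parse_hops(SAMPLE_OUTPUT)
    print(f"{header['host']} ({header['ip']}): {len(hops)} hop lines")
    print("first silent hop:", first_silent_hop(hops))
    print("latency jumps at hops:", latency_jumps(hops))
```

On the sample, the first silent hop is 6 and the only latency jump is at hop 4, where the path leaves the local network.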
execute tracert6
Use this command to test the connection between the FortiSwitch and another network device using the IPv6 protocol and to display information about the network hops between the FortiSwitch and the device.
Syntax
execute tracert6 [-Fdn] [-f <first_ttl>] [-i <interface>] [-m <max_ttl>] [-s <src_addr>] [-q <nprobes>] [-w <waittime>] [-z <sendwait>] <host> [<paddatalen>]

| Variable | Description |
|---|---|
| -F | Set the Don't Fragment bit. |
| -d | Enable debugging. |
| -n | Do not resolve numeric addresses to host names. |
| -f <first_ttl> | Set the initial time-to-live used in the first outgoing probe packet. |
| -i <interface> | Select the interface to use for the trace. |
| -m <max_ttl> | Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets. |
| -s <src_addr> | Set the source IP address to use in outgoing probe packets. |
| -q <nprobes> | Set the number of probes per hop. |
| -w <waittime> | Set the time in seconds to wait for a response to a probe. The default is 5. |
| -z <sendwait> | Set the time in milliseconds to pause between probes. |
| <host> | Enter the IP address or FQDN to probe. |
| <paddatalen> | Set the packet size to use when probing. |
execute upload config
Use this command to copy a configuration file from an FTP or TFTP server to the flash disk on the FortiSwitch. The comment you supply is stored with the uploaded configuration. FTP and TFTP transfer the file, and for FTP the user name and password, in cleartext; use them only on a trusted management network.
Syntax
execute upload config ftp <filename_str> <comment> {<server_ipv4>[:<port_int>] | <server_fqdn>[:<port_int>]} [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>

| Variable | Description |
|---|---|
| <filename_str> | Name of the configuration file to upload. |
| <comment> | Comment string stored with the uploaded configuration. |
| <server_ipv4>[:<port_int>] | Server IP address and optional port number. |
| <server_fqdn>[:<port_int>] | Server fully qualified domain name and optional port number. |
| <username_str> | User name required on the server. |
| <password_str> | Password required on the server. |
| <backup_password_str> | Password that the backup file was protected with, if one was set when the configuration was backed up. |
execute verify image
Use this command to verify the integrity of the image in the primary or secondary (if applicable) flash partition.
Syntax
execute verify image {primary | secondary}
Example
execute verify image primary
Verifying the image in flash......100%
No issue found!
execute verify image secondary
Verifying the image in flash......100%
Bad/corrupted image found in flash!
Command fail. Return code -1
execute wake-on-lan
Use this command to send Wake-on-LAN (WoL) packets to a specific MAC address to remotely turn on a computer.
Syntax
execute wake-on-lan <interface_type> <interface_or_port> <host_MAC_address> <protocol> <port> <IP_address> <password>
| Variable | Description |
|---|---|
| <interface_type> | Select the interface type that sends the WoL packets: 1 to use a system interface or 2 to use a switch port. The default is 1. |
| <interface_or_port> | If you selected 1 for the interface type, specify which system interface to use (required). If you selected 2, specify which switch port to use (optional). |
| <host_MAC_address> | Required. Enter the MAC address (XX:XX:XX:XX:XX:XX) of the computer to turn on. |
| <protocol> | Optional. Select the protocol used to send the WoL packets: 1 for WoL or 2 for UDP. The default is 2. |
| <port> | Optional. If you selected 2 for the protocol, select the UDP port the WoL packets use: 0, 7, or 9. The default is 9. |
| <IP_address> | Optional. If you selected 2 for the protocol, enter the broadcast IP address the WoL packets are sent to. |
| <password> | Optional. Enter the password if a 6-byte SecureOn password is enabled on the destination host. The password can be a string or 0x plus a hexadecimal value. |
Examples
If you are sending the WoL packets by UDP from the FortiSwitch port3 to a MAC address of aa:bb:cc:00:11:22:
execute wake-on-lan 2 port3 aa:bb:cc:00:11:22 2 9 1.2.3.4
If you are sending the WoL packets by UDP from the FortiSwitch port10 to a MAC address of 10:20:30:40:50:60 and the destination host is protected by a SecureOn password:
execute wake-on-lan 2 port10 10:20:30:40:50:60 2 9 10.10.10.10 passwd
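The Python script below is an added example, not FortiSwitch code. It builds the magic packet that the UDP form of this command sends (6 bytes of 0xFF, the target MAC repeated 16 times, then the optional 6-byte SecureOn password), accepts the password in either form the command allows, and includes a checker a receiver or a packet-capture script can use to recognise a magic packet for a given MAC. The MAC addresses, broadcast address and password are the page's example values; the requirement that a string-form SecureOn password be exactly 6 characters is an assumption drawn from the 6-byte SecureOn format.

```python
"""Build, send and recognise Wake-on-LAN magic packets.

Added example, not FortiSwitch code: it shows what the UDP form of
`execute wake-on-lan` puts on the wire. The MAC, broadcast address and
password used below are the page's example values, not real hosts.
"""
import re
import socket
from typing import Optional

WOL_PORT = 9  # one of the UDP ports the command allows (0, 7 or 9)


def parse_mac(mac: str) -> bytes:
    """Accept XX:XX:XX:XX:XX:XX (or XX-XX-...) and return the 6 raw bytes."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def parse_secureon(password: Optional[str]) -> bytes:
    """SecureOn password as the command accepts it: a plain string or
    0x plus hex digits. Assumption: either form must yield exactly 6 bytes."""
    if password is None:
        return b""
    if password[:2].lower() == "0x":
        raw = bytes.fromhex(password[2:])
    else:
        raw = password.encode("ascii")
    if len(raw) != 6:
        raise ValueError("SecureOn password must be exactly 6 bytes")
    return raw


def build_magic_packet(mac: str, password: Optional[str] = None) -> bytes:
    """Sync stream of 6 x 0xFF, the target MAC repeated 16 times, then the
    optional 6-byte SecureOn password (102 or 108 bytes in total)."""
    return b"\xff" * 6 + parse_mac(mac) * 16 + parse_secureon(password)


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """Receiver/capture side: is this UDP payload a magic packet for `mac`?
    Tolerates the optional SecureOn trailer but nothing else."""
    if len(payload) not in (102, 108):
        return False
    return payload[:102] == b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac: str, broadcast_ip: str, port: int = WOL_PORT,
                      password: Optional[str] = None) -> int:
    """Broadcast the packet over UDP; returns the number of bytes sent."""
    packet = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast_ip, port))


if __name__ == "__main__":
    # Same packet as the page's second example:
    # execute wake-on-lan 2 port10 10:20:30:40:50:60 2 9 10.10.10.10 passwd
    pkt = build_magic_packet("10:20:30:40:50:60", "passwd")
    print(len(pkt), "bytes, starts with", pkt[:8].hex())
    # Uncomment on a host attached to that broadcast domain:
    # send_magic_packet("10:20:30:40:50:60", "10.10.10.10", 9, "passwd")
```

Because the magic packet carries no authentication beyond the optional SecureOn trailer, anyone who can inject a broadcast into the VLAN can wake the host; the checker above is the same test a capture-based monitor would use to spot unexpected wake-ups.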