<profile-name>

Enter the name for the profile.

admingrp {none | read | read-write}

Set the permission for administrative access.

alias-commands {all | <list>}

Specify the aliases and alias groups to include in the access profile or specify all. The aliases and alias groups specified for this access profile control which commands an administrator can run using the execute alias commands. Use a space to separate multiple items.

exec-alias-grp {none | read | read-write}

Specify one of the following options:

• Select none to prevent access to the execute alias configure commands.

• Select read to provide access to the execute alias configure {get | show | show-full-configuration} command.

• Select read-write to provide access to the execute alias configure {get | show | show-full-configuration | set | unset} and execute alias script commands.

loggrp {none | read | read-write}

Set the permission for logging access.

mntgrp {none | read | read-write}

Set the permission for critical system maintenance access .

netgrp {none | read | read-write}

Set the permission for network access.

pktmongrp {none | read | read-write}

Set the access permission for packet and flow capture functionality.

routegrp {none | read | read-write}

Set the permission for routing access.

swcoregrp {none | read | read-write}

Set the permission for switch core access.

swmonguardgrp {none | read | read-write}

Set the access permission for switch monitor and guard features.

sysgrp {none | read | read-write}

Set the permission for system access.

<admin_name>

Enter the name for the admin account.

accprofile <profile‑name>

Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features.

accprofile-override {enable | disable}

Enable or disable whether the remote authentication server can override the accesss profile.

allow-remove-admin-session {enable | disable}

Allow admin session to be removed by privileged admin users

comments <comments_string>

Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)

force-password-change{enable | disable}

Enable or disable whether the admistrator is forced to change the password when logging in next.

gui-detail-panel-location {bottom | hide | side}

Choose the position of the log detail window.

{ip6-trusthost1 | ip6‑trusthost2 | ip6‑trusthost3 | ip6‑trusthost4 | ip6‑trusthost5 | ip6‑trusthost6 | ip6‑trusthost7 | ip6‑trusthost8 | ip6‑trusthost9 | ip6‑trusthost10}

<address_ipv6mask>

Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit.

If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0.

password

<admin_password>

Enter the password for this administrator. It can be up to 256 characters in length.

If you want to include the “?” character as part of the password:

1. Press Ctrl+v.

2. Type the “?” character .

peer-auth {disable | enable}

Set to enable peer certificate authentication (for HTTPS admin access).

peer-group <peer-grp>

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled.

remote-auth

{enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

remote-group <name>

Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.

This is available only when remote-auth is enabled.

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled.

Starting in FortiSwitchOS 7.4.0, you can add multiple administrators with wildcards in their names.

wildcard-fallback {enable | disable}

Enable or disable attempting authentication against wildcard accounts if authenticating this account fails.

This option is available only when remote-auth is enabled and when wildcard is disabled.

schedule <schedule-name>

Restrict times that an administrator can log in. Defined in config firewall schedule. No default indicates that the administrator can log in at any time.

ssh-public-key1 "<key‑type> <key‑value>"

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.

<key-value> is the public key string of the SSH client.

ssh-public-key2 "<key‑type> <key‑value>"

ssh-public-key3 "<key‑type> <key‑value>"

{trusthost1 | trusthost2 |

trusthost3 | trusthost4 |

trusthost5 | trusthost6 |

trusthost7 | trusthost8 |

trusthost9 | trusthost10}

<address_ipv4mask>

Any IPv4 address or subnet address and netmask from which the administrator can connect to the system.

If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

If the type will be configuration, enter an alias name for the command in this configuration. If the type will be script,enter a script name.

The alias or script name cannot be all or match an alias group name.

If the type will be configuration, enter a description of the command or a help message. It can be up to 80-characters long. The description is displayed with the alias name when you enter execute alias configure {get | show | show-full-configuration | set | unset} ?.

If the type will be script, enter a description of the script. It can be up to 80-characters long. The description is displayed with the script name when you enter execute alias script ?.

The configuration type provides configuration-specific functionality to control get, show, show-full-configuration, set, and unset commands. You can also use the configuration type to limit accessible table entries and limit displayed attributes.

The script type allows the administrator to create a list of CLI commands to run.

Required. Enter the period-separated path to the CLI command.

For example, enter set path switch.lldp.profile to apply the configuration to the config switch lldp profile command. Enter set path system.interface to apply the configuration to the config system interface command. You can specify only top-level objects, such as system.interface, router.bgp, or system.snmp.settings. If you specify child objects or child tables (such as system.interface.ipv6, router.bgp.neighbor, or switch.lldp.profile.custom-tlv), FortiSwitch returns an error.

attribute <attibute-name>

Required. Enter the attribute that can be retrieved or modified.

Enter set attribute ? to see the list of valid attributes. If you enter an invalid value, FortiSwitchOS returns an error.

This option is available only when path has been set.

permission {read | read-write}

Select read to allow this alias to be used by the execute alias configure {get | show | show-full-configuration} command. Select read-write to allow this alias to be used by the execute alias configure {get | show | show-full-configuration | set | unset} command.

table-listing {allow | deny}

Allow or prevent the listing of all entries by the execute alias configure {get | show | show-full-configuration} command commands.

• Select allow to permit all entries to be listed.

• Select deny to prevent the entries from being listed except for the entries specified in the table-ids-allowed setting. If table-ids-allowed is empty, a valid entry must be provided for listing.

This option is available only when path has been set.

limit-shown-attributes {disable | enable}

Enable or disable whether to limit the attributes displayed with the show and get commands. Selecting disable displays all attributes for the show and get commands. Selecting enable displays only the attributes listed in attributes and read-only-attributes.

read-only-attributes <attribute-name>

When limit-shown-attributes is enabled, you can enter additional attributes to display with the show and get commands. When you enter read-only-attributes ? to see a list of valid attributes, more attributes are available than when you enter set attribute ?. Read-only attributes can include child tables, child objects, and get-only attributes. You can list up to 31 attributes.

table-ids-allowed <table-ID-value>

Specify which entries can be accepted by the execute alias configure {get | show | show-full-configuration | set | unset} command.

Enter set table-ids-allowed ? to see a list of valid entries. You can specify entries that do not currently exist; they can be created later.

If table-listing is set to deny, the table-ids-allowed entries are displayed when the user runs the execute alias configure {get | show | show-full-configuration} command without specifying any entry.

This option is available only when path has been set.

command <string>

Enter the script command (within quotation marks) to be run. You can use the Enter key to separate command lines. Enter set command ? for formatting details.

This option is available only when type has been set to script.

table-entry-create {allow | deny}

Allow or deny the creation of new table (or sub-table) entries.

This option is available only when type has been set to script. When type has been set to configuration, you cannot create any new table entries.

<argument_ID>

Enter an identifier for the argument. The identifier must match the identifier used in the script.

type {integer | string | table-id}

Enter the data type that the argument accepts.

name <string>

Enter the display name for the argument. You can use uppercase and lowercase letters, numbers, and hyphens. The display name is shown when the user runs the execute alias script command.

help <string>

Enter a help message for the argument. You can use uppercase and lowercase letters, numbers, slashes, parentheses, brackets, commas, underscores, and hyphens. The help message is displayed when the user runs the execute alias script command.

optional {enable | disable}

Enable this option to allow the user to omit entering a value for this argument. Disable this option to force the user to specify a value for this argument.

range {enable | disable}

Enable this option to allow a range of integers, a range of table identifiers, or a comma-separated list of strings. Disable this option to allow only a single value for this argument.

range-delay <0-172800>

Enter the number of seconds to delay between values when executing.

This option is available only when range has been set to enable.

<table_value>

Enter the identification number for the table.

interface {<string> | internal | mgmt}

Enter the interface to associate with this ARP entry

ip <address_ipv4>

Enter the IP address of the ARP entry.

Select the type of action to perform:

• alert—Display an alert in the console.

• cli-script—Run a CLI script.

• email—Send a notification email.

• snmp-trap—Generate an SNMP trap.

• webhook—Send data to a uniform resource identifier (URI), such as an IP address or URL.

accprofile <string>

Specify the access profile required to run the CLI script.

This option is available only when action-type is set to cli-script.

email-body <string>

Enter the body of the email. By default, the log message is sent.

This option is available only when action-type is set to email.

email-from <string>

Enter the name of the sender of the email.

This option is available only when action-type is set to email.

email-subject <string>

Enter the subject of the email.

This option is available only when action-type is set to email.

email-to <email_address>

Enter the email address or addresses that the email will be sent to when automation stitch is triggered.

This option is available only when action-type is set to email.

headers <string>

Enter the request headers.

This option is available only when action-type is set to webhook.

http-body <string>

If necessary, enter the request body. Use a serialized JSON string.

This option is available only when action-type is set to webhook.

method {delete | get | patch | post | put}

Select the request method: DELETE, GET, PATCH, POST, or PUT.

This option is available only when action-type is set to webhook.

minimum-interval <0-2592000>

Select how many seconds must pass before the action can be performed again.

port <1-65535>

Enter the port number that this protocol will use.

If the protocol is set to http, the default port is 80. If the protocol is set to https, the default port is 443.

This option is available only when action-type is set to webhook.

protocol {http | https}

Enter the request protocol, either HTTP or HTTPS.

This option is available only when action-type is set to webhook.

script <string>

Specify the name and path to the CLI script.

This option is available only when action-type is set to cli-script.

snmp-trap {cpu-high | mem-low | syslog-full | test-trap}

Select which SNMP trap is generated:

• cpu-high—CPU usage too high.

• mem-low—Available memory is low.

• syslog-full—Available log space is low.

• test-trap—Used for testing.

This option is available only when action-type is set to snmp-trap.

<name>

Name of the automation-stitch configuration.

status {enable | disable}

Enable or disable this automation stitch.

trigger-type

Select the type of trigger:

• event-based—Event-based trigger.

• scheduled—Scheduled trigger.

Select the type of event to trigger the automation-stitch action:

• config-change—Configuration change.

• event-log—Use the log ID as the trigger.

• reboot—After the switch restarts, the action is triggered.

This option is available only when the trigger-type is set to event-based.

logid <log_ID>

Enter the log ID to trigger the action. The range of values is 1-65535. If you use the full 10-digit entry, the first four digits are truncated.

This option is available only when the trigger-type is set to event-based and event-type is set to event-log.

trigger-frequency {daily | hourly | monthly | weekly}

Select whether the automation-stitch action is performed on a daily, hourly, monthly, or weekly basis.

This option is available only when the trigger-type is set to scheduled.

trigger-hour <0-23>

Select which hour of the day the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to daily or monthly, or weekly.

trigger-minute <0-59>

Select which minute of the hour the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled.

trigger-day <1-31>

Select which day of the month the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to monthly.

trigger-weekday <friday | monday | saturday | sunday | thrusday | tuesday | wednesday>

Select which day of the weekthe automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to weekly.

config fields

This option is available only when the event-type is event-log and the logid is set.

Starting in FortiSwitchOS 7.2.2, you can configure multiple fields for the automation trigger. The action is only performed if all conditions are valid (using AND logic).

<entry_ID>

Enter an identifer for this entry.

name <string>

Enter a name for this field.

pin <string>

Enter the Bluetooth pair personal identification number (PIN).

auth {no | yes}

Enter yes if the SMTP server requires authentication or no if it does not.

mailto <email_address>

The email address for bug reports.

password <password>

If the SMTP server requires authentication, enter the required password.

server <servername>

The SMTP server to use for sending bug report email.

username <name>

A valid user name on the specified SMTP server.

name

Enter the name of the certificate.

certificate

PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example.

name

Name of the certificate revocation list

crl

PEM format CRL. Paste the contents of a CRL file between quotation marks.

http-url

URL of HTTP server for CRL update

ldap-server

LDAP server

scep-cert

Local certificate used for CRL update using SCEP

name

Enter the name of the certificate.

comments

Optional administrator note.

password

Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate.

private-key

Paste the contents of a key file between quotation marks as shown in the example.

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Enter the name of the certificate or select one of the listed certificates.

unavail-action {ignore | revoke}

Set if the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable.

name

Name for the certificate

baudrate <speed>

Set the console port baud rate. Select one of 9600, 19200, 38400, 57600, or 115200.

hostname-display-length <4-35>

Set the maximum number of characters shown for the host name in the CLI prompt.

login {enable | disable}

Enable or disable whether users can log in with the FortiSwitchOS console port.

mode {batch | line}

Set the console mode to line or batch. Used for autotesting only.

<id>

Enter the identifier.

auto-configuration {enable | disable}

Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface

conflicted-ip-timeout <integer>

Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.

default-gateway <xxx.xxx.xxx.xxx>

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

dns-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 1. This option is only available when dns-service is set to specify.

dns-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 2. This option is only available when dns-service is set to specify.

dns-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 3. This option is only available when dns-service is set to specify.

dns-service {default | local | specify}

Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.

domain <string>

Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.

filename <string>

Enter the name of the boot file on the TFTP server.

interface <string>

Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.

lease-time <integer>

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.

Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.

netmask <xxx.xxx.xxx.xxx>

Enter the netmask of the addresses that the DHCP server assigns.

next-server <xxx.xxx.xxx.xxx>

Enter the IPv4 address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.

ntp-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 1. This option is only available when ntp-service is set to specify.

ntp-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 2. This option is only available when ntp-service is set to specify.

ntp-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 3. This option is only available when ntp-service is set to specify.

ntp-service {default | local | specify}

Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.

status {enable | disable}

Enable or disable this DHCP configuration.

tftp-server <string>

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.

timezone <00-75>

Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.

timezone-option {default | disable | specify}

Select how the DHCP server sets the clientʼs time zone. Select disable for the DHCP server to not set the clientʼs time zone. Select default for clients to be assigned the FortiSwitch unitʼs configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.

vci-match {enable | disable}

Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.

vci-string <VCI_strings>

Enter one or more VCI strings. This option is only available if vci-match is set to enable.

wifi-ac1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417).

wifi-ac2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417).

wifi-ac3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417).

wins-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 1.

wins-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 2.

<id>

Enter the identifier.

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the IP address range that will not be assigned to clients.

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the IP address range that will not be assigned to clients.

<id>

Enter the identifier.

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the DHCP IP address range.

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the DHCP IP address range.

<id>

Enter the identifier.

code <integer>

Select the DHCP option code. The range is 0-255.

ip <IP_addresses>

If type is set to ip, enter the IP addresses.

type {fqdn | hex | ip | string}

Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.

value <string>

Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.

<id>

Enter the identifier.

action {assign | block | reserved}

Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.

circuit-id {<string> | <hex>}

Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.

circuit-id-type {hex | string}

Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.

description <string>

Enter a description of this entry.

ip <xxx.xxx.xxx.xxx>

Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.

mac <xx:xx:xx:xx:xx:xx>.

Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.

remote-id {<string> | <hex>}

Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.

remote-id-type {hex | string}

Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.

cache-notfound-responses {enable | disable}

Enable to cache NOTFOUND responses from the DNS server.

dns-cache-limit <integer>

Set maximum number of entries in the DNS cache.

dns-cache-ttl <int>

Enter the duration, in seconds, that the DNS cache retains information.

domain <domain_name>

Set the local domain name (optional).

ip6-primary <dns_ipv6>

Enter the primary IPv6 DNS server IP address.

ip6-secondary <dns_ip6>

Enter the secondary IPv6 DNS server IP address.

primary <dns_ipv4>

Enter the primary DNS server IP address.

secondary <dns_ip4>

Enter the secondary DNS IP server address.

interval <integer>

The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.

name <FortiLAN_Cloud_FQDN_IP_address | FortiLink_IPv4_address>

If you are using FortiLAN Cloud, enter the fully qualified domain name or IP address for the FortiLAN Cloud.

If you are using FortiLink with HTTPS, enter the FortiLink IPv4 address.

port <port_number>

Port number used to connect to FortiLAN Cloud.

service-type {flan-cloud | fortilink-https}

If you are using FortiLAN Cloud, set service-type to flan-cloud.

If you are using FortiLink with HTTPS, set service-type to fortilink-https.

filter <string>

Specify the Berkeley packet filter (BPF) to use. For example, set filter "host 33.33.33.2".

format {netflow1 | netflow5 | netflow9 | ipfix}

You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.

identity <hexadecimal>

Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).

level {ip | mac | port | proto | vlan}

You can set the flow-tracking level to one of the following: - ip—The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.

• mac—The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
• port—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
• proto—The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
• vlan—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.

max-export-pkt-size <integer>

Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216.

template-export-period <1-60>

Set the number of minutes before the template is exported.

timeout-general <integer>

Set the general timeout in seconds for the flow session. The range of values is 60-604800.

timeout-icmp <integer>

Set the ICMP timeout for the flow session. The range of values is 60-604800.

timeout-max <integer>

Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.

timeout-tcp <integer>

Set the TCP timeout for the flow session. The range of values is 60-604800.

timeout-tcp-fin <integer>

Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.

timeout-tcp-rst <integer>

Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.

timeout-udp <integer>

Set the UDP timeout for the flow session. The range of values is 60-604800.

<collector_name>

Enter the name of the flow-export collector.

ip <IPv4_address>

Enter the IP address for the collector.

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

port <port_number>

Enter the port number for the collector.

The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.

transport {sctp | tcp | udp}

You can set exported packets to use UDP, TCP, or SCTP for transport.

<id>

Enter the identifier.

802.1x-ca-certificate {Fortinet_802.1x_CA | Fortinet_CA | Fortinet_CA2 | Fortinet_Sub_CA2 | Fortinet_fsw_cloud}

• Fortinet_802.1x_CA—Select this CA if you are using 802.1x authentication.
• Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
• Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
• Fortinet_Sub_CA2—Select this CA if you want to use the factory-installed certificate.
• Fortinet_fsw_cloud—Select this CA if you are using FortiLAN Cloud.

802.1x-certificate {Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

• Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
• Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
• Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
• Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

admin-concurrent {enable | disable}

Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.

admin-lockout-threshold

<failed_int>

Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.

admin-password-hash {pbkdf2 | pbkdf2-high | sha1 | sha256}

Select which hash algorithm is used to encode passwords for new administrator accounts:

• pbkdf2—Use the PBKDF2 hash algorithm with a lower iteration count.

• pbkdf2-high—Use the PBKDF2 hash algorithm with a higher iteration count.

• sha1—Use the SHA1 hash algorithm.

• sha256—Use the SHA256 hash algorithm.

admin-scp {enable | disable}

Enable to allow system configuration download by the secure copy (SCP) protocol.

admin-ssh-grace-time

<time_int>

Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds.

admin-ssh-port <port_number>

Enter the port to use for SSH administrative access.

admin-ssh-v1 {enable | disable}

Enable compatibility with SSH v1.0.

admin-telnet-port

<port_number>

Enter the port to use for telnet administrative access.

admintimeout <admin_timeout_minutes>

Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).

To improve security, keep the idle timeout at the default value of 5 minutes.

alertd-relog {enable | disable}

Enable or disable re-logs when a sensor exceeds its threshold.

alert-interval

NOTE: This command is only available after the alertd-relog option has been enabled.

Set how often an alert is generated for temperature sensors when they exceed their set thresholds.

allow-subnet-overlap {enable | disable}

Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.

Note: Different interfaces cannot have overlapping IP addresses or subnets.

Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

arp-timeout <seconds>

Set the number of seconds before dynamic ARP entries are removed from the cache.

asset-tag

LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).

cfg-save {automatic | manual | revert}

• automatic automatically save the configuration after every change.
• manual manually save the configuration using the execute acl key-compaction command.
• revert manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.

cfg-revert-timeout <10-2147483647>

After the configuration change, wait the specified number of seconds, restart the FortiSwitch unit, and revert to the last saved configuration if the configuration is not manually saved within the period.

Before FortiSwitchOS 7.2.1, there was no reboot before the configuration was reverted.

This command is available only when cfg-save is set to revert.

clt-cert-req {enable | disable}

Enable or disable the requirement to have a client certificate to log in to the GUI.

csr-ca-attribute {enable | disable}

Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.

daily-restart {enable | disable}

Enable to restart the FortiSwitch unit every day.

The time of the restart is controlled by restart-time.

detect_ip_conflict {enable | disable}

Enable the Detect IP Conflict feature.

dhcp-client-location {description | hostname | intfname | mode | vlan}

• description—Include the interface description.
• hostname—Include the host name.
• intfname—Include the interface name.
• mode—Include the mode.
• vlan—Include the VLAN.

dhcp-option-format {ascii | legacy}

• ascii—This format allows the user to choose the values for the circuit-id and remote-id fields.
• legacy—This format generates a predefined fixed format for the circuit-id and remote-id fields.

dhcp-remote-id {hostname | ip | mac}

• hostname—Include the host name.
• ip—Include the IP address.
• mac—Include the MAC address.

dhcp-server-access-list {enable | disable}

Set to disable for DHCP snooping to allow any DHCP server from trusted interfaces. Set to enable for DHCP snooping to allow only DHCP servers that are included in the allowed server list.

dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

• drop-untrusted—Client packets are broadcasted on trusted ports in the VLAN.
• forward-untrusted—By default, client packets are broadcasted on all ports in the VLAN.

dhcps-db-exp <number_of_seconds>

Set the number of seconds for a DHCP-snooping server database entry to be kept. The range of values is 300-259200.

dhcps-db-per-port-learn-limit <number_of_entries>

Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024.

dst {enable | disable}

Enable or disable daylight saving time.

If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.

hostname <unithostname>

Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underlines. No spaces are allowed.

While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI, and other locations the hostname is used.

Some models support hostnames up to 35 characters.

By default the hostname of your system is its serial number which includes the model.

image-rotation {enable | disable}

Enable or disable the rotation of the partition used to upgrade the FortiSwitch image.

ip-conflict-ignore-default {enable | disable}

Enable or disable IP conflict detection for the default IP address.

ipv6-accept-dad <0 | 1 | 2>

Specify whether to accept IPv6 duplicat address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found.

ipv6-all-forwarding {enable | disable

Enable or disable IPv6 forwarding.

kernel-crashlog {enable | disable}

Enable or disable whether to log a kernel crash.

kernel-devicelog {enable | disable}

Enable or disable the capture of kernel device messages to the log.

l3-host-expiry {enable | disable}

Enable or disable layer-3 host expiry.

ldapconntimeout <ldaptimeout_msec>

LDAP connection timeout in msec

post-login-banner "<string>"

Enter a message for the system post-login banner.

pre-login-banner "<string>"

Enter a message for the system pre-login banner.

private-data-encryption {enable | disable}

Enable or disable private data encryption using an AES 128-bit key.

radius-coa-port <port_number>

Set the port number to be used for the RADIUS change of authorization (CoA).

radius-port <radius_port>

Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your system.

remoteauthtimeout

<timeout_sec>

The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds, 0 means no timeout.

To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

revision-backup-on-logout {disable | enable}

Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI.

revision-backup-on-upgrade {enable | disable}

Enable or disable backing up the latest configuration revision when the administrator starts an upgrade.

single-psu-fault {enable | disable}

Enable this option to have the ALARM LED turn red when only one power supply unit (PSU) is connected. If you disable this option, the ALARM LED will not turn red, even when one or two PSUs are connected.

NOTE: This option is only available for the FSR-112D-POE model, system part number P17080-04 or later. You can check the system part number with the get system status command.

strong-crypto {enable | disable}

Strong encryption only allows strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by Firefox.

tcp-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

tcp6-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

<interface_name>

Edit an existing interface or create a new VLAN interface.

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

alias <name_string>

Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is available only when the interface type is physical.

bfd {enable | disable | global}

• enable — enable BFD and ignore global BFD configuration.
• disable — disable BFD on this interface.
• global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.

bfd-desired-min-tx <interval_msec>

Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec. This option is available only when bfd is enabled.

bfd-detect-mult <multiplier>

Select the BFD detection multiplier. This option is available only when bfd is enabled.

bfd-required-min-rx <interval_msec>

Enter the minimum required interface for the BFD receive interval. Valid range is from 1 to 100 000 msec. This is available only when bfd is enabled.

description <text>

Optionally, enter up to 63 characters to describe this interface.

dhcp-relay-service {enable | disable}

Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.

There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept.

Do not set dhcp-relay-ip to 0.0.0.0. This option is available only when dhcp-relay-service is enabled.

dhcp-relay-option82 {enable | disable}

Enable to allow option-82 insertion in the DHCP relay. This option is available only when dhcp-relay-service is enabled.

dhcp-vendor-specific-option <string>

Set the value for DHCP vendor-specific option 43.

external {enable | disable)

Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the config VoIP profile SIP contact-fixup option is disabled.

fail-detect {enable | disable}

Enable interface failure detection.

fail-detect-option {link-down | detectserver}

Select whether the system detects interface failure by port detection (link-down) or ping server (detectserver). This option is available only when fail-detect is enabled.

fail-alert-method

{link‑down | link‑failed‑signal}

Select the signal that the system uses to signal the link failure: Link Down or Link Failed. This option is available only when fail-detect is enabled.

fail-alert-interfaces {port1 port2 ...}

Select the interfaces to which failure detection applies. This option is available only when fail-detect is enabled.

icmp-redirect {enable | disable}

Disable to stop ICMP redirect from sending from this interface. ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available.

interface <interface_name>

Enter the name of the interface. This option is available ony when vlanid is set.

ip <interface_ipv4mask>

Enter the interface IP address and netmask. This option is not available if mode is set to dhcp. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.

log {enable | disable}

Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting.

l2-interface <interface_name>

Enter the name of the layer-2 interface.

This option is available only when the interface type is physical.

mode <interface_mode>

Configure the connection mode for the interface as one of:

• static—Configure a static IP address for the interface.
• dhcp—Configure the interface to receive its IP address from an external DHCP server.

dhcp-client-identifier

Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual interfaces). By default, the DHCP client identifier for each interface is created based on the model name and the interface MAC address. In some cases, you might want to specify your own DHCP client identifier using this command. This option is available only when the mode is set to dhcp.

distance <1-255>

Enter the distance of learned routes.

This command is available only when mode is set to dhcp.

defaultgw {enable | disable}

Enable to get the gateway IP address from the DHCP server. This option is available only when the mode is set to dhcp.

dns-server-override {enable | disable}

Disable to prevent this interface from using DNS server addresses it acquires by DHCP. This option is available only when the mode is set to dhcp.

mtu-override {enable | disable}

Select enable to use custom MTU size instead of default (1 500). This is available only for physical interfaces and some tunnel interfaces (not IPsec). If you change the MTU size, you must reboot the FortiSwitch to update the MTU values of the VLANs on this interface. Some models support MTU sizes larger than the standard 1,500 bytes.

secondary-IP {enable | disable}

Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address. When disabled, the Web-based manager interface displays only the option to enable secondary IP.

snmp-index <integer>

Configure the SNMP index

src-check {disable | loose | strict}

Set to disable if you do not want to use unicast reverse-path forwarding (uRPF).

Set to strict to ensure that the packet was received on the same interface that the router uses to forward the return packet.

Set to loose to ensure that the routing table includes the source IP address of the packet.

src-check-allow-default {enable | disable}

If you disable the src-default-route-check option, the packet is dropped if the source IP address is not found in the routing table. If you enable the src-default-route-check option, the packet is allowed even if the source IP address is not found in the routing table, but the default route is found in the routing table.

This option is available only when src-check is set to loose.

status {down | up}

Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

type {loopback | physical | vlan | vxlan}

• loopback—a virtual interface that is always up. This interface’s status and link status are not affected by external changes. It is primarily used for blackhole routing - dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. Loopback interfaces have no DHCP settings, no forwarding, no mode, or DNS settings. You can create a loopback interface from the CLI or Web-based manager.
• physical—a physical interface.
• vlan—a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.
• vxlan— a virtual extensible LAN interface.

vlanid <id_number>

Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of VLAN.

vrf <string>

Assign this virtual routing and forwarding (VRF) instance to a switch virtual interface (SVI).

After the SVI is created, the VRF instance cannot be changed or unset. The VRF instance cannot be assigned to an internal SVI.

<interface_name>

Edit an existing interface or create a new VLAN interface.

ip6-address <ipv6_netmask>

The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.

This command is only available in NAT/Route mode.

ip6-allowaccess <access_types>

Enter the types of management access permitted on this IPv6 interface. Valid types are: fgfm, http, https, ping, snmp, ssh, and telnet. Separate the types with spaces. If you want to add or remove an option from the list, retype the list as required.

autoconf {disable | enable}

Enable or disable the automatic address configuration.

ip6-unknown-mcast-to-cpu {disable | enable}

Enable or disable the sending of unknown multicast addresses to the CPU.

ip6-mode {dhcp | static}

Set the addressing mode to be static or DHCP.

DHCP addressing mode is available only when autoconf is disabled.

ip6-dns-server-override {disable | enable}

Enable or disable using the DNS server acquired by DHCP.

This command is available only when the ip6-mode is set to dhcp.

dhcp6-information-request {disable | enable}

Enable or disable the DHCPv6 infomation request.

ip6-send-adv {disable | enable}

Enable or disable the sending of the IPv6 router advertisement.

This command is only available when autoconf is disabled.

ip6-manage-flag {disable | enable}

Enable or disable the sending of the IPv6 managed flag.

ip6-other-flag {disable | enable}

Enable or disable the sending of the IPv6 other flag.

ip6-max-interval <4-1800>

Specify the maximum number of seconds before the RA is sent.

ip6-min-interval <3-1350>

Specify the minium number of seconds before the RA is sent.

ip6-link-mtu <integer>

Specify the IPv6 link maximum transmission unit.

ip6-reachable-time <0-3600000>

Specify the IPv6 reachable time in milliseconds.

ip6-retrans-time <0-2147483647>

Specify the IPv6 retransmit time in milliseconds.

ip6-default-life <0-9000>

Specify the IPv6 default life in seconds.

ip6-hop-limit <0-255>

Specify the maximum number of IPv6 hops.

vrip6_link_local {enable | disable}

Enter the link-local IPv6 address of virtual router.

vrrp-virtual-mac6 {enable | disable}

Enable VRRP virtual MAC addresses for the IPv6 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

<prefix_ipv6>

IPv6 address prefix. Configure addditonal IPv6 prefixes for this IPv6 interface.

<virtual_router_identifier 1-255>

Enter the VRRP virtual router identifier. The range of values is 1-255.

accept-mode {enable | disable}

Enable or disable the VRRP accept mode.

adv-interval <1-255>

Enter the VRRP advertisement interval. The range of values is 1-255 seconds.

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

priority <1-255>

Enter the priority of this virtual router. The VRRP virtual router on a network with the highest priority becomes the master. The range of values is 1-255.

start-time <1-255>

The startup time of this virtual router. The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system. The range of values is 1-255 seconds.

status {enable | disable}

Enable or disable this virtual router.

vrdst6 <IPv6_address>

Monitor the route to this destination.

vrgrp <1-65535>

Enter the VRRP group identifier. The value range is 1-65535.

vrip6 <IPv6_address>

Required. Enter the IPv6 address of the virtual router.

<prefix_ipv6>

IPv6 advertised prefix list. Configure which IPv6 prefixes are advertised.

autonomous-flag {disable | enable}

Enable or disable the autonomous flag.

onlink-flag {disable | enable}

Enable or disable the onlink flag.

preferred-life-time <0-2147483647>

Specify the preferred lifetime in seconds for the advertised IPv6 prefix.

<interface_name>

Edit an existing interface or create a new VLAN interface.

<id>

Identifier.

ip <IP_address_and_netmask>

Enter the IP address and netmask.

<interface_name>

Edit an existing interface or create a new VLAN interface.

<VRID_int>

VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.

adv-interval <seconds_int>

VRRP advertisement interval (1-255 seconds).

backup-vmac-fwd {enable | disable }

Enable or disable whether virtual MAC addresses are forwarded for VRRP backup.

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

priority <prio_int>

Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.

start-time <seconds_int>

The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system.

status {enable | disable}

Enable or disable this virtual router.

version {2 | 3}

Set the VRRP version to VRRP version 2 or VRRP version 3.

vrdst <ipv4_addr>

Monitor the route to this destination.

vrgrp <integer>

VRRP group identifier. The value range is 1-65535.

<id>

Enter a unique integer to create a new entry.

interface <interface_name>

Required. Enter the interface.

ipv6 <IPv6_address>

Enter the IPv6 addresss in the following format:

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

<link monitor name>

Enter the link monitor name.

addr-mode {ipv4 | ipv6}

Select whether to use IPv4 or IPv6 addresses.

srcintf <string>

Interface where the monitor traffic is sent.

server <IP_address1>, <IP_address2>, ..

The IP address(es) of the server(s). Use a comma to separate multiple IP addresses.

protocol {arp | ping}

Protocols used to detect the server. Select ARP or ping.

gateway-ip <IPv4 address>

Gateway IPv4 address used to PING the server. This option is available only when addr-mode is set to ipv4.

gateway-ip6 <IPv6 address>

Gateway IPv6 address used to PING the server. This option is available only when addr-mode is set to ipv6.

source-ip <IPv4 address>

Source IPv4 address used in packet to the server. This option is available only when addr-mode is set to ipv4.

source-ip6 <IPv6 address>

Source IPv6 address used in packet to the server. This option is available only when addr-mode is set to ipv6.

interval <integer>

Detection interval in seconds. The range is 1-3600.

timeout <integer>

Detect request timeout in seconds. The range is 1-255.

failtime <integer>

Number of retry attempts before bringing server down. The range is 1-10.

recoverytime <integer>

Number of retry attempts before bringing server up. The range is 1-10.

update-static-route {enable | disable}

Enable or disable update static route.

<name>

Enter a unique name for the location entry.

additional <string>

Enter additional location information, for example, west wing.

additional-code <string>

Enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code.

block <string>

Enter the neighborhood (Korea) or block.

branch-road <string>

Enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road.

building <string>

Enter the name of the building (structure) if the address includes more than one building, for example, Law Library.

city <string>

Enter the city (Germany), township, or shi (Japan).

city-division <string>

Enter the city division, borough, city district (Germany), ward, or chou (Japan).

country <string>

Enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE.

country-subdivision <string>

Enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.

county <string>

Enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India).

direction <string>

Enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.

floor <string>

Enter the floor number, for example, 4.

landmark <string>

Enter the nickname, landmark, or vanity address, for example, UC Berkeley.

language <string>

Enter the ISO 639 language code used for the address information.

name <string>

Enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon.

number <string>

Enter the street address, for example, 1560.

number-suffix <string>

Enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number-suffix.

place-type <string>

Enter the type of place, for example, home, office, or street.

post-office-box <string>

Enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value.

postal-community <string>

Enter the postal community name, for example, Alviso. When the postal-community name is set, the civic community name is replaced by this value.

primary-road <string>

Enter the primary road or street name for the address.

road-section <string>

Enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road.

room <string>

Enter the room number, for example, 7A.

script <string>

Enter the script used to present the address information, for example, Latn.

seat <string>

Enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show.

street <string>

Enter the street (Canada, Germany, Korea, and United States).

street-name-post-mod <string>

Enter an optional part of the street name that appears after the actual street name. If the full street name is East End Avenue Extended, the street-name-post-mod is Extended.

street-name-pre-mod <string>

Enter an optional part of the street name that appears before the actual street name. If the full street name is Old North First Street, the street-name-pre-mod is Old.

street-suffix <string>

Enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C.

sub-branch-road <string>

Enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street.

trailing-str-suffix <string>

Enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.

unit <string>

Enter the unit (apartment or suite), for example, Apt 27.

zip <string>

Enter the postal or zip code for the address, for example, 94089-1345.

altitude <string>

Enter the vertical height of a location using the altitude-unit to specify the unit used. The format is +/- floating point number, for example, 117.47.

altitude-unit {f | m}

Select whether the altitude is measured in m (meters) or f (floors).

datum {NAD83 | NAD83/MLLW | WGS84}

Select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.

latitude <string>

Enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N.

longitude <string>

Enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E.

allow-unsync-source {enable | disable}

Enable or disable whether an unsynchronized NTP server source is allowed.

authentication {enable | diable}

Enable or disable authentication.

log-time-adjustments {enable | disable}

Enable or disable whether FortiSwitch logs when NTP adjusts the system time.

ntpsync {enable | disable}

Enable or disable whether the system time is synchronized with the NTP server.

source-ip <ipv4_addr>

Enter the source IPv4 address for communication with the NTP server.

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communication with the NTP server.

syncinterval <interval_int>

Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1,440 minutes.

This option is availabe only when ntpsync is enabled.

<serverid_int>

Enter the number for this NTP server entry.

authentication {enable | diable}

Enable or disable authentication. If you enable authenication and use the NTPv3 protocol, MD5 authentication is used. If you enable authentication and use the NTPv4 protocol, SHA1 authentication is used.

key <string>

If authentication is enabled, enter a key for authentication.

key-id <integer>

If authentication is enabled, enter a key identifier for authentication.

ntpv3 {enable | disable}

Enable this option to use the NTPv3 protocol. Disable this option to use the NTPv4 protocol.

status enable

Enable password policy. The password policy cannot be disabled.

apply-to [admin‑password ipsec-preshared-key]

Select where the policy applies: administrator passwords or IPSec preshared keys. This option is available only when status is enabled.

change-4-characters {enable | disable}

Enable to require the new password to differ from the old password by at least four characters. This option is available only when status is enabled.

minimum-length <chars>

Set the minimum length of password in characters. Range 8 to 32. This option is available only when status is enabled.

min-lower-case-letter

<num_int>

Enter the minimum number of required lower case letters in every password. This option is available only when status is enabled.

min-upper-case-letter

<num_int>

Enter the minimum number of required upper case letters in every password. This option is available only when status is enabled.

min-non-alphanumeric <num_int>

Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when status is enabled.

min-number <num_int>

Enter the minimum number of number characters required in every password. This option is available only when status is enabled.

expire-status {enable | disable}

Enable to have passwords expire. This option is available only when status is enabled.

{default | PTP_policy_name}

Name of the PTP policy.

description <description_of_PTP_policy>

Description of the PTP policy.

vlan <0-4094>

The VLAN that will use the PTP policy. The range of values is 0-4094. Setting vlan to 0 means that the native VLAN is used for PDelayXXX messages.

NOTE: The VLAN must be a valid VLAN that the interface belongs to. Selecting an invalid VLAN can affect the performance.

{default | name_of_PTP_profile}

Name of the PTP profile.

default

description <description_of_PTP_profile>

Description of the PTP profile.

No default

domain <0-255>

PTP domain number. The range of values is 0-255.

This option is available only when mode is set to transparent-p2p.

Not applicable

mode {transparent-e2e | transparent-p2p}

PTP mode. You can select the end-to-end transparent clock or the peer-to-peer transparent clock. By default, the PTP mode is transparent-e2e.

transparent-e2e

pdelay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

The time between PDelay_Req messages. You can select 0.25, 0.5, 1, 2, or 4 seconds. The default value is 1 second.

This option is available only when mode is set to transparent-p2p.

Not applicable

ptp-profile C37.238-2017

PTP profile. Only the power profile is available.

This option is available only when mode is set to transparent-p2p.

Not applicable

<schedule_group_name>

Enter the name of the schedule group.

<schedule_name>

Enter the name of the schedule.

start <time_date>

Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd

<schedule_name>

Enter the name of the schedule.

day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

Enter one or more days for the ACL to be enforced. Separate days with a space.

start <time>

Enter the start time for the schedule in the following format: hh:mm

<collector_name>

Enter a name for the sFlow collector.

ip <collector_IPv4_address>

The sFlow agents send sFlow datagrams to the sFlow collector at this IPv4 address.

<profile_name>

The name of the packet-capture profile.

filter {<string> | none}

Enter none or enter the filter for selecting which packets to capture. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

max-pkt-count <1-maximum>

Enter how many packets to be captured on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Adminstration Guide for details.

max-pkt-len <64-1534>

Enter the maximum packet length in bytes to be captured on the interface.

switch-interface <switch_interface_name>

Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

<index_number>

Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

events <events_list>

Enable the events for which the system should send traps to the SNMP managers in this community. The following events can be enabled:

• cpu-high—The CPU usage is too high.
• ent-conf-change—The entityʼs configuration was changed (RFC 4133).
• fan-detect—The fan was detected, not detected, resumed, or failed.
• intf-ip—The interfaceʼs IP address was changed.
• ip-conflict—There is a conflict between IP addresses.

• l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.

• llv—Learning-limit violation.
• log-full—The available log space is low.
• mem-low—The available memory is low.
• psu-status—The status of the power supply unit has changed.
• sensor-alarm—The sensor triggered an alarm.
• sensor-fault—The sensor is faulty.
• tkmem-hb-oo-sync—The trunk memberʼs heart beat is unsynchronized.

name <community_name>

Enter the name of the SNMP community.

NOTE: After you run the execute factoryreset command, FortiSwitchOS creates an SNMP community with the name set to public.

query-v1-port <port_number>

Enter the SNMP v1 query port number used for SNMP manager queries.

query-v1-status {enable | disable}

Enable or disable SNMP v1 queries for this SNMP community.

query-v2c-port <port_number>

Enter the SNMP v2c query port number used for SNMP manager queries.

query-v2c-status {enable | disable}

Enable or disable SNMP v2c queries for this SNMP community.

status {enable | disable}

Enable or disable the SNMP community.

trap-v1-lport <port_number>

Enter the SNMP v1 local port number used for sending traps to the SNMP managers.

trap-v1-rport <port_number>

Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.

trap-v1-status {enable | disable}

Enable or disable SNMP v1 traps for this SNMP community.

trap-v2c-lport <port_number>

Enter the SNMP v2c local port number used for sending traps to the SNMP managers.

trap-v2c-rport <port_number>

Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.

trap-v2c-status

{enable | disable}

Enable or disable SNMP v2c traps for this SNMP community.

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

interface <interface_name>

Enter the name of the FortiSwitch interface to which the SNMP manager connects.

ip <IPv4_address/mask>

Enter the IPv4 IP address and mask of the SNMP manager (for hosts).

ip6 <IPv6_address>

Enter the IPv6 IP address of the SNMP manager (for hosts6).

source-ip <IPv4_address>

Enter the source IPv4 IP address for SNMP traps sent by the FortiSwitch (for hosts).

contact-info <info_str>

Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long.

description <description>

Add a name or description of the system. The description can be up to 35 characters long.

engine-id <engine-id_str>

• Fortinet prefix 0x8000304404
• the optional engine-id string, 24 characters maximum, defined in this command

Optionally, enter an engine-id value.

location <location>

Describe the physical location of the system. The system location description can be up to 35 characters long.

status {enable | disable}

Enable or disable the FortiSwitch SNMP agent.

trap-high-cpu-interval {1min | 10min | 30min | 1hr | 12hr | 24hr}

Set how long the FortiSwitch CPU usage must be higher than the specified threshold before an SNMP v3 notification (trap) is reported.

trap-high-cpu-threshold

<percentage>

Enter the percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu.

There is some smoothing of the high CPU trap to ensure the CPU usage is constant rather than a momentary spike. This feature prevents frequent and unnecessary traps.

trap-log-full-threshold

<percentage>

Enter the percentage of disk space used that will trigger the threshold SNMP trap for the log-full.

trap-low-memory-threshold <percentage>

Enter the percentage of memory used that will be the threshold SNMP trap for the low-memory.

trap-temp-alarm-threshold <temperature in degrees Celsius>

Set an alarm for when the system temperature reaches the specified temperature.

<user_name>

Edit or add selected user.

auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

• md5—HMAC-MD5-96 authentication protocol
• sha1—HMAC-SHA-1 authentication protocol
• sha224—HMAC-SHA-224 authentication protocol
• sha256—HMAC-SHA-256 authentication protocol
• sha384—HMAC-SHA-384 authentication protocol
• sha512—HMAC-SHA-512 authentication protocol

auth-pwd <password>

Enter the password for the authentication protocol. his option is available only when security-level is set to auth-priv or auth-no-priv.

events {events_list}

Specify one or more SNMP notifications (traps) to send. Separate multiple values with a space. The following notifications are available:

• cpu-high—The CPU usage is too high.
• ent-conf-change—The entityʼs configuration was changed (RFC 4133).
• fan-detect—The fan was detected, not detected, resumed, or failed.
• intf-ip—The interfaceʼs IP address was changed.
• ip-conflict—There is a conflict between IP addresses.

• l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.

• llv—Learning-limit violation.
• log-full—The available log space is low.
• mem-low—The available memory is low.
• psu-status—The status of the power supply unit has changed.
• sensor-alarm—The sensor triggered an alarm.
• sensor-fault—The sensor is faulty.
• tkmem-hb-oo-sync—The trunk memberʼs heart beat is unsynchronized.

notify-hosts <IP_address>

Specify one or more IPv4 addresses to send notifications (traps) to.

priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

• aes128—CFB128-AES-128 symmetric encryption protocol
• aes192—CFB128-AES-192 symmetric encryption protocol
• aes192c—CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
• aes256—CFB128-AES-256 symmetric encryption protocol
• aes256c—CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
• des—CBC-DES symmetric encryption protocol

priv-pwd <password>

Enter the password for the encryption protocol. This option is available only when security-level is set to auth-priv.

queries {enable | disable}

Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

query-port <port_int>

Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port.

Required. Set the VLAN identifier that is mapped to the VNI.

When tunnel-loopback is set, VLAN 4087 is reserved.

evpn {disable | enable}

Enable or disable the Ethernet Virtual Private Network (EVPN).

arp-nd-supression {disable | enable}

Enable or disable ARP and ND suppression.

This command is available only when evpn is enabled.

Required. Select the type of IPv4 address to use to communicate over the VXLAN tunnel.

• ipv4-multicast—Use IPv4 multicast addressing over the VXLAN tunnel.

• ipv4-unicast—Use IPv4 unicast addressing over the VXLAN tunnel.

tagged-vlans <VLAN_list>

User traffic is sent with the specified inner VLAN tags.

This command is available only when the switch is managed by a FortiGate device.

• self-sign—Use a self-signed security certificate. Self-signed certificates are free and will encrypt the data just as securely as a purchased certificate. Self-signed certificates, however, are not likely to be recognized by the CA certificate store so will be considered by any checks against that store as invalid.
• Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
• Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
• Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
• Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.