config system

Use the config system commands to configure options related to the overall operation of the FortiSwitch unit:

config system accprofile

Use this command to add access profiles that control administrator access to FortiSwitch features. Each FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiSwitch features.

Syntax

config system accprofile

edit <profile-name>

set admingrp {none | read | read-write}

set alias-commands {<command-name> | all}

set exec-alias-grp {none | read | read-write}

set loggrp {none | read | read-write}

set mntgrp {none | read | read-write}

set netgrp {none | read | read-write}

set pktmongrp {none | read | read-write}

set routegrp {none | read | read-write}

set swcoregrp {none | read | read-write}

set swmonguardgrp {none | read | read-write}

set sysgrp {none | read | read-write}

set utilgrp {none | read | read-write}

end

Variable

Description

Default

<profile-name>

Enter the name for the profile.

No default

admingrp {none | read | read-write}

Set the permission for administrative access.

none

alias-commands {all | <list>}

Specify the aliases and alias groups to include in the access profile or specify all. The aliases and alias groups specified for this access profile control which commands an administrator can run using the execute alias commands. Use a space to separate multiple items.

none

exec-alias-grp {none | read | read-write}

Specify one of the following options:

  • Select none to prevent access to the execute alias configure commands.

  • Select read to provide access to the execute alias configure {get | show | show-full-configuration} command.
  • Select read-write to provide access to the execute alias configure {get | show | show-full-configuration | set | unset} and execute alias script commands.

none

loggrp {none | read | read-write}

Set the permission for logging access.

none

mntgrp {none | read | read-write}

Set the permission for critical system maintenance access.

none

netgrp {none | read | read-write}

Set the permission for network access.

none

pktmongrp {none | read | read-write}

Set the access permission for packet and flow capture functionality.

none

routegrp {none | read | read-write}

Set the permission for routing access.

none

swcoregrp {none | read | read-write}

Set the permission for switch core access.

none

swmonguardgrp {none | read | read-write}

Set the access permission for switch monitor and guard features.

none

sysgrp {none | read | read-write}

Set the permission for system access.

none

utilgrp {none | read | read-write}

Set the permission for utilities access.

none

Example

This example shows how to configure an access profile with just read-only permission:

config system accprofile

edit profile1

set admingrp read

set loggrp read

set netgrp read

set routegrp read

set sysgrp read

end

config system admin

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels.

Syntax

config system admin

edit <admin_name>

set accprofile <profile-name>

set accprofile-override {enable | disable}

set allow-remove-admin-session {enable | disable}

set comments <comments_string>

set force-password-change {enable | disable}

set gui-detail-panel-location {bottom | hide | side}

set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>

set password <admin_password>

set peer-auth {disable | enable}

set peer-group <peer-grp>

set remote-auth {enable | disable}

set remote-group <name>

set wildcard {enable | disable}

set wildcard-fallback {enable | disable}

set schedule <schedule-name>

set ssh-public-key1 "<key-type> <key-value>"

set ssh-public-key2 "<key-type> <key-value>"

set ssh-public-key3 "<key-type> <key-value>"

set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>

next

end

Variable

Description

Default

<admin_name>

Enter the name for the admin account.

No default

accprofile <profile-name>

Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features.

No default

accprofile-override {enable | disable}

Enable or disable whether the remote authentication server can override the access profile.

disable

allow-remove-admin-session {enable | disable}

Allow the admin session to be removed by privileged admin users.

disable

comments <comments_string>

Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)

No default

force-password-change {enable | disable}

Enable or disable whether the administrator is forced to change the password at the next login.

disable

gui-detail-panel-location {bottom | hide | side}

Choose the position of the log detail window.

bottom

{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>

Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit.

If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0.

::/0

password <admin_password>

Enter the password for this administrator. It can be up to 256 characters in length.

If you want to include the “?” character as part of the password:

  1. Press Ctrl+v.

  2. Type the “?” character.

No default

peer-auth {disable | enable}

Set to enable peer certificate authentication (for HTTPS admin access).

disable

peer-group <peer-grp>

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled.

No default

remote-auth {enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

disable

remote-group <name>

Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.

This is available only when remote-auth is enabled.

No default

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled.

Starting in FortiSwitchOS 7.4.0, you can add multiple administrators with wildcards in their names.

disable

wildcard-fallback {enable | disable}

Enable or disable attempting authentication against wildcard accounts if authenticating this account fails.

This option is available only when remote-auth is enabled and when wildcard is disabled.

disable

schedule <schedule-name>

Restrict the times at which an administrator can log in. The schedule is defined in config firewall schedule. If no schedule is set, the administrator can log in at any time.

No default

ssh-public-key1 "<key-type> <key-value>"

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.

<key-value> is the public key string of the SSH client.

No default

ssh-public-key2 "<key-type> <key-value>"

No default

ssh-public-key3 "<key-type> <key-value>"

No default

{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>

Any IPv4 address or subnet address and netmask from which the administrator can connect to the system.

If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

0.0.0.0 0.0.0.0

Example

The following example creates a RADIUS system admin group:

config system admin

edit "RADIUS_Admins"

set remote-auth enable

set accprofile "super_admin"

set wildcard enable

set remote-group "RADIUS_Admins"

next

end
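The trusted-host and access-profile settings above are the ones that decide where an administrator account can be used from and what it can do. The following is an added example, not Fortinet code and not part of the FortiSwitchOS reference: a small Python audit that parses a constructed `config system admin` block in the CLI format shown on this page and reports accounts that have no access profile or whose trusted hosts still admit any source address (0.0.0.0 0.0.0.0 or ::/0, which the table above gives as the defaults). The sample configuration, account names and addresses are constructed for the example; the check treats an account as unrestricted only when it has no trusted-host entry with a non-zero prefix, and makes no assumption about how a configured entry interacts with the remaining default entries.

```python
import ipaddress
import shlex

# Constructed sample of a `config system admin` block (not from a real device).
SAMPLE_ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
    next
    edit "netops"
        set accprofile "profile1"
        set trusthost1 10.0.10.0 255.255.255.0
        set trusthost2 10.0.20.5 255.255.255.255
        set ip6-trusthost1 2001:db8:10::/64
        set force-password-change enable
    next
    edit "RADIUS_Admins"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "RADIUS_Admins"
    next
end
"""


def parse_admin_entries(text):
    """Parse one `config system admin` block into {account: {setting: [values]}}.

    Handles the edit / set / next keywords of the CLI format; quoted values
    are split with shlex so `set accprofile "super_admin"` yields one token.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = tokens[1]
            entries[current] = {}
        elif tokens[0] == "set" and current is not None:
            entries[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return entries


def trusted_networks(settings, prefix):
    """Return the trusthostN (prefix "trusthost") or ip6-trusthostN
    (prefix "ip6-trusthost") entries of one account as ip_network objects."""
    nets = []
    for key, values in settings.items():
        if key.startswith(prefix):
            # IPv4 entries are "address netmask"; IPv6 entries are "address/prefix".
            spec = values[0] if prefix == "ip6-trusthost" else f"{values[0]}/{values[1]}"
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def audit_admins(entries):
    """Return {account: [findings]}; an empty list means nothing to report."""
    report = {}
    for name, settings in entries.items():
        findings = []
        if "accprofile" not in settings:
            findings.append("no accprofile assigned (every account needs one)")
        v4 = trusted_networks(settings, "trusthost")
        v6 = trusted_networks(settings, "ip6-trusthost")
        # No entry at all means the defaults (0.0.0.0 0.0.0.0 and ::/0) apply,
        # and an explicit zero-prefix entry admits any address as well.
        if not any(net.prefixlen > 0 for net in v4):
            findings.append("IPv4 trusted hosts admit any address (0.0.0.0 0.0.0.0)")
        if not any(net.prefixlen > 0 for net in v6):
            findings.append("IPv6 trusted hosts admit any address (::/0)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_admins(parse_admin_entries(SAMPLE_ADMIN_CONFIG)).items():
        print(f"{account}: {'; '.join(findings) or 'ok'}")
```

Run against the constructed block, the `netops` account comes back clean while `admin` and `RADIUS_Admins` are each reported for unrestricted IPv4 and IPv6 trusted hosts. The same parser can be pointed at the output of `show system admin` saved from a switch.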

config system alias command

Use this command to grant an administrator access to individual configuration attributes, table entries, or CLI commands. You can also use this command to create a script to run multiple commands. Scripts are a simpler way to manage a large number of commands.

Notes:
  • Configuration-type aliases cannot create or delete table entries. For example, under the config switch interface command, you cannot create a new interface name with the edit <interface_name> command.
  • The super_admin administrator profile has access to all command aliases.

Syntax

config system alias command

edit <alias_name or script_name>

set description <string>

set type {configuration | script}

set path <path>

set attribute <attribute-name>

set permission {read | read-write}

set table-listing {allow | deny}

set limit-shown-attributes {disable | enable}

set read-only-attributes <attribute-name>

set table-ids-allowed <table-ID-value>

set command <string>

set table-entry-create {allow | deny}

config script-arguments

edit <argument_ID>

set type {integer | string | table-id}

set name <string>

set help <string>

set optional {enable | disable}

set range {enable | disable}

set range-delay <0-172800>

set allowed-values <string>

next

end

next

end

Variable

Description

Default

<alias_name or script_name>

If the type will be configuration, enter an alias name for the command in this configuration. If the type will be script, enter a script name.

The alias or script name cannot be all or match an alias group name.

No default

description <string>

If the type will be configuration, enter a description of the command or a help message. It can be up to 80 characters long. The description is displayed with the alias name when you enter execute alias configure {get | show | show-full-configuration | set | unset} ?.

If the type will be script, enter a description of the script. It can be up to 80 characters long. The description is displayed with the script name when you enter execute alias script ?.

No default

type {configuration | script}

The configuration type provides configuration-specific functionality to control get, show, show-full-configuration, set, and unset commands. You can also use the configuration type to limit accessible table entries and limit displayed attributes.

The script type allows the administrator to create a list of CLI commands to run.

configuration

path <path>

Required. Enter the period-separated path to the CLI command.

For example, enter set path switch.lldp.profile to apply the configuration to the config switch lldp profile command. Enter set path system.interface to apply the configuration to the config system interface command. You can specify only top-level objects, such as system.interface, router.bgp, or system.snmp.settings. If you specify child objects or child tables (such as system.interface.ipv6, router.bgp.neighbor, or switch.lldp.profile.custom-tlv), FortiSwitch returns an error.

No default

attribute <attribute-name>

Required. Enter the attribute that can be retrieved or modified.

Enter set attribute ? to see the list of valid attributes. If you enter an invalid value, FortiSwitchOS returns an error.

This option is available only when path has been set.

No default

permission {read | read-write}

Select read to allow this alias to be used by the execute alias configure {get | show | show-full-configuration} command. Select read-write to allow this alias to be used by the execute alias configure {get | show | show-full-configuration | set | unset} command.

read

table-listing {allow | deny}

Allow or prevent the listing of all entries by the execute alias configure {get | show | show-full-configuration} command.

  • Select allow to permit all entries to be listed.

  • Select deny to prevent the entries from being listed except for the entries specified in the table-ids-allowed setting. If table-ids-allowed is empty, a valid entry must be provided for listing.

This option is available only when path has been set.

deny

limit-shown-attributes {disable | enable}

Enable or disable whether to limit the attributes displayed with the show and get commands. Selecting disable displays all attributes for the show and get commands. Selecting enable displays only the attributes listed in attributes and read-only-attributes.

enable

read-only-attributes <attribute-name>

When limit-shown-attributes is enabled, you can enter additional attributes to display with the show and get commands. When you enter read-only-attributes ? to see a list of valid attributes, more attributes are available than when you enter set attribute ?. Read-only attributes can include child tables, child objects, and get-only attributes. You can list up to 31 attributes.

No default

table-ids-allowed <table-ID-value>

Specify which entries can be accepted by the execute alias configure {get | show | show-full-configuration | set | unset} command.

Enter set table-ids-allowed ? to see a list of valid entries. You can specify entries that do not currently exist; they can be created later.

If table-listing is set to deny, the table-ids-allowed entries are displayed when the user runs the execute alias configure {get | show | show-full-configuration} command without specifying any entry.

This option is available only when path has been set.

No default

command <string>

Enter the script command (within quotation marks) to be run. You can use the Enter key to separate command lines. Enter set command ? for formatting details.

This option is available only when type has been set to script.

No default

table-entry-create {allow | deny}

Allow or deny the creation of new table (or sub-table) entries.

This option is available only when type has been set to script. When type has been set to configuration, you cannot create any new table entries.

deny

config script-arguments

<argument_ID>

Enter an identifier for the argument. The identifier must match the identifier used in the script.

No default

type {integer | string | table-id}

Enter the data type that the argument accepts.

string

name <string>

Enter the display name for the argument. You can use uppercase and lowercase letters, numbers, and hyphens. The display name is shown when the user runs the execute alias script command.

No default

help <string>

Enter a help message for the argument. You can use uppercase and lowercase letters, numbers, slashes, parentheses, brackets, commas, underscores, and hyphens. The help message is displayed when the user runs the execute alias script command.

No default

optional {enable | disable}

Enable this option to allow the user to omit entering a value for this argument. Disable this option to force the user to specify a value for this argument.

disable

range {enable | disable}

Enable this option to allow a range of integers, a range of table identifiers, or a comma-separated list of strings. Disable this option to allow only a single value for this argument.

disable

range-delay <0-172800>

Enter the number of seconds to delay between values when executing.

This option is available only when range has been set to enable.

0

allowed-values <string>

Enter the values allowed for this argument.

  • If type is set to string, separate values with a space. For example: set allowed-values port1 port3 port7
  • If type is set to integer, you can use ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.
  • If type is set to table-id and the table identifiers are integers, you can use both ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.

No default
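The script-argument settings above (type, optional, range, allowed-values, range-delay) describe how a value typed by a restricted administrator is constrained before a script runs with it. The following is an added example, not Fortinet code and not part of the FortiSwitchOS reference: a Python model of that validation that expands an allowed-values specification such as "1-10,3,11,55", accepts or rejects a supplied value under the same rules the table gives, and renders the script body once per accepted value with $1 substituted. The argument definitions are constructed to mirror the table; the per-value execution of a ranged argument is an assumption drawn from the range-delay description, not something the page states outright.

```python
def parse_int_spec(spec):
    """Expand an integer or table-id specification such as "1-10,3,11,55"
    into a set of ints. An empty spec yields an empty set (no restriction)."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            allowed.update(range(int(lo), int(hi) + 1))
        else:
            allowed.add(int(part))
    return allowed


def validate_argument(arg, supplied):
    """Check one user-supplied value against a script-argument definition.

    `arg` mirrors the `config script-arguments` settings (type, optional,
    range, allowed-values) as strings, as on the CLI. `supplied` is the text
    the user typed, or None when omitted. Returns (ok, message, values),
    where values is the set of individual values the script would run with.
    """
    if supplied is None or supplied == "":
        if arg.get("optional") == "enable":
            return True, "argument omitted (optional)", set()
        return False, "argument is required (optional is disabled)", set()
    multi = arg.get("range") == "enable"
    atype = arg.get("type", "string")
    try:
        if atype == "string":
            # With range enabled a comma-separated list of strings is allowed.
            values = set(supplied.split(",")) if multi else {supplied}
            allowed = set(arg.get("allowed-values", "").split())
        else:  # integer, or table-id with integer identifiers
            values = parse_int_spec(supplied) if multi else {int(supplied)}
            allowed = parse_int_spec(arg.get("allowed-values", ""))
    except ValueError:
        return False, f"{supplied!r} is not a valid {atype} value", set()
    if allowed and not values <= allowed:
        rejected = sorted(values - allowed, key=str)
        return False, f"not in allowed-values: {rejected}", set()
    return True, f"accepted {len(values)} value(s)", values


def expand_script(command, values, position=1):
    """Render the script body once per value, substituting $<position>.

    Assumption (beyond what the page states): with range enabled the script
    runs once per value, with range-delay seconds between runs.
    """
    return [command.replace(f"${position}", str(v)) for v in sorted(values, key=str)]


# Constructed argument definitions modelled on the table above.
VLAN_ARG = {"type": "integer", "optional": "disable", "range": "enable",
            "allowed-values": "1-10,100-110"}
PORT_ARG = {"type": "string", "optional": "disable", "range": "disable",
            "allowed-values": "port1 port3 port7"}
MAC_LIST_COMMAND = "diag switch mac-address filter vlan-map $1"

if __name__ == "__main__":
    for arg, typed in [(VLAN_ARG, "3-5,105"), (VLAN_ARG, "50"), (VLAN_ARG, None),
                       (PORT_ARG, "port3"), (PORT_ARG, "port2")]:
        ok, msg, values = validate_argument(arg, typed)
        print(f"{typed!r}: {'OK' if ok else 'REJECTED'} - {msg}")
        for line in expand_script(MAC_LIST_COMMAND, values):
            print("   ", line)
```

For the constructed VLAN argument, "3-5,105" is accepted and expands to four runs of the filter command, while "50" and an omitted value are rejected; for the string argument, "port2" and the multi-value "port1,port3" are rejected because range is disabled and the value is not in allowed-values.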

Examples

The following example creates two aliases for the config switch physical-port command.

  • The port-description alias allows an administrator to change the set description value; when running a get or show command, the administrator will see only the description configuration.
  • The port-status alias allows an administrator to change the set status value; the administrator will see both the description and port status configuration when running get or show commands.

config system alias command

edit "port-status"

set description "View or change the port status."

set type configuration

set path "switch.physical-port"

set attribute "status"

set permission read-write

set limit-shown-attributes enable

set read-only-attributes "description"

next

edit "port-description"

set description "View or change the port description."

set type configuration

set path "switch.physical-port"

set attribute "description"

set permission read-write

set limit-shown-attributes enable

next

end

The following example creates two scripts. Both scripts list the switch mac-address table.

  • The mac-list script is more flexible because it requires the user to specify which VLANs to list MAC addresses from.
  • The list-mac-by-port-and-vlan-customer-AAA script is more controlled because it only lets the user see the MAC addresses learned on the ports and VLANs fixed in the script.

config system alias command

edit "list-mac-by-port-and-vlan-customer-AAA"

set description "List MAC addresses on your VLANs and ports."

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter port-id-map 3-8

diag switch mac-address filter vlan-map 1000-1010

diag switch mac-address list

diag switch mac-address filter clear"

next

edit "mac-list"

set description "List MAC addresses learned on the provided VLANs"

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter vlan-map $1

diag switch mac-address list | grep -i mac

diag switch mac-address filter clear"

config script-arguments

edit 1

set name "VLAN-ID-map"

set help "List of VLANs to check"

next

end

next

end

config system alias group

Use this command to specify alias groups to bundle different alias commands together for easy assignment.

Syntax

config system alias group

edit <alias_group_name>

set description <string>

set commands <alias_command_list>

end

Variable

Description

Default

<alias_group_name>

Enter a name for the alias group. The name cannot be all or match an alias name.

No default

description <string>

Enter a description of the command alias group. It can be up to 80 characters long.

No default

commands <alias_command_list>

Enter a list of command aliases. Use a space to separate them.

No default

Example

This example shows how to create a group of two command aliases:

config system alias group

edit aliasgroup1

set description "Alias group for config switch physical-port."

set commands port-status port-description

end

config system arp-table

Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of an interface name, an IP address, and a MAC address.

Syntax

config system arp-table

edit <table_value>

set interface {<string> | internal | mgmt}

set ip <address_ipv4>

set mac <mac_address>

end

Variable

Description

Default

<table_value>

Enter the identification number for the table.

No default

interface {<string> | internal | mgmt}

Enter the interface to associate with this ARP entry.

No default

ip <address_ipv4>

Enter the IP address of the ARP entry.

0.0.0.0

mac <mac_address>

Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

Example

This example shows how to add an entry to an ARP table:

config system arp-table

edit 1

set interface internal

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

end

config system automation-action

Use this command to configure the action that is performed when the trigger of an automation stitch occurs.

Syntax

config system automation-action

edit <name>

set action-type {alert | cli-script | email | snmp-trap | webhook}

set accprofile <string>

set email-body <string>

set email-from <string>

set email-subject <string>

set email-to <email_address>

set headers <string>

set http-body <string>

set method {delete | get | patch | post | put}

set minimum-interval <0-2592000>

set port <1-65535>

set protocol {http | https}

set script <string>

set snmp-trap {fsStitchTrap1 | fsStitchTrap2 | fsStitchTrap3 | fsStitchTrap4 | fsStitchTrap5}

set uri <string>

next

end

Variable

Description

Default

<name>

Name of the action configuration.

No default

action-type {alert | cli-script | email | snmp-trap | webhook}

Select the type of action to perform:

  • alert—Display an alert in the console.

  • cli-script—Run a CLI script.

  • email—Send a notification email.

  • snmp-trap—Generate an SNMP trap.

  • webhook—Send data to a uniform resource identifier (URI), such as an IP address or URL.

alert

accprofile <string>

Specify the access profile required to run the CLI script.

This option is available only when action-type is set to cli-script.

No default

email-body <string>

Enter the body of the email. By default, the log message is sent.

This option is available only when action-type is set to email.

%%log%%

email-from <string>

Enter the name of the sender of the email.

This option is available only when action-type is set to email.

No default

email-subject <string>

Enter the subject of the email.

This option is available only when action-type is set to email.

No default

email-to <email_address>

Enter the email address or addresses that the email will be sent to when automation stitch is triggered.

This option is available only when action-type is set to email.

none

headers <string>

Enter the request headers.

This option is available only when action-type is set to webhook.

none

http-body <string>

If necessary, enter the request body. Use a serialized JSON string.

This option is available only when action-type is set to webhook.

No default

method {delete | get | patch | post | put}

Select the request method: DELETE, GET, PATCH, POST, or PUT.

This option is available only when action-type is set to webhook.

post

minimum-interval <0-2592000>

Select how many seconds must pass before the action can be performed again.

0

port <1-65535>

Enter the port number that this protocol will use.

If the protocol is set to http, the default port is 80. If the protocol is set to https, the default port is 443.

This option is available only when action-type is set to webhook.

80

protocol {http | https}

Enter the request protocol, either HTTP or HTTPS.

This option is available only when action-type is set to webhook.

http

script <string>

Specify the name and path to the CLI script.

This option is available only when action-type is set to cli-script.

No default

snmp-trap {fsStitchTrap1 | fsStitchTrap2 | fsStitchTrap3 | fsStitchTrap4 | fsStitchTrap5}

Select which SNMP trap is generated:

  • fsStitchTrap1—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap2—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap3—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap4—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap5—This custom SNMP trap can be triggered from automation stitch.

This option is available only when action-type is set to snmp-trap.

No default

uri <string>

Required. Enter the uniform resource identifier (URI), such as an IP address or URL.

This option is available only when action-type is set to webhook.

No default

Example

This example shows how to display an alert in the console when the automation stitch is triggered:

config system automation-action

edit testaction

set action-type alert

set minimum-interval 1200

next

end

config system automation-stitch

Use this command to specify the trigger and action for an automation stitch.

Syntax

config system automation-stitch

edit <name>

set status {enable | disable}

set trigger <trigger_name>

set action <action_name>

next

end

Variable

Description

Default

<name>

Name of the automation-stitch configuration.

No default

status {enable | disable}

Enable or disable this automation stitch.

enable

trigger <trigger_name>

Enter the name of the trigger for this automation stitch.

No default

action <action_name>

Enter the name of the action configuration for this automation stitch.

none

Example

This example shows how to specify the trigger, action, and status for an automation stitch:

config system automation-stitch

edit teststitch

set status enable

set trigger testtrigger

set action testaction

next

end

config system automation-trigger

Use this command to specify the trigger for an automation stitch. The trigger causes an action to be performed.

Syntax

config system automation-trigger

edit <trigger_name>

set trigger-type {event-based | scheduled}

set event-type {config-change | event-log | reboot}

set logid <log_ID>

set trigger-frequency {daily | hourly | monthly | weekly}

set trigger-hour <0-23>

set trigger-minute <0-59>

set trigger-day <1-31>

set trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>

config fields

edit <entry_ID>

set name <string>

set value <string>

next

end

next

end

Variable

Description

Default

<trigger_name>

Name of the trigger configuration.

No default

trigger-type

Select the type of trigger:

  • event-based—Event-based trigger.

  • scheduled—Scheduled trigger.

event-based

event-type

Select the type of event to trigger the automation-stitch action:

  • config-change—Configuration change.

  • event-log—Use the log ID as the trigger.

  • reboot—After the switch restarts, the action is triggered.

This option is available only when the trigger-type is set to event-based.

config-change

logid <log_ID>

Enter the log ID to trigger the action. The range of values is 1-65535. If you use the full 10-digit entry, the first four digits are truncated.

This option is available only when the trigger-type is set to event-based and event-type is set to event-log.

0

trigger-frequency {daily | hourly | monthly | weekly}

Select whether the automation-stitch action is performed on a daily, hourly, monthly, or weekly basis.

This option is available only when the trigger-type is set to scheduled.

daily

trigger-hour <0-23>

Select which hour of the day the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to daily, monthly, or weekly.

0

trigger-minute <0-59>

Select which minute of the hour the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled.

0

trigger-day <1-31>

Select which day of the month the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to monthly.

1

trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>

Select which day of the week the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to weekly.

No default

config fields

This option is available only when the event-type is event-log and the logid is set.

Starting in FortiSwitchOS 7.2.2, you can configure multiple fields for the automation trigger. The action is only performed if all conditions are valid (using AND logic).

<entry_ID>

Enter an identifier for this entry.

No default

name <string>

Enter a name for this field.

No default

value <string>

Enter a value for this field.

  • Use an asterisk to match any character string of any length, including an empty string. For example, use set value "*1567*" to match the values 81567 and 156789.

  • Use square brackets to match any one of the characters listed inside them. For example, use set value "[aA]dmin" to match the values admin and Admin.

No default
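The field matching just described (asterisk wildcard, bracketed character sets, and AND logic across multiple fields from FortiSwitchOS 7.2.2) decides whether an event-log trigger fires for a given log entry. The following is an added example, not Fortinet code and not part of the FortiSwitchOS reference: a Python matcher that translates a `config fields` value into an anchored regular expression and evaluates a trigger (log ID plus fields) against constructed log records. The record keys, the second trigger and its log ID 32001 are constructed for the example; the assumption that a pattern must cover the whole field value is the matcher's own.

```python
import re


def field_pattern_to_regex(pattern):
    """Compile a `config fields` value into an anchored regular expression.

    '*' matches any run of characters (including none), '[...]' matches any
    one of the listed characters, everything else matches literally.
    Assumption: the pattern has to cover the whole field value.
    """
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "[" and "]" in pattern[i + 2:]:
            end = pattern.index("]", i + 2)
            parts.append("[" + re.escape(pattern[i + 1:end]) + "]")
            i = end + 1
        else:  # literal character, including an unmatched '[' or empty '[]'
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def trigger_fires(trigger, record):
    """True when the record's log ID matches and every configured field
    matches its pattern (AND logic); a field missing from the record fails."""
    if record.get("logid") != trigger["logid"]:
        return False
    return all(
        name in record and field_pattern_to_regex(pat).match(str(record[name])) is not None
        for name, pat in trigger["fields"].items()
    )


def fired_records(trigger, records):
    """Return the records that would make this trigger fire."""
    return [r for r in records if trigger_fires(trigger, r)]


# Trigger modelled on the port1Down example from this section.
PORT_DOWN_TRIGGER = {"logid": 100001401, "fields": {"switch.physical-port": "port1"}}
# Constructed two-field trigger (log ID 32001 and the field names are made up).
ADMIN_LOGIN_TRIGGER = {"logid": 32001, "fields": {"user": "[aA]dmin", "srcip": "10.0.10.*"}}

# Constructed log records, already split into fields.
SAMPLE_RECORDS = [
    {"logid": 100001401, "switch.physical-port": "port1"},
    {"logid": 100001401, "switch.physical-port": "port12"},
    {"logid": 32001, "user": "Admin", "srcip": "10.0.10.7"},
    {"logid": 32001, "user": "admin", "srcip": "192.0.2.9"},
    {"logid": 32001, "user": "root", "srcip": "10.0.10.7"},
]

if __name__ == "__main__":
    for name, trig in [("port1Down", PORT_DOWN_TRIGGER), ("adminLogin", ADMIN_LOGIN_TRIGGER)]:
        print(name, "fires for:", fired_records(trig, SAMPLE_RECORDS))
```

Because the match is anchored, "port1" does not fire for port12, which is the behaviour to expect from the page's own example; "port1*" would. The two-field trigger fires only for the record where both user and source address match.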

Example

This example shows how to generate a log entry when port1 is down:

config system automation-trigger

edit "port1Down"

set event-type event-log

set logid 100001401

config fields

edit 1

set name "switch.physical-port"

set value "port1"

next

end

next

end

This example shows how to configure the action to be triggered on an hourly basis, 30 minutes into the hour:

config system automation-trigger

edit testtrigger

set trigger-type scheduled

set trigger-frequency hourly

set trigger-minute 30

next

end

config system bluetooth

Use this command to configure Bluetooth.

Syntax

config system bluetooth

set pin <string>

set status {disable | enable}

end

Variable

Description

Default

pin <string>

Enter the Bluetooth pairing personal identification number (PIN).

1234

status {disable | enable}

Enable or disable support for Bluetooth.

disable

config system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax

config system bug-report

set auth {no | yes}

set mailto <email_address>

set password <password>

set server <servername>

set username <name>

set username-smtp <account_name>

end

Variable

Description

Default

auth {no | yes}

Enter yes if the SMTP server requires authentication or no if it does not.

no

mailto <email_address>

The email address for bug reports.

fortiswitch@fortinet.com

password <password>

If the SMTP server requires authentication, enter the required password.

No default

server <servername>

The SMTP server to use for sending bug report email.

fortinet.com

username <name>

A valid user name on the specified SMTP server.

bug_report

username-smtp <account_name>

A valid user name for authentication on the specified SMTP server.

bug_report

Example

This example shows how to configure a custom email relay:

config system bug-report

set auth yes

set mailto techdocs@fortinet.com

set password 123abc

set server fortinet.com

set username techdocs

set username-smtp techdocs

end

config system certificate ca

Use this command to configure CA certificates.

FortiSwitch includes a reserved entry named Fortinet_CA. You cannot modify this entry.

Syntax

config system certificate ca

edit <name>

set ca <certificate>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

certificate

PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example.

No default

scep-url

Full URL (such as http://www.test.com)

No default

Example

	# config system certificate ca
	# get
	== [ Fortinet_CA ]
	== [ OracleSSLCA ]
	== [ ca ]
	FortiCore-VM # config system certificate ca
	FortiCore-VM (ca) # edit ca-new
	FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
	> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
	> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
	> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
	> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
	> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
	> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
	> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
	> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
	> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
	> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
	> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
	> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
	> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
	> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
	> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
	> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
	> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
	> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
	> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
	> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
	> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
	> -----END CERTIFICATE-----"
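Before a PEM block is pasted between quotation marks as in the example above, it is worth confirming that it is the right type for the command and that its base64 body decodes to a complete DER structure, since a line pasted twice or dropped corrupts the certificate silently. The following check is an added example, not FortiSwitchOS code; it covers the PEM types accepted by the ca, crl and local commands on this page, and its sample blocks are constructed rather than real certificates.

```python
"""Sanity check for a PEM block before it is pasted into
'config system certificate ca', 'crl', 'local' or 'remote'. Added example, not
FortiSwitchOS code; the samples below are constructed, not real certificates.

A PEM body is base64-encoded DER, and the outer DER SEQUENCE states its own
length, so a line that was pasted twice or dropped shows up as a length
mismatch before the block ever reaches the CLI."""
import base64
import re

# PEM label -> the command and attribute on this page that accept it
PEM_TARGETS = {
    "CERTIFICATE": "config system certificate ca (set ca) or remote (set remote)",
    "X509 CRL": "config system certificate crl (set crl)",
    "CERTIFICATE REQUEST": "config system certificate local (csr)",
    "ENCRYPTED PRIVATE KEY": "config system certificate local (set private-key plus set password)",
}

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def der_tlv_length(data: bytes) -> int:
    """Total size (tag + length octets + content) of the first DER element in data."""
    if len(data) < 2:
        raise ValueError("too short for a DER element")
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_pem(text: str) -> dict:
    """Classify one PEM block and validate its DER framing; never raises."""
    m = _PEM_RE.search(text)
    if not m:
        return {"label": None, "target": None, "ok": False, "reason": "no PEM block found"}
    label, body, end_label = m.group(1), m.group(2), m.group(3)
    result = {"label": label, "target": PEM_TARGETS.get(label), "ok": False, "reason": ""}
    if label != end_label:
        result["reason"] = "BEGIN and END labels differ"
        return result
    if result["target"] is None:
        result["reason"] = "PEM type not accepted by these commands"
        return result
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        result["reason"] = "body is not valid base64"
        return result
    if not der or der[0] != 0x30:
        result["reason"] = "DER does not start with a SEQUENCE"
        return result
    try:
        declared = der_tlv_length(der)
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    if declared != len(der):
        result["reason"] = (f"DER declares {declared} bytes but {len(der)} decoded "
                            "(line duplicated or dropped while pasting?)")
        return result
    result["ok"] = True
    result["reason"] = "well-formed"
    return result


# Constructed samples: the body is a minimal DER SEQUENCE { INTEGER 5 }
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----"
# The same block with its first body line pasted twice
SAMPLE_DUPLICATED_LINE = "-----BEGIN CERTIFICATE-----\nMAMC\nMAMC\nAQU=\n-----END CERTIFICATE-----"
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMAMC\nAQU=\n-----END CERTIFICATE REQUEST-----"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DUPLICATED_LINE, SAMPLE_CSR):
        print(check_pem(sample))
```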

config system certificate crl

Use this command to configure the certificate revocation list.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set http-url <string>

set ldap-server <LDAP>

set scep-cert <certificate>

set scep-url <string>

end

Variable

Description

Default

name

Name of the certificate revocation list

No default

crl

PEM format CRL. Paste the contents of a CRL file between quotation marks.

No default

http-url

URL of HTTP server for CRL update

No default

ldap-server

LDAP server

No default

scep-cert

Local certificate used for CRL update using SCEP

Fortinet_Factory

scep-url

URL of CA server for CRL update using SCEP

No default

config system certificate local

Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot modify this entry.

Syntax

config system certificate local

edit <name>

set comments <string>

set password <passwd>

set private-key <key>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

comments

Optional administrator note.

No default

password

Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate.

*

private-key

Paste the contents of a key file between quotation marks as shown in the example.

No default

scep-url

URL of SCEP server

No default

Example

# config system certificate local
# get
== [ Factory ]
== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw
DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs
ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK
XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT
iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI
hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM
G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF
-----END CERTIFICATE REQUEST-----
"

config system certificate ocsp

Use this command to configure the OCSP server certificate.

Syntax

config system certificate ocsp

set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set unavail-action {ignore | revoke}

set url <string>

end

Variable

Description

Default

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Enter the name of the certificate or select one of the listed certificates.

No default

unavail-action {ignore | revoke}

Set if the FortiSwitch should ignore the OCSP check or revoke the certificate if the server is unavailable.

revoke

url <string>

Enter the URL for the OCSP server.

No default

Example

This example shows how to configure the OCSP server certificate:

config system certificate ocsp

set cert Fortinet_CA

set unavail-action ignore

set url https://www.fortinet.com

end

config system certificate remote

Use this command to install remote certificates. The remote certificates are public certificates without a private key.

Syntax

config system certificate remote

edit <name>

set remote "<cert>"

end

Variable

Description

Default

name

Name for the certificate

No default

remote "<cert>"

PEM-format certificate

No default

config system console

Use this command to configure the FortiSwitchOS console.

Syntax

config system console

set baudrate <speed>

set hostname-display-length <4-35>

set login {enable | disable}

set mode {batch | line}

set output {standard | more}

end

Variable

Description

Default

baudrate <speed>

Set the console port baud rate. Select one of 9600, 19200, 38400, 57600, or 115200.

115200

hostname-display-length <4-35>

Set the maximum number of characters shown for the host name in the CLI prompt.

17

login {enable | disable}

Enable or disable whether users can log in with the FortiSwitchOS console port.

enable

mode {batch | line}

Set the console mode to line or batch. Used for autotesting only.

line

output {standard | more}

Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed).

This setting applies to show or get commands only.

standard

Example

This example shows how to configure the console:

config system console

set hostname-display-length 30

set baudrate 57600

set login enable

set mode batch

set output standard

end

config system dhcp server

Use this command to configure DHCP servers.

Syntax

config system dhcp server

edit <id>

set auto-configuration {enable | disable}

set conflicted-ip-timeout <integer>

set default-gateway <xxx.xxx.xxx.xxx>

set dns-server1 <xxx.xxx.xxx.xxx>

set dns-server2 <xxx.xxx.xxx.xxx>

set dns-server3 <xxx.xxx.xxx.xxx>

set dns-service {default | local | specify}

set domain <string>

set filename <string>

set interface <string>

set lease-time <integer>

set netmask <xxx.xxx.xxx.xxx>

set next-server <xxx.xxx.xxx.xxx>

set ntp-server1 <xxx.xxx.xxx.xxx>

set ntp-server2 <xxx.xxx.xxx.xxx>

set ntp-server3 <xxx.xxx.xxx.xxx>

set ntp-service {default | local | specify}

set status {enable | disable}

set tftp-server <string>

set timezone <00-75>

set timezone-option {default | disable | specify}

set vci-match {enable | disable}

set vci-string <VCI_strings>

set wifi-ac1 <xxx.xxx.xxx.xxx>

set wifi-ac2 <xxx.xxx.xxx.xxx>

set wifi-ac3 <xxx.xxx.xxx.xxx>

set wins-server1 <xxx.xxx.xxx.xxx>

set wins-server2 <xxx.xxx.xxx.xxx>

config exclude-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config ip-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config options

edit <id>

set code <integer>

set ip <IP_addresses>

set type {fqdn | hex | ip | string}

set value <string>

next

end

config reserved-address

edit <id>

set action {assign | block | reserved}

set circuit-id {<string> | <hex>}

set circuit-id-type {hex | string}

set description <string>

set ip <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set remote-id {<string> | <hex>}

set remote-id-type {hex | string}

set type {mac | option82}

next

end

next

end

Variable

Description

Default

<id>

Enter the identifier.

No default

auto-configuration {enable | disable}

Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface.

enable

conflicted-ip-timeout <integer>

Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.

1800

default-gateway <xxx.xxx.xxx.xxx>

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

0.0.0.0

dns-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 1. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 2. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 3. This option is only available when dns-service is set to specify.

0.0.0.0

dns-service {default | local | specify}

Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs DNS server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.

specify

domain <string>

Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.

No default

filename <string>

Enter the name of the boot file on the TFTP server.

No default

interface <string>

Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.

No default

lease-time <integer>

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.

Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.

604800

netmask <xxx.xxx.xxx.xxx>

Enter the netmask of the addresses that the DHCP server assigns.

0.0.0.0

next-server <xxx.xxx.xxx.xxx>

Enter the IPv4 address of a server (for example, a TFTP server) that DHCP clients can download a boot file from.

0.0.0.0

ntp-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 1. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 2. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 3. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-service {default | local | specify}

Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the clientʼs NTP server IP address. Select default for clients to be assigned the FortiSwitch unitʼs configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.

specify

status {enable | disable}

Enable or disable this DHCP configuration.

enable

tftp-server <string>

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.

No default

timezone <00-75>

Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.

(GMT+12:00) Eniwetok, Kwajalein

timezone-option {default | disable | specify}

Select how the DHCP server sets the clientʼs time zone. Select disable for the DHCP server to not set the clientʼs time zone. Select default for clients to be assigned the FortiSwitch unitʼs configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.

disable

vci-match {enable | disable}

Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.

disable

vci-string <VCI_strings>

Enter one or more VCI strings. This option is only available if vci-match is set to enable.

No default

wifi-ac1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417).

0.0.0.0

wins-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 1.

0.0.0.0

wins-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 2.

0.0.0.0

config exclude-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the IP address range that will not be assigned to clients.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the IP address range that will not be assigned to clients.

0.0.0.0

config ip-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the DHCP IP address range.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the DHCP IP address range.

0.0.0.0

config options

<id>

Enter the identifier.

No default

code <integer>

Select the DHCP option code. The range is 0-255.

9

ip <IP_addresses>

If type is set to ip, enter the IP addresses.

No default

type {fqdn | hex | ip | string}

Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.

hex

value <string>

Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.

No default

config reserved-address

<id>

Enter the identifier.

No default

action {assign | block | reserved}

Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.

reserved

circuit-id {<string> | <hex>}

Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.

No default

circuit-id-type {hex | string}

Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.

string

description <string>

Enter a description of this entry.

No default

ip <xxx.xxx.xxx.xxx>

Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.

0.0.0.0

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.

00:00:00:00:00:00

remote-id {<string> | <hex>}

Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.

No default

remote-id-type {hex | string}

Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.

string

type {mac | option82}

Select whether to match the IP address with the MAC address or DHCP option 82.

mac

Example

This example shows how to configure a DHCP server:

config system dhcp server

edit 1

set default-gateway 50.50.50.2

set domain "FortiswitchTest.com"

set filename "text1.conf"

set interface "svi10"

config ip-range

edit 1

set end-ip 50.50.0.10

set start-ip 50.50.0.5

next

end

set lease-time 360

set netmask 255.255.0.0

set next-server 60.60.60.2

config options

edit 1

set value "dddd"

next

end

set tftp-server "1.2.3.4"

set timezone-option specify

set wifi-ac1 5.5.5.1

set wifi-ac2 5.5.5.2

set wifi-ac3 5.5.5.3

set wins-server1 6.6.6.1

set wins-server2 6.6.6.2

set dns-server1 7.7.7.1

set dns-server2 7.7.7.2

set dns-server3 7.7.7.3

set ntp-server1 8.8.8.1

set ntp-server2 8.8.8.2

set ntp-server3 8.8.8.3

next

end
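How the ip-range, exclude-range, reserved-address and vci-match settings above combine when one request arrives, as an added model in Python (not FortiSwitchOS code). The pool mirrors the CLI example; the reservations, the exclusion, the order in which reservations are matched and the lease bookkeeping are assumptions.

```python
"""Address decision of a DHCP server built from the ip-range, exclude-range,
reserved-address and vci-match settings above. Added model, not FortiSwitchOS
code: the reservation matching order and the lease bookkeeping are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Reservation:
    """One 'config reserved-address' entry."""
    type: str = "mac"               # mac | option82
    action: str = "reserved"        # assign | block | reserved
    mac: str = "00:00:00:00:00:00"  # only used when type is mac
    circuit_id: str = ""            # only used when type is option82
    remote_id: str = ""
    ip: str = "0.0.0.0"             # only used when action is reserved

    def matches(self, mac: str, circuit_id: str, remote_id: str) -> bool:
        if self.type == "mac":
            return self.mac.lower() == mac.lower()
        # option82: every sub-option that is configured must match (assumption)
        checks = []
        if self.circuit_id:
            checks.append(self.circuit_id == circuit_id)
        if self.remote_id:
            checks.append(self.remote_id == remote_id)
        return bool(checks) and all(checks)


def _in_ranges(ranges, addr: IPv4Address) -> bool:
    return any(IPv4Address(s) <= addr <= IPv4Address(e) for s, e in ranges)


@dataclass
class DhcpServer:
    ip_ranges: list                             # [(start-ip, end-ip), ...]
    exclude_ranges: list = field(default_factory=list)
    reserved: list = field(default_factory=list)
    vci_match: bool = False                     # vci-match enable|disable
    vci_strings: set = field(default_factory=set)
    leases: dict = field(default_factory=dict)  # client MAC -> assigned ip

    def offer(self, mac: str, vci: str = "", circuit_id: str = "",
              remote_id: str = "") -> Optional[str]:
        """Address offered to this client, or None when the request is refused."""
        if self.vci_match and vci not in self.vci_strings:
            return None                         # VCI gate rejects the request
        key = mac.lower()
        for r in self.reserved:
            if r.matches(mac, circuit_id, remote_id):
                if r.action == "block":
                    return None                 # no IP settings for this client
                if r.action == "reserved":
                    self.leases[key] = r.ip     # fixed address, pool not consulted
                    return r.ip
                break                           # assign: treated like any other client
        if key in self.leases:
            return self.leases[key]             # renew the existing lease
        held = set(self.leases.values())
        held |= {r.ip for r in self.reserved if r.action == "reserved"}
        for start, end in self.ip_ranges:
            addr, last = IPv4Address(start), IPv4Address(end)
            while addr <= last:
                ip = str(addr)
                if ip not in held and not _in_ranges(self.exclude_ranges, addr):
                    self.leases[key] = ip
                    return ip
                addr += 1
        return None                             # pool exhausted


def example_server() -> DhcpServer:
    """Pool from the CLI example above; the reservations and exclusion are constructed."""
    return DhcpServer(
        ip_ranges=[("50.50.0.5", "50.50.0.10")],
        exclude_ranges=[("50.50.0.5", "50.50.0.6")],
        reserved=[
            Reservation(type="mac", action="reserved", mac="00:11:22:33:44:55", ip="50.50.0.9"),
            Reservation(type="mac", action="block", mac="00:11:22:33:44:66"),
            Reservation(type="option82", action="reserved", circuit_id="port3", ip="50.50.0.20"),
        ],
    )


if __name__ == "__main__":
    srv = example_server()
    for client in ("00:aa:aa:aa:aa:01", "00:11:22:33:44:55", "00:11:22:33:44:66"):
        print(client, "->", srv.offer(client))
```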

config system dns

Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and URL blocking, use DNS.

Syntax

config system dns

set cache-notfound-responses {enable | disable}

set dns-cache-limit <integer>

set dns-cache-ttl <int>

set domain <domain_name>

set ip6-primary <dns_ipv6>

set ip6-secondary <dns_ip6>

set primary <dns_ipv4>

set secondary <dns_ip4>

set source-ip <ipv4_addr>

end

Variable

Description

Default

cache-notfound-responses {enable | disable}

Enable to cache NOTFOUND responses from the DNS server.

disable

dns-cache-limit <integer>

Set maximum number of entries in the DNS cache.

5000

dns-cache-ttl <int>

Enter the duration, in seconds, that the DNS cache retains information.

1800

domain <domain_name>

Set the local domain name (optional).

No default

ip6-primary <dns_ipv6>

Enter the primary IPv6 DNS server IP address.

::

ip6-secondary <dns_ip6>

Enter the secondary IPv6 DNS server IP address.

::

primary <dns_ipv4>

Enter the primary DNS server IP address.

0.0.0.0

secondary <dns_ip4>

Enter the secondary DNS IP server address.

0.0.0.0

source-ip <ipv4_addr>

Enter the IP address for communications to DNS server.

0.0.0.0

Example

This example shows how to set the DNS server addresses:

config system dns

set cache-notfound-responses enable

set dns-cache-limit 2000

set dns-cache-ttl 900

set domain fortinet.com

set primary 172.91.112.53

set secondary 172.91.112.52

end

config system flan-cloud

Use this command to configure FortiLAN Cloud or FortiLink over HTTPS.

Syntax

config system flan-cloud

set interval <integer>

set name <FortiLAN_Cloud_FQDN_IP_address | FortiLink_IPv4_address>

set port <port_number>

set service-type {flan-cloud | fortilink-https}

set status {enable | disable}

end

Variable

Description

Default

interval <integer>

The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.

3

name <FortiLAN_Cloud_FQDN_IP_address | FortiLink_IPv4_address>

If you are using FortiLAN Cloud, enter the fully qualified domain name or IP address for the FortiLAN Cloud.

If you are using FortiLink with HTTPS, enter the FortiLink IPv4 address.

fortiswitch-dispatch.forticloud.com

port <port_number>

Port number used to connect to FortiLAN Cloud.

443

service-type {flan-cloud | fortilink-https}

If you are using FortiLAN Cloud, set service-type to flan-cloud.

If you are using FortiLink with HTTPS, set service-type to fortilink-https.

flan-cloud

status {enable | disable}

Select whether FortiLAN Cloud or FortiLink with HTTPS is active or inactive.

disable

Example

This example shows how to configure FortiLAN Cloud:

config system flan-cloud

set interval 150

set name fortiswitch-dispatch.forticloud.com

set port 443

set service-type flan-cloud

set status enable

end

config system flow-export

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Syntax

config system flow-export

set filter <string>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <integer>

set template-export-period <1-60>

set timeout-general <integer>

set timeout-icmp <integer>

set timeout-max <integer>

set timeout-tcp <integer>

set timeout-tcp-fin <integer>

set timeout-tcp-rst <integer>

set timeout-udp <integer>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Variable

Description

Default

filter <string>

Specify the Berkeley packet filter (BPF) to use. For example, set filter "host 33.33.33.2".

No default

format {netflow1 | netflow5 | netflow9 | ipfix}

You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.

netflow9

identity <hexadecimal>

Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).

0x00000000

level {ip | mac | port | proto | vlan}

You can set the flow-tracking level to one of the following:
  • ip—The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
  • mac—The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
  • port—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
  • vlan—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.

ip

max-export-pkt-size <integer>

Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216.

512

template-export-period <1-60>

Set the number of minutes before the template is exported.

5

timeout-general <integer>

Set the general timeout in seconds for the flow session. The range of values is 60-604800.

3600

timeout-icmp <integer>

Set the ICMP timeout for the flow session. The range of values is 60-604800.

300

timeout-max <integer>

Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.

604800

timeout-tcp <integer>

Set the TCP timeout for the flow session. The range of values is 60-604800.

3600

timeout-tcp-fin <integer>

Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.

300

timeout-tcp-rst <integer>

Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.

120

timeout-udp <integer>

Set the UDP timeout for the flow session. The range of values is 60-604800.

300

config collectors

<collector_name>

Enter the name of the flow-export collector.

No default

ip <IPv4_address>

Enter the IP address for the collector.

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

0.0.0.0

port <port_number>

Enter the port number for the collector.

The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.

0

transport {sctp | tcp | udp}

You can set exported packets to use UDP, TCP, or SCTP for transport.

udp

config aggregates

<aggregate_ID>

Enter the identifier.

No default

ip <IPv4_address_mask>

Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.

No default

Example

This example shows how to configure flow export:

config system flow-export

set format ipfix

set level ip

config collectors

edit flowone

set ip 169.254.3.1

set port 5

set transport tcp

next

end

end
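The flow-key fields that each level above selects, the prefix matching of config aggregates, and the per-protocol idle timeouts, run over a few constructed packet samples. This is an added Python illustration, not FortiSwitchOS code; the order in which the timeout-* settings are consulted (RST, then FIN, then the protocol timeout, then timeout-general) is an assumption.

```python
"""Flow keys for each flow-export 'level', prefix aggregation from
'config aggregates' and the per-protocol idle timeouts from the table above,
run over constructed packet samples. Added illustration, not FortiSwitchOS
code; the timeout precedence (RST, then FIN, then protocol, then general)
is an assumption."""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Fields that form the flow key at each level (from the 'level' description)
LEVEL_FIELDS = {
    "ip":    ("src_ip", "dst_ip"),
    "mac":   ("src_mac", "dst_mac"),
    "proto": ("src_ip", "dst_ip", "proto"),
    "port":  ("src_ip", "dst_ip", "src_port", "dst_port", "proto"),
    "vlan":  ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "vlan"),
}

# Defaults of the timeout-* settings above, in seconds
DEFAULT_TIMEOUTS = {"general": 3600, "icmp": 300, "max": 604800, "tcp": 3600,
                    "tcp-fin": 300, "tcp-rst": 120, "udp": 300}


def aggregate_ip(ip: str, aggregates) -> str:
    """Replace ip by the first 'config aggregates' prefix that contains it."""
    addr = IPv4Address(ip)
    for prefix in aggregates:
        net = IPv4Network(prefix, strict=False)
        if addr in net:
            return str(net)
    return ip


def flow_key(sample: dict, level: str, aggregates=()) -> tuple:
    """Tuple that identifies the flow this sample belongs to at the given level."""
    key = []
    for fld in LEVEL_FIELDS[level]:
        value = sample[fld]
        if fld in ("src_ip", "dst_ip"):
            value = aggregate_ip(value, aggregates)
        key.append(value)
    return tuple(key)


def count_flows(samples, level: str, aggregates=()) -> Counter:
    """Number of samples seen per flow key."""
    return Counter(flow_key(s, level, aggregates) for s in samples)


def idle_timeout(sample: dict, timeouts=DEFAULT_TIMEOUTS) -> int:
    """Inactivity timeout that applies to a flow after this sample."""
    proto = sample["proto"]
    if proto == "tcp":
        flags = sample.get("tcp_flags", "")
        if "R" in flags:
            return timeouts["tcp-rst"]
        if "F" in flags:
            return timeouts["tcp-fin"]
        return timeouts["tcp"]
    return timeouts.get(proto, timeouts["general"])


def default_collector_port(fmt: str) -> int:
    """Collector port to use when none is set (from the collectors table)."""
    return 4739 if fmt == "ipfix" else 2055


# Constructed samples (not captured traffic)
SAMPLES = [
    {"src_mac": "00:11:22:00:00:01", "dst_mac": "00:11:22:00:00:ff", "vlan": 10,
     "src_ip": "10.1.1.5", "dst_ip": "192.0.2.10", "proto": "tcp",
     "src_port": 40000, "dst_port": 443, "tcp_flags": "A"},
    {"src_mac": "00:11:22:00:00:01", "dst_mac": "00:11:22:00:00:ff", "vlan": 10,
     "src_ip": "10.1.1.5", "dst_ip": "192.0.2.10", "proto": "tcp",
     "src_port": 40001, "dst_port": 443, "tcp_flags": "FA"},
    {"src_mac": "00:11:22:00:00:02", "dst_mac": "00:11:22:00:00:ff", "vlan": 10,
     "src_ip": "10.1.1.6", "dst_ip": "192.0.2.10", "proto": "udp",
     "src_port": 5353, "dst_port": 53},
    {"src_mac": "00:11:22:00:00:03", "dst_mac": "00:11:22:00:00:ff", "vlan": 20,
     "src_ip": "10.2.0.9", "dst_ip": "192.0.2.10", "proto": "tcp",
     "src_port": 50000, "dst_port": 443, "tcp_flags": "R"},
]

if __name__ == "__main__":
    for level in LEVEL_FIELDS:
        print(level, len(count_flows(SAMPLES, level)), "flows")
    print("ip with 10.1.1.0/24 aggregate:", dict(count_flows(SAMPLES, "ip", ["10.1.1.0/24"])))
```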

config system global

Use this command to configure global settings that affect various FortiSwitch systems and configurations.

Syntax

config system global

set 802.1x-ca-certificate {Fortinet_802.1x_CA | Fortinet_CA | Fortinet_CA2 | Fortinet_Sub_CA2 | Fortinet_fsw_cloud_CA}

set 802.1x-certificate {Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-concurrent {enable | disable}

set admin-lockout-duration <time_int>

set admin-lockout-threshold <failed_int>

set admin-password-hash {pbkdf2 | pbkdf2-high | sha1 | sha256}

set admin-restrict-local {enable | disable}

set admin-scp {enable | disable}

set admin-ssh-grace-time <time_int>

set admin-ssh-port <port_number>

set admin-ssh-v1 {enable | disable}

set admin-telnet-port <port_number>

set admintimeout <admin_timeout_minutes>

set alertd-relog {enable | disable}

set alert-interval <1-1440 minutes>

set allow-subnet-overlap {enable | disable}

set arp-inspection-monitor-timeout <5-10080 minutes>

set arp-timeout <seconds>

set asset-tag <string>

set cfg-save {automatic | manual | revert}

set cfg-revert-timeout <10-2147483647>

set clt-cert-req {enable | disable}

set csr-ca-attribute {enable | disable}

set daily-restart {enable | disable}

set detect_ip_conflict {enable | disable}

set dhcp-client-location {description | hostname | intfname | mode | vlan}

set dhcp-option-format {ascii | legacy}

set dhcp-remote-id {hostname | ip | mac}

set dhcp-server-access-list {enable | disable}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcps-db-exp <number_of_seconds>

set dhcps-db-per-port-learn-limit <number_of_entries>

set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

set dst {enable | disable}

set hostname <unithostname>

set image-rotation {enable | disable}

set ip-conflict-ignore-default {enable | disable}

set ipv6-accept-dad <0 | 1 | 2>

set ipv6-all-forwarding {enable | disable}

set kernel-crashlog {enable | disable}

set kernel-devicelog {enable | disable}

set l3-host-expiry {enable | disable}

set ldapconntimeout <ldaptimeout_msec>

set post-login-banner "<string>"

set pre-login-banner "<string>"

set private-data-encryption {enable | disable}

set radius-coa-port <port_number>

set radius-port <radius_port>

set remoteauthtimeout <timeout_sec>

set reset-button {enable | disable}

set revision-backup-on-logout {enable | disable}

set revision-backup-on-upgrade {enable | disable}

set single-psu-fault {enable | disable}

set strong-crypto {enable | disable}

set tcp-mss-min <48-10000>

set tcp6-mss-min <48-10000>

set timezone <timezone_number>

end

Variable

Description

Default

802.1x-ca-certificate {Fortinet_802.1x_CA | Fortinet_CA | Fortinet_CA2 | Fortinet_Sub_CA2 | Fortinet_fsw_cloud}

Set the CA certificate for port security (802.1x):
  • Fortinet_802.1x_CA—Select this CA if you are using 802.1x authentication.
  • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_Sub_CA2—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_fsw_cloud—Select this CA if you are using FortiLAN Cloud.

Fortinet_802.1x_CA

802.1x-certificate {Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Set the certificate for port security (802.1x):
  • Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Fortinet_802.1x

admin-concurrent {enable | disable}

Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.

enable

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.

60

admin-lockout-threshold <failed_int>

Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.

3

admin-password-hash {pbkdf2 | pbkdf2-high | sha1 | sha256}

Select which hash algorithm is used to encode passwords for new administrator accounts:

  • pbkdf2—Use the PBKDF2 hash algorithm with a lower iteration count.

  • pbkdf2-high—Use the PBKDF2 hash algorithm with a higher iteration count.

  • sha1—Use the SHA1 hash algorithm.

  • sha256—Use the SHA256 hash algorithm.

sha256

admin-restrict-local {enable | disable}

Enable/disable local admin authentication restriction when remote authenticator is up and running.

  • enable—Enable local admin authentication restriction.

  • disable—Disable local admin authentication restriction.

disable

admin-scp {enable | disable}

Enable to allow system configuration download by the secure copy (SCP) protocol.

disable

admin-ssh-grace-time <time_int>

Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds.

120

admin-ssh-port <port_number>

Enter the port to use for SSH administrative access.

22

admin-ssh-v1 {enable | disable}

Enable compatibility with SSH v1.0.

disable

admin-telnet-port <port_number>

Enter the port to use for telnet administrative access.

23

admintimeout <admin_timeout_minutes>

Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).

To improve security, keep the idle timeout at the default value of 5 minutes.

5

alertd-relog {enable | disable}

Enable or disable re-logs when a sensor exceeds its threshold.

disable

alert-interval <1-1440 minutes>

NOTE: This command is only available after the alertd-relog option has been enabled.

Set how often an alert is generated for temperature sensors when they exceed their set thresholds.

30

allow-subnet-overlap {enable | disable}

Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.

Note: Different interfaces cannot have overlapping IP addresses or subnets.

Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

disable

arp-inspection-monitor-timeout <5-10080 minutes>

Set the number of minutes before the MAC addresses, VLAN identifiers, and IP addresses that were learned from ARP traffic are removed from the DHCP-snooping database. When arp-inspection-monitor-timeout is set to 0, the ARP traffic entries do not expire and are not removed from the DHCP-snooping database.

1440

arp-timeout <seconds>

Set the number of seconds before dynamic ARP entries are removed from the cache.

180

asset-tag <string>

LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).

No default

cfg-save {automatic | manual | revert}

Set the method for saving the FortiSwitch system configuration and enter runtime-only configuration mode. Methods for saving the configuration are:
  • automatic: the configuration is saved automatically after every change.
  • manual: the configuration is saved manually using the execute acl key-compaction command.
  • revert: the current configuration is saved manually and is reverted to after cfg-revert-timeout expires.
Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.

automatic

cfg-revert-timeout <10-2147483647>

After the configuration change, wait the specified number of seconds, restart the FortiSwitch unit, and revert to the last saved configuration if the configuration is not manually saved within the period.

Before FortiSwitchOS 7.2.1, there was no reboot before the configuration was reverted.

This command is available only when cfg-save is set to revert.

600

clt-cert-req {enable | disable}

Enable or disable the requirement to have a client certificate to log in to the GUI.

disable

csr-ca-attribute {enable | disable}

Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.

enable

daily-restart {enable | disable}

Enable to restart the FortiSwitch unit every day.

The time of the restart is controlled by restart-time.

disable

detect_ip_conflict {enable | disable}

Enable the Detect IP Conflict feature.

enable

dhcp-client-location {description | hostname | intfname | mode | vlan}

Select which parameters to include to describe the client location. Separate multiple parameters with a space.
  • description—Include the interface description.
  • hostname—Include the host name.
  • intfname—Include the interface name.
  • mode—Include the mode.
  • vlan—Include the VLAN.

intfname vlan mode

dhcp-option-format {ascii | legacy}

Select the format for the DHCP string:
  • ascii—This format allows the user to choose the values for the circuit-id and remote-id fields.
  • legacy—This format generates a predefined fixed format for the circuit-id and remote-id fields.

ascii

dhcp-remote-id {hostname | ip | mac}

Select which parameters to include in the remote-id field:
  • hostname—Include the host name.
  • ip—Include the IP address.
  • mac—Include the MAC address.

mac

dhcp-server-access-list {enable | disable}

Set to disable for DHCP snooping to allow any DHCP server from trusted interfaces. Set to enable for DHCP snooping to allow only DHCP servers that are included in the allowed server list.

disable

dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

Select which transmission mode to use for broadcasting client DHCP packets:
  • drop-untrusted—Client packets are broadcasted on trusted ports in the VLAN.
  • forward-untrusted—By default, client packets are broadcasted on all ports in the VLAN.

drop-untrusted

dhcps-db-exp <number_of_seconds>

Set the number of seconds for a DHCP-snooping server database entry to be kept. The range of values is 300-259200.

86400

dhcps-db-per-port-learn-limit <number_of_entries>

Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024.

64

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

Specify the minimum size (in bits) of the Diffie-Hellman prime for SSH/HTTPS.

2048

dst {enable | disable}

Enable or disable daylight saving time.

If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.

enable

hostname <unithostname>

Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underscores. No spaces are allowed.

While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI, and other locations the hostname is used.

Some models support hostnames up to 35 characters.

By default the hostname of your system is its serial number which includes the model.

FortiSwitch serial number.

image-rotation {enable | disable}

Enable or disable the rotation of the partition used to upgrade the FortiSwitch image.

enable

ip-conflict-ignore-default {enable | disable}

Enable or disable IP conflict detection for the default IP address.

enable

ipv6-accept-dad <0 | 1 | 2>

Specify whether to accept IPv6 duplicate address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found.

1

ipv6-all-forwarding {enable | disable}

Enable or disable IPv6 forwarding.

enable

kernel-crashlog {enable | disable}

Enable or disable whether to log a kernel crash.

enable

kernel-devicelog {enable | disable}

Enable or disable the capture of kernel device messages to the log.

enable

l3-host-expiry {enable | disable}

Enable or disable layer-3 host expiry.

disable

ldapconntimeout <ldaptimeout_msec>

LDAP connection timeout in milliseconds.

500

post-login-banner "<string>"

Enter a message for the system post-login banner.

No default

pre-login-banner "<string>"

Enter a message for the system pre-login banner.

No default

private-data-encryption {enable | disable}

Enable or disable private data encryption using an AES 128-bit key.

disable

radius-coa-port <port_number>

Set the port number to be used for the RADIUS change of authorization (CoA).

3799

radius-port <radius_port>

Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your system.

1812

remoteauthtimeout <timeout_sec>

The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds; 0 means no timeout.

To improve security, keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

5

reset-button {enable | disable}

Enable or disable the FortiSwitch hardware Reset button:

  • Set this option to enable to be able to use the FortiSwitch hardware Reset button, even if the OS is running.

  • Set this option to disable to disable the FortiSwitch hardware Reset button while the OS is running.

enable

revision-backup-on-logout {disable | enable}

Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI.

enable

revision-backup-on-upgrade {enable | disable}

Enable or disable backing up the latest configuration revision when the administrator starts an upgrade.

enable

single-psu-fault {enable | disable}

Enable this option to have the ALARM LED turn red when only one power supply unit (PSU) is connected. If you disable this option, the ALARM LED will not turn red, even when one or two PSUs are connected.

NOTE: This option is only available for the FSR-112D-POE (system part number P17080-04 or later) and FSR-216F-POE models. You can check the system part number with the get system status command.

disable

strong-crypto {enable | disable}

Strong encryption only allows strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by Firefox.

enable

tcp-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

tcp6-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

timezone <timezone_number>

The number corresponding to your time zone from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiSwitch from the list and enter the correct number.

00

Example

This example shows how to set your private data encryption key:

S548DN5018000535 # config system global

S548DN5018000535 (global) # set private-data-encryption enable

S548DN5018000535 (global) # end

Please type your private data encryption key (32 hexadecimal numbers):

0123456789abcdefabcdef0123456789

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

0123456789abcdefabcdef0123456789

Your private data encryption key is accepted.

This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try again to log in to five minutes:

config system global

set admin-lockout-threshold 1

set admin-lockout-duration 300

end

config system interface

Use this command to edit the configuration of an interface.

If you enter a name string in the edit command that is not the name of a physical interface, the command creates a VLAN subinterface.

Syntax

config system interface

edit <interface_name>

set allowaccess <access_types>

set alias <name_string>

set bfd {enable | disable | global}

set bfd-desired-min-tx <interval_msec>

set bfd-detect-mult <multiplier>

set bfd-required-min-rx <interval_msec>

set description <text>

set dhcp-relay-service {enable | disable}

set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

set dhcp-relay-option82 {enable | disable}

set dhcp-vendor-specific-option <string>

set external {enable | disable}

set fail-detect {enable | disable}

set fail-detect-option {link-down | detectserver}

set fail-alert-method {link-down | link-failed-signal}

set fail-alert-interfaces {port1 port2 ...}

set icmp-redirect {enable | disable}

set interface <interface_name>

set ip <interface_ipv4mask>

set log {enable | disable}

set l2-interface <interface_name>

set mode <static | dhcp>

set dhcp-client-identifier <client_name_str>

set distance <1-255>

set defaultgw {enable | disable}

set dns-server-override {enable | disable}

set mtu-override {enable | disable}

set secondary-IP {enable | disable}

set snmp-index <integer>

set src-check {disable | loose | strict}

set src-check-allow-default {enable | disable}

set status {down | up}

set type {loopback | physical | vlan | vxlan}

set vlanid <id_number>

set vrf <string>

set vrrp-virtual-mac {enable | disable}

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local <IPv6_link_local_address>

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-address

edit <prefix_ipv6>

next

end

config vrrp6

edit <virtual_router_identifier>

set accept-mode {enable | disable}

set adv-interval <1-255>

set preempt {enable | disable}

set priority <1-255>

set start-time <1-255>

set status {enable | disable}

set vrdst6 <IPv6_address>

set vrgrp <1-65535>

set vrip6 <IPv6_address>

next

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set backup-vmac-fwd {enable | disable}

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

next

end

A VLAN cannot have the same name as a zone or a virtual domain.

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

Varies for each interface.

alias <name_string>

Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is available only when the interface type is physical.

No default.

bfd {enable | disable | global}

The status of bidirectional forwarding detection (BFD) on this interface:
  • enable — enable BFD and ignore global BFD configuration.
  • disable — disable BFD on this interface.
  • global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.

global

bfd-desired-min-tx <interval_msec>

Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec. This option is available only when bfd is enabled.

50

bfd-detect-mult <multiplier>

Select the BFD detection multiplier. This option is available only when bfd is enabled.

3

bfd-required-min-rx <interval_msec>

Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec. This option is available only when bfd is enabled.

50

description <text>

Optionally, enter up to 63 characters to describe this interface.

No default

dhcp-relay-service {enable | disable}

Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.

There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.

disable

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept.

Do not set dhcp-relay-ip to 0.0.0.0. This option is available only when dhcp-relay-service is enabled.

No default

dhcp-relay-option82 {enable | disable}

Enable to allow option-82 insertion in the DHCP relay. This option is available only when dhcp-relay-service is enabled.

disable

dhcp-vendor-specific-option <string>

Set the value for DHCP vendor-specific option 43.

No default

external {enable | disable}

Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the config VoIP profile SIP contact-fixup option is disabled.

disable

fail-detect {enable | disable}

Enable interface failure detection.

disable

fail-detect-option {link-down | detectserver}

Select whether the system detects interface failure by port detection (link-down) or ping server (detectserver). This option is available only when fail-detect is enabled.

link-down

fail-alert-method {link-down | link-failed-signal}

Select the signal that the system uses to report a link failure: Link Down or Link Failed. This option is available only when fail-detect is enabled.

link-down

fail-alert-interfaces {port1 port2 ...}

Select the interfaces to which failure detection applies. This option is available only when fail-detect is enabled.

No default

icmp-redirect {enable | disable}

Disable to stop ICMP redirect from sending from this interface. ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available.

enable

interface <interface_name>

Enter the name of the interface. This option is available only when vlanid is set.

internal

ip <interface_ipv4mask>

Enter the interface IP address and netmask. This option is not available if mode is set to dhcp. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.

Varies for each interface.

log {enable | disable}

Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting.

disable

l2-interface <interface_name>

Enter the name of the layer-2 interface.

This option is available only when the interface type is physical.

No default

mode <interface_mode>

Configure the connection mode for the interface as one of:

  • static—Configure a static IP address for the interface.
  • dhcp—Configure the interface to receive its IP address from an external DHCP server.

static

dhcp-client-identifier <client_name_str>

Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual interfaces). By default, the DHCP client identifier for each interface is created based on the model name and the interface MAC address. In some cases, you might want to specify your own DHCP client identifier using this command. This option is available only when the mode is set to dhcp.

No default

distance <1-255>

Enter the distance of learned routes.

This command is available only when mode is set to dhcp.

5

defaultgw {enable | disable}

Enable to get the gateway IP address from the DHCP server. This option is available only when the mode is set to dhcp.

disable

dns-server-override {enable | disable}

Disable to prevent this interface from using DNS server addresses it acquires by DHCP. This option is available only when the mode is set to dhcp.

enable

mtu-override {enable | disable}

Select enable to use a custom MTU size instead of the default (1,500). This is available only for physical interfaces and some tunnel interfaces (not IPsec). If you change the MTU size, you must reboot the FortiSwitch to update the MTU values of the VLANs on this interface. Some models support MTU sizes larger than the standard 1,500 bytes.

disable

secondary-IP {enable | disable}

Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address. When disabled, the Web-based manager interface displays only the option to enable secondary IP.

disable

snmp-index <integer>

Configure the SNMP index.

src-check {disable | loose | strict}

Set to disable if you do not want to use unicast reverse-path forwarding (uRPF).

Set to strict to ensure that the packet was received on the same interface that the router uses to forward the return packet.

Set to loose to ensure that the routing table includes the source IP address of the packet.

disable

src-check-allow-default {enable | disable}

If you disable this option, the packet is dropped if the source IP address is not found in the routing table. If you enable this option, the packet is allowed even if the source IP address is not found in the routing table, as long as a default route is found in the routing table.

This option is available only when src-check is set to loose.

disable
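The three src-check modes and the src-check-allow-default exception described above, modelled in Python as an added example (not FortiSwitch code). The routing table, interface names and source addresses are constructed; one assumption of mine is that a source reachable only through the default route counts as "not found in the routing table".

```python
import ipaddress

# Constructed sample routing table (prefix, egress interface); not taken from any
# real FortiSwitch. Longest-prefix match selects the route back to a source address.
ROUTES = [
    ("0.0.0.0/0", "port1"),        # default route
    ("10.10.0.0/16", "vlan10"),
    ("10.10.8.0/24", "vlan18"),    # more specific than 10.10.0.0/16
    ("192.168.1.0/24", "internal"),
]


def lookup_route(routes, addr):
    """Return the longest-prefix-matching (network, interface) for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def src_check(routes, src, in_iface, mode="disable", allow_default=False):
    """Model of src-check {disable | loose | strict} plus src-check-allow-default.

    Returns True when the packet is accepted, False when uRPF drops it.
    Assumption (mine, not stated on the page): a source that matches only the
    default route counts as "not found in the routing table".
    """
    if mode == "disable":
        return True                     # uRPF off: never drop on source address
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be disable, loose or strict")

    match = lookup_route(routes, src)
    if match is None:
        return False                    # no route at all (only possible without a default route)
    net, egress = match
    found = net.prefixlen > 0           # a default-route hit is not a real route to the source

    if mode == "strict":
        # strict: the return path to the source must leave via the ingress interface
        return found and egress == in_iface

    # loose: any route to the source suffices; with src-check-allow-default enabled,
    # a default-route match is accepted as well
    return found or allow_default


if __name__ == "__main__":
    cases = [
        ("10.10.8.5", "vlan18", "strict", False),
        ("10.10.8.5", "vlan10", "strict", False),   # spoofed: best route back is via vlan18
        ("8.8.8.8", "port1", "loose", False),
        ("8.8.8.8", "port1", "loose", True),
    ]
    for src, iface, mode, allow in cases:
        verdict = "accept" if src_check(ROUTES, src, iface, mode, allow) else "drop"
        print(f"{src:>12} in via {iface:<8} {mode:<6} allow-default={allow!s:<5} -> {verdict}")
```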

status {down | up}

Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

up (down for VLANs)

type {loopback | physical | vlan | vxlan}

Enter the type of interface. NOTE: Some types are read only and are set automatically by hardware.
  • loopback—a virtual interface that is always up. This interface’s status and link status are not affected by external changes. It is primarily used for blackhole routing - dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. Loopback interfaces have no DHCP settings, no forwarding, no mode, or DNS settings. You can create a loopback interface from the CLI or Web-based manager.
  • physical—a physical interface.
  • vlan—a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.
  • vxlan— a virtual extensible LAN interface.

vlan

vlanid <id_number>

Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of VLAN.

No default

vrf <string>

Assign this virtual routing and forwarding (VRF) instance to a switch virtual interface (SVI).

After the SVI is created, the VRF instance cannot be changed or unset. The VRF instance cannot be assigned to an internal SVI.

No default

vrrp-virtual-mac {enable | disable}

Enable VRRP virtual MAC addresses for the IPv4 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ipv6

Configure IPv6 settings for the interface.

Syntax

config system interface

edit <interface_name>

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local <IPv6_link_local_address>

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-address

edit <prefix_ipv6>

next

end

config vrrp6

edit <virtual_router_identifier 1-255>

set accept-mode {enable | disable}    Enable or disable accept mode (enable by default).

set adv-interval <1-255>    Advertisement interval, 1 to 255 seconds (1 by default).

set preempt {enable | disable}    Enable or disable preempt mode (enable by default).

set priority <1-255>    Priority of the virtual router, 1 to 255 (100 by default).

set start-time <1-255>    Startup time, 1 to 255 seconds (3 by default).

set status {enable | disable}    Enable or disable VRRP (enable by default).

set vrdst6 <IPv6_address>    Monitor the route to this destination (no default).

set vrgrp <1-65535>    VRRP group ID, 1 to 65535 (0 by default).

set vrip6 <IPv6_address>    IPv6 address of the virtual router (no default). Required.

next

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

ip6-address <ipv6_netmask>

The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.

This command is only available in NAT/Route mode.

::/0

ip6-allowaccess <access_types>

Enter the types of management access permitted on this IPv6 interface. Valid types are: fgfm, http, https, ping, snmp, ssh, and telnet. Separate the types with spaces. If you want to add or remove an option from the list, retype the list as required.

Varies for each interface.

autoconf {disable | enable}

Enable or disable the automatic address configuration.

disable

ip6-unknown-mcast-to-cpu {disable | enable}

Enable or disable the sending of unknown multicast addresses to the CPU.

disable

ip6-mode {dhcp | static}

Set the addressing mode to be static or DHCP.

DHCP addressing mode is available only when autoconf is disabled.

static

ip6-dns-server-override {disable | enable}

Enable or disable using the DNS server acquired by DHCP.

This command is available only when the ip6-mode is set to dhcp.

enable

dhcp6-information-request {disable | enable}

Enable or disable the DHCPv6 information request.

disable

ip6-send-adv {disable | enable}

Enable or disable the sending of the IPv6 router advertisement.

This command is only available when autoconf is disabled.

disable

ip6-manage-flag {disable | enable}

Enable or disable the sending of the IPv6 managed flag.

disable

ip6-other-flag {disable | enable}

Enable or disable the sending of the IPv6 other flag.

disable

ip6-max-interval <4-1800>

Specify the maximum number of seconds before the RA is sent.

600

ip6-min-interval <3-1350>

Specify the minimum number of seconds before the RA is sent.

198

ip6-link-mtu <integer>

Specify the IPv6 link maximum transmission unit.

0

ip6-reachable-time <0-3600000>

Specify the IPv6 reachable time in milliseconds.

0

ip6-retrans-time <0-2147483647>

Specify the IPv6 retransmit time in milliseconds.

0

ip6-default-life <0-9000>

Specify the IPv6 default life in seconds.

1800

ip6-hop-limit <0-255>

Specify the maximum number of IPv6 hops.

0

vrip6_link_local <IPv6_link_local_address>

Enter the link-local IPv6 address of the virtual router.

No default

vrrp-virtual-mac6 {enable | disable}

Enable VRRP virtual MAC addresses for the IPv6 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ip6-extra-addr

<prefix_ipv6>

IPv6 address prefix. Configure additional IPv6 prefixes for this IPv6 interface.

No default

config vrrp6

<virtual_router_identifier 1-255>

Enter the VRRP virtual router identifier. The range of values is 1-255.

No default

accept-mode {enable | disable}

Enable or disable the VRRP accept mode.

enable

adv-interval <1-255>

Enter the VRRP advertisement interval. The range of values is 1-255 seconds.

1

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

enable

priority <1-255>

Enter the priority of this virtual router. The VRRP virtual router on a network with the highest priority becomes the master. The range of values is 1-255.

100

start-time <1-255>

The startup time of this virtual router. The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system. The range of values is 1-255 seconds.

3

status {enable | disable}

Enable or disable this virtual router.

enable

vrdst6 <IPv6_address>

Monitor the route to this destination.

No default

vrgrp <1-65535>

Enter the VRRP group identifier. The value range is 1-65535.

0

vrip6 <IPv6_address>

Required. Enter the IPv6 address of the virtual router.

No default

config ip6-prefix-list

<prefix_ipv6>

IPv6 advertised prefix list. Configure which IPv6 prefixes are advertised.

No default

autonomous-flag {disable | enable}

Enable or disable the autonomous flag.

enable

onlink-flag {disable | enable}

Enable or disable the onlink flag.

disable

preferred-life-time <0-2147483647>

Specify the preferred lifetime in seconds for the advertised IPv6 prefix.

604800

valid-life-time <0-2147483647>

Specify the valid lifetime in seconds for the advertised IPv6 prefix.

2592000

Example

This example shows how to configure VRRP using IPv6:

config system interface

edit "vlan30"

set ip 30.0.0.5 255.255.255.0

set allowaccess ping https http ssh telnet

config vrrp

edit 10

set vrip 30.0.0.1

next

end

set snmp-index 82

config ipv6

set ip6-address 2000::30:0:0:5/120

config ip6-extra-addr

edit 2000::30:3:3:5/120

next

edit 2000::30:3:4:5/120

next

end

set ip6-allowaccess ping https http ssh telnet

set vrrp-virtual-mac6 enable

set vrip6_link_local fe80::30:0:0:1

config vrrp6

edit 10

set vrip6 2000::30:0:0:1

next

end

end

set vlanid 30

set interface "internal"

next

end

config system interface

edit "port26"

set ip 30.44.0.5 255.255.255.0

set allowaccess ping https http ssh telnet

set type physical

set l2-interface "port26"

set vrrp-virtual-mac enable

config vrrp

edit 10

set vrip 30.44.0.1

next

end

set snmp-index 102

config ipv6

set ip6-address 2000::30:44:0:5/120

set ip6-allowaccess ping https http ssh telnet

set vrrp-virtual-mac6 enable

set vrip6_link_local fe80::30:44:0:1

config vrrp6

edit 10

set vrip6 2000::30:44:0:1

next

end

end

next

end

config secondaryip

Configure a second IP address for the interface.

Syntax

config system interface

edit <interface_name>

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<id>

Identifier.

No default

ip <IP_address_and_netmask>

Enter the IP address and netmask.

0.0.0.0 0.0.0.0

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

No default

config vrrp

Add one or more VRRP virtual routers to an interface. For information about VRRP, see RFC 5798.

Syntax

config system interface

edit <interface_name>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set backup-vmac-fwd {enable | disable}

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<VRID_int>

VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.

None

adv-interval <seconds_int>

VRRP advertisement interval (1-255 seconds).

1

backup-vmac-fwd {enable | disable}

Enable or disable whether virtual MAC addresses are forwarded for VRRP backup.

enable

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

enable

priority <prio_int>

Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.

100

start-time <seconds_int>

The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system.

3

status {enable | disable}

Enable or disable this virtual router.

enable

version {2 | 3}

Set the VRRP version to VRRP version 2 or VRRP version 3.

2

vrdst <ipv4_addr>

Monitor the route to this destination.

0.0.0.0

vrgrp <integer>

VRRP group identifier. The value range is 1-65535.

0

vrip <ipv4_addr>

IP address of the virtual router.

0.0.0.0

Example

This example shows how to configure VRRP:

config system interface

edit "vlan-8"

set ip 10.10.10.1 255.255.255.0

set allowaccess ping https http ssh

set vrrp-virtual-mac enable

config vrrp

edit 5

set priority 255

set vrgrp 50

set vrip 11.1.1.100

next

edit 6

set priority 200

set vrgrp 50

set vrip 11.1.1.100

next

edit 7

set priority 150

set vrgrp 50

set vrip 11.1.1.100

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end
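How priority, preempt and start-time interact in the election described above (highest priority becomes master; a backup declares the master down after start-time seconds without advertisements; a higher-priority router takes over only when its preempt mode is enabled), as an added Python model that is not FortiSwitch code. The router names, the priorities borrowed from the example above, and the timer-driven `tick`/`advertise` model are my own simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    priority: int           # 1-255; the highest priority becomes master
    preempt: bool = True    # a higher-priority backup may preempt a lower-priority master
    start_time: int = 3     # seconds a backup waits between advertisements before acting
    up: bool = True
    role: str = "backup"


class VrrpGroup:
    """Constructed toy model of one VRID (illustration only, not FortiSwitch code).
    Only advertisement timing, priority and preempt are modelled."""

    def __init__(self, routers: List[VrrpRouter], now: float = 0.0):
        self.routers: Dict[str, VrrpRouter] = {r.name: r for r in routers}
        self.last_adv = now          # when the last master advertisement was seen
        self.elect(now)

    def master(self) -> Optional[VrrpRouter]:
        return next((r for r in self.routers.values() if r.role == "master"), None)

    def elect(self, now: float) -> Optional[VrrpRouter]:
        """Highest priority among the routers that are up becomes master."""
        for r in self.routers.values():
            r.role = "backup"
        alive = [r for r in self.routers.values() if r.up]
        if not alive:
            return None
        winner = max(alive, key=lambda r: r.priority)
        winner.role = "master"
        self.last_adv = now
        return winner

    def advertise(self, now: float) -> None:
        """The master sends an advertisement; a failed master sends nothing."""
        m = self.master()
        if m is not None and m.up:
            self.last_adv = now

    def tick(self, now: float) -> Optional[VrrpRouter]:
        """Backups treat the master as down once silence exceeds their start-time."""
        m = self.master()
        backups = [r for r in self.routers.values() if r.up and r.role == "backup"]
        if not backups:
            return m
        if m is None or now - self.last_adv > min(r.start_time for r in backups):
            return self.elect(now)
        return m

    def router_down(self, name: str) -> None:
        # The role is kept until the backups notice the missing advertisements.
        self.routers[name].up = False

    def router_up(self, name: str, now: float) -> Optional[VrrpRouter]:
        """A returning router preempts only if preempt is enabled and it outranks the master."""
        r = self.routers[name]
        r.up = True
        m = self.master()
        if m is None:
            return self.elect(now)
        if r.preempt and r.priority > m.priority:
            m.role = "backup"
            r.role = "master"
            self.last_adv = now
        return self.master()


if __name__ == "__main__":
    group = VrrpGroup([VrrpRouter("A", 255), VrrpRouter("B", 200), VrrpRouter("C", 150)])
    print("initial master:", group.master().name)
    group.router_down("A")
    print("2.5 s of silence, master still believed to be:", group.tick(2.5).name)
    print("3.5 s of silence, new master:", group.tick(3.5).name)
    print("A returns with preempt enabled, master:", group.router_up("A", 5.0).name)
```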

config system ipv6-neighbor-cache

Use this command to configure the IPv6 neighbor cache table:

config system ipv6-neighbor-cache

edit <id>

set interface {<string> | internal | mgmt}

set ipv6 <IPv6_address>

set mac <MAC_address>

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

interface <interface_name>

Required. Enter the interface.

No default

ipv6 <IPv6_address>

Enter the IPv6 address in the following format:

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

::

mac <MAC_address>

Enter the MAC address in the following format:

xx:xx:xx:xx:xx:xx

00:00:00:00:00:00

Example

This example shows how to configure an entry in the IPv6 neighbor cache table.

config system ipv6-neighbor-cache

edit 1

set interface internal

set ipv6 fe80::a5b:eff:fef1:95e4

set mac 00:21:cc:d2:76:72

end

config system link-monitor

Use this command to configure the link health monitor.

config system link-monitor

edit <link monitor name>

set addr-mode {ipv4 | ipv6}

set srcintf <string>

set server <IP_address1>, <IP_address2>, ...

set protocol {arp | ping}

set gateway-ip <IPv4 address>

set gateway-ip6 <IPv6 address>

set source-ip <IPv4 address>

set source-ip6 <IPv6 address>

set interval <integer>

set timeout <integer>

set failtime <integer>

set recoverytime <integer>

set update-static-route {enable | disable}

set status {enable | disable}

next

end

Variable

Description

Default

<link monitor name>

Enter the link monitor name.

No default

addr-mode {ipv4 | ipv6}

Select whether to use IPv4 or IPv6 addresses.

ipv4

srcintf <string>

Interface where the monitor traffic is sent.

No default

server <IP_address1>, <IP_address2>, ...

The IP address(es) of the server(s). Use a comma to separate multiple IP addresses.

No default

protocol {arp | ping}

Protocols used to detect the server. Select ARP or ping.

ping

gateway-ip <IPv4 address>

Gateway IPv4 address used to ping the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

gateway-ip6 <IPv6 address>

Gateway IPv6 address used to ping the server. This option is available only when addr-mode is set to ipv6.

No default

source-ip <IPv4 address>

Source IPv4 address used in the packets sent to the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

source-ip6 <IPv6 address>

Source IPv6 address used in the packets sent to the server. This option is available only when addr-mode is set to ipv6.

No default

interval <integer>

Detection interval in seconds. The range is 1-3600.

5

timeout <integer>

Detect request timeout in seconds. The range is 1-255.

1

failtime <integer>

Number of failed detection attempts before the server is marked down. The range is 1-10.

5

recoverytime <integer>

Number of successful detection attempts before the server is marked up again. The range is 1-10.

5

update-static-route {enable | disable}

Enable or disable updating the static route according to the link monitor status.

enable

status {enable | disable}

Enable or disable link monitor administrative status.

enable

config system location

Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.

config system location

edit <name>

config address-civic

set additional <string>

set additional-code <string>

set block <string>

set branch-road <string>

set building <string>

set city <string>

set city-division <string>

set country <string>

set country-subdivision <string>

set county <string>

set direction <string>

set floor <string>

set landmark <string>

set language <string>

set name <string>

set number <string>

set number-suffix <string>

set place-type <string>

set post-office-box <string>

set postal-community <string>

set primary-road <string>

set road-section <string>

set room <string>

set script <string>

set seat <string>

set street <string>

set street-name-post-mod <string>

set street-name-pre-mod <string>

set street-suffix <string>

set sub-branch-road <string>

set trailing-str-suffix <string>

set unit <string>

set zip <string>

end

config coordinates

set altitude <string>

set altitude-unit {f | m}

set datum {NAD83 | NAD83/MLLW | WGS84}

set latitude <string>

set longitude <string>

end

config elin-number

set elin-number <number>

end

Variable

Description

Default

<name>

Enter a unique name for the location entry.

No default

config address-civic

additional <string>

Enter additional location information, for example, west wing.

No default

additional-code <string>

Enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code.

No default

block <string>

Enter the neighborhood (Korea) or block.

No default

branch-road <string>

Enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road.

No default

building <string>

Enter the name of the building (structure) if the address includes more than one building, for example, Law Library.

No default

city <string>

Enter the city (Germany), township, or shi (Japan).

No default

city-division <string>

Enter the city division, borough, city district (Germany), ward, or chou (Japan).

No default

country <string>

Enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE.

No default

country-subdivision <string>

Enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.

No default

county <string>

Enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India).

No default

direction <string>

Enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.

No default

floor <string>

Enter the floor number, for example, 4.

No default

landmark <string>

Enter the nickname, landmark, or vanity address, for example, UC Berkeley.

No default

language <string>

Enter the ISO 639 language code used for the address information.

No default

name <string>

Enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon.

No default

number <string>

Enter the street address, for example, 1560.

No default

number-suffix <string>

Enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number-suffix.

No default

place-type <string>

Enter the type of place, for example, home, office, or street.

No default

post-office-box <string>

Enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value.

No default

postal-community <string>

Enter the postal community name, for example, Alviso. When the postal-community name is set, the civic community name is replaced by this value.

No default

primary-road <string>

Enter the primary road or street name for the address.

No default

road-section <string>

Enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road.

No default

room <string>

Enter the room number, for example, 7A.

No default

script <string>

Enter the script used to present the address information, for example, Latn.

No default

seat <string>

Enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show.

No default

street <string>

Enter the street (Canada, Germany, Korea, and United States).

No default

street-name-post-mod <string>

Enter an optional part of the street name that appears after the actual street name. If the full street name is East End Avenue Extended, the street-name-post-mod is Extended.

No default

street-name-pre-mod <string>

Enter an optional part of the street name that appears before the actual street name. If the full street name is Old North First Street, the street-name-pre-mod is Old.

No default

street-suffix <string>

Enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C.

No default

sub-branch-road <string>

Enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street.

No default

trailing-str-suffix <string>

Enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.

No default

unit <string>

Enter the unit (apartment or suite), for example, Apt 27.

No default

zip <string>

Enter the postal or zip code for the address, for example, 94089-1345.

No default

config coordinates

altitude <string>

Enter the vertical height of a location using the altitude-unit to specify the unit used. The format is +/- floating point number, for example, 117.47.

No default

altitude-unit {f | m}

Select whether the altitude is measured in m (meters) or f (floors).

m

datum {NAD83 | NAD83/MLLW | WGS84}

Select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.

WGS84

latitude <string>

Enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N.

No default

longitude <string>

Enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E.

No default

config elin-number

elin-number <number>

Enter the emergency location identification number (ELIN), which is a unique phone number. The value is a 10 to 20 byte numerical string.

No default

Example

This example shows how to configure the location table for Fortinet.

config system location

edit Fortinet

config address-civic

set country "US"

set language "en"

set county "Santa Clara"

set city "Sunnyvale"

set street "Kifer"

set street-suffix "Road"

set number "899"

set zip "94086"

set building "1"

set floor "1"

set seat "1293"

end

config elin-number

set elin-number "14082357700"

end

end

config system ntp

Use this command to configure Network Time Protocol (NTP) servers.

Syntax

config system ntp

set allow-unsync-source {enable | disable}

set authentication {enable | disable}

set log-time-adjustments {enable | disable}

set ntpsync {enable | disable}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

set syncinterval <interval_int>

config ntpserver

edit <serverid_int>

set authentication {enable | disable}

set key <string>

set key-id <integer>

set ntpv3 {enable | disable}

set server {<ipv4_addr>| <ipv6_addr>}

end

end

Variable

Description

Default

allow-unsync-source {enable | disable}

Enable or disable accepting time from an NTP server that is not itself synchronized.

disable

authentication {enable | disable}

Enable or disable authentication.

disable

log-time-adjustments {enable | disable}

Enable or disable logging when NTP adjusts the system time.

enable

ntpsync {enable | disable}

Enable or disable whether the system time is synchronized with the NTP server.

enable

source-ip <ipv4_addr>

Enter the source IPv4 address for communication with the NTP server.

0.0.0.0

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communication with the NTP server.

No default

syncinterval <interval_int>

Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1,440 minutes.

This option is available only when ntpsync is enabled.

10

<serverid_int>

Enter the number for this NTP server entry.

No default

authentication {enable | disable}

Enable or disable authentication. If you enable authentication and use the NTPv3 protocol, MD5 authentication is used. If you enable authentication and use the NTPv4 protocol, SHA1 authentication is used.

disable

key <string>

If authentication is enabled, enter a key for authentication.

No default

key-id <integer>

If authentication is enabled, enter a key identifier for authentication.

0

ntpv3 {enable | disable}

Enable this option to use the NTPv3 protocol. Disable this option to use the NTPv4 protocol.

disable

server {<ipv4_addr> | <ipv6_addr>}

Enter the IPv4 or IPv6 address for this NTP server.

No default

Example

This example shows how to configure an NTP server:

config system ntp

set authentication enable

set ntpsync enable

set syncinterval 5

set source-ip 192.168.4.5

end

config system password-policy

Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared keys.

Syntax

config system password-policy

set status enable

set apply-to [admin-password ipsec-preshared-key]

set change-4-characters {enable | disable}

set minimum-length <chars>

set min-lower-case-letter <num_int>

set min-upper-case-letter <num_int>

set min-non-alphanumeric <num_int>

set min-number <num_int>

set expire-status {enable | disable}

set expire-day <num_int>

end

Variable

Description

Default

status enable

Enable password policy. The password policy cannot be disabled.

enable

apply-to [admin-password ipsec-preshared-key]

Select where the policy applies: administrator passwords or IPsec pre-shared keys. This option is available only when status is enabled.

admin-password

change-4-characters {enable | disable}

Enable to require the new password to differ from the old password by at least four characters. This option is available only when status is enabled.

disable

minimum-length <chars>

Set the minimum password length in characters. The range is 8 to 32. This option is available only when status is enabled.

8

min-lower-case-letter <num_int>

Enter the minimum number of required lower case letters in every password. This option is available only when status is enabled.

0

min-upper-case-letter <num_int>

Enter the minimum number of required upper case letters in every password. This option is available only when status is enabled.

0

min-non-alphanumeric <num_int>

Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when status is enabled.

0

min-number <num_int>

Enter the minimum number of number characters required in every password. This option is available only when status is enabled.

0

expire-status {enable | disable}

Enable to have passwords expire. This option is available only when status is enabled.

enable

expire-day <num_int>

Enter the number of days after which the current password expires and the user is required to change it. This option is available only when status is enabled and expire-status is enabled.

90

Example

This example shows how to configure a password policy for administrator passwords:

config system password-policy

set status enable

set apply-to admin-password

set change-4-characters enable

set minimum-length 10

set min-lower-case-letter 1

set min-upper-case-letter 1

set min-non-alphanumeric 1

set min-number 1

set expire-status enable

set expire-day 30

end
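An added example (not Fortinet's code) that applies the rules from this table, configured as in the example above, to candidate passwords and reports which keywords a password violates, plus the expire-day check. It assumes that change-4-characters compares the old and new passwords position by position (one reading of "differ by at least four characters") and that passwords are ASCII; the sample passwords are constructed.

```python
"""Added example, not FortiSwitch code: evaluates candidate passwords against the
config system password-policy rules documented above."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # Field names follow the CLI keywords; defaults follow the table above.
    minimum_length: int = 8          # range 8-32
    min_lower_case_letter: int = 0
    min_upper_case_letter: int = 0
    min_non_alphanumeric: int = 0
    min_number: int = 0
    change_4_characters: bool = False
    expire_status: bool = True
    expire_day: int = 90


# The policy configured in this page's example.
EXAMPLE_POLICY = PasswordPolicy(
    minimum_length=10, min_lower_case_letter=1, min_upper_case_letter=1,
    min_non_alphanumeric=1, min_number=1, change_4_characters=True,
    expire_status=True, expire_day=30,
)


def count_differences(new: str, old: str) -> int:
    """Positions at which the passwords differ; extra length counts as differences.
    Assumption: this is how 'differ by at least four characters' is read here."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(policy: PasswordPolicy, new: str,
                   old: Optional[str] = None) -> List[str]:
    """Return the violated rules, named by CLI keyword; an empty list means accepted.
    Character classes use str methods, which is exact for ASCII input."""
    failures = []
    if len(new) < policy.minimum_length:
        failures.append(f"minimum-length {policy.minimum_length} (have {len(new)})")
    required = [
        ("min-lower-case-letter", policy.min_lower_case_letter, str.islower),
        ("min-upper-case-letter", policy.min_upper_case_letter, str.isupper),
        ("min-number", policy.min_number, str.isdigit),
        ("min-non-alphanumeric", policy.min_non_alphanumeric,
         lambda c: not c.isalnum()),
    ]
    for keyword, need, test in required:
        have = sum(1 for c in new if test(c))
        if have < need:
            failures.append(f"{keyword} {need} (have {have})")
    if (policy.change_4_characters and old is not None
            and count_differences(new, old) < 4):
        failures.append("change-4-characters")
    return failures


def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """True once expire-day days have elapsed since the password was last changed.
    Dates are ISO strings (yyyy-mm-dd)."""
    if not policy.expire_status:
        return False
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return elapsed >= timedelta(days=policy.expire_day)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, check_password(EXAMPLE_POLICY, candidate) or "accepted")
```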

config system ptp interface-policy

Use this command to configure the default Precision Time Protocol (PTP) policy or create a custom PTP policy.

Syntax

config system ptp interface-policy

edit {default | PTP_policy_name}

set description <description_of_PTP_policy>

set vlan <0-4094>

set vlan-pri <0-7>

next

end

Parameter

Description

Default value

{default | PTP_policy_name}

Name of the PTP policy.

default

description <description_of_PTP_policy>

Description of the PTP policy.

No default

vlan <0-4094>

The VLAN that will use the PTP policy. The range of values is 0-4094. Setting vlan to 0 means that the native VLAN is used for PDelayXXX messages.

NOTE: The VLAN must be a valid VLAN that the interface belongs to. Selecting an invalid VLAN can affect performance.

0

vlan-pri <0-7>

The priority of the PTP VLAN; it corresponds to the 802.1p priority. The VLAN priority is used only when there is traffic congestion.

The range of values is 0-7. Set vlan-pri to 7 for the highest priority.

4

Example

This example shows how to create a custom PTP policy:

config system ptp interface-policy

edit newPTPpolicy

set description "PTP policy for VLAN 100"

set vlan 100

set vlan-pri 3

next

end

config system ptp profile

Use this command to configure a PTP profile.

Syntax

config system ptp profile

edit {default | name_of_PTP_profile}

set announce-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set announce-timeout <2-10>

set description <description_of_PTP_profile>

set domain <0-255>

set min-delay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set mode {boundary-e2e | boundary-p2p | transparent-e2e | transparent-p2p}

set pdelay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set priority1 <0-255>

set priority2 <0-255>

set ptp-profile {default | C37.238-2017}

set sync-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set transport l2-mcast

next

end

Parameter

Description

Default value in end-to-end mode

Default value in peer-to-peer mode

{default | name_of_PTP_profile}

Name of the PTP profile.

No default

No default

announce-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select the number of seconds between Announce messages.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

1sec

1sec

announce-timeout <2-10>

Select how many seconds before the PTP Announce message expires.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

3

3

description <description_of_PTP_profile>

Description of the PTP profile.

No default

No default

domain <0-255>

PTP domain number. The range of values is 0-255.

This option is available only when mode is set to transparent-p2p, boundary-e2e, or boundary-p2p.

1

For the transparent clock, the default value is 1 if using the default PTP profile or 254 if using the power PTP profile.

min-delay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select the number of seconds between Delay_Req messages.

This option is available only when mode is set to boundary-e2e.

1sec

Not applicable

mode {boundary-e2e | boundary-p2p | transparent-e2e | transparent-p2p}

PTP mode. You can select from the following modes:

  • boundary-e2e—Boundary clock using the end-to-end mode.

  • boundary-p2p—Boundary clock using the peer-to-peer mode.

  • transparent-e2e—Transparent clock using the end-to-end mode.

  • transparent-p2p—Transparent clock using the peer-to-peer mode.

transparent-e2e

Not applicable. You need to create a profile and set the mode to boundary-p2p or transparent-p2p.

pdelay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

The time between PDelay_Req messages. You can select 0.25, 0.5, 1, 2, or 4 seconds. The default value is 1 second.

This option is available only when mode is set to transparent-p2p or boundary-p2p.

Not applicable

1sec

priority1 <0-255>

Set the PTP priority 1. Use a smaller number for a higher priority.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

128

128

priority2 <0-255>

Set the PTP priority 2. Use a smaller number for a higher priority.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

128

128

ptp-profile {default | C37.238-2017}

PTP profile. Select default for the IEEE 1588 default profile or C37.238-2017 for the power profile.

C37.238-2017 is available only when mode is set to transparent-p2p.

default

default

sync-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select how many seconds between clock synchronization.

1sec

1sec

transport l2-mcast

PTP message transmission.

This option is available only when mode is set to transparent-p2p, boundary-e2e, or boundary-p2p.

Layer-2 and layer-3 multicast are supported for the end-to-end transparent clock. All other modes support layer-2 multicast only.

Layer-2 multicast

Example

This example shows how to configure a PTP profile:

config system ptp profile

edit newprofile

set description "New PTP profile"

set domain 1

next

end

config system schedule group

Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring schedules. To create one-time and recurring schedules, see config system schedule onetime and config system schedule recurring.

Syntax

config system schedule group

edit <schedule_group_name>

set member <schedule_name1> <schedule_name2> ...

end

Variable

Description

Default

<schedule_group_name>

Enter the name of the schedule group.

No default

member <schedule_name1> <schedule_name2> ...

Enter the names of the schedules to include. Separate multiple names with a space.

The schedules must already be defined with the config system schedule onetime or config system schedule recurring command.

No default

Example

This example shows how to create a schedule group:

config system schedule group

edit group1

set member schedule1 schedule2

end

config system schedule onetime

Use this command to define a one-time schedule for when a policy will be enforced.

Syntax

config system schedule onetime

edit <schedule_name>

set start <time_date>

set end <time_date>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

start <time_date>

Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

end <time_date>

Enter the end time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

Example

This example shows how to create a one-time schedule:

config system schedule onetime

edit schedule1

set start 07:00 2019/03/22

set end 07:00 2019/03/29

end

config system schedule recurring

Use this command to define a schedule for specified hours every week.

Syntax

config system schedule recurring

edit <schedule_name>

set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

set start <time>

set end <time>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

Enter one or more days for the ACL to be enforced. Separate days with a space.

monday tuesday wednesday thursday friday

start <time>

Enter the start time for the schedule in the following format: hh:mm

24:00

end <time>

Enter the end time for the schedule in the following format: hh:mm

24:00

Example

This example shows how to create a recurring schedule:

config system schedule recurring

edit schedule2

set day monday wednesday friday

set start 07:00

set end 08:00

end
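An added example (not Fortinet's code) that serves the schedule group, onetime and recurring sections together: it parses the CLI text of the three examples above into the three tables and evaluates whether a named schedule, or a group through its members, is active at a given time. The parser, the combined sample configuration and the assumption that a recurring window never crosses midnight are this example's own.

```python
"""Added example, not FortiSwitch code: parses the CLI text of the three
config system schedule tables and evaluates whether a schedule or schedule
group is active at a given moment."""
from datetime import datetime
from typing import Dict, List

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# The page's three examples, combined into one constructed configuration.
SAMPLE_CONFIG = """
config system schedule onetime
edit schedule1
set start 07:00 2019/03/22
set end 07:00 2019/03/29
end
config system schedule recurring
edit schedule2
set day monday wednesday friday
set start 07:00
set end 08:00
end
config system schedule group
edit group1
set member schedule1 schedule2
end
"""


def parse_schedule_config(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Return {table: {entry_name: {keyword: [values]}}} for onetime/recurring/group."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:3] == ["config", "system", "schedule"] and len(words) == 4:
            table = tables.setdefault(words[3], {})
        elif words[0] == "edit" and table is not None:
            entry = table.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":          # closes the open entry (if any) and the table
            entry, table = None, None
    return tables


def _minutes(hhmm: str) -> int:
    """'hh:mm' to minutes after midnight; the default '24:00' becomes 1440."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def onetime_active(entry: Dict[str, List[str]], now: datetime) -> bool:
    """Active from start (inclusive) to end (exclusive); format 'hh:mm yyyy/mm/dd'."""
    fmt = "%H:%M %Y/%m/%d"
    start = datetime.strptime(" ".join(entry["start"]), fmt)
    end = datetime.strptime(" ".join(entry["end"]), fmt)
    return start <= now < end


def recurring_active(entry: Dict[str, List[str]], now: datetime) -> bool:
    """Active on each listed day between start and end ('hh:mm').
    Assumption: the window lies within one day; windows crossing midnight are
    not modelled. With no day set, the table's default (monday to friday) applies."""
    days = entry.get("day", list(DAYS[:5]))
    start, end = _minutes(entry["start"][0]), _minutes(entry["end"][0])
    now_minutes = now.hour * 60 + now.minute
    return DAYS[now.weekday()] in days and start <= now_minutes < end


def schedule_active(cfg, name: str, now: datetime) -> bool:
    """Resolve a name across the three tables; a group is active when any member is."""
    if name in cfg.get("onetime", {}):
        return onetime_active(cfg["onetime"][name], now)
    if name in cfg.get("recurring", {}):
        return recurring_active(cfg["recurring"][name], now)
    if name in cfg.get("group", {}):
        members = cfg["group"][name].get("member", [])
        return any(schedule_active(cfg, member, now) for member in members)
    raise KeyError(f"schedule {name!r} is not defined in any table")


def active_at(cfg, name: str, when: str) -> bool:
    """Convenience wrapper taking the page's 'hh:mm yyyy/mm/dd' time format."""
    return schedule_active(cfg, name, datetime.strptime(when, "%H:%M %Y/%m/%d"))


if __name__ == "__main__":
    cfg = parse_schedule_config(SAMPLE_CONFIG)
    for name in ("schedule1", "schedule2", "group1"):
        print(name, active_at(cfg, name, "07:30 2019/04/01"))
```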

config system settings

Use this command to configure equal cost multi-path (ECMP) routing.

ECMP is a forwarding mechanism that enables load-sharing of traffic across multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields of the packet to be routed:

  • Source IP
  • Destination IP
  • Input port

Syntax

config system settings

set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

end

Variable

Description

Default

ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

Select the IPv4 ECMP mode:

  • dst-ip-based — Select the next hop based on the destination IP address.
  • port-based — Select the next hop based on the TCP/UDP port.
  • source-ip-based — Select the next hop based on the source IP address.

source-ip-based

Example

This example shows how to configure ECMP:

config system settings

set ip-ecmp-mode port-based

end
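An added example (not Fortinet's code) of how the ip-ecmp-mode setting decides which packet fields feed the hash, and therefore how flows spread over an ECMP set: with source-ip-based or dst-ip-based selection, every connection between one client and one server lands on the same path, while port-based selection spreads them. The next-hop set, the traffic and the use of CRC32 as the hash are constructed assumptions (the switch's real hash function is not documented here), and port-based follows the table above in hashing the TCP/UDP ports.

```python
"""Added example, not FortiSwitch code: shows how ip-ecmp-mode changes which
packet fields feed the ECMP hash. CRC32 stands in for the switch's real hash."""
import ipaddress
import zlib
from collections import Counter
from typing import List, Tuple

Flow = Tuple[str, str, int, int]  # (source IP, destination IP, source port, destination port)

# Constructed ECMP set: three equal-cost next hops for one destination.
NEXT_HOPS = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]

# Constructed traffic: one client opening 200 connections to one server.
SINGLE_PAIR_FLOWS: List[Flow] = [
    ("192.0.2.10", "198.51.100.5", 40000 + i, 443) for i in range(200)
]


def hash_input(mode: str, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Bytes that the selected mode feeds into the hash, per the table above."""
    if mode == "source-ip-based":
        return ipaddress.ip_address(src_ip).packed
    if mode == "dst-ip-based":
        return ipaddress.ip_address(dst_ip).packed
    if mode == "port-based":
        return src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
    raise ValueError(f"unknown ip-ecmp-mode {mode!r}")


def select_next_hop(mode: str, next_hops: List[str], flow: Flow) -> str:
    """Deterministic choice: the same flow always maps to the same next hop."""
    index = zlib.crc32(hash_input(mode, *flow)) % len(next_hops)
    return next_hops[index]


def distribution(mode: str, next_hops: List[str], flows: List[Flow]) -> Counter:
    """Count how many flows land on each next hop under the given mode."""
    return Counter(select_next_hop(mode, next_hops, flow) for flow in flows)


if __name__ == "__main__":
    for mode in ("source-ip-based", "dst-ip-based", "port-based"):
        print(mode, dict(distribution(mode, NEXT_HOPS, SINGLE_PAIR_FLOWS)))
```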

config system sflow

Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow datagrams to sFlow collectors.

sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow datagrams containing information about traffic flow to sFlow collectors.

sFlow is normally used to provide an overall picture of the traffic flows in your network. You would usually run sFlow agents on the switches, routers, and firewalls in your network, collect traffic data from all of them, and use collectors to show traffic flows and patterns.

Syntax

config system sflow

config collectors

edit <collector_name>

set ip <collector_IPv4_address>

set port <collector_port>

next

end

end

Variable

Description

Default

<collector_name>

Enter a name for the sFlow collector.

No default

ip <collector_IPv4_address>

The sFlow agents send sFlow datagrams to the sFlow collector at this IPv4 address.

0.0.0.0

port <collector_port>

The UDP port number used for sending sFlow datagrams. Change this setting only if required by your sFlow collector or your network configuration. The value range is 0-65535.

6343

Example

This example shows how to configure sFlow:

config system sflow

config collectors

edit collector1

set ip 20.20.20.0

set port 200

next

end

end

config system sniffer-profile

Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the packet capture, see the execute system sniffer-profile commands.

Syntax

config system sniffer-profile

edit <profile_name>

set filter {<string> | none}

set max-pkt-count <1-maximum>

set max-pkt-len <64-1534>

set switch-interface <switch_interface_name>

set system-interface <system_interface_name>

end

Variable

Description

Default

<profile_name>

The name of the packet-capture profile.

No default

filter {<string> | none}

Enter none or enter the filter for selecting which packets to capture. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

none

max-pkt-count <1-maximum>

Enter how many packets to capture on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Administration Guide for details.

4000

max-pkt-len <64-1534>

Enter the maximum packet length in bytes to be captured on the interface.

128

switch-interface <switch_interface_name>

Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

system-interface <system_interface_name>

Enter the system interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

Example

This example shows how to create a packet-capture profile:

config system sniffer-profile

edit profile1

set filter none

set max-pkt-count 100

set max-pkt-len 100

set system-interface mgmt

end

config system snmp community

Use this command to configure SNMP communities on your FortiSwitch unit.

Syntax

config system snmp community

edit <index_number>

set events <events_list>

set name <community_name>

set query-v1-port <port_number>

set query-v1-status {enable | disable}

set query-v2c-port <port_number>

set query-v2c-status {enable | disable}

set status {enable | disable}

set trap-v1-lport <port_number>

set trap-v1-rport <port_number>

set trap-v1-status {enable | disable}

set trap-v2c-lport <port_number>

set trap-v2c-rport <port_number>

set trap-v2c-status {enable | disable}

config hosts

edit <host_number>

set interface <interface_name>

set ip <IPv4_address/mask>

set source-ip <IPv4_address>

end

config hosts6

edit <host_number>

set interface <interface_name>

set ip6 <IPv6_address>

set source-ip6 <IPv6_address>

end

end

Variable

Description

Default

<index_number>

Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

No default

events <events_list>

Enable the events for which the system should send traps to the SNMP managers in this community. The following events can be enabled:

  • cpu-high—The CPU usage is too high.
  • ent-conf-change—The entity's configuration was changed (RFC 4133).
  • fan-detect—The fan was detected, not detected, resumed, or failed.
  • fsTrapStitch1—Custom SNMP trap 1. Use this event as a trigger for an automation stitch.
  • fsTrapStitch2—Custom SNMP trap 2. Use this event as a trigger for an automation stitch.
  • fsTrapStitch3—Custom SNMP trap 3. Use this event as a trigger for an automation stitch.
  • fsTrapStitch4—Custom SNMP trap 4. Use this event as a trigger for an automation stitch.
  • fsTrapStitch5—Custom SNMP trap 5. Use this event as a trigger for an automation stitch.
  • intf-ip—The interface's IP address was changed.
  • ip-conflict—There is a conflict between IP addresses.
  • l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.
  • llv—Learning-limit violation.
  • log-full—The available log space is low.
  • mem-low—The available memory is low.
  • psu-status—The status of the power supply unit has changed.
  • sensor-alarm—The sensor triggered an alarm.
  • sensor-fault—The sensor is faulty.
  • storm-control—There has been a change in the storm-control status. NOTE: You must specify one or more IP addresses of the host(s) to monitor.
  • tkmem-hb-oo-sync—The trunk member's heartbeat is unsynchronized.

All events enabled, except for l2mac.

name <community_name>

Enter the name of the SNMP community.

NOTE: After you run the execute factoryreset command, FortiSwitchOS creates an SNMP community with the name set to public.

No default

query-v1-port <port_number>

Enter the SNMP v1 query port number used for SNMP manager queries.

161

query-v1-status {enable | disable}

Enable or disable SNMP v1 queries for this SNMP community.

enable

query-v2c-port <port_number>

Enter the SNMP v2c query port number used for SNMP manager queries.

161

query-v2c-status {enable | disable}

Enable or disable SNMP v2c queries for this SNMP community.

enable

status {enable | disable}

Enable or disable the SNMP community.

enable

trap-v1-lport <port_number>

Enter the SNMP v1 local port number used for sending traps to the SNMP managers.

162

trap-v1-rport <port_number>

Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.

162

trap-v1-status {enable | disable}

Enable or disable SNMP v1 traps for this SNMP community.

enable

trap-v2c-lport <port_number>

Enter the SNMP v2c local port number used for sending traps to the SNMP managers.

162

trap-v2c-rport <port_number>

Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.

162

trap-v2c-status {enable | disable}

Enable or disable SNMP v2c traps for this SNMP community.

enable

config hosts and hosts6

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

No default

interface <interface_name>

Enter the name of the FortiSwitch interface to which the SNMP manager connects.

No default

ip <IPv4_address/mask>

Enter the IPv4 address and netmask of the SNMP manager (for hosts).

0.0.0.0

ip6 <IPv6_address>

Enter the IPv6 address of the SNMP manager (for hosts6).

::

source-ip <IPv4_address>

Enter the source IPv4 address for SNMP traps sent by the FortiSwitch unit (for hosts).

0.0.0.0

source-ip6 <IPv6_address>

Enter the source IPv6 address for SNMP traps sent by the FortiSwitch unit (for hosts6).

::

config system snmp sysinfo

Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

Syntax

config system snmp sysinfo

set contact-info <info_str>

set description <description>

set engine-id <engine-id_str>

set location <location>

set status {enable | disable}

set trap-high-cpu-interval {1min | 10min | 30min | 1hr | 12hr | 24hr}

set trap-high-cpu-threshold <percentage>

set trap-log-full-threshold <percentage>

set trap-low-memory-threshold <percentage>

set trap-temp-alarm-threshold <temperature in degrees Celsius>

set trap-temp-warning-threshold <temperature in degrees Celsius>

end

Variable

Description

Default

contact-info <info_str>

Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long.

No default

description <description>

Add a name or description of the system. The description can be up to 35 characters long.

No default

engine-id <engine-id_str>

Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiSwitchOS, the snmpEngineID is composed of two parts:
  • the Fortinet prefix 0x8000304404
  • the optional engine-id string, 24 characters maximum, defined in this command

Optionally, enter an engine-id value. SNMP v3 authentication and privacy keys are localized with the snmpEngineID (RFC 3414), so an SNMP manager that has cached localized keys for this switch must re-derive them if you change this value.

No default

location <location>

Describe the physical location of the system. The system location description can be up to 35 characters long.

No default

status {enable | disable}

Enable or disable the FortiSwitch SNMP agent.

disable

trap-high-cpu-interval {1min | 10min | 30min | 1hr | 12hr | 24hr}

Set how long the FortiSwitch CPU usage must stay above the specified threshold before an SNMP notification (trap) is sent.

1min

trap-high-cpu-threshold <percentage>

Enter the percentage of CPU usage that triggers the high-cpu SNMP trap.

The high-CPU trap is smoothed so that it fires on sustained CPU usage rather than on a momentary spike. This prevents frequent and unnecessary traps.

80

trap-log-full-threshold <percentage>

Enter the percentage of log disk space used that triggers the log-full SNMP trap.

90

trap-low-memory-threshold <percentage>

Enter the percentage of memory used that triggers the low-memory SNMP trap.

80

trap-temp-alarm-threshold <temperature in degrees Celsius>

Send an alarm trap when the system temperature reaches the specified value.

60

trap-temp-warning-threshold <temperature in degrees Celsius>

Send a warning trap when the system temperature reaches the specified value. The warning threshold must be lower than the alarm threshold.

50

Example

This example shows how to set a warning and an alarm for specified system temperatures:

config system snmp sysinfo

set status enable

set trap-temp-alarm-threshold 80

set trap-temp-warning-threshold 70

end

config system snmp user

Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which hosts will be notified, and, if queries are enabled, which port to listen on for them.

FortiSwitchOS implements the user-based security model (USM) of RFC 3414. You can require the user to authenticate with a password and you can use encryption to protect the communication with the user. Use security-level auth-priv with a SHA-2 authentication protocol and an AES privacy protocol wherever the manager supports them: the default no-auth-no-priv sends queries and traps unauthenticated and in cleartext, and md5 and des remain only for compatibility with older managers.

Syntax

config system snmp user

edit <user_name>

set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

set auth-pwd <password>

set events {events_list}

set notify-hosts <IP_address>

set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

set priv-pwd <password>

set queries {enable | disable}

set query-port <port_int>

set security-level {no-auth-no-priv | auth-no-priv | auth-priv}

end

Variable

Description

Default

<user_name>

Edit or add selected user.

No default

auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

Select the authentication protocol.
  • md5—HMAC-MD5-96 authentication protocol
  • sha1—HMAC-SHA-1 authentication protocol
  • sha224—HMAC-SHA-224 authentication protocol
  • sha256—HMAC-SHA-256 authentication protocol
  • sha384—HMAC-SHA-384 authentication protocol
  • sha512—HMAC-SHA-512 authentication protocol
This option is available only when security-level is set to auth-priv or auth-no-priv.

sha1

auth-pwd <password>

Enter the password for the authentication protocol. This option is available only when security-level is set to auth-priv or auth-no-priv.

No default

events {events_list}

Specify one or more SNMP notifications (traps) to send. Separate multiple values with a space. The following notifications are available:

  • cpu-high—The CPU usage is too high.
  • ent-conf-change—The entityʼs configuration was changed (RFC 4133).
  • fan-detect—The fan was detected, not detected, resumed, or failed.
  • fsTrapStitch1—Custom SNMP trap 1. Use this event as a trigger for an automation stitch.
  • fsTrapStitch2—Custom SNMP trap 2. Use this event as a trigger for an automation stitch.

  • fsTrapStitch3—Custom SNMP trap 3. Use this event as a trigger for an automation stitch.

  • fsTrapStitch4—Custom SNMP trap 4. Use this event as a trigger for an automation stitch.

  • fsTrapStitch5—Custom SNMP trap 5. Use this event as a trigger for an automation stitch.

  • intf-ip—The interfaceʼs IP address was changed.
  • ip-conflict—There is a conflict between IP addresses.
  • l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.

  • llv—Learning-limit violation.
  • log-full—The available log space is low.
  • mem-low—The available memory is low.
  • psu-status—The status of the power supply unit has changed.
  • sensor-alarm—The sensor triggered an alarm.
  • sensor-fault—The sensor is faulty.
  • storm-control—There has been a change in the storm-control status.
  • tkmem-hb-oo-sync—The trunk memberʼs heart beat is unsynchronized.

All events enabled, except for l2mac.

notify-hosts <IP_address>

Specify one or more IPv4 addresses to send notifications (traps) to.

No default

priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

Select the encryption protocol.
  • aes128—CFB128-AES-128 symmetric encryption protocol
  • aes192—CFB128-AES-192 symmetric encryption protocol
  • aes192c—CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
  • aes256—CFB128-AES-256 symmetric encryption protocol
  • aes256c—CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
  • des—CBC-DES symmetric encryption protocol
This option is available only when security-level is set to auth-priv.

aes128

priv-pwd <password>

Enter the password for the encryption protocol. This option is available only when security-level is set to auth-priv.

No default

queries {enable | disable}

Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

enable

query-port <port_int>

Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port.

161

security-level {no-auth-no-priv | auth-no-priv | auth-priv}

Set the security level to one of:
  • no-auth-no-priv—no authentication or privacy; messages are neither authenticated nor encrypted
  • auth-no-priv—authentication but no privacy; messages are authenticated but sent in cleartext
  • auth-priv—authentication and privacy; messages are authenticated and encrypted

no-auth-no-priv

config system vxlan

Use this command to configure VXLAN interfaces.

Syntax

config system vxlan

edit <VXLAN_interface_name>

set vni <integer>

set vlanid <integer>

set evpn {disable | enable}

set arp-nd-supression {disable | enable}

set interface <interface_name>

set ip-version {ipv4-multicast | ipv4-unicast}

set remote-ip <IPv4_address>

set tagged-vlans <VLAN_list>

set tunnel-loopback <interface_name>

next

end

Variable

Description

Default

<VXLAN_interface_name>

Enter a name for the VXLAN interface.

No default

vni <integer>

Required. Set the VXLAN network identifier (VNI). The range of values is 1-16777215.

0

vlanid <integer>

Required. Set the VLAN identifier that is mapped to the VNI.

When tunnel-loopback is set, VLAN 4087 is reserved.

0

evpn {disable | enable}

Enable or disable the Ethernet Virtual Private Network (EVPN).

disable

arp-nd-supression {disable | enable}

Enable or disable ARP and ND suppression.

This command is available only when evpn is enabled.

disable

interface <interface_name>

Required. Enter the name of the outgoing interface for the VXLAN tunnel. Starting in FortiSwitchOS 7.2.1, you can specify a routed VLAN interface (RVI).

No default

ip-version {ipv4-multicast | ipv4-unicast}

Required. Select the type of IPv4 address to use to communicate over the VXLAN tunnel.

  • ipv4-multicast—Use IPv4 multicast addressing over the VXLAN tunnel.

  • ipv4-unicast—Use IPv4 unicast addressing over the VXLAN tunnel.

ipv4-unicast

remote-ip <IPv4_address>

Required. Enter the source and destination IPv4 addresses of the VXLAN interface. The VXLAN tunnel destination must match the remote-ip setting of the VXLAN tunnel initiator. Starting in FortiSwitchOS 7.2.1, you can specify an RVI as the source or destination IPv4 address.

No default

tagged-vlans <VLAN_list>

User traffic is sent with the specified inner VLAN tags.

This command is available only when the switch is managed by a FortiGate device.

No default

tunnel-loopback <interface_name>

Enter the name of the tunnel-loopback interface. The tunnel-loopback can be set only on FS-1024E, FS-T1024E, and FS-1048E. When tunnel-loopback is set, VLAN 4087 is reserved.

This command is available only when the switch is managed by a FortiGate device.

No default

Example

This example shows how to configure a VXLAN interface:

config system vxlan

edit "newvxlan"

set vni 50

set vlanid 50

set interface "vlan40"

set remote-ip "1.2.3.4" "5.6.7.8"

next

end

config system web

Use this command to configure web attributes.

Syntax

config system web

set gui-language {browser | english | french | german | japanese | korean | portuguese | simch | spanish | trach}

set http-port <1-65535>

set https-pki-required {enable | disable}

set https-port <1-65535>

set https-server-cert {self-sign | Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set https-ssl-versions {tlsv1-1 | tlsv1-2 | tlsv1-3}

end

Variable

Description

Default

gui-language {browser | english | french | german | japanese | korean | portuguese | simch | spanish | trach}

Set the display language: the language used in the browser (browser), English, French, German, Japanese, Korean, Portuguese, simplified Chinese (simch), Spanish, or traditional Chinese (trach).

browser

http-port <1-65535>

Enter the port to use for HTTP administrative access.

80

https-pki-required {enable | disable}

Enable to require administrators to present a valid certificate to log in when PKI is enabled for HTTPS administrative access. When disabled (the default), an administrator can log in with either a valid certificate or a password.

disable

https-port <1-65535>

Enter the port to use for HTTPS administrative access.

443

https-server-cert {self-sign | Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Select the administration HTTPS server certificate to use:
  • self-sign—Use a self-signed certificate. A self-signed certificate encrypts the session just as securely as a purchased certificate, but it is not issued by a CA in the browser's trust store, so certificate checks against that store report it as invalid.
  • Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended for server-type functionality, because any other unit could use this same certificate to spoof the identity of this unit.
Because the default is Fortinet_Firmware, select one of the unit-specific factory certificates (Fortinet_Factory or Fortinet_Factory2) for production management access.

Fortinet_Firmware

https-ssl-versions {tlsv1-1 | tlsv1-2 | tlsv1-3}

Set the allowed SSL/TLS versions for web administration. TLS 1.1 is deprecated (RFC 8996); remove tlsv1-1 from the list unless a legacy browser requires it.

tlsv1-1 tlsv1-2 tlsv1-3

config system accprofile

Use this command to add access profiles that control administrator access to FortiSwitch features. Each FortiSwitch administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiSwitch features.

Syntax

config system accprofile

edit <profile-name>

set admingrp {none | read | read-write}

set alias-commands {<command-name> | all}

set exec-alias-grp {none | read | read-write}

set loggrp {none | read | read-write}

set mntgrp {none | read | read-write}

set netgrp {none | read | read-write}

set pktmongrp {none | read | read-write}

set routegrp {none | read | read-write}

set swcoregrp {none | read | read-write}

set swmonguardgrp {none | read | read-write}

set sysgrp {none | read | read-write}

set utilgrp {none | read | read-write}

end

Variable

Description

Default

<profile-name>

Enter the name for the profile.

No default

admingrp {none | read | read-write}

Set the permission for administrative access.

none

alias-commands {all | <list>}

Specify the aliases and alias groups to include in the access profile or specify all. The aliases and alias groups specified for this access profile control which commands an administrator can run using the execute alias commands. Use a space to separate multiple items.

none

exec-alias-grp {none | read | read-write}

Specify one of the following options:

  • Select none to prevent access to the execute alias configure commands.

  • Select read to provide access to the execute alias configure {get | show | show-full-configuration} command.
  • Select read-write to provide access to the execute alias configure {get | show | show-full-configuration | set | unset} and execute alias script commands.

none

loggrp {none | read | read-write}

Set the permission for logging access.

none

mntgrp {none | read | read-write}

Set the permission for critical system maintenance access.

none

netgrp {none | read | read-write}

Set the permission for network access.

none

pktmongrp {none | read | read-write}

Set the access permission for packet and flow capture functionality.

none

routegrp {none | read | read-write}

Set the permission for routing access.

none

swcoregrp {none | read | read-write}

Set the permission for switch core access.

none

swmonguardgrp {none | read | read-write}

Set the access permission for switch monitor and guard features.

none

sysgrp {none | read | read-write}

Set the permission for system access.

none

utilgrp {none | read | read-write}

Set the permission for utilities access.

none

Example

This example shows how to configure an access profile with just read-only permission:

config system accprofile

edit profile1

set admingrp read

set loggrp read

set netgrp read

set routegrp read

set sysgrp read

end

config system admin

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels.

Syntax

config system admin

edit <admin_name>

set accprofile <profile-name>

set accprofile-override {enable | disable}

set allow-remove-admin-session {enable | disable}

set comments <comments_string>

set force-password-change{enable | disable}

set gui-detail-panel-location {bottom | hide | side}

set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>

set password <admin_password>

set peer-auth {disable | enable}

set peer-group <peer-grp>

set remote-auth {enable | disable}

set remote-group <name>

set wildcard {enable | disable}

set wildcard-fallback {enable | disable}

set schedule <schedule-name>

set ssh-public-key1 "<key-type> <key-value>"

set ssh-public-key2 "<key-type> <key-value>"

set ssh-public-key3 "<key-type> <key-value>"

set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>

next

end

Variable

Description

Default

<admin_name>

Enter the name for the admin account.

No default

accprofile <profile‑name>

Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiSwitch features.

No default

accprofile-override {enable | disable}

Enable or disable whether the remote authentication server can override the access profile.

disable

allow-remove-admin-session {enable | disable}

Allow this administrator's session to be removed by privileged administrators.

disable

comments <comments_string>

Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)

No default

force-password-change{enable | disable}

Enable or disable whether the administrator is forced to change the password at the next login.

disable

gui-detail-panel-location {bottom | hide | side}

Choose the position of the log detail window.

bottom

{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>

Any IPv6 address and netmask from which the administrator can connect to the FortiSwitch unit.

If you want the administrator to be able to access the system from any address, set the trusted hosts to ::/0. Because ::/0 is the default, an account with no trusted hosts configured accepts logins from any IPv6 address; restrict trusted hosts to your management subnets.

::/0

password <admin_password>

Enter the password for this administrator. It can be up to 256 characters in length.

If you want to include the “?” character as part of the password:

  1. Press Ctrl+v.

  2. Type the “?” character .

No default

peer-auth {disable | enable}

Set to enable peer certificate authentication (for HTTPS admin access).

disable

peer-group <peer-grp>

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access). This option is available only when peer-auth has been enabled.

No default

remote-auth {enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

disable

remote-group <name>

Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.

This is available only when remote-auth is enabled.

No default

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. This option is available only when remote-auth is enabled.

Starting in FortiSwitchOS 7.4.0, you can add multiple administrators with wildcards in their names.

disable

wildcard-fallback {enable | disable}

Enable or disable attempting authentication against wildcard accounts if authenticating this account fails.

This option is available only when remote-auth is enabled and when wildcard is disabled.

disable

schedule <schedule-name>

Restrict times that an administrator can log in. Defined in config firewall schedule. No default indicates that the administrator can log in at any time.

No default

ssh-public-key1 "<key-type> <key-value>"

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. Current OpenSSH clients disable ssh-dss by default, so use an RSA key.

<key-value> is the public key string of the SSH client.

No default

ssh-public-key2 "<key‑type> <key‑value>"

No default

ssh-public-key3 "<key‑type> <key‑value>"

No default

{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>

Any IPv4 address or subnet address and netmask from which the administrator can connect to the system.

If you want the administrator to be able to access the system from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0. Because this is the default, an account with no trusted hosts configured accepts logins from any IPv4 address; restrict trusted hosts to your management subnets.

0.0.0.0 0.0.0.0

Example

The following example creates a wildcard administrator account: any user that the RADIUS server authenticates and places in the RADIUS_Admins group can log in with the super_admin access profile:

config system admin

edit "RADIUS_Admins"

set remote-auth enable

set accprofile "super_admin"

set wildcard enable

set remote-group "RADIUS_Admins"

next

end

config system alias command

Use this command to grant an administrator access to individual configuration attributes, table entries, or CLI commands. You can also use this command to create a script to run multiple commands. Scripts are a simpler way to manage a large number of commands.

Notes:
  • Configuration-type aliases cannot create or delete table entries. For example, under the config switch interface command, you cannot create a new interface name with the edit <interface_name> command.
  • The super_admin administrator profile has access to all command aliases.

Syntax

config system alias command

edit <alias_name or script_name>

set description <string>

set type {configuration | script}

set path <path>

set attribute <attribute-name>

set permission {read | read-write}

set table-listing {allow | deny}

set limit-shown-attributes {disable | enable}

set read-only-attributes <attribute-name>

set table-ids-allowed <table-ID-value>

set command <string>

set table-entry-create {allow | deny}

config script-arguments

edit <argument_ID>

set type {integer | string | table-id}

set name <string>

set help <string>

set optional {enable | disable}

set range {enable | disable}

set range-delay <0-172800>

set allowed-values <string>

next

end

next

end

Variable

Description

Default

<alias_name or script_name>

If the type will be configuration, enter an alias name for the command in this configuration. If the type will be script, enter a script name.

The alias or script name cannot be all or match an alias group name.

No default
description <string>

If the type will be configuration, enter a description of the command or a help message. It can be up to 80 characters long. The description is displayed with the alias name when you enter execute alias configure {get | show | show-full-configuration | set | unset} ?.

If the type will be script, enter a description of the script. It can be up to 80 characters long. The description is displayed with the script name when you enter execute alias script ?.

No default
type {configuration | script}

The configuration type provides configuration-specific functionality to control get, show, show-full-configuration, set, and unset commands. You can also use the configuration type to limit accessible table entries and limit displayed attributes.

The script type allows the administrator to create a list of CLI commands to run.

configuration
path <path>

Required. Enter the period-separated path to the CLI command.

For example, enter set path switch.lldp.profile to apply the configuration to the config switch lldp profile command. Enter set path system.interface to apply the configuration to the config system interface command. You can specify only top-level objects, such as system.interface, router.bgp, or system.snmp.settings. If you specify child objects or child tables (such as system.interface.ipv6, router.bgp.neighbor, or switch.lldp.profile.custom-tlv), FortiSwitch returns an error.

No default

attribute <attribute-name>

Required. Enter the attribute that can be retrieved or modified.

Enter set attribute ? to see the list of valid attributes. If you enter an invalid value, FortiSwitchOS returns an error.

This option is available only when path has been set.

No default

permission {read | read-write}

Select read to allow this alias to be used by the execute alias configure {get | show | show-full-configuration} command. Select read-write to allow this alias to be used by the execute alias configure {get | show | show-full-configuration | set | unset} command.

read

table-listing {allow | deny}

Allow or prevent the listing of all entries by the execute alias configure {get | show | show-full-configuration} command.

  • Select allow to permit all entries to be listed.

  • Select deny to prevent the entries from being listed except for the entries specified in the table-ids-allowed setting. If table-ids-allowed is empty, a valid entry must be provided for listing.

This option is available only when path has been set.

deny

limit-shown-attributes {disable | enable}

Enable or disable whether to limit the attributes displayed with the show and get commands. Selecting disable displays all attributes for the show and get commands. Selecting enable displays only the attributes listed in attribute and read-only-attributes.

enable

read-only-attributes <attribute-name>

When limit-shown-attributes is enabled, you can enter additional attributes to display with the show and get commands. When you enter read-only-attributes ? to see a list of valid attributes, more attributes are available than when you enter set attribute ?. Read-only attributes can include child tables, child objects, and get-only attributes. You can list up to 31 attributes.

No default

table-ids-allowed <table-ID-value>

Specify which entries can be accepted by the execute alias configure {get | show | show-full-configuration | set | unset} command.

Enter set table-ids-allowed ? to see a list of valid entries. You can specify entries that do not currently exist; they can be created later.

If table-listing is set to deny, the table-ids-allowed entries are displayed when the user runs the execute alias configure {get | show | show-full-configuration} command without specifying any entry.

This option is available only when path has been set.

No default

command <string>

Enter the script command (within quotation marks) to be run. You can use the Enter key to separate command lines. Enter set command ? for formatting details.

This option is available only when type has been set to script.

No default

table-entry-create {allow | deny}

Allow or deny the creation of new table (or sub-table) entries.

This option is available only when type has been set to script. When type has been set to configuration, you cannot create any new table entries.

deny

config script-arguments

<argument_ID>

Enter an identifier for the argument. The identifier must match the identifier used in the script.

No default

type {integer | string | table-id}

Enter the data type that the argument accepts.

string

name <string>

Enter the display name for the argument. You can use uppercase and lowercase letters, numbers, and hyphens. The display name is shown when the user runs the execute alias script command.

No default

help <string>

Enter a help message for the argument. You can use uppercase and lowercase letters, numbers, slashes, parentheses, brackets, commas, underscores, and hyphens. The help message is displayed when the user runs the execute alias script command.

No default

optional {enable | disable}

Enable this option to allow the user to omit entering a value for this argument. Disable this option to force the user to specify a value for this argument.

disable

range {enable | disable}

Enable this option to allow a range of integers, a range of table identifiers, or a comma-separated list of strings. Disable this option to allow only a single value for this argument.

disable

range-delay <0-172800>

Enter the number of seconds to delay between values when executing.

This option is available only when range has been set to enable.

0

allowed-values <string>

Enter the values allowed for this argument.

  • If type is set to string, separate values with a space. For example: set allowed-values port1 port3 port7
  • If type is set to integer, you can use ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.
  • If type is set to table-id and the table identifiers are integers, you can use both ranges and comma-separated values, such as “1-10” or “1-10,3,11,55”.

No default

Examples

The following example creates two aliases for the config switch physical-port command.

  • The port-description alias allows an administrator to change the set description value; when running a get or show command, the administrator will see only the description configuration.
  • The port-status alias allows an administrator to change the set status value; the administrator will see both the description and port status configuration when running get or show commands.

config system alias command

edit "port-status"

set description "View or change the port status."

set type configuration

set path "switch.physical-port"

set attribute "status"

set permission read-write

set limit-shown-attributes enable

set read-only-attributes "description"

next

edit "port-description"

set description "View or change the port description."

set type configuration

set path "switch.physical-port"

set attribute "description"

set permission read-write

set limit-shown-attributes enable

next

end

The following example creates two scripts. Both scripts list the switch mac-address table.

  • The mac-list script is more flexible: the user supplies the VLANs to list MAC addresses from, and the script passes that value into the filter unchanged.
  • The list-mac-by-port-and-vlan-customer-AAA script is more controlled: the user can see only the MAC addresses learned on the ports (3-8) and VLANs (1000-1010) fixed in the script.

config system alias command

edit "list-mac-by-port-and-vlan-customer-AAA"

set description "List MAC addresses on your VLANs and ports."

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter port-id-map 3-8

diag switch mac-address filter vlan-map 1000-1010

diag switch mac-address list

diag switch mac-address filter clear"

next

edit "mac-list"

set description "List MAC addresses learned on the provided VLANs"

set type script

set command "diag switch mac-address filter clear

diag switch mac-address filter vlan-map $1

diag switch mac-address list | grep -i mac

diag switch mac-address filter clear"

config script-arguments

edit 1

set name "VLAN-ID-map"

set help "List of VLANs to check"

next

end

next

end
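
The difference between the two scripts above is where the $1 value is allowed to come from, and config script-arguments (type, range, allowed-values) is the page's mechanism for constraining it. The Python below is an added example written for this page, not FortiSwitchOS code: it models a script-arguments entry, validates a supplied value against it, and fills the $N placeholders of the script. Two assumptions are marked in the code: a range argument produces one run per value (the page describes range-delay as a delay "between values"), and string values are limited to a conservative character set so that a value can never carry a second command line into the script. The VLAN restriction and the show-port command in the usage are constructed.

```python
"""Validate and expand alias-script arguments before $N substitution.

Added example written for this page, not FortiSwitchOS code. It models a
config script-arguments entry (type, optional, range, allowed-values) and
fills the $N placeholders in a script's command string. Assumptions are
marked inline; the VLAN restriction at the bottom is constructed.
"""
import itertools
import re

SAFE_STRING = re.compile(r"[A-Za-z0-9._:/-]+")   # assumption: no blanks, quotes or newlines
PLACEHOLDER = re.compile(r"\$(\d+)")


def parse_int_ranges(spec: str) -> list:
    """Expand the page's "1-10,3,11,55" form into ints, in the order given."""
    values = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad range element {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending range {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def argument_values(arg: dict, supplied: str) -> list:
    """Values one argument contributes to the run, or ValueError on a policy breach.

    arg keys mirror config script-arguments: name, type, optional, range and
    allowed-values (written as on the page); absent keys take the page defaults.
    """
    if supplied == "":
        if arg.get("optional", "disable") == "enable":
            return [""]
        raise ValueError(f"{arg['name']}: a value is required")
    ranged = arg.get("range", "disable") == "enable"
    allowed = arg.get("allowed-values", "")
    if arg.get("type", "string") == "string":
        values = supplied.split(",") if ranged else [supplied]
        for v in values:
            if not SAFE_STRING.fullmatch(v):
                raise ValueError(f"{arg['name']}: {v!r} has characters outside the safe set")
            if allowed and v not in allowed.split():
                raise ValueError(f"{arg['name']}: {v!r} is not in allowed-values")
        return values
    # integer, or table-id where the identifiers are integers
    values = parse_int_ranges(supplied) if ranged else [int(supplied)]
    if allowed:
        permitted = set(parse_int_ranges(allowed))
        rejected = [v for v in values if v not in permitted]
        if rejected:
            raise ValueError(f"{arg['name']}: {rejected} not in allowed-values")
    return values


def render_runs(command: str, args: list, supplied: list) -> list:
    """Fill $1..$N; one rendered script per combination of range values (assumption)."""
    if len(supplied) != len(args):
        raise ValueError(f"expected {len(args)} arguments, got {len(supplied)}")
    columns = [argument_values(a, s) for a, s in zip(args, supplied)]
    runs = []
    for combo in itertools.product(*columns):
        def fill(m, combo=combo):
            idx = int(m.group(1))
            if not 1 <= idx <= len(combo):
                raise ValueError(f"script uses ${idx} but only {len(combo)} arguments exist")
            return str(combo[idx - 1])
        runs.append(PLACEHOLDER.sub(fill, command))
    return runs


# The mac-list script from this page, with its argument tightened to an
# integer range restricted to VLANs 1000-1010 (the restriction is constructed).
MAC_LIST_COMMAND = ("diag switch mac-address filter clear\n"
                    "diag switch mac-address filter vlan-map $1\n"
                    "diag switch mac-address list | grep -i mac\n"
                    "diag switch mac-address filter clear")
VLAN_ARG = {"name": "VLAN-ID-map", "type": "integer", "range": "enable",
            "allowed-values": "1000-1010"}

if __name__ == "__main__":
    for run in render_runs(MAC_LIST_COMMAND, [VLAN_ARG], ["1000-1002"]):
        print(run, end="\n---\n")
```

The point of the string whitelist is the untyped default: the page's mac-list script leaves $1 as a string with no allowed-values, so whatever the delegated administrator types reaches the diag command verbatim; naming the allowed VLANs or ports in allowed-values is what turns a script into a least-privilege tool rather than a shell.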

config system alias group

Use this command to specify alias groups to bundle different alias commands together for easy assignment.

Syntax

config system alias group

edit <alias_group_name>

set description <string>

set commands <alias_command_list>

end

Variable

Description

Default

<alias_group_name>

Enter a name for the alias group. The name cannot be all or match an alias name.

No default

description <string>

Enter a description of the command alias group. It can be up to 80 characters long.

No default

commands <alias_command_list>

Enter a list of command aliases. Use a space to separate them.

No default

Example

This example shows how to create a group of two command aliases:

config system alias group

edit aliasgroup1

set description "Alias group for config switch physical-port."

set commands port-status port-description

end

config system arp-table

Use this command to manually add ARP table entries to the FortiSwitch unit. ARP table entries consist of an interface name, an IP address, and a MAC address.

Syntax

config system arp-table

edit <table_value>

set interface {<string> | internal | mgmt}

set ip <address_ipv4>

set mac <mac_address>

end

Variable

Description

Default

<table_value>

Enter the identification number for the table.

No default

interface {<string> | internal | mgmt}

Enter the interface to associate with this ARP entry.

No default

ip <address_ipv4>

Enter the IP address of the ARP entry.

0.0.0.0

mac <mac_address>

Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

Example

This example shows how to add an entry to an ARP table:

config system arp-table

edit 1

set interface internal

set ip 172.168.20.1

set mac 00:21:cc:d2:76:72

end

config system automation-action

Use this command to configure the action that is performed when the trigger of an automation stitch occurs.

Syntax

config system automation-action

edit <name>

set action-type {alert | cli-script | email | snmp-trap | webhook}

set accprofile <string>

set email-body <string>

set email-from <string>

set email-subject <string>

set email-to <email_address>

set headers <string>

set http-body <string>

set method {delete | get | patch | post | put}

set minimum-interval <0-2592000>

set port <1-65535>

set protocol {http | https}

set script <string>

set snmp-trap {fsStitchTrap1 | fsStitchTrap2 | fsStitchTrap3 | fsStitchTrap4 | fsStitchTrap5}

set uri <string>

next

end

Variable

Description

Default

<name> Name of the action configuration. No default
action-type {alert | cli-script | email | snmp-trap | webhook}

Select the type of action to perform:

  • alert—Display an alert in the console.

  • cli-script—Run a CLI script.

  • email—Send a notification email.

  • snmp-trap—Generate an SNMP trap.

  • webhook—Send data to a uniform resource identifier (URI), such as an IP address or URL.

alert

accprofile <string>

Specify the access profile required to run the CLI script.

This option is available only when action-type is set to cli-script.

No default

email-body <string>

Enter the body of the email. By default, the log message is sent.

This option is available only when action-type is set to email.

%%log%%

email-from <string>

Enter the name of the sender of the email.

This option is available only when action-type is set to email.

No default

email-subject <string>

Enter the subject of the email.

This option is available only when action-type is set to email.

No default

email-to <email_address>

Enter the email address or addresses that the email will be sent to when the automation stitch is triggered.

This option is available only when action-type is set to email.

none

headers <string>

Enter the request headers.

This option is available only when action-type is set to webhook.

none

http-body <string>

If necessary, enter the request body. Use a serialized JSON string.

This option is available only when action-type is set to webhook.

No default

method {delete | get | patch | post | put}

Select the request method: DELETE, GET, PATCH, POST, or PUT.

This option is available only when action-type is set to webhook.

post

minimum-interval <0-2592000>

Select how many seconds must pass before the action can be performed again.

0

port <1-65535>

Enter the port number that this protocol will use.

If the protocol is set to http, the default port is 80. If the protocol is set to https, the default port is 443.

This option is available only when action-type is set to webhook.

80

protocol {http | https}

Enter the request protocol, either HTTP or HTTPS.

This option is available only when action-type is set to webhook.

http

script <string>

Specify the name and path to the CLI script.

This option is available only when action-type is set to cli-script.

No default

snmp-trap {fsStitchTrap1 | fsStitchTrap2 | fsStitchTrap3 | fsStitchTrap4 | fsStitchTrap5}

Select which SNMP trap is generated:

  • fsStitchTrap1—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap2—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap3—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap4—This custom SNMP trap can be triggered from automation stitch.

  • fsStitchTrap5—This custom SNMP trap can be triggered from automation stitch.

This option is available only when action-type is set to snmp-trap.

No default

uri <string>

Required. Enter the uniform resource identifier (URI), such as an IP address or URL.

This option is available only when action-type is set to webhook.

No default

Example

This example shows how to display an alert in the console when the automation stitch is triggered:

config system automation-action

edit testaction

set action-type alert

set minimum-interval 1200

next

end

config system automation-stitch

Use this command to specify the trigger and action for an automation stitch.

Syntax

config system automation-stitch

edit <name>

set status {enable | disable}

set trigger <trigger_name>

set action <action_name>

next

end

Variable

Description

Default

<name>

Name of the automation-stitch configuration.

No default

status {enable | disable}

Enable or disable this automation stitch.

enable

trigger <trigger_name> Enter the name of the trigger for this automation stitch. No default
action <action_name> Enter the name of the action configuration for this automation stitch. none

Example

This example shows how to specify the trigger, action, and status for an automation stitch:

config system automation-stitch

edit teststitch

set status enable

set trigger testtrigger

set action testaction

next

end

config system automation-trigger

Use this command to specify the trigger for an automation stitch. The trigger causes an action to be performed.

Syntax

config system automation-trigger

edit <trigger_name>

set trigger-type {event-based | scheduled}

set event-type {config-change | event-log | reboot}

set logid <log_ID>

set trigger-frequency {daily | hourly | monthly | weekly}

set trigger-hour <0-23>

set trigger-minute <0-59>

set trigger-day <1-31>

set trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>

config fields

edit <entry_ID>

set name <string>

set value <string>

next

end

next

end

Variable

Description

Default

<trigger_name> Name of the trigger configuration. No default

trigger-type

Select the type of trigger:

  • event-based—Event-based trigger.

  • scheduled—Scheduled trigger.

event-based

event-type

Select the type of event to trigger the automation-stitch action:

  • config-change—Configuration change.

  • event-log—Use the log ID as the trigger.

  • reboot—After the switch restarts, the action is triggered.

This option is available only when the trigger-type is set to event-based.

config-change

logid <log_ID>

Enter the log ID to trigger the action. The range of values is 1-65535. If you use the full 10-digit entry, the first four digits are truncated.

This option is available only when the trigger-type is set to event-based and event-type is set to event-log.

0

trigger-frequency {daily | hourly | monthly | weekly}

Select whether the automation-stitch action is performed on a daily, hourly, monthly, or weekly basis.

This option is available only when the trigger-type is set to scheduled.

daily

trigger-hour <0-23>

Select which hour of the day the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to daily, monthly, or weekly.

0

trigger-minute <0-59>

Select which minute of the hour the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled.

0

trigger-day <1-31>

Select which day of the month the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to monthly.

1

trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>

Select which day of the week the automation-stitch action is performed.

This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to weekly.

No default

config fields

This option is available only when the event-type is event-log and the logid is set.

Starting in FortiSwitchOS 7.2.2, you can configure multiple fields for the automation trigger. The action is only performed if all conditions are valid (using AND logic).

<entry_ID>

Enter an identifier for this entry.

No default

name <string>

Enter a name for this field.

No default

value <string>

Enter a value for this field.

  • Use an asterisk to match any character string of any length, including the empty string. For example, use set value "*1567*" to match values of 81567 and 156789.

  • Use square brackets to match any one of the characters listed inside the brackets. For example, use set value "[aA]dmin" to match values of admin and Admin.

No default

Example

This example shows how to create a trigger that fires on the log entry generated when port1 is down:

config system automation-trigger

edit "port1Down"

set event-type event-log

set logid 100001401

config fields

edit 1

set name "switch.physical-port"

set value "port1"

next

end

next

end
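To make the field-matching rules and the action's minimum-interval concrete, here is an added Python example (not FortiSwitch code) that evaluates the port1Down trigger above against constructed key=value log lines. The log line format, the ts field standing in for event time, and the treatment of a field that is absent from the log are assumptions.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class EventLogTrigger:
    """event-based trigger with event-type event-log: a logid plus 'config fields' entries."""
    logid: int
    fields: Dict[str, str]  # field name -> value pattern; all must match (AND logic)


def field_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a 'set value' pattern into a regex.

    From the reference: '*' matches any string of any length (including the empty
    string), '[...]' matches exactly one of the characters inside the brackets, and
    every other character is literal.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
            continue
        if ch == "[":
            end = pattern.find("]", i + 1)
            if end > i + 1:  # non-empty bracket set
                members = pattern[i + 1:end]
                # Escape characters that are special inside a regex character class.
                parts.append("[" + "".join("\\" + c if c in "\\]^-" else c for c in members) + "]")
                i = end + 1
                continue
        # Anything else, including an unterminated '[', is literal (the latter is an
        # assumption; the reference does not describe malformed patterns).
        parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line (quoted values allowed) into a dict."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def trigger_matches(trigger: EventLogTrigger, log: Dict[str, str]) -> bool:
    """The trigger fires only if the logid matches and every configured field matches."""
    if log.get("logid") != str(trigger.logid):
        return False
    for name, pattern in trigger.fields.items():
        value = log.get(name)
        # A field absent from the log is treated as not matching (assumption).
        if value is None or not field_pattern_to_regex(pattern).fullmatch(value):
            return False
    return True


def run_stitch(trigger: EventLogTrigger, minimum_interval: int, log_lines: Iterable[str]) -> List[int]:
    """Return the ts values at which the stitch action runs.

    minimum-interval (config system automation-action): the action is not performed
    again until that many seconds have passed since it last ran; 0 means no limit.
    Log lines are assumed to be in time order.
    """
    fired: List[int] = []
    last_run: Optional[int] = None
    for line in log_lines:
        log = parse_log_line(line)
        if not trigger_matches(trigger, log):
            continue
        ts = int(log["ts"])
        if last_run is not None and ts - last_run < minimum_interval:
            continue  # suppressed by minimum-interval
        fired.append(ts)
        last_run = ts
    return fired


# Constructed sample log lines in key=value form (not real FortiSwitch log output);
# 'ts' stands in for the event time in seconds.
SAMPLE_LOG_LINES = [
    'ts=0 logid=100001401 switch.physical-port=port1 msg="link down"',
    'ts=100 logid=100001401 switch.physical-port=port10 msg="link down"',
    'ts=500 logid=100001401 switch.physical-port=port1 msg="link down"',
    'ts=1300 logid=100001401 switch.physical-port=port1 msg="link down"',
    'ts=1400 logid=100001402 switch.physical-port=port1 msg="link up"',
    'ts=2000 logid=100001401 switch.physical-port=port1 msg="admin shut"',
]

# The port1Down trigger from the example above.
PORT1_DOWN = EventLogTrigger(logid=100001401, fields={"switch.physical-port": "port1"})

if __name__ == "__main__":
    # With the 1200-second minimum-interval from the testaction example: fires at 0 and 1300.
    print(run_stitch(PORT1_DOWN, 1200, SAMPLE_LOG_LINES))
```

Note that the exact value "port1" does not match port10; a pattern such as "port1*" would match both.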

This example shows how to configure the action to be triggered on an hourly basis, 30 minutes into the hour:

config system automation-trigger

edit testtrigger

set trigger-type scheduled

set trigger-frequency hourly

set trigger-minute 30

next

end

config system bluetooth

Use this command to configure Bluetooth.

Syntax

config system bluetooth

set pin <string>

set status {disable | enable}

end

Variable

Description

Default

pin <string>

Enter the personal identification number (PIN) used for Bluetooth pairing.

1234

status {disable | enable}

Enable or disable support for Bluetooth.

disable

config system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax

config system bug-report

set auth {no | yes}

set mailto <email_address>

set password <password>

set server <servername>

set username <name>

set username-smtp <account_name>

end

Variable

Description

Default

auth {no | yes}

Enter yes if the SMTP server requires authentication or no if it does not.

no

mailto <email_address>

The email address for bug reports.

fortiswitch@fortinet.com

password <password>

If the SMTP server requires authentication, enter the required password.

No default

server <servername>

The SMTP server to use for sending bug report email.

fortinet.com

username <name>

A valid user name on the specified SMTP server.

bug_report

username-smtp <account_name>

A valid user name for authentication on the specified SMTP server.

bug_report

Example

This example shows how to configure a custom email relay:

config system bug-report

set auth yes

set mailto techdocs@fortinet.com

set password 123abc

set server fortinet.com

set username techdocs

set username-smtp techdocs

end

config system certificate ca

Use this command to configure CA certificates.

FortiSwitch includes a reserved entry named Fortinet_CA. You cannot modify this entry.

Syntax

config system certificate ca

edit <name>

set ca <certificate>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

certificate

PEM format CA certificate. Paste the contents of a CA certificate file between quotation marks as shown in the example.

No default

scep-url <string>

Full URL (such as http://www.test.com).

No default

Example

	# config system certificate ca
	# get
	== [ Fortinet_CA ]
	== [ OracleSSLCA ]
	== [ ca ]
	FortiCore-VM # config system certificate ca
	FortiCore-VM (ca) # edit ca-new
	FortiCore-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
	> -----END CERTIFICATE-----"

config system certificate crl

Use this command to configure the certificate revocation list.

Syntax

config system certificate crl

edit <name>

set crl <crl>

set http-url <string>

set ldap-server <LDAP>

set scep-cert <certificate>

set scep-url <string>

end

Variable

Description

Default

name

Name of the certificate revocation list

No default

crl

PEM format CRL. Paste the contents of a CRL file between quotation marks.

No default

http-url

URL of HTTP server for CRL update

No default

ldap-server

LDAP server

No default

scep-cert

Local certificate used for CRL update using SCEP

Fortinet_Factory

scep-url

URL of CA server for CRL update using SCEP

No default

config system certificate local

Use this command to manage local certificates. FortiSwitch includes a reserved entry named “Factory”. You cannot modify this entry.

Syntax

config system certificate local

edit <name>

set comments <string>

set password <passwd>

set private-key <key>

set scep-url <string>

next

end

Variable

Description

Default

name

Enter the name of the certificate.

No default

comments

Optional administrator note.

No default

password

Password that was used to encrypt the file. The FortiCore system uses the password to decrypt and install the certificate.

*

private-key

Paste the contents of a key file between quotation marks as shown in the example.

No default

scep-url

URL of SCEP server

No default

Example

# config system certificate local
# get
== [ Factory ]
== [ csr_name_test ]
# show
config system certificate local
edit "csr_name_test"
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
"

config system certificate ocsp

Use this command to configure the OCSP server certificate.

Syntax

config system certificate ocsp

set cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

set unavail-action {ignore | revoke}

set url <string>

end

Variable

Description

Default

cert {<string> | Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}

Enter the name of the certificate or select one of the listed certificates.

No default

unavail-action {ignore | revoke}

Select whether the FortiSwitch unit ignores the OCSP check or treats the certificate as revoked when the OCSP server is unavailable.

revoke

url <string>

Enter the URL for the OCSP server.

No default

Example

This example shows how to configure the OCSP server certificate:

config system certificate ocsp

set cert Fortinet_CA

set unavail-action ignore

set url https://www.fortinet.com

end

config system certificate remote

Use this command to install remote certificates. The remote certificates are public certificates without a private key.

Syntax

config system certificate remote

edit <name>

set remote "<cert>"

end

Variable

Description

Default

name

Name for the certificate

No default

remote "<cert>"

PEM-format certificate

No default

config system console

Use this command to configure the FortiSwitchOS console.

Syntax

config system console

set baudrate <speed>

set hostname-display-length <4-35>

set login {enable | disable}

set mode {batch | line}

set output {standard | more}

end

Variable

Description

Default

baudrate <speed>

Set the console port baud rate. Select one of 9600, 19200, 38400, 57600, or 115200.

115200

hostname-display-length <4-35>

Set the maximum number of characters shown for the host name in the CLI prompt.

17

login {enable | disable}

Enable or disable logging in through the FortiSwitchOS console port.

enable

mode {batch | line}

Set the console mode to line or batch. Used for autotesting only.

line

output {standard | more}

Set console output to standard (no pause) or more (pause after each screen is full and resume when a key is pressed).

This setting applies to show or get commands only.

standard

Example

This example shows how to configure the console:

config system console

set hostname-display-length 30

set baudrate 57600

set login enable

set mode batch

set output standard

end

config system dhcp server

Use this command to configure DHCP servers.

Syntax

config system dhcp server

edit <id>

set auto-configuration {enable | disable}

set conflicted-ip-timeout <integer>

set default-gateway <xxx.xxx.xxx.xxx>

set dns-server1 <xxx.xxx.xxx.xxx>

set dns-server2 <xxx.xxx.xxx.xxx>

set dns-server3 <xxx.xxx.xxx.xxx>

set dns-service {default | local | specify}

set domain <string>

set filename <string>

set interface <string>

set lease-time <integer>

set netmask <xxx.xxx.xxx.xxx>

set next-server <xxx.xxx.xxx.xxx>

set ntp-server1 <xxx.xxx.xxx.xxx>

set ntp-server2 <xxx.xxx.xxx.xxx>

set ntp-server3 <xxx.xxx.xxx.xxx>

set ntp-service {default | local | specify}

set status {enable | disable}

set tftp-server <xxx.xxx.xxx.xxx>

set timezone <00-75>

set timezone-option {default | disable | specify}

set vci-match {enable | disable}

set vci-string <VCI_strings>

set wifi-ac1 <xxx.xxx.xxx.xxx>

set wifi-ac2 <xxx.xxx.xxx.xxx>

set wifi-ac3 <xxx.xxx.xxx.xxx>

set wins-server1 <xxx.xxx.xxx.xxx>

set wins-server2 <xxx.xxx.xxx.xxx>

config exclude-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config ip-range

edit <id>

set end-ip <xxx.xxx.xxx.xxx>

set start-ip <xxx.xxx.xxx.xxx>

next

end

config options

edit <id>

set code <integer>

set ip <IP_addresses>

set type {fqdn | hex | ip | string}

set value <string>

next

end

config reserved-address

edit <id>

set action {assign | block | reserved}

set circuit-id {<string> | <hex>}

set circuit-id-type {hex | string}

set description <string>

set ip <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set remote-id {<string> | <hex>}

set remote-id-type {hex | string}

set type {mac | option82}

next

end

next

end

Variable

Description

Default

<id>

Enter the identifier.

No default

auto-configuration {enable | disable}

Enable or disable automatic configuration. Auto configuration allows the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface.

enable

conflicted-ip-timeout <integer>

Enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused. The range is 60-8640000 seconds.

1800

default-gateway <xxx.xxx.xxx.xxx>

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

0.0.0.0

dns-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 1. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 2. This option is only available when dns-service is set to specify.

0.0.0.0

dns-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the DNS server 3. This option is only available when dns-service is set to specify.

0.0.0.0

dns-service {default | local | specify}

Select how DNS servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the client's DNS server IP address. Select default for clients to be assigned the FortiSwitch unit's configured DNS servers. Select specify to enter the IPv4 address for up to three DNS servers.

specify

domain <string>

Enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.

No default

filename <string>

Enter the name of the boot file on the TFTP server.

No default

interface <string>

Enter the name of the interface. The DHCP server can assign IP configurations to clients connected to this interface.

No default

lease-time <integer>

The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address.

Enter the lease time in seconds. The range is 300-8640000. The default lease time is seven days.

604800

netmask <xxx.xxx.xxx.xxx>

Enter the netmask of the addresses that the DHCP server assigns.

0.0.0.0

next-server <xxx.xxx.xxx.xxx>

Enter the IPv4 address of a server (for example, a TFTP server) that DHCP clients can download a boot file from.

0.0.0.0

ntp-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 1. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 2. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-server3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the NTP server 3. This option is only available when ntp-service is set to specify.

0.0.0.0

ntp-service {default | local | specify}

Select how Network Time Protocol (NTP) servers are assigned to DHCP clients. Select local to use the IP address of the DHCP server interface for the client's NTP server IP address. Select default for clients to be assigned the FortiSwitch unit's configured NTP servers. Select specify to enter the IPv4 address for up to three NTP servers.

specify

status {enable | disable}

Enable or disable this DHCP configuration.

enable

tftp-server <string>

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

Enter the hostname or IP address of each TFTP server in quotes. Separate multiple server entries with spaces.

No default

timezone <00-75>

Enter the time zone to be assigned to DHCP clients. This option is only available if timezone-option is set to specify.

(GMT+12:00) Eniwetok, Kwajalein

timezone-option {default | disable | specify}

Select how the DHCP server sets the client's time zone. Select disable for the DHCP server to not set the client's time zone. Select default for clients to be assigned the FortiSwitch unit's configured time zone. Select specify to enter the time zone to be assigned to DHCP clients.

disable

vci-match {enable | disable}

Enable or disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served.

disable

vci-string <VCI_strings>

Enter one or more VCI strings. This option is only available if vci-match is set to enable.

No default

wifi-ac1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 1 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 2 (DHCP option 138, RFC 5417).

0.0.0.0

wifi-ac3 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WiFi Access Controller 3 (DHCP option 138, RFC 5417).

0.0.0.0

wins-server1 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 1.

0.0.0.0

wins-server2 <xxx.xxx.xxx.xxx>

Enter the IPv4 address for the WINS server 2.

0.0.0.0

config exclude-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the IP address range that will not be assigned to clients.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the IP address range that will not be assigned to clients.

0.0.0.0

config ip-range

<id>

Enter the identifier.

No default

end-ip <xxx.xxx.xxx.xxx>

Enter the end of the DHCP IP address range.

0.0.0.0

start-ip <xxx.xxx.xxx.xxx>

Enter the start of the DHCP IP address range.

0.0.0.0

config options

<id>

Enter the identifier.

No default

code <integer>

Select the DHCP option code. The range is 0-255.

9

ip <IP_addresses>

If type is set to ip, enter the IP addresses.

No default

type {fqdn | hex | ip | string}

Select the format of the DHCP option: fully qualified domain name, hexadecimal, IP address, or string.

hex

value <string>

Enter the DHCP option value. This option is available when type is set to fqdn, hex, or string.

No default

config reserved-address

<id>

Enter the identifier.

No default

action {assign | block | reserved}

Select how the DHCP server configures the client with the reserved MAC address. Select assign for the DHCP server to configure the client with this MAC address like any other client. Select block to prevent the DHCP server from assigning IP settings to the client with this MAC address. Select reserved for the DHCP server to assign the reserved IP address to the client with this MAC address.

reserved

circuit-id {<string> | <hex>}

Enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The circuit-id format is controlled by the circuit-id-type setting. This option is only available when type is set to option82.

No default

circuit-id-type {hex | string}

Select whether the format of circuit-id is hexadecimal or string. This option is only available when type is set to option82.

string

description <string>

Enter a description of this entry.

No default

ip <xxx.xxx.xxx.xxx>

Enter the IPv4 address to be reserved for the MAC address. This option is only available when action is set to reserved.

0.0.0.0

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address of the client that will get the reserved IP address. This option is only available when type is set to mac.

00:00:00:00:00:00

remote-id {<string> | <hex>}

Enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This option is only available when type is set to option82.

No default

remote-id-type {hex | string}

Select whether the format of remote-id is hexadecimal or string. This option is only available when type is set to option82.

string

type {mac | option82}

Select whether to match the IP address with the MAC address or DHCP option 82.

mac

Example

This example shows how to configure a DHCP server:

config system dhcp server

edit 1

set default-gateway 50.50.50.2

set domain "FortiswitchTest.com"

set filename "text1.conf"

set interface "svi10"

config ip-range

edit 1

set end-ip 50.50.0.10

set start-ip 50.50.0.5

next

end

set lease-time 360

set netmask 255.255.0.0

set next-server 60.60.60.2

config options

edit 1

set value "dddd"

next

end

set tftp-server "1.2.3.4"

set timezone-option specify

set wifi-ac1 5.5.5.1

set wifi-ac2 5.5.5.2

set wifi-ac3 5.5.5.3

set wins-server1 6.6.6.1

set wins-server2 6.6.6.2

set dns-server1 7.7.7.1

set dns-server2 7.7.7.2

set dns-server3 7.7.7.3

set ntp-server1 8.8.8.1

set ntp-server2 8.8.8.2

set ntp-server3 8.8.8.3

next

end
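As an added example (not FortiSwitch code), the following Python models how the reserved-address, ip-range and exclude-range settings described above decide what a client is offered. The pool reuses the example above; the MAC addresses, option-82 values, the leased address and the rule that every configured option-82 sub-option must match are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class IPRange:
    """One 'config ip-range' or 'config exclude-range' entry."""
    start_ip: str
    end_ip: str

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return ipaddress.IPv4Address(self.start_ip) <= ip <= ipaddress.IPv4Address(self.end_ip)


@dataclass
class ReservedAddress:
    """One 'config reserved-address' entry, with the reference's defaults."""
    action: str = "reserved"         # assign | block | reserved
    type: str = "mac"                # mac | option82
    mac: str = "00:00:00:00:00:00"
    ip: str = "0.0.0.0"
    circuit_id: str = ""
    circuit_id_type: str = "string"  # hex | string
    remote_id: str = ""
    remote_id_type: str = "string"   # hex | string


@dataclass
class DhcpServer:
    ip_ranges: List[IPRange]
    exclude_ranges: List[IPRange] = field(default_factory=list)
    reserved: List[ReservedAddress] = field(default_factory=list)
    leased: Set[str] = field(default_factory=set)  # addresses already handed out


@dataclass
class Request:
    """What the server sees from a client: its MAC and any relay-inserted option 82."""
    mac: str
    circuit_id: bytes = b""  # option 82 sub-option 1 (Circuit ID)
    remote_id: bytes = b""   # option 82 sub-option 2 (Remote ID)


def _encode(value: str, kind: str) -> bytes:
    """A hex-type value is the raw bytes it spells; a string-type value compares as ASCII."""
    return bytes.fromhex(value) if kind == "hex" else value.encode("ascii")


def _entry_matches(entry: ReservedAddress, req: Request) -> bool:
    if entry.type == "mac":
        return entry.mac.lower() == req.mac.lower()
    # option82: every sub-option that is configured (non-empty) must match. Requiring
    # both when both are set is an assumption; the reference does not say.
    checks = []
    if entry.circuit_id:
        checks.append(_encode(entry.circuit_id, entry.circuit_id_type) == req.circuit_id)
    if entry.remote_id:
        checks.append(_encode(entry.remote_id, entry.remote_id_type) == req.remote_id)
    return bool(checks) and all(checks)


def _next_free(server: DhcpServer) -> Optional[str]:
    """First ip-range address that is not excluded, reserved for another client, or leased."""
    reserved_ips = {e.ip for e in server.reserved if e.action == "reserved"}
    for rng in server.ip_ranges:
        ip = ipaddress.IPv4Address(rng.start_ip)
        end = ipaddress.IPv4Address(rng.end_ip)
        while ip <= end:
            candidate = str(ip)
            if (candidate not in server.leased and candidate not in reserved_ips
                    and not any(x.contains(ip) for x in server.exclude_ranges)):
                return candidate
            ip += 1
    return None


def offer(server: DhcpServer, req: Request) -> Optional[str]:
    """Return the address offered to the client, or None when it is blocked or the pool is empty."""
    for entry in server.reserved:
        if _entry_matches(entry, req):
            if entry.action == "block":
                return None          # no IP settings for this client
            if entry.action == "reserved":
                return entry.ip      # always the reserved address
            break                    # assign: treated like any other client
    return _next_free(server)


# Constructed configuration (not from a real deployment): the pool from the example
# above, two addresses excluded, one already leased, and five reserved-address entries.
EXAMPLE_SERVER = DhcpServer(
    ip_ranges=[IPRange("50.50.0.5", "50.50.0.10")],
    exclude_ranges=[IPRange("50.50.0.5", "50.50.0.6")],
    reserved=[
        ReservedAddress(action="reserved", type="mac", mac="00:21:cc:d2:76:72", ip="50.50.0.9"),
        ReservedAddress(action="block", type="mac", mac="de:ad:be:ef:00:01"),
        ReservedAddress(action="assign", type="mac", mac="00:00:5e:00:53:04"),
        ReservedAddress(action="reserved", type="option82", circuit_id="port3", ip="50.50.0.10"),
        ReservedAddress(action="block", type="option82", circuit_id="0a0b", circuit_id_type="hex"),
    ],
    leased={"50.50.0.7"},
)
```

A client with no matching entry gets the first free address (50.50.0.8 here, since .5 and .6 are excluded and .7 is leased), while a blocked MAC or circuit ID receives nothing.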

config system dns

Use this command to set the DNS server addresses. Several FortiSwitch functions, including sending email alerts and URL blocking, use DNS.

Syntax

config system dns

set cache-notfound-responses {enable | disable}

set dns-cache-limit <integer>

set dns-cache-ttl <int>

set domain <domain_name>

set ip6-primary <dns_ipv6>

set ip6-secondary <dns_ip6>

set primary <dns_ipv4>

set secondary <dns_ip4>

set source-ip <ipv4_addr>

end

Variable

Description

Default

cache-notfound-responses {enable | disable}

Enable to cache NOTFOUND responses from the DNS server.

disable

dns-cache-limit <integer>

Set maximum number of entries in the DNS cache.

5000

dns-cache-ttl <int>

Enter the duration, in seconds, that the DNS cache retains information.

1800

domain <domain_name>

Set the local domain name (optional).

No default

ip6-primary <dns_ipv6>

Enter the primary IPv6 DNS server IP address.

::

ip6-secondary <dns_ip6>

Enter the secondary IPv6 DNS server IP address.

::

primary <dns_ipv4>

Enter the primary DNS server IP address.

0.0.0.0

secondary <dns_ip4>

Enter the secondary DNS server IP address.

0.0.0.0

source-ip <ipv4_addr>

Enter the source IP address used for communication with the DNS servers.

0.0.0.0

Example

This example shows how to set the DNS server addresses:

config system dns

set cache-notfound-responses enable

set dns-cache-limit 2000

set dns-cache-ttl 900

set domain fortinet.com

set primary 172.91.112.53

set secondary 172.91.112.52

end

config system flan-cloud

Use this command to configure FortiLAN Cloud or FortiLink over HTTPS.

Syntax

config system flan-cloud

set interval <integer>

set name <FortiLAN_Cloud_FQDN_IP_address | FortiLink_IPv4_address>

set port <port_number>

set service-type {flan-cloud | fortilink-https}

set status {enable | disable}

end

Variable

Description

Default

interval <integer>

The time in seconds allowed for domain name system (DNS) resolution. The value range is 3-300 seconds.

3

name <FortiLAN_Cloud_FQDN_IP_address | FortiLink_IPv4_address>

If you are using FortiLAN Cloud, enter the fully qualified domain name or IP address for the FortiLAN Cloud.

If you are using FortiLink with HTTPS, enter the FortiLink IPv4 address.

fortiswitch-dispatch.forticloud.com

port <port_number>

Port number used to connect to FortiLAN Cloud.

443

service-type {flan-cloud | fortilink-https}

If you are using FortiLAN Cloud, set service-type to flan-cloud.

If you are using FortiLink with HTTPS, set service-type to fortilink-https.

flan-cloud

status {enable | disable}

Select whether FortiLAN Cloud or FortiLink with HTTPS is active or inactive.

disable

Example

This example shows how to configure FortiLAN Cloud:

config system flan-cloud

set interval 150

set name fortiswitch-dispatch.forticloud.com

set port 443

set service-type flan-cloud

set status enable

end

config system flow-export

You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

Syntax

config system flow-export

set filter <string>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set identity <hexadecimal>

set level {ip | mac | port | proto | vlan}

set max-export-pkt-size <integer>

set template-export-period <1-60>

set timeout-general <integer>

set timeout-icmp <integer>

set timeout-max <integer>

set timeout-tcp <integer>

set timeout-tcp-fin <integer>

set timeout-tcp-rst <integer>

set timeout-udp <integer>

config collectors

edit <collector_name>

set ip <IPv4_address>

set port <port_number>

set transport {sctp | tcp | udp}

end

config aggregates

edit <aggregate_ID>

set ip <IPv4_address_mask>

end

end

Variable

Description

Default

filter <string>

Specify the Berkeley packet filter (BPF) to use. For example, set filter "host 33.33.33.2".

No default

format {netflow1 | netflow5 | netflow9 | ipfix}

You can set the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.

netflow9

identity <hexadecimal>

Required. Enter a unique number to identify which FortiSwitch unit the data originates from. The range of values is 0x00000000-0xFFFFFFFF. If identity is not specified, the “Burn in MAC” value is used instead (see get system status).

0x00000000

level {ip | mac | port | proto | vlan}

You can set the flow-tracking level to one of the following:
  • ip—The FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
  • mac—The FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
  • port—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
  • vlan—The FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.

ip

max-export-pkt-size <integer>

Set the maximum size in bytes of exported packets in the application level. The range of values is 512-9216.

512

template-export-period <1-60>

Set the number of minutes before the template is exported.

5

timeout-general <integer>

Set the general timeout in seconds for the flow session. The range of values is 60-604800.

3600

timeout-icmp <integer>

Set the ICMP timeout for the flow session. The range of values is 60-604800.

300

timeout-max <integer>

Set the maximum number of seconds before the flow session times out. The range of values is 60-604800.

604800

timeout-tcp <integer>

Set the TCP timeout for the flow session. The range of values is 60-604800.

3600

timeout-tcp-fin <integer>

Set the TCP FIN flag timeout for the flow session. The range of values is 60-604800.

300

timeout-tcp-rst <integer>

Set the TCP RST flag timeout for the flow session. The range of values is 60-604800.

120

timeout-udp <integer>

Set the UDP timeout for the flow session. The range of values is 60-604800.

300

config collectors

<collector_name>

Enter the name of the flow-export collector.

No default

ip <IPv4_address>

Enter the IP address for the collector.

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

0.0.0.0

port <port_number>

Enter the port number for the collector.

The range of values is 0-65535. The default port for NetFlow is 2055; the default port for IPFIX is 4739.

0

transport {sctp | tcp | udp}

You can set exported packets to use UDP, TCP, or SCTP for transport.

udp

config aggregates

<id>

Enter the identifier.

No default

<IPv4_address_mask>

Enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.

No default

Example

This example shows how to configure flow export:

config system flow-export

set format ipfix

set level ip

config collectors

edit flowone

set ip 169.254.3.1

set port 5

set transport tcp

next

end

end
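As an added example (not Fortinet code and not part of this reference), the following is a minimal collector-side parser for the IPFIX format configured above: it rejects messages whose Observation Domain ID does not match the expected identity value and decodes the source and destination IPv4 fields that a level ip export carries. The sample message is constructed inline; the mapping of the identity setting onto the IPFIX Observation Domain ID and the exact information elements a FortiSwitch unit sends are assumptions.

```python
import struct
from ipaddress import IPv4Address

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
# IANA IPFIX information elements assumed for a 'level ip' export (src/dst IPv4)
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address"}


def parse_ipfix(data, expected_identity=None):
    """Parse one IPFIX message (RFC 7011 layout) into (header, records).

    If expected_identity is given, the message is rejected unless its
    Observation Domain ID equals that value (assumed to carry the switch's
    'identity' setting), so a collector does not mix in flows from other exporters.
    Only IANA information elements (no enterprise bit) are handled.
    """
    if len(data) < 16:
        raise ValueError("truncated IPFIX header")
    version, length, export_time, seq, domain_id = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not an IPFIX message (version {version})")
    if length != len(data):
        raise ValueError("header length does not match message size")
    if expected_identity is not None and domain_id != expected_identity:
        raise ValueError(f"unexpected exporter identity 0x{domain_id:08x}")
    header = {"export_time": export_time, "sequence": seq, "identity": domain_id}

    templates, records, offset = {}, [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("bad set length")
        body = data[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * count > len(body):
                    raise ValueError("truncated template record")
                # each field is (information element ID, field length)
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(count)]
                pos += 4 * count
                templates[tid] = fields
        elif set_id >= 256:  # data set; its ID names the template that describes it
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} arrived before its template")
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ie, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = str(IPv4Address(raw)) if ie in IE_NAMES else raw.hex()
                records.append(rec)
        offset += set_len
    return header, records


def build_sample_message(identity):
    """Construct (not captured) an IPFIX message resembling a 'level ip' export of two flows."""
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)  # template 256: srcIPv4, dstIPv4
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    flows = [("10.0.0.5", "192.0.2.10"), ("10.0.0.7", "198.51.100.20")]
    payload = b"".join(IPv4Address(s).packed + IPv4Address(d).packed for s, d in flows)
    data_set = struct.pack("!HH", 256, 4 + len(payload)) + payload
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, identity)
    return header + body


if __name__ == "__main__":
    hdr, recs = parse_ipfix(build_sample_message(0x0000ABCD), expected_identity=0x0000ABCD)
    print(hdr)
    for r in recs:
        print(r)
```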

config system global

Use this command to configure global settings that affect various FortiSwitch systems and configurations.

Syntax

config system global

set 802.1x-ca-certificate {Fortinet_802.1x_CA | Fortinet_CA | Fortinet_CA2 | Fortinet_Sub_CA2 | Fortinet_fsw_cloud_CA}

set 802.1x-certificate {Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set admin-concurrent {enable | disable}

set admin-lockout-duration <time_int>

set admin-lockout-threshold <failed_int>

set admin-password-hash {pbkdf2 | pbkdf2-high | sha1 | sha256}

set admin-restrict-local {enable | disable}

set admin-scp {enable | disable}

set admin-ssh-grace-time <time_int>

set admin-ssh-port <port_number>

set admin-ssh-v1 {enable | disable}

set admin-telnet-port <port_number>

set admintimeout <admin_timeout_minutes>

set alertd-relog {enable | disable}

set alert-interval <1-1440 minutes>

set allow-subnet-overlap {enable | disable}

set arp-inspection-monitor-timeout <5-10080 minutes>

set arp-timeout <seconds>

set asset-tag <string>

set cfg-save {automatic | manual | revert}

set cfg-revert-timeout <10-2147483647>

set clt-cert-req {enable | disable}

set csr-ca-attribute {enable | disable}

set daily-restart {enable | disable}

set detect_ip_conflict {enable | disable}

set dhcp-client-location {description | hostname | intfname | mode | vlan}

set dhcp-option-format {ascii | legacy}

set dhcp-remote-id {hostname | ip | mac}

set dhcp-server-access-list {enable | disable}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcps-db-exp <number_of_seconds>

set dhcps-db-per-port-learn-limit <number_of_entries>

set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

set dst {enable | disable}

set hostname <unithostname>

set image-rotation {enable | disable}

set ip-conflict-ignore-default {enable | disable}

set ipv6-accept-dad <0 | 1 | 2>

set ipv6-all-forwarding {enable | disable}

set kernel-crashlog {enable | disable}

set kernel-devicelog {enable | disable}

set l3-host-expiry {enable | disable}

set ldapconntimeout <ldaptimeout_msec>

set post-login-banner "<string>"

set pre-login-banner "<string>"

set private-data-encryption {enable | disable}

set radius-coa-port <port_number>

set radius-port <radius_port>

set remoteauthtimeout <timeout_sec>

set reset-button {enable | disable}

set revision-backup-on-logout {enable | disable}

set revision-backup-on-upgrade {enable | disable}

set single-psu-fault {enable | disable}

set strong-crypto {enable | disable}

set tcp-mss-min <48-10000>

set tcp6-mss-min <48-10000>

set timezone <timezone_number>

end

Variable

Description

Default

802.1x-ca-certificate {Fortinet_802.1x_CA | Fortinet_CA | Fortinet_CA2 | Fortinet_Sub_CA2 | Fortinet_fsw_cloud}

Set the CA certificate for port security (802.1x):
  • Fortinet_802.1x_CA—Select this CA if you are using 802.1x authentication.
  • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_Sub_CA2—Select this CA if you want to use the factory-installed certificate.
  • Fortinet_fsw_cloud—Select this CA if you are using FortiLAN Cloud.

Fortinet_802.1x_CA

802.1x-certificate {Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Set the certificate for port security (802.1x):
  • Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1x authentication.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.

Fortinet_802.1x

admin-concurrent {enable | disable}

Enable to enforce concurrent administrator logins. When enabled, the FortiSwitch restricts concurrent access from the same admin user name but on different IP addresses. Use policy-auth-concurrent for firewall authenticated users.

enable

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.

60

admin-lockout-threshold <failed_int>

Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.

3

admin-password-hash {pbkdf2 | pbkdf2-high | sha1 | sha256}

Select which hash algorithm is used to encode passwords for new administrator accounts:

  • pbkdf2—Use the PBKDF2 hash algorithm with a lower iteration count.

  • pbkdf2-high—Use the PBKDF2 hash algorithm with a higher iteration count.

  • sha1—Use the SHA1 hash algorithm.

  • sha256—Use the SHA256 hash algorithm.

sha256

admin-restrict-local {enable | disable}

Enable/disable local admin authentication restriction when remote authenticator is up and running.

  • enable—Enable local admin authentication restriction.

  • disable—Disable local admin authentication restriction.

disable

admin-scp {enable | disable}

Enable to allow system configuration download by the secure copy (SCP) protocol.

disable

admin-ssh-grace-time <time_int>

Enter the maximum time permitted between making an SSH connection to the FortiSwitch and authenticating. Range is 10 to 3600 seconds.

120

admin-ssh-port <port_number>

Enter the port to use for SSH administrative access.

22

admin-ssh-v1 {enable | disable}

Enable compatibility with SSH v1.0.

disable

admin-telnet-port <port_number>

Enter the port to use for telnet administrative access.

23

admintimeout <admin_timeout_minutes>

Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).

To improve security, keep the idle timeout at the default value of 5 minutes.

5

alertd-relog {enable | disable}

Enable or disable re-logs when a sensor exceeds its threshold.

disable

alert-interval

NOTE: This command is only available after the alertd-relog option has been enabled.

Set how often an alert is generated for temperature sensors when they exceed their set thresholds.

30

allow-subnet-overlap {enable | disable}

Use this command to allow two interfaces to include the same IP address in the same subnet. The command applies only between the mgmt interface and an internal interface.

Note: Different interfaces cannot have overlapping IP addresses or subnets.

Caution: For advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

disable

arp-inspection-monitor-timeout <5-10080 minutes>

Set the number of minutes before the MAC addresses, VLAN identifiers, and IP addresses that were learned from ARP traffic are removed from the DHCP-snooping database. When arp-inspection-monitor-timeout is set to 0, the ARP traffic entries do not expire and are not removed from the DHCP-snooping database.

1440

arp-timeout <seconds>

Set the number of seconds before dynamic ARP entries are removed from the cache.

180

asset-tag

LLDP uses the asset tag to help identify the unit. The asset tag can be up to 32 characters, and will be added to the LLDP-MED inventory TLV (when that TLV is enabled).

No default

cfg-save {automatic | manual | revert}

Set the method for saving the FortiSwitch system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
  • automatic—Automatically save the configuration after every change.
  • manual—Manually save the configuration using the execute acl key-compaction command.
  • revert—Manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.

automatic

cfg-revert-timeout <10-2147483647>

After the configuration change, wait the specified number of seconds, restart the FortiSwitch unit, and revert to the last saved configuration if the configuration is not manually saved within the period.

Before FortiSwitchOS 7.2.1, there was no reboot before the configuration was reverted.

This command is available only when cfg-save is set to revert.

600

clt-cert-req {enable | disable}

Enable or disable the requirement to have a client certificate to log in to the GUI.

disable

csr-ca-attribute {enable | disable}

Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.

enable

daily-restart {enable | disable}

Enable to restart the FortiSwitch unit every day.

The time of the restart is controlled by restart-time.

disable

detect_ip_conflict {enable | disable}

Enable the Detect IP Conflict feature.

enable

dhcp-client-location {description | hostname | intfname | mode | vlan}

Select which parameters to include to describe the client location. Separate multiple parameters with a space.
  • description—Include the interface description.
  • hostname—Include the host name.
  • intfname—Include the interface name.
  • mode—Include the mode.
  • vlan—Include the VLAN.

intfname vlan mode

dhcp-option-format {ascii | legacy}

Select the format for the DHCP string:
  • ascii—This format allows the user to choose the values for the circuit-id and remote-id fields.
  • legacy—This format generates a predefined fixed format for the circuit-id and remote-id fields.

ascii

dhcp-remote-id {hostname | ip | mac}

Select which parameters to include in the remote-id field:
  • hostname—Include the host name.
  • ip—Include the IP address.
  • mac—Include the MAC address.

mac

dhcp-server-access-list {enable | disable}

Set to disable for DHCP snooping to allow any DHCP server from trusted interfaces. Set to enable for DHCP snooping to allow only DHCP servers that are included in the allowed server list.

disable

dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

Select which transmission mode to use for broadcasting client DHCP packets:
  • drop-untrusted—Client packets are broadcasted on trusted ports in the VLAN.
  • forward-untrusted—By default, client packets are broadcasted on all ports in the VLAN.

drop-untrusted

dhcps-db-exp <number_of_seconds>

Set the number of seconds for a DHCP-snooping server database entry to be kept. The range of values is 300-259200.

86400

dhcps-db-per-port-learn-limit <number_of_entries>

Set the maximum number of DHCP server entries that are learned per interface. The range of values is 0-1024.

64

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

Specify the minimum size (in bits) of the Diffie-Hellman prime for SSH/HTTPS.

2048

dst {enable | disable}

Enable or disable daylight saving time.

If you enable daylight saving time, the FortiSwitch unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.

enable

hostname <unithostname>

Enter a name to identify this FortiSwitch unit. A hostname can only include letters, numbers, hyphens, and underlines. No spaces are allowed.

While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI, and other locations the hostname is used.

Some models support hostnames up to 35 characters.

By default the hostname of your system is its serial number which includes the model.

FortiSwitch serial number.

image-rotation {enable | disable}

Enable or disable the rotation of the partition used to upgrade the FortiSwitch image.

enable

ip-conflict-ignore-default {enable | disable}

Enable or disable IP conflict detection for the default IP address.

enable

ipv6-accept-dad <0 | 1 | 2>

Specify whether to accept IPv6 duplicate address detection (DAD). Set to 0 to disable DAD. Set to 1 to enable DAD. Set to 2 to enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address is found.

1

ipv6-all-forwarding {enable | disable}

Enable or disable IPv6 forwarding.

enable

kernel-crashlog {enable | disable}

Enable or disable whether to log a kernel crash.

enable

kernel-devicelog {enable | disable}

Enable or disable the capture of kernel device messages to the log.

enable

l3-host-expiry {enable | disable}

Enable or disable layer-3 host expiry.

disable

ldapconntimeout <ldaptimeout_msec>

The LDAP connection timeout in milliseconds.

500

post-login-banner "<string>"

Enter a message for the system post-login banner.

No default

pre-login-banner "<string>"

Enter a message for the system pre-login banner.

No default

private-data-encryption {enable | disable}

Enable or disable private data encryption using an AES 128-bit key.

disable

radius-coa-port <port_number>

Set the port number to be used for the RADIUS change of authorization (CoA).

3799

radius-port <radius_port>

Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your system.

1812

remoteauthtimeout <timeout_sec>

The number of seconds that the FortiSwitch waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds, 0 means no timeout.

To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

5

reset-button {enable | disable}

Enable or disable the FortiSwitch hardware Reset button:

  • Set this option to enable to be able to use the FortiSwitch hardware Reset button, even if the OS is running.

  • Set this option to disable to disable the FortiSwitch hardware Reset button while the OS is running.

enable

revision-backup-on-logout {disable | enable}

Enable or disable backing up the latest configuration revision when the administrator logs out of the CLI or Web GUI.

enable

revision-backup-on-upgrade {enable | disable}

Enable or disable backing up the latest configuration revision when the administrator starts an upgrade.

enable

single-psu-fault {enable | disable}

Enable this option to have the ALARM LED turn red when only one power supply unit (PSU) is connected. If you disable this option, the ALARM LED will not turn red, even when one or two PSUs are connected.

NOTE: This option is only available for the FSR-112D-POE (system part number P17080-04 or later) and FSR-216F-POE models. You can check the system part number with the get system status command.

disable

strong-crypto {enable | disable}

Strong encryption only allows strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by Firefox.

enable

tcp-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

tcp6-mss-min <48-10000>

Enter the minimum allowed TCP MSS value in bytes.

48

timezone <timezone_number>

The number corresponding to your time zone from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiSwitch from the list and enter the correct number.

00

Example

This example shows how to set your private data encryption key:

S548DN5018000535 # config system global

S548DN5018000535 (global) # set private-data-encryption enable

S548DN5018000535 (global) # end

Please type your private data encryption key (32 hexadecimal numbers):

0123456789abcdefabcdef0123456789

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

0123456789abcdefabcdef0123456789

Your private data encryption key is accepted.

This example shows how to set the lockout threshold to one attempt and the duration before the administrator can try again to log in to five minutes:

config system global

set admin-lockout-threshold 1

set admin-lockout-duration 300

end
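As an added example (not Fortinet code), here is a small audit script that reads the config system global block from a configuration dump and flags the settings this reference documents as security relevant: SSH v1 compatibility, strong-crypto, the admin password hash, the idle and remote authentication timeouts, the lockout threshold and duration, and private data encryption. The sample dump is constructed; treating keys absent from the dump as being at their documented default is an assumption.

```python
import re

# Documented defaults from the config system global table, for the keys audited here
DEFAULTS = {
    "admin-ssh-v1": "disable",
    "admintimeout": "5",
    "remoteauthtimeout": "5",
    "strong-crypto": "enable",
    "admin-password-hash": "sha256",
    "admin-lockout-threshold": "3",
    "admin-lockout-duration": "60",
    "private-data-encryption": "disable",
}

# Constructed sample of a configuration dump (not taken from a real switch)
SAMPLE_CONFIG = """\
config system global
    set hostname "switch-lab-01"
    set admin-ssh-v1 enable
    set admintimeout 60
    set strong-crypto disable
    set admin-password-hash sha1
    set admin-lockout-threshold 10
    set remoteauthtimeout 0
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_global_block(text):
    """Return {key: value} for the 'config system global' block of a config dump."""
    settings, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            in_block = True
        elif in_block and stripped == "end":
            break
        elif in_block:
            m = SET_RE.match(line)
            if m:
                key, value = m.groups()
                settings[key] = value.strip('"')
    return settings


def audit_global(settings):
    """Compare settings with the page's guidance; return a list of (key, value, finding)."""
    # Keys missing from the dump are assumed to sit at their documented default
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["admin-ssh-v1"] == "enable":
        findings.append(("admin-ssh-v1", "enable", "SSH v1 compatibility enabled; keep the default disable"))
    if eff["strong-crypto"] != "enable":
        findings.append(("strong-crypto", eff["strong-crypto"], "weak ciphers and digests allowed for HTTPS/SSH admin access"))
    if eff["admin-password-hash"] == "sha1":
        findings.append(("admin-password-hash", "sha1", "SHA1 hash for new admin accounts; prefer pbkdf2-high or sha256"))
    if int(eff["admintimeout"]) > 5:
        findings.append(("admintimeout", eff["admintimeout"], "idle timeout above the recommended 5 minutes"))
    timeout = int(eff["remoteauthtimeout"])
    if timeout == 0 or timeout > 5:
        findings.append(("remoteauthtimeout", eff["remoteauthtimeout"],
                         "0 means no timeout; above the 5 second default (may be needed for multi-hop RADIUS)"))
    if int(eff["admin-lockout-threshold"]) > 3:
        findings.append(("admin-lockout-threshold", eff["admin-lockout-threshold"], "more failed logins allowed than the default of 3"))
    if int(eff["admin-lockout-duration"]) < 60:
        findings.append(("admin-lockout-duration", eff["admin-lockout-duration"], "lockout shorter than the default 60 seconds"))
    if eff["private-data-encryption"] != "enable":
        findings.append(("private-data-encryption", eff["private-data-encryption"], "private data not encrypted with the AES 128-bit key"))
    return findings


if __name__ == "__main__":
    for key, value, finding in audit_global(parse_global_block(SAMPLE_CONFIG)):
        print(f"{key} = {value}: {finding}")
```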

config system interface

Use this command to edit the configuration of an interface.

If you enter a name string in the edit command that is not the name of a physical interface, the command creates a VLAN subinterface.

Syntax

config system interface

edit <interface_name>

set allowaccess <access_types>

set alias <name_string>

set bfd {enable | disable | global}

set bfd-desired-min-tx <interval_msec>

set bfd-detect-mult <multiplier>

set bfd-required-min-rx <interval_msec>

set description <text>

set dhcp-relay-service {enable | disable}

set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

set dhcp-relay-option82 {enable | disable}

set dhcp-vendor-specific-option <string>

set external {enable | disable}

set fail-detect {enable | disable}

set fail-detect-option {link-down | detectserver}

set fail-alert-method {link-down | link-failed-signal}

set fail-alert-interfaces {port1 port2 ...}

set icmp-redirect {enable | disable}

set interface <interface_name>

set ip <interface_ipv4mask>

set log {enable | disable}

set l2-interface <interface_name>

set mode <static | dhcp>

set dhcp-client-identifier <client_name_str>

set distance <1-255>

set defaultgw {enable | disable}

set dns-server-override {enable | disable}

set mtu-override {enable | disable}

set secondary-IP {enable | disable}

set snmp-index <integer>

set src-check {disable | loose | strict}

set src-check-allow-default {enable | disable}

set status {down | up}

set type {loopback | physical | vlan | vxlan}

set vlanid <id_number>

set vrf <string>

set vrrp-virtual-mac {enable | disable}

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local {enable | disable}

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-address

edit <prefix_ipv6>

next

end

config vrrp6

edit <virtual_router_identifier>

set accept-mode {enable | disable}

set adv-interval <1-255>

set preempt {enable | disable}

set priority <1-255>

set start-time <1-255>

set status {enable | disable}

set vrdst6 <IPv6_address>

set vrgrp <1-65535>

set vrip6 <IPv6_address>

next

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set backup-vmac-fwd {enable | disable}

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

next

end

A VLAN cannot have the same name as a zone or a virtual domain.

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

Varies for each interface.

alias <name_string>

Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is available only when the interface type is physical.

No default.

bfd {enable | disable | global}

The status of bidirectional forwarding detection (bfd) on this interface:
  • enable — enable BFD and ignore global BFD configuration.
  • disable — disable BFD on this interface.
  • global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.

global

bfd-desired-min-tx <interval_msec>

Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec. This option is available only when bfd is enabled.

50

bfd-detect-mult <multiplier>

Select the BFD detection multiplier. This option is available only when bfd is enabled.

3

bfd-required-min-rx <interval_msec>

Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec. This is available only when bfd is enabled.

50

description <text>

Optionally, enter up to 63 characters to describe this interface.

No default

dhcp-relay-service {enable | disable}

Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.

There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.

disable

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}

Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept.

Do not set dhcp-relay-ip to 0.0.0.0. This option is available only when dhcp-relay-service is enabled.

No default

dhcp-relay-option82 {enable | disable}

Enable to allow option-82 insertion in the DHCP relay. This option is available only when dhcp-relay-service is enabled.

disable

dhcp-vendor-specific-option <string>

Set the value for DHCP vendor-specific option 43.

No default

external {enable | disable}

Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the config VoIP profile SIP contact-fixup option is disabled.

disable

fail-detect {enable | disable}

Enable interface failure detection.

disable

fail-detect-option {link-down | detectserver}

Select whether the system detects interface failure by port detection (link-down) or ping server (detectserver). This option is available only when fail-detect is enabled.

link-down

fail-alert-method {link-down | link-failed-signal}

Select the signal that the system uses to signal the link failure: Link Down or Link Failed. This option is available only when fail-detect is enabled.

link-down

fail-alert-interfaces {port1 port2 ...}

Select the interfaces to which failure detection applies. This option is available only when fail-detect is enabled.

No default

icmp-redirect {enable | disable}

Disable to stop ICMP redirect from sending from this interface. ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available.

enable

interface <interface_name>

Enter the name of the interface. This option is available only when vlanid is set.

internal

ip <interface_ipv4mask>

Enter the interface IP address and netmask. This option is not available if mode is set to dhcp. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.

Varies for each interface.

log {enable | disable}

Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting.

disable

l2-interface <interface_name>

Enter the name of the layer-2 interface.

This option is available only when the interface type is physical.

No default

mode <interface_mode>

Configure the connection mode for the interface as one of:

  • static—Configure a static IP address for the interface.
  • dhcp—Configure the interface to receive its IP address from an external DHCP server.

static

dhcp-client-identifier

Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual interfaces). By default, the DHCP client identifier for each interface is created based on the model name and the interface MAC address. In some cases, you might want to specify your own DHCP client identifier using this command. This option is available only when the mode is set to dhcp.

No default

distance <1-255>

Enter the distance of learned routes.

This command is available only when mode is set to dhcp.

5

defaultgw {enable | disable}

Enable to get the gateway IP address from the DHCP server. This option is available only when the mode is set to dhcp.

disable

dns-server-override {enable | disable}

Disable to prevent this interface from using DNS server addresses it acquires by DHCP. This option is available only when the mode is set to dhcp.

enable

mtu-override {enable | disable}

Select enable to use a custom MTU size instead of the default (1,500). This is available only for physical interfaces and some tunnel interfaces (not IPsec). If you change the MTU size, you must reboot the FortiSwitch to update the MTU values of the VLANs on this interface. Some models support MTU sizes larger than the standard 1,500 bytes.

disable

secondary-IP {enable | disable}

Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address. When disabled, the Web-based manager interface displays only the option to enable secondary IP.

disable

snmp-index <integer>

Configure the SNMP index.

src-check {disable | loose | strict}

Set to disable if you do not want to use unicast reverse-path forwarding (uRPF).

Set to strict to ensure that the packet was received on the same interface that the router uses to forward the return packet.

Set to loose to ensure that the routing table includes the source IP address of the packet.

disable

src-check-allow-default {enable | disable}

If you disable the src-default-route-check option, the packet is dropped if the source IP address is not found in the routing table. If you enable the src-default-route-check option, the packet is allowed even if the source IP address is not found in the routing table, but the default route is found in the routing table.

This option is available only when src-check is set to loose.

disable
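As an added example (not Fortinet code), the following models the three src-check modes and the src-check-allow-default option over a small routing table, so the effect of each setting on a packet can be checked before enabling it on a production SVI. The routing table and packets are constructed; the page does not describe how strict mode treats the default route, so treating it like any other route there is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, outgoing interface); 0.0.0.0/0 is the default route
ROUTES = [
    (ip_network("10.10.0.0/16"), "vlan10"),
    (ip_network("192.0.2.0/24"), "vlan20"),
    (ip_network("0.0.0.0/0"), "mgmt"),
]


def lookup(src, routes=ROUTES):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ip_address(src)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def src_check(mode, allow_default, ingress_iface, src, routes=ROUTES):
    """Return True if a packet from src arriving on ingress_iface passes uRPF.

    mode is the src-check value (disable | loose | strict); allow_default is
    src-check-allow-default, which the page says applies only in loose mode.
    """
    if mode == "disable":
        return True  # uRPF not applied
    match = lookup(src, routes)
    if match is None:
        return False  # source not in the routing table at all
    prefix, iface = match
    if mode == "loose":
        if prefix.prefixlen == 0:
            # only the default route covers the source: dropped unless allow-default
            return allow_default
        return True
    if mode == "strict":
        # Assumption: default route treated like any other route in strict mode
        return iface == ingress_iface
    raise ValueError(f"unknown src-check mode {mode!r}")


if __name__ == "__main__":
    for mode, allow in (("disable", False), ("loose", False), ("loose", True), ("strict", False)):
        for iface, src in (("vlan10", "10.10.3.4"), ("vlan20", "10.10.3.4"), ("vlan10", "203.0.113.9")):
            print(mode, allow, iface, src, "pass" if src_check(mode, allow, iface, src) else "drop")
```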

status {down | up}

Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

up (down for VLANs)

type {loopback | physical | vlan | vxlan}

Enter the type of interface. NOTE: Some types are read only and are set automatically by hardware.
  • loopback—a virtual interface that is always up. This interface’s status and link status are not affected by external changes. It is primarily used for blackhole routing (dropping all packets that match this route). This route is advertised to neighbors through dynamic routing protocols as any other static route. Loopback interfaces have no DHCP, forwarding, mode, or DNS settings. You can create a loopback interface from the CLI or Web-based manager.
  • physical—a physical interface.
  • vlan—a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.
  • vxlan— a virtual extensible LAN interface.

vlan

vlanid <id_number>

Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of VLAN.

No default

vrf <string>

Assign this virtual routing and forwarding (VRF) instance to a switch virtual interface (SVI).

After the SVI is created, the VRF instance cannot be changed or unset. The VRF instance cannot be assigned to an internal SVI.

No default

vrrp-virtual-mac {enable | disable}

Enable VRRP virtual MAC addresses for the IPv4 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ipv6

Configure IPv6 settings for the interface.

Syntax

config system interface

edit <interface_name>

config ipv6

set ip6-address <ipv6_netmask>

set ip6-allowaccess <access_types>

set autoconf {disable | enable}

set ip6-unknown-mcast-to-cpu {disable | enable}

set ip6-mode {dhcp | static}

set ip6-dns-server-override {disable | enable}

set dhcp6-information-request {disable | enable}

set ip6-send-adv {disable | enable}

set ip6-manage-flag {disable | enable}

set ip6-other-flag {disable | enable}

set ip6-max-interval <4-1800>

set ip6-min-interval <3-1350>

set ip6-link-mtu <integer>

set ip6-reachable-time <0-3600000>

set ip6-retrans-time <0-2147483647>

set ip6-default-life <0-9000>

set ip6-hop-limit <0-255>

set vrip6_link_local <IPv6_address>

set vrrp-virtual-mac6 {enable | disable}

config ip6-extra-addr

edit <prefix_ipv6>

next

end

config vrrp6

edit <virtual_router_identifier 1-255>

set accept-mode {enable | disable} -- Enable or disable accept mode. (enable by default)

set adv-interval <1-255> -- Advertisement interval (1 - 255 seconds). (1 by default)

set preempt {enable | disable} -- Enable or disable preempt mode. (enable by default)

set priority <1-255> -- Priority of the virtual router (1 - 255). (100 by default)

set start-time <1-255> -- Startup time (1 - 255 seconds). (3 by default)

set status {enable | disable} -- Enable or disable VRRP. (enable by default)

set vrdst6 <IPv6_address> -- Monitor the route to this destination. (no default)

set vrgrp <1-65535> -- VRRP group ID (1 - 65535). (0 by default)

set vrip6 <IPv6_address> -- IPv6 address of the virtual router. (no default) Required.

next

end

config ip6-prefix-list

edit <prefix_ipv6>

set autonomous-flag {disable | enable}

set onlink-flag {disable | enable}

set preferred-life-time <0-2147483647>

set valid-life-time <0-2147483647>

end

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

ip6-address <ipv6_netmask>

The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.

This command is only available in NAT/Route mode.

::/0

ip6-allowaccess <access_types>

Enter the types of management access permitted on this IPv6 interface. Valid types are: fgfm, http, https, ping, snmp, ssh, and telnet. Separate the types with spaces. If you want to add or remove an option from the list, retype the list as required.

Varies for each interface.

autoconf {disable | enable}

Enable or disable the automatic address configuration.

disable

ip6-unknown-mcast-to-cpu {disable | enable}

Enable or disable the sending of unknown multicast addresses to the CPU.

disable

ip6-mode {dhcp | static}

Set the addressing mode to be static or DHCP.

DHCP addressing mode is available only when autoconf is disabled.

static

ip6-dns-server-override {disable | enable}

Enable or disable using the DNS server acquired by DHCP.

This command is available only when the ip6-mode is set to dhcp.

enable

dhcp6-information-request {disable | enable}

Enable or disable the DHCPv6 information request.

disable

ip6-send-adv {disable | enable}

Enable or disable the sending of the IPv6 router advertisement.

This command is only available when autoconf is disabled.

disable

ip6-manage-flag {disable | enable}

Enable or disable the sending of the IPv6 managed flag.

disable

ip6-other-flag {disable | enable}

Enable or disable the sending of the IPv6 other flag.

disable

ip6-max-interval <4-1800>

Specify the maximum number of seconds before the RA is sent.

600

ip6-min-interval <3-1350>

Specify the minimum number of seconds before the RA is sent.

198

ip6-link-mtu <integer>

Specify the IPv6 link maximum transmission unit.

0

ip6-reachable-time <0-3600000>

Specify the IPv6 reachable time in milliseconds.

0

ip6-retrans-time <0-2147483647>

Specify the IPv6 retransmit time in milliseconds.

0

ip6-default-life <0-9000>

Specify the IPv6 default life in seconds.

1800

ip6-hop-limit <0-255>

Specify the maximum number of IPv6 hops.

0

vrip6_link_local <IPv6_address>

Enter the link-local IPv6 address of virtual router.

No default

vrrp-virtual-mac6 {enable | disable}

Enable VRRP virtual MAC addresses for the IPv6 VRRP routers added to this interface. See RFC 5798 for information about the VRRP virtual MAC addresses.

disable

config ip6-extra-addr

<prefix_ipv6>

IPv6 address prefix. Configure additional IPv6 prefixes for this IPv6 interface.

No default

config vrrp6

<virtual_router_identifier 1-255>

Enter the VRRP virtual router identifier. The range of values is 1-255.

No default

accept-mode {enable | disable}

Enable or disable the VRRP accept mode.

enable

adv-interval <1-255>

Enter the VRRP advertisement interval. The range of values is 1-255 seconds.

1

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

enable

priority <1-255>

Enter the priority of this virtual router. The VRRP virtual router on a network with the highest priority becomes the master. The range of values is 1-255.

100

start-time <1-255>

The startup time of this virtual router. The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system. The range of values is 1-255 seconds.

3

status {enable | disable}

Enable or disable this virtual router.

enable

vrdst6 <IPv6_address>

Monitor the route to this destination.

No default

vrgrp <1-65535>

Enter the VRRP group identifier. The value range is 1-65535.

0

vrip6 <IPv6_address>

Required. Enter the IPv6 address of the virtual router.

No default

config ip6-prefix-list

<prefix_ipv6>

IPv6 advertised prefix list. Configure which IPv6 prefixes are advertised.

No default

autonomous-flag {disable | enable}

Enable or disable the autonomous flag.

enable

onlink-flag {disable | enable}

Enable or disable the onlink flag.

disable

preferred-life-time <0-2147483647>

Specify the preferred lifetime in seconds for the advertised IPv6 prefix.

604800

valid-life-time <0-2147483647>

Specify the valid lifetime in seconds for the advertised IPv6 prefix.

2592000

Example

This example shows how to configure VRRP using IPv6:

config system interface

edit "vlan30"

set ip 30.0.0.5 255.255.255.0

set allowaccess ping https http ssh telnet

config vrrp

edit 10

set vrip 30.0.0.1

next

end

set snmp-index 82

config ipv6

set ip6-address 2000::30:0:0:5/120

config ip6-extra-addr

edit 2000::30:3:3:5/120

next

edit 2000::30:3:4:5/120

next

end

set ip6-allowaccess ping https http ssh telnet

set vrrp-virtual-mac6 enable

set vrip6_link_local fe80::30:0:0:1

config vrrp6

edit 10

set vrip6 2000::30:0:0:1

next

end

end

set vlanid 30

set interface "internal"

next

end

config system interface

edit "port26"

set ip 30.44.0.5 255.255.255.0

set allowaccess ping https http ssh telnet

set type physical

set l2-interface "port26"

set vrrp-virtual-mac enable

config vrrp

edit 10

set vrip 30.44.0.1

next

end

set snmp-index 102

config ipv6

set ip6-address 2000::30:44:0:5/120

set ip6-allowaccess ping https http ssh telnet

set vrrp-virtual-mac6 enable

set vrip6_link_local fe80::30:44:0:1

config vrrp6

edit 10

set vrip6 2000::30:44:0:1

next

end

end

next

end

config secondaryip

Configure a second IP address for the interface.

Syntax

config system interface

edit <interface_name>

config secondaryip

edit <id>

set ip <IP_address_and_netmask>

set allowaccess <access_types>

end

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<id>

Identifier.

No default

ip <IP_address_and_netmask>

Enter the IP address and netmask.

0.0.0.0 0.0.0.0

allowaccess <access_types>

Enter the types of management access permitted on this interface or secondary IP address. Valid types are:

http https ping radius-acct snmp ssh telnet.

Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

No default

config vrrp

Add one or more VRRP virtual routers to an interface. For information about VRRP, see RFC 5798.

Syntax

config system interface

edit <interface_name>

config vrrp

edit <VRID_int>

set adv-interval <seconds_int>

set backup-vmac-fwd {enable | disable}

set preempt {enable | disable}

set priority <prio_int>

set start-time <seconds_int>

set status {enable | disable}

set version {2 | 3}

set vrdst <ipv4_addr>

set vrgrp <integer>

set vrip <ipv4_addr>

end

Variable

Description

Default

<interface_name>

Edit an existing interface or create a new VLAN interface.

No default

<VRID_int>

VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.

None

adv-interval <seconds_int>

VRRP advertisement interval (1-255 seconds).

1

backup-vmac-fwd {enable | disable}

Enable or disable whether virtual MAC addresses are forwarded for VRRP backup.

enable

preempt {enable | disable}

Enable or disable VRRP preempt mode. In preempt mode a higher priority backup system can preempt a lower priority master system.

enable

priority <prio_int>

Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.

100

start-time <seconds_int>

The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup system waits between receiving advertisement messages from the master system.

3

status {enable | disable}

Enable or disable this virtual router.

enable

version {2 | 3}

Set the VRRP version to VRRP version 2 or VRRP version 3.

2

vrdst <ipv4_addr>

Monitor the route to this destination.

0.0.0.0

vrgrp <integer>

VRRP group identifier. The value range is 1-65535.

0

vrip <ipv4_addr>

IP address of the virtual router.

0.0.0.0

Example

This example shows how to configure VRRP:

config system interface

edit "vlan-8"

set ip 10.10.10.1 255.255.255.0

set allowaccess ping https http ssh

set vrrp-virtual-mac enable

config vrrp

edit 5

set priority 255

set vrgrp 50

set vrip 11.1.1.100

next

edit 6

set priority 200

set vrgrp 50

set vrip 11.1.1.100

next

edit 7

set priority 150

set vrgrp 50

set vrip 11.1.1.100

next

end

set snmp-index 20

set vlanid 8

set interface "internal"

next

end
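As an added example (not FortiSwitch code) covering both the config vrrp6 and config vrrp tables above, the following code derives the virtual MAC address that vrrp-virtual-mac and vrrp-virtual-mac6 enable (RFC 5798: 00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6) and applies the priority and preempt rules to decide which router of a VRID group is master. Router names and addresses are constructed; the tie-break on the higher primary IP address comes from RFC 5798, not from this page.

```python
"""VRRP virtual MAC derivation and master election (priority + preempt)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """RFC 5798 virtual MAC for a VRID: 00:00:5e:00:01:<vrid> (IPv4) or
    00:00:5e:00:02:<vrid> (IPv6), with the VRID as the last octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1-255")
    family_octet = 2 if ipv6 else 1
    return f"00:00:5e:00:{family_octet:02x}:{vrid:02x}"


@dataclass(frozen=True)
class VrrpRouter:
    name: str          # constructed label for the illustration
    vrid: int          # virtual router identifier, 1-255
    priority: int      # 1-255, as in the priority setting
    primary_ip: str    # interface address; RFC 5798 tie-breaker on equal priority
    status: str = "enable"


def elect_master(routers: Sequence[VrrpRouter],
                 current_master: Optional[str] = None,
                 preempt: bool = True) -> Optional[str]:
    """Return the name of the router that should be master for one VRID.

    Highest priority wins, as the table states. On equal priority the router
    with the higher primary IP address wins (RFC 5798). With preempt disabled,
    an existing master keeps the role even if a higher-priority backup exists.
    """
    candidates = [r for r in routers if r.status == "enable"]
    if not candidates:
        return None
    if len({r.vrid for r in candidates}) != 1:
        raise ValueError("an election is per VRID; routers with mixed VRIDs given")
    if not preempt and current_master in {r.name for r in candidates}:
        return current_master  # preempt disabled: the running master stays
    best = max(candidates,
               key=lambda r: (r.priority, int(ipaddress.ip_address(r.primary_ip))))
    return best.name


# Constructed VRID 5 group: three switches sharing one virtual address.
GROUP = [
    VrrpRouter("sw-a", 5, 200, "10.10.10.1"),
    VrrpRouter("sw-b", 5, 150, "10.10.10.2"),
    VrrpRouter("sw-c", 5, 100, "10.10.10.3"),
]
```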

config system ipv6-neighbor-cache

Use this command to configure the IPv6 neighbor cache table:

config system ipv6-neighbor-cache

edit <id>

set interface {<string> | internal | mgmt}

set ipv6 <IPv6_address>

set mac <MAC_address>

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

interface <interface_name>

Required. Enter the interface.

No default

ipv6 <IPv6_address>

Enter the IPv6 address in the following format:

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

::

mac <MAC_address>

Enter the MAC address in the following format:

xx:xx:xx:xx:xx:xx

00:00:00:00:00:00

Example

This example shows how to configure an entry in the IPv6 neighbor cache table.

config system ipv6-neighbor-cache

edit id

set interface internal

set ipv6 e80::a5b:eff:fef1:95e4

set mac 00:21:cc:d2:76:72

end

config system link-monitor

Use this command to configure the link health monitor.

config system link-monitor

edit <link monitor name>

set addr-mode {ipv4 | ipv6}

set srcintf <string>

set server <IP_address1>, <IP_address2>, ...

set protocol {arp | ping}

set gateway-ip <IPv4 address>

set gateway-ip6 <IPv6 address>

set source-ip <IPv4 address>

set source-ip6 <IPv6 address>

set interval <integer>

set timeout <integer>

set failtime <integer>

set recoverytime <integer>

set update-static-route {enable | disable}

set status {enable | disable}

next

end

Variable

Description

Default

<link monitor name>

Enter the link monitor name.

No default

addr-mode {ipv4 | ipv6}

Select whether to use IPv4 or IPv6 addresses.

ipv4

srcintf <string>

Interface where the monitor traffic is sent.

No default

server <IP_address1>, <IP_address2>, ...

The IP address(es) of the server(s). Use a comma to separate multiple IP addresses.

No default

protocol {arp | ping}

Protocols used to detect the server. Select ARP or ping.

ping

gateway-ip <IPv4 address>

Gateway IPv4 address used to PING the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

gateway-ip6 <IPv6 address>

Gateway IPv6 address used to PING the server. This option is available only when addr-mode is set to ipv6.

No default

source-ip <IPv4 address>

Source IPv4 address used in packet to the server. This option is available only when addr-mode is set to ipv4.

0.0.0.0

source-ip6 <IPv6 address>

Source IPv6 address used in packet to the server. This option is available only when addr-mode is set to ipv6.

No default

interval <integer>

Detection interval in seconds. The range is 1-3600.

5

timeout <integer>

Detect request timeout in seconds. The range is 1-255.

1

failtime <integer>

Number of retry attempts before bringing the server down. The range is 1-10.

5

recoverytime <integer>

Number of retry attempts before bringing the server up. The range is 1-10.

5

update-static-route {enable | disable}

Enable or disable updating the static route based on the link monitor result.

enable

status {enable | disable}

Enable or disable link monitor administrative status.

enable

config system location

Use this command to configure the location table used by LLDP-MED for enhanced 911 emergency calls.

config system location

edit <name>

config address-civic

set additional <string>

set additional-code <string>

set block <string>

set branch-road <string>

set building <string>

set city <string>

set city-division <string>

set country <string>

set country-subdivision <string>

set county <string>

set direction <string>

set floor <string>

set landmark <string>

set language <string>

set name <string>

set number <string>

set number-suffix <string>

set place-type <string>

set post-office-box <string>

set postal-community <string>

set primary-road <string>

set road-section <string>

set room <string>

set script <string>

set seat <string>

set street <string>

set street-name-post-mod <string>

set street-name-pre-mod <string>

set street-suffix <string>

set sub-branch-road <string>

set trailing-str-suffix <string>

set unit <string>

set zip <string>

end

config coordinates

set altitude <string>

set altitude-unit {f | m}

set datum {NAD83 | NAD83/MLLW | WGS84}

set latitude <string>

set longitude <string>

end

config elin-number

set elin-number <number>

end

Variable

Description

Default

<name>

Enter a unique name for the location entry.

No default

config address-civic

additional <string>

Enter additional location information, for example, west wing.

No default

additional-code <string>

Enter the additional country-specific code for the location. In Japan, use the Japan Industry Standard (JIS) address code.

No default

block <string>

Enter the neighborhood (Korea) or block.

No default

branch-road <string>

Enter the branch road name. This value is used when side streets do not have unique names so that both the primary road and side street are used to identify the correct road.

No default

building <string>

Enter the name of the building (structure) if the address includes more than one building, for example, Law Library.

No default

city <string>

Enter the city (Germany), township, or shi (Japan).

No default

city-division <string>

Enter the city division, borough, city district (Germany), ward, or chou (Japan).

No default

country <string>

Enter the two-letter ISO 3166 country code in capital ASCII letters, for example, US, CA, DK, and DE.

No default

country-subdivision <string>

Enter the national subdivision (such as state, canton, region, province, or prefecture). In Canada, the subdivision is province. In Germany, the subdivision is state. In Japan, the subdivision is metropolis. In Korea, the subdivision is province. In the United States, the subdivision is state.

No default

county <string>

Enter the county (Canada, Germany, Korea, and United States), parish, gun (Japan), or district (India).

No default

direction <string>

Enter N, E, S, W, NE, NW, SE, or SW for the leading street direction.

No default

floor <string>

Enter the floor number, for example, 4.

No default

landmark <string>

Enter the nickname, landmark, or vanity address, for example, UC Berkeley.

No default

language <string>

Enter the ISO 639 language code used for the address information.

No default

name <string>

Enter the person or organization associated with the address, for example, Fortinet or Textures Beauty Salon.

No default

number <string>

Enter the street address, for example, 1560.

No default

number-suffix <string>

Enter any modifier to the street address. For example, if the full street address is 1560A, enter 1560 for the number and A for the number-suffix.

No default

place-type <string>

Enter the type of place, for example, home, office, or street.

No default

post-office-box <string>

Enter the post office box, for example, P.O. Box 1543. When the post-office-box value is set, the street address components are replaced with this value.

No default

postal-community <string>

Enter the postal community name, for example, Alviso. When the postal-community name is set, the civic community name is replaced by this value.

No default

primary-road <string>

Enter the primary road or street name for the address.

No default

road-section <string>

Enter the specific section or stretch of a primary road. This field is used when the same street number appears more than once on the primary road.

No default

room <string>

Enter the room number, for example, 7A.

No default

script <string>

Enter the script used to present the address information, for example, Latn.

No default

seat <string>

Enter the seat number in a stadium or theater or a cubicle number in an office or a booth in a trade show.

No default

street <string>

Enter the street (Canada, Germany, Korea, and United States).

No default

street-name-post-mod <string>

Enter an optional part of the street name that appears after the actual street name. If the full street name is East End Avenue Extended, the street-name-post-mod is Extended.

No default

street-name-pre-mod <string>

Enter an optional part of the street name that appears before the actual street name. If the full street name is Old North First Street, the street-name-pre-mod is Old.

No default

street-suffix <string>

Enter the type of street, for example, Ave or Place. Valid values are listed in the United States Postal Service Publication 28 [18], Appendix C.

No default

sub-branch-road <string>

Enter the name of a street that branches off of a branch road. This value is used when the primary road, branch road, and subbranch road names are needed to identify the correct street.

No default

trailing-str-suffix <string>

Enter N, E, S, W, NE, NW, SE, or SW for the trailing street direction.

No default

unit <string>

Enter the unit (apartment or suite), for example, Apt 27.

No default

zip <string>

Enter the postal or zip code for the address, for example, 94089-1345.

No default

config coordinates

altitude <string>

Enter the vertical height of a location using the altitude-unit to specify the unit used. The format is +/- floating point number, for example, 117.47.

No default

altitude-unit {f | m}

Select whether the altitude is measured in m (meters) or f (floors).

m

datum {NAD83 | NAD83/MLLW | WGS84}

Select which map is used for the location: WGS84, NAD83, or NAD83/MLLW.

WGS84

latitude <string>

Enter the latitude. The format is floating point starting with +/- or ending with N/S, for example, +/-16.67 or 16.67N.

No default

longitude <string>

Enter the longitude. The format is floating point starting with +/- or ending with E/W, for example, +/-26.789 or 26.789E.

No default

config elin-number

elin-number <number>

Enter the emergency location identification number (ELIN), which is a unique phone number. The value is a 10 to 20 byte numerical string.

No default

Example

This example shows how to configure the location table for Fortinet.

config system location

edit Fortinet

config address-civic

set country "US"

set language "English"

set county "Santa Clara"

set city "Sunnyvale"

set street "Kifer"

set street-suffix "Road"

set number "899"

set zip "94086"

set building "1"

set floor "1"

set seat "1293"

end

next

edit "Fortinet"

config elin-number

set elin-number "14082357700"

end

end

config system ntp

Use this command to configure Network Time Protocol (NTP) servers.

Syntax

config system ntp

set allow-unsync-source {enable | disable}

set authentication {enable | disable}

set log-time-adjustments {enable | disable}

set ntpsync {enable | disable}

set source-ip <ipv4_addr>

set source-ip6 <ipv6_addr>

set syncinterval <interval_int>

config ntpserver

edit <serverid_int>

set authentication {enable | disable}

set key <string>

set key-id <integer>

set ntpv3 {enable | disable}

set server {<ipv4_addr>| <ipv6_addr>}

end

end

Variable

Description

Default

allow-unsync-source {enable | disable}

Enable or disable whether an unsynchronized NTP server source is allowed.

disable

authentication {enable | disable}

Enable or disable authentication.

disable

log-time-adjustments {enable | disable}

Enable or disable whether FortiSwitch logs when NTP adjusts the system time.

enable

ntpsync {enable | disable}

Enable or disable whether the system time is synchronized with the NTP server.

enable

source-ip <ipv4_addr>

Enter the source IPv4 address for communication with the NTP server.

0.0.0.0

source-ip6 <ipv6_addr>

Enter the source IPv6 address for communication with the NTP server.

No default

syncinterval <interval_int>

Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1,440 minutes.

This option is available only when ntpsync is enabled.

10

<serverid_int>

Enter the number for this NTP server entry.

No default

authentication {enable | disable}

Enable or disable authentication. If you enable authentication and use the NTPv3 protocol, MD5 authentication is used. If you enable authentication and use the NTPv4 protocol, SHA1 authentication is used.

disable

key <string>

If authentication is enabled, enter a key for authentication.

No default

key-id <integer>

If authentication is enabled, enter a key identifier for authentication.

0

ntpv3 {enable | disable}

Enable this option to use the NTPv3 protocol. Disable this option to use the NTPv4 protocol.

disable

server {<ipv4_addr> | <ipv6_addr>}

Enter the IPv4 or IPv6 address for this NTP server.

No default

Example

This example shows how to configure an NTP server:

config system ntp

set authentication enable

set ntpsync enable

set syncinterval 5

set source-ip 192.168.4.5

end

config system password-policy

Use this command to configure higher security requirements for administrator passwords and IPsec VPN pre-shared keys.

Syntax

config system password-policy

set status enable

set apply-to [admin-password ipsec-preshared-key]

set change-4-characters {enable | disable}

set minimum-length <chars>

set min-lower-case-letter <num_int>

set min-upper-case-letter <num_int>

set min-non-alphanumeric <num_int>

set min-number <num_int>

set expire-status {enable | disable}

set expire-day <num_int>

end

Variable

Description

Default

status enable

Enable password policy. The password policy cannot be disabled.

enable

apply-to [admin-password ipsec-preshared-key]

Select where the policy applies: administrator passwords or IPSec preshared keys. This option is available only when status is enabled.

admin-password

change-4-characters {enable | disable}

Enable to require the new password to differ from the old password by at least four characters. This option is available only when status is enabled.

disable

minimum-length <chars>

Set the minimum password length in characters. The range is 8 to 32. This option is available only when status is enabled.

8

min-lower-case-letter <num_int>

Enter the minimum number of required lower case letters in every password. This option is available only when status is enabled.

0

min-upper-case-letter <num_int>

Enter the minimum number of required upper case letters in every password. This option is available only when status is enabled.

0

min-non-alphanumeric <num_int>

Enter the minimum number of required non-alphanumeric characters in every password. This option is available only when status is enabled.

0

min-number <num_int>

Enter the minimum number of number characters required in every password. This option is available only when status is enabled.

0

expire-status {enable | disable}

Enable to have passwords expire. This option is available only when status is enabled.

enable

expire-day <num_int>

Enter the number of days after which the current password expires and the user is required to change it. This option is available only when status is enabled and expire-status is enabled.

90

Example

This example shows how to configure a password policy for administrator passwords:

config system password-policy

set status enable

set apply-to admin-password

set change-4-characters enable

set minimum-length 10

set min-lower-case-letter 1

set min-upper-case-letter 1

set min-non-alphanumeric 1

set min-number 1

set expire-status enable

set expire-day 30

end
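As an added example (not FortiSwitch code), the following checker applies the password-policy settings from the table above to a candidate password, using the values from the page's example policy. The sample passwords are constructed, and the way "differ by at least four characters" is measured (position-wise differences plus any length difference) is an assumption, since the page does not define the comparison.

```python
"""Checker for the config system password-policy rules."""
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    minimum_length: int = 8           # page range: 8 to 32
    min_lower_case_letter: int = 0
    min_upper_case_letter: int = 0
    min_non_alphanumeric: int = 0
    min_number: int = 0
    change_4_characters: bool = False


def differing_characters(old: str, new: str) -> int:
    """Count positions where old and new differ, plus the length difference.

    Assumption: this is one reasonable reading of change-4-characters; the
    page does not specify how the two passwords are compared.
    """
    positional = sum(1 for a, b in zip(old, new) if a != b)
    return positional + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, new: str, old: str = "") -> List[str]:
    """Return the list of violated settings; an empty list means accepted."""
    problems: List[str] = []
    if len(new) < policy.minimum_length:
        problems.append(f"minimum-length {policy.minimum_length}: got {len(new)}")
    # Character-class minimums, each named after its CLI setting.
    counts = {
        "min-lower-case-letter": (policy.min_lower_case_letter,
                                  sum(c.islower() for c in new)),
        "min-upper-case-letter": (policy.min_upper_case_letter,
                                  sum(c.isupper() for c in new)),
        "min-number": (policy.min_number, sum(c.isdigit() for c in new)),
        "min-non-alphanumeric": (policy.min_non_alphanumeric,
                                 sum(not c.isalnum() for c in new)),
    }
    for name, (required, have) in counts.items():
        if have < required:
            problems.append(f"{name} {required}: got {have}")
    # change-4-characters only applies when there is an old password to compare.
    if policy.change_4_characters and old and differing_characters(old, new) < 4:
        problems.append("change-4-characters: fewer than 4 characters changed")
    return problems


# The policy from the page's example (expire settings are not modelled here).
EXAMPLE_POLICY = PasswordPolicy(minimum_length=10, min_lower_case_letter=1,
                                min_upper_case_letter=1, min_non_alphanumeric=1,
                                min_number=1, change_4_characters=True)
```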

config system ptp interface-policy

Use this command to configure the default Precision Time Protocol (PTP) policy or create a custom PTP policy.

Syntax

config system ptp interface-policy

edit {default | PTP_policy_name}

set description <description_of_PTP_policy>

set vlan <0-4094>

set vlan-pri <0-7>

next

end

Parameter

Description

Default value

{default | PTP_policy_name}

Name of the PTP policy.

default

description <description_of_PTP_policy>

Description of the PTP policy.

No default

vlan <0-4094>

The VLAN that will use the PTP policy. The range of values is 0-4094. Setting vlan to 0 means that the native VLAN is used for PDelayXXX messages.

NOTE: The VLAN must be a valid VLAN that the interface belongs to. Selecting an invalid VLAN can affect the performance.

0

vlan-pri <0-7>

The priority of the PTP VLAN; it corresponds to the 802.1p priority. The VLAN priority is used only when there is traffic congestion.

The range of values is 0-7. Set vlan-pri to 7 for the highest priority.

4

Example

This example shows how to create a custom PTP policy:

config system ptp interface-policy

edit newPTPpolicy

set description "PTP policy for VLAN 100"

set vlan 100

set vlan-pri 3

next

end

config system ptp profile

Use this command to configure a PTP profile.

Syntax

config system ptp profile

edit {default | name_of_PTP_profile}

set announce-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set announce-timeout <2-10>

set description <description_of_PTP_profile>

set domain <0-255>

set min-delay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set mode {boundary-e2e | boundary-p2p | transparent-e2e | transparent-p2p}

set pdelay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set priority1 <0-255>

set priority2 <0-255>

set ptp-profile {default | C37.238-2017}

set sync-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

set transport l2-mcast

next

end

Parameter

Description

Default value in end-to-end mode

Default value in peer-to-peer mode

{default | name_of_PTP_profile}

Name of the PTP profile.

No default

No default

announce-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select the number of seconds between Announce messages.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

1sec

1sec

announce-timeout <2-10>

Select how many seconds before the PTP Announce message expires.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

3

3

description <description_of_PTP_profile>

Description of the PTP profile.

No default

No default

domain <0-255>

PTP domain number. The range of values is 0-255.

This option is available only when mode is set to transparent-p2p, boundary-e2e, or boundary-p2p.

1

For the transparent clock, the default value is 1 if using the default PTP profile or 254 if using the power PTP profile.

min-delay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select the number of seconds between Delay_Req messages.

This option is available only when mode is set to boundary-e2e.

1sec

Not applicable

mode {boundary-e2e | boundary-p2p | transparent-e2e | transparent-p2p}

PTP mode. You can select from the following modes:

  • boundary-e2e—Boundary clock using the end-to-end mode.

  • boundary-p2p—Boundary clock using the peer-to-peer mode.

  • transparent-e2e—Transparent clock using the end-to-end mode.

  • transparent-p2p—Transparent clock using the peer-to-peer mode.

transparent-e2e

Not applicable. You need to create a profile and set the mode to boundary-p2p or transparent-p2p.

pdelay-req-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

The time between PDelay_Req messages. You can select 0.25, 0.5, 1, 2, or 4 seconds. The default value is 1 second.

This option is available only when mode is set to transparent-p2p or boundary-p2p.

Not applicable

1sec

priority1 <0-255>

Set the PTP priority 1. Use a smaller number for a higher priority.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

128

128

priority2 <0-255>

Set the PTP priority 2. Use a smaller number for a higher priority.

This option is available only when mode is set to boundary-e2e or boundary-p2p.

128

128

ptp-profile {default | C37.238-2017}

PTP profile. Select default for the IEEE 1588 default profile or C37.238-2017 for the power profile.

C37.238-2017 is available only when mode is set to transparent-p2p.

default

default

sync-interval {0.25sec | 0.5sec | 1sec | 2sec | 4sec}

Select how many seconds between clock synchronization.

1sec

1sec

transport l2-mcast

PTP message transmission.

This option is available only when mode is set to transparent-p2p, boundary-e2e, or boundary-p2p.

Layer-2 and layer-3 multicast are supported for the end-to-end transparent clock. All other modes support layer-2 multicast only.

Layer-2 multicast

Example

This example shows how to configure a PTP profile:

config system ptp profile

edit newprofile

set description "New PTP profile"

set domain 1

next

end

config system schedule group

Use this command to define a schedule group. A schedule group can contain both one-time schedules and recurring schedules. To create one-time and recurring schedules, see config system schedule onetime and config system schedule recurring.

Syntax

config system schedule group

edit <schedule_group_name>

set member <schedule_name1> <schedule_name2> ...

end

Variable

Description

Default

<schedule_group_name>

Enter the name of the schedule group.

No default

member <schedule_name1> <schedule_name2> ...

Enter the names of the schedules to include. Separate multiple names with a space.

The schedules must already be defined with the config system schedule onetime or config system schedule recurring command.

No default

Example

This example shows how to create a schedule group:

config system schedule group

edit group1

set member schedule1 schedule2

end

config system schedule onetime

Use this command to define a one-time schedule for when a policy will be enforced.

Syntax

config system schedule onetime

edit <schedule_name>

set start <time_date>

set end <time_date>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

start <time_date>

Enter the start time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

end <time_date>

Enter the end time and date for the schedule in the following format: hh:mm yyyy/mm/dd

00:00 1900/01/01

Example

This example shows how to create a one-time schedule:

config system schedule onetime

edit schedule1

set start 07:00 2019/03/22

set end 07:00 2019/03/29

end

config system schedule recurring

Use this command to define a schedule for specified hours every week.

Syntax

config system schedule recurring

edit <schedule_name>

set day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

set start <time>

set end <time>

end

Variable

Description

Default

<schedule_name>

Enter the name of the schedule.

No default

day {monday | tuesday | wednesday | thursday | friday | saturday | sunday}

Enter one or more days for the ACL to be enforced. Separate days with a space.

monday tuesday wednesday thursday friday

start <time>

Enter the start time for the schedule in the following format: hh:mm

24:00

end <time>

Enter the end time for the schedule in the following format: hh:mm

24:00

Example

This example shows how to create a recurring schedule:

config system schedule recurring

edit schedule2

set day monday wednesday friday

set start 07:00

set end 08:00

end

config system settings

Use this command to configure equal cost multi-path (ECMP) routing.

ECMP is a forwarding mechanism that enables load-sharing of traffic across multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields in the packet to be routed:

  • Source IP
  • Destination IP
  • Input port

Syntax

config system settings

set ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

end

Variable

Description

Default

ip-ecmp-mode {source-ip-based | dst-ip-based | port-based}

Select the IPv4 ECMP mode:

  • dst-ip-based — Select the next hop based on the destination IP address.
  • port-based — Select the next hop based on the TCP/UDP port.
  • source-ip-based — Select the next hop based on the source IP address.

source-ip-based

Example

This example shows how to configure ECMP:

config system settings

set ip-ecmp-mode port-based

end

config system sflow

Use this command to add or change the IP address and UDP port that FortiSwitch sFlow agents use to send sFlow datagrams to sFlow collectors.

sFlow is a network monitoring protocol described in http://www.sflow.org. FortiSwitch implements sFlow version 5. You can configure one or more FortiSwitch interfaces as sFlow agents that monitor network traffic and send sFlow datagrams containing information about traffic flow to sFlow collectors.

sFlow is normally used to provide an overall traffic-flow picture of your network. You would usually operate sFlow agents on the switches, routers, and firewalls on your network, collect traffic data from all of them, and use collectors to show traffic flows and patterns. sFlow datagrams are plain UDP with no authentication or encryption, so send them only to collectors reachable over a trusted management network.

Syntax

config system sflow

config collectors

edit <collector_name>

set ip <collector_IPv4_address>

set port <collector_port>

next

end

end

Variable

Description

Default

<collector_name>

Enter a name for the sFlow collector.

No default

ip <collector_IPv4_address>

The sFlow agents send sFlow datagrams to the sFlow collector at this IPv4 address.

0.0.0.0

port <collector_port>

The UDP port number used for sending sFlow datagrams. Change this setting only if required by your sFlow collector or your network configuration. The value range is 0-65535.

6343

Example

This example shows how to configure sFlow:

config system sflow

config collectors

edit collector1

set ip 20.20.20.0

set port 200

next

end

end

config system sniffer-profile

Use this command to define a packet-capture profile to select which packets to examine. To start, stop, and pause the packet capture, see the execute system sniffer-profile commands.

Syntax

config system sniffer-profile

edit <profile_name>

set filter {<string> | none}

set max-pkt-count <1-maximum>

set max-pkt-len <64-1534>

set switch-interface <switch_interface_name>

set system-interface <system_interface_name>

end

Variable

Description

Default

<profile_name>

The name of the packet-capture profile.

No default

filter {<string> | none}

Enter none or enter the filter for selecting which packets to capture. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

none

max-pkt-count <1-maximum>

Enter how many packets to capture on the selected interface. The maximum number of packets that can be captured differs according to platform. See the FortiSwitchOS Administration Guide for details.

4000

max-pkt-len <64-1534>

Enter the maximum packet length in bytes to be captured on the interface.

128

switch-interface <switch_interface_name>

Enter the switch interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

system-interface <system_interface_name>

Enter the system interface name that you want to capture packets on. You cannot select both a switch interface and a system interface.

No default

Example

This example shows how to create a packet-capture profile:

config system sniffer-profile

edit profile1

set filter none

set max-pkt-count 100

set max-pkt-len 100

set system-interface mgmt

end

config system snmp community

Use this command to configure SNMP communities on your FortiSwitch unit.

Syntax

config system snmp community

edit <index_number>

set events <events_list>

set name <community_name>

set query-v1-port <port_number>

set query-v1-status {enable | disable}

set query-v2c-port <port_number>

set query-v2c-status {enable | disable}

set status {enable | disable}

set trap-v1-lport <port_number>

set trap-v1-rport <port_number>

set trap-v1-status {enable | disable}

set trap-v2c-lport <port_number>

set trap-v2c-rport <port_number>

set trap-v2c-status {enable | disable}

config hosts

edit <host_number>

set interface <interface_name>

set ip <IPv4_address/mask>

set source-ip <IPv4_address>

end

config hosts6

edit <host_number>

set interface <interface_name>

set ip6 <IPv6_address>

set source-ip6 <IPv6_address>

end

end

Variable

Description

Default

<index_number>

Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

No default

events <events_list>

Enable the events for which the system should send traps to the SNMP managers in this community. The following events can be enabled:

  • cpu-high—The CPU usage is too high.
  • ent-conf-change—The entityʼs configuration was changed (RFC 4133).
  • fan-detect—The fan was detected, not detected, resumed, or failed.
  • fsTrapStitch1—Custom SNMP trap 1. Use this event as a trigger for an automation stitch.

  • fsTrapStitch2—Custom SNMP trap 2. Use this event as a trigger for an automation stitch.

  • fsTrapStitch3—Custom SNMP trap 3. Use this event as a trigger for an automation stitch.

  • fsTrapStitch4—Custom SNMP trap 4. Use this event as a trigger for an automation stitch.

  • fsTrapStitch5—Custom SNMP trap 5. Use this event as a trigger for an automation stitch.

  • intf-ip—The interfaceʼs IP address was changed.
  • ip-conflict—There is a conflict between IP addresses.
  • l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.

  • llv—Learning-limit violation.
  • log-full—The available log space is low.
  • mem-low—The available memory is low.
  • psu-status—The status of the power supply unit has changed.
  • sensor-alarm—The sensor triggered an alarm.
  • sensor-fault—The sensor is faulty.
  • storm-control—There has been a change in the storm-control status. NOTE: You must specify one or more IP addresses of the host(s) to monitor.
  • tkmem-hb-oo-sync—The trunk memberʼs heart beat is unsynchronized.

All events enabled, except for l2mac.

name <community_name>

Enter the name of the SNMP community.

NOTE: After you run the execute factoryreset command, FortiSwitchOS creates an SNMP community with the name set to public. An SNMP v1/v2c community string is sent in clear text and is the only credential for queries and traps, so rename or delete this community before enabling the SNMP agent, and use config hosts or config hosts6 to limit which managers it accepts.

No default

query-v1-port <port_number>

Enter the SNMP v1 query port number used for SNMP manager queries.

161

query-v1-status {enable | disable}

Enable or disable SNMP v1 queries for this SNMP community.

enable

query-v2c-port <port_number>

Enter the SNMP v2c query port number used for SNMP manager queries.

161

query-v2c-status {enable | disable}

Enable or disable SNMP v2c queries for this SNMP community.

enable

status {enable | disable}

Enable or disable the SNMP community.

enable

trap-v1-lport <port_number>

Enter the SNMP v1 local port number used for sending traps to the SNMP managers.

162

trap-v1-rport <port_number>

Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.

162

trap-v1-status {enable | disable}

Enable or disable SNMP v1 traps for this SNMP community.

enable

trap-v2c-lport <port_number>

Enter the SNMP v2c local port number used for sending traps to the SNMP managers.

162

trap-v2c-rport <port_number>

Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.

162

trap-v2c-status

{enable | disable}

Enable or disable SNMP v2c traps for this SNMP community.

enable

config hosts and hosts6

<host_number>

Enter the index number of the host in the table. Enter an unused index number to create a new host.

No Default

interface <interface_name>

Enter the name of the FortiSwitch interface to which the SNMP manager connects.

No default

ip <IPv4_address/mask>

Enter the IPv4 IP address and mask of the SNMP manager (for hosts).

0.0.0.0

ip6 <IPv6_address>

Enter the IPv6 IP address of the SNMP manager (for hosts6).

::

source-ip <IPv4_address>

Enter the source IPv4 IP address for SNMP traps sent by the FortiSwitch (for hosts).

0.0.0.0

source-ip6 <IPv6_address>

Enter the source IPv6 IP address for SNMP traps sent by the FortiSwitch (for hosts6).

::

config system snmp sysinfo

Use this command to enable the FortiSwitch SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the system to identify it. When your SNMP manager receives traps from this FortiSwitch unit, you will know which system sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

Syntax

config system snmp sysinfo

set contact-info <info_str>

set description <description>

set engine-id <engine-id_str>

set location <location>

set status {enable | disable}

set trap-high-cpu-interval {1min | 10min | 30min | 1hr | 12hr | 24hr}

set trap-high-cpu-threshold <percentage>

set trap-log-full-threshold <percentage>

set trap-low-memory-threshold <percentage>

set trap-temp-alarm-threshold <temperature in degrees Celsius>

set trap-temp-warning-threshold <temperature in degrees Celsius>

end

Variable

Description

Default

contact-info <info_str>

Add the contact information for the person responsible for this FortiSwitch unit. The contact information can be up to 35 characters long.

No default

description <description>

Add a name or description of the system. The description can be up to 35 characters long.

No default

engine-id <engine-id_str>

Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The snmpEngineID is composed of two parts:
  • Fortinet prefix 0x8000304404
  • the optional engine-id string, 24 characters maximum, defined in this command

Optionally, enter an engine-id value. SNMP v3 user keys are localized to the snmpEngineID (RFC 3414), so give each FortiSwitch unit a distinct engine ID.

No default

location <location>

Describe the physical location of the system. The system location description can be up to 35 characters long.

No default

status {enable | disable}

Enable or disable the FortiSwitch SNMP agent.

disable

trap-high-cpu-interval {1min | 10min | 30min | 1hr | 12hr | 24hr}

Set how long the FortiSwitch CPU usage must be higher than the specified threshold before an SNMP v3 notification (trap) is reported.

1min

trap-high-cpu-threshold

<percentage>

Enter the percentage of CPU usage that triggers the high-cpu SNMP trap.

The high-CPU trap is smoothed so that only sustained usage above the threshold, not a momentary spike, triggers it. This prevents frequent, unnecessary traps.

80

trap-log-full-threshold

<percentage>

Enter the percentage of disk space used that triggers the log-full SNMP trap.

90

trap-low-memory-threshold <percentage>

Enter the percentage of memory used that triggers the low-memory SNMP trap.

80

trap-temp-alarm-threshold <temperature in degrees Celsius>

Set an alarm for when the system temperature reaches the specified temperature.

60

trap-temp-warning-threshold <temperature in degrees Celsius>

Set a warning for when the system temperature reaches the specified temperature. The warning threshold must be lower than the alarm threshold.

50

Example

This example shows how to set a warning and an alarm for specified system temperatures:

config system snmp sysinfo

set status enable

set trap-temp-alarm-threshold 80

set trap-temp-warning-threshold 70

end

config system snmp user

Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which hosts will be notified, and, if queries are enabled, which port to listen on for them.

FortiSwitchOS implements the user security model of RFC 3414. You can require the user to authenticate with a password and you can use encryption to protect the communication with the user.

Syntax

config system snmp user

edit <user_name>

set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

set auth-pwd <password>

set events {events_list}

set notify-hosts <IP_address>

set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

set priv-pwd <password>

set queries {enable | disable}

set query-port <port_int>

set security-level {no-auth-no-priv | auth-no-priv | auth-priv}

end

Variable

Description

Default

<user_name>

Enter the name of the SNMP user to add or edit.

No default

auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}

Select the authentication protocol.
  • md5—HMAC-MD5-96 authentication protocol
  • sha1—HMAC-SHA-1 authentication protocol
  • sha224—HMAC-SHA-224 authentication protocol
  • sha256—HMAC-SHA-256 authentication protocol
  • sha384—HMAC-SHA-384 authentication protocol
  • sha512—HMAC-SHA-512 authentication protocol
This option is available only when security-level is set to auth-priv or auth-no-priv.

sha1

auth-pwd <password>

Enter the password for the authentication protocol. This option is available only when security-level is set to auth-priv or auth-no-priv.

No default

events {events_list}

Specify one or more SNMP notifications (traps) to send. Separate multiple values with a space. The following notifications are available:

  • cpu-high—The CPU usage is too high.
  • ent-conf-change—The entityʼs configuration was changed (RFC 4133).
  • fan-detect—The fan was detected, not detected, resumed, or failed.
  • fsTrapStitch1—Custom SNMP trap 1. Use this event as a trigger for an automation stitch.
  • fsTrapStitch2—Custom SNMP trap 2. Use this event as a trigger for an automation stitch.

  • fsTrapStitch3—Custom SNMP trap 3. Use this event as a trigger for an automation stitch.

  • fsTrapStitch4—Custom SNMP trap 4. Use this event as a trigger for an automation stitch.

  • fsTrapStitch5—Custom SNMP trap 5. Use this event as a trigger for an automation stitch.

  • intf-ip—The interfaceʼs IP address was changed.
  • ip-conflict—There is a conflict between IP addresses.
  • l2mac—A layer-2 MAC address has been added, deleted, or moved. NOTE: This SNMP trap applies only to dynamic MAC addresses learned on the port. MAC events can be lost by the hardware or software.

  • llv—Learning-limit violation.
  • log-full—The available log space is low.
  • mem-low—The available memory is low.
  • psu-status—The status of the power supply unit has changed.
  • sensor-alarm—The sensor triggered an alarm.
  • sensor-fault—The sensor is faulty.
  • storm-control—There has been a change in the storm-control status.
  • tkmem-hb-oo-sync—The trunk memberʼs heart beat is unsynchronized.

All events enabled, except for l2mac.

notify-hosts <IP_address>

Specify one or more IPv4 addresses to send notifications (traps) to.

No default

priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}

Select the encryption protocol.
  • aes128—CFB128-AES-128 symmetric encryption protocol
  • aes192—CFB128-AES-192 symmetric encryption protocol
  • aes192c—CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
  • aes256—CFB128-AES-256 symmetric encryption protocol
  • aes256c—CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
  • des—CBC-DES symmetric encryption protocol
This option is available only when security-level is set to auth-priv.

aes128

priv-pwd <password>

Enter the password for the encryption protocol. This option is available only when security-level is set to auth-priv.

No default

queries {enable | disable}

Enable or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

enable

query-port <port_int>

Enter the number of the port used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port.

161

security-level {no-auth-no-priv | auth-no-priv | auth-priv}

Set the security level to one of:
  • no-auth-no-priv—no authentication or privacy
  • auth-no-priv—authentication but no privacy
  • auth-priv—authentication and privacy

The default, no-auth-no-priv, sends SNMP v3 messages with neither authentication nor encryption, which is no stronger than a v2c community. Use auth-priv with a SHA-2 auth-proto and an AES priv-proto unless a manager cannot support them.

no-auth-no-priv
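The engine-id composition described under config system snmp sysinfo and the auth-proto/auth-pwd settings of an SNMP v3 user fit together through RFC 3414 key localization: the password is never used directly, it is hashed and then bound to the snmpEngineID. The following Python is an added example, not FortiSwitchOS code. It builds an engine ID with the Fortinet prefix quoted above, decodes it, and derives the localized authentication key from a password, checking the derivation against the RFC 3414 Appendix A test vector. The engine-id string core-sw-01 and the password maplesyrup are illustrative values, not settings from this reference.

```python
"""SNMPv3 engine IDs and key localization (RFC 3411, RFC 3414, RFC 7860).

Added example, not FortiSwitchOS code.  The same auth-pwd yields a different
localized key on every switch with a distinct engine ID, which is why the
engine-id setting matters and why engine IDs must not be duplicated.
"""
import hashlib

# Prefix documented in this reference: 0x80 (RFC 3411 format flag) | enterprise
# number 12356 (0x00003044, Fortinet) | 0x04 (format 4: text, administratively assigned).
FORTINET_ENGINE_PREFIX = bytes.fromhex("8000304404")

# RFC 3414 Appendix A.3 test engine ID; not a real switch.
RFC3414_TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# auth-proto names from this reference mapped to hashlib constructors.
AUTH_HASHES = {
    "md5": hashlib.md5, "sha1": hashlib.sha1, "sha224": hashlib.sha224,
    "sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512,
}


def fortinet_engine_id(engine_id_str: str) -> bytes:
    """Compose the snmpEngineID as described: fixed prefix + engine-id text (1-24 chars)."""
    if not 0 < len(engine_id_str) <= 24:
        raise ValueError("engine-id string must be 1-24 characters")
    return FORTINET_ENGINE_PREFIX + engine_id_str.encode("ascii")


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode an RFC 3411-format snmpEngineID into enterprise number, format byte and payload."""
    if len(engine_id) < 5 or not engine_id[0] & 0x80:
        raise ValueError("not an RFC 3411-format engine ID")
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    return {"enterprise": enterprise, "format": engine_id[4], "payload": engine_id[5:]}


def password_to_ku(password: str, auth_proto: str) -> bytes:
    """RFC 3414 A.2 step 1: digest the password repeated to exactly 1,048,576 octets."""
    pw = password.encode("utf-8")
    if len(pw) < 8:
        raise ValueError("RFC 3414 requires passwords of at least 8 octets")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return AUTH_HASHES[auth_proto](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """RFC 3414 A.2 step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return AUTH_HASHES[auth_proto](ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, auth_proto: str) -> bytes:
    """Localized authentication key for one user on one engine (the key the HMAC uses).

    The priv-pwd is localized the same way; the aes192c/aes256c choices on the
    page exist because the localized key is extended to 192/256 bits in more
    than one vendor-specific way (not shown here).
    """
    return localize_key(password_to_ku(password, auth_proto), engine_id, auth_proto)


if __name__ == "__main__":
    eid = fortinet_engine_id("core-sw-01")  # illustrative engine-id string
    print("engineID", eid.hex(), parse_engine_id(eid))
    print("MD5 Kul ", localized_auth_key("maplesyrup", RFC3414_TEST_ENGINE_ID, "md5").hex())
```

Because the localized key depends on the engine ID, a captured SNMP v3 exchange from one switch cannot be replayed against another with a different engine-id, and two switches that share an engine ID lose that separation.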

config system vxlan

Use this command to configure VXLAN interfaces.

Syntax

config system vxlan

edit <VXLAN_interface_name>

set vni <integer>

set vlanid <integer>

set evpn {disable | enable}

set arp-nd-supression {disable | enable}

set interface <interface_name>

set ip-version {ipv4-multicast | ipv4-unicast}

set remote-ip <IPv4_address>

set tagged-vlans <VLAN_list>

set tunnel-loopback <interface_name>

next

end

Variable

Description

Default

<VXLAN_interface_name>

Enter a name for the VXLAN interface.

No default

vni <integer>

Required. Set the VXLAN network identifier (VNI). The range of values is 1-16777215.

0

vlanid <integer>

Required. Set the VLAN identifier that is mapped to the VNI.

When tunnel-loopback is set, VLAN 4087 is reserved.

0

evpn {disable | enable}

Enable or disable the Ethernet Virtual Private Network (EVPN).

disable

arp-nd-supression {disable | enable}

Enable or disable ARP and ND suppression.

This command is available only when evpn is enabled.

disable

interface <interface_name>

Required. Enter the name of the outgoing interface for the VXLAN tunnel. Starting in FortiSwitchOS 7.2.1, you can specify a routed VLAN interface (RVI).

No default

ip-version {ipv4-multicast | ipv4-unicast}

Required. Select the type of IPv4 address to use to communicate over the VXLAN tunnel.

  • ipv4-multicast—Use IPv4 multicast addressing over the VXLAN tunnel.

  • ipv4-unicast—Use IPv4 unicast addressing over the VXLAN tunnel.

ipv4-unicast

remote-ip <IPv4_address>

Required. Enter the source and destination IPv4 addresses of the VXLAN interface. The VXLAN tunnel destination must match the remote-ip setting of the VXLAN tunnel initiator. Starting in FortiSwitchOS 7.2.1, you can specify an RVI as the source or destination IPv4 address.

No default

tagged-vlans <VLAN_list>

User traffic is sent with the specified inner VLAN tags.

This command is available only when the switch is managed by a FortiGate device.

No default

tunnel-loopback <interface_name>

Enter the name of the tunnel-loopback interface. The tunnel-loopback can be set only on FS-1024E, FS-T1024E, and FS-1048E. When tunnel-loopback is set, VLAN 4087 is reserved.

This command is available only when the switch is managed by a FortiGate device.

No default

Example

This example shows how to configure a VXLAN interface:

config system vxlan

edit "newvxlan"

set vni 50

set vlanid 50

set interface "vlan40"

set remote-ip "1.2.3.4" "5.6.7.8"

next

end

config system web

Use this command to configure web attributes.

Syntax

config system web

set gui-language {browser | english | french | german | japanese | korean | portuguese | simch | spanish | trach}

set http-port <1-65535>

set https-pki-required {enable | disable}

set https-port <1-65535>

set https-server-cert {self-sign | Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

set https-ssl-versions {tlsv1-1 | tlsv1-2 | tlsv1-3}

end

Variable

Description

Default

gui-language {browser | english | french | german | japanese | korean | portuguese | simch | spanish | trach}

Set the display language: the language used by the browser (browser), English, French, German, Japanese, Korean, Portuguese, simplified Chinese (simch), Spanish, or traditional Chinese (trach).

browser

http-port <1-65535>

Enter the port to use for HTTP administrative access. HTTP administrative sessions are not encrypted; prefer HTTPS for management.

80

https-pki-required {enable | disable}

Enable to require administrators to present a valid client certificate when PKI is enabled for HTTPS administrative access. With the default setting of disable, admin users can log in with either a valid certificate or a password.

disable

https-port <1-65535>

Enter the port to use for HTTPS administrative access.

443

https-server-cert {self-sign | Fortinet_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}

Select the administration HTTPS server certificate to use:
  • self-sign—Use a self-signed security certificate. Self-signed certificates are free and encrypt the session as strongly as a purchased certificate, but because they are not issued by a CA in the client's trust store, browsers and other certificate checks will report them as untrusted.
  • Fortinet_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended for server-type functionality, because any other unit could use this same certificate to spoof the identity of this unit.

Fortinet_Firmware

https-ssl-versions {tlsv1-1 | tlsv1-2 | tlsv1-3}

Set the allowed SSL/TLS versions for web administration. TLS 1.1 is deprecated (RFC 8996); remove tlsv1-1 from the list unless a legacy client still requires it.

tlsv1-1 tlsv1-2 tlsv1-3
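To make the defaults in the config system web, config system snmp community, and config system snmp user tables actionable, here is an added Python example (not Fortinet code) that parses a FortiSwitchOS-style configuration dump and flags the management-plane weaknesses those tables document: TLS 1.1 allowed for HTTPS administration, the shared Fortinet_Firmware certificate, well-known or unrestricted SNMP communities with SNMP v1 enabled, and SNMP v3 users below auth-priv or using md5/des. The configuration text and its names (mon-ro, netmon, noc, 10.0.0.0/24) are constructed for the example; where an attribute is absent the audit assumes the default this reference lists.

```python
"""Audit a FortiSwitchOS-style configuration dump for weak management-plane settings.

Added example, not Fortinet code.  The parser handles only the
config / edit / set / next / end nesting used throughout this reference, and
the sample configuration below is constructed for illustration.
"""
import shlex
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
config system web
    set http-port 80
    set https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
    set https-server-cert Fortinet_Firmware
end
config system snmp community
    edit 1
        set name "public"
    next
    edit 2
        set name "mon-ro"
        set query-v1-status disable
        set trap-v1-status disable
        config hosts
            edit 1
                set interface mgmt
                set ip 10.0.0.0/24
            next
        end
    next
end
config system snmp user
    edit "netmon"
        set security-level auth-no-priv
        set auth-proto md5
    next
    edit "noc"
        set security-level auth-priv
        set auth-proto sha256
        set priv-proto aes256
    next
end
"""

Entry = Dict[str, object]


def parse_fortiswitch_config(text: str) -> Dict[str, Dict[str, Entry]]:
    """Return {stanza: {entry_id: {attr: [values], "_sub": {nested stanzas}}}}.

    A stanza without edit lines (such as "system web") gets the single entry id "".
    """
    root: Dict[str, Dict[str, Entry]] = {}
    stack: List[Tuple[object, object]] = []  # saved (entries, entry) per config level
    entries, entry = None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            # a nested "config hosts" belongs to the current entry, others to root
            container = root if entry is None else entry.setdefault("_sub", {})
            stack.append((entries, entry))
            entries, entry = container.setdefault(" ".join(args), {}), None
        elif kw == "edit":
            entry = entries.setdefault(args[0], {})
        elif kw == "set":
            if entry is None:
                entry = entries.setdefault("", {})
            entry[args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            entries, entry = stack.pop()
    return root


def first(entry: Entry, attr: str, default: str) -> str:
    """First value of a set attribute, or the documented default when it was never set."""
    values = entry.get(attr)
    return values[0] if values else default


def audit(cfg: Dict[str, Dict[str, Entry]]) -> List[Tuple[str, str, str]]:
    """Return (stanza, entry_id, message) for each weak setting found."""
    findings = []
    web = cfg.get("system web", {}).get("", {})
    if "tlsv1-1" in web.get("https-ssl-versions", ["tlsv1-1", "tlsv1-2", "tlsv1-3"]):
        findings.append(("system web", "", "TLS 1.1 permitted for HTTPS administration (deprecated by RFC 8996)"))
    if first(web, "https-server-cert", "Fortinet_Firmware") == "Fortinet_Firmware":
        findings.append(("system web", "", "Fortinet_Firmware certificate is shared by every unit, not unique to this switch"))
    for cid, comm in cfg.get("system snmp community", {}).items():
        name = first(comm, "name", "")
        if name.lower() in ("public", "private"):
            findings.append(("system snmp community", cid, f"well-known community string {name!r}"))
        if first(comm, "query-v1-status", "enable") == "enable":
            findings.append(("system snmp community", cid, "SNMPv1 queries enabled (cleartext community string)"))
        sub = comm.get("_sub", {})
        if not sub.get("hosts") and not sub.get("hosts6"):
            findings.append(("system snmp community", cid, "no hosts/hosts6 entries limiting manager addresses"))
    for uid, user in cfg.get("system snmp user", {}).items():
        level = first(user, "security-level", "no-auth-no-priv")
        if level != "auth-priv":
            findings.append(("system snmp user", uid, f"security-level {level}: SNMPv3 traffic is not encrypted"))
        if level != "no-auth-no-priv" and first(user, "auth-proto", "sha1") == "md5":
            findings.append(("system snmp user", uid, "HMAC-MD5 authentication; prefer a SHA-2 auth-proto"))
        if level == "auth-priv" and first(user, "priv-proto", "aes128") == "des":
            findings.append(("system snmp user", uid, "CBC-DES privacy; prefer an AES priv-proto"))
    return findings


if __name__ == "__main__":
    for stanza, entry_id, message in audit(parse_fortiswitch_config(SAMPLE_CONFIG)):
        print(f"{stanza} [{entry_id or '-'}]: {message}")
```

Run against the sample, the audit reports the web stanza twice, community 1 three times, and user netmon twice, while community 2 (v1 disabled, managers restricted) and user noc (auth-priv, sha256, aes256) produce nothing. Feed it the output of show full-configuration from a real unit to audit the actual defaults in effect.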