Discovering, authorizing, and deauthorizing FortiSwitch units
This section covers the following topics:
- Editing a managed FortiSwitch unit
- Adding preauthorized FortiSwitch units
- Using wildcard serial numbers to pre-authorize FortiSwitch units
- Authorizing the FortiSwitch unit
- Deauthorizing FortiSwitch units
- Converting to FortiSwitch standalone mode
Editing a managed FortiSwitch unit
To edit a managed FortiSwitch unit:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Click on the FortiSwitch unit and then click Edit or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
- Change the Name and Description of the FortiSwitch unit.
- View the Status of the FortiSwitch unit.
- Restart the FortiSwitch.
- Authorize or deauthorize the FortiSwitch unit.
- Update the firmware running on the switch.
- Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-down action.
Adding preauthorized FortiSwitch units
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Click Create New.
- In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
- Move the Authorized slider to the right.
- Select OK. The Managed FortiSwitch page lists the preauthorized switch.
Using wildcard serial numbers to pre-authorize FortiSwitch units
You can use asterisks as wildcard characters when you pre-authorize FortiSwitch units. Using a FortiSwitch template, you can name the managed switch and configure the ports. When the FortiSwitch unit is turned on and discovered by the FortiGate device, the wildcard serial number is replaced by the actual serial number and the settings in the FortiSwitch template are applied to the discovered FortiSwitch unit.
When you create the FortiSwitch template, use the following format for the wildcard serial number:
PREFIX****nnnnnn
- PREFIX: The first six characters of a valid FortiSwitch serial number, such as S248EP, S124EN, S548DF, and S524DF.
- ****: Asterisks are the only wildcard characters allowed. You can have any number of asterisks, as long as ****nnnnnn is no longer than 10 characters.
- nnnnnn: You can have any number of valid alphanumeric characters, as long as ****nnnnnn is no longer than 10 characters.
To pre-authorize FortiSwitch units using a FortiSwitch template:
- Create a FortiSwitch template.
config switch-controller managed-switch
edit <PREFIX****nnnnnn>
...
next
end
For example:
config switch-controller managed-switch
edit "S248EP****000000"
set name "fortilink-FSW248EP1"
set fsw-wan1-peer "fortilink"
.......
config ports
edit "port1"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
set export-to "root"
next
edit "port2"
set vlan "_default"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set access-mode dynamic
set port-policy "aggr1"
set export-to "root"
next
end
next
end
- Turn on the FortiSwitch unit so that the FortiGate device will discover it.
The FortiSwitch unit is matched with the FortiSwitch template using the order of entries in the CMDB table from top to bottom. The settings in the FortiSwitch template are applied to the discovered FortiSwitch unit. Once a match is made for a wildcard entry, that particular entry is consumed.
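To make the wildcard format and the top-to-bottom matching rule concrete, here is an added Python example. It is not Fortinet code and nothing on the FortiGate runs it: it validates a template name against the documented PREFIX****nnnnnn constraints and emulates discovery against a list of managed-switch entries in CMDB order, consuming a wildcard entry once it has matched. It assumes that each asterisk stands for exactly one character of the serial number (the page does not state this) and that serial numbers are upper-case alphanumerics; the function names and serial numbers are the example's own.

```python
import re
from typing import List, Optional

# Added example, not Fortinet code. Template format from the documentation:
# six-character PREFIX, one or more asterisks (the only wildcard allowed),
# then optional alphanumerics, with ****nnnnnn at most 10 characters long.
# Assumption: serial numbers and templates use upper-case alphanumerics.
TEMPLATE_RE = re.compile(r"^([A-Z0-9]{6})(\*+)([A-Z0-9]*)$")


def validate_wildcard_serial(template: str) -> bool:
    """True if `template` follows the documented PREFIX****nnnnnn rules."""
    m = TEMPLATE_RE.fullmatch(template)
    if m is None:
        return False
    stars, suffix = m.group(2), m.group(3)
    return len(stars) + len(suffix) <= 10


def matches(entry: str, serial: str) -> bool:
    """Assumption (not stated on the page): each asterisk stands for exactly
    one character, so a wildcard entry only matches a serial of equal length.
    A plain serial number (no asterisks) matches itself only."""
    if len(entry) != len(serial):
        return False
    return all(e == "*" or e == s for e, s in zip(entry, serial))


def discover(cmdb_entries: List[str], serial: str) -> Optional[str]:
    """Emulate discovery: entries are tried in CMDB order (top to bottom) and
    the first match wins. A matching wildcard entry is consumed, i.e. removed
    from `cmdb_entries`, so it cannot be matched by a second switch."""
    for i, entry in enumerate(cmdb_entries):
        if matches(entry, serial):
            if "*" in entry:
                cmdb_entries.pop(i)
            return entry
    return None


if __name__ == "__main__":
    # Constructed serial numbers; they do not refer to real devices.
    entries = ["S248EP****000000", "S248EP**********"]
    print(discover(entries, "S248EP3X17000482"))  # second entry: suffix 000482 fails the first
    print(discover(entries, "S248EP3X17000001"))  # None: the catch-all entry was consumed
    print(entries)                                 # only S248EP****000000 remains
```

Because the first matching entry in CMDB order wins, a catch-all such as S248EP********** placed above a more specific entry will absorb every S248EP switch that is discovered; order the more specific templates first.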
Authorizing the FortiSwitch unit
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.
Deauthorizing FortiSwitch units
A device can be deauthorized to remove it from the Security Fabric.
To deauthorize a device:
- On the root FortiGate, go to Security Fabric > Fabric Connectors
- In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end
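As an added example (not Fortinet code), the following Python parses the show system csf output format shown above and lists the serial numbers that carry set action deny, which gives a quick way to audit which devices have been deauthorized from the Security Fabric. The sample text is constructed from the output above rather than captured from a device, and the function names are the example's own.

```python
from typing import Dict, List, Optional

# Constructed sample modelled on the `show system csf` output above; it is not
# captured from a device and the serial numbers are the page's own examples.
SAMPLE_CSF = """\
show system csf
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
"""


def parse_trusted_list(text: str) -> Dict[str, Optional[str]]:
    """Walk the nested config/edit/set/next/end structure and return
    {serial: action} for each `config trusted-list` entry. An entry with no
    `set action` line is recorded as None rather than guessing a default."""
    entries: Dict[str, Optional[str]] = {}
    sections: List[str] = []        # stack of enclosing `config` section names
    current: Optional[str] = None   # serial of the `edit` entry being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):])
        elif line == "end":
            if sections:
                sections.pop()
        elif sections and sections[-1] == "trusted-list":
            if line.startswith("edit "):
                current = line[len("edit "):].strip().strip('"')
                entries[current] = None
            elif line.startswith("set action ") and current is not None:
                entries[current] = line[len("set action "):].strip()
            elif line == "next":
                current = None
    return entries


def denied_serials(text: str) -> List[str]:
    """Serial numbers whose trusted-list action is deny, i.e. the devices
    that were deauthorized."""
    return sorted(s for s, a in parse_trusted_list(text).items() if a == "deny")


if __name__ == "__main__":
    print(parse_trusted_list(SAMPLE_CSF))
    print(denied_serials(SAMPLE_CSF))
```

Feed it the saved output of show system csf from a root FortiGate; the parser ignores every section other than trusted-list, so the group password line and any other settings in the output are never interpreted.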
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:
- execute switch-controller factory-reset <switch-id>
  This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, the FortiGate can detect and automatically authorize the FortiSwitch. For example:
  execute switch-controller factory-reset S1234567890
- execute switch-controller switch-action set-standalone <switch-id>
  This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:
  execute switch-controller switch-action set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
set disable-discovery <switch-id>
end
For example:
config switch-controller global
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:
config switch-controller global
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end