Discovering, authorizing, and deauthorizing FortiSwitch units
This section covers the following topics:
- Editing a managed FortiSwitch unit
- Adding preauthorized FortiSwitch units
- Authorizing the FortiSwitch unit
- Deauthorizing FortiSwitch units
- Converting to FortiSwitch standalone mode
Editing a managed FortiSwitch unit
To edit a managed FortiSwitch unit:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Click on the FortiSwitch unit and then click Edit, or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
- Change the Name and Description of the FortiSwitch unit.
- View the Status of the FortiSwitch unit.
- Restart the FortiSwitch.
- Authorize or deauthorize the FortiSwitch unit.
- Update the firmware running on the switch.
- Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-down action.
Adding preauthorized FortiSwitch units
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Click Create New.
- In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
- Move the Authorized slider to the right.
- Select OK. The Managed FortiSwitch page lists the preauthorized switch.
Authorizing the FortiSwitch unit
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.
Deauthorizing FortiSwitch units
A device can be deauthorized to remove it from the Security Fabric.
To deauthorize a device:
- On the root FortiGate, go to Security Fabric > Fabric Connectors.
- In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end
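The trusted list shown above can be checked against a switch inventory. The following is an added example, not Fortinet code: it parses saved `show system csf` output and reports denied (deauthorized) serial numbers. The function names and the `approved` inventory are hypothetical, and an entry with no `set action` line is assumed not to be denied.

```python
import re

# Constructed sample: the `show system csf` output from the example above.
SAMPLE = '''\
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
'''

def parse_trusted_list(text):
    """Return {serial: action or None} for entries under `config trusted-list`."""
    entries, in_list, current = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config trusted-list":
            in_list = True
        elif not in_list:
            continue  # ignore everything outside the trusted-list block
        elif line == "end":
            in_list = False
        elif m := re.fullmatch(r'edit "?([^"]+)"?', line):
            current = m.group(1)
            entries[current] = None  # assumption: no `set action` means not denied
        elif line == "next":
            current = None
        elif current and (m := re.fullmatch(r"set action (\S+)", line)):
            entries[current] = m.group(1)
    return entries

def audit(text, approved):
    """Compare the trusted list with a hypothetical set of approved serials."""
    entries = parse_trusted_list(text)
    denied = {s for s, a in entries.items() if a == "deny"}
    return {
        "denied": sorted(denied),
        "approved_but_denied": sorted(denied & approved),
        "not_denied_unknown": sorted(set(entries) - denied - approved),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, approved={"FGT6HD391806070"}))
```

A serial under `approved_but_denied` is an inventoried switch that is still blocked from the Security Fabric, while `not_denied_unknown` lists trusted devices that the inventory does not account for.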
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:
- execute switch-controller factory-reset <switch-id>
This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:
execute switch-controller factory-reset S1234567890
- execute switch-controller switch-action set-standalone <switch-id>
This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:
execute switch-controller set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
set disable-discovery <switch-id>
end
For example:
config switch-controller global
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:
config switch-controller global
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
append disable-discovery S012345678
unselect disable-discovery S1234567890
end