Channel: Fortinet GURU

Converting to FortiSwitch standalone mode


Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>

This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:

execute switch-controller factory-reset S1234567890

  • execute switch-controller set-standalone <switch-id>

This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:

execute switch-controller set-standalone S1234567890

You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:

config switch-controller global
    set disable-discovery <switch-id>
end

For example:

config switch-controller global
    set disable-discovery S1234567890
end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:

config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end

For example:

config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end


Changing the admin password on the FortiGate for all managed FortiSwitch units


By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:

config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end

Enabling network-assisted device detection


Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings
    set network-monitoring enable
end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command:

diagnose user device list

Limiting the number of parallel processes for FortiSwitch configuration


Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global
    config switch-controller system
        set parallel-process-override enable
        set parallel-process <1-300>
    end
end

FortiSwitch features configuration


Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

FortiSwitch VLANs display

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name: name of the VLAN
  • VLAN ID: the VLAN number
  • IP/Netmask: address and mask of the subnetwork that corresponds to this VLAN
  • Access: administrative access settings for the VLAN
  • Ref: number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end

NOTE: You must configure the proxy ARP with the config system proxy-arp CLI command to be able to use the access VLANs. For example:

config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the Web administration GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
     Interface Name: VLAN name
     VLAN ID: Enter a number (1-4094)
     Color: Choose a unique color for each VLAN, for ease of visual display.
     IP/Network Mask: IP address and network mask for this VLAN.
  2. Enable DHCP Server and set the IP range.
  3. Set the Admission Control options as required.
  4. Select OK.

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the desired port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

config system interface
    edit <vlan name>
        set vlanid <1-4094>
        set color <1-32>
        set interface <FortiLink-enabled interface>
end

  2. Set the VLAN's IP address.

config system interface
    edit <vlan name>
        set ip <IP address> <Network mask>
end

  3. Enable a DHCP Server.

config system dhcp server
    edit 1
        set default-gateway <IP address>
        set dns-service default
        set interface <vlan name>
        config ip-range
            set start-ip <IP address>
            set end-ip <IP address>
        end
        set netmask <Network mask>
end

  4. Assign ports to the VLAN.

config switch-controller managed-switch
    edit <Switch ID>
        config ports
            edit <port name>
                set vlan <vlan name>
                set allowed-vlans <vlan name> (or: set allowed-vlans-all enable)
            next
        end
end

Assign untagged VLANs to a managed FortiSwitch port:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set untagged-vlans <VLAN-name>
            next
        end
    next
end

Configure IGMP settings

Use the following command to configure the global IGMP settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

config switch-controller igmp-snooping
    set aging-time <15-3600>
    set flood-unknown-multicast {enable | disable}
end

LLDP-MED

Configure LLDP-MED

To configure LLDP profiles:

config switch-controller lldp-profile
    edit <profile number>
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs max-frame-size
        set auto-isl {enable | disable}
        set auto-isl-hello-timer <1-30>
        set auto-isl-port-group <0-9>
        set auto-isl-receive-timeout <3-90>
        set med-tlvs (inventory-management | network-policy)
end

To configure LLDP settings:

config switch-controller lldp-settings
    set status {enable | disable}
    set tx-hold <int>
    set tx-interval <int>
    set fast-start-interval <int>
    set management-interface {internal | management}
end

The variables are as follows:

  • status: Enable or disable.
  • tx-hold: Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.
  • tx-interval: How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
  • fast-start-interval: How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.
  • management-interface: Primary management interface to be advertised in LLDP and CDP PDUs.

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch
    edit <fsw>
        set switch-device-tag <string>
end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile
    edit <lldp-profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
        end
end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller dump lldp stats <switch> <port>
diagnose switch-controller dump lldp neighbors-summary <switch>
diagnose switch-controller dump lldp neighbors-detail <switch>


Configure the MAC sync interval

Use the following commands to configure the global MAC sync interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end

Configure STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following CLI commands for global STP configuration. This configuration applies to all managed FortiSwitch units:

config switch-controller stp-settings
    set name <name>
    set revision <stp revision>
    set hello-time <hello time>
    set forward-time <forwarding delay>
    set max-age <maximum aging time>
    set max-hops <maximum number of hops>
end

You can override the global STP settings for a FortiSwitch unit using the following commands:

config switch-controller managed-switch
    edit <switch-id>
        config stp-settings
            set local-override enable
        end
    next
end

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit.

Quarantined MAC addresses are isolated from the rest of the network and LAN by using a separate VLAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

 

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

config user quarantine
    set quarantine enable
    config targets
        edit <quarantine_entry_name>
            set description <string>
            config macs
                edit <MAC_address_1>
                next
                edit <MAC_address_2>
                next
                edit <MAC_address_3>
                next
            end
        end
    end
end

The options are as follows:

  • quarantine_entry_name: A name for this quarantine entry.
  • string: Optional. A description of the MAC addresses being quarantined.
  • MAC_address_1, MAC_address_2, MAC_address_3: A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

For example:

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        end
    end
end
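As an added example (not part of the original page or of Fortinet's documentation), the following Python script builds the config user quarantine block shown above from a list of MAC addresses an incident responder might have collected. It normalizes dashed, dotted and colon notations to the 12:34:56:aa:bb:cc form the CLI expects, reports anything that is not a MAC address instead of silently dropping it, removes duplicates, and refuses to add a target when the 512-entry table limit stated above would be exceeded. The entry name, the description and the sample MAC list are constructed for illustration.

```python
import re

# Constructed sample input (not from the original page): MAC addresses as they
# might arrive from an incident ticket, in several notations plus one bad entry.
SAMPLE_MACS = [
    "00:00:00:aa:bb:cc",
    "00-11-22-33-44-55",   # dash-separated
    "0001.0203.0405",      # Cisco dotted form
    "00:11:22:33:44:55",   # duplicate of the dashed entry once normalized
    "not-a-mac",           # invalid; must be reported, not silently dropped
]

MAX_TARGETS = 512  # quarantine target table size limit stated on the page

# Accepted input notations; the CLI itself wants 12:34:56:aa:bb:cc.
_FORMS = (
    re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)


def normalize_mac(mac):
    """Return the MAC in colon-separated lowercase form, or None if it is not a MAC."""
    m = mac.strip().lower()
    if not any(p.match(m) for p in _FORMS):
        return None
    digits = re.sub(r"[:.\-]", "", m)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_quarantine_config(entry_name, macs, description="", existing_targets=0):
    """Render the 'config user quarantine' block for one target entry.

    Returns (cli_text, accepted, rejected): accepted MACs are normalized and
    de-duplicated; rejected holds inputs that are not valid MAC addresses.
    Raises ValueError when the target table would overflow or the description
    cannot be quoted safely.
    """
    if existing_targets >= MAX_TARGETS:
        raise ValueError("quarantine target table is full (%d entries)" % MAX_TARGETS)
    if '"' in description:
        raise ValueError("description must not contain double quotes")
    accepted, rejected, seen = [], [], set()
    for raw in macs:
        norm = normalize_mac(raw)
        if norm is None:
            rejected.append(raw)
        elif norm not in seen:
            seen.add(norm)
            accepted.append(norm)
    lines = [
        "config user quarantine",
        "    set quarantine enable",
        "    config targets",
        "        edit %s" % entry_name,
    ]
    if description:
        lines.append('            set description "%s"' % description)
    lines.append("            config macs")
    for mac in accepted:
        lines.append("                edit %s" % mac)
        lines.append("                next")
    lines += ["            end", "        next", "    end", "end"]
    return "\n".join(lines), accepted, rejected


if __name__ == "__main__":
    cli, ok, bad = build_quarantine_config("quarantine1", SAMPLE_MACS, "infected by virus")
    print(cli)
    print("rejected:", bad)
```

Paste the printed block into the FortiGate CLI (or push it through your configuration tooling); the rejected list is what you hand back to whoever supplied the addresses.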

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        end
    end
end

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_ name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface
    edit "qtn.port7"
        set vdom "vdom1"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.port7"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 34
        set switch-controller-access-vlan enable
        set color 6
        set interface "port7"
        set vlanid 4093
    next
end

Use the following commands to view the quarantine DHCP server:

show system dhcp server

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.254.254.254
        set netmask 255.255.255.0
        set interface "qtn.port7"
        config ip-range
            edit 1
                set start-ip 10.254.254.192
                set end-ip 10.254.254.253
            next
        end
        set timezone-option default
    next
end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch

config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        set fsw-wan1-admin enable
        set version 1
        set dynamic-capability 503
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            …
        end
    end
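Added example, not from the original page: a Python check that parses show switch-controller managed-switch output and reports any port whose allowed or untagged VLAN list does not carry the quarantine VLAN, so you can confirm that isolation was applied to every port rather than reading the output by eye. The sample output in the block is constructed to resemble the page's example (with port3 deliberately missing the quarantine VLAN and not copied from the page); the VLAN name qtn.port7 is taken from the page.

```python
import re

# Quarantine VLAN name, following the page's qtn.<FortiLink_port_name> pattern.
QTN_VLAN = "qtn.port7"

# Constructed sample modelled on 'show switch-controller managed-switch' output
# (not the page's verbatim output). port3 is deliberately missing the quarantine VLAN.
SAMPLE_SHOW = '''config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7" "vlan100"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "vlan100"
            next
        end
    next
end
'''

_EDIT = re.compile(r'^edit\s+"?([^"\s]+)"?$')
_VLANS = re.compile(r'^set (allowed-vlans|untagged-vlans)\s+(.+)$')


def parse_port_vlans(text):
    """Return {port: {"allowed": [...], "untagged": [...]}} from the 'config ports' table.

    Only the allowed-vlans and untagged-vlans lists are collected; a port with
    'set allowed-vlans-all enable' is left with an empty allowed list because
    that line does not match the pattern (it names no VLAN explicitly).
    """
    ports, current, in_ports = {}, None, False
    for raw in text.splitlines():
        s = raw.strip()
        if s == "config ports":
            in_ports = True
            continue
        if not in_ports:
            continue
        if s == "end":          # closes 'config ports'
            in_ports = False
            continue
        if s == "next":
            current = None
            continue
        m = _EDIT.match(s)
        if m:
            current = m.group(1)
            ports[current] = {"allowed": [], "untagged": []}
            continue
        m = _VLANS.match(s)
        if m and current is not None:
            key = "allowed" if m.group(1) == "allowed-vlans" else "untagged"
            ports[current][key] = re.findall(r'"([^"]+)"', m.group(2))
    return ports


def ports_missing_quarantine(text, qtn=QTN_VLAN):
    """Names of ports whose allowed or untagged VLAN list lacks the quarantine VLAN."""
    return sorted(name for name, v in parse_port_vlans(text).items()
                  if qtn not in v["allowed"] or qtn not in v["untagged"])


if __name__ == "__main__":
    print("ports without quarantine VLAN:", ports_missing_quarantine(SAMPLE_SHOW))
```

Port names are keyed without the switch serial, so run it against one switch's output at a time (or extend the key to include the switch name when several managed switches appear in one dump).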

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
    config targets
        edit <quarantine_entry_name>
            config macs
                delete <MAC_address_1>
            end
        end
    end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
    config targets
        delete <quarantine_entry_name>
    end
end

To disable the quarantine feature:

config user quarantine
    set quarantine disable
end

FortiSwitch port features


You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 524D-FPOE:

The switch faceplate displays:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

PoE Status displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:


Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • Native VLAN
  • Allowed VLANs
  • Device information
  • PoE status
  • Bytes sent and received by the port

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Enable or disable PoE for the port
  • Enable or disable DHCP blocking (if supported by the port)
  • Enable or disable IGMP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configuring ports using the FortiGate CLI


Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set description <text>
                set speed <speed>
                set status {down | up}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set description "First port"
                set speed auto
                set status up
        end
end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.
  3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global
    set default-virtual-switch-vlan <VLAN>
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  4. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool
    edit <VPP_name>
        set description <string>
    next
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool
    edit "pool3"
        set description "pool for port3"
    next
end

  5. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM, or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch
    edit <switch.id>
        config ports
            edit <port_name>
                set {export-to-pool <VPP_name> | export-to <VDOM_name>}
                set export-tags <string1,string2,string3,…>
            next
        end
    next
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit port3
                set export-to-pool "pool3"
                set export-tags "Pool 3"
            next
        end
    next
end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit port3
                set export-to "vdom3"
                set export-tags "VDOM 3"
            next
        end
    next
end

  6. Request a port in a VPP:

execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  7. Return a port to a VPP:

execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example:

execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag
    edit <tag_name>
end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • 802.1X
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • QoS
  • Port security
  • MCLAG

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan
    edit <integer>
        set switch-controller-learning-limit <limit>
    end
end

For example:

config switch vlan
    edit 100
        set switch-controller-learning-limit 20
    end
end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch
    edit <FortiSwitch_Serial_Number>
        config ports
            edit <port>
                set learning-limit <limit>
            next
        end
    end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set learning-limit 50
            next
        end
    end
end

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1,000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global
    set mac-aging-interval <10 to 1000000>
end

For example:

config switch-controller global
    set mac-aging-interval 500
end

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

config switch-controller global
    set mac-violation-timer <0-1500>
    set log-mac-limit-violations {enable | disable}
end

For example:

config switch-controller global
    set mac-violation-timer 1000
    set log-mac-limit-violations enable
end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller dump mac-limit-violations all <FortiSwitch_serial_number>
  • diagnose switch-controller dump mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
  • diagnose switch-controller dump mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

For example, to view the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

diagnose switch-controller dump mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set dhcp-snooping {trusted | untrusted}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set dhcp-snooping trusted
        end
end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set poe-status {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set poe-status enable
        end
end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status

get switch-controller poe <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set edge-port {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set edge-port enable
        end
end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings on page 71.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-state {enabled | disabled}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-state enabled
        end
end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :     0
Switch Priority : 24576
Root MAC Address :       085b0ef195e4
Root Priority:      24576
Root Pathcost:      0
Regional Root MAC Address :      085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops:  20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port             Speed  Cost       Priority   Role        State       Edge  STP-Status  Loop Protection
________________ ______ _________  _________  __________  __________  ____  __________  ________
port1                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port2                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port3                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port4                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port5                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port6                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port7                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port8                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port9                   200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port10                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port11                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port12                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port13                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port14                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port15                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port16                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port17                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port18                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port19                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port20                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port21                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port22                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port23                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port25                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port26                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port27                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port28                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port29                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
port30                  200000000  128        DISABLED    DISCARDING  YES   ENABLED     NO
internal         1G     20000      128        DESIGNATED  FORWARDING  YES   DISABLED    NO
__FoRtI1LiNk0__  1G     20000      128        DESIGNATED  FORWARDING  YES   DISABLED    NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-root-guard {enabled | disabled}
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-root-guard enabled
            end
        end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not come back up on its own after a BPDU is received; you will have to manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-bpdu-guard {enabled | disabled}
                set stp-bpdu-guard-time <0-120>
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-time 10
            end
        end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0
Portname          State   Status    Timeout(m)  Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled 10 0
port2 disabled
port3 disabled
port4 disabled
port5 disabled
port6 disabled
port7 disabled
port8 disabled
port9 disabled
port10 disabled
port11 disabled
port12 disabled
port13 disabled
port14 disabled
port15 disabled
port16 disabled
port17 disabled
port18 disabled
port19 disabled
port20 disabled
port21 disabled
port22 disabled
port23 disabled
port25 disabled
port26 disabled  
port27 disabled  
port28 disabled  
port29 disabled  
port30 disabled  
__FoRtI1LiNk0__ disabled  
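The two diagnose outputs (the stp dump and the bpdu-guard-status dump) can be audited together for the prerequisite described above: an edge port with STP enabled is the one place a BPDU should never arrive, so it should also carry BPDU guard. The following Python script is an added example, not Fortinet code; it parses the column layout shown in both outputs and lists the STP-enabled edge ports that have no BPDU guard, using constructed sample outputs and helper names of my own.

```python
"""Audit FortiSwitch edge-port protection from two FortiGate diagnose outputs.

Added example, not Fortinet code.  It parses the column layout of
'diagnose switch-controller dump stp' and 'dump bpdu-guard-status' shown in the
text and lists STP-enabled edge ports (the BPDU-guard prerequisites) that have
no BPDU guard.  Both sample outputs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STP_DUMP = """\
FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :     0
Switch Priority : 24576
Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2            1G     20000     128       DESIGNATED  FORWARDING YES  ENABLED    NO
port3            1G     20000     128       DESIGNATED  FORWARDING NO   ENABLED    NO
port4                   200000000 128       DISABLED    DISCARDING YES  DISABLED   NO
__FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
"""

BPDU_DUMP = """\
FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0
Portname          State    Status    Timeout(m)  Count Last-Event
_________________ _______  _________ ___________ _____ _______________
port1             enabled            10          0
port2             disabled
port3             disabled
port4             disabled
__FoRtI1LiNk0__   disabled
"""


@dataclass
class StpPort:
    name: str
    role: str
    state: str
    edge: bool
    stp_enabled: bool


@dataclass
class BpduGuard:
    name: str
    enabled: bool
    timeout_min: Optional[int]  # minutes the port stays down after a BPDU
    trip_count: Optional[int]   # how often the guard has fired


def _table_rows(text: str) -> List[List[str]]:
    """Whitespace-split the rows that follow the '____' separator line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("____"):
            in_table = True
        elif in_table and line.strip():
            rows.append(line.split())
    return rows


def parse_stp_dump(text: str) -> Dict[str, StpPort]:
    """Speed is blank on link-down ports, so fields are taken from the right-hand end."""
    ports: Dict[str, StpPort] = {}
    for tok in _table_rows(text):
        if len(tok) not in (8, 9):
            continue
        ports[tok[0]] = StpPort(name=tok[0], role=tok[-5], state=tok[-4],
                                edge=tok[-3] == "YES", stp_enabled=tok[-2] == "ENABLED")
    return ports


def parse_bpdu_guard(text: str) -> Dict[str, BpduGuard]:
    """Status and Last-Event are blank in the sample, so only the numeric columns are kept."""
    guards: Dict[str, BpduGuard] = {}
    for tok in _table_rows(text):
        if len(tok) < 2:
            continue
        nums = [int(t) for t in tok[2:] if t.isdigit()]
        guards[tok[0]] = BpduGuard(name=tok[0], enabled=tok[1] == "enabled",
                                   timeout_min=nums[0] if nums else None,
                                   trip_count=nums[1] if len(nums) > 1 else None)
    return guards


def unguarded_edge_ports(stp: Dict[str, StpPort], guards: Dict[str, BpduGuard],
                         skip_prefix: str = "__FoRtI") -> List[str]:
    """Edge ports with STP enabled but BPDU guard disabled; the FortiLink trunk is skipped."""
    missing = BpduGuard("", False, None, None)
    return [name for name, p in stp.items()
            if not name.startswith(skip_prefix) and p.edge and p.stp_enabled
            and not guards.get(name, missing).enabled]


def tripped_ports(guards: Dict[str, BpduGuard]) -> List[str]:
    """Ports whose guard has fired at least once: a BPDU arrived where no switch should be."""
    return [g.name for g in guards.values() if g.enabled and (g.trip_count or 0) > 0]


if __name__ == "__main__":
    stp, guards = parse_stp_dump(STP_DUMP), parse_bpdu_guard(BPDU_DUMP)
    print("edge ports without BPDU guard:", unguarded_edge_ports(stp, guards))
    print("BPDU guard tripped on:", tripped_ports(guards))
```

port4 is an edge port but has STP disabled, so it fails the prerequisite and is not reported; a non-zero Count on an enabled port is the signal that a rogue BPDU was received.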

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set loop-guard {enabled | disabled}
                set loop-guard-timeout <0-120 minutes>
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set loop-guard enabled
                set loop-guard-timeout 10
            end
        end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set lldp-status {rx-only | tx-only | tx-rx | disable}
                set lldp-profile <profile name>
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port2
                set lldp-status tx-rx
                set lldp-profile default
            end
        end

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set igmp-snooping {enable | disable}
                set igmps-flood-reports {enable | disable}
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set igmp-snooping enable
                set igmps-flood-reports enable
            end
        end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

  • Flow samples: You specify the percentage of packets (one out of n packets) to randomly sample.
  • Counter samples: You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow
    set collector-ip <x.x.x.x>
    set collector-port <port_number>
end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number>
    config ports
        edit <port_name>
            set sflow-sampler {disabled | enabled}
            set sflow-sample-rate <0-99999>
            set sflow-counter-interval <1-255>
        next
    next
end

For example:

config switch-controller sflow
    set collector-ip 1.2.3.4
    set collector-port 10
end

config switch-controller managed-switch S524DF4K15000024
    config ports
        edit port5
            set sflow-sampler enabled
            set sflow-sample-rate 10
            set sflow-counter-interval 60
        next
    next
end

Configuring Dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets arriving on untrusted ports carry a valid IP-to-MAC address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface
    edit vsw.test
        set switch-controller-arp-inspection {enable | disable}
end

config switch-controller managed-switch
    edit <sn>
        config ports
            edit <VLAN_ID>
                set arp-inspection-trust {untrusted | trusted}
            next
        end
    next
end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch
    edit <FortiSwitch_Serial_Number>
        config mirror
            edit <mirror_name>
                set status {active | inactive}
                set dst <port_name>
                set switching-packet {enable | disable}
                set src-ingress <port_name>
                set src-egress <port_name>
            next
        end
    next
end
NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config mirror
            edit 2
                set status active
                set dst port1
                set switching-packet enable
                set src-ingress port2 port3
                set src-egress port4 port5
            next
        end
    next
end

 


FortiSwitch port security policy

To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate through the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users. Alternatively, you can specify a VLAN for users whose authentication was unsuccessful.

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This chapter covers the following topics:

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings
    set reauth-period <int>
    set max-reauth-attempt <int>
    set link-down-auth {*set-unauth | no-action}
end

Option                  Description
set link-down-auth      If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.
set reauth-period       This command sets how often reauthentication is needed. The range is 1-1440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthentication.
set max-reauth-attempt  This command sets the maximum number of reauthentication attempts. The range is 1-15. The default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch
    edit <switch>
        config 802-1X-settings
            set local-override [enable | *disable]
            set reauth-period <int>                        // visible if override enabled
            set max-reauth-attempt <int>                   // visible if override enabled
            set link-down-auth {*set-unauth | no-action}   // visible if override enabled
        end
    next
end


For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Select Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy.name>"
        set security-mode {802.1X | 802.1X-mac-based}
        set user-group <*group_name | Guest-group | SSO_Guest_Users>
        set mac-auth-bypass [enable | *disable]
        set eap-passthru [enable | disable]
        set guest-vlan [enable | *disable]
        set guest-vlan-id "guest-VLAN-name"
        set guest-auth-delay <integer>
        set auth-fail-vlan [enable | *disable]
        set auth-fail-vlan-id "auth-fail-VLAN-name"
        set radius-timeout-overwrite [enable | *disable]
        set policy-type 802.1X
    end
end

Option                                       Description
set security-mode                            You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.
set user-group                               You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.
set mac-auth-bypass                          You can enable or disable MAB on this interface.
set eap-passthru                             You can enable or disable EAP pass-through mode on this interface.
set guest-vlan                               You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id "guest-VLAN-name"          You can specify the name of the guest VLAN.
set guest-auth-delay                         You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.
set auth-fail-vlan                           You can enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id "auth-fail-VLAN-name"  You can specify the name of the authentication fail VLAN.
set radius-timeout-overwrite                 You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
set policy-type 802.1X                       You can set the policy type to the 802.1X security policy.

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set port-security-policy <802.1X-policy>
            next
        end
    next
end

Test 802.1x authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy_name>"
        set open-auth {enable | disable}
    next
end

Restrict the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN>
    config ports
        edit <port_name>
            set discard-mode {none | all-tagged | all-untagged}
        next
    next
end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START: The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP: The FortiSwitch session has ended.
  • INTERIM: Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON: FortiSwitch will send this message when the switch is turned on.
  • OFF: FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius
    edit <RADIUS_server_name>
        set acct-interim-interval <seconds>
        config accounting-server
            edit <entry_ID>
                set status {enable | disable}
                set server <server_IP_address>
                set secret <secret_key>
                set port <port_number>
            next
        end
    next
end


Additional capabilities

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command
    edit <cmd-name>
        set command "<FortiSwitch commands>"

For example, create a command file that sets the STP max-age parameter:

config switch-controller custom-command
    edit "stp-age-10"
        set command "config switch stp setting
            set max-age 10
        end
        "
    next
end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch: exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

# exec switch-controller custom-command stp-age-10 S124DP3X15000118


View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade. The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.

Using the CLI

Use the following command to display the latest version:

diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image:

diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D
FS224D - 3.4.2 b192 03004000FIMG0900904002
FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002
Download image-03004000FIMG0900904002:
################################################################################
Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global
    set https-image-push enable
end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file, and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:

execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller restart-swtp-delayed ALL

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to "fortiswitch-syslog" for each entry.

The following is the CLI command syntax:

config switch-controller switch-log
    set status {*enable | disable}
    set severity [emergency | alert | critical | error | warning | notification | *information | debug]
end

You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch
    edit <switch-id>
        config switch-log
            set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.


Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <trunk name>
                set type trunk
                set mode {static | lacp}          // link aggregation mode
                set bundle {enable | disable}
                set min-bundle <int>
                set max-bundle <int>
                set members <port1 port2 ...>
            next
        end
    next
end

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG on page 48 and Standalone FortiGate unit with dual-homed FortiSwitch access on page 49.

Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch units:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk
    edit "LAG-member"
        set mode lacp-active
        set mclag-icl enable
        set members "<port>" "<port>"
    next

  2. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch
    edit "<switch-id>"
        config ports
            edit "<trunk name>"
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set bundle {enable | disable}
                set members "<port>,<port>"
                set mclag {enable | disable}
            next
        end
    next

  3. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller storm-control
    set rate <rate>
    set unknown-unicast {enable | disable}
    set unknown-multicast {enable | disable}
    set broadcast {enable | disable}
end

You can override the global storm control settings for a FortiSwitch using the following commands:

config switch-controller managed-switch
    edit <switch-id>
        config storm-control
            set local-override enable

At this point, you can configure the storm control settings that apply to this specific switch.

Displaying port statistics

Port statistics can be displayed with the following CLI command:

FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
S124DP3X16000413 0 :
{
    "port8":{
        "tx-bytes":823526672,
        "tx-packets":1402390,
        "tx-ucast":49047,
        "tx-mcast":804545,
        "tx-bcast":548798,
        "tx-errors":0,
        "tx-drops":3,
        "tx-oversize":0,
        "rx-bytes":13941793,
        "rx-packets":160303,
        "rx-ucast":148652,
        "rx-mcast":7509,
        "rx-bcast":4142,
        "rx-errors":0,
        "rx-drops":720,
        "rx-oversize":0,
        "undersize":0,
        "fragments":0,
        "jabbers":0,
        "collisions":0,
        "crc-alignments":0,
        "l3packets":0
    }
}
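The port-stats counters are cumulative, so comparing two snapshots taken a known interval apart gives the packets/sec figure that the storm-control section above thresholds on. The following Python script is an added example, not Fortinet code: it parses the JSON exactly as printed (including the "<serial> 0 :" prefix line), converts two snapshots into per-class packet rates, and reports which classes would exceed the storm-control rate; the first snapshot reuses the figures shown above, the second is constructed, and since the counters do not separate unknown from known unicast or multicast, those two rates are upper bounds.

```python
"""Check port-stats snapshots against the storm-control rate.

Added example, not Fortinet code.  parse_port_stats() decodes the JSON that
'diagnose switch-controller dump port-stats <serial> <port>' prints (including
the '<serial> 0 :' prefix line), packet_rates() turns two snapshots taken
SAMPLE_SECONDS apart into packets/sec, and storm_candidates() reports the
classes above 'set rate' in 'config switch-controller storm-control'
(default 500 pps).  The first snapshot reuses the figures from the text;
the second is constructed.
"""
import json
from typing import Dict, List, Tuple

STORM_CONTROL_DEFAULT_PPS = 500  # default of 'set rate <rate>' in the storm-control section
SAMPLE_SECONDS = 60              # interval between the two constructed snapshots

SNAPSHOT_T0 = """S124DP3X16000413 0 :
{
    "port8":{
        "tx-bytes":823526672, "tx-packets":1402390, "tx-ucast":49047,
        "tx-mcast":804545, "tx-bcast":548798, "tx-errors":0, "tx-drops":3,
        "tx-oversize":0, "rx-bytes":13941793, "rx-packets":160303,
        "rx-ucast":148652, "rx-mcast":7509, "rx-bcast":4142, "rx-errors":0,
        "rx-drops":720, "rx-oversize":0, "undersize":0, "fragments":0,
        "jabbers":0, "collisions":0, "crc-alignments":0, "l3packets":0
    }
}
"""
# Constructed: 60 s later port8 has received 42 000 more broadcasts (700 pps),
# 3 000 unicasts (50 pps) and 600 multicasts (10 pps), and dropped 600 more frames.
SNAPSHOT_T1 = """S124DP3X16000413 0 :
{
    "port8":{
        "tx-bytes":824726672, "tx-packets":1404890, "tx-ucast":50547,
        "tx-mcast":805145, "tx-bcast":549198, "tx-errors":0, "tx-drops":3,
        "tx-oversize":0, "rx-bytes":17941793, "rx-packets":205903,
        "rx-ucast":151652, "rx-mcast":8109, "rx-bcast":46142, "rx-errors":0,
        "rx-drops":1320, "rx-oversize":0, "undersize":0, "fragments":0,
        "jabbers":0, "collisions":0, "crc-alignments":0, "l3packets":0
    }
}
"""

# Storm control acts on broadcast, unknown unicast and unknown multicast.  The
# counters do not separate unknown from known traffic, so the unicast and
# multicast rates computed here are upper bounds on what storm control sees.
STORM_CLASSES = ("rx-bcast", "rx-ucast", "rx-mcast")
ERROR_COUNTERS = ("rx-errors", "tx-errors", "crc-alignments", "jabbers",
                  "fragments", "undersize", "collisions")


def parse_port_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Drop everything before the first '{' (the '<serial> 0 :' line) and decode the JSON."""
    stats = json.loads(text[text.index("{"):])
    return {port: {k: int(v) for k, v in counters.items()} for port, counters in stats.items()}


def packet_rates(before: Dict[str, Dict[str, int]], after: Dict[str, Dict[str, int]],
                 seconds: float) -> Dict[str, Dict[str, float]]:
    """Packets/sec per port and storm class between two snapshots; ports missing in one are skipped."""
    return {port: {c: (cur[c] - before[port][c]) / seconds for c in STORM_CLASSES}
            for port, cur in after.items() if port in before}


def storm_candidates(rates: Dict[str, Dict[str, float]],
                     threshold_pps: float = STORM_CONTROL_DEFAULT_PPS) -> List[Tuple[str, str, float]]:
    """(port, class, pps) triples above the rate at which storm control would start dropping."""
    return sorted((port, cls, pps) for port, per_class in rates.items()
                  for cls, pps in per_class.items() if pps > threshold_pps)


def health_findings(stats: Dict[str, Dict[str, int]], max_drop_ratio: float = 0.001) -> List[str]:
    """Ports with an rx-drop ratio above max_drop_ratio or any non-zero error counter."""
    findings = []
    for port, c in stats.items():
        if c["rx-packets"] and c["rx-drops"] / c["rx-packets"] > max_drop_ratio:
            findings.append(f"{port}: rx-drops {c['rx-drops']} of {c['rx-packets']} rx-packets")
        findings.extend(f"{port}: {key}={c[key]}" for key in ERROR_COUNTERS if c[key])
    return findings


if __name__ == "__main__":
    t0, t1 = parse_port_stats(SNAPSHOT_T0), parse_port_stats(SNAPSHOT_T1)
    print("storm candidates:", storm_candidates(packet_rates(t0, t1, SAMPLE_SECONDS)))
    print("health findings:", health_findings(t1))
```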

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports. The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitch units:

  1. Configure a Dot1p map.

A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

config switch-controller qos dot1p-map
    edit <Dot1p map name>
        set description <text>
        set priority-0 <queue number>
        set priority-1 <queue number>
        set priority-2 <queue number>
        set priority-3 <queue number>
        set priority-4 <queue number>
        set priority-5 <queue number>
        set priority-6 <queue number>
        set priority-7 <queue number>
    next
end

  2. Configure a DSCP map.

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:

  • network-control — Network control
  • internetwork-control — Internetwork control
  • critic-ecp — Critic and emergency call processing (ECP)
  • flashoverride — Flash override
  • flash — Flash
  • immediate — Immediate
  • priority — Priority
  • routine — Routine

config switch-controller qos ip-dscp-map
    edit <DSCP map name>
        set description <text>
        config map
            edit <entry name>
                set cos-queue <COS queue number>
                set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
                set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
                set value <DSCP raw value>
            next
        end
    next
end

  3. Configure the egress QoS policy.

In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:

  • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
  • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
  • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

config switch-controller qos queue-policy
    edit <QoS egress policy name>
        set schedule {strict | round-robin | weighted}
        config cos-queue
            edit [queue-<number>]
                set description <text>
                set min-rate <rate in kbps>
                set max-rate <rate in kbps>
                set drop-policy {taildrop | random-early-detection}
                set weight <weight value>
            next
        end
    next
end

  4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy
    edit <QoS egress policy name>
        set default-cos <default CoS value 0-7>
        set trust-dot1p-map <Dot1p map name>
        set trust-ip-dscp-map <DSCP map name>
        set queue-policy <queue policy name>
    next
end

  5. Configure each switch port.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port>
                set qos-policy <CoS policy>
            next
        end
    next
end
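The Dot1p/DSCP precedence rules in the steps above are easy to misread when reviewing a policy, so here is an added Python model (not Fortinet code and not from the original page) that resolves the egress queue for a packet the way the procedure describes. The maps, the example policy, and the queue-0 fallback for unmapped or untrusted traffic are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Standard DiffServ code points (RFC 2474, RFC 2597, RFC 3246), the names the
# "set diffserv" keyword accepts above.
DIFFSERV = {
    "CS0": 0, "CS1": 8, "AF11": 10, "AF12": 12, "AF13": 14, "CS2": 16,
    "AF21": 18, "AF22": 20, "AF23": 22, "CS3": 24, "AF31": 26, "AF32": 28,
    "AF33": 30, "CS4": 32, "AF41": 34, "AF42": 36, "AF43": 38, "CS5": 40,
    "EF": 46, "CS6": 48, "CS7": 56,
}
# IP precedence is the top three bits of the DSCP field (RFC 791 values 0-7),
# the names the "set ip-precedence" keyword accepts above.
IP_PRECEDENCE = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3, "flashoverride": 4,
    "critic-ecp": 5, "internetwork-control": 6, "network-control": 7,
}


@dataclass
class Dot1pMap:
    """priority-N -> queue entries; anything unmapped follows the default of queue 0."""
    queues: dict = field(default_factory=dict)

    def queue_for(self, cos):
        return self.queues.get(cos, 0)


@dataclass
class DscpMapEntry:
    """One 'config map' entry: a cos-queue plus any of diffserv / ip-precedence / value."""
    cos_queue: int
    diffserv: tuple = ()       # e.g. ("AF41",)
    ip_precedence: tuple = ()  # e.g. ("network-control",)
    values: tuple = ()         # raw DSCP values, e.g. (46,)

    def matches(self, dscp):
        if dscp in self.values or any(DIFFSERV[n] == dscp for n in self.diffserv):
            return True
        return any(IP_PRECEDENCE[n] == dscp >> 3 for n in self.ip_precedence)


@dataclass
class DscpMap:
    entries: list = field(default_factory=list)

    def queue_for(self, dscp):
        for entry in self.entries:
            if entry.matches(dscp):
                return entry.cos_queue
        return 0  # assumption for this example: an unmatched DSCP lands in queue 0


@dataclass
class QosPolicy:
    """The trust settings of 'config switch-controller qos qos-policy'."""
    default_cos: int = 0
    trust_dot1p_map: Optional[Dot1pMap] = None
    trust_ip_dscp_map: Optional[DscpMap] = None


def egress_queue(policy, cos=None, dscp=None):
    """Return (queue, source) for a packet carrying the given 802.1p CoS and DSCP.

    Precedence follows the note above: a trusted DSCP map wins whenever the
    packet carries a DSCP value, the Dot1p map is consulted only otherwise, and
    a packet without a CoS tag is treated as CoS 0. With no trusted map the
    packet gets default-cos; which queue that selects is not stated on the
    page, so queue 0 (the Dot1p default) is assumed here.
    """
    if policy.trust_ip_dscp_map is not None and dscp is not None:
        return policy.trust_ip_dscp_map.queue_for(dscp), "dscp"
    if policy.trust_dot1p_map is not None:
        return policy.trust_dot1p_map.queue_for(0 if cos is None else cos), "dot1p"
    return 0, "default-cos"


# Constructed example policy: voice (EF, or CoS 5 on non-IP frames) to queue 5,
# video (AF4x) to queue 4, network control to queue 7, everything else queue 0.
EXAMPLE_POLICY = QosPolicy(
    default_cos=0,
    trust_dot1p_map=Dot1pMap({5: 5, 7: 7}),
    trust_ip_dscp_map=DscpMap([
        DscpMapEntry(cos_queue=5, diffserv=("EF",)),
        DscpMapEntry(cos_queue=4, diffserv=("AF41", "AF42", "AF43")),
        DscpMapEntry(cos_queue=7, ip_precedence=("network-control",)),
    ]),
)
```

Note the last case in the test: a frame tagged CoS 5 but carrying DSCP 0 lands in queue 0, because the DSCP value takes precedence once both maps are trusted.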

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number>
execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM:

execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                       STATUS   CONFIG   MAC-SYNC   UPGRADE
FS1D243Z14000173                    Up       Idle     Idle       Idle
S124DP3X16006228 (Desktop-Switch)   Up       Idle     Idle       Idle

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE: Both FortiSwitch units must be of the same model. The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.

To replace a managed FortiSwitch unit:

  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version on page 100.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

config vdom
    edit <VDOM_name>
        execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom
    edit vdom_new
        execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.

Managed FortiSwitch Troubleshooting


Troubleshooting

Troubleshooting FortiLink issues

If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following troubleshooting checks.

Check the FortiGate configuration

To use the FortiGate GUI to check the FortiLink interface configuration:

  1. In Network > Interfaces, double-click the interface used for FortiLink.
  2. Ensure that Dedicated to FortiSwitch is set for this interface.

To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:

  1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list:

show system ntp

  2. Ensure that the DHCP server on the FortiLink interface is configured correctly:

show system dhcp

Check the FortiSwitch configuration

To use FortiSwitch CLI commands to check the FortiSwitch configuration:

  1. Verify that the switch system time matches the time on the FortiGate:

get system status

  2. Verify that the FortiGate has sent an IP address to the FortiSwitch (expect an IP address in the range 169.254.x.x):

get system interfaces

  3. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

To use FortiGate CLI commands to check the FortiSwitch configuration:

  1. Verify that the connections from the FortiGate to the FortiSwitch units are up:

exec switch-controller get-conn-status

  2. Verify that ports for a specific FortiSwitch stack are connected to the correct locations:

exec switch-controller get-physical-conn <FortiSwitch-Stack-ID>

  3. Verify that all the ports for a specific FortiSwitch are up:

exec switch-controller get-conn-status <FortiSwitch-device-ID>

Check FortiSwitch connections

Use the following CLI command for detailed diagnostic information on the managed FortiSwitch connections:

execute switch-controller diagnose-connection <FortiSwitch_serial_number>

If the FortiSwitch serial number is omitted, only the FortiLink configuration is checked.

Differences between models FortiOS 6.2


Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on these models are only available in the CLI.

FortiGate models differ principally by the names used and the features available:

  • Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.
  • Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature Visibility and confirm that the feature is enabled.

Menus – FortiOS 6.2


Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI as expected, go to System > Feature Visibility and ensure the feature is enabled. For more information, see Feature Visibility on page 18.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

  • Dashboard — Displays various widgets that show important system information and allow you to configure some system options. For more information, see Dashboard on page 16.
  • Security Fabric — Access the physical topology, logical topology, audit, and settings features of the Fortinet Security Fabric. For more information, see Security Fabric on page 72.
  • FortiView — A collection of dashboards and logs that give insight into network traffic, showing which users are creating the most traffic, what sort of traffic it is, when the traffic occurs, and what kind of threat the traffic may pose to the network.
  • Network — Options for networking, including configuring system interfaces and routing options. For more information, see Network Configurations on page 95.
  • System — Configure system settings, such as administrators, FortiGuard, and certificates. For more information, see System Configurations on page 150.
  • Policy & Objects — Configure firewall policies, protocol options, and supporting content for policies, including schedules, firewall addresses, and traffic shapers. For more information, see Policies and Objects on page 224.
  • Security Profiles — Configure your FortiGate's security features, including AntiVirus, Web Filtering, and Application Control. For more information, see Security Profiles on page 280.
  • VPN — Configure options for IPsec and SSL virtual private networks (VPNs). For more information, see IPsec VPNs on page 412 and SSL VPN on page 571.
  • User & Device — Configure user accounts, groups, and authentication methods, including external authentication and single sign-on (SSO).
  • WiFi & Switch Controller — Configure the unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi and FortiAP units. On certain FortiGate models, this menu has additional features allowing for FortiSwitch units to be managed by the FortiGate. For more information, see WiFi on page 639.
  • Log & Report — Configure logging and alert email as well as reports. For more information, see Log and Report on page 718.
  • Monitor — View a variety of monitors, including the Routing Monitor, VPN monitors for both IPsec and SSL, monitors relating to wireless networking, and more.

Dashboard – FortiOS 6.2


Dashboard

The FortiOS Dashboard consists of a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive. By clicking or hovering over most widgets, the user can see additional information or follow links to other pages.

The dashboard and its widgets include:

  • Multiple dashboard support
  • VDOM and global dashboards
  • Widget resize control
  • Notifications on the top header bar

The following widgets are displayed by default:

  • System Information — Lists information relevant to the FortiGate system, including hostname, serial number, and firmware.
  • Security Fabric — Displays a visual summary of many of the devices in the Fortinet Security Fabric.
  • CPU — The real-time CPU usage is displayed for different time frames.
  • Licenses — Hovering over the Licenses widget displays status information (and, where applicable, database information) on the licenses for FortiCare Support, Firmware & General Updates, AntiVirus, Web Filtering, Security Rating, FortiClient, and FortiToken. Note that Mobile Malware is not a separate service in FortiOS 6.0.0; the Mobile Malware subscription is included with the AntiVirus subscription. Clicking in the Licenses widget provides you with links to other pages, such as System > FortiGuard or contract renewal pages.
  • FortiCloud — Displays FortiCloud status and provides a link to activate FortiCloud.
  • Administrators — Allows you to view which administrators are logged in and how many sessions are active (a link directs you to a page displaying active administrator sessions), and all connected administrators and the protocols used by each.
  • Memory — Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays the percentage of memory used along with a timestamp.
  • Sessions — Hovering over the Sessions widget allows you to view memory usage data over time. Click on the down arrow to change the timeframe displayed. Security processing unit (SPU) percentage is displayed if your FortiGate includes an SPU. Likewise, nTurbo percentage is displayed if supported by your FortiGate.
  • Bandwidth — Hover over the Bandwidth widget to display bandwidth usage data over time. Click on the down arrow to change the timeframe displayed. Bandwidth is displayed for both incoming and outgoing traffic.
  • Virtual Machine — The VM widget (shown by default in the dashboard of a FortiOS VM device) includes license status and type, CPU allocation usage, license RAM usage, and VMX license information (if the VM supports VMX). If the VM license specifies 'unlimited', the progress bar is blank. If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows the number of evaluation days used.

The following optional widgets are also available:

  • FortiView
  • Host Scan Summary
  • Vulnerabilities Summary
  • Botnet Activity
  • HA Status
  • Log Rate
  • Session Rate
  • Security Fabric Score
  • Advanced Threat Protection Statistics
  • Interface Bandwidth

Modifying dashboard widget titles

Dashboard widget titles can be modified so that widgets with different filters applied can be easily differentiated. The widget has a default title unless you set a new title.

Syntax

config system admin
    edit <name>
        config gui-dashboard
            config widget
                edit 9
                    set type fortiview
                    …
                    set title "test source by bytes"
                next
            end
        end
    next
end

Feature Visibility – FortiOS 6.2


Feature Visibility

Feature Visibility is used to control which features are visible in the GUI. This allows you to hide features that are not being used. Some features are also disabled by default and must be enabled in order to configure them through the GUI.

Feature Visibility only alters the visibility of these features, rather than their functionality. For example, disabling web filtering on the Feature Visibility page does not remove web filtering from the FortiGate, but removes the option of configuring web filtering from the GUI. Configuration options will still be available using the CLI.

Enabling/disabling features

Feature Visibility can be found at System > Feature Visibility. Ensure that all features you wish to configure in the GUI are turned on, and that features you wish to hide are turned off. When you have finished, select Apply.

Security feature presets

The main security features can be toggled individually, however six system presets (or Feature Sets) are available:

  • NGFW should be chosen for networks that require application control and protection from external attacks.
  • ATP should be chosen for networks that require protection from viruses and other external threats.
  • WF should be chosen for networks that require web filtering.
  • NGFW + ATP should be chosen for networks that require protection from external threats and attacks.
  • UTM should be chosen for networks that require protection from external threats and wish to use security features that control network usage. This is the default setting.
  • Custom should be chosen for networks that require customization of available features (including the ability to select all features).

Tables – FortiOS 6.2


Tables

Many of the GUI pages contain tables of information that you can filter to display specific information. Administrators with read and write access can define the filters.

Navigation

Some tables contain information and lists that span multiple pages. Navigation controls appear at the bottom of the page.

Filters

Filters are used to locate a specific set of information or content within multiple pages. These are especially useful in locating specific log entries. The specific filtering options vary, depending on the type of information in the log.

To create a filter, select Add Filter at the top of the page. A list of the available fields for filtering will be shown.

Column settings

Column settings are used to select the types of information displayed on a certain page. Some pages have large amounts of information available and not all content can be displayed on a single screen. Some pages may even contain content that is irrelevant to you. Using column settings, you can choose to display only relevant content.

To configure column settings, right-click the header of a column, select the columns you wish to view, and deselect any you wish to hide. After you have finished making your selections, click Apply (you may need to scroll down the list to do so).

Any changes that you make to the column settings are stored in the unit’s configuration. To return columns to the default state for any given page, right-click any header and select Reset Table.

Copying objects

In tables containing configuration objects, such as the policy table found at Policy & Objects > IPv4 Policy, you have the option to copy an object. This allows you to create a copy of that object, which you can then configure as needed.

You can also reverse copy a policy to change the direction of the traffic impacted by that policy.

To copy an object:

  1. Select that object, then right-click to make a menu appear and select the Copy option.
  2. Right-click the row in the table that is either above or below where you want the copied object to be placed, select the Paste option and indicate Above or Below.

Reverse cloning works much the same way. Instead of selecting Copy, select Clone Reverse.

Once the policy is copied, you must give it a name, configure as needed, and enable it.

Editing objects

Some tables allow you to edit parts of the configuration directly on the table itself. For example, security features can be added to an existing firewall policy from the policy list by clicking on the plus sign in the Security Profiles column and selecting the desired profiles.

If this option is not immediately available, check to see that the column is not hidden (see Column settings). Otherwise, you must select the object and open the policy by selecting the Edit option found at the top of the page.


Text strings – FortiOS 6.2


Text strings

The configuration of a FortiGate is stored in the FortiOS configuration database. To change the configuration, you can use the GUI or CLI to add, delete, or change configuration settings. These changes are stored in the database as you make them. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable) settings.

Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a firewall address, the name of an administrative user, and so on. You can enter any character in a FortiGate configuration text string, except the following characters that present cross-site scripting (XSS) vulnerabilities:

  • " (double quote)
  • & (ampersand)
  • ' (single quote)
  • < (less than)
  • > (greater than)

Most GUI text string fields make it easy to add an acceptable number of characters and prevent you from adding the XSS vulnerability characters.

You can also use the tree command in the CLI to view the number of characters allowed in a name field. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the GUI, you are limited to entering 64 characters in the firewall address name field. From the CLI you can enter the following tree command to confirm that the firewall address name field allows 64 characters.

config firewall address
tree
-- [address] --*name (64)
        |- uuid
        |- subnet
        |- type
        |- start-ip
        |- end-ip
        |- fqdn (256)
        |- country (3)
        |- cache-ttl (0,86400)
        |- wildcard
        |- comment
        |- visibility
        |- associated-interface (36)
        |- color (0,32)
        |- [tags] --*name (65)
        +- allow-routing

The tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
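As an added example (not code from the page or from Fortinet), the following Python pre-check applies the two rules just described, the rejected XSS characters and the field limits from the tree output, to a firewall address entry before an automation script pushes it to a FortiGate. The field names and limits come from the tree output above; the sample entries are constructed.

```python
# Characters FortiOS refuses in configuration text strings because of the XSS
# risk when a name is rendered in the GUI.
FORBIDDEN_CHARS = frozenset('"&\'<>')

# Limits for firewall address fields, as shown by "config firewall address / tree"
# above: an int is a maximum length in characters, a tuple is an allowed
# numeric range.
ADDRESS_FIELD_LIMITS = {
    "name": 64,
    "fqdn": 256,
    "country": 3,
    "associated-interface": 36,
    "cache-ttl": (0, 86400),
    "color": (0, 32),
}


def check_text_string(value, max_len):
    """Problems with a configuration name: forbidden characters, excess length.
    Returns an empty list when the string is acceptable."""
    problems = []
    bad = sorted(FORBIDDEN_CHARS.intersection(value))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if len(value) > max_len:
        problems.append(f"length {len(value)} exceeds {max_len}")
    return problems


def check_address_entry(fields):
    """Validate a firewall address given as {field: value} before it is sent to
    the device; returns {field: [problems]} for the fields that failed.
    Fields without a documented limit in the tree output are passed through."""
    failures = {}
    for key, value in fields.items():
        limit = ADDRESS_FIELD_LIMITS.get(key)
        if limit is None:
            continue
        if isinstance(limit, tuple):
            low, high = limit
            try:
                number = int(value)
            except (TypeError, ValueError):
                failures[key] = [f"not an integer: {value!r}"]
                continue
            if not low <= number <= high:
                failures[key] = [f"{number} outside range {low}-{high}"]
        else:
            problems = check_text_string(str(value), limit)
            if problems:
                failures[key] = problems
    return failures


# Constructed sample entries (not from the page).
GOOD_ADDRESS = {"name": "web-servers", "subnet": "192.0.2.0/24", "color": 3}
BAD_ADDRESS = {"name": 'srv"<script>', "fqdn": "x" * 300, "cache-ttl": 90000}

if __name__ == "__main__":
    for entry in (GOOD_ADDRESS, BAD_ADDRESS):
        print(entry["name"], check_address_entry(entry) or "OK")
```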

Entering numeric values

Numeric values set various sizes, rates, addresses, and other numeric values (e.g. a static routing priority of 10, a port number of 8080, an IP address of 10.10.10.1). Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (e.g. the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base 10 numbers, but some fields, such as MAC addresses, require hexadecimal numbers.

Most GUI numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help text includes information about allowed numeric value ranges. Both the GUI and the CLI prevent you from entering invalid numbers.

Connecting to the CLI – FortiOS 6.2


Connecting to the CLI

You can access the CLI in three ways:

  • Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in some cases:
    • If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your computer's network settings for a peer connection.
    • Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, making local CLI access the only viable option.
  • SSH or Telnet access — Connect your computer through any network interface attached to one of the network ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears as a slide-out window.
  • FortiExplorer — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.

Local console

Local console connections to the CLI are formed by directly connecting your management computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:

  • A computer with an available serial communications (COM) port.
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
  • Terminal emulation software such as HyperTerminal for Microsoft Windows.

The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other terminal emulators.

To connect to the CLI using a local serial console connection

  1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.
  2. On your management computer, start HyperTerminal.
  3. For the Connection Description, enter a Name for the connection, and select OK.
  4. On the Connect using drop-down, select the communications (COM) port on your management computer you are using to connect to the FortiGate unit.
  5. Select OK.
  6. Select the following Port settings and select OK.
     Bits per second: 9600
     Data bits: 8
     Parity: None
     Stop bits: 1
     Flow control: None
  7. Press Enter or Return on your keyboard to connect to the CLI.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the admin account.)

The CLI displays the following text:

Welcome!

Type ? to list available commands.

You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

SSH or Telnet access

SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any intermediary network.

You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console connection or the GUI.

Requirements

  • A computer with an available serial communications (COM) port and RJ-45 port
  • Terminal emulation software such as HyperTerminal for Microsoft Windows
  • The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
  • A network cable
  • Prior configuration of the operating mode, network interface, and static route.

To enable SSH or Telnet access to the CLI using a local console connection

  1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port, or to a network through which your computer can reach the FortiGate unit.
  2. Note the number of the physical network port.
  3. Using a local console connection, connect and log into the CLI.
  4. Enter the following command:

config system interface
    edit <interface_str>
        set allowaccess <protocols_list>
    next
end

where:

  • <interface_str> is the name of the network interface associated with the physical network port and containing its number, such as port1.
  • <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such as https ssh telnet.
  5. To confirm the configuration, enter the command to display the network interface's settings:

show system interface <interface_str>

  6. The CLI displays the settings, including the allowed administrative access protocols, for the network interface.

Connecting using SSH

Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management computer to connect to the CLI.

Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support 3DES and Blowfish encryption algorithms for SSH.

Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections. The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using SSH

  1. On your management computer, start an SSH client.
  2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH administrative access.
  3. Set Port to 22.
  4. For the Connection type, select SSH.
  5. Select Open. The SSH client connects to the FortiGate unit.

The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate unit with no network hosts between them.

  6. Click Yes to verify the fingerprint and accept the FortiGate unit's SSH key. You will not be able to log in until you have accepted the key.
  7. The CLI displays a login prompt.
  8. Type a valid administrator account name (such as admin) and press Enter.
  9. Type the password for this administrator account and press Enter.

The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

Connecting using Telnet

Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management computer to connect to the CLI.

Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet connections.

To connect to the CLI using Telnet

  1. On your management computer, start a Telnet client.
  2. Connect to a FortiGate network interface on which you have enabled Telnet.
  3. Type a valid administrator account name (such as admin) and press Enter.
  4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.

CLI-only features – FortiOS 6.2


CLI-only features

As you can see in the Feature / Platform Matrix, the entry level models have a number of features that are only available using the CLI, rather than appearing in the GUI.

You can open the CLI console so that it automatically opens to the object you wish to configure. For example, to edit a firewall policy, right-click on the policy in the policy list (Policy & Objects > IPv4 Policy) and select Edit in CLI. The CLI console will appear, with the commands to access this part of the configuration added automatically.

Once you have access to the CLI, you can enter instructions for specific tasks that can be found throughout the FortiOS Handbook. Options are also available at the top of the CLI Console to Clear console, Download, and Copy to clipboard.

Refer to the CLI Reference for a list of the available commands.

CLI Command syntax – FortiOS 6.2


Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

Fortinet documentation uses the conventions below to describe valid command syntax.

Terminology

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects.

To describe the function of each word in the command line, especially if that nature has changed between firmware versions, Fortinet uses terms with the following definitions:

  • Command — A word that begins the command line and indicates an action that the FortiGate should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.
  • Sub-command — A config sub-command that is available only when nested within the scope of another command. After entering a command, its applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command. Indentation is used to indicate levels of nested commands. Not all top-level commands have sub-commands. Available sub-commands vary by their containing scope.
  • Object — A part of the configuration that contains tables and /or fields. Valid command lines must be specific enough to indicate an individual object.
  • Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.
  • Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate will discard the invalid table.
  • Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation.
  • Option — A kind of value that must be one or more words from a fixed set of options.

Indentation

Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping to distinguish those commands with extensive sub-commands.

The “next” line is entered at the same indentation-level as the previous “edit”, to mark where you would like to finish that table entry and move on to the next table entry; doing so will not mean that you have “left” that sub-command.

next

Below is an example command, with a sub-command of entries:

After entering settings for <2> and entering next, the <2> table entry is saved, and you are set back one level of indentation so you can continue to create more entries (if you wish).

This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering

end

Below is the same command and sub-command, except end has been entered instead of next after the sub-command:

Entering end will save the <2> table entry, but bring you out of the sub-command entirely; in this example, you would enter this when you don’t wish to continue creating new entries.

Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:

Notation

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

All syntax uses the following conventions:

Square brackets [ ]
An optional word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the word verbose and its accompanying option/s, such as verbose 3.

See Optional values and ranges below for more information.

Curly braces { }
A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Mutually exclusive options – delimited by vertical bars |
Both mutually and non-mutually exclusive commands use curly braces, since both provide multiple options; however, mutually exclusive commands divide each option with a pipe. This indicates that you are permitted to enter one option or the other:

{enable | disable}

Non-mutually exclusive options – delimited by spaces
Non-mutually exclusive commands do not use pipes to divide their options. In those circumstances, multiple options can be entered at once, as long as they are entered with a space separating each option:

{http https ping snmp ssh telnet}

Angle brackets < >
A word constrained by data type. The angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example, <retries_int> indicates that you should enter a number of retries as an integer.

Data types include:

  • <xxx_name>: A name referring to another part of the configuration, such as policy_A.
  • <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
  • <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
  • <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
  • <xxx_email>: An email address, such as admin@example.com.
  • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
  • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
  • <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.1/24.
  • <xxx_ipv4range>: A hyphen ( - )-delimited inclusive range of IPv4 addresses, such as 192.168.1.1-192.168.1.255.
  • <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • <xxx_v6mask>: An IPv6 netmask, such as /96.
  • <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
  • <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
  • <xxx_int>: An integer number that represents a metric, such as minutes_int for the number of minutes.
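As an added example (not Fortinet's code), the following Python checks a value against the data type named by the suffix of a <name_type> placeholder from the list above, and quotes a <xxx_str> value that contains spaces or special characters before it goes into a CLI line. The backslash escaping rule in quote_str is an assumption, not taken from the page.

```python
"""Added example (not Fortinet's code): validate a value against the data type
named by the suffix of a <name_type> placeholder, and quote <xxx_str> values that
hold spaces or special characters (the backslash escaping rule is an assumption)."""
import ipaddress
import re

_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def data_type(placeholder: str) -> str:
    """'<retries_int>' -> 'int'; the name before the underscore is descriptive only."""
    return placeholder.strip("<>").rsplit("_", 1)[-1]


def check(placeholder: str, value: str) -> bool:
    t = data_type(placeholder)
    try:
        if t == "int":
            return value.lstrip("-").isdigit()
        if t == "ipv4":
            return ipaddress.IPv4Address(value) is not None
        if t == "v4mask":                      # dotted decimal only, so a bare "24" is rejected
            return value.count(".") == 3 and ipaddress.IPv4Network(f"0.0.0.0/{value}") is not None
        if t == "ipv4mask":                    # address and netmask separated by one space
            addr, mask = value.split()
            return check("<x_ipv4>", addr) and check("<x_v4mask>", mask)
        if t == "ipv4/mask":
            return ipaddress.IPv4Network(value, strict=False) is not None
        if t == "ipv4range":                   # inclusive, hyphen-delimited, low address first
            lo, hi = (ipaddress.IPv4Address(p) for p in value.split("-"))
            return lo <= hi
        if t == "ipv6":
            return ipaddress.IPv6Address(value) is not None
        if t == "v6mask":
            m = re.fullmatch(r"/(\d{1,3})", value)
            return m is not None and int(m.group(1)) <= 128
        if t == "fqdn":
            return _FQDN.match(value) is not None
        if t == "email":
            return _EMAIL.match(value) is not None
        if t in ("str", "name", "index", "pattern"):
            return value != ""
    except ValueError:                         # ipaddress raises on malformed input
        return False
    raise KeyError(f"unknown data type suffix {t!r}")


def quote_str(value: str) -> str:
    """Quote a <xxx_str> value when it contains spaces or special characters."""
    if re.fullmatch(r"[A-Za-z0-9_.@:/-]+", value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
```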

Optional values and ranges

Any field that is optional will use square brackets, such as set comment. This is because it does not matter whether the field is set or not; the overall config command will still be accepted.

Another example of where square-brackets would be used is to show that multiple options can be set, even intermixed with ranges. The example below shows a field that can be set to either a specific value or range, or multiple instances:

config firewall service custom
    set iprange <range1> [<range2> <range3> …]
end

Sub-commands

Each command line consists of a command word that is usually followed by configuration data or other specific item that the command uses or affects:

get system admin

Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the command prompt changes to indicate the name of the current command scope. For example, after entering:

config system admin

the command prompt becomes:

(admin)#

Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an additional level into another sub-command.

For example, the edit sub-command is available only within a command that affects tables; the next sub-command is available only from within the edit sub-command:

config system interface
    edit port1
        set status up
    next
end

Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands might become available:

  • commands affecting fields
  • commands affecting tables

Commands for tables

clone <table>   Clone (or make a copy of) a table from the current object.

For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30:

clone 27 to 30

In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:

clone av_pro_1 to av_pro_2

clone may not be available for all tables.

delete <table>   Remove a table from the current object.

For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.

delete is only available within objects containing tables.

edit <table>   Create or edit a table in the current object.

For example, in config system admin:

  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by typing edit newadmin.

edit is an interactive sub-command: further sub-commands are available from within edit. edit changes the prompt to reflect the table you are currently editing. edit is only available within objects containing tables.

In objects such as security policies, <table> is a sequence number. To create a new entry without the risk of overwriting an existing one, enter edit 0. The CLI initially confirms the creation of entry 0, but assigns the next unused number after you finish editing and enter end.

end   Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

get   List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.

For more information on get commands, see the CLI Reference.

purge   Remove all tables in the current object.

For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users.

purge is only available for objects containing tables.

Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.

Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.

rename <table> to <table>   Rename a table.

For example, in config system admin, you could rename admin3 to fwadmin by typing rename admin3 to fwadmin.

rename is only available within objects containing tables.

show   Display changes to the default configuration. Changes are listed in the form of configuration commands.

Example of table commands

From within the system admin object, you might enter:

edit admin_1

The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1 table:

new entry ‘admin_1’ added

(admin_1)#

Commands for fields

abort   Exit both the edit and/or config commands without saving the fields.
append   Add an option to an existing list.
end   Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).
get   List the configuration of the current object or table.

  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
move   Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.
next   Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).

next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.

next is only available from a table prompt; it is not available from an object prompt.

select   Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

set <field> <value>   Set a field’s value.

For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.

Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.

show   Display changes to the default configuration. Changes are listed in the form of configuration commands.
unselect   Remove an option from an existing list.
unset <field>   Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).

Example of field commands

To assign the value my1stExamplePassword to the password field, enter the following command from within the admin_1 table:

set password my1stExamplePassword

Next, to save the changes and edit the next administrator’s table, enter the next command.
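The scope rules from the Indentation and Sub-commands sections (config/edit/next/end) and the field-command semantics above (set replaces a whole list, append adds to it, unselect removes from it, select keeps only the named options) are easy to get wrong when scripting configuration pushes or auditing a configuration backup. The following Python parser, an added example that is not Fortinet's code, reads a FortiOS-style CLI transcript into a nested dict and rejects next or edit used outside the scope that allows it; the SAMPLE transcript is constructed, and abort and unset are not modelled.

```python
"""Added example (not Fortinet's code): parse a FortiOS-style CLI transcript into a
nested dict, tracking config/edit/next/end scope and list field semantics."""
import shlex


class ScopeError(ValueError):
    """A command was used outside the scope that allows it."""


def parse_cli(text: str) -> dict:
    root: dict = {}
    stack: list = []          # entries of (kind, name, node); kind is "config" or "edit"
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        kind, node = (stack[-1][0], stack[-1][2]) if stack else (None, root)
        if cmd == "config":                       # descend into an object
            name = " ".join(args)
            stack.append(("config", name, node.setdefault(name, {})))
        elif cmd == "edit":                       # create or open a table in the object
            if kind != "config":
                raise ScopeError(f"line {lineno}: edit is only valid inside config")
            stack.append(("edit", args[0], node.setdefault(args[0], {})))
        elif cmd == "next":                       # save the table, stay in the object
            if kind != "edit":
                raise ScopeError(f"line {lineno}: next is only valid inside edit")
            stack.pop()
        elif cmd == "end":                        # save the table (if any) and leave config
            if kind is None:
                raise ScopeError(f"line {lineno}: end with no open config")
            stack.pop()
            if kind == "edit":
                stack.pop()
        elif cmd == "set":                        # replaces the whole list, never appends
            node[args[0]] = args[1:]
        elif cmd == "append":
            node[args[0]] = node.get(args[0], []) + args[1:]
        elif cmd == "unselect":
            node[args[0]] = [v for v in node.get(args[0], []) if v not in args[1:]]
        elif cmd == "select":                     # keep only the options named
            node[args[0]] = [v for v in node.get(args[0], []) if v in args[1:]]
        else:
            raise ScopeError(f"line {lineno}: unsupported command {cmd!r}")
    if stack:
        raise ScopeError(f"transcript ended inside {stack[-1][1]!r}")
    return root


SAMPLE = """config user group
    edit staff
        set member A B C D
        unselect member D
        select member B
    next
end"""
```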

Permissions – FortiOS 6.2


Permissions

Access profiles control which CLI commands an administrator account can access. Access profiles assign either read, write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete access to all CLI commands. For complete access to all commands, you must log in with an administrator account that has the super_admin access profile. By default the admin administrator account has the super_admin access profile.

Administrator accounts with the super_admin access profile are similar to a root administrator account: they always have full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts and changing other administrator account passwords.

Increasing the security of administrator accounts

Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.
