FortiSwitch-7.0.0-FortiSwitch Managed by FortiOS 7.0

FortiSwitch Managed by FortiOS
7.0
FortiSwitch 7.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
May 13, 2021

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0
11-700-691897-20210513
TABLE OF CONTENTS
Change log 8
Whatʼs new in FortiOS 7.0.0 9
GUI changes 9
CLI changes 9
GUI and CLI changes 11
Introduction 12
Supported models 12
Support of FortiLink features 13
Before you begin 13
Special notices 14
FortiSwitch management 15
Configuring FortiLink 15
1. Enabling the switch controller on the FortiGate unit 15
2. Configuring the FortiLink interface 16
3. Auto-discovery of the FortiSwitch ports 19
Deleting a FortiLink interface 21
Optional FortiLink configuration required before discovering and authorizing FortiSwitch
units 21
Migrating the configuration of standalone FortiSwitch units 21
VLAN interface templates for FortiSwitch units 22
Automatic provisioning of FortiSwitch firmware upon authorization 25
Discovering 27
Authorizing 27
Preparing the FortiSwitch unit 28
Optional FortiLink configuration 28
Using the FortiSwitch serial number for automatic name resolution 28
Changing the admin password on the FortiGate for all managed FortiSwitch units 29
Using automatic network detection and configuration 29
Limiting the number of parallel processes for FortiSwitch configuration 30
Configuring access to management and internal interfaces 30
Enabling FortiLink VLAN optimization 31
Configuring the MAC sync interval 31
Configuring the FortiSwitch management port 31
Multiple FortiLink interfaces 32
Grouping FortiSwitch units 32
Disabling stacking 38
Determining the network topology 39
Single FortiGate managing a single FortiSwitch unit 39
Single FortiGate unit managing a stack of several FortiSwitch units 40
HA-mode FortiGate units managing a single FortiSwitch unit 41
HA-mode FortiGate units managing a stack of several FortiSwitch units 42
HA-mode FortiGate units managing a FortiSwitch two-tier topology 43
Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software 44
FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 3

Fortinet, Inc.
switch interface)
HA-mode FortiGate units using hardware-switch interfaces and STP 44
FortiLink over a point-to-point layer-2 network 45
FortiLink mode over a layer-3 network 46
In-band management 46
Out-of-band management 48
Other topologies 49
Limitations 50
Switch redundancy with MCLAG 50
Standalone FortiGate unit with dual-homed FortiSwitch access 50
HA-mode FortiGate units with dual-homed FortiSwitch access 51
HA-mode one-tier MCLAG 52
FortiLink with an HA cluster of four FortiGate units 53
HA-mode FortiGate units in different sites 54
Isolated LAN/WAN with multiple FortiLink interfaces 55
Three-tier FortiLink MCLAG configuration 56
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG 57
MCLAG peer groups 59
MCLAG requirements 59
Transitioning from a FortiLink split interface to a FortiLink MCLAG 59
Deploying MCLAG topologies 61
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG 62
Multi-tiered MCLAG with HA-mode FortiGate units 63
HA-mode FortiGate units in different sites 65
Configuring FortiSwitch VLANs and ports 69
Configuring VLANs 69
Creating VLANs 69
Viewing FortiSwitch VLANs 71
Changing the VLAN configuration mode 72
Configuring ports using the GUI 72
Configuring port speed and status 72
Configuring PoE 73
Enabling PoE on the port 73
Enabling PoE pre-standard detection 73
Resetting the PoE port 74
Displaying general PoE status 74
Adding 802.3ad link aggregation groups (trunks) 75
MCLAG trunks 76
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode 78
Configuring split ports on a previously discovered FortiSwitch unit 78
Configuring split ports with a new FortiSwitch unit 79
Configuring forward error correction on switch ports 79
Configuring a split port on the FortiSwitch unit 80
Restricting the type of frames allowed through IEEE 802.1Q ports 81
Multitenancy and VDOMs 82
FortiSwitch ports dedicated to VDOMs 82
FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports 85

Fortinet, Inc.
Configuring switching features 86
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports 86
Configuring edge ports 87
Configuring loop guard 88
Configuring STP settings 88
Configuring STP on FortiSwitch ports 89
Configuring STP root guard 91
Configuring STP BPDU guard 92
Configuring interoperation with per-VLAN RSTP 93
Dynamic MAC address learning 94
Limiting the number of learned MAC addresses on a FortiSwitch interface 95
Controlling how long learned MAC addresses are saved 96
Logging violations of the MAC address learning limit 96
Persistent (sticky) MAC addresses 97
Logging changes to MAC addresses 97
Configuring storm control 98
Configuring IGMP-snooping settings 99
Configuring global IGMP-snooping settings 99
Configuring IGMP-snooping settings on a switch 99
Configuring IGMP proxy 100
Configuring PTP transparent-clock mode 101
Device detection 103
Enabling network-assisted device detection 103
Voice device detection 103
Configuring IoT detection 110
Configuring LLDP-MED settings 111
Creating LLDP asset tags for each managed FortiSwitch 113
Adding media endpoint discovery (MED) to an LLDP configuration 114
Displaying LLDP information 114
Configuring the LLDP settings 115
FortiSwitch security 117
FortiSwitch network access control 117
Summary of the procedure 117
Defining a FortiSwitch NAC VLAN 117
Configuring the FortiSwitch NAC settings 119
Defining a FortiSwitch NAC policy 120
Viewing the devices that match the NAC policy 124
Using the FortiSwitch NAC VLAN widget 125
Configuring dynamic port policy rules 126
Set the access mode and port policy for the port 126
Set the FortiLink policy settings to the FortiLink interface 127
Create the FortiLink policy settings 127
Create the dynamic port policy rule 128
Set how often the dynamic port policy engine runs 129
FortiSwitch security policies 129
Number of devices supported per port for 802.1x MAC-based authentication 130
Configuring the 802.1x settings for a virtual domain 131

Fortinet, Inc.
Overriding the virtual domain settings 131
Defining an 802.1x security policy 132
Applying an 802.1x security policy to a FortiSwitch port 134
Testing 802.1x authentication with monitor mode 134
RADIUS accounting support 134
RADIUS change of authorization (CoA) support 135
802.1x authentication deployment example 138
Detailed deployment notes 139
Configuring the DHCP trust setting 140
Configuring dynamic ARP inspection (DAI) 141
Configuring IPv4 source guard 141
Enabling IPv4 source guard 142
Creating static entries 142
Checking the IPv4 source-guard entries 143
Security Fabric showing 143
Blocking intra-VLAN traffic 144
Quarantines 146
Quarantining MAC addresses 146
Using quarantine with DHCP 149
Using quarantine with 802.1x MAC-based authentication 150
Viewing quarantine entries 152
Releasing MAC addresses from quarantine 154
Optimizing the FortiSwitch network 156
Configuring QoS with managed FortiSwitch units 158
Configuring ECN for managed FortiSwitch devices 160
Logging and monitoring 161
FortiSwitch log settings 161
Exporting logs to FortiGate 161
Sending logs to a remote Syslog server 162
Configuring FortiSwitch port mirroring 162
Configuring SNMP 165
Configuring SNMP globally 165
Configuring SNMP locally 167
Configuring sFlow 168
Configuring flow tracking and export 170
Configuring flow control and ingress pause metering 171
Operation and maintenance 173
Discovering, authorizing, and deauthorizing FortiSwitch units 173
Editing a managed FortiSwitch unit 173
Adding preauthorized FortiSwitch units 174
Authorizing the FortiSwitch unit 174
Deauthorizing FortiSwitch units 174
Converting to FortiSwitch standalone mode 175
Managed FortiSwitch display 175
Cloud icon indicates that the FortiSwitch unit is managed over layer 3 176
Diagnostics and tools 177

Fortinet, Inc.
Making the LEDs blink 179
Runnng the cable test 179
FortiSwitch ports display 180
FortiSwitch per-port device visibility 180
Displaying, resetting, and restoring port statistics 181
Network interface display 182
Data statistics 182
Sample topology 183
Synchronizing the FortiGate unit with the managed FortiSwitch units 184
Viewing and upgrading the FortiSwitch firmware version 184
Canceling pending or downloading FortiSwitch upgrades 185
Registering FortiSwitch to FortiCloud 185
Replacing a managed FortiSwitch unit 188
Executing custom FortiSwitch scripts 194
Creating a custom script 194
Executing a custom script once 194
Binding a custom script to a managed switch 194
Resetting PoE-enabled ports 195

Fortinet, Inc.
Change log
Date Change Description
March 30, 2021 Initial document release for FortiOS 7.0.0
April 2, 2021 Updated the following sections:
l “What’s new in FortiOS 7.0.0”
l “FIPS 140-2 support in FortiLink mode”
l “FortiSwitch network access control”
April 5, 2021 Removed the “FIPS 140-2 support in FortiLink mode” section.
April 7, 2021 Updated the “What’s new in FortiOS 7.0.0” section.
April 9, 2021 Updated the following sections:
l “What’s new in FortiOS 7.0.0”
l “Using the FortiSwitch NAC VLAN widget”
April 26, 2021 Added link for the FortiSwitchOS feature matrix. Updated the “Configuring SNMP locally”
section.
April 29, 2021 l Updated the “Configuring SNMP” section.
l Added the “Configuring IGMP proxy” section.
l Updated the “Voice device detection” section.
May 10, 2021 Updated the “Creating a device policy” and “Configuring dynamic port policy rules” sections.
May 13, 2021 Updated the “Configuring ports using the GUI” section.

Fortinet, Inc.
Whatʼs new in FortiOS 7.0.0
The following list contains new managed FortiSwitch features added in FortiOS 7.0.0. Click on a link to navigate to that
section for further information.
GUI changes
l Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating

page to help optimize your network:
l Check if the quarantine bounce port option is enabled.
l Check if the PoE status of the switch controller auto-config default policy is enabled.
l Check if PoE pre-standard detection for all user ports is enabled.
See Optimizing the FortiSwitch network on page 156.
l You can now use the GUI to view and configure FortiSwitch ports that are shared between VDOMs. To share
FortiSwitch ports between VDOMs, you must use the CLI. Go to WiFi & Switch Controller > FortiSwitch Ports to view
the shared FortiSwitch ports and edit them. See FortiSwitch VLANs from different VDOMs sharing the same
FortiSwitch ports on page 85.
l A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. See Cloud icon indicates that
the FortiSwitch unit is managed over layer 3 on page 176.
l The new FortiSwitch NAC VLANs widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When
expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen. See
Using the FortiSwitch NAC VLAN widget on page 125.
l There have been GUI updates to the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages to
simplify the configuration of NAC policies.
Previously, dynamic port policies had to be configured in the FortiSwitch Ports, FortiLink Interface, and FortiSwitch
NAC Policies pages. Now, configuring dynamic port polices is under the Dynamic Port Policies tab on the
FortiSwitch Port Policies page. For more information about dynamic port policies, see Configuring dynamic port
policy rules on page 126.
l The FortiSwitch NAC Policies page is now the NAC Policies page.
l The access mode of each FortiSwitch port is listed in the Mode column in the FortiSwitch Ports page. Right-click in
the Mode column to select the access mode of the port:
l Static—The port does not use a dynamic port policy or FortiSwitch NAC policy.
l Assign Port Policy—The port uses a dynamic port policy.
l NAC—The port uses a FortiSwitch NAC policy.
CLI changes
l New FortiOS commands allow you to enable the automatic provisioning of FortiSwitch firmware after authorization.
On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate
models without a disk, one FortiSwitchOS image can be uploaded. See Automatic provisioning of FortiSwitch
firmware upon authorization on page 25.

Fortinet, Inc.
l When a FortiSwitch upgrade cannot be completed (because of connectivity issues, for example), you can cancel
the upgrade with a new FortiOS command:

execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_ number>
| switch-group <switch_group_ID>}

See Canceling pending or downloading FortiSwitch upgrades on page 185.
l Supported managed-switch ports can be configured with a forward error correction (FEC) state of Clause 74 FC-
FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports. See Configuring forward error correction on
switch ports on page 79.
l A new FortiOS command allows you to control the cipher used by the switch-controller CAPWAP:

config switch-controller system
set tunnel-mode {compatible | strict}
end

By default, tunnel-mode is set to compatible, which lets the switch-controller CAPWAP use AES128-
SHA:DES-CBC3-SHA. If you set tunnel-mode to strict, the switch-controller CAPWAP uses the cipher set in
FortiOS.
l You can now manually create an inter-switch link (ISL) trunk. You can also enable or disable automatic VLAN
configuration on the manually created (static) ISL trunk. See Static ISL trunks on page 21.
l Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following
managed FortiSwitch models:
l FS-424E
l FS-424E-FPOE
l FS-M426E-FPOE
l FS-424E-Fiber
l FS-448E
l FS-448E-FPOE
l FS-1048E
l FS-3032E
l There are more authentication protocols and privacy (encryption) protocols supported under the config switch-
controller snmp-user command. The following authentication protocols are available for the set auth-
proto command:
l HMAC-MD5-96
l HMAC-SHA-1
l HMAC-SHA-224
l HMAC-SHA-256
l HMAC-SHA-384
l HMAC-SHA-512
The following privacy (encryption) protocols are available for the set priv-proto command:
l CFB128-AES-128 symmetric encryption protocol
l CFB128-AES-192-C symmetric encryption protocol
l CFB128-AES-256-C symmetric encryption protocol
l CBC-DES symmetric encryption protocol
See Configuring SNMP on page 165.

Fortinet, Inc.
l There were some FortiOS CLI changes for the FortiSwitch network access control. The set switch-port-
policy command under config user nac-policy was removed. The config switch-controller nac-
settings command is now the config switch-controller fortilink-settings command. See
FortiSwitch network access control on page 117.
GUI and CLI changes
l You can now specify rules that dynamically determine port policies. After you create the FortiLink policy settings,
you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller
actions control the portʼs properties. See Configuring dynamic port policy rules on page 126.
l The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when
a device first connects to a switch port or when a device goes from offline to online. This process has been
optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.
These optimizations include the following:
l A new event-based approach.
l A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an
event.
l NAC inactive timers are now applied to the NAC MAC cache table.
l Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The
range is 5 to 60 seconds, and the default setting is 15 seconds.
Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch
port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a
minimum nac-periodic-interval of 5 seconds. See FortiSwitch network access control on page 117.

Fortinet, Inc.
Introduction
Introduction
This section provides information about how to set up and configure managed FortiSwitch units using the FortiGate unit
(termed “using FortiSwitch in FortiLink mode”).
NOTE: FortiLink is not supported in transparent mode.
The maximum number of supported FortiSwitch units depends on the FortiGate model:
FortiGate Model Range Number of

FortiSwitch Units
Supported
FortiGate 40F, 91E, FortiGate-VM01, 8
FortiGate 60F, 6xE, 80F, 8xE, 90E 16
FortiGate 100D, FortiGate-VM02 24
FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE 32
FortiGate 200E, 201E 64
FortiGate 300D to 500D 48
FortiGate 300E to 500E 72
FortiGate 600D to 900D and FortiGate-VM04 64
FortiGate 600E to 900E 96
FortiGate 1000D to 15xxD 128
FortiGate 1100E to 25xxE 196
FortiGate-3xxx and up and FortiGate-VM08 and up 300
Supported models
Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.

New models (NPI releases) might not support FortiLink. Contact Customer Service & Support
to check support for FortiLink.

Fortinet, Inc.
Introduction
Support of FortiLink features
Refer to the FortiSwitchOS feature matrix for details about the FortiLink features supported by each FortiSwitch model.
Before you begin
Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this
manual:
l You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your
FortiSwitch model, and you have administrative access to the FortiSwitch GUI and CLI.
l You have installed a FortiGate unit on your network and have administrative access to the FortiGate GUI and CLI.

Fortinet, Inc.
Special notices
Special notices
There is an additional command available only on the FG-92D model:
config system global
set hw-switch-ether-filter {enable | disable}
end

By default, the hw-switch-ether-filter command is enabled. When the command is enabled:
l ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
l BPDUs are dropped, and no STP loop results.
l PPPoE packets are dropped.
l IPv6 packets are dropped.
l FortiSwitch devices are not discovered.
l HA might fail to form depending on the network topology.
When the hw-switch-ether-filter command is disabled, all packet types are allowed, but, depending on the
network topology, an STP loop might result.
To work around this issue:
1. Use either WAN1 or WAN2 as the HA heartbeat device.
2. Disable the hw-switch-ether-filter option.

Fortinet, Inc.
FortiSwitch management
This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink
connection.
In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch
ports (depending on the model) support auto-discovery of the FortiLink ports.
You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group,
hardware switch, or software switch).
NOTE: FortiSwitch units, when used in FortiLink mode, support only the default administrative access HTTPS port (443).
This section covers the following topics:
l Configuring FortiLink on page 15
l Optional FortiLink configuration required before discovering and authorizing FortiSwitch units on page 21
l Discovering on page 27
l Optional FortiLink configuration on page 28
l Disabling stacking on page 38
Configuring FortiLink
You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing
this section. Some settings are only possible when the FortiGate unit has not authorized any
switches.
To configure FortiLink:
1. Enabling the switch controller on the FortiGate unit on page 15
2. Configuring the FortiLink interface on page 16
3. Auto-discovery of the FortiSwitch ports on page 19
1. Enabling the switch controller on the FortiGate unit
Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the
FortiGate unit with the FortiGate GUI or CLI to enable the switch controller. Depending on the FortiGate model and
software release, this feature might be enabled by default.
Using the FortiGate GUI
1. Go to System > Feature Visibility.

2. Turn on the Switch Controller feature, which is in the Core Features list.
3. Select Apply.

Fortinet, Inc.
The menu option WiFi & Switch Controller now appears.
Using the FortiGate CLI
Use the following commands to enable the switch controller:
set switch-controller enable
end
2. Configuring the FortiLink interface
The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support
the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet recommends
keeping the default type of the FortiLink; however, if a physcial interface or soft-switch interface type is required, the
interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can be deleted.
The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network topology
on page 39.
This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.
You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the
CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration
steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
Configure the FortiLink interface
To configure the FortiLink interface on the FortiGate unit:
1. Go to WiFi & Switch Controller > FortiLink Interface.

2. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the
FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
3. Configure the IP/Network Mask for your network.
4. Select Automatically authorize devices.
5. Select Apply.
FortiLink split interface
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).
The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.
NOTE: The FortiLink split interface is required before enabling MCLAG. See MCLAG peer groups on page 59.

Fortinet, Inc.
Using the FortiGate GUI:

2. Move the FortiLink split interface slider
Using the FortiGate CLI:
config system interface
edit <name of the FortiLink
interface>
set fortilink-split-interface {enable | disable}
end
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI
because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG)
with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can also configure FortiLink mode over a layer-3 network.
Summary of the procedure
1. On the FortiGate unit, configure the FortiLink interface.
2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.
For example, if the IP address, members, and automatic FortiSwitch authorization are enabled:
edit "fortilink"
set ip 172.16.16.254 255.255.255.0
set member "port9" "port10"
set auto-auth-extension-device enable
next
end
If required, remove a physical port from the lan interface:
config system virtual-switch
edit lan
config port
delete port1
end
end
end
2.1 Custom FortiLink interfaces
Choosing the FortiGate ports
The FortiLink can consist of a single (physical) or multiple ports (802.3ad aggregate, hardware switch, or software
switch).
FortiLink is supported on all Ethernet ports except HA and MGMT.

Fortinet, Inc.
If the default FortiLink interface was removed, on the FortiGate GUI, edit the interface and select Dedicated to
FortiSwitch. Optionally, set the IP address and enable auto-authorization. Disable the split-interface if the interface is the
aggregate type and is connecting all members to the same FortiSwitch unit.
NOTE: The FortiLink interface type is dependent upon the network topology to be deployed. See Determining the
network topology on page 39.
Configure FortiLink on a physical port
Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.
In the following steps, port1 is configured as the FortiLink port.
1. Configure port1 as the FortiLink interface with the customer IP address and automatic authorization:

edit "port1"
set fortilink enable
set ip 172.16.16.254 255.255.255.0
set auto-auth-extension-device enable
next
end

If required, remove port1 from the lan interface:

edit lan
config port
delete port1
end
end
end

2. (Optional) Configure an NTP server on port1:

config system ntp
set server-mode enable
set interface port1
end

3. If automatic authorization is disabled, you need to manually authorize the FortiSwitch unit as a managed switch:

config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end

4. The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
Configure FortiLink on a logical interface
You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.

Fortinet, Inc.
LAG is supported on all FortiSwitch models. Check the FortiGate feature matrix to check which models support the
hardware switch and LAG (802.3ad aggregate) interfaces.
In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
Using the GUI:
To configure the FortiLink interface on the FortiGate unit:
1. Go to Network > Interfaces and click Create New.
2. Enter a name for the interface (11 characters maximum).
3. For the type, select 802.3ad aggregate.
4. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, edit the lan or
internal interface, delete the port from the Interface Members field, and then click OK.
5. Configure the IP/Network Mask for your network.
6. Select Automatically authorize devices.
7. Click Apply.
If you want to add a third FortiLink interface, go to WiFi & Switch Controller > FortiLink Interface and click Create
new.
Using the CLI:
1. If required, remove the FortiLink ports from the lan interface:

edit lan
config port
delete port4
delete port5
end
end
end

2. Create a trunk with the two ports that you connected to the switch:

edit flink1 (enter a name with a maximum of 11 characters)
set ip 172.16.16.254 255.255.255.0
set type aggregate
set member port4 port5
(optional) set fortilink-split-interface disable
next
end

NOTE: If the members of the aggregate interface connect to the same FortiSwitch unit, you must disable
fortilink-split-interface.
3. Auto-discovery of the FortiSwitch ports
NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology on page 39.

Fortinet, Inc.
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect
the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also
run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery enabled.
The following table lists the default auto-discovery ports for each switch model.
FortiSwitch Model Default Auto-FortiLink ports
FS-108D-POE port9–port10
FS-108E, FS-108E-POE, FS-108E-FPOE port7–port10
FSR-112D-POE port5–port12
FS-124D, FS-124D-POE port23–port26
FSR-124D port1-port4, port21–port28
FS-124E, FS-124E-POE, FS-124E-FPOE port21–port28
FS-148E, FS-148E-POE port21–port52
FS-224D-FPOE port21–port28
FS-224E, FS-224E-POE port21–port28
FS-248D, FS-248D-FPOE port45–port52
FS-248E-POE, FS-248E-FPOE port45–port52
FS-424D, FS-424D-POE, FS-424D-FPOE port23–port26
FS-424E-Fiber port1-port30
FS-426E-FPOE-MG port23-port30
FS-448D, FS-448D-POE, FS-448D-FPOE port45–port52
FS-524D, FS-524D-FPOE port21–port30
FS-548D port39–port54
FS-548D-FPOE, FS-548DN port45–port54
FS-1024D port1–port24
FS-1048D, FS-1048E port1–port52
FS-3032D, FS-3032E port1–port32
NOTE: Any port can be used for FortiLink if it is manually configured.
You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following
FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:
config switch interface
edit <port>
set auto-discovery-fortilink enable

Fortinet, Inc.
end
Automatic inter-switch links (ISLs)
After a FortiSwitch unit is discovered and in FortiLink mode, all ports are enabled for FortiLink. Connect another
FortiSwitch unit to any of the already discovered FortiSwitch ports, and the ISL is formed automatically, and the new unit
is discovered by the FortiGate unit.
Static ISL trunks
In some cases, you might want to manually create an ISL trunk, for example, for FortiLink mode over a point-to-point
layer-2 network or for FortiLink mode over a layer-3 network. You can also enable or disable automatic VLAN
configuration on the manually created (static) ISL trunk.
To manually create an ISL trunk:
config switch trunk
edit "<trunk_name>"
set static-isl enable
set static-isl-auto-vlan {enable | disable}
end
Deleting a FortiLink interface
If you have any problems with deleting a FortiLink interface, disable it first using the CLI:
edit <FortiLink_interface_name>
set fortilink disable
end
Optional FortiLink configuration required before discovering and

authorizing FortiSwitch units
l Migrating the configuration of standalone FortiSwitch units on page 21
l VLAN interface templates for FortiSwitch units on page 22
l Automatic provisioning of FortiSwitch firmware upon authorization on page 25
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To
save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch
units to a combined FortiGate-compatible configuration.

Fortinet, Inc.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
VLAN interface templates for FortiSwitch units
NOTE: You can only create VLAN interface templates when the FortiGate device has not authorized any FortiSwitch
units yet, so only physically connect the FortiSwitch unit to the FortiGate device after completing this section.
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices
when they are discovered and managed by the FortiGate device.
For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN
interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
l root VDOM: The interface names are the same as the template names.
l other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For
example, if the template name is quarantined and the SNMP index is 29, the interface name is
quarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
edit <fortilink interface>
set switch-controller-mgmt-vlan <integer>
next
end
The management VLAN can be a number from 1 to 4094. the default value is 4094.
Create VLAN interface templates
To configure the VLAN interface templates:
config switch-controller initial-config template
edit <template_name>
set vlanid <integer>
set ip <ip/netmask>
set allowaccess {options}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
next
end
<template_name> The name, or part of the name, of the
template.
vlanid <integer> The unique VLAN ID for the type of
traffic the template is assigned to (1-
4094; the default is 4094)

Fortinet, Inc.
ip <ip/netmask> The IP address and subnet mask of
the switch VLAN interface. This can
only be configured when auto-ip is
disabled.
allowaccess {options} The permitted types of management
access to this interface.
auto-ip {enable | disable} When enabled, the switch-controller
will pick an unused 24 bit subnet from
the
switch-controller-reserved-network
(configured in config system global).
dhcp-server {enable | disable} When enabled, the switch-controller
will create a DHCP server for the
switch VLAN interface
To assign the templates to the specific traffic types:
config switch-controller initial-config vlans
set default-vlan <template>
set quarantine <template>
set rspan <template>
set voice <template>
set video <template>
set nac <template>
end
default-vlan <template> Default VLAN assigned to all switch ports upon discovery.
quarantine <template> VLAN for quarantined traffic.
rspan <template> VLAN for RSPAN/ERSPAN mirrored traffic.
voice <template> VLAN dedicated for voice devices.
video <template> VLAN dedicated for video devices.
nac <template> VLAN for NAC onboarding devices.
To configure the network subnet that is reserved for the switch controller:
set switch-controller-reserved-network <ip/netmask>
end
The default value is 169.254.0.0 255.255.0.0.
Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have
DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are
automatically created.

Fortinet, Inc.
To configure six templates and apply them to VLAN traffic types:
edit "default"
set vlanid 1
set auto-ip disable
next
edit "quarantine"
set vlanid 4093
set dhcp-server enable
next
edit "rspan"
set vlanid 4092
next
edit "voice"
set vlanid 4091
next
edit "video"
set vlanid 4090
next
edit "onboarding"
set vlanid 4089
next
end
config switch-controller initial-config vlans
set default-vlan "default"
set quarantine "quarantine"
set rspan "rspan"
set voice "voice"
set video "video"
set nac "onboarding"
end
To see the automatically created VLANs and DHCP servers:
show system interface
edit "default"
set vdom "root"
set snmp-index 24
set switch-controller-feature default-vlan
set interface "fortilink"
set vlanid 1
next
edit "quarantine"
set vdom "root"
set ip 169.254.11.1 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-quarantine"
set device-identification enable
set snmp-index 25
set switch-controller-access-vlan enable
set switch-controller-feature quarantine

Fortinet, Inc.
set color 6
set vlanid 4093
next
...
end
show system dhcp server
edit 2
set dns-service local
set ntp-service local
set default-gateway 169.254.1.1
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 169.254.1.2
set end-ip 169.254.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 3
set dns-service default
set interface "quarantine"
config ip-range
edit 1
set start-ip 169.254.11.2
set end-ip 169.254.11.254
next
end
set timezone-option default
next
...
end
Automatic provisioning of FortiSwitch firmware upon authorization
FortiSwitch firmware images can be automatically provisioned after authorization. After a FortiSwitch unit is authorized
by FortiLink, its firmware is upgraded to the version provisioned by the administrator.
On FortiGate models that have a hard disk, up to four images for the same FortiSwitch model can be uploaded. For
FortiGate models without a hard disk, only one image can be uploaded for each FortiSwitch model.
To configure the automatic provisioning:
edit <FortiSwitch_serial_number>
set firmware-provision {enable | disable}
set firmware-provision-version <version>
next
end


Fortinet, Inc.
firmware-provision Enable or disable provisioning firmware to the FortiSwitch unit after authorization
{enable | disable} (the default is disable).
firmware-provision- The firmware version to provision the FortiSwitch unit with on bootup.
version <version>
The format is major_version.minor_version.build_number, for example, 6.4.0454.
Example
In this example, a FortiSwitch 248E-POE is upgraded from FortiSwitchOS 6.4.3 to 6.4.4.
To configure automatic provisioning and upgrade the FortiSwitch firmware after authorization:
1. Upload the FortiSwitch image to the FortiGate device and confirm that it was uploaded successfully:
# execute switch-controller switch-software upload tftp 248-454.out 172.18.60.160

Downloading file 248-454.out from tftp server 172.18.60.160...

###########################

Image checking ...

Image MD5 calculating ...

Image Saving S248EP-IMG.swtp ...

Successful!

File Syncing...

# execute switch-controller switch-software list-available

ImageName ImageSize(B) ImageInfo Uploaded Time

S248EP-v6.4-build454-IMG.swtp 28579517 S248EP-v6.4-build454 Mon Nov 30

15:06:07 2020
2. On the FortiSwitch unit, check the current version:
# get system status
Version: FortiSwitch-248E-POE v6.4.3,build0452,201029 (GA)

Serial-Number: S248EPTF18001842

BIOS version: 04000004

System Part-Number: P22169-02

Burn in MAC: 70:4c:a5:e1:53:f6

Hostname: S248EPTF18001842

Distribution: International

Branch point: 452

System time: Wed Dec 31 16:11:17 1969

3. On the FortiSwitch unit, change the management mode to FortiLink:
set switch-mgmt-mode fortilink
end

4. On the FortiGate device, enable firmware provisioning and specify the version:
edit S248EPTF18000000
set firmware-provision enable
set firmware-provision-version 6.4.0454

Fortinet, Inc.
next
end

5. On the FortiGate device, authorize the FortiSwitch unit:
edit S248EPTF18000000
set fsw-wan1-peer flink
next
end

6. When the authorized FortiSwitch unit is in FortiLink mode, it automatically starts upgrading to the provisioned
firmware:
# execute switch-controller get-upgrade-status
Device Running-version Status Next-boot

========================================================================================
===========================
VDOM : vdom1

FS1D243Z170000XX FS1D24-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle)
S248DN3X170002XX S248DN-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle)
S248EPTF18000000 S248EP-v6.4.3-build452,201029 (GA) (14/0/0) N/A
(Upgrading)
7. Check the version when the upgrade is complete:
# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : flink

SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME

NAME
FS1D243Z17000032 v6.4.0 (456) Authorized/Up - 169.254.1.3 Mon Nov 30

11:08:10 2020 -
S248DN3X170002XX v6.4.0 (456) Authorized/Up - 169.254.1.4 Mon Nov 30

11:08:32 2020 -
S248EPTF18000000 v6.4.4 (454) Authorized/Up C 169.254.1.6 Mon Nov 30
15:20:53 2020 -
Discovering
l Authorizing on page 27
l Preparing the FortiSwitch unit on page 28
Authorizing
If automatic authorization is disabled, you need to authorize the FortiSwitch unit as a managed switch:
edit FS224D3W14000370

Fortinet, Inc.
end
end
NOTE: After authorization, the FortiSwitch unit reboots in FortiLink mode.
Preparing the FortiSwitch unit
If the FortiSwitch unit is in the factory default configuration, it is ready to be connected to the FortiGate device. If the
FortiSwitch unit is not in the factory default configuration, log in to the FortiSwitch unit with the CLI and use the execute
factoryreset command to reset the FortiSwitch unit to the factory defaults
Optional FortiLink configuration
l Using the FortiSwitch serial number for automatic name resolution on page 28
l Changing the admin password on the FortiGate for all managed FortiSwitch units on page 29
l Using automatic network detection and configuration on page 29
l Limiting the number of parallel processes for FortiSwitch configuration on page 30
l Configuring access to management and internal interfaces on page 30
l Enabling FortiLink VLAN optimization on page 31
l Configuring the MAC sync interval on page 31
l Configuring the FortiSwitch management port on page 31
l Multiple FortiLink interfaces on page 32
l Grouping FortiSwitch units on page 32
Using the FortiSwitch serial number for automatic name resolution
By default, you can check that FortiSwitch unit is accessible from the FortiGate unit with the execute ping
<FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch
IP address, use the following commands:
config switch-controller global
set sn-dns-resolution enable
end
NOTE:The set sn-dns-resolution enable configuration is enabled by default.
Then you can use the execute ping <FortiSwitch_serial_ number>.<domain_name> command to check if
the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms


Fortinet, Inc.
Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the
FortiGate unit.
config system dns
set domain "fsw"
end

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is
accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes

--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all
FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the admin
password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set
password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end
Using automatic network detection and configuration
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICl, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuation policy"

Fortinet, Inc.
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end
NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.
To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
edit <policy_name>
set qos-policy <automatic-configuration QoS policy>
set storm-control-policy <automatic-configuation storm-control policy>
set poe-status {enable | disable}
set igmp-flood-report {enable | disable}
set igmp-flood-traffic {enable | disable}
end
Limiting the number of parallel processes for FortiSwitch configuration
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for
configuring FortiSwitch units:
config global
set parallel-process-override enable
set parallel-process <1-300>
end
end
Configuring access to management and internal interfaces
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different
access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access
security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end
set access-profile <name_of_policy>
end
For example:
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet

Fortinet, Inc.
end
edit S524DF4K15000024
set access-profile policy1
end

NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are
overridden by the default local-access security policy.
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
end
Enabling FortiLink VLAN optimization
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL
ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the
FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:
set vlan-optimization enable
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.
Configuring the MAC sync interval
Use the following commands to configure the global MAC synch interval.
The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the
default value is 60.
config switch-controller mac-sync-settings
set mac-sync-interval <30-600>
end
Configuring the FortiSwitch management port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In
FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch
management port.

Fortinet, Inc.
1. Go to Network > Static Routes > Create New > Route.
2. Set Destination to Subnet and enter a subnetwork and mask.
3. Set Device to the management interface.
4. Add a Gateway IP address.
Using the FortiSwitch CLI
Enter the following commands:
config router static
edit 1
set device mgmt
set gateway <router IP address>
set dst <router subnet> <subnet mask>
end
end
In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set dst 192.168.0.0 255.255.0.0
end
end
If provisioned with custom commands on the FortiGate device, the configuration is preserved on the FortiGate device.
See Executing custom FortiSwitch scripts on page 194.
Multiple FortiLink interfaces
If you are adding a second FortiLink interface, use the CLI to enable FortiLink. For example:
edit "fortilink_2"
next
end
After that, the interface is available in the GUI to complete the settings. Click Create to add additional FortiLink
interfaces.
Grouping FortiSwitch units
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can
include one or more FortiSwitch units and you can include different models in a group.
Using the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.

2. Select Create New > FortiSwitch Group.

Fortinet, Inc.
3. In the Name field, enter a name for the FortiSwitch group.
4. In the Members field, click + to select which switches to include in the FortiSwitch group.
5. In the Description field, enter a description of the FortiSwitch group.
6. Select OK.
Using the CLI:
config switch-controller switch-group
edit <name>
set description <string>
set members <serial-number> <serial-number> ...
end
end
Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. F
or example, you
can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group
Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section
for the procedure.
Firmware upgrade of stacked or tiered FortiSwitch units
In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-
FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit is
running FortiOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.

Fortinet, Inc.
To upgrade the firmware of stacked or tiered FortiSwitch units:
1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:
FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink


NAME
S108EF5918003577 v6.2.1 (176) Authorized/Up - 10.105.22.6 Thu Oct 24

10:47:27 2019 -
S108EP5918008265 v6.2.1 (176) Authorized/Up - 10.105.22.5 Thu Oct 24

10:47:20 2019 -
S224ENTF18001408 v6.2.1 (176) Authorized/Up - 10.105.22.2 Thu Oct 24

10:44:36 2019 -

10:44:49 2019 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration

sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)

2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the
HTTPS image push instead of the CAPWAP image push. For example:
FGT81ETK19001274 # config switch-controller global
FGT81ETK19001274 (global) # set https-image-push enable

FGT81ETK19001274 (global) # end


Fortinet, Inc.
3. Download the file for the FortiSwitchOS 6.2.2 GA build 194 in the FortiGate unit. For example:
FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-
build0194-FORTINET.out 10.105.16.15

Downloading file FSW_224E-v6-build0194-FORTINET.out from tftp server 10.105.16.15...

#########################

Image checking ...


Image Saving S224EN-IMG.swtp ...

Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_POE-

v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_POE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...

##################

Image checking ...


Image Saving S108EP-IMG.swtp ...

Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_FPOE-

v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_FPOE-v6-build0194-FORTINET.out from tftp server

10.105.16.15...
##################

Image checking ...


Image Saving S108EF-IMG.swtp ...

Successful!

File Syncing...

FGT81ETK19001274 #

4. Check the downloaded FortiSwitch image. For example:
FGT81ETK19001274 # execute switch-controller switch-software list-available

ImageName ImageSize(B) ImageInfo Uploaded Time

S108EF-IMG.swtp 19574769 S108EF-v6.2-build194 Thu Oct 24 13:03:51 2019

S108EP-IMG.swtp 19583362 S108EP-v6.2-build194 Thu Oct 24 13:03:23 2019

S224EN-IMG.swtp 27159659 S224EN-v6.2-build194 Thu Oct 24 13:03:02 2019

FGT81ETK19001274 #

5. Start the image staging. For example:
FGT81ETK19001274 # execute switch-controller switch-software stage all S224EN-IMG.swtp
Staged Image Version S224EN-v6.2-build194

Image staging operation is started for FortiSwitch S224ENTF18001408 ...

Image staging operation is started for FortiSwitch S224ENTF18001432 ...


Fortinet, Inc.

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EF-IMG.swtp

Staged Image Version S108EF-v6.2-build194

Image staging operation is started for FortiSwitch S108EF5918003577 ...

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EP-IMG.swtp

Staged Image Version S108EP-v6.2-build194

Image staging operation is started for FortiSwitch S108EP5918008265 ...

6. Check the status of the image staging. For example:
FGT81ETK19001274 # execute switch-controller get-upgrade-status

========================================================================================
===
VDOM : root

S224ENTF18001408 S224EN-v6.2.1-build176,190620 (GA) (100/0/0) S224EN-

v6.2-build176 (Staging)

v6.2-build176 (Staging)
S108EP5918008265 S108EP-v6.2.1-build176,190620 (GA) (18/0/0) S108EP-v6.2-

build176 (Staging)
S108EF5918003577 S108EF-v6.2.1-build176,190620 (GA) (25/0/0) S108EF-v6.2-

build176 (Staging)
7. Verify that the image staging has completed. For example:

========================================================================================
===
VDOM : root


v6.2-build194 (Idle)

S108EP5918008265 S108EP-v6.2.1-build176,190620 (GA) (0/100/100) S108EP-

S108EF5918003577 S108EF-v6.2.1-build176,190620 (GA) (0/100/100) S108EF-

8. Reboot all switches (or reboot the switches by group). For example:
FGT81ETK19001274 # execute switch-controller switch-action restart delay all
Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...


Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...

Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...

9. Check the status of the switch reboot. For example:
FGT81ETK19001274 # execute switch-controller switch-action restart delay all


Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...

Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...


Fortinet, Inc.
GT81ETK19001274 # execute switch-controller get-upgrade-status
F

========================================================================================
===
VDOM : root

S224ENTF18001408 Prepping for delayed restart triggered ...

please wait for switch to reboot in a moment
S224ENTF18001432 Prepping for delayed restart triggered ...

S108EP5918008265 Prepping for delayed restart triggered ...

S108EF5918003577 Prepping for delayed restart triggered ...






NAME
S108EF5918003577 v6.2.1 () Authorized/Down D 0.0.0.0 N/A

-
S108EP5918008265 v6.2.1 () Authorized/Down D 0.0.0.0 N/A

-
S224ENTF18001408 v6.2.1 () Authorized/Down D 0.0.0.0 N/A

-
S224ENTF18001432 v6.2.1 () Authorized/Down D 0.0.0.0 N/A

-


sync error

FGT81ETK19001274 #

10. Wait for a while before checking that all switches are online. For example:

========================================================================================
===
VDOM : root



S108EP5918008265 S108EP-v6.2.2-build194,191018 (GA) (0/100/100) S108EP-

S108EF5918003577 S108EF-v6.2.2-build194,191018 (GA) (0/100/100) S108EF-






Fortinet, Inc.
WITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME
S
NAME
S108EF5918003577 v6.2.2 (194) Authorized/Up - 10.105.22.6 Thu Oct 24

13:22:27 2019 -
S108EP5918008265 v6.2.2 (194) Authorized/Up - 10.105.22.5 Thu Oct 24

13:22:41 2019 -

13:20:11 2019 -

13:19:58 2019 -


sync error

FGT81ETK19001274 #

append disable-discovery S012345678
unselect disable-discovery S1234567890
end
Disabling stacking
To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the
FortiLink interface:
edit port4
set fortilink-stacking disable
end
end

Fortinet, Inc.
Determining the network topology
The FortiGate unit requires an active FortiLink interface to manage all of the subtending FortiSwitch units (called
stacking).
You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical
interfaces). Depending on the network topology, you can also configure a standby FortiLink.
NOTE: For any of the topologies:
l All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate unit manages each
FortiSwitch separately.
l The active FortiLink carries data as well as management traffic.
l Single FortiGate managing a single FortiSwitch unit on page 39
l Single FortiGate unit managing a stack of several FortiSwitch units on page 40
l HA-mode FortiGate units managing a single FortiSwitch unit on page 41
l HA-mode FortiGate units managing a stack of several FortiSwitch units on page 42
l HA-mode FortiGate units managing a FortiSwitch two-tier topology on page 43
l Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) on page
44
l HA-mode FortiGate units using hardware-switch interfaces and STP on page 44
l FortiLink over a point-to-point layer-2 network on page 45
l FortiLink mode over a layer-3 network on page 46
l Switch redundancy with MCLAG on page 50
Single FortiGate managing a single FortiSwitch unit
On the FortiGate unit, the FortiLink interface is configured as a physical or aggregate interface. The 802.3ad aggregate
interface type provides a logical grouping of one or more physical interfaces.
NOTE:
l For the aggregate interface, you must disable the split interface on the FortiGate unit.
l When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the
FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or later,
see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59 for details.

Fortinet, Inc.
Single FortiGate unit managing a stack of several FortiSwitch units
The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining
FortiSwitch units connect in a ring using inter-switch links (that is, ISL).
Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you create
a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
NOTE:
l Do not create loops or rings with the FortiGate unit in the path.

Fortinet, Inc.
HA-mode FortiGate units managing a single FortiSwitch unit
The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and interface
type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be
active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.

Fortinet, Inc.
HA-mode FortiGate units managing a stack of several FortiSwitch

units
The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last
FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.
When using an aggregate interface for the active/standby FortiLink configuration, make sure the FortiLink split interface
is enabled (this forces one link to be active and the rest to be standby links, which avoids loops in the network). This
option can be disabled later if you enable an MCLAG. See Transitioning from a FortiLink split interface to a FortiLink
MCLAG on page 59.
NOTE:
l Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be

Fortinet, Inc.
HA-mode FortiGate units managing a FortiSwitch two-tier topology
The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface
type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be

Fortinet, Inc.
Single FortiGate unit managing multiple FortiSwitch units (using a

hardware or software switch interface)
The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical
hardware-switch or software-switch interface on the FortiGate unit.
Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support
IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
NOTE:
l Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be
used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate
unit.
l Do not create loops or rings in this topology.
HA-mode FortiGate units using hardware-switch interfaces and STP
In most FortiLink topologies, MCLAG or LAG configurations are used for FortiSwitch redundancy. However, some
FortiGate models do not support the FortiLink aggregate interface, or some FortiSwitch models do not support MCLAG.
The following network topology uses a hardware-switch interface on each FortiGate unit. Each FortiSwitch unit is
connected to a single port of the hardware-switch interface of the FortiGate unit. The inter-switch link (ISL) between the
FortiSwitch units provides redundancy.
For this network topology to function, use the following commands on each FortiLink hardware-switch interface:

Fortinet, Inc.
edit <FortiLink_hardware_switch_interface>
set stp enable
end

NOTE:
l The FortiLink interface uses the Link Layer Discovery Protocol (LLDP) for neighbor detection. LLDP transmission
must be enabled with the set lldp-transmission enable command before enabling Spanning Tree Protocol
(STP).
l STP and STP forwarding are both supported by the FortiLink hardware-switch interface.
l The software-switch interface is not supported.

FortiLink over a point-to-point layer-2 network
Starting in FortiSwitchOS 6.4.0, you can run FortiLink mode over a point-to-point layer-2 network. You can form an inter-
switch link (ISL) between two FortiSwitch units over a layer-2 device or non-FortiSwitch device (such as a wireless
bridge). To create this topology, you configure ports on both ends of the link as described in the following procedure and,
optionally, configure the tag protocol identifier (TPID) between the two FortiSwitch units.
NOTE:
l The set fortilink-p2p command is available in FortiLink mode and standalone mode. The set fortilink-
p2p-tpid command is available only in FortiLink mode.
l The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-
POE, FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models support only
the default 0x8100 TPID; TPID changes are not supported.

1. Enable the FortiLink point-to-point network on each FortiSwitch unit:

config switch physical-port
edit <port_name>
set fortilink-p2p enable
end

2. Make certain that the FortiLink point-to-point TPID value is the same on each FortiSwitch unit. By default, it is
0x8100.

config switch global

Fortinet, Inc.
set fortilink-p2p-tpid <0x0001-0xfffe>
end
FortiLink mode over a layer-3 network
This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not
directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.
There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
l In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
l Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network
Starting in FortOS 6.4.3, you can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the
source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the
outbound interface as the source IP address if you prefer.
To use the FortiLink interface as the source IP address:
edit <FortiLink_interface>
set switch-controller-source-ip fixed
end
In-band management

Fortinet, Inc.
To configure a FortiSwitch unit to operate in a layer-3 network:
NOTE: You must enter these commands in the indicated order for this feature to work.
1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
2. Manually set the FortiSwitch unit to FortiLink mode:
set switch-mgmt-mode fortilink
end
3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to
find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-
code is 138.
To use DHCP discovery:
set ac-discovery-type dhcp
set dhcp-option-code <integer>
end
To use static discovery:
set ac-discovery-type static
config ac-list
edit <id>
set ipv4-address <IPv4_address>
next
end
end
4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit
is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network
with the following commands:
edit <port_number>
set fortilink-l3-mode enable
end
end
The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.
NOTE:
l Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
l The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server
must be reachable from the FortiSwitch unit.
l If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically
forms a link aggregation group (LAG) trunk that contains all fortilink-l3-mode-enabled ports as a single logical
interface.

Fortinet, Inc.
l If you have more than one port with fortilink-l3-mode enabled, all ports are automatically added to the __
FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP
mode.
l In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast
mode. The layer-3 discovery multicast mode is unsupported.
Connecting additional FortiSwitch units to the first FortiSwitch unit
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches
then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch
2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check that each
FortiSwitch unit can reach the FortiGate unit.
Out-of-band management
If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any
physical port because the mgmt port is directly connected to the layer-3 network.

Fortinet, Inc.
You can use the internal interface for one FortiSwitch island to connect to the layer-3 network
and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network.
Do not mix the internal interface connection and mgmt interface connection within a single
FortiSwitch island.
Other topologies
If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is
enabled on the FortiLink layer-3 trunk.
If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink
interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also
connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.
A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink
management interface.
You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to
different intermediary routers or switches is not supported.

Fortinet, Inc.
Limitations
The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
l No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the
FortiSwitch unit.
l All FortiSwitch units within an FortiSwitch island must be connected to the same FortiGate unit.
l The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-
configured destination, such as syslog or 802.1x.
l Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
l If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can
contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one
physical link, you can group the links as a link aggregation group (LAG).
l Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
l If the network has a wide geographic distribution, some features, such as software downloads, might operate
slowly.
l After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l NAT is not supported between the FortiSwitch unit and FortiGate unit.
Switch redundancy with MCLAG
The following network topologies provide switch redundancy with MCLAG:
l Standalone FortiGate unit with dual-homed FortiSwitch access on page 50
l HA-mode FortiGate units with dual-homed FortiSwitch access on page 51
l HA-mode one-tier MCLAG on page 52
l FortiLink with an HA cluster of four FortiGate units on page 53
l HA-mode FortiGate units in different sites on page 54
l Isolated LAN/WAN with multiple FortiLink interfaces on page 55
l Three-tier FortiLink MCLAG configuration on page 56
l Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG on page 57
Standalone FortiGate unit with dual-homed FortiSwitch access
This network topology provides high port density with two tiers of FortiSwitch units.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3 and FortiSwitch 4).
NOTE:
l On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They
are both enabled by default.
l Fortinet recommends using at least two links for ICL redundancy.

Fortinet, Inc.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
l On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
l The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink
trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks.
These settings are enabled by default.
l IGMP proxy must be enabled.
HA-mode FortiGate units with dual-homed FortiSwitch access
In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes
active.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically
established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).
NOTE:

Fortinet, Inc.
HA-mode one-tier MCLAG
HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a
stack in each IDF, connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that
contains one active link and one standby link).
NOTE:
l Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with
FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
l This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create
a similar topology.

Fortinet, Inc.
FortiLink with an HA cluster of four FortiGate units
A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is
called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed.
All cluster units must also have the same hardware configuration (for example, the same number of hard disks) and be
running in the same operating mode (NAT mode or transparent mode).
In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This
heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts
like a collection of standalone FortiGate units.
On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces,
the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation
and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization
information among the cluster units over the heartbeat interface link. This communication and synchronization is called
the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.
NOTE: You can create an FGCP cluster of up to four FortiGate units.
The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also
manages the two HA modes; active-passive (failover HA) and active-active (load-balancing HA).
The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to
improve reliability: if two cluster units fail the third will continue to operate and so on. A cluster of three or four units in
active-active mode may improve performance because another cluster unit is available for security profile processing.
However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the
additional performance achieved by adding the third cluster unit might not be worth the cost.
There are no special requirements for clusters of more than two units. Here are a few recommendations though:
l The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other. So each
unitʼs matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for

Fortinet, Inc.
heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so
communication can happen between all of the cluster units over the ha1 interface.
l Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting
each matching set of heartbeat interfaces to a different switch. This is not a requirement; however, and you can
connect both heartbeat interfaces of all cluster units to the same switch. However, if that switch fails the cluster will
stop forwarding traffic.
l For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of
heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
l Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two units
in a cluster.
l Virtual clustering can only be done with two FortiGate units.
l FortiSwitch units must be connected on a NAT VDOM.
The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build
1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:
HA-mode FortiGate units in different sites
There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive
HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of
limited physical connections between the two sites.
FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.
For example steps, refer to Deploying MCLAG topologies on page 61.
NOTE: Fortinet recommends using at least two links for ICL redundancy.

Fortinet, Inc.
Isolated LAN/WAN with multiple FortiLink interfaces
This topology makes use of two FortiLink interfaces to provide a dedicated switching layer for each part of the network,
LAN and WAN. Each FortiLink interface is independent with its own FortiSwitch VLANs, providing two separate FortiLink
stacks.
In this specific example, the FortiLink stack for the LAN networks consists of a two-tier MCLAG topology with dual-
homed access switches, whereas the WAN FortiLink stack has a one-tier MCLAG peer group connected to the ISP
routers.
Starting with FortiOS 6.4.2, you can use the GUI to entirely manage multiple FortiLink stacks.

Fortinet, Inc.
Three-tier FortiLink MCLAG configuration
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.
MCLAG can be deployed in up to three tiers to expand the FortiSwitch stack, offering link and switch redundancy with the
efficient use of the bandwidth because all links are active.
For the procedure, see Deploying MCLAG topologies on page 61.

Fortinet, Inc.
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before
creating a two-port LAG. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each
FortiSwitch unit. For the procedure, see Deploying MCLAG topologies on page 61.
This topology is supported when the FortiGate unit is in HA mode.

NOTE:


Fortinet, Inc.

Fortinet, Inc.
MCLAG peer groups
MCLAG peer groups
A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they
appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption,
increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP).
l MCLAG requirements on page 59
l Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59
l Deploying MCLAG topologies on page 61
MCLAG requirements
l Both peer switches should be of the same hardware model and same software version. Mismatched configurations
might work but are unsupported.
l There is a maximum of two FortiSwitch models per MCLAG.
l The routing feature is not available within an MCLAG.
l When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the local
aggregate interface.
l On the global switch level, mclag-igmpsnooping-aware must be enabled. By default, mclag-igmpsnooping-
aware is enabled in the FortiSwitchOS CLI.
Transitioning from a FortiLink split interface to a FortiLink MCLAG
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two
FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port
connected to each FortiSwitch unit.

Fortinet, Inc.
MCLAG peer groups
NOTE:
l Make sure that the split interface is enabled.
l This procedure also applies to a FortiGate unit in HA mode.
l More links can be added between the FortiGate unit and FortiSwitch unit.
The following procedure uses zero-touch provisioning to change the configuration of the FortiSwitch units without losing
their management from the FortiGate unit. The MCLAG-ICL can also be enabled directly using console cables or
management ports.
1. Using the FortiGate CLI, assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG
ICL in FortiSwitch unit 1. For example:

FGT_Switch_Controller # config switch-controller managed-switch
FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
FGT_Switch_Controller (FS1E48T419000051) # config ports
FGT_Switch_Controller (ports) # edit port49
FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
FGT_Switch_Controller (port49) # end
FGT_Switch_Controller (FS1E48T419000051) # end

2. Repeat step 1 for FortiSwitch unit 2. The port numbers can be different.
3. Disable the split interface in the FortiLink interface. For example:

edit <aggregate_name>
set fortilink-split-interface disable
next
end

Fortinet, Inc.
MCLAG peer groups

4. From the FortiGate unit, enable the LACP active mode if not already set:

edit <aggregate_name>
set lacp-mode active
next
end

NOTE: If you are using FortiOS 6.2 or earlier, use the set lacp-mode static command instead.
5. Check that the LAG is working correctly. For example:

diagnose netlink aggregate name <aggregate_name>

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to
enable the fortilink-split-interface.
Deploying MCLAG topologies
l Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG on page 62
l Multi-tiered MCLAG with HA-mode FortiGate units on page 63
l HA-mode FortiGate units in different sites on page 65

Fortinet, Inc.
MCLAG peer groups
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before
creating a two-port LAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59. Then you
set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit.
This topology is also supported when the FortiGate unit is in HA mode.
NOTE:

Step 1: Ensure the MCLAG ICL is already configured between FortiSwitch 1 and FortiSwitch 2.
diagnose switch-controller switch-info mclag icl
Step 2: For each server, configure a trunk with MCLAG enabled. For server 1, select port10 on
FortiSwitch 1 and FortiSwitch 2. For server 2, select port15 on FortiSwitch 1 and FortiSwitch 2.
For details, refer to MCLAG trunks on page 76.
Step 4: Verify the MCLAG configuration.
diagnose switch-controller switch-info mclag list

Fortinet, Inc.
MCLAG peer groups
Multi-tiered MCLAG with HA-mode FortiGate units
Use the following procedure to deploy tier-2 and tier-3 MCLAG peer groups from the FortiGate switch controller without
the need for direct console access to the FortiSwitch units.
NOTE:
l In this topology, you must use the auto-isl-port-group setting as described in the following configuration
example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the
inter-switch link (ISL) is formed.
l The auto-isl-port-group setting must be done directly on the FortiSwitch unit.
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.
Tier-1 MCLAG
Wire the two core FortiSwitch units to the FortiGate devices. To configure the FortiSwitch units in the core, see
Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 59.

Fortinet, Inc.
MCLAG peer groups
Tier-2 and Tier-3 MCLAGs
1. Connect only the tier-2 MCLAG FortiSwitch units 3 and 4 to the core units 1 and 2 (leaving the other switches in
Closet 1 disconnected). Wait until they are discovered and authorized (authorization must be done manually if auto-
authorization is disabled).
2. For each tier-2 MCLAG peer group, add an auto-isl-port-group for the tier-2 MCLAG switches on both switch
1 and switch 2:

config switch auto-isl-port-group
edit tier2-closet-1
set members port1
next
edit tier2-closet-2
set members port2
next
end

This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on
the FortiGate device. See Executing custom FortiSwitch scripts on page 194.
3. Using the FortiGate CLI, assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG
ICL in the tier-2 MCLAG switches 3 and 4. For example:


Fortinet, Inc.
MCLAG peer groups

If there is not a tier-3 MCLAG, skip to step 7.
4. Wire the tier-3 MCLAG switches 5, 6, 7, and 8. Wait until they are discovered and authorized (authorization must be
done manually if auto-authorization is disabled).
5. For each tier-3 MCLAG peer group, add two auto-isl-port-groups for the tier-3 MCLAG switches on both
switch 3 and switch 4:

config switch auto-isl-port-group
edit tier-2-closet-<1>-downlink-trunk-A
set member <port_name>
next
edit tier-2-closet-<1>-downlink-trunk-B
set member <port_name>
next
end

This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on
the FortiGate device. See Executing custom FortiSwitch scripts on page 194.
6. Using the FortiGate CLI, assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the ICL in the
tier-3 MCLAG peers switches 5 and 6 and switches 7 and 8. For example:


7. Connect the access switches to the MCLAG peer groups, and the inter-switch links are formed automatically. Wait
until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
8. Wire only the tier-2 MCLAG FortiSwitch units from Closet 2 (leaving the other switches in Closet 2 disconnected).
Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is
disabled). Return to step 3 to complete the process for Closet 2.
9. All FortiSwitch units are now authorized, and all MCLAG peer groups are enabled. Proceed with the configuration of
the FortiSwitch units by assigning VLANs to the access ports and any other functionality required.
HA-mode FortiGate units in different sites
There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive
HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of
limited physical connections between the two sites.
FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.
Refer to the other network topologies in Deploying MCLAG topologies on page 61.

Fortinet, Inc.
MCLAG peer groups
The following steps are an example of how to configure this topology:
1. Disconnect the physical connections between the two sites.
2. On Site 1:
a. Use the FortiGate unit to establish the FortiLinks on Site 1. See Configuring FortiLink on page 15.
b. Enable the MCLAG-ICL on the core switches of Site 1. See Transitioning from a FortiLink split interface to a
FortiLink MCLAG on page 59.
c. Enable the HA mode and set the heartbeat ports on FortiGate-1. FortiGate port1 and port2 are used as HA
heartbeat ports in this example. For example, set hbdev "port1" 242 "port2" 25.
d. Create a switch VLAN or VLANs dedicated to the FortiGate HA heartbeats between the two FortiGate units.
For example:

edit "hb1"
set vdom "vdom name"
set vlanid 998
next
edit "hb2"
set vdom "vdom name"
set vlanid 999
next
end


Fortinet, Inc.
MCLAG peer groups
e. Under the config switch-controller managed-switch command, set the native VLAN of the switch
ports connected to the heartbeat ports using the VLAN created in step 2d.
In this example, you need to assign port1 of core-switch1 to vlan998 and connect port1 of the active FortiGate
unit to port1 of core-switch1. Then you need to assign port1 of core-switch2 to vlan999 and connect port2 of the
active FortiGate unit to port1 of core-switch2.

edit <site1-core-switch1>
edit "port1"
set vlan "hb1"
next
end
edit <site1-core-switch2>
edit "port1"
set vlan "hb2"
next
end

f. Make sure all FortiLinks are up.
3. On Site 2:
a. Configure Site 2 using the same configuration as step 2, except for the HA priority.
b. Make sure all FortiLinks are up.
4. Disconnect the physical connections for the FortiGate HA and FortiLink interface on Site 2.
5. Connect the cables between the two pairs of core switches in Site 1 and Site 2.
6. On both sites:
a. On the MCLAG Peer Group switches at Site 1, use the config switch auto-isl-port-group command
in the FortiSwitch CLI to group the ports to Site 2. See Deploying MCLAG topologies on page 61.
b. On the MCLAG Peer Group switches at Site 2 , use the config switch auto-isl-port-group
command in the FortiSwitch CLI to group the ports to Site 1. See Deploying MCLAG topologies on page 61.
c. Make sure all the FortiLinks are up.
7. Connect the FortiGate HA and FortiLink interface connections on Site 2.
8. Check the configuration:
a. On both sites, enter the get system ha status command on the FortiGate unit to check the HA status.
b. On the active (master) FortiGate unit, enter the execute switch-controller get-conn-status
command to check the FortiLink state.

Fortinet, Inc.
MCLAG peer groups
9. In the GUI, the example configuration looks like the following:

Fortinet, Inc.
Configuring FortiSwitch VLANs and ports
l Configuring VLANs on page 69
l Configuring ports using the GUI on page 72
l Configuring port speed and status on page 72
l Configuring PoE on page 73
l Adding 802.3ad link aggregation groups (trunks) on page 75
l Configuring FortiSwitch split ports (phy-mode) in FortiLink mode on page 78
l Restricting the type of frames allowed through IEEE 802.1Q ports on page 81
l Multitenancy and VDOMs on page 82
Configuring VLANs
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you
to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent
automatically within the VLAN. You must configure routing for traffic between VLANs.)
From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The
switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the
VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch
port.
l Creating VLANs on page 69
l Viewing FortiSwitch VLANs on page 71
l Changing the VLAN configuration mode on page 72
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either
the Web GUI or CLI.

Fortinet, Inc.
Using the GUI
To create the VLAN:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
Interface Name VLAN name
VLAN ID Enter a number (1-4094)
Color Choose a unique color for each VLAN, for ease of visual display.
Role Select LAN, WAN, DMZ, or Undefined.
2. Enable DHCP for IPv4 or IPv6.
3. Set the Administrative access options as required.
4. Select OK.
To assign FortiSwitch ports to the VLAN:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.

2. Click a port row.
3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected
port.
Using the FortiSwitch CLI
1. Create the marketing VLAN.

edit <vlan name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
end

2. Set the VLAN’s IP address.

edit <vlan name>
set ip <IP address> <Network mask>
end

3. Enable a DHCP Server.

config system dhcp server
edit 1
set default-gateway <IP address>
set interface <vlan name>

Fortinet, Inc.
config ip-range
set start-ip <IP address>
set end-ip <IP address>
end
set netmask <Network mask>
end

4. Assign ports to the VLAN.

edit <Switch ID>
config ports
edit <port name>
set vlan <vlan name>
set allowed-vlans <vlan name>
or
set allowed-vlans-all enable
next
end
end

5. Assign untagged VLANs to a managed FortiSwitch port:
edit <managed-switch>
config ports
edit <port>
set untagged-vlans <VLAN-name>
next
end
next
end
Viewing FortiSwitch VLANs
The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.
Each entry in the VLAN list displays the following information:
l Name—name of the VLAN
l VLAN ID—the VLAN number
l IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
l Access—administrative access settings for the VLAN
l Ref—number of configuration objects referencing this VLAN

Fortinet, Inc.
Changing the VLAN configuration mode
You can change which VLANs the set allowed-vlans command affects.
If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:
set vlan-all-mode defined
end
If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI
commands:
set vlan-all-mode all
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.
Configuring ports using the GUI
You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

l Set the native VLAN and add more VLANs
l Edit the description of the port
l Enable or disable the port
l Set the access mode of the port:
l Static—The port does not use a dynamic port policy or FortiSwitch network access control (NAC) policy.
l Assign Port Policy—The port uses a dynamic port policy.
l NAC—The port uses a FortiSwitch NAC policy.
l Enable or disable PoE for the port
l Enable or disable DHCP snooping (if supported by the port)
l Enable or disable whether a port is an edge port
l Enable or disable STP (if supported by the port)
l Enable or disable loop guard (if supported by the port)
l Enable or disable STP BPDU guard (if supported by the port)
l Enable or disable STP root guard (if supported by the port)
Configuring port speed and status
Use the following commands to set port speed and other base port settings:
config ports
edit <port_name>
set description <text>

Fortinet, Inc.
set speed <speed>
set status {down | up}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set description "First port"
set speed auto
set status up
end
end
Configuring PoE
NOTE: The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.
l Enabling PoE on the port on page 73
l Enabling PoE pre-standard detection on page 73
l Resetting the PoE port on page 74
l Displaying general PoE status on page 74
Enabling PoE on the port

edit
<FortiSwitch_serial_number>
config ports
edit <port_name>
set poe-status {enable | disable}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set poe-status enable
end
end
Enabling PoE pre-standard detection
Depending on the FortiSwitch model, you can manually change the PoE pre-standard detection setting on the global
level or on the port level. Starting with FortiOS 6.4.5, the factory default setting for poe-pre-standard-detection is

Fortinet, Inc.
disable.
PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-
112D-POE, FS-548DFPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE,
FS-108E-FPOE, FS-124E-POE, and FS-124EFPOE. For the other FortiSwitch PoE models,
PoE pre-standard detection is set on each port.
On the global level, set poe-pre-standard-detection with the following commands:
set poe-pre-standard-detection {enable | disable}
next
end

On the port level, set poe-pre-standard-detection with the following commands:
config ports
edit <port_name>
set poe-pre-standard-detection {enable | disable}
next
end
next
end

Resetting the PoE port
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:
execute switch-controller poe-reset <FortiSwitch_serial_number>
<port_name>
Displaying general PoE status

get switch-controller <FortiSwitch_serial_number>
<port_name>
The following example displays the PoE status for port 6 on the specified switch:
# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W,
P
ower-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA

Fortinet, Inc.
Adding 802.3ad link aggregation groups (trunks)
If the trunk is in LACP mode and has ports with different speeds, the ports of the same negotiated speed are grouped in
an aggregator.
If multiple aggregators exist, one and only one of the aggregators is used by the trunk.
You can use the CLI to specify how the aggregator is selected:
l When the aggregator-mode is set to bandwidth, the aggregator with the largest bandwidth is selected. This
mode is the default.
l When the aggregator-mode is set to count, the aggregator with the largest number of ports is selected.
Using the FortiGate GUI:
2. Click Create New > Trunk.
3. In the New Trunk Group page, enter a Name for the trunk group.
4. Select two or more physical ports to add to the trunk group and then select Apply.
5. Select the Mode: Static, Passive LACP, or Active LACP.
6. Select Enabled or Disabled for the MCLAG.
l An MCLAG peer group must be configured before adding a trunk with MCLAG enabled. See MCLAG peer
groups on page 59.
l Make sure to select ports from switches that are part of the same MCLAG peer group.
7. Select OK.
Using the the FortiGate CLI:

Fortinet, Inc.
config ports
edit <trunk_name>
set type trunk
set mode {static | lacp-passive | lacp-active}
set aggregator-mode {bandwidth | count}
set bundle {enable | disable}
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
end
MCLAG trunks
The MCLAG trunk consists of 802.3ad link aggregation groups with members that belong to different FortiSwitch units.
To configure an MCLAG trunk, you need an MCLAG peer group (see MCLAG peer groups on page 59). The MCLAG
trunk members are selected from the same MCLAG peer group.
Using the GUI

2. Select Create New > Trunk.
3. Enter a name for the MCLAG trunk.
4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
5. For the mode, select Static, Passive LACP, or Active LACP.
l Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages
are ignored.
l Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
l Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.

Fortinet, Inc.
6. For trunk members, select Select Members, select the ports to include in the MCLAG trunk, and then select OK to

save the trunk members. NOTE: The members must belong to the same MCLAG peer group.
7. Select OK to save the MCLAG configuration.
The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.
Using the CLI
Configure a trunk in each switch that is part of the MCLAG pair:
l The trunk name for each switch must be the same.
l The port members for each trunk can be different.
l After you enable MCLAG, you can enable LACP if needed.

edit "<switch-id>"
config ports
edit "<trunk name>"
set type trunk
set mode {static | lacp-passive | lacp-active}
set members "<port>,<port>"
set mclag enable
next
end
next

Variable Description Default
<switch-id> FortiSwitch serial number. No default
<trunk name> Enter a name for the MCLAG trunk. No default
NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same
MCLAG trunk name configured.
type trunk Set the interface type to a trunk port. physical
mode {static | lacp- Set the LACP mode. lacp-active

passive | lacp- —Set to static for static aggregation. In this mode, no control messages are
active} sent, and received control messages are ignored.
—Set to lacp-passive to passively use LACP to negotiate 802.3ad
aggregation.
—Set to lacp-active to actively use LACP to negotiate 802.3ad aggregation.
members Set the aggregated LAG bundle interfaces. No default

"<port>,<port>"
mclag enable Enable or disable the MCLAG. disable

Fortinet, Inc.
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode
On FortiSwitch models that provide 40G/100G QSFP (quad small form-factor pluggable) interfaces, you can install a
breakout cable to convert one 40G/100G interface into four 10G/25G interfaces. See the list of supported FortiSwitch
models in the notes in this section.
FortiLink mode supports the FortiSwitch split-port configuration:
l Configuring split ports on a previously discovered FortiSwitch unit on page 78
l Configuring split ports with a new FortiSwitch unit on page 79
l Configuring forward error correction on switch ports on page 79
l Configuring a split port on the FortiSwitch unit on page 80
Notes
l Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
l Split ports are not configured for pre-configured FortiSwitch units.
l Splitting ports is supported on the following FortiSwitch models:
o FS-3032D (ports 5 to 28 are splittable)
o FS-3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty-two 100G/25G/10G ports.)
FS-524D and FS-524D-FPOE (ports 29 and 30 are splittable)
o
o FS-548D and FS-548D-FPOE (ports 53 and 54 are splittable)
o FS-1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G. In the 6 x 40G
configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the FS-3032D, FS-3032E, and
the FS-1048E models have enough ports to encounter this limit.
l Use 10000full for the general 10G interface configuration. If that setting does not work, use 10000cr for copper
connections (with copper cables such as 10GBASE-CR) or use 10000sr for fiber connections (fiber optic
transceivers such as 10GBASE-SR/-LR/-ER/-ZR).
Configuring split ports on a previously discovered FortiSwitch unit
1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 80.
2. Restart the FortiSwitch unit.
3. Remove the FortiSwitch from being managed:

delete <FortiSwitch_serial_number>
end

4. Discover the FortiSwitch unit.
5. Authorize the FortiSwitch unit.

Fortinet, Inc.
Configuring split ports with a new FortiSwitch unit
4. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 80.
6. Remove the FortiSwitch from being managed:

delete <FortiSwitch_serial_number>
end

Configuring forward error correction on switch ports
Supported managed-switch ports of the FS-1048E and FS-3032E can be configured with a forward error correction
(FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
config ports
edit <port_name>
set fec-capable {0 | 1}
set fec-state {disabled | cl74 | cl91}
next
end
next
end

fec-capable {0 | 1}
Set whether the port is FEC capable.
l 0: The port is not FEC capable.
l 1: The port is FEC capable.
fec-state {disabled | Set the FEC state:
cl74 | cl91}
l disabled: Disable FEC on the port.
l c174: Enable Clause 74 FC-FEC. This option is only available for on FS-
1048E and FS-3032E ports that have been split to 4x25G.
l c191: Enable Clause 91 RS-FEC. This option is only available for on FS-
1048E and FS-3032E ports that have been split to 4x100G.
In this example, a FortiSwitch FS-3032E that is managed by a FortiGate device is configured with Clause 74 FC-FEC on
port 16.1 and Clause 91 RS-FEC on port 8.
edit FS3E32T419000000
config ports
edit port16.1
set fec-state cl74

Fortinet, Inc.
next
edit port8
set fec-state cl91
next
end
next
end

Configuring a split port on the FortiSwitch unit
To configure a split port:
config switch phy-mode
set port-configuration <default | disable-port54 | disable-port41-48 | 4x100G | 6x40G |
4x4x25G}
set {<port-name>-phy-mode <single-port| 4x25G | 4x10G | 4x1G | 2x50G}
...
(one entry for each port that supports split port)
end
The following settings are available:
l disable-port54—For 548D and 548D-FPOE, only port53 is splittable; port54 is unavailable.
l disable-port41-48—For 548D and 548D-FPOE, port41 to port48 are unavailable, but you can configure port53
and port54 in split-mode.
l 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
l 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.
l 4x4x25G—For 1048E, enable the maximum speed (100G) of ports 49 through 52; each split port has a maximum
speed of 25G. Ports 47 and 48 are disabled.
l single-port—Use the port at the full base speed without splitting it.
l 4x25G—For 100G QSFP only, split one port into four subports of 25 Gbps each.
l 4x10G—For 40G or 100G QSFP only, split one port into four subports of 10Gbps each.
l 4x1G—For 40G or 100G QSFP only, split one port into four subports of 1 Gbps each.
l 2x50G—For 100G QSFP only, split one port into two subports of 50 Gbps each.
In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:
config switch phy-mode
set port5-phy-mode 1x40G

Fortinet, Inc.
end
The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of
configuration on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y
To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port
edit "port1"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port2"
set speed 40000full
next
edit "port3"
set speed 40000full
next
edit "port4"
set speed 40000full
next
edit "port5.1"
set speed 10000full
next
edit "port5.2"
set speed 10000full
next
edit "port5.3"
set speed 10000full
next
edit "port5.4"
set speed 10000full
next
end
Restricting the type of frames allowed through IEEE 802.1Q ports
You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or
allows all frames access to the port. By default, all frames have access to each FortiSwitch port.
Use the following CLI commands:

Fortinet, Inc.
config switch-controller managed-switch <SN>
config ports
edit <port_name>
set discard-mode <none | all-tagged | all-untagged>
next
next
end
Multitenancy and VDOMs
l FortiSwitch ports dedicated to VDOMs on page 82
l FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports on page 85
FortiSwitch ports dedicated to VDOMs
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple
independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security
policies, routing, and VPN configurations.
FortiSwitch ports can now be shared between VDOMs.
Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:
l POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
l Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
l QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
l Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the
GUI):

FG5H0E3917900081 (bbb) #
edit "bbb-vlan99"
set vdom "bbb"
set allowaccess ping

set role lan

set snmp-index 58
set switch-controller-dhcp-snooping enable

set interface "flink-lag" // this is the FortiLink interface in the root VDOM
set vlanid 99
next

end

set default-virtual-switch-vlan "bbb-vlan99"

Fortinet, Inc.
end

2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

FG5H0E3917900081 (vdom) # edit root

current vf=root:0

FG5H0E3917900081 (root) # config switch-controller managed-switch

FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

FG5H0E3917900081 (S548DF4K15000276) # config ports
FG5H0E3917900081 (ports) # edit port10
FG5H0E3917900081 (port10) # set export-to bbb

If you want to use the virtual-pool feature instead:

FG5H0E3917900081 (root) # c
onfig switch-controller virtual-port-pool

edit "bbb-pool"

set description "bbb-vlan-pool"

end

FG5H0E3917900081 (root) # config switch-controller managed-switch
FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276
FG5H0E3917900081 (S548DF4K15000276) # config port
FG5H0E3917900081 (ports) # edit port11
FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet.
(The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator
claim them before they are used.)

FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request
S548DF4K15000276 port11
FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is
now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

FG5H0E3917900081 (managed-switch) # show
edit "S548DF4K15000276"
set poe-detection-type 1
set type virtual
set owner-vdom "root"
config ports
edit "port10"

set poe-capable 1
set vlan "bbb-vlan99"
next

edit "port11"

set poe-capable 1
next

end

next

end

4. Check your configuration on the root VDOM:

FG5H0E3917900081 (port10) #
s
how
config ports

Fortinet, Inc.
edit "port10"
set poe-capable 1
set export-to "bbb"

next
end

FG5H0E3917900081 (port11) # show
config ports
edit "port11"
set poe-capable 1
set export-to-pool "bbb-pool"
set export-to "bbb"
next
end

5. Check your configuration on the tenant VDOM:

FG5H0E3917900081 (ports) # s
how
config ports
edit "port10"
set poe-capable 1

next
edit "port11"
set poe-capable 1
next
end

You can create your own export tags using the following CLI commands:
config switch-controller switch-interface-tag
edit <tag_name>
end
Use the following CLI command to list the contents of a specific VPP:
execute switch-controller virtual-port-pool show-by-pool <VPP_name>
Use the following CLI command to list all VPPs and their contents:
execute switch-controller virtual-port-pool show
NOTE: Shared ports do not support the following features:
l LLDP
l STP
l BPDU guard
l Root guard
l DHCP snooping
l IGMP snooping
l MCLAG
l Quarantines

Fortinet, Inc.
NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to
exit/abort and then re-enter into the FortiSwitch CLI port configuration.
FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports
In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by
the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.
1. From the root VDOM, create the FortiSwitch VLANs and assign them to their respective VDOMs.
2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi &
Switch Controller > FortiSwitch Ports) in the root VDOM.
NOTE: FortiSwitch units are not visible in non-root VDOMs.

Fortinet, Inc.
Configuring switching features
This section covers the following features:
l Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 86
l Configuring edge ports on page 87
l Configuring loop guard on page 88
l Configuring STP settings on page 88
l Dynamic MAC address learning on page 94
l Configuring storm control on page 98
l Configuring IGMP-snooping settings on page 99
l Configuring PTP transparent-clock mode on page 101
Configuring DHCP blocking, STP, and loop guard on managed

FortiSwitch ports
Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following features:

l DHCP Snooping—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example,
typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent
this, DHCP blocking filters messages on untrusted ports.
l Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network
topology.
l Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects.
Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its
subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP
rather than as a replacement for STP.
l STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard
is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes.
The BPDUs are not forwarded, and the network edge is enforced.
l STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When
enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root
guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause
your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured
device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By
enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce
the specified network topology.
STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.

Fortinet, Inc.
Configuring edge ports
Use the following commands to enable or disable an interface as an edge port:
config ports
edit <port_name>
set edge-port {enable | disable}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set edge-port enable
end
end

Fortinet, Inc.
Configuring loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard
helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled
on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:
edit
config ports
edit <port_name>
set loop-guard
{
enabled | disabled}
set loop-guard-timeout <0-120 minutes>
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set loop-guard enabled
set loop-guard-timeout
10
end
end
Configuring STP settings
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free
layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q
standard.
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree
Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP,
so it provides fast recovery from network faults and fast convergence times.
l Configuring STP on FortiSwitch ports on page 89
l Configuring STP root guard on page 91
l Configuring STP BPDU guard on page 92
l Configuring interoperation with per-VLAN RSTP on page 93
To configure STP for all managed FortiSwitch units:
config switch-controller stp-settings
set name <name>

Fortinet, Inc.
set revision <stp revision>
set hello-time <hello time>
set forward-time <forwarding delay>
set max-age <maximum aging time>
set max-hops <maximum number of hops>
end
To override the global STP settings for a specific FortiSwitch unit:
edit
<switch-id>
config stp-settings
set local-override enable
end
To configure MSTP instances:
config switch-controller stp-instance
edit <id>
config vlan-range <list of VLAN names>
end
config stp-instance
edit <id>
set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 |
36864 | 40960 |
45056 | 49152 | 53248 | 57344 | 61440>
next
end
next
end
For example:
config switch-controller stp-instance
edit 1
config vlan-range vlan1 vlan2 vlan3
end
edit S524DF4K15000024
config stp-instance
edit 1
set priority 16384
next
end
next
end
Configuring STP on FortiSwitch ports
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed
FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Fortinet, Inc.
Use the following commands to enable or disable STP on FortiSwitch ports:
edit
config ports
edit <port_name>
set stp-state
{
enabled | disabled}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end
To check the STP configuration on a FortiSwitch, use the following command:
diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>
For example:
FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:

Instance ID : 0

Switch Priority : 24576

Root MAC Address : 085b0ef195e4

Root Priority: 24576

Root Pathcost: 0

Regional Root MAC Address : 085b0ef195e4

Regional Root Priority: 24576

Regional Root Path Cost: 0

Remaining Hops: 20

This Bridge MAC Address : 085b0ef195e4

This bridge is the root

Port Speed Cost Priority Role State Edge STP-Status

Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________

________

port1 - 200000000 128 DISABLED DISCARDING YES ENABLED

NO

NO

NO

NO

NO

NO

NO

Fortinet, Inc.
ort8 - 200000000 128 DISABLED DISCARDING YES ENABLED
p
NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO
internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED

NO
__FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED

NO
Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of

Fortinet, Inc.
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
edit
config ports
edit <port_name>
set stp-root-guard
{
enabled | disabled}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
l You must define the port as an edge port with the set edge-port enable command.
l You must enable STP on the switch interface with the set stp-state enabled command.
You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
edit
config ports
edit <port_name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end
For example:
edit S524DF4K15000024
config ports
edit port1

Fortinet, Inc.
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end
To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>
For example:
FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname State Status Timeout(m) Count Last-Event

_________________ _______ _________ ___________ _____ _______________

port1 enabled - 10 0 -

port2 disabled - - - -




























__FoRtI1LiNk0__ disabled - - - -

Configuring interoperation with per-VLAN RSTP
Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The
existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By
default, interoperation with RPVST+ is disabled.

Fortinet, Inc.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates
instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.
In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within MSTP region.
l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.
In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:
config ports
edit <port_name>
set rpvst-port {enabled | disabled}
next
end

For example:
FGT-1 (testvdom) # config switch-controller managed-switch
FGT-1 (managed-switch) # edit FS3E32T419000006
FGT-1 (FS3E32T419000006) # config ports
FGT-1 (ports) # edit port5
FGT-1 (port5) # set rpvst-port enabled
FGT-1 (port5) # next
FGT-1 (ports) # end

To check your configuration and to diagnose any problems:
diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

For example:
diagnose switch-controller switch-info rpvst FS3E32T419000006 port5
Dynamic MAC address learning
You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are
flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming
packet with an unknown MAC address (to drop or forward the packet).

Fortinet, Inc.
l Limiting the number of learned MAC addresses on a FortiSwitch interface on page 95
l Controlling how long learned MAC addresses are saved on page 96
l Logging violations of the MAC address learning limit on page 96
l Persistent (sticky) MAC addresses on page 97
l Logging changes to MAC addresses on page 97
Limiting the number of learned MAC addresses on a FortiSwitch interface
You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to
128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:
config switch vlan
edit <integer>
set switch-controller-learning-limit <limit>
end
end
For example:
config switch vlan
edit 100
set switch-controller-learning-limit 20
end
end
Use the following CLI commands to limit MAC address learning on a port:
config ports
edit <port_name>
set learning-limit <limit>
next
end
end
end
For example:
edit S524DF4K15000024
config ports
edit port3
set learning-limit 50
next
end
end
end

Fortinet, Inc.
Controlling how long learned MAC addresses are saved
You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after
300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value
ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.
set mac-aging-interval
<
10 to 1000000>
end
For example:
set mac-aging-interval
5
00
end
If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed
from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0
to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are
deleted.
set mac-retention-period
<
0 to 168>
end
For example:
set mac-retention-period
3
6
end
Logging violations of the MAC address learning limit
If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the
system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the
most recent 128 violations are displayed in the console.
Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses
are saved:
set mac-violation-timer <0-1500>
set log-mac-limit-violations {enable | disable}
end
For example:
set mac-violation-timer 1000
set log-mac-limit-violations enable
end
To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
l diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_
serial_number>

Fortinet, Inc.
l diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_
serial_number> <port_name>
l diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_
serial_number> <VLAN_ID>
For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:
diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5
To reset the learning-limit violation log f or a managed FortiSwitch unit, use one of the following commands:
l execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
l execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_
number> <VLAN_ID>
l execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_
number> <port_name>
For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:
execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5
Persistent (sticky) MAC addresses
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:
config ports
edit <port_name>
set sticky-mac {enable | disable}
next
end
You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following commands to save persistent MAC addresses for a specific interface or all interfaces:
execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_
number> <port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>
Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_
serial_number>
execute switch-controller switch-action delete sticky-mac delete-unsaved interface
<FortiSwitch_serial_number> <port_name>
Logging changes to MAC addresses
Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:
set mac-event-logging enable

Fortinet, Inc.
end
Configuring storm control
Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a
LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of
traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed
switches, use the following FortiOS CLI commands:
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end
To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the
storm-control policy and then assigning the storm-control policy for the FortiSwitch port.
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end

config ports
edit port5
set storm-control-policy <storm_control_policy_name>
next
end

For example:
config switch-controller storm-control-policy
edit stormpol1
set description "storm control policy for port 5"
set storm-control-mode override
set rate 1000
set unknown-unicast enable
set unknown-multicast enable
set broadcast enable
next
end


Fortinet, Inc.
edit S524DF4K15000024
config ports
edit port5
set storm-control-policy stormpol1
next
end
Configuring IGMP-snooping settings
You need to configure global IGMP-snooping settings and then configure IGMP-snooping settings on a FortiSwitch unit.
You cannot use IGMP snooping when network access control (NAC) has been
enabled on a global scale with set mode global under the config switch-
controller nac-settings command.
l Configuring global IGMP-snooping settings on page 99
l Configuring IGMP-snooping settings on a switch on page 99
l Configuring IGMP proxy on page 100
Configuring global IGMP-snooping settings
Use the following commands to configure the global IGMP-snooping settings.
Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer
value from 15 to 3600. The default value is 300.
The flood-unknown-multicast setting controls whether the system will flood unknown multicast messages within
the VLAN.
config switch-controller igmp-snooping
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
end
Configuring IGMP-snooping settings on a switch
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network
traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving
each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from
links that do not contain a multicast listener.
NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and
igmps-flood-traffic options are disabled by default.
Use the following commands to configure IGMP settings on a FortiSwitch port:

Fortinet, Inc.
edit
config ports
edit <port_name>
set igmps-flood-reports {enable | disable}
set igmps-flood-traffic {enable | disable}
end
end
For example:
edit S524DF4K15000024
config ports
edit port3
set igmps-flood-reports enable
set igmps-flood-traffic enable
end
end
Configuring IGMP proxy
Starting in FortiSwitchOS 6.2.0, you can also use the CLI to enable IGMP proxy, which allows the VLAN to send IGMP
reports. After you enable switch-controller-igmp-snooping-proxy on a VLAN, it will start suppressing reports
and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message
is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more
members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send IGMP reports to
the upstream interface.
Use the following commands in FortiOS to configure IGMP proxy:
edit "<interface_name>"
set vdom "<VDOM_name>"
set ip <IPv4_address> <network_mask>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | radius-acct |
probe-response | fabric | ftm}
set role lan
set snmp-index <integer>
set switch-controller-igmp-snooping enable
set switch-controller-igmp-snooping-proxy enable
set color <integer>
set interface "<FortiLink_interface>"
set vlanid <integer>
next
end
For example:
edit "port1"
set vdom "VDOM1"
set ip 172.16.16.254 255.255.255.0
set allowaccess ping https ssh http
set role lan
set snmp-index 25
set switch-controller-igmp-snooping enable

Fortinet, Inc.
set switch-controller-igmp-snooping-proxy enable
set color 5
set vlanid 22
next
end
Configuring PTP transparent-clock mode
Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a
network to improve the time precision. There are two transparent-clock modes:
l End-to-end measures the path delay for the entire path
l Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:
1. Configure the global PTP settings.
By default, PTP is disabled.
2. Enable the PTP policy.
By default, the PTP policy is enabled.
3. Apply the PTP policy to a port.
NOTE: PTP policies are hidden on virtual ports
To configure the global PTP settings:
config switch-controller ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end
To enable the PTP policy:
config switch-controller ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end
To apply the PTP policy to a port:
config ports
edit <port_name>
set ptp-policy {default | <policy_name>}
end
end

For example:
config switch-controller ptp settings
set mode transparent-p2p
end

Fortinet, Inc.

config switch-controller ptp policy
edit ptppolicy1
set status enable
next
end

edit S524DF4K15000024
config ports
edit port5
set ptp-policy ptppolicy1
end
end

Fortinet, Inc.
Device detection
Device detection
l Enabling network-assisted device detection on page 103
l Voice device detection on page 103
l Configuring IoT detection on page 110
l Configuring LLDP-MED settings on page 111
Enabling network-assisted device detection
Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by
the managed FortiSwitch unit.
To enable network-assisted device detection on a VDOM:
config switch-controller network-monitor-settings
set network-monitoring enable
end
You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the
CLI, enter the following command:
diagnose user device list
Voice device detection
FortiSwitchOS is able to parse LLDP messages from voice devices such as FortiFone and pass this information to a
FortiGate device for device detection. You can use a dynamic port policy to assign a device to an LLDP profile, QoS
policy, and VLAN policy. When a detected device is matched to the dynamic port policy, the corresponding policy actions
are applied on the switch port.
In the following example, FortiFone is connected to port2 of the FortiSwitch unit. A dynamic port policy is created to apply
a VLAN policy, LLDP policy, and QoS policy to the device family FortiFone.
The following is a summary of the procedure:
1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and Quality of Service (QoS) policy. You can use
the predefined voice-qos policy for QoS and the predefined fortivoice.fortilink profile for LLDP.

Fortinet, Inc.
Device detection
2. Use the FortiGate GUI to configure a dynamic port policy to match the FortiFone device family with the actions from
the assigned LLDP profile, QoS policy, and VLAN policy.
3. Use the FortiGate GUI to assign the dynamic port policy to the FortiSwitch port.
To create a dynamic port policy in the GUI and then assign it to a FortiSwitch port:
1. Go to WiFi & Switch Controller > FortiSwitch Port Policies and click Dynamic Port Policies.
a. Click Create New to create a dynamic port policy.
b. In the Name field, enter FortiFone.
c. Click Create new to create a dynamic port policy rule.

d. In the Name field, enter FortiFone.
e. Disable MAC address.
f. Enable Device family and enter FortiFone.
g. Enable LLDP profile and select a voice profile.
h. Enable QoS policy and select a voice policy.

Fortinet, Inc.
Device detection
i. Enable VLAN policy and select a voice policy.

Fortinet, Inc.
Device detection
j. Click OK to save the dynamic port policy rule.
k. Click OK to save the dynamic port policy.

Fortinet, Inc.
Device detection
3. Right-click port2 and select Mode > Assign Port Policy.
4. Click the pencil icon in the Port Policy column, select the FortiFone dynamic port policy, and then click Apply.
5. Plug the FortiFone into port2 of the FortiSwitch unit.

Fortinet, Inc.
Device detection
6. Go to Dashboard > Users & Devices and verify that the FortiFone is displayed in the FortiSwitch NAC VLANs pane.
To configure voice device detection in the CLI:
1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and QoS policy.

config switch-controller lldp-profile
edit "fortivoice.fortilink"
set med-tlvs inventory-management network-policy location-identification
set auto-isl disable
config med-network-policy
edit "voice"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "voice-signaling"
set status enable
set vlan-intf "voice"
set assign-vlan enable
set dscp 46
next
edit "guest-voice"
next
edit "guest-voice-signaling"
next
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"
next
edit "video-signaling"
next
end
config med-location-service
edit "coordinates"
next
edit "address-civic"
next
edit "elin-number"
next
end

Fortinet, Inc.
Device detection
next
end

config switch-controller qos qos-policy
edit "voice-qos"
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
set queue-policy "voice-egress"
next
end

config switch-controller vlan-policy
edit "fon"
set fortilink "fortilink"
set vlan "default_10"
set allowed-vlans "quarantine" "voice"
set untagged-vlans "quarantine"
next
end

2. Configure a dynamic port policy to match the FortiFone device family with the actions from the assigned LLDP
profile, QoS policy, and VLAN policy.

config switch-controller dynamic-port-policy
edit "FortiFone"
set fortilink "fortilink"
config policy
edit "FortiFone"
set family "FortiFone"
set lldp-profile "fortivoice.fortilink"
set qos-policy "voice-qos"
set vlan-policy "fon"
next
end
next
end

3. Assign the dynamic port policy to port2 of the FortiSwitch unit.

edit S108DVIJAK1VGG54
config ports
edit "port2"
set vlan "default_10"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set access-mode dynamic
set port-policy "FortiFone"
set export-to "root"
set mac-addr 02:09:0f:00:2c:01
next
end

4. The FortiSwitch unit receives an LLDP message from FortiFone after it is plugged into port2.
5. Run the diagnose switch-controller mac-device dynamic command to check the device information on
FortiGate device. The FortiFone is identified.

Fortinet, Inc.
Device detection

FGT_Switch_Controller (root) # diagnose switch-controller mac-device dynamic
Vdom: root

MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT DYNAMIC-PORT-POLICY POLICY

LAST-SEEN COMMENTS
00:15:65:83:cb:16 S108DVIJAK1VGG54 port2 FortiFone

FortiFone 148 auto detected @ 2021-04-29 19:12:42

Configuring IoT detection
NOTE: This feature requires an IoT Detection Service license.
Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of things (IoT) devices.
FortiOS can use the identified devices for storage and display. You can use the FortiOS CLI to configure IoT detection.
Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than the
iot-weight-threshold value, the MAC address is scanned. The default value is 1. Set the iot-weight-
threshold value to 0 to disable IoT detection.
You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 10,080 minutes. By
default, the scan interval is 60 minutes. Every MAC address will be scanned for a time interval of 60 minutes followed by
60 minutes when it will not be scanned. The start time of every MAC addressʼs 60-minute scan interval is unique. Set the
iot-scan-interval value to 0 to disable IoT detection.
A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes
before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes is
5. The range of values is 0 to 10,080 minutes. Set the iot-holdoff value to 0 to disable this setting.
If a MAC address entryʼs last-seen time is greater than the iot-mac-idle value, the MAC address entry is not
considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to 10,080
minutes.
To configure system-wide settings for IoT detection:
set iot-weight-threshold <0-255>
set iot-scan-interval

<2-10080>
set iot-holdoff
<
0-10080>
set iot-mac-idle <0-10080>
end
Starting in FortiOS 6.4.3, IoT detection can be managed per FortiLink interface as well. IoT detection is disabled by
default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so that
the FortiSwitch unit starts scanning for IoT devices.
Using the GUI:

2. Enable IoT scanning.

Fortinet, Inc.
Device detection
Using the CLI:
edit <FortiLink_interface>
set switch-controller-iot-scanning enable
end
Configuring LLDP-MED settings
Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this
feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both
FortiOS and FortiSwitchOS for this feature to work.
l Creating LLDP asset tags for each managed FortiSwitch on page 113
l Adding media endpoint discovery (MED) to an LLDP configuration on page 114
l Displaying LLDP information on page 114
l Configuring the LLDP settings on page 115
To configure LLDP profiles in FortiOS:
edit <profile_name>
set med-tlvs (inventory-management | network-policy | power-management | location-
identification)
set 802.1-tlvs port-vlan-id
set 802.3-tlvs {max-frame-size | power-negotiation}
set auto-isl {enable | disable}
set auto-isl-hello-timer <1-30>
set auto-isl-port-group <0-9>
set auto-isl-receive-timeout <3-90>
edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video |
video-conferencing | video-signaling | voice | voice-signaling}
set vlan-intf <string>
set priority <0-7>
set dscp <0-63>
next
end
edit {address-civic | coordinates | elin-number}
set sys-location-id <string>
next
end
config-tlvs
edit <TLV_name>
set oui <hexadecimal_number>
set subtype <0-255>
set information-string <0-507>
next

Fortinet, Inc.
Device detection
end
next
end
Variable Description
<profile_name> Enable or disable
med-tlvs (inventory-management Select which LLDP-MED type-length-value descriptions (TLVs) to transmit:
| network-policy | power-management | inventory-managment TLVs, network-policy TLVs, power-management
location-identification) TLVs for PoE, and location-identification TLVs. You can select one or more
option. Separate multiple options with a space.
802.1-tlvs port-vlan-id Transmit the IEEE 802.1 port native-VLAN TLV.
802.3-tlvs {max-frame-size | power- Select whether to transmit the IEEE 802.3 maximum frame size TLV, the
negotiation} power-negotiation TLV for PoE, or both. Separate multiple options with a
space.
auto-isl {enable | disable} Enable or disable the automatic inter-switch LAG.
auto-isl-hello-timer <1-30> If you enabled auto-isl, you can set the number of seconds for the automatic
inter-switch LAG hello timer. The default value is 3 seconds.
auto-isl-port-group <0-9> If you enabled auto-isl, you can set the automatic inter-switch LAG port
group identifier.
auto-isl-receive-timeout <3-90> If you enabled auto-isl, you can set the number of seconds before the
automatic inter-switch LAG times out if no response is received. The default
value is 9 seconds.
{guest-voice | guest-voice-signaling | Select which Media Endpoint Discovery (MED) network policy type-length-
softphone-voice | streaming-video | value (TLV) category to edit.
video-conferencing | video-signaling |
voice | voice-signaling}
status {enable | disable} Enable or disable whether this TLV is transmitted.
vlan-intf <string> If you enabled the status, you can enter the VLAN interface to advertise.
The maximum length is 15 characters.
priority <0-7> If you enabled the status, you can enter the advertised Layer-2 priority. Set
to 7 for the highest priority.
dscp <0-63> If you enabled the status, you can enter the advertised Differentiated
Services Code Point (DSCP) value to indicate the level of service requested
for the traffic.
{address-civic | coordinates | elin- Select which Media Endpoint Discovery (MED) location type-length-value
number} (TLV) category to edit.
status {enable | disable} Enable or disable whether this TLV is transmitted.

Fortinet, Inc.
Device detection
sys-location-id <string> If you enabled the status, you can enter the location service identifier. The
maximum length is 63 characters.
config-tlvs
<TLV_name> Enter the name of a custom TLV entry.
oui <hexadecimal_number> Ener the organizationally unique identifier (OUI), a 3-byte hexadecimal
number, for this TLV.
subtype <0-255> Enter the organizationally defined subtype.
information-string <0-507> Enter the organizationally defined information string in hexadecimal bytes.
To configure LLDP settings in FortiOS:
config switch-controller lldp-settings
set tx-hold <int>
set tx-interval <int>
set fast-start-interval <int>
set management-interface {internal | management}
set device-detection {enable | disable}
end

tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the
packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1
to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095
seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link
comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this
variable to zero to disable fast start.
management-interface Primary management interface to be advertised in LLDP and CDP PDUs.
device-detection {enable | disable} Enable or disable whether LLDP neighbor devices are dynamically detected.
By default, this setting is disabled.
To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:
config switch lldp settings
set device-detection enable
end
Creating LLDP asset tags for each managed FortiSwitch
You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

Fortinet, Inc.
Device detection
set switch-device-tag <string>
end
Adding media endpoint discovery (MED) to an LLDP configuration
You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:
edit <lldp-profle>
edit guest-voice
set status {disable | enable}
next
edit guest-voice-signaling
next
edit guest-voice-signaling
next
edit softphone-voice
next
edit streaming-video
next
edit video-conferencing
next
edit video-signaling
next
edit voice
next
edit voice-signaling
end
config custom-tlvs
edit <name>
set oui <identifier>
set subtype <subtype>
set information-string <string>
end
end
Displaying LLDP information
You can use the following commands to display LLDP information:
diagnose switch-controller switch-info lldp stats <switch> <port>
diagnose switch-controller switch-info lldp neighbors-summary <switch>
diagnose switch-controller switch-info lldp neighbors-detail <switch>

Fortinet, Inc.
Device detection
Configuring the LLDP settings
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Starting in FortiOS 6.4.3, you can also configure the lldp-status and lldp-profile settings of a virtual switch port
in a tenant VDOM. NOTE: The auto-isl setting in config switch-controller lldp-profile is ignored, and
the setting remains disabled for the tenantʼs ports.
Use the following commands to configure LLDP on a FortiSwitch port:
edit
config ports
edit <port_name>
set lldp-status
{
rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
end
end
For example:
edit S524DF4K15000024
config ports
edit port2
set lldp-status tx-rx
set lldp-profile default
end
end
Use the following commands to configure LLDP on a virtual FortiSwitch port in a tenant VDOM:
config vdom
edit <VDOM_name>
edit
config ports
edit <port_name>
set lldp-status
{
rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
next
end
end
end
For example:
config vdom
edit VDOM_1
edit
"S424ENTF19000007"
config ports
edit port28
set lldp-status
t
x-rx
set lldp-profile lldpprofile1
next
end
end

Fortinet, Inc.
Device detection
end

Fortinet, Inc.
FortiSwitch security
l FortiSwitch network access control on page 117
l Configuring dynamic port policy rules on page 126
l FortiSwitch security policies on page 129
l Configuring the DHCP trust setting on page 140
l Configuring dynamic ARP inspection (DAI) on page 141
l Configuring IPv4 source guard on page 141
l Security Fabric showing on page 143
l Blocking intra-VLAN traffic on page 144
l Quarantines on page 146
FortiSwitch network access control
You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the
specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices
that match are assigned to a specific VLAN or have port-specific settings applied to them.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch
NAC settings on page 119.
Summary of the procedure
1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN on page 117.
2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings on page 119.
3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy on page 120.
4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy on page 124.
Defining a FortiSwitch NAC VLAN
When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there
are six VLAN templates:
l default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
l quarantine—This VLAN contains quarantined traffic.
l rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
l voice—This VLAN is dedicated for voice devices.
l video—This VLAN is dedicated for video devices.
l onboarding—This VLAN is for NAC onboarding devices.

Fortinet, Inc.
You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding
NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN
or create a new NAC VLAN, use the following procedures.
Creating a NAC VLAN
Using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
Interface Name VLAN name
VLAN ID Enter a number (1-4094)
Color Choose a unique color for each VLAN, for ease of visual display.
Role Select LAN, WAN, DMZ, or Undefined.
2. Enable DHCP for IPv4 or IPv6.
3. Set the Admission access options as required.
4. Select OK.
Using the CLI:
edit <VLAN_name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
end
Editing a NAC VLAN
You can edit the default onboarding NAC VLAN.
Using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch VLANs.

2. Select the onboarding NAC VLAN.
3. Select Edit.
4. Make your changes.
5. Select OK to save your changes.
Using the CLI:
edit onboarding
set vlanid
<
1-4094>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | radius-acct |
probe-response | fabric | ftm}
set auto-ip {
enable | disable}
set dhcp-server {enable | disable}
end

Fortinet, Inc.
Configuring the FortiSwitch NAC settings
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.
The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all
managed FortiSwitch ports. Be default, the mode is local.
You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for
15 minutes. The range of values is 0 to 1 440 minutes. If you set the inactive-timer to 0, there is no limit to how long the
NAC devices can be inactive for.
When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default
onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.
When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.
When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the
DHCP process for that device.
When a link goes down, the NAC devices are cleared from all switch ports by default.
Starting in FortiOS 7.0.0, you can use the set nac-periodic-interval command to specify how often the NAC
engine runs in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.
Configuring NAC on a global level
config switch-controller fortilink-settings
edit <name_of_this_FortiLink_configuration>
set inactive-timer <integer>
set link-down-flush
{enable | disable}
config nac-ports
set onboarding-vlan <string>
set bounce-nac-port {enable | disable}
end
next
end

set nac-periodic-interval <5-60 seconds>
end
Configuring NAC on a local level
Using the CLI:
config ports
edit <port_name>
set access-mode nac
next
end
next
end

Fortinet, Inc.
Using the GUI:

2. Right-click a port.
3. Select Mode > NAC.
Synchronizing MAC events
edit <FortiSwitch_interface>
set nac enable
end
For example
edit port20
set nac enable
end
Defining a FortiSwitch NAC policy
In the FortiOS GUI, you can create three types of NAC policies:
l Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type,
operating system, and user.
l User—The NAC policy matches devices belonging to the specified user group.
l EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.
Using the CLI, you can specify a MAC policy to be applied to devices that have been matched by the NAC policy. See
Creating a MAC policy on page 124.
NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the
FortiSwitch NAC settings on page 119.
Creating a device policy
A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies
port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating
system, and user for the devices to match.
By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You
can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.
To identify devices to add to a device policy, try the following:
l Use the diagnose user device list command to see devices connected to your
FortiGate device.
l Use the FortiGuard Device Detection service
(https://www.fortiguard.com/learnmore#dds) to provide information about an IoT device
based on its MAC address.

Fortinet, Inc.
Using the GUI:
1. Go to WiFi & Switch Controller > NAC Policies.

2. Click Create New.
3. In the Name field, enter a name for the NAC policy.
4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch units to apply the NAC policy to or click All.
6. Select Device for the category.
7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to
match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the MAC address (for example,
xx:xx:xx:**:**:**).
8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the
hardware vendor to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the
hardware vendor.
9. If you want the device to match a device family, move the Device Family slider and enter the name of the device
family to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the device family.
10. If you want the device to match a device type, move the Type slider and enter the device type to match. Starting in
FortiOS 6.4.6, you can use the wildcard * character when entering the device type.
11. If you want the device to match an operating system, move the Operating System slider and enter the operating
system to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the operating
system.
12. If you want the device to match a user, move the User slider and enter the user name to match. Starting in FortiOS
6.4.6, you can use the wildcard * character when entering the user name.
13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter
the VLAN identifier.
14. Select OK to create the new NAC policy.
Using the CLI:
config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category device
set status enable
set mac <
MAC_address>
set hw-vendor <
hardware_vendor>
set type <
device_type>
set family <
device_family>
set os
<
operating_system>
set hw-version <
hardware_version>
set sw-version <
software_version>
set host <
host_name>
set user <user_name>.
set src <
source>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-mac-policy <switch_mac_policy>
end

Fortinet, Inc.
Creating a user policy
A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those
devices or applies port-level settings to those devices.
Using the GUI:

2. Select Create New.
5. Select which FortiSwitch units to apply the NAC policy to or select All.
6. Select User for the category.
7. Select which user group that devices must belong to.
8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and
enter the VLAN identifier.
Using the CLI:
edit <policy_name>
set category firewall-user user
set status enable
set user-group <name_of_user_group>
end
Creating an EMS-tag policy
An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or
applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS)
tag created in FortiClient.
NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.
Before creating an EMS-tag policy on a managed FortiSwitch unit:
1. In FortiClient EMS, group FortiClient Fabric Agent endpoints with an EMS tag.
2. In FortiClient EMS, share these endpoint groups with a FortiGate unit over the EMS connector.
3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

config endpoint-control fctems
edit <ems_name>
set server <ip_address>
set certificate <string>
next
end

Fortinet, Inc.

For example:

config endpoint-control fctems
edit EMS_Server
set server 1.2.3.4
set certificate REMOTE_Cert_1
next
end

4. In FortiOS, verify the EMS certificate. For example:

execute fctems verify EMS_Server

5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

diagnose user device get <FortiClient_MAC_address>

6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:

2. Select Create New.
5. Select which FortiSwitch units to apply the NAC policy to or select All.
6. Select EMS Tag for the category.
7. Select which FortiClient EMS tag that devices must be assigned.
8. If you want to assign a specific VLAN to a device assigned to the specified EMS tag, select Assign VLAN and enter
the VLAN identifier.
Using the CLI to create an EMS-tag policy:
edit <policy_name>
set category ems-tag
set ems-tag <string>
set status enable
next
end


Fortinet, Inc.
For example:

edit nac_policy_1
set category ems-tag
set ems-tag MAC_FCTEMS0000108427_Low
set switch-fortilink fortilink1
next
end
Creating a MAC policy
You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is
applied, select which traffic policy is used, and enable or disable packet count.
config switch-controller mac-policy
edit <MAC_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set traffic-policy <traffic_policy_name>
set count {enable | disable}
next
end
Viewing the devices that match the NAC policy
Using the GUI:

2. Click View Matched Devices.
3. Click Refresh to update the results.
When a NAC device is matched to a NAC policy and assigned to a VLAN, an event log is created.

Fortinet, Inc.
Using the CLI:
To show known NAC devices with a known location that match a NAC policy:
diagnose switch-controller mac-device nac known

To show pending NAC devices with an unknown location that match a NAC policy:
diagnose switch-controller mac-device nac onboarding

To view the NAC clients:
diagnose switch-controller mac-device cache

To display the NAC cache of MAC addresses on the FortiSwitch unit:
execute switch-controller get-nac-mac-cache
Using the FortiSwitch NAC VLAN widget
The widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget
shows a full list of devices grouped by VLAN, NAC policy, or last seen.
The widget is added to the Users & Devices dashboard after a dashboard reset or can be manually added to a
dashboard. It can also be accessed by going to WiFi & Switch Controller > NAC Policies and clicking View Matched
Devices.
The expanded view of the widget shows Assigned VLAN and Last Seen pie charts and a full device list. The list can be
organized By VLAN, By NAC Policy, or By Policy Type.
Click View NAC Policies to go to WiFi & Switch Controller > NAC Policies.

Fortinet, Inc.
Configuring dynamic port policy rules
Dynamic port policies allow you to specify rules that dynamically determine port policies. After you create the FortiLink
policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-
controller actions control the portʼs properties.
When you add dynamic port policy rules to the FortiLink policy settings, the rules are processed sequentially, from the
first rule to the last rule. The last rule in the FortiLink policy settings should indicate the default properties for any port that
has been assigned these FortiLink policy settings.
To identify devices to add to a dynamic port policy rule, try the following:
l Use the diagnose user device list command to see devices connected to your
FortiGate device.
l Use the FortiGuard Device Detection service
(https://www.fortiguard.com/learnmore#dds) to provide information about an IoT device
based on its MAC address.
To configure dynamic port policy rules:
1. Set the access mode and port policy for the port on page 126
2. Set the FortiLink policy settings to the FortiLink interface on page 127
3. Create the FortiLink policy settings on page 127
4. Create the dynamic port policy rule on page 128
5. Set how often the dynamic port policy engine runs on page 129
Set the access mode and port policy for the port
config ports
edit <port_name>
set access-mode dynamic
set port-policy <dynamic_port_policy>
next

Fortinet, Inc.
end
next
end
Set the FortiLink policy settings to the FortiLink interface
Enable the dynamic port policy on the FortiLink interface by specifying the FortilLink policy settings on the FortiLink
interface.
edit fortilink
set switch-controller-dynamic <FortiLink_policy_settings>
next
end
Create the FortiLink policy settings
Using the GUI
1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.

2. Click Dynamic Port Policies.
3. Click Configure Dynamic Port Settings.
4. Select the onboarding VLAN from the Onboarding VLAN dropdown list. The default onboarding VLAN is
onboarding.
5. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is
configured on the port.
6. If you are using the dynamic port policy with FortiSwitch network access control, move the Apply rule to NAC
policies slider to enable it.
7. Click Next.
8. When devices are matched by a dynamic port policy, you can assign those devices to a dynamic port VLAN. By
default, there are six VLAN templates:
l default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
l onboarding—This VLAN is for NAC onboarding devices.
l quarantine—This VLAN contains quarantined traffic.
l rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
l video—This VLAN is dedicated for video devices.
l voice—This VLAN is dedicated for voice devices.
You can select one of the default VLAN templates, edit one of the default VLAN templates, or create a dynamic port
VLAN.
9. Click Submit.
Using the CLI
config switch-controller fortilink-settings
edit <name_of_this_FortiLink_configuration>
set inactive-timer <integer>
set link-down-flush
{enable | disable}
config nac-ports
set onboarding-vlan <string>
set bounce-nac-port {enable | disable}

Fortinet, Inc.
end
next
end
Create the dynamic port policy rule
Using the GUI
1. On the Dynamic Port Policies page, select the dynamic port policy that you want to add dynamic port policy rules to.

2. Click Edit.
4. In the Name field, enter a name for the dynamic port policy rule.
6. In the Description field, enter a description of the dynamic port policy rule.
7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to
match.
8. If you want the device to match a host name or IP address, move the Host slider and enter the host name or IP
address to match.
9. If you want the device to match a device family, move the Device Family slider and enter the name of the device
family to match.
10. If you want the device to match a device type, move the Type slider and enter the device type to match.
11. If you want to assign an LLDP profile to the device that matches the specified criteria, move the LLDP profile slider
and enter the name of the LLDP profile.
12. If you want to assign a QoS policy to the device that matches the specified criteria, move the QoS policy slider and
enter the name of the QoS policy.
13. If you want to assign an 802.1x policy to the device that matches the specified criteria, move the 802.1X policy slider
and enter the name of the 802.1x policy.
14. If you want to assign a VLAN policy to the device that matches the specified criteria, move the VLAN policy slider
and enter the name of the VLAN policy.
15. Click OK.
Using the CLI
config switch-controller dynamic-port-policy
edit <dynamic_port_policy_name>
set fortilink <FortiLink_interface_name>
config policy
edit <policy_name>
set category {device | interface-tag}
set mac <MAC_address>
set type <device_type>
set family <device_family_name>
set host <host_name_or_IP_address>
set lldp-profile <LLDP_profile_name>
set qos-policy <QoS_policy_name>
set 802-1x <802.1x_policy_name>
set vlan-policy <VLAN_policy_name>
set bounce-port-link {disable | enable}

Fortinet, Inc.
next
end
next
end
Creating a VLAN policy
You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be
applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether
to discard untagged or tagged frames or to not discard any frames.
edit <VLAN_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set allowed-vlans <lists_of_VLAN_names>
set untagged-vlans <lists_of_VLAN_names>
set allowed-vlans-all

{enable | disable}
set discard-mode {none | all-untagged | all-tagged}
next
end

For example:

edit vlan_policy_1
set fortilink fortilink1
set vlan default
next
end
Set how often the dynamic port policy engine runs
In the FortiOS CLI, you can change how often the dynamic port policy engine runs. By default, it runs every 15 seconds.
The range of values is 5-60 seconds.
set dynamic-periodic-interval

<5-60 seconds>
end
FortiSwitch security policies
To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected
to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The
supplicant and the authentication server communicate using the switch using the EAP protocol. The managed
FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the managed FortiSwitch unit.

Fortinet, Inc.
NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication
from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.
The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each
supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot
respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC
address as the user name and password for authentication.
You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful.
Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1x authentication, you can specify a
RADIUS timeout VLAN for users after the authentication server timeout period expires.
When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.
Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l Number of devices supported per port for 802.1x MAC-based authentication on page 130
l Configuring the 802.1x settings for a virtual domain on page 131
l Overriding the virtual domain settings on page 131
l Defining an 802.1x security policy on page 132
l Applying an 802.1x security policy to a FortiSwitch port on page 134
l Testing 802.1x authentication with monitor mode on page 134
l RADIUS accounting support on page 134
l RADIUS change of authorization (CoA) support on page 135
l 802.1x authentication deployment example on page 138
l Detailed deployment notes on page 139
Number of devices supported per port for 802.1x MAC-based authentication
The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication. See the
following table.
Model Total number of devices supported per switch
108 80
112 120
124/224/424/524/1024 240
148/248/448/548/1048 480
3032 320

Fortinet, Inc.
Configuring the 802.1x settings for a virtual domain
To configure the 802.1x security policy for a virtual domain, use the following commands:
config switch-controller 802-1X-settings
set reauth-period <integer>
set max-reauth-attempt <integer>
set link-down-auth {*set-unauth | no-action}
end
Option Description
set link-down-auth If a link is down, this command determines the authentication state.
Choosing set-unauth sets the interface to unauthenticated when a link is
down, and reauthentication is needed. Choosing no-action means that
the interface does not need to be reauthenticated when a link is down.
set reauth-period This command sets how often reauthentication is needed. The range is 1-
1440 minutes. The default is 60 minutes. Setting the value to 0 minutes
disables reauthentication.
NOTE: Setting the reauth-period to 0 is supported only in the CLI. The
RADIUS dynamic session timeout and CoA session timeout do not support
setting the Session Timeout to 0.
set max-reauth-attempt This command sets the maximum number of reauthentication attempts. The
range is 1-15. The default is 3. Setting the value to 0 disables
reauthentication.
Overriding the virtual domain settings
You can override the virtual domain settings for the 802.1x security policy.
To override the 802.1x settings for a virtual domain:

2. Click on a FortiSwitch faceplate and select Edit.
3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The
maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The
maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to
unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does
not need to be reauthenticated when a link is down.
7. Select OK.

Fortinet, Inc.
To override the 802.1x settings for a virtual domain:
edit < switch >
config 802-1X-settings
set local-override [ enable | *disable ]
set reauth-period < int > // visible if override enabled
set max-reauth-attempt < int > // visible if override enabled
set link-down-auth < *set-unauth | no-action > // visible if override enabled
end
next
end
For a description of the options, see Configuring the 802.1x settings for a virtual domain.
Defining an 802.1x security policy
You can define multiple 802.1x security policies.
To create an 802.1x security policy:

1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
2. Under Security Policies, click Create New.
3. Enter a name for the new FortiSwitch security policy.
4. For the security mode, click Port-based or MAC-based.
5. Select + to select which user groups will have access.
6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access
the guest VLAN.
9. Enable or disable MAC authentication bypass (MAB) on this interface.
10. Enable or disable EAP pass-through mode on this interface.
11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
12. Select OK.
To create an 802.1x security policy, use the following commands:
config switch-controller security-policy 802-1X
edit "<policy.name>"
set security-mode {802.1X | 802.1X-mac-based}
set user-group <*group_name | Guest-group | SSO_Guest_Users>
set mac-auth-bypass {enable | *disable}
set eap-passthru {enable | disable}
set guest-vlan {enable | *disable}
set guest-vlan-id "<guest-VLAN-name>"
set guest-auth-delay <integer>

Fortinet, Inc.
set auth-fail-vlan {enable | *disable}
set auth-fail-vlan-id "<auth-fail-VLAN-name>"
set radius-timeout-overwrite {enable | *disable}
set policy-type 802.1X
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-period <integer>
set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"
end
end
Option Description
set security-mode You can restrict access with 802.1x port-based authentication or with
802.1x MAC-based authentication.
set user-group You can set a specific group name, Guest-group, or SSO_Guest_Users to
have access. This setting is mandatory.
set mac-auth-bypass You can enable or disable MAB on this interface.
set eap-passthrough You can enable or disable EAP pass-through mode on this interface.
set guest-vlan You can enable or disable guest VLANs on this interface to allow restricted
access for some users.
set guest-vlan-id "<guest- You can specify the name of the guest VLAN.
VLAN-name>"
set guest-auth-delay You can set the authentication delay for guest VLANs on this interface. The
range is 1-900 seconds.
set auth-fail-vlan You can enable or disablethe authentication fail VLAN on this interface to
allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id You can specify the name of the authentication fail VLAN
"<auth-fail-VLAN-name>"
set radius-timeout-overwrite You can enable or disable whether the session timeout for the RADIUS
server will overwrite the local timeout.
set policy-type 802.1X You can set the policy type to the 802.1x security policy.
set authserver-timeout-vlan Enable or disable the RADIUS timeout VLAN on this interface to allow
limited access for users when the RADIUS server times out before finishing
authentication.
By default, this option is disabled.
set authserver-timeout- You can set how many seconds the RADIUS server has to authenticate
period users. The range of values is 3-15 seconds; the default time is 3 seconds.
This option is only visible when authserver-timeout-vlan is enabled.
set authserver-timeout- The VLAN name that is used for users when the RADIUS server times out
vlanid "<RADIUS-timeout- before finishing authentication.
VLAN-name>" This option is only visible when authserver-timeout-vlan is enabled.

Fortinet, Inc.
Applying an 802.1x security policy to a FortiSwitch port
You can apply a different 802.1x security policy to each FortiSwitch port.
To apply an 802.1x security policy to a managed FortiSwitch port:

2. Select the + next to a FortiSwitch unit.
3. In the Security Policy column for a port, click + to select a security policy.
4. Select OK to apply the security policy to that port.
To apply an 802.1x security policy to a managed FortiSwitch port, use the following commands:
edit <managed-switch>
config ports
edit <port>
set port-security-policy <802.1x-policy>
next
end
next
end
Testing 802.1x authentication with monitor mode
Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test
port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass.
Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the
users fail authentication.
To enable or disable monitor mode, use the following commands:
edit "<policy_name>"
set open-auth {enable | disable}
next
end
RADIUS accounting support
The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiGate RADIUS single sign-on:
l START—The FortiSwitch has been successfully authenticated, and the session has started.
l STOP—The FortiSwitch session has ended.
l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
l ON—FortiSwitch will send this message when the switch is turned on.
l OFF—FortiSwitch will send this message when the switch is shut down.

Fortinet, Inc.
You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple
values.
Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed
FortiSwitch units:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set switch-controller-service-type {administrative | authenticate-only | callback-
administrative | callback-framed | callback-login | callback-nas-prompt | call-
check | framed | login | nas-prompt | outbound}
config accounting-server
edit <entry_ID>
set server <server_IP_address>
set secret <secret_key>
set port <port_number>
next
end
next
end
RADIUS change of authorization (CoA) support
For increased security, each subnet interface that will be receiving CoA requests must be configured with the set
allowaccess radius-acct command.
Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS CoA messages:
l CoA messages to change session authorization attributes (such as data filters and the session-timeout setting )
during an active session.
l Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are
unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string
The format of the value is as follows:
Attribute Value Description
Fortinet-Host-Port-AVPair action=bounce-port The FortiSwitch unit disconnects all sessions on a

port. The port goes down for 10 seconds and then
up again.
Fortinet-Host-Port-AVPair action=disable-port The FortiSwitch unit disconnects all session on a

port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair action=reauth-port The FortiSwitch unit forces the reauthentication of

the current session.
In addition, RADIUS CoA use the session-timeout attribute:

Fortinet, Inc.
Attribute Value Description
session-timeout <session_timeout_ The FortiSwitch unit disconnects a session after

value> the specified number of seconds of idleness. This
value must be more than 60 seconds. NOTE: To
use the session-timeout attribute, you must
enable the set radius-timeout-overwrite
command first.
The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.
Error Cause Error Code Description
Unsupported Attribute 401 This error is a fatal error, which is sent if a request

contains an attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more

NAS-Identifier Attributes do not match the identity of the
NAS receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request

or Disconnect-Request message contains an attribute
with an unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified

in the CoA-Request or Disconnect-Request message
does not exist on the NAS.
Configuring CoA and disconnect messages
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
config user radius
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_IPv4>
end

ip <address> <netmask> Enter the interface IP address and netmask.

Fortinet, Inc.
allowaccess <access_types> Enter the types of management access permitted on this i nterface.
Valid types are as follows: http https ping snmp ssh telnet
radius-acct. S eparate each type with a space. You must include
radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the messages
use port 3799.
config user radius
radius-coa {enable | disable} Enable or disable whether the FortiSwitch unit will accept CoA and
disconnect messages. The default is disable.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 0 for FortiOS,
which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server.
There is no default.
server <server_name_IPv4> Enter the domain name or IPv4 address for the RADIUS server. There
is no default.
Example: RADIUS CoA
The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages
from the specified RADIUS server:
edit default
set internal-allowaccess ping https http ssh snmp telnet radius-acct
next
end
config user radius
edit "Radius-188-200"
set radius-coa enable
set radius-port 0
set secret ENC
+2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoe
ZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hp
CiVUMiPOU6fSrj
set server "10.105.188.200"
next
end

Fortinet, Inc.
802.1x authentication deployment example
To control network access, you can configure 802.1x authentication from a FortiGate unit managing FortiSwitch units. A
supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the
network.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to the
RADIUS server.
To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:
config firewall policy
edit 1
set name "fortilink-to-radius"
set srcintf "fortilink"
set dstintf "accounting-server"
set action accept
set service "ALL"
set nat enable
end
To create a group for users who will be authenticated by 802.1x:
config user radius
edit "dot1x-radius"
set server "192.168.174.10"
set secret ENC ***
set radius-port 1812
config accounting-server
edit 1
set status enable
set server "192.168.174.10"
set secret ENC ***
set port 1813
next
end
next
end

config user group

Fortinet, Inc.
edit "radius users"
set member "dot1x-radius"
next
end
To create an 802.1x security policy:
You can create an 802.1x security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch

Security Policies and selecting Create New.
edit "802-1X-policy-default"
set security-mode 802.1X-mac-based
set user-group "dot1x-local"
set mac-auth-bypass enable
set eap-passthru enable
set guest-vlan enable
set guest-vlan-id "guest-VLAN"
set auth-fail-vlan enable
set auth-fail-vlan-id "auth-fail-VLAN"
set radius-timeout-overwrite disable
next
end
To configure the global 802.1x settings:
config switch-controller 802-1X-settings
set link-down-auth no-action
set reauth-period 90
set max-reauth-attempt 4
end
To apply an 802.1x security policy to a managed FortiSwitch port:
You can apply an 802.1x security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi &
Switch Controller > FortiSwitch Ports.
edit S548DN4K16000360
config ports
edit "port1"
set dhcp-snooping trusted
set dhcp-snoop-option82-trust enable
set port-security-policy "802-1X-policydefault"
next
end
Detailed deployment notes
l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
l RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT
is disabled in the firewall policy (set nat disable under the config firewall policy command), and the

Fortinet, Inc.
interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other than
169.254.1.x.
l The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba
ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
l Each RADIUS CoA server can support only one accounting manager in this release.
l RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
l Fortinet recommends a unique secret key for each accounting server.
l For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
l To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-
authenticated ports of your VLAN network for both port and MAC modes.
l Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
l By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
l The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
l In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
l Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
l Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-
passthru) is enabled by default.
l For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
Configuring the DHCP trust setting
The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and
unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters
messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:
edit
config ports
edit <port_name>
set dhcp-snooping {trusted | untrusted}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
end
end

Fortinet, Inc.
Configuring dynamic ARP inspection (DAI)
DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have
valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By
default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the
following CLI commands to enable DAI and then enable DAI for a VLAN:
edit vsw.test
set switch-controller-arp-inpsection {enable | disable}
end

config ports
edit <port_name>
arp-inspection-trust <untrusted | trusted>
next
end
next
end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:
diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>
Use the following CLI command to delete DAI statistics for a specific VLAN:
diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_
serial_number>
Configuring IPv4 source guard
IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
l Static entries—IP addresses that have been manually associated with MAC addresses.
l Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict
between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The
following FortiSwitch models support IP source guard:
l FSR-124D
l FS-224D-FPOE

Fortinet, Inc.
l FS-248D
l FS-424D-POE
l FS-424D-FPOE
l FS-448D-POE
l FS-448D-FPOE
l FS-424D
l FS-448D
l FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
1. Enabling IPv4 source guard on page 142
2. Creating static entries on page 142
3. Checking the IPv4 source-guard entries on page 143
Enabling IPv4 source guard
You must enable IPv4 source guard in the FortiOS CLI before you can configure it.
To enable IPv4 source guard:
edit <FortiSwitch_serial_number
config ports
edit <port_name>
set ip-source-guard enable
next
end
end
For example:
edit S424DF4K15000024
config ports
edit port20
set ip-source-guard enable
next
end
end
Creating static entries
After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4
addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 86.
To create static entries:
config ip-source-guard

Fortinet, Inc.
edit <port_name>
config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end
next
end

For example:
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end
Checking the IPv4 source-guard entries
After you configure IPv4 source guard , you can check the entries.
Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added
by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>
Security Fabric showing
This example shows one of the key components in the concept of Security Fabric: FortiSwitches in FortiLink. In the
FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.

Fortinet, Inc.
Sample topology
To show Security Fabric information:
1. Go to Security Fabric > Physical Topology.

2. To see the connection between FortiGates and managed FortiSwitches, hover the pointer over the icons to see
information about each network element.
Blocking intra-VLAN traffic
You can block intra-VLAN traffic by aggregating traffic using solely the FortiGate unit. This prevents direct client-to-client
traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic
reaches the FortiGate unit, the FortiGate unit can then determine whether to allow various levels of access to the client
by shifting the client's network VLAN as appropriate, if allowed by a firewall policy and proxy ARP is enabled.
Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified
VLAN. Use disable to allow normal traffic on the specified VLAN.

Fortinet, Inc.
1. Go to Network > Interfaces.

2. Select the interface and then select Edit.
3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.
edit <VLAN name>
set switch-controller-access-vlan {enable | disable}
next
end

NOTE:
l IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
l Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
l When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure the proxy ARP
with the config system proxy-arp CLI command and configure a firewall policy. For example:

config system proxy-arp
edit 1
set interface "V100"
set ip 1.1.1.1
set end-ip 1.1.1.200
next
end

config firewall policy
edit 4
set name "Allow intra-VLAN traffic"
set srcintf "V100"
set dstintf "V100"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Fortinet, Inc.
Quarantines
Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined
MAC addresses are isolated from the rest of the network and LAN.
l Quarantining MAC addresses on page 146
l Using quarantine with DHCP on page 149
l Using quarantine with 802.1x MAC-based authentication on page 150
l Viewing quarantine entries on page 152
l Releasing MAC addresses from quarantine on page 154
Quarantining MAC addresses
You can use the FortiGate GUI or CLI to quarantine a MAC address.
NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP
address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.
In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.
1. Select the host to quarantine.
l Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
l Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
l Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on
FortiSwitch.
2. Select Accept to confirm that you want to quarantine the host.
NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

Fortinet, Inc.
There are two kinds of quarantines:
l Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting
in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
l Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting
in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).
By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware
version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was
disabled in the older configuration, it will be disabled after the upgrade.
You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are
only quarantined when the quarantine feature is enabled.
The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined
per quarantine entry.
Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use
and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much
network resources quarantined devices use.
Quarantine-by-redirect is the default. If you are upgrading to FortiOS 6.4.0 or higher and already have a quarantine-by
VLAN configuration, the quarantine mode does not change during the upgrade.
If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:
1. Disable quarantine.
2. Change the quarantine-mode to by-direct.
3. Remove the quarantine VLAN from the switch ports.
4. Enable quarantine.
To set up a quarantine in FortiOS:
set quarantine-mode {by-vlan | by-redirect}
end

config user quarantine
set quarantine enable
set traffic-policy <traffic_policy_name>
set firewall-groups <firewall_address_group>
config targets
edit <quarantine_entry_name>
config macs
edit <MAC_address_1>
set drop {enable | disable}
next
next
next
end
end
end

Fortinet, Inc.
Option Description
quarantine-mode {by-vlan | by-redirect} Select the quarantine mode:
l by-vlan sends quarantined device traffic to the FortiGate unit on a
separate quarantine VLAN.
l by-redirect redirects quarantined device traffic to a firewall
address group on the FortiGate unit. This mode is the default.
traffic-policy <traffic_policy_name> Optional. A name for the traffic policy that controls quarantined devices. If
you do add a traffic policy, you need to configure it with the config
switch-controller traffic-policy command.
firewall-groups <firewall_address_ Optional. By default, the firewall address group is
group> QuarantinedDevices. If you are using quarantine-by-redirect, you must
use the default firewall address group.
quarantine_entry_name A name for this quarantine entry.
description <string> Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_address_2, A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
MAC_address_3
drop {enable | disable} Enable to drop quarantined device traffic. Disable to send quarantined
device traffic to the FortiGate unit.
For example:
set quarantine-mode by-redirect
end

set traffic-policy qtrafficp
set firewall-groups QuarantinedDevices
config targets
edit quarantine1
config macs
set description "infected by virus"
edit 00:00:00:aa:bb:cc
set drop disable
next
edit 00:11:22:33:44:55
set drop disable
next
edit 00:01:02:03:04:05
set drop disable
next
end
next
end

Fortinet, Inc.
To configure a traffic policy for quarantined devices in FortiOS:
config switch-controller traffic-policy
edit <traffic_policy_name>
set description
<
string>
set policer-status enable
set guaranteed-bandwidth <
0-524287000>
set guaranteed-burst
<
0-4294967295>
set maximum-burst
<
0-4294967295>
set cos-queue <0-7>
end
Option Description
traffic-policy <traffic_policy_name> Enter a name for the traffic policy that controls quarantined devices.
description <
string> Enter an optional description of the traffic policy.
policer-status enable Enable the policer configuration to control quarantined devices. It is
enabled by default.
guaranteed-bandwidth <
0-524287000> Enter the guaranteed bandwidth in kbps. The maximum value is
524287000. The default value is 0.
guaranteed-burst <0-4294967295> Enter the guaranteed burst size in bytes. The maximum value is
4294967295. The default value is 0.
maximum-burst <
0-4294967295> The maximum burst size is in bytes. The maximum value is 4294967295.
The default value is 0.
set cos-queue <0-7> Set the class of service for the VLAN traffic. Use the unset cos-queue
command to disable this setting.
For example:
config switch-controller traffic-policy
edit qtrafficp
set description
" quarantined traffic policy"
set policer-status enable
set guaranteed-bandwidth 10000
set guaranteed-burst 1
0000
set maximum-burst 1
0000
unset cos-queue
end
Using quarantine with DHCP
When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this
problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device
was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is
released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By
default, the bounce-quarantined-link option is disabled.
To bounce the switch port where a quarantined device was last seen:

Fortinet, Inc.
set bounce-quarantined-link {enable | disable}
end
Using quarantine with 802.1x MAC-based authentication
After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device
was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine
VLAN 4093 after 802.1x MAC-based authentication is enabled.
To use quarantines with IEEE 802.1x MAC-based authentication:
1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can
verify that quarantine-vlan is enabled with the following commands:

S448DF3X16000118 # config switch global

S448DF3X16000118 (global) # config port-security

S448DF3X16000118 (port-security) # get
link-down-auth :
set-unauth
mab-reauth
:
disable
quarantine-vlan : enable
reauth-period
:
60
max-reauth-attempt : 0

2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the
managed FortiSwitch unit. You can verify the settings for the port-security-mode and quarantine-vlan. For example:

S448DF3X16000118 (port17) # show switch interface port17
edit "port17"
set allowed-vlans 4093
set untagged-vlans 4093
set security-groups "group1"
set snmp-index 17
config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass enable
set open-auth disable
set port-security-mode 802.1X-mac-based
set quarantine-vlan enable
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end

3. On the FortiGate unit, quarantine a MAC address. For example:


Fortinet, Inc.
edit "quarantine1"
config macs
edit 00:05:65:ad:15:03
next
end
next
end

4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the
managed FortiSwitch unit received the MAC-VLAN binding with the following command:

S448DF3X16000118 # show switch vlan 4093
config switch vlan
edit 4093
set description "qtn.FLNK10"
set dhcp-snooping enable
set access-vlan enable
config member-by-mac
edit 1
set mac 00:05:65:ad:15:03
next
end
next
end

5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed
FortiSwitch port has the quarantined MAC address. For example:

S448DF3X16000118 # diagnose switch 8 status port17

port17: Mode: mac-based (mac-by-pass enable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Quarantine VLAN (4093) detection : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :

Switch sessions 3/480, L
ocal port sessions:1/20
Client
M
AC
T
ype
V lan Dynamic-Vlan
Quarantined
00:05:65:ad:15:03 802.1x 1 4093

Sessions info:
00:50:56:ad:51:81 T
ype=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41
params:reAuth=1800

6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address
table with the following commands:

S448DF3X16000118 # diagnose switch vlan assignment
mac list
00:05:65:ad:15:03 VLAN: 4093 Installed: yes

Fortinet, Inc.
Source: 802.1X-MAC-Radius
Description: port17

S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)
Viewing quarantine entries
Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.
1. Go to Monitor > Quarantine Monitor.

2. Click Quarantined on FortiSwitch.The Quarantined on FortiSwitch button is only available if a device is detected
behind the FortiSwitch unit, which requires Device Detection to be enabled.
Use the following command to view the quarantine list of MAC addresses:
show user quarantine

For example:
show user quarantine

config targets
edit quarantine1
config macs
set description "infected by virus"
next
edit 00:11:22:33:44:55
next
edit 00:01:02:03:04:05
next
end
end
end

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>)
and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine
VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.
Use the following command to view the quarantine VLAN:
show system interface qtn.<FortiLink_port_name>

Fortinet, Inc.
For example:
show system interface qtn.port7

edit "qtn.port7"
set vdom "vdom1"
set ip 10.254.254.254 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-qtn.port7"
set device-identification-active-scan enable
set snmp-index 34
set switch-controller-access-vlan enable
set color 6
set interface "port7"
set vlanid 4093
next
end

Use the following commands to view the quarantine DHCP server:
show system dhcp server
config system dhcp server
edit 2
set interface "qtn.port7"
config ip-range
edit 1
set start-ip 10.254.254.192
set end-ip 10.254.254.253
next
end
set timezone-option default
next
end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all
connected FortiSwitch ports:
show switch-controller managed-switch

For example:
show switch-controller managed-switch

edit "FS1D483Z15000036"
set fsw-wan1-peer "port7"
set version 1
set dynamic-capability 503
config ports

Fortinet, Inc.
edit "port1"
set vlan "vsw.port7"
set allowed-vlans "qtn.port7"
set untagged-vlans "qtn.port7"
next
edit "port2"
next
edit "port3"
next
...
end
end
Releasing MAC addresses from quarantine
1. Go to Monitor > Quarantine Monitor.

2. Click Quarantined on FortiSwitch.
3. Right-click on one of the entries and select Delete or Remove All.
4. Click OK to confirm your choice.
To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which
will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all
quarantined MAC addresses from quarantine.
To delete a single quarantined MAC address:
config targets
edit <quarantine_entry_name>
config macs
delete <MAC_address_1>
end
end
end

Fortinet, Inc.
To delete all MAC addresses in a quarantine entry:
config targets
delete <quarantine_entry_name>
end
end

To disable the quarantine feature:
set quarantine disable
end

Fortinet, Inc.
Optimizing the FortiSwitch network
Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations
on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are
automatically applied.
In FortiOS 7.0.0 with FortiSwitchOS 7.0.0, three new tests have been added to the FortiSwitch recommendations to help
optimize your network:
l Check if the quarantine bounce port option is enabled.
l Check if the PoE status of the switch controller auto-config default policy is enabled.
l Check if PoE pre-standard detection for all user ports is enabled.
NOTE: The Security Rating feature is available only when VDOMs are disabled.
To optimize your FortiSwitch network:
1. Go to Security Fabric > Security Rating.

2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.
3. Select the Optimization section.
4. Under Failed, select + next to each item to see more details in the right pane.

Fortinet, Inc.
5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.

Fortinet, Inc.
Configuring QoS with managed FortiSwitch units
Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.
The FortiSwitch unit supports the following QoS configuration capabilities:
l Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
l If you select weighted-random-early-detection for the drop-policy, you can enable explicit congestion
notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
1. Configure a Dot1p map.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a
trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the
default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch
assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust
both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use
the Dot1p value and mapping only if the packet contains no DSCP value.
config switch-controller qos dot1p-map
edit <Dot1p map name>
set priority-0 <queue number>
next
end

2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress
queue values. For IP precedence, you have the following choices:
l network-control—Network control
l internetwork-control—Internetwork control
l critic-ecp—Critic and emergency call processing (ECP)
l flashoverride—Flash override
l flash—Flash
l immediate—Immediate

Fortinet, Inc.
l priority—Priority
l routine—Routine

config switch-controller qos ip-dscp-map
edit <DSCP map name>
configure map <map_name>
edit <entry name>
set cos-queue <COS queue number>
set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3
| AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF
| CS6 | CS7}
set ip-precedence {network-control | internetwork-control | critic-ecp |
flashoverride | flash | immediate | priority | routine}
set value <DSCP raw value>
next
end
end

3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or
more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
o With strict scheduling, the queues are served in descending order (of queue number), so higher number
queues receive higher priority.
In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each
o
queue before moving on to the next one.
o In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to
63.

config switch-controller qos queue-policy
edit <QoS egress policy name>
set schedule {strict | round-robin | weighted}
config cos-queue
edit queue-<number>
set min-rate <rate in kbps>
set max-rate <rate in kbps>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set weight <weight value>
next
end
next
end

4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy
edit <QoS egress policy name>
set default-cos <default CoS value 0-7>
set trust-dot1p-map <Dot1p map name>
set trust-ip-dscp-map <DSCP map name>
set queue-policy <queue policy name>
next
end


Fortinet, Inc.
5. Configure each switch port.

edit <switch-id>
config ports
edit <port>
set qos-policy <CoS policy>
next
end
next
end

6. Check the QoS statistics on each switch port.

diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
Configuring ECN for managed FortiSwitch devices
Explicit Congestion Notification (ECN) allows ECN enabled endpoints to notify each other when they are experiencing
congestion. It is supported on the following FortiSwitch models: FS-3032E, FS-3032D, FS-1048E, FS-1048D, FS-5xxD
series, and FS-4xxE series.
On the FortiGate unit that is managing the compatible FortiSwitch unit, ECN can be enabled for each class of service
(CoS) queue to enable packet marking to drop eligible packets. The command is only available when the dropping policy
is weighted random early detection. It is disabled by default.
To configure FortiSwitch to enable ECN packet marking to drop eligible packets:
config switch-controller qos queue-policy
edit "ECN_marking"
set schedule round-robin
set rate-by kbps
config cos-queue
edit "queue-0"
set drop-policy weighted-random-early-detection
set ecn enable
next
edit "queue-1"
next
edit "queue-2"
next
...
end
next
end

Fortinet, Inc.
Logging and monitoring
l FortiSwitch log settings on page 161
l Configuring FortiSwitch port mirroring on page 162
l Configuring SNMP on page 165
l Configuring sFlow on page 168
l Configuring flow tracking and export on page 170
l Configuring flow control and ingress pause metering on page 171
FortiSwitch log settings
You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog
server.
l Exporting logs to FortiGate on page 161
l Sending logs to a remote Syslog server on page 162
Exporting logs to FortiGate
You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is
global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch
logs.
To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.
Use the following CLI command syntax:
config switch-controller switch-log
set status {*enable | disable}
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
end
You can override the global log settings for a FortiSwitch unit, using the following commands:
edit
<switch-id>
config switch-log
set local-override enable
At this point, you can configure the log settings that apply to this specific switch.

Fortinet, Inc.
Sending logs to a remote Syslog server
Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog
servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-
separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the
remote Syslog server.
Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron
| authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 |
local3 | local4 | local5 | local6 | *local7}
next
end
You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:
edit
config remote-log
edit {edit syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp |
cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 |
local2 | local3 | local4 | local5 | local6 | *local7}
next
end
next
end
Configuring FortiSwitch port mirroring
The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same
FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for
external analysis and capture.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across
layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.
In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The
switching functionality is enabled on the dst interface when mirroring.

Fortinet, Inc.
NOTE: RSPAN is supported on FSR-112D-POE, FSR-124D, and on platforms 2xx and higher.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By
focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount
of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP
ping. If no IP address is specified, the traffic is not mirrored.
NOTE: ERSPAN is supported on FSR-124D and platforms 2xx and higher. ERSPAN cannot be used with the other
FortiSwitch port-mirroring method.
To configure FortiSwitch port-based mirroring:
config mirror
edit <mirror_name>
set status {active | inactive} // Required
set dst <port_name> // Required
set switching-packet {enable | disable}
set src-ingress <port_name>
set src-egress <port_name>
next
end
next
For example:
edit S524DF4K15000024
config mirror
edit 2
set status active
set dst port1
set switching-packet enable
set src-ingress port2 port3
set src-egress port4 port5
next
end
next
To configure FortiSwitch RSPAN:
config switch-controller traffic-sniffer
set mode rspan
config target-mac
edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address
end
config target-ip
edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address
end
config target-port
set in-ports <portx porty portz ...> // mirror any traffic sent to these ports
set out-ports <portx porty portz ...> // mirror any traffic sent from these ports
end

Fortinet, Inc.
end
For example:
set mode rspan
config target-mac
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end
To configure FortiSwitch ERSPAN:
set mode erspan-auto
set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent
config target-mac
edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address
end
config target-ip
edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address
end
config target-port
set in-ports <portx porty portz ...> // mirror traffic sent to these ports
set out-ports <portx porty portz ...> // mirror traffic sent from these ports
end
end
For example:
set mode erspan-auto
set erspan-ip 10.254.254.254
config target-mac
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1

Fortinet, Inc.
set in-ports port5 port6 port7
set out-ports port10
end
end
To disable FortiSwitch port mirroring:
set mode none
end
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers
have read-only access to FortiSwitch system information through queries and can receive trap messages from the
managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the
FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the
FortiSwitch units to use different settings from the global settings, configure SNMP locally.
l Configuring SNMP globally on page 165
l Configuring SNMP locally on page 167
Configuring SNMP globally
To configure SNMP globally:
1. Add SNMP access on the switch-management interface.
2. Configure the SNMP system information.
3. Configure the SNMP community.
4. Configure the SNMP trap threshold values.
5. Configure the SNMP user.
To add SNMP access on the switch-management interface:
edit "{default | <policy_name>}"
set mgmt-allowaccess <options> snmp
set internal-allowaccess <options>

Fortinet, Inc.
next
end
To configure the SNMP system information globally:
config switch-controller snmp-sysinfo
set status enable
set engine-id
<local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is
included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not
include the Fortinet prefix 0x8000304404.
To configure the SNMP community globally:
config switch-controller snmp-community
edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values globally:
config switch-controller snmp-trap-threshold
set trap-high-cpu-threshold
<percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
To configure the SNMP user globally:
config switch-controller snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}

Fortinet, Inc.
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}}
set priv-pwd <password_for_encryption_protocol>
end
Configuring SNMP locally
To configure SNMP for a specific FortiSwitch unit:
1. Configure the SNMP system information.
2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.
Starting in FortiSwitchOS 7.0.0, you can set up one or more SNMP v3 notifications (traps) in the CLI. The following
notifications are supported:
l The CPU usage is too high.
l The configuration of an entity was changed.
l The IP address for an interface was changed.
l The available log space is low.
l The available memory is low.
By default, all SNMP notifications are enabled. Notifications are sent to one or more IP addresses.
To configure the SNMP system information locally:
set override-snmp-sysinfo enable
config snmp-sysinfo
set status enable
set engine-id
<local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiGate_location>
end
next
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is
included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not
include the Fortinet prefix 0x8000304404.
To configure the SNMP community locally:
set override-snmp-community enable
config snmp-community
edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable

Fortinet, Inc.
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values locally:
set override-snmp-trap-threshold enable
config snmp-trap-threshold
set trap-high-cpu-threshold
<percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
next
end
To configure the SNMP user locally:
set override-snmp-user enable
config snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password_for_encryption_protocol>
end
next
end
Configuring sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact
performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch

Fortinet, Inc.
implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals
and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network
throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.
sFlow can monitor network traffic in two ways:
l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
l Counter samples—You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is
0.0.0.0, and the port number is 6343.
config switch-controller sflow
collector-ip <x.x.x.x>
collector-port <port_number>
end
Use the following CLI commands to configure sFlow:
config ports
edit <port_name>
set sflow-sampler {disabled | enabled}
set sflow-sample-rate <0-99999>
set sflow-counter-interval <1-255>
next
next
end
For example:
config switch-controller sflow
collector-ip 1.2.3.4
collector-port 10
end

edit S524DF4K15000024
config ports
edit port5
set sflow-sampler enabled
set sflow-sample-rate 10
set sflow-counter-interval 60
next
next
end

Fortinet, Inc.
Configuring flow tracking and export
You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet
Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all
FortiSwitch units, or on all FortiSwitch ingress ports.
When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the
specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking
configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
To configure flow tracking on managed FortiSwitch units:
config switch-controller flow-tracking
set sample-mode {local | perimeter | device-ingress}
set sample-rate <0-99999>
set format
{
netflow1 | netflow5 | netflow9 | ipfix}
set collector-ip <
collector IP address>
set collector-port <0-65535; default is 0>
set transport {udp | tcp | sctp}
set level {vlan | ip | port | proto}
set filter
<
string>
set max-export-pkt-size <
512-9216 bytes; default is 512>.
set timeout-general <60-604800 seconds; default is 3600>
set timeout-icmp <
60-604800 seconds; default is 300>.
set timeout-max <60-604800 seconds; default is 604800>
set timeout-tcp
<
60-604800 seconds; default is 3600>
set timeout-tcp-fin <
set timeout-tcp-rst <
set timeout-udp
<
end
Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.
l The local mode samples packets on a specific FortiSwitch port.
l The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports.
For perimeter mode, you can also configure the sampling rate.
l The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking.
For device-ingress mode, you can also configure the sampling rate.
Configure the sampling rate
For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of
packets. The default sampling rate is 1 out of 512 packets.
Configure the flow-tracking protocol
You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX
sampling.
Configure collector IP address
The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Fortinet, Inc.
Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.
Configure the flow-tracking level
You can set the flow-tracking level to one of the following:
l vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port,
protocol, Type of Service, and VLAN from the sample packet.
l ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
l port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and
protocol from the sample packet.
l proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample
packet.
Configure the filter
Use the Berkeley Packet Filter to specify what packets to sample.
Configure the maximum exported packet size
You can set the maximum size of exported packets in the application level.
To remove flow reports from a managed FortiSwitch unit:
execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all}
Expired flows are exported.
To view flow statistics for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>
To view raw flow records for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>
To view flow record data for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_
address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>
For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6
Configuring flow control and ingress pause metering
Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.

Fortinet, Inc.
config ports
edit <port_name>
set flow-control {both | rx | tx | disable}
next
end
end
Parameters enable flow control to do the following:
l rx—receive pause control frames
l tx—transmit pause control frames
l both—transmit and receive pause control frames
If you enable flow control to transmit pause control frames or to transmit and receive pause control frames, you can also
use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops the
traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when the
port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering rate in
kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config ports
edit <port_name>
set flow-control {tx | both}
set pause-meter <128–2147483647; set to 0 to disable>
set pause-meter-resume {25% | 50% | 75%}
next
end
end
For example:
edit S424ENTF19000007
config ports
edit port29
set flow-control tx
set pause-meter 900
set pause-meter-resume 50%
next
end
end

Fortinet, Inc.
Operation and maintenance
l Discovering, authorizing, and deauthorizing FortiSwitch units on page 173
l Managed FortiSwitch display on page 175
l Diagnostics and tools on page 177
l FortiSwitch ports display on page 180
l FortiSwitch per-port device visibility on page 180
l Displaying, resetting, and restoring port statistics on page 181
l Network interface display on page 182
l Data statistics on page 182
l Synchronizing the FortiGate unit with the managed FortiSwitch units on page 184
l Viewing and upgrading the FortiSwitch firmware version on page 184
l Canceling pending or downloading FortiSwitch upgrades on page 185
l Registering FortiSwitch to FortiCloud on page 185
l Replacing a managed FortiSwitch unit on page 188
l Executing custom FortiSwitch scripts on page 194
l Resetting PoE-enabled ports on page 195
Discovering, authorizing, and deauthorizing FortiSwitch units
l Editing a managed FortiSwitch unit on page 173
l Adding preauthorized FortiSwitch units on page 174
l Authorizing the FortiSwitch unit on page 174
l Deauthorizing FortiSwitch units on page 174
l Converting to FortiSwitch standalone mode on page 175
Editing a managed FortiSwitch unit
To edit a managed FortiSwitch unit:

2. Click on the FortiSwitch unit and then click Edit or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
l Change the Name and Description of the FortiSwitch unit.
l View the Status of the FortiSwitch unit.
l Restart the FortiSwitch.
l Authorize or deauthorize the FortiSwitch unit.
l Update the firmware running on the switch.

Fortinet, Inc.
l Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-
down action.
Adding preauthorized FortiSwitch units
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.
Authorizing the FortiSwitch unit
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the
following steps:
2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the
automatic authorization field of the interface.
Deauthorizing FortiSwitch units
A device can be deauthorized to remove it from the Security Fabric.
To deauthorize a device:
1. On the root FortiGate, go to Security Fabric > Fabric Connectors
2. In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, the devicesʼ serial numbers are saved in a trusted list that can be viewed in the CLI using
the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end

Fortinet, Inc.
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no
longer be managed by a FortiGate:
l execute switch-controller factory-reset <switch-id>—This command returns the FortiSwitch to
the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery,
FortiGate can detect and automatically authorize the FortiSwitch. For example:execute switch-controller
factory-reset S1234567890
l execute switch-controller switch-action set-standalone <switch-id>—This command
returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from
automatically detecting and authorizing the FortiSwitch. For example:execute switch-controller set-
standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
set disable-discovery <switch-id>
end
For example:
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using
the following commands:
append disable-discovery <switch-id>
unselect disable-discovery <switch-id>
end
For example:
append disable-discovery S012345678
unselect disable-discovery S1234567890
end
Managed FortiSwitch display
Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your FortiGate.

Select Topology from the drop-down menu in the upper right corner to see which devices are connected.
When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the
FortiSwitch faceplate), and the link between the ports is a solid line.

Fortinet, Inc.
If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the
FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be
down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out
of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware
running on the FortiGate unit.
From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from
the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.
Cloud icon indicates that the FortiSwitch unit is managed over layer 3
A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. The cloud icon is displayed in two
places in the GUI.
Go to WiFi Controller > Managed FortiSwitch and select Topology. In the following figure, the cloud icon over the
connection line indicates that S548DF4K16000730 is being managed over layer 3.

Fortinet, Inc.
Go to Security Fabric > Physical Topology. In the following figure, the cloud icon over the connection line indicates that

S548DF4K16000730 is being managed over layer 3.
Diagnostics and tools
The Diagnostics and Tools form reports the general health of the FortiSwitch unit, displays details about the FortiSwitch

unit, and allows you to run diagnostic tests.

Fortinet, Inc.
To view the Diagnostics and Tools form:

2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
From the Diagnostics and Tools form, you can do the following:
l Authorize or deauthorize the FortiSwitch.
l Upgrade the firmware running on the switch.
l Restart the FortiSwitch unit.
l Connect to CLI to run CLI commands.
l Show in List to return to the WiFi & Switch Controller > Managed FortiSwitch page.
l Go to the Edit Managed FortiSwitch form.
l Start or stop the LED Blink to identify a specific FortiSwitch unit. See Making the LEDs blink on page 179.
l Display a list of FortiSwitch ports and trunks and configuration details.

Fortinet, Inc.
l Run a Cable Test on a selected port. See Runnng the cable test on page 179.
l View the Logs for the FortiSwitch unit.
You can also access the Diagnostics and Tools form from the Security Fabric > Physical Topology page.
Making the LEDs blink
When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for
a specified number of minutes.
To identify a specific FortiSwitch unit:

3. Select LED Blink > Start and then select 5 minutes, 15 minutes, 30 minutes, or 60 minutes.
4. After you locate the FortiSwitch unit, select LED Blink > Stop.
NOTE: For the 5xx switches, LED Blink flashes only the SFP port LEDs, instead of all the port LEDs.
Runnng the cable test
NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.
You can check the state of cables connected to a specific port. The following pair states are supported:
l Open
l Short
l Ok
l Open_Short
l Unknown
l Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
Using the GUI:

3. Select Cable Test.
4. Select a port.
5. Select Diagnose.
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-
124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l Crosstalk cannot be detected.
l There is a 5-second delay before results are displayed.
l The value for the cable length is inaccurate.
l The results are inaccurate for open and short cables.

Fortinet, Inc.
FortiSwitch ports display
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 248E-FPOE:
Select Faceplates to get the following information:
l active ports (green)
l PoE-enabled ports (blue rectangle)
l FortiLink port (link icon)
If you device has PoE, the Faceplates page displays the total power budget and the actual power currently allocated.
The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved
power (power available for additional devices on the POE ports).
Each entry in the port list displays the following information:
l Port status (red for down, green for up)
l Port name
l If the port is a member of a trunk
l Access mode
l Enabled features
l Native VLAN
l Allowed VLANs
l PoE status
l Device information
l DHCP snooping status
l Transceiver information
FortiSwitch per-port device visibility
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each

device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:
diagnose switch-controller mac-cache show <switch-id>

Fortinet, Inc.
Displaying, resetting, and restoring port statistics
For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all
managed FortiSwitch units.
To display port statistics of a managed FortiSwitch unit:
diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_
name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats
S524DF4K15000024 port8
Vdom: dmgmt-vdom
Vdom: roort
Vdom: root

S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input
: 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers

Vdom: vdom-1
To reset the port statistics counters of a managed FortiSwitch unit:
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters
S524DF4K15000024 1,3,port6-7

NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the
counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered during
the time when the counters are reset might be discarded.
To restore the port statistics counters of a managed FortiSwitch unit:
diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID>
<port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters
S524DF4K15000024 port10-port11,internal

Fortinet, Inc.
Network interface display
On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI

indicates Dedicated to FortiSwitch in the IP/Netmask field.
Data statistics
This example shows a FortiLink scenario where the FortiGate acts as the switch controller that collects the data statistics
of managed FortiSwitch ports. This is counted by each FortiSwitch and concentrated in the controller.

Fortinet, Inc.
Sample topology
To show data statistics using the GUI:

2. Select Configure Table.
3. Select Bytes, Errors and Packets to make them visible.
The related data statistic of each managed FortiSwitch port is shown.
To show data statistics using the CLI:
# diagnose switch-controller switch-info port-stats S248EPTF180XXXX
......

Port(port50) is Admin up, line protocol is down
Interface Type is Gigabit Media Independent Interface(GMII)
Address is 70:4C:A5:E0:F3:8D, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
full-duplex, 1000 Mb/s, link type is manual
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
......

Fortinet, Inc.
Synchronizing the FortiGate unit with the managed FortiSwitch

units
You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each
managed FortiSwitch unit.
Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>
Viewing and upgrading the FortiSwitch firmware version
You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware
version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.
To view the FortiSwitch firmware version:

2. In the main panel, select the FortiSwitch faceplate and click Edit.
3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:

2. Select the faceplates of the FortiSwitch units that you want to upgrade.
3. Click Upgrade.The Upgrade FortiSwitches page opens.
4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all
FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at
a time for upgrading.
5. Select Upgrade.
Use the following command to stage a firmware image on all FortiSwitch units:
execute switch-controller switch-software stage all <image id>
Use the following command to upgrade the firmware image on one FortiSwitch unit:
execute switch-controller switch-software upgrade <switch id> <image id>
Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
set https-image-push enable
end
NOTE: The HTTPS download is enabled by default.

Fortinet, Inc.
From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using
a single execute command. The command includes the name of a firmware image file and all of the managed
FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>
You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.
execute switch-controller switch-action restart delay all
Canceling pending or downloading FortiSwitch upgrades
A FortiSwitch device in FortiLink mode can be upgrade using the FortiGate device.
If a connectivity issue occurs during the upgrade process and the FortiSwitch unit loses contact with the FortiGate
device, the FortiSwitch upgrade status can get stuck at Upgrading. Use the following CLI command to cancel the
process:
execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_number> |
switch-group <switch_group ID>}
all Cancel the firmware upgrade for all FortiSwitch units.
sn <FortiSwitch_serial_number> Cancel the firmware upgrade for the FortiSwitch unit with the specified
serial number.
switch-group <switch_group ID> Cancel the firmware upgrade for the FortiSwitch units belonging to the
specified switch group.
For example, to cancel the upgrade of a FortiSwitch unit with the specified serial number:
execute switch-controller switch-software cancel sn S248EPTF180018XX
Registering FortiSwitch to FortiCloud
After authorizing a FortiSwitch, administrators can register the FortiSwitch to FortiCloud directly from the FortiOS GUI.

Fortinet, Inc.
To register the FortiSwitch in the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitch and ensure the Topology view is selected.

2. In the topology, right-click on an unregistered device and click Registration.
3. Complete the device registration wizard:
a. Click Register to proceed.

Fortinet, Inc.
b. Enter the FortiCloud account information and click Submit.
The registration information is submitted to FortiCare, and FortiOS attempts to collect the registration status
from FortiGuard. Since FortiGuard and FortiCare synchronize periodically, the registration status may not
update immediately (it may take up to a few hours).
c. Click Close.
4. After a while, go back to WiFi & Switch Controller > Managed FortiSwitch.
5. Right-click on the device and click Registration. The device is shown as Registered to the corresponding FortiCloud
account.

Fortinet, Inc.
To register the FortiSwitch in the CLI:
# diagnose forticare direct-registration product-registration -N S124DP3X15000000 -a
[email protected] -p LDAP -T "CA" -R "other" -e 1
Account info:

contract_number=[] account_id=[[email protected]] password=[***]
reseller_id=0 reseller=[other]
first_name=[] last_name=[] company=[]
title=[] address=[] city=[]
state=[] state_code=[] country_code=0
post_code=[] phone=[] fax=[]
industry=[] industry_id=0 orgsize=[] orgsize_id=0
version=0 SN=[S124DP3X15000000] existing=1
Prepare to register product into this account.

Do you want to continue? (y/n)y

Registration successful

Replacing a managed FortiSwitch unit
If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same
FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The
failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.
NOTE:
l Both FortiSwitch units must be of the same model.
l The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
l If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL
trunk.
l After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want
different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At
the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.

Fortinet, Inc.
l If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch
to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the
FortiGate unit with the correct configuration.
l The best way to replace a MCLAG FortiSwitch unit in FortiLink:
a. Back up the configuration of the failed FortiSwitch unit.
b. Restore the configuration to the replaced Fortiswitch unit while it is offline.
c. Enter the replace-device command in FortiOS.
d. Physically replace the failed FortiSwitch unit.
To replace a managed FortiSwitch unit:
1. Unplug the failed FortiSwitch unit.
2. Plug in the replacement FortiSwitch unit.
3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed
FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 184.
4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
5. Check the serial number of the replacement FortiSwitch unit.
6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
7. Select the faceplate of the failed FortiSwitch unit.
8. Select Deauthorize.
9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new
switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed
the FortiGate unit with the correct configuration.
10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:
config vdom
edit <VDOM_name>
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_
FortiSwitch_serial_number>
For example:
config vdom
edit vdom_new
execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026
If the failed FortiSwitch unit was not part of a VDOM, enter the following command:
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_
FortiSwitch_serial_number>
An error is returned if the replacement FortiSwitch unit is authorized.
11. Authorize the replaced managed FortiSwitch unit.
12. Connect the rest of the cables required for the uplinks and downlinks for the MCLAG FortiSwitch units.
To rename the MCLAG-ICL trunk:
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different
trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You
need a maintenance window for the change.

Fortinet, Inc.
1. Shut down the FortiLink interface on the FortiGate unit.
a. On the FortiGate unit, execute the show system interface command. For example:
FG3K2D3Z17800156 # show system interface root-lag

c
onfig system interface

e
dit "root-lag"

s
et vdom "root"

s
et fortilink enable

s
et ip 10.105.60.254 255.255.255.0

s
et allowaccess ping capwap

s
et type aggregate

s
et member "port45" "port48"

c
onfig managed-device
b. Write down the member port information. In this example, port45 and port48 are the member ports.
c. Shut down the member ports with the config system interface, edit <member-port#>, set
status down, and end commands. For example:
FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status down
FG3K2D3Z17800156 (port48) # next
/
/ repeat for each member port
FG3K2D3Z17800156 (interface) # edit port45

FG3K2D3Z17800156 (port45) # set status down

FG3K2D3Z17800156 (port45) # end
d. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For
example:
FG3K2D3Z17800156 # exec switch-controller get-conn-status

S
TACK-NAME: FortiSwitch-Stack-root-lag

S
WITCH-ID
V
ERSION
S
TATUS
A DDRESS
J
OIN-TIME
N
AME

F
S1D483Z17000282 v6.0.0
A
uthorized/Down 0.0.0.0
N
/A

icl-sw2

F
S1D483Z17000348 v6.0.0
A
uthorized/Down 0.0.0.0
N
/A

icl-sw1
2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
a. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that
includes the set mclag-icl enable command in its configuration and write down the member ports and
configuration information. For example:
icl-sw1 # show switch trunk
config switch trunk
...
edit "D483Z17000282-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
// look for this line
set members "port27" "port28" // note the member ports
next
end

Fortinet, Inc.
b. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch
mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For
example:
icl-sw1 # show switch interface D483Z17000282-0
edit "D483Z17000282-0"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set stp-state disabled
set edge-port disabled
set igmps-flood-reports enable
set igmps-flood-traffic enable
set snmp-index 57
next
end
icl-sw1 # diag switch mclag icl
D483Z17000282-0
icl-ports
2 7-28
egress-block-ports 3 -4,7-12,47-48
interface-mac 7
0:4c:a5:86:6d:e5
lacp-serial-number F S1D483Z17000348
peer-mac
7
0:4c:a5:49:50:53
peer-serial-number F S1D483Z17000282
Local uptime
0 days 1h:49m:24s
Peer uptime 0
days 1h:49m:17s
MCLAG-STP-mac 7
0:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 6
0
Counters
received keepalive packets 4
852
transmited keepalive packets
5293
received keepalive drop packets 2
0
receive keepalive miss 1

icl-sw1 # diagnose switch trunk sum D483Z17000282-0
Trunk Name M
ode
P
SC M
AC
S tatus
U p Time
________________ _ ________________________
___________
_________________
_______
____
_________________________________
D483Z17000282-0 l
acp-active(auto-isl,mclag-icl) src-dst-ip
7
0:4C:A5:86:6E:00
up
(2/2) 0
days,0 hours,16 mins,4 secs
c. Shut down the ICL member ports using the config switch physical-port, edit <member port#>,
set status down, next, and end commands. For example:
icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status down
icl-sw1 (port27) # n // repeat for each ICL member port
icl-sw1 (port28) # set status down

Fortinet, Inc.
icl-sw1 (port28) # next
icl-sw1 (physical-port) # end
d. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete
<mclag-icl-trunk-name>, and end commands. For example:
icl-sw1 # config switch trunk
icl-sw1 (trunk) # delete D483Z17000282-0
e. Use the show switch trunk command to verify that the trunk is deleted.
f. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the
set auto-isl 0 command in the configuration. For example:
icl-sw1 # config switch trunk
icl-sw1 (trunk) # edit MCLAG-ICL
new entry 'MCLAG-ICL' added
icl-sw1 (MCLAG-ICL) #set mode lacp-active
icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
icl-sw1 (MCLAG-ICL) #set mclag-icl enable
icl-sw1 (MCLAG-ICL) # end
g. Use the show switch trunk command to check the trunk configuration.
h. Start the trunk member ports by using the config switch physical-port, edit <member port#>,
set status up, next, and end commands. For example:
icl-sw1 # config switch physical-port
icl-sw1 (port27) # set status up
icl-sw1 (port27) # next // repeat for each trunk member port
icl-sw1 (port28) # set status up
icl-sw1 (port28) # end
NOTE: Follow steps 2a through 2h on both switches.
3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-
member-port>, set status up, next, and end commands. For example:
FG3K2D3Z17800156 # config system interface

F
G3K2D3Z17800156 (interface) # edit port45

F
G3K2D3Z17800156 (port45) # set status up

F
G3K2D3Z17800156 (port45) # next // repeat on all member ports

F
G3K2D3Z17800156 (interface) # edit port48

F
G3K2D3Z17800156 (port48) # set status up

F
G3K2D3Z17800156 (port48) # next

F
G3K2D3Z17800156 (interface) # end
4. Check the configuration and status on both MCLAG-ICL switches
a. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk
summary <new-trunk-name> commands. For example:
icl-sw1 # show switch trunk

c
onfig switch trunk

Fortinet, Inc.

<
snip>

e
dit "MCLAG-ICL"

s
et mode lacp-active

s
et mclag-icl enable

s
et members "port27" "port28"

n
ext

e
nd

i
cl-sw1 # show switch interface MCLAG-ICL

c
onfig switch interface

e
dit "MCLAG-ICL"

s
et native-vlan 4094

s
et allowed-vlans 1,100,2001-2060,4093

s
et dhcp-snooping trusted

s
et stp-state disabled

s
et igmps-flood-reports enable

s
et igmps-flood-traffic enable

s
et snmp-index 56

n
ext

e
nd

i
cl-sw1 # diagnose switch mclag icl

M
CLAG-ICL

i
cl-ports
2 7-28

e
gress-block-ports 3 -4,7-12,47-48

i
nterface-mac 7 0:4c:a5:86:6d:e5

l
acp-serial-number F S1D483Z17000348

p
eer-mac
7
0:4c:a5:49:50:5

p
eer-serial-number F S1D483Z17000282

L
ocal uptime 0
days 2h:11m:13s

P
eer uptime
0 days 2h:11m: 7s

M
CLAG-STP-mac 7 0:4c:a5:49:50:52

k
eepalive interval 1

k
eepalive timeout 6
0

C
ounters

r
eceived keepalive packets
5
838

t
ransmited keepalive packets
6
279

r
eceived keepalive drop packets
2
7

r
eceive keepalive miss
1

i
cl-sw1 # diagnose switch trunk summary MCLAG-ICL

T
runk Name
M
ode
P
SC
MAC
S
tatus
U
p Time

_
_______________
_ ________________________
___________
_________________
______
_____
_________________________________

M
CLAG-ICL
l
acp-active(auto-isl,mclag-icl)
src-dst-ip
7
0:4C:A5:86:6E:00
up(2/2)

0 days,1 hours,4 mins,57 secs
b. Compare the command results in step 4a with the command results in step 2b.

Fortinet, Inc.
Executing custom FortiSwitch scripts
From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains
generic FortiSwitch commands.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.
l Creating a custom script on page 194
l Executing a custom script once on page 194
l Binding a custom script to a managed switch on page 194
Creating a custom script
Use the following syntax to create a custom script from the FortiGate unit:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch_command>"
end

NOTE: You need to use %0a to indicate a return.
For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
Executing a custom script once
After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the
custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch
unit:
execute switch-controller custom-command <cmd-name> <target-switch>
For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118
Binding a custom script to a managed switch
If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the
managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be
overwritten locally.
Use the following syntax to bind a custom script to a managed switch:

Fortinet, Inc.
edit "<FortiSwitch_serial_number>"
config custom-command
edit <custom_script_entry>
set command-name "<name_of_custom_script>"
next
end
next
end
For example:
edit "S524DF4K15000024"
config custom-command
edit 1
set command-name "stp-age-10"
next
end
next
end
Resetting PoE-enabled ports
If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-

enabled ports and select Reset PoE from the context menu.
You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In
the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Fortinet, Inc.
www.fortinet.com
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiSwitch-7.0.0-FortiSwitch Managed by FortiOS 7.0

Uploaded by

Copyright:

Available Formats

FortiSwitch-7.0.0-FortiSwitch Managed by FortiOS 7.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiSwitch-7.0.0-FortiSwitch Managed by FortiOS 7.0

Uploaded by

Copyright:

Available Formats

FortiSwitch Managed by FortiOS

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

May 13, 2021

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 3

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 4

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 5

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 6

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 7

Date Change Description

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 8

l Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 9

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 10

GUI and CLI changes

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 11

FortiGate Model Range Number of

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 12

Support of FortiLink features

Before you begin

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 13

To work around this issue:

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 14

1. Enabling the switch controller on the FortiGate unit

Using the FortiGate GUI

1. Go to System > Feature Visibility.

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 15

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

2. Configuring the FortiLink interface

Using the FortiGate GUI

Configure the FortiLink interface

To configure the FortiLink interface on the FortiGate unit:

1. Go to WiFi & Switch Controller > FortiLink Interface.

FortiLink split interface

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 16

Using the FortiGate GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.

Using the FortiGate CLI:

Using the FortiGate CLI

Summary of the procedure

2.1 Custom FortiLink interfaces

Choosing the FortiGate ports

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 17

Configure FortiLink on a physical port

Configure FortiLink on a logical interface

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 18

Using the GUI:

Using the CLI:

3. Auto-discovery of the FortiSwitch ports

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 19

FortiSwitch Model Default Auto-FortiLink ports

FortiSwitch 7.0.0 FortiSwitch Managed by FortiOS 7.0 20

Automatic inter-switch links (ISLs)

Static ISL trunks

To manually create an ISL trunk:

Deleting a FortiLink interface