CLI Reference

config switch-controller global

Configure FortiSwitch global settings.

config switch-controller global
    Description: Configure FortiSwitch global settings.
    set bounce-quarantined-link [disable|enable]
    config custom-command
        Description: List of custom commands to be pushed to all FortiSwitches in the VDOM.
        edit <command-entry>
            set command-name {string}
        next
    end
    set default-virtual-switch-vlan {string}
    set dhcp-option82-circuit-id {option1}, {option2}, ...
    set dhcp-option82-format [ascii|legacy]
    set dhcp-option82-remote-id {option1}, {option2}, ...
    set dhcp-server-access-list [enable|disable]
    set dhcp-snoop-client-db-exp {integer}
    set dhcp-snoop-client-req [drop-untrusted|forward-untrusted]
    set dhcp-snoop-db-per-port-learn-limit {integer}
    set disable-discovery <name1>, <name2>, ...
    set fips-enforce [disable|enable]
    set firewall-auth-user-hold-period {integer}
    set firmware-provision-on-authorization [enable|disable]
    set https-image-push [enable|disable]
    set log-mac-limit-violations [enable|disable]
    set mac-aging-interval {integer}
    set mac-event-logging [enable|disable]
    set mac-retention-period {integer}
    set mac-violation-timer {integer}
    set quarantine-mode [by-vlan|by-redirect]
    set sn-dns-resolution [enable|disable]
    set switch-custom-cmd [on-replay|on-any]
    set switch-on-deauth [no-op|factory-reset]
    set update-user-device {option1}, {option2}, ...
    set vlan-all-mode [all|defined]
    set vlan-identity [description|name]
    set vlan-optimization [prune|configured|...]
end

config switch-controller global

Each parameter is listed with its description, type, size and default value, followed by the accepted options where the type is "option".

bounce-quarantined-link
    Description: Enable/disable bouncing (administratively bringing the link down and up) of the switch port where a quarantined device was last seen. This helps to re-initiate the DHCP process for the device.
    Type: option
    Default: disable
    Options:
        disable: Disable bouncing (administratively bringing the link down and up) of the switch port where a quarantined device was last seen.
        enable: Enable bouncing (administratively bringing the link down and up) of the switch port where a quarantined device was last seen.

default-virtual-switch-vlan
    Description: Default VLAN for ports when added to the virtual-switch.
    Type: string
    Size: maximum length 15

dhcp-option82-circuit-id
    Description: List of the parameters to include in the circuit-id to identify the client.
    Type: option
    Default: intfname vlan mode
    Options:
        intfname: Interface name.
        vlan: VLAN name.
        hostname: Hostname.
        mode: Mode.
        description: Description.

dhcp-option82-format
    Description: DHCP option-82 format string.
    Type: option
    Default: ascii
    Options:
        ascii: Allow the user to choose the values for circuit-id and remote-id. Format: cid=[hostname,interface,mode,vlan,description] rid=[hostname,xx:xx:xx:xx:xx:xx,ip]
        legacy: Generate a predefined fixed format for circuit-id and remote-id. Format: cid=hostname-[<vlan:16><mod:8><port:8>].32bit, rid=[mac(0.6)].48bit

dhcp-option82-remote-id
    Description: List of the parameters to include in the remote-id to identify the client.
    Type: option
    Default: mac
    Options:
        mac: MAC address.
        hostname: Hostname.
        ip: IP address.

dhcp-server-access-list
    Description: Enable/disable the DHCP snooping server access list.
    Type: option
    Default: disable
    Options:
        enable: Enable the DHCP server access list.
        disable: Disable the DHCP server access list.

dhcp-snoop-client-db-exp
    Description: Expiry time for DHCP snooping server database entries (300 - 259200 sec, default = 86400 sec).
    Type: integer
    Size: minimum value 300, maximum value 259200
    Default: 86400

dhcp-snoop-client-req
    Description: Client DHCP packet broadcast mode.
    Type: option
    Default: drop-untrusted
    Options:
        drop-untrusted: Broadcast packets on trusted ports in the VLAN.
        forward-untrusted: Broadcast packets on all ports in the VLAN.

dhcp-snoop-db-per-port-learn-limit
    Description: Per-interface learn limit for dhcp-server entries (0 - 1024, default = 64).
    Type: integer
    Size: minimum value 0, maximum value 2048
    Default: 64

disable-discovery <name>
    Description: Prevent discovery of this FortiSwitch. <name> is the FortiSwitch serial number.
    Type: string
    Size: maximum length 79

fips-enforce
    Description: Enable/disable enforcement of FIPS on managed FortiSwitch devices.
    Type: option
    Default: enable
    Options:
        disable: Disable enforcement of FIPS on managed FortiSwitch devices.
        enable: Enable enforcement of FIPS on managed FortiSwitch devices.

firewall-auth-user-hold-period
    Description: Time period in minutes to hold firewall-authenticated MAC users (5 - 1440, default = 5, disable = 0).
    Type: integer
    Size: minimum value 5, maximum value 1440
    Default: 5

firmware-provision-on-authorization
    Description: Enable/disable automatic provisioning of the latest firmware on authorization.
    Type: option
    Default: disable
    Options:
        enable: Enable firmware provisioning on authorization.
        disable: Disable firmware provisioning on authorization.

https-image-push
    Description: Enable/disable image push to FortiSwitch using HTTPS.
    Type: option
    Default: enable
    Options:
        enable: Enable image push to FortiSwitch using HTTPS.
        disable: Disable image push to FortiSwitch using HTTPS.

log-mac-limit-violations
    Description: Enable/disable logging of Learning Limit Violations.
    Type: option
    Default: disable
    Options:
        enable: Enable logging of Learning Limit Violations.
        disable: Disable logging of Learning Limit Violations.

mac-aging-interval
    Description: Time after which an inactive MAC is aged out (10 - 1000000 sec, default = 300, 0 = disable).
    Type: integer
    Size: minimum value 10, maximum value 1000000
    Default: 300

mac-event-logging
    Description: Enable/disable MAC address event logging.
    Type: option
    Default: disable
    Options:
        enable: Enable MAC address event logging.
        disable: Disable MAC address event logging.

mac-retention-period
    Description: Time in hours after which an inactive MAC is removed from the client DB (0 = aged out based on mac-aging-interval).
    Type: integer
    Size: minimum value 0, maximum value 168
    Default: 24

mac-violation-timer
    Description: Set the timeout for Learning Limit Violations (0 = disabled).
    Type: integer
    Size: minimum value 0, maximum value 4294967295
    Default: 0

quarantine-mode
    Description: Quarantine mode.
    Type: option
    Default: by-vlan
    Options:
        by-vlan: Quarantined device traffic is sent to the FortiGate on a separate quarantine VLAN.
        by-redirect: Quarantined device traffic is redirected only to the FortiGate on the received VLAN.

sn-dns-resolution
    Description: Enable/disable DNS resolution of the FortiSwitch unit's IP address with the switch name.
    Type: option
    Default: enable
    Options:
        enable: Enable DNS resolution of the FortiSwitch unit's IP address with the switch name.
        disable: Disable DNS resolution of the FortiSwitch unit's IP address with the switch name.

switch-custom-cmd *
    Description: Configure the push method for switch-bound custom commands.
    Type: option
    Default: on-replay
    Options:
        on-replay: Push switch-bound custom commands only when the full config is replayed.
        on-any: Push switch-bound custom commands whenever any config on the FortiSwitch is updated.

switch-on-deauth
    Description: No-operation/factory-reset the managed FortiSwitch on deauthorization.
    Type: option
    Default: no-op
    Options:
        no-op: No operation on the managed FortiSwitch on deauthorization.
        factory-reset: Factory-reset the managed FortiSwitch on deauthorization.

update-user-device
    Description: Control which sources update the device user list.
    Type: option
    Default: mac-cache lldp dhcp-snooping l2-db l3-db
    Options:
        mac-cache: Update MAC addresses from the switch-controller mac-cache.
        lldp: Update from the FortiSwitch LLDP neighbor database.
        dhcp-snooping: Update from the FortiSwitch DHCP snooping client and server databases.
        l2-db: Update from the FortiSwitch Network-monitor Layer 2 tracking database.
        l3-db: Update from the FortiSwitch Network-monitor Layer 3 tracking database.

vlan-all-mode
    Description: VLAN configuration mode: user-defined VLANs or all possible VLANs.
    Type: option
    Default: defined
    Options:
        all: Include all possible VLANs (1-4093).
        defined: Include user-defined VLANs.

vlan-identity
    Description: Identity of the VLAN. Commonly used for the RADIUS Tunnel-Private-Group-Id.
    Type: option
    Default: name
    Options:
        description: Set the VLAN description to the FortiOS interface description if available; otherwise use the interface name.
        name: Set the VLAN description to the FortiOS interface name.

vlan-optimization
    Description: FortiLink VLAN optimization.
    Type: option
    Default: configured
    Options:
        prune: Enable VLAN optimization (only VLANs necessary on or along the path between destinations) on FortiSwitch units for auto-generated trunks.
        configured: Enable VLAN optimization (only VLANs created on the FortiLink interface) on FortiSwitch units for auto-generated trunks.
        none: Disable VLAN optimization on FortiSwitch units for auto-generated trunks.

* This parameter may not exist in some models.
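Several of the parameters above decide how much a managed FortiSwitch estate can be trusted (FIPS enforcement, HTTPS image push, DHCP snooping behaviour, MAC event logging), and a FortiOS configuration export omits any value left at its default, so an audit must fill in the defaults from this reference before judging. The following is an added example, not Fortinet code: it parses a `config switch-controller global` stanza, applies the documented defaults, and reports settings that differ from a hardened baseline chosen here as an assumption; the sample export is constructed.

```python
import re

# Defaults from this reference; a FortiOS export omits values left at default.
DEFAULTS = {
    "fips-enforce": "enable",
    "dhcp-snoop-client-req": "drop-untrusted",
    "log-mac-limit-violations": "disable",
    "mac-event-logging": "disable",
}
# Hardened values this audit expects (a policy choice, not a Fortinet default).
EXPECTED = {
    "fips-enforce": "enable",
    "dhcp-snoop-client-req": "drop-untrusted",
    "log-mac-limit-violations": "enable",
    "mac-event-logging": "enable",
}
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")

def parse_global(config_text):
    """Return {parameter: value} from 'config switch-controller global' only."""
    values, depth, inside = {}, 0, False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config switch-controller global":
            inside = True
        elif not inside:
            continue
        elif s.startswith("config "):
            depth += 1          # nested block such as 'config custom-command'
        elif s == "end":
            if depth == 0:
                break           # closing 'end' of the global stanza
            depth -= 1
        elif depth == 0:        # 'set' lines inside nested blocks are skipped
            m = SET_RE.match(line)
            if m:
                values[m.group(1)] = m.group(2).strip('"')
    return values

def audit_global(config_text):
    """Return sorted (parameter, effective_value, expected_value) findings."""
    effective = {**DEFAULTS, **parse_global(config_text)}
    return sorted((p, effective[p], want) for p, want in EXPECTED.items()
                  if effective[p] != want)

# Constructed sample export: weakened global stanza with a nested block.
SAMPLE = """config switch-controller global
    set fips-enforce disable
    set dhcp-snoop-client-req forward-untrusted
    set mac-event-logging enable
    config custom-command
        edit "cmd1"
            set command-name "cmd1"
        next
    end
end
"""
```

Running `audit_global(SAMPLE)` reports fips-enforce and dhcp-snoop-client-req as explicitly weakened and log-mac-limit-violations as left at its disabled default, while the nested `command-name` line is not mistaken for a global parameter.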

config custom-command

command-entry
    Description: List of FortiSwitch commands.
    Type: string
    Size: maximum length 35

command-name
    Description: Name of the custom command to push to all FortiSwitches in the VDOM.
    Type: string
    Size: maximum length 35
