config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch
    Description: Configure FortiSwitch devices that are managed by this FortiGate.
    edit <switch-id>
        config 802-1X-settings
            Description: Configuration method to edit FortiSwitch 802.1X global settings.
            set allow-mac-move [disable|enable]
            set link-down-auth [set-unauth|no-action]
            set local-override [enable|disable]
            set mab-entry-as [static|dynamic]
            set mab-reauth [disable|enable]
            set mac-called-station-delimiter [colon|hyphen|...]
            set mac-calling-station-delimiter [colon|hyphen|...]
            set mac-case [lowercase|uppercase]
            set mac-password-delimiter [colon|hyphen|...]
            set mac-username-delimiter [colon|hyphen|...]
            set max-reauth-attempt {integer}
            set reauth-period {integer}
            set tx-period {integer}
        end
        set access-profile {string}
        config components
            Description: Managed-switch component list.
            edit <name>
                set admin-status [disable|enable]
                set capability {user}
                set component-id {integer}
                set description {string}
                set dynamically-discovered {integer}
                set max-allowed-trunk-members {integer}
                set poe-detection-type {integer}
                set role [None|Primary|...]
                set serial-number {string}
                set status [offline|online]
                set sw-version {string}
                set switch-id {string}
                set type [stack-node|supervisor|...]
                set version {integer}
            next
        end
        config custom-command
            Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
            edit <command-entry>
                set command-name {string}
            next
        end
        set delayed-restart-trigger {integer}
        set description {string}
        set dhcp-server-access-list [global|enable|...]
        config dhcp-snooping-static-client
            Description: Configure FortiSwitch DHCP snooping static clients.
            edit <name>
                set ip {ipv4-address}
                set mac {mac-address}
                set port {string}
                set vlan {string}
            next
        end
        set directly-connected {integer}
        set dynamic-capability {user}
        set dynamically-discovered {integer}
        set firmware-provision [enable|disable]
        set firmware-provision-latest [disable|once]
        set firmware-provision-version {string}
        set flow-identity {user}
        set fsw-wan1-admin [discovered|disable|...]
        set fsw-wan1-peer {string}
        config igmp-snooping
            Description: Configure FortiSwitch IGMP snooping global settings.
            set aging-time {integer}
            set flood-unknown-multicast [enable|disable]
            set local-override [enable|disable]
            config vlans
                Description: Configure IGMP snooping VLAN.
                edit <vlan-name>
                    set proxy [disable|enable|...]
                    set querier [disable|enable]
                    set querier-addr {ipv4-address}
                    set version {integer}
                next
            end
        end
        config ip-source-guard
            Description: IP source guard.
            edit <port>
                config binding-entry
                    Description: IP and MAC address configuration.
                    edit <entry-name>
                        set ip {ipv4-address-any}
                        set mac {mac-address}
                    next
                end
                set description {string}
            next
        end
        set l3-discovered {integer}
        set max-allowed-trunk-members {integer}
        set max-poe-budget {integer}
        set mclag-igmp-snooping-aware [enable|disable]
        set mgmt-mode {integer}
        config mirror
            Description: Configuration method to edit FortiSwitch packet mirror.
            edit <name>
                set dst {string}
                set src-egress <name1>, <name2>, ...
                set src-ingress <name1>, <name2>, ...
                set status [active|inactive]
                set switching-packet [enable|disable]
            next
        end
        set override-snmp-community [enable|disable]
        set override-snmp-sysinfo [disable|enable]
        set override-snmp-trap-threshold [enable|disable]
        set override-snmp-user [enable|disable]
        set owner-vdom {string}
        set poe-detection-type {integer}
        set poe-pre-standard-detection [enable|disable]
        set port-selection-criteria [src-mac|dst-mac|...]
        config ports
            Description: Managed-switch port list.
            edit <port-name>
                set access-mode [dynamic|nac|...]
                set acl-group <name1>, <name2>, ...
                set aggregator-mode [bandwidth|count]
                set allow-arp-monitor [disable|enable]
                set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                set allowed-vlans-all [enable|disable]
                set arp-inspection-trust [untrusted|trusted]
                set authenticated-port {integer}
                set bundle [enable|disable]
                set description {string}
                config dhcp-snoop-option82-override
                    Description: Configure DHCP snooping option 82 override.
                    edit <vlan-name>
                        set circuit-id {string}
                        set remote-id {string}
                    next
                end
                set dhcp-snoop-option82-trust [enable|disable]
                set dhcp-snooping [untrusted|trusted]
                set discard-mode [none|all-untagged|...]
                set edge-port [enable|disable]
                set eee-tx-idle-time {integer}
                set eee-tx-wake-time {integer}
                set encrypted-port {integer}
                set energy-efficient-ethernet [disable|enable]
                set export-to {string}
                set export-to-pool {string}
                set fallback-port {string}
                set fec-capable {integer}
                set fec-state [disabled|cl74|...]
                set fgt-peer-device-name {string}
                set fgt-peer-port-name {string}
                set fiber-port {integer}
                set flags {integer}
                set flap-duration {integer}
                set flap-rate {integer}
                set flap-timeout {integer}
                set flapguard [enable|disable]
                set flow-control [disable|tx|...]
                set fortilink-port {integer}
                set fortiswitch-acls <id1>, <id2>, ...
                set igmp-snooping-flood-reports [enable|disable]
                set interface-tags <tag-name1>, <tag-name2>, ...
                set ip-source-guard [disable|enable]
                set isl-local-trunk-name {string}
                set isl-peer-device-name {string}
                set isl-peer-device-sn {string}
                set isl-peer-port-name {string}
                set lacp-speed [slow|fast]
                set learning-limit {integer}
                set lldp-profile {string}
                set lldp-status [disable|rx-only|...]
                set log-mac-event [disable|enable]
                set loop-guard [enabled|disabled]
                set loop-guard-timeout {integer}
                set mac-addr {mac-address}
                set matched-dpp-intf-tags {string}
                set matched-dpp-policy {string}
                set max-bundle {integer}
                set mcast-snooping-flood-traffic [enable|disable]
                set mclag [enable|disable]
                set mclag-icl-port {integer}
                set media-type {string}
                set member-withdrawal-behavior [forward|block]
                set members <member-name1>, <member-name2>, ...
                set min-bundle {integer}
                set mode [static|lacp-passive|...]
                set p2p-port {integer}
                set packet-sample-rate {integer}
                set packet-sampler [enabled|disabled]
                set pause-meter {integer}
                set pause-meter-resume [75%|50%|...]
                set pd-capable {integer}
                set poe-capable {integer}
                set poe-max-power {string}
                set poe-max-power-mode [class-based|30W|...]
                set poe-mode-bt-cabable {integer}
                set poe-port-mode [ieee802-3af|ieee802-3at|...]
                set poe-port-power [normal|perpetual|...]
                set poe-port-priority [critical-priority|high-priority|...]
                set poe-pre-standard-detection [enable|disable]
                set poe-standard {string}
                set poe-status [enable|disable]
                set port-number {integer}
                set port-owner {string}
                set port-policy {string}
                set port-prefix-type {integer}
                set port-security-policy {string}
                set port-selection-criteria [src-mac|dst-mac|...]
                set ptp-policy {string}
                set ptp-status [disable|enable]
                set qnq {string}
                set qos-policy {string}
                set restricted-auth-port {integer}
                set rpvst-port [disabled|enabled]
                set sample-direction [tx|rx|...]
                set sflow-counter-interval {integer}
                set speed [10half|10full|...]
                set stacking-port {integer}
                set status [up|down]
                set sticky-mac [enable|disable]
                set storm-control-policy {string}
                set stp-bpdu-guard [enabled|disabled]
                set stp-bpdu-guard-timeout {integer}
                set stp-root-guard [enabled|disabled]
                set stp-state [enabled|disabled]
                set switch-id {string}
                set type [physical|trunk]
                set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                set vlan {string}
            next
        end
        set pre-provisioned {integer}
        set ptp-profile {string}
        set ptp-status [disable|enable]
        set purdue-level [1|1.5|...]
        set qos-drop-policy [taildrop|random-early-detection]
        set qos-red-probability {integer}
        set radius-nas-ip {ipv4-address}
        set radius-nas-ip-override [disable|enable]
        config remote-log
            Description: Configure logging by FortiSwitch device to a remote syslog server.
            edit <name>
                set csv [enable|disable]
                set facility [kernel|user|...]
                set port {integer}
                set server {string}
                set severity [emergency|alert|...]
                set status [enable|disable]
            next
        end
        set route-offload [disable|enable]
        set route-offload-mclag [disable|enable]
        config route-offload-router
            Description: Configure route offload MCLAG IP address.
            edit <vlan-name>
                set router-ip {ipv4-address}
            next
        end
        config router-static
            Description: Configure static routes.
            edit <id>
                set blackhole [disable|enable]
                set comment {string}
                set device {string}
                set distance {integer}
                set dst {ipv4-classnet}
                set dynamic-gateway [disable|enable]
                set gateway {ipv4-address}
                set status [disable|enable]
                set switch-id {string}
                set vrf {string}
            next
        end
        config router-vrf
            Description: Configure VRF.
            edit <name>
                set switch-id {string}
                set vrfid {integer}
            next
        end
        set sn {string}
        config snmp-community
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
            edit <id>
                set events {option1}, {option2}, ...
                config hosts
                    Description: Configure IPv4 SNMP managers (hosts).
                    edit <id>
                        set ip {user}
                    next
                end
                set name {string}
                set query-v1-port {integer}
                set query-v1-status [disable|enable]
                set query-v2c-port {integer}
                set query-v2c-status [disable|enable]
                set status [disable|enable]
                set trap-v1-lport {integer}
                set trap-v1-rport {integer}
                set trap-v1-status [disable|enable]
                set trap-v2c-lport {integer}
                set trap-v2c-rport {integer}
                set trap-v2c-status [disable|enable]
            next
        end
        config snmp-sysinfo
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
            set contact-info {string}
            set description {string}
            set engine-id {string}
            set location {string}
            set status [disable|enable]
        end
        config snmp-trap-threshold
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
            set trap-high-cpu-threshold {integer}
            set trap-log-full-threshold {integer}
            set trap-low-memory-threshold {integer}
        end
        config snmp-user
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
            edit <name>
                set auth-proto [md5|sha1|...]
                set auth-pwd {password}
                set priv-proto [aes128|aes192|...]
                set priv-pwd {password}
                set queries [disable|enable]
                set query-port {integer}
                set security-level [no-auth-no-priv|auth-no-priv|...]
            next
        end
        set staged-image-version {string}
        config static-mac
            Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
            edit <id>
                set description {string}
                set interface {string}
                set mac {mac-address}
                set type [static|sticky]
                set vlan {string}
            next
        end
        config storm-control
            Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
            set broadcast [enable|disable]
            set burst-size-level {integer}
            set local-override [enable|disable]
            set rate {integer}
            set unknown-multicast [enable|disable]
            set unknown-unicast [enable|disable]
        end
        config stp-instance
            Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
            edit <id>
                set priority [0|4096|...]
            next
        end
        config stp-settings
            Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
            set forward-time {integer}
            set hello-time {integer}
            set local-override [enable|disable]
            set max-age {integer}
            set max-hops {integer}
            set name {string}
            set pending-timer {integer}
            set revision {integer}
        end
        set switch-device-tag {string}
        set switch-dhcp_opt43_key {string}
        config switch-log
            Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
            set local-override [enable|disable]
            set severity [emergency|alert|...]
            set status [enable|disable]
        end
        set switch-profile {string}
        config system-dhcp-server
            Description: Configure DHCP servers.
            edit <id>
                set default-gateway {ipv4-address}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set dns-server3 {ipv4-address}
                set dns-service [local|default|...]
                set interface {string}
                config ip-range
                    Description: DHCP IP range configuration.
                    edit <id>
                        set end-ip {ipv4-address}
                        set start-ip {ipv4-address}
                    next
                end
                set lease-time {integer}
                set netmask {ipv4-netmask}
                set ntp-server1 {ipv4-address}
                set ntp-server2 {ipv4-address}
                set ntp-server3 {ipv4-address}
                set ntp-service [local|default|...]
                config options
                    Description: DHCP options.
                    edit <id>
                        set code {integer}
                        set ip {user}
                        set type [hex|string|...]
                        set value {string}
                    next
                end
                set status [disable|enable]
                set switch-id {string}
            next
        end
        config system-interface
            Description: Configure system interface on FortiSwitch.
            edit <name>
                set allowaccess {option1}, {option2}, ...
                set interface {string}
                set ip {ipv4-classnet-host}
                set mode [static|dhcp]
                set status [disable|enable]
                set switch-id {string}
                set type [vlan|physical]
                set vlan {string}
                set vrf {string}
            next
        end
        set tdr-supported {string}
        set tunnel-discovered {integer}
        set type [virtual|physical]
        set version {integer}
        config vlan
            Description: Configure VLAN assignment priority.
            edit <vlan-name>
                set assignment-priority {integer}
            next
        end
    next
end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

description

Description.

string

Maximum length: 63

dhcp-server-access-list

DHCP snooping server access list.

option

global

Option	Description
global	Use global setting for DHCP snooping server access list.
enable	Override global setting and enable DHCP server access list.
disable	Override global setting and disable DHCP server access list.

directly-connected

Directly connected FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 1

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

dynamically-discovered

Dynamically discovered FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 1

firmware-provision

Enable/disable provisioning of firmware to FortiSwitches on join connection.

option

disable

Option	Description
enable	Enable firmware-provision.
disable	Disable firmware-provision.

firmware-provision-latest

Enable/disable one-time automatic provisioning of the latest firmware version.

option

disable

Option	Description
disable	Do not automatically provision the latest available firmware.
once	Automatically attempt a one-time upgrade to the latest available firmware version.

firmware-provision-version

Firmware version to provision to this FortiSwitch on bootup (major.minor.build, i.e. 6.2.1234).

string

Maximum length: 35

flow-identity

Flow-tracking netflow ipfix switch identity in hex format(00000000-FFFFFFFF default=0).

user

Not Specified

00000000

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

discovered

Option	Description
discovered	Link waiting to be authorized.
disable	Link unauthorized.
enable	Link authorized.

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

l3-discovered

Layer 3 management discovered. Read-only.

integer

Minimum value: 0 Maximum value: 1

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

max-poe-budget

Max PoE budget for FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 65535

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

enable

Option	Description
enable	Enable MCLAG IGMP-snooping awareness.
disable	Disable MCLAG IGMP-snooping awareness.

mgmt-mode

FortiLink management mode.

integer

Minimum value: 0 Maximum value: 255

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

disable

Option	Description
enable	Override the global SNMP communities.
disable	Use the global SNMP communities.

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

disable

Option	Description
disable	Use the global SNMP system information.
enable	Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

disable

Option	Description
enable	Override the global SNMP trap threshold values.
disable	Use the global SNMP trap threshold values.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

disable

Option	Description
enable	Override the global SNMPv3 users.
disable	Use the global SNMPv3 users.

owner-vdom

VDOM which owner of port belongs to.

string

Maximum length: 31

poe-detection-type

PoE detection type for FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 255

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

disable

Option	Description
enable	Enable PoE pre-standard detection.
disable	Disable PoE pre-standard detection.

port-selection-criteria *

Algorithm for aggregate port selection.

option

src-dst-ip

Option	Description
src-mac	Source MAC address.
dst-mac	Destination MAC address.
src-dst-mac	Source and destination MAC address.
src-ip	Source IP address.
dst-ip	Destination IP address.
src-dst-ip	Source and destination IP address.

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

ptp-profile

PTP profile configuration.

string

Maximum length: 63

default

ptp-status

Enable/disable PTP profile on this FortiSwitch.

option

disable

Option	Description
disable	Disable PTP profile.
enable	Enable PTP profile.

purdue-level

Purdue Level of this FortiSwitch.

option

Option	Description
1	Level 1 - Basic Control
1.5	Level 1.5
2	Level 2 - Area Supervisory Control
2.5	Level 2.5
3	Level 3 - Operations & Control
3.5	Level 3.5
4	Level 4 - Business Planning & Logistics
5	Level 5 - Enterprise Network
5.5	Level 5.5

qos-drop-policy

Set QoS drop-policy.

option

taildrop

Option	Description
taildrop	Taildrop policy.
random-early-detection	Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

radius-nas-ip

NAS-IP address.

ipv4-address

Not Specified

0.0.0.0

radius-nas-ip-override

Use locally defined NAS-IP.

option

disable

Option	Description
disable	Disable radius-nas-ip-override.
enable	Enable radius-nas-ip-override.

route-offload

Enable/disable route offload on this FortiSwitch.

option

disable

Option	Description
disable	Disable route offload.
enable	Enable route offload.

route-offload-mclag

Enable/disable route offload MCLAG on this FortiSwitch.

option

disable

Option	Description
disable	Disable route offload MCLAG.
enable	Enable route offload MCLAG.

Managed-switch serial number.

string

Maximum length: 16

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

switch-id

Managed-switch name.

string

Maximum length: 35

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

tdr-supported

TDR supported. Read-only.

string

Maximum length: 31

tunnel-discovered

SOCKS tunnel management discovered. Read-only.

integer

Minimum value: 0 Maximum value: 1

type

Indication of switch type, physical or virtual.

option

physical

Option	Description
virtual	Switch is of type virtual.
physical	Switch is of type physical.

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

* This parameter may not exist in some models.

config 802-1X-settings

Parameter

Description

Type

Size

Default

allow-mac-move *

Enable/disable MAC move (default = enable).

option

enable

Option	Description
disable	Disable MAC move.
enable	Enable MAC move.

link-down-auth

Authentication state to set if a link is down.

option

set-unauth

Option	Description
set-unauth	Interface set to unauth when down. Reauthentication is needed.
no-action	Interface reauthentication is not needed.

local-override

Enable to override global 802.1X settings on individual FortiSwitches.

option

disable

Option	Description
enable	Override global 802.1X settings.
disable	Use global 802.1X settings.

mab-entry-as *

Configure MAB MAC entry as static or dynamic (default = static).

option

static

Option	Description
static	MAB MAC entry as static.
dynamic	MAB MAC entry as dynamic.

mab-reauth

Enable or disable MAB reauthentication settings.

option

disable

Option	Description
disable	Disable MAB re-authentication setttings.
enable	Enable MAB re-authentication setttings.

mac-called-station-delimiter

MAC called station delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for called station.
hyphen	Use hyphen as delimiter for called station.
none	No delimiter for called station.
single-hyphen	Use single hyphen as delimiter for called station.

mac-calling-station-delimiter

MAC calling station delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for calling station.
hyphen	Use hyphen as delimiter for calling station.
none	No delimiter for calling station.
single-hyphen	Use single hyphen as delimiter for calling station.

mac-case

MAC case (default = lowercase).

option

lowercase

Option	Description
lowercase	Use lowercase MAC.
uppercase	Use uppercase MAC.

mac-password-delimiter

MAC authentication password delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for MAC auth password.
hyphen	Use hyphen as delimiter for MAC auth password.
none	No delimiter for MAC auth password.
single-hyphen	Use single hyphen as delimiter for MAC auth password.

mac-username-delimiter

MAC authentication username delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for MAC auth username.
hyphen	Use hyphen as delimiter for MAC auth username.
none	No delimiter for MAC auth username.
single-hyphen	Use single hyphen as delimiter for MAC auth username.

max-reauth-attempt

Maximum number of authentication attempts (0 - 15, default = 3).

integer

Minimum value: 0 Maximum value: 15

reauth-period

Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable).

integer

Minimum value: 0 Maximum value: 1440

tx-period

802.1X Tx period (seconds, default=30).

integer

Minimum value: 12 Maximum value: 60

* This parameter may not exist in some models.

config components

Parameter

Description

Type

Size

Default

admin-status

Managed-switch component admin-status.

option

disable

Option	Description
disable	Disable the component.
enable	Enable the component.

capability

Managed-switch feature capability list.

user

Not Specified

0x00000000000000000000000000000000

component-id

Managed-switch component id in stacking/chassis.

integer

Minimum value: 1 Maximum value: 10

description

Managed-switch component description.

string

Maximum length: 63

dynamically-discovered

Managed-switch component is dynamically discovered or not. Read-only.

integer

Minimum value: 0 Maximum value: 1

max-allowed-trunk-members

Managed-switch component maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

name

Managed-switch component name.

string

Maximum length: 63

poe-detection-type

Managed-switch component PoE detection type. Read-only.

integer

Minimum value: 0 Maximum value: 255

role

Managed-switch components role.

option

None

Option	Description
None	No Status.
Primary	HA Primary node.
Backup	HA Backup node.
Follower	Follower node.
Standalone	Standalone node.

serial-number

Managed-switch component serial number.

string

Maximum length: 16

status

Managed-switch component status. Read-only.

option

offline

Option	Description
offline	Operational down
online	Operational Up

sw-version

Managed-switch component software version.

string

Maximum length: 63

switch-id

Managed-switch component parent switch id. Read-only.

string

Maximum length: 35

type

Managed-switch component type.

option

stack-node

Option	Description
stack-node	Stacking node.
supervisor	Chassis supervisor module.
linecard	Chassis linecard module.

version

Managed-switch component version.

integer

Minimum value: 0 Maximum value: 255

config custom-command

Parameter	Description	Type	Size	Default
command-entry	List of FortiSwitch commands.	string	Maximum length: 35
command-name	Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command.	string	Maximum length: 35

config dhcp-snooping-static-client

Parameter	Description	Type	Size	Default
ip	Client static IP address.	ipv4-address	Not Specified	0.0.0.0
mac	Client MAC address.	mac-address	Not Specified	00:00:00:00:00:00
name	Client name.	string	Maximum length: 35
port	Interface name.	string	Maximum length: 15
vlan	VLAN name.	string	Maximum length: 15

config igmp-snooping

Parameter

Description

Type

Size

Default

aging-time

Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300).

integer

Minimum value: 15 Maximum value: 3600

300

flood-unknown-multicast

Enable/disable unknown multicast flooding.

option

disable

Option	Description
enable	Enable unknown multicast flooding.
disable	Disable unknown multicast flooding.

local-override

Enable/disable overriding the global IGMP snooping configuration.

option

disable

Option	Description
enable	Override the global IGMP snooping configuration.
disable	Use the global IGMP snooping configuration.

config vlans

Parameter

Description

Type

Size

Default

proxy

IGMP snooping proxy for the VLAN interface.

option

global

Option	Description
disable	Disable IGMP snooping proxy on VLAN interface.
enable	Enable IGMP snooping proxy on VLAN interface.
global	Use global setting for IGMP snooping proxy on VLAN interface.

querier

Enable/disable IGMP snooping querier for the VLAN interface.

option

disable

Option	Description
disable	Disable IGMP snooping querier on VLAN interface.
enable	Enable IGMP snooping querier on VLAN interface.

querier-addr

IGMP snooping querier address.

ipv4-address

Not Specified

0.0.0.0

version

IGMP snooping querying version.

integer

Minimum value: 2 Maximum value: 3

vlan-name

List of FortiSwitch VLANs.

string

Maximum length: 15

default

config ip-source-guard

Parameter	Description	Type	Size	Default
description	Description.	string	Maximum length: 63
port	Ingress interface to which source guard is bound.	string	Maximum length: 15

config binding-entry

Parameter	Description	Type	Size	Default
entry-name	Configure binding pair.	string	Maximum length: 16
ip	Source IP for this rule.	ipv4-address-any	Not Specified	0.0.0.0
mac	MAC address for this rule.	mac-address	Not Specified	00:00:00:00:00:00

config mirror

Parameter

Description

Type

Size

Default

dst

Destination port.

string

Maximum length: 63

name

Mirror name.

string

Maximum length: 63

src-egress <name>

Source egress interfaces.

Interface name.

string

Maximum length: 79

src-ingress <name>

Source ingress interfaces.

Interface name.

string

Maximum length: 79

status

Active/inactive mirror configuration.

option

inactive

Option	Description
active	Activate mirror configuration.
inactive	Deactivate mirror configuration.

switching-packet

Enable/disable switching functionality when mirroring.

option

disable

Option	Description
enable	Enable switching functionality when mirroring.
disable	Disable switching functionality when mirroring.

config ports

Parameter

Description

Type

Size

Default

access-mode

Access mode of the port.

option

static

Option	Description
dynamic	Dynamic mode.
nac	NAC mode.
static	Static mode.

acl-group <name>

ACL groups on this port.

ACL group name.

string

Maximum length: 79

aggregator-mode

LACP member select mode.

option

bandwidth

Option	Description
bandwidth	Member selection based on largest total bandwidth of links of similar speed.
count	Member selection based on largest count of similar link speed.

allow-arp-monitor

Enable/Disable allow ARP monitor.

option

disable

Option	Description
disable	Disable allow ARP monitor.
enable	Enable allow ARP monitor.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

allowed-vlans-all

Enable/disable all defined vlans on this port.

option

disable

Option	Description
enable	Enable all defined VLANs on this port.
disable	Disable all defined VLANs on this port.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

untrusted

Option	Description
untrusted	Untrusted dynamic ARP inspection.
trusted	Trusted dynamic ARP inspection.

authenticated-port

Peer to Peer Authenticated port. Read-only.

integer

Minimum value: 0 Maximum value: 1

bundle

Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.

option

disable

Option	Description
enable	Enable bundling.
disable	Disable bundling.

description

Description for port.

string

Maximum length: 63

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

disable

Option	Description
enable	Enable allowance of DHCP with option-82 on untrusted interface.
disable	Disable allowance of DHCP with option-82 on untrusted interface.

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

untrusted

Option	Description
untrusted	Untrusted DHCP snooping interface.
trusted	Trusted DHCP snooping interface.

discard-mode

Configure discard mode for port.

option

none

Option	Description
none	Discard disabled.
all-untagged	Discard all frames that are untagged.
all-tagged	Discard all frames that are tagged.

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

enable

Option	Description
enable	Enable this interface as an edge port.
disable	Disable this interface as an edge port.

eee-tx-idle-time *

Time in which the transmitter is in low power idle (LPI) before transitioning to the refresh state in microseconds (0 - 2560, default = 60).

integer

Minimum value: 0 Maximum value: 2560

eee-tx-wake-time *

Time for the transmitter to transition from low power idle (LPI) to its normal operating state in microseconds (0 - 2560, default = 30).

integer

Minimum value: 0 Maximum value: 2560

encrypted-port

Peer to Peer Encrypted port. Read-only.

integer

Minimum value: 0 Maximum value: 1

energy-efficient-ethernet *

Enable/disable energy efficient events.

option

disable

Option	Description
disable	Disable energy efficient ethernet.
enable	Enable energy efficient ethernet.

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

fallback-port

LACP fallback port.

string

Maximum length: 79

fec-capable

FEC capable.

integer

Minimum value: 0 Maximum value: 1

fec-state

State of forward error correction.

option

detect-by-module

Option	Description
disabled	Disable forward error correction.
cl74	Enable Clause 74 FC-FEC, which only applies to 25Gbps.
cl91	Enable Clause 91 RS-FEC, which only applies to 100Gbps.
detect-by-module	FEC supported by module.

fgt-peer-device-name

FGT peer device name. Read-only.

string

Maximum length: 35

fgt-peer-port-name

FGT peer port name. Read-only.

string

Maximum length: 15

fiber-port

Fiber-port. Read-only.

integer

Minimum value: 0 Maximum value: 1

flags

Port properties flags. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

flap-duration

Period over which flap events are calculated (seconds).

integer

Minimum value: 5 Maximum value: 300

flap-rate

Number of stage change events needed within flap-duration.

integer

Minimum value: 1 Maximum value: 30

flap-timeout

Flap guard disabling protection (min).

integer

Minimum value: 0 Maximum value: 120

flapguard

Enable/disable flap guard.

option

disable

Option	Description
enable	Enable FlapGuard for this port.
disable	Disable FlapGuard for this port.

flow-control

Flow control direction.

option

disable

Option	Description
disable	Disable flow control.
tx	Enable flow control for transmission pause control frames.
rx	Enable flow control for receive pause control frames.
both	Enable flow control for both transmission and receive pause control frames.

fortilink-port

FortiLink uplink port. Read-only.

integer

Minimum value: 0 Maximum value: 1

fortiswitch-acls <id>

ACLs on this port.

ACL ID.

integer

Minimum value: 0 Maximum value: 4294967295

igmp-snooping-flood-reports

Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.

option

disable

Option	Description
enable	Enable flooding of IGMP snooping reports to this interface.
disable	Disable flooding of IGMP snooping reports to this interface.

interface-tags <tag-name>

Tag(s) associated with the interface for various features including virtual port pool, dynamic port policy.

FortiSwitch port tag name when exported to a virtual port pool or matched to dynamic port policy.

string

Maximum length: 63

ip-source-guard

Enable/disable IP source guard.

option

disable

Option	Description
disable	Disable IP source guard.
enable	Enable IP source guard.

isl-local-trunk-name

ISL local trunk name. Read-only.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name. Read-only.

string

Maximum length: 35

isl-peer-device-sn

ISL peer device serial number. Read-only.

string

Maximum length: 16

isl-peer-port-name

ISL peer port name. Read-only.

string

Maximum length: 15

lacp-speed

End Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

learning-limit

Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).

integer

Minimum value: 0 Maximum value: 128

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

default-auto-isl

lldp-status

LLDP transmit and receive status.

option

tx-rx

Option	Description
disable	Disable LLDP TX and RX.
rx-only	Enable LLDP as RX only.
tx-only	Enable LLDP as TX only.
tx-rx	Enable LLDP TX and RX.

log-mac-event

Enable/disable logging for dynamic MAC address events.

option

disable

Option	Description
disable	Disable log MAC event for this interface.
enable	Enable log MAC event for this interface.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

disabled

Option	Description
enabled	Enable loop-guard on this interface.
disabled	Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout (0 - 120 min, default = 45).

integer

Minimum value: 0 Maximum value: 120

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

00:00:00:00:00:00

matched-dpp-intf-tags

Matched interface tags in the dynamic port policy.

string

Maximum length: 63

matched-dpp-policy

Matched child policy in the dynamic port policy.

string

Maximum length: 63

max-bundle

Maximum size of LAG bundle (1 - 24, default = 24).

integer

Minimum value: 1 Maximum value: 24

mcast-snooping-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

disable

Option	Description
enable	Enable flooding of IGMP snooping traffic to this interface.
disable	Disable flooding of IGMP snooping traffic to this interface.

mclag

Enable/disable multi-chassis link aggregation (MCLAG).

option

disable

Option	Description
enable	Enable MCLAG.
disable	Disable MCLAG.

mclag-icl-port

MCLAG-ICL port. Read-only.

integer

Minimum value: 0 Maximum value: 1

media-type

Media type. Read-only.

string

Maximum length: 31

member-withdrawal-behavior

Port behavior after it withdraws because of loss of control packets.

option

block

Option	Description
forward	Forward traffic.
block	Block traffic.

members <member-name>

Aggregated LAG bundle interfaces.

Interface name from available options.

string

Maximum length: 79

min-bundle

Minimum size of LAG bundle (1 - 24, default = 1).

integer

Minimum value: 1 Maximum value: 24

mode

LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.

option

static

Option	Description
static	Static aggregation, do not send and ignore any control messages.
lacp-passive	Passively use LACP to negotiate 802.3ad aggregation.
lacp-active	Actively use LACP to negotiate 802.3ad aggregation.

p2p-port

General peer to peer tunnel port. Read-only.

integer

Minimum value: 0 Maximum value: 1

packet-sample-rate

Packet sampling rate (0 - 99999 p/sec).

integer

Minimum value: 0 Maximum value: 99999

512

packet-sampler

Enable/disable packet sampling on this interface.

option

disabled

Option	Description
enabled	Enable packet sampling on this interface.
disabled	Disable packet sampling on this interface.

pause-meter

Configure ingress pause metering rate, in kbps (default = 0, disabled).

integer

Minimum value: 128 Maximum value: 2147483647

pause-meter-resume

Resume threshold for resuming traffic on ingress port.

option

50%

Option	Description
75%	Back pressure state won't be cleared until bucket count falls below 75% of pause threshold.
50%	Back pressure state won't be cleared until bucket count falls below 50% of pause threshold.
25%	Back pressure state won't be cleared until bucket count falls below 25% of pause threshold.

pd-capable

Powered device capable.

integer

Minimum value: 0 Maximum value: 1

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

poe-max-power

PoE maximum power. Read-only.

string

Maximum length: 35

poe-max-power-mode *

PoE maximum power mode.

option

class-based

Option	Description
class-based	Port will draw a maximum amount of power based on class.
30W	Port will be limited to draw a maximum of 30W.
60W	Port will be limited to draw a maximum of 60W.

poe-mode-bt-cabable

PoE mode IEEE 802.3BT capable.

integer

Minimum value: 0 Maximum value: 1

poe-port-mode

Configure PoE port mode.

option

ieee802-3at

Option	Description
ieee802-3af	IEEE802.3 AF.
ieee802-3at	IEEE802.3 AT.
ieee802-3bt	IEEE802.3 BT.

poe-port-power

Configure PoE port power.

option

normal

Option	Description
normal	Power not delivered during boot.
perpetual	Power delivered during soft reboot.
perpetual-fast	Early power delivered during cold boot.

poe-port-priority

Configure PoE port priority.

option

low-priority

Option	Description
critical-priority	Critical Priority.
high-priority	High Priority.
low-priority	Low Priority.
medium-priority	Medium Priority.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

disable

Option	Description
enable	Enable PoE pre-standard detection.
disable	Disable PoE pre-standard detection.

poe-standard

PoE standard supported. Read-only.

string

Maximum length: 63

poe-status

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

port-name

Switch port name.

string

Maximum length: 15

port-number

Port number. Read-only.

integer

Minimum value: 1 Maximum value: 64

port-owner

Switch port name.

string

Maximum length: 15

port-policy

Switch controller dynamic port policy from available options.

string

Maximum length: 63

port-prefix-type

Port prefix type. Read-only.

integer

Minimum value: 0 Maximum value: 1

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

port-selection-criteria

Algorithm for aggregate port selection.

option

src-dst-ip

Option	Description
src-mac	Source MAC address.
dst-mac	Destination MAC address.
src-dst-mac	Source and destination MAC address.
src-ip	Source IP address.
dst-ip	Destination IP address.
src-dst-ip	Source and destination IP address.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

ptp-status

Enable/disable PTP policy on this FortiSwitch port.

option

enable

Option	Description
disable	Disable PTP policy.
enable	Enable PTP policy.

qnq

802.1AD VLANs in the VDom.

string

Maximum length: 15

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

default

restricted-auth-port

Peer to Peer Restricted Authenticated port. Read-only.

integer

Minimum value: 0 Maximum value: 1

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

disabled

Option	Description
disabled	Disable inter-operability with rapid PVST on this interface.
enabled	Enable inter-operability with rapid PVST on this interface.

sample-direction

Packet sampling direction.

option

both

Option	Description
tx	Monitor transmitted traffic.
rx	Monitor received traffic.
both	Monitor transmitted and received traffic.

sflow-counter-interval

sFlow sampling counter polling interval in seconds (0 - 255).

integer

Minimum value: 0 Maximum value: 255

speed

Switch port speed; default and available settings depend on hardware.

option

auto

Option	Description
10half	10M half-duplex.
10full	10M full-duplex.
100half	100M half-duplex.
100full	100M full-duplex.
1000full	1G full-duplex
10000full	10G full-duplex
auto	Auto-negotiation.
1000auto	Auto-negotiation (1G full-duplex only).
1000full-fiber	1G full-duplex (fiber SFPs only)
40000full	40G full-duplex
detect-by-module	Detect by Module.
100FX-half	100Mbps half-duplex.100Base-FX.
100FX-full	100Mbps full-duplex.100Base-FX.
100000full	100Gbps full-duplex.
2500auto	Auto-Negotiation (2.5Gbps Only).
2500full	2.5Gbps full-duplex.
25000full	25Gbps full-duplex.
50000full	50Gbps full-duplex.
10000cr	10Gbps copper interface.
10000sr	10Gbps SFI interface.
100000sr4	100Gbps SFI interface.
100000cr4	100Gbps copper interface.
40000sr4	40Gbps SFI interface.
40000cr4	40Gbps copper interface.
40000auto	Auto-Negotiation (40Gbps Only).
25000cr	25Gbps copper interface.
25000sr	25Gbps SFI interface.
50000cr	50Gbps copper interface.
50000sr	50Gbps SFI interface.
5000auto	5Gbps full-duplex.
sgmii-auto	Auto-negotiation in SGMII mode.

stacking-port

Stacking port. Read-only.

integer

Minimum value: 0 Maximum value: 1

status

Switch port admin status: up or down.

option

Option	Description
up	Set admin status up.
down	Set admin status down.

sticky-mac

Enable or disable sticky-mac on the interface.

option

disable

Option	Description
enable	Enable sticky mac on the interface.
disable	Disable sticky mac on the interface.

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

default

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

disabled

Option	Description
enabled	Enable STP BPDU guard on this interface.
disabled	Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection (0 - 120 min).

integer

Minimum value: 0 Maximum value: 120

stp-root-guard

Enable/disable STP root guard on this interface.

option

disabled

Option	Description
enabled	Enable STP root-guard on this interface.
disabled	Disable STP root-guard on this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

enabled

Option	Description
enabled	Enable STP on this interface.
disabled	Disable STP on this interface.

switch-id

Switch id. Read-only.

string

Maximum length: 35

type

Interface type: physical or trunk port.

option

physical

Option	Description
physical	Physical port.
trunk	Trunk port.

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

* This parameter may not exist in some models.

config dhcp-snoop-option82-override

Parameter	Description	Type	Size
circuit-id	Circuit ID string.	string	Maximum length: 254
remote-id	Remote ID string.	string	Maximum length: 254
vlan-name	DHCP snooping option 82 VLAN.	string	Maximum length: 15

config remote-log

Parameter

Description

Type

Size

Default

csv

Enable/disable comma-separated value (CSV) strings.

option

disable

Option	Description
enable	Enable comma-separated value (CSV) strings.
disable	Disable comma-separated value (CSV) strings.

facility

Facility to log to remote syslog server.

option

local7

Option	Description
kernel	Kernel messages.
user	Random user-level messages.
mail	Mail system.
daemon	System daemons.
auth	Security/authorization messages.
syslog	Messages generated internally by syslogd.
lpr	Line printer subsystem.
news	Network news subsystem.
uucp	UUCP server messages.
cron	Clock daemon.
authpriv	Security/authorization messages (private).
ftp	FTP daemon.
ntp	NTP daemon.
audit	Log audit.
alert	Log alert.
clock	Clock daemon.
local0	Reserved for local use.
local1	Reserved for local use.
local2	Reserved for local use.
local3	Reserved for local use.
local4	Reserved for local use.
local5	Reserved for local use.
local6	Reserved for local use.
local7	Reserved for local use.

name

Remote log name.

string

Maximum length: 35

port

Remote syslog server listening port.

integer

Minimum value: 0 Maximum value: 65535

514

server

IPv4 address of the remote syslog server.

string

Maximum length: 63

severity

Severity of logs to be transferred to remote log server.

option

information

Option	Description
emergency	Emergency level.
alert	Alert level.
critical	Critical level.
error	Error level.
warning	Warning level.
notification	Notification level.
information	Information level.
debug	Debug level.

status

Enable/disable logging by FortiSwitch device to a remote syslog server.

option

disable

Option	Description
enable	Enable logging by FortiSwitch device to a remote syslog server.
disable	Disable logging by FortiSwitch device to a remote syslog server.

config route-offload-router

Parameter	Description	Type	Size	Default
router-ip	Router IP address.	ipv4-address	Not Specified	0.0.0.0
vlan-name	VLAN name.	string	Maximum length: 15

config router-static

Parameter

Description

Type

Size

Default

blackhole

Enable/disable blackhole on this route.

option

disable

Option	Description
disable	Disable blackhole on this route.
enable	Enable blackhole on this route.

comment

Comment.

string

Maximum length: 63

device

Gateway out interface.

string

Maximum length: 35

distance

Administrative distance for the route (1 - 255, default = 10).

integer

Minimum value: 1 Maximum value: 255

dst

Destination ip and mask for this route.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

dynamic-gateway

Enable/disable dynamic gateway.

option

disable

Option	Description
disable	Disable dynamic gateway on this route.
enable	Disable dynamic gateway on this route.

gateway

Gateway ip for this route.

ipv4-address

Not Specified

0.0.0.0

Entry sequence number.

integer

Minimum value: 0 Maximum value: 4294967295

status

Enable/disable route status.

option

enable

Option	Description
disable	Disable route status.
enable	Enable route status.

switch-id

Switch ID.

string

Maximum length: 35

vrf

VRF for this route.

string

Maximum length: 35

config router-vrf

Parameter	Description	Type	Size	Default
name	VRF entry name.	string	Maximum length: 35
switch-id	Switch ID.	string	Maximum length: 35
vrfid	VRF ID.	integer	Minimum value: 0 Maximum value: 1023	0

config snmp-community

Parameter

Description

Type

Size

Default

events

SNMP notifications (traps) to send.

option

cpu-high mem-low log-full intf-ip ent-conf-change l2mac

Option	Description
cpu-high	Send a trap when CPU usage too high.
mem-low	Send a trap when available memory is low.
log-full	Send a trap when log disk space becomes low.
intf-ip	Send a trap when an interface IP address is changed.
ent-conf-change	Send a trap when an entity MIB change occurs (RFC4133).
l2mac	Send a trap for Learning event (add/delete/movefrom/moveto).

SNMP community ID.

integer

Minimum value: 0 Maximum value: 4294967295

name

SNMP community name.

string

Maximum length: 35

query-v1-port

SNMP v1 query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

query-v1-status

Enable/disable SNMP v1 queries.

option

enable

Option	Description
disable	Disable SNMP v1 queries.
enable	Enable SNMP v1 queries.

query-v2c-port

SNMP v2c query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

query-v2c-status

Enable/disable SNMP v2c queries.

option

enable

Option	Description
disable	Disable SNMP v2c queries.
enable	Enable SNMP v2c queries.

status

Enable/disable this SNMP community.

option

enable

Option	Description
disable	Disable SNMP community.
enable	Enable SNMP community.

trap-v1-lport

SNMP v2c trap local port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-rport

SNMP v2c trap remote port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-status

Enable/disable SNMP v1 traps.

option

enable

Option	Description
disable	Disable SNMP v1 traps.
enable	Enable SNMP v1 traps.

trap-v2c-lport

SNMP v2c trap local port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-rport

SNMP v2c trap remote port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-status

Enable/disable SNMP v2c traps.

option

enable

Option	Description
disable	Disable SNMP v2c traps.
enable	Enable SNMP v2c traps.

config hosts

Parameter	Description	Type	Size	Default
id	Host entry ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	IPv4 address of the SNMP manager (host).	user	Not Specified

config snmp-sysinfo

Parameter

Description

Type

Size

Default

contact-info

Contact information.

string

Maximum length: 35

description

System description.

string

Maximum length: 35

engine-id

Local SNMP engine ID string (max 24 char).

string

Maximum length: 24

location

System location.

string

Maximum length: 35

status

Enable/disable SNMP.

option

disable

Option	Description
disable	Disable SNMP.
enable	Enable SNMP.

config snmp-trap-threshold

Parameter	Description	Type	Size	Default
trap-high-cpu-threshold	CPU usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	80
trap-log-full-threshold	Log disk usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	90
trap-low-memory-threshold	Memory usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	80

config snmp-user

Parameter

Description

Type

Size

Default

auth-proto

Authentication protocol.

option

sha256

Option	Description
md5	HMAC-MD5-96 authentication protocol.
sha1	HMAC-SHA-1 authentication protocol.
sha224	HMAC-SHA-224 authentication protocol.
sha256	HMAC-SHA-256 authentication protocol.
sha384	HMAC-SHA-384 authentication protocol.
sha512	HMAC-SHA-512 authentication protocol.

auth-pwd

Password for authentication protocol.

password

Not Specified

name

SNMP user name.

string

Maximum length: 32

priv-proto

Privacy (encryption) protocol.

option

aes128

Option	Description
aes128	CFB128-AES-128 symmetric encryption protocol.
aes192	CFB128-AES-192 symmetric encryption protocol.
aes192c	CFB128-AES-192-C symmetric encryption protocol.
aes256	CFB128-AES-256 symmetric encryption protocol.
aes256c	CFB128-AES-256-C symmetric encryption protocol.
des	CBC-DES symmetric encryption protocol.

priv-pwd

Password for privacy (encryption) protocol.

password

Not Specified

queries

Enable/disable SNMP queries for this user.

option

enable

Option	Description
disable	Disable SNMP queries for this user.
enable	Enable SNMP queries for this user.

query-port

SNMPv3 query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

security-level

Security level for message authentication and encryption.

option

no-auth-no-priv

Option	Description
no-auth-no-priv	Message with no authentication and no privacy (encryption).
auth-no-priv	Message with authentication but no privacy (encryption).
auth-priv	Message with authentication and privacy (encryption).

config static-mac

Parameter

Description

Type

Size

Default

description

Description.

string

Maximum length: 63

ID.

integer

Minimum value: 0 Maximum value: 4294967295

interface

Interface name.

string

Maximum length: 35

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

type

Type.

option

static

Option	Description
static	Static MAC.
sticky	Sticky MAC.

vlan

Vlan.

string

Maximum length: 15

config storm-control

Parameter

Description

Type

Size

Default

broadcast

Enable/disable storm control to drop broadcast traffic.

option

disable

Option	Description
enable	Drop broadcast traffic.
disable	Allow broadcast traffic.

burst-size-level

Increase level to handle bursty traffic (0 - 4, default = 0).

integer

Minimum value: 0 Maximum value: 4

local-override

Enable to override global FortiSwitch storm control settings for this FortiSwitch.

option

disable

Option	Description
enable	Override global storm control settings.
disable	Use global storm control settings.

rate

Rate in packets per second at which storm control drops excess traffic(0-10000000, default=500, drop-all=0).

integer

Minimum value: 0 Maximum value: 10000000

500

unknown-multicast

Enable/disable storm control to drop unknown multicast traffic.

option

disable

Option	Description
enable	Drop unknown multicast traffic.
disable	Allow unknown multicast traffic.

unknown-unicast

Enable/disable storm control to drop unknown unicast traffic.

option

disable

Option	Description
enable	Drop unknown unicast traffic.
disable	Allow unknown unicast traffic.

config stp-instance

Parameter

Description

Type

Size

Default

Instance ID.

string

Maximum length: 2

priority

Priority.

option

32768

Option	Description
0	0.
4096	4096.
8192	8192.
12288	12288.
16384	16384.
20480	20480.
24576	24576.
28672	28672.
32768	32768.
36864	36864.
40960	40960.
45056	45056.
49152	49152.
53248	53248.
57344	57344.
61440	61440.

config stp-settings

Parameter

Description

Type

Size

Default

forward-time

Period of time a port is in listening and learning state (4 - 30 sec, default = 15).

integer

Minimum value: 4 Maximum value: 30

hello-time

Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2).

integer

Minimum value: 1 Maximum value: 10

local-override

Enable to configure local STP settings that override global STP settings.

option

disable

Option	Description
enable	Override global STP settings.
disable	Use global STP settings.

max-age

Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20).

integer

Minimum value: 6 Maximum value: 40

max-hops

Maximum number of hops between the root bridge and the furthest bridge (1- 40, default = 20).

integer

Minimum value: 1 Maximum value: 40

name

Name of local STP settings configuration.

string

Maximum length: 31

pending-timer

Pending time (1 - 15 sec, default = 4).

integer

Minimum value: 1 Maximum value: 15

revision

STP revision number (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

config switch-log

Parameter

Description

Type

Size

Default

local-override

Enable to configure local logging settings that override global logging settings.

option

disable

Option	Description
enable	Override global logging settings.
disable	Use global logging settings.

severity

Severity of FortiSwitch logs that are added to the FortiGate event log.

option

notification

Option	Description
emergency	Emergency level.
alert	Alert level.
critical	Critical level.
error	Error level.
warning	Warning level.
notification	Notification level.
information	Information level.
debug	Debug level.

status

Enable/disable adding FortiSwitch logs to the FortiGate event log.

option

enable

Option	Description
enable	Add FortiSwitch logs to the FortiGate event log.
disable	Do not add FortiSwitch logs to the FortiGate event log.

config system-dhcp-server

Parameter

Description

Type

Size

Default

default-gateway

Default gateway IP address assigned by the DHCP server.

ipv4-address

Not Specified

0.0.0.0

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-server3

DNS server 3.

ipv4-address

Not Specified

0.0.0.0

dns-service

Options for assigning DNS servers to DHCP clients.

option

specify

Option	Description
local	IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.
default	Clients are assigned the FortiGate's configured DNS servers.
specify	Specify up to 3 DNS servers in the DHCP server configuration.

ID.

integer

Minimum value: 0 Maximum value: 4294967295

interface

DHCP server can assign IP configurations to clients connected to this interface.

string

Maximum length: 15

lease-time

Lease time in seconds, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 4294967295

604800

netmask

Netmask assigned by the DHCP server.

ipv4-netmask

Not Specified

0.0.0.0

ntp-server1

NTP server 1.

ipv4-address

Not Specified

0.0.0.0

ntp-server2

NTP server 2.

ipv4-address

Not Specified

0.0.0.0

ntp-server3

NTP server 3.

ipv4-address

Not Specified

0.0.0.0

ntp-service

Options for assigning Network Time Protocol (NTP) servers to DHCP clients.

option

specify

Option	Description
local	IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default	Clients are assigned the FortiGate's configured NTP servers.
specify	Specify up to 3 NTP servers in the DHCP server configuration.

status

Enable/disable this DHCP configuration.

option

enable

Option	Description
disable	Do not use this DHCP server configuration.
enable	Use this DHCP server configuration.

switch-id

Switch ID.

string

Maximum length: 35

config ip-range

Parameter	Description	Type	Size	Default
end-ip	End of IP range.	ipv4-address	Not Specified	0.0.0.0
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
start-ip	Start of IP range.	ipv4-address	Not Specified	0.0.0.0

config options

Parameter

Description

Type

Size

Default

code

DHCP option code.

integer

Minimum value: 0 Maximum value: 255

ID.

integer

Minimum value: 0 Maximum value: 4294967295

DHCP option IPs.

user

Not Specified

type

DHCP option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP option value.

string

Maximum length: 312

config system-interface

Parameter

Description

Type

Size

Default

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING.
https	HTTPS.
http	HTTP.
ssh	SSH.
snmp	SNMP.
telnet	TELNET.
radius-acct	RADIUS ACCOUNTING.

interface

Interface name.

string

Maximum length: 63

IP and mask for this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mode

Interface addressing mode.

option

static

Option	Description
static	static addressing mode.
dhcp	DHCP addressing mode.

name

Interface name.

string

Maximum length: 15

status

Enable/disable interface status.

option

enable

Option	Description
disable	Disable interface.
enable	Enable interface.

switch-id

Switch ID.

string

Maximum length: 35

type

Interface type.

option

vlan

Option	Description
vlan	VLAN interface.
physical	Physical interface.

vlan

VLAN name.

string

Maximum length: 15

vrf

VRF for this route.

string

Maximum length: 63

config vlan

Parameter	Description	Type	Size	Default
assignment-priority	802.1x Radius (Tunnel-Private-Group-Id) VLANID assign-by-name priority. A smaller value has a higher priority.	integer	Minimum value: 1 Maximum value: 255	128
vlan-name	VLAN name.	string	Maximum length: 15

config switch-controller managed-switch

Configure FortiSwitch devices that are managed by this FortiGate.

config switch-controller managed-switch
    Description: Configure FortiSwitch devices that are managed by this FortiGate.
    edit <switch-id>
        config 802-1X-settings
            Description: Configuration method to edit FortiSwitch 802.1X global settings.
            set allow-mac-move [disable|enable]
            set link-down-auth [set-unauth|no-action]
            set local-override [enable|disable]
            set mab-entry-as [static|dynamic]
            set mab-reauth [disable|enable]
            set mac-called-station-delimiter [colon|hyphen|...]
            set mac-calling-station-delimiter [colon|hyphen|...]
            set mac-case [lowercase|uppercase]
            set mac-password-delimiter [colon|hyphen|...]
            set mac-username-delimiter [colon|hyphen|...]
            set max-reauth-attempt {integer}
            set reauth-period {integer}
            set tx-period {integer}
        end
        set access-profile {string}
        config components
            Description: Managed-switch component list.
            edit <name>
                set admin-status [disable|enable]
                set capability {user}
                set component-id {integer}
                set description {string}
                set dynamically-discovered {integer}
                set max-allowed-trunk-members {integer}
                set poe-detection-type {integer}
                set role [None|Primary|...]
                set serial-number {string}
                set status [offline|online]
                set sw-version {string}
                set switch-id {string}
                set type [stack-node|supervisor|...]
                set version {integer}
            next
        end
        config custom-command
            Description: Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
            edit <command-entry>
                set command-name {string}
            next
        end
        set delayed-restart-trigger {integer}
        set description {string}
        set dhcp-server-access-list [global|enable|...]
        config dhcp-snooping-static-client
            Description: Configure FortiSwitch DHCP snooping static clients.
            edit <name>
                set ip {ipv4-address}
                set mac {mac-address}
                set port {string}
                set vlan {string}
            next
        end
        set directly-connected {integer}
        set dynamic-capability {user}
        set dynamically-discovered {integer}
        set firmware-provision [enable|disable]
        set firmware-provision-latest [disable|once]
        set firmware-provision-version {string}
        set flow-identity {user}
        set fsw-wan1-admin [discovered|disable|...]
        set fsw-wan1-peer {string}
        config igmp-snooping
            Description: Configure FortiSwitch IGMP snooping global settings.
            set aging-time {integer}
            set flood-unknown-multicast [enable|disable]
            set local-override [enable|disable]
            config vlans
                Description: Configure IGMP snooping VLAN.
                edit <vlan-name>
                    set proxy [disable|enable|...]
                    set querier [disable|enable]
                    set querier-addr {ipv4-address}
                    set version {integer}
                next
            end
        end
        config ip-source-guard
            Description: IP source guard.
            edit <port>
                config binding-entry
                    Description: IP and MAC address configuration.
                    edit <entry-name>
                        set ip {ipv4-address-any}
                        set mac {mac-address}
                    next
                end
                set description {string}
            next
        end
        set l3-discovered {integer}
        set max-allowed-trunk-members {integer}
        set max-poe-budget {integer}
        set mclag-igmp-snooping-aware [enable|disable]
        set mgmt-mode {integer}
        config mirror
            Description: Configuration method to edit FortiSwitch packet mirror.
            edit <name>
                set dst {string}
                set src-egress <name1>, <name2>, ...
                set src-ingress <name1>, <name2>, ...
                set status [active|inactive]
                set switching-packet [enable|disable]
            next
        end
        set override-snmp-community [enable|disable]
        set override-snmp-sysinfo [disable|enable]
        set override-snmp-trap-threshold [enable|disable]
        set override-snmp-user [enable|disable]
        set owner-vdom {string}
        set poe-detection-type {integer}
        set poe-pre-standard-detection [enable|disable]
        set port-selection-criteria [src-mac|dst-mac|...]
        config ports
            Description: Managed-switch port list.
            edit <port-name>
                set access-mode [dynamic|nac|...]
                set acl-group <name1>, <name2>, ...
                set aggregator-mode [bandwidth|count]
                set allow-arp-monitor [disable|enable]
                set allowed-vlans <vlan-name1>, <vlan-name2>, ...
                set allowed-vlans-all [enable|disable]
                set arp-inspection-trust [untrusted|trusted]
                set authenticated-port {integer}
                set bundle [enable|disable]
                set description {string}
                config dhcp-snoop-option82-override
                    Description: Configure DHCP snooping option 82 override.
                    edit <vlan-name>
                        set circuit-id {string}
                        set remote-id {string}
                    next
                end
                set dhcp-snoop-option82-trust [enable|disable]
                set dhcp-snooping [untrusted|trusted]
                set discard-mode [none|all-untagged|...]
                set edge-port [enable|disable]
                set eee-tx-idle-time {integer}
                set eee-tx-wake-time {integer}
                set encrypted-port {integer}
                set energy-efficient-ethernet [disable|enable]
                set export-to {string}
                set export-to-pool {string}
                set fallback-port {string}
                set fec-capable {integer}
                set fec-state [disabled|cl74|...]
                set fgt-peer-device-name {string}
                set fgt-peer-port-name {string}
                set fiber-port {integer}
                set flags {integer}
                set flap-duration {integer}
                set flap-rate {integer}
                set flap-timeout {integer}
                set flapguard [enable|disable]
                set flow-control [disable|tx|...]
                set fortilink-port {integer}
                set fortiswitch-acls <id1>, <id2>, ...
                set igmp-snooping-flood-reports [enable|disable]
                set interface-tags <tag-name1>, <tag-name2>, ...
                set ip-source-guard [disable|enable]
                set isl-local-trunk-name {string}
                set isl-peer-device-name {string}
                set isl-peer-device-sn {string}
                set isl-peer-port-name {string}
                set lacp-speed [slow|fast]
                set learning-limit {integer}
                set lldp-profile {string}
                set lldp-status [disable|rx-only|...]
                set log-mac-event [disable|enable]
                set loop-guard [enabled|disabled]
                set loop-guard-timeout {integer}
                set mac-addr {mac-address}
                set matched-dpp-intf-tags {string}
                set matched-dpp-policy {string}
                set max-bundle {integer}
                set mcast-snooping-flood-traffic [enable|disable]
                set mclag [enable|disable]
                set mclag-icl-port {integer}
                set media-type {string}
                set member-withdrawal-behavior [forward|block]
                set members <member-name1>, <member-name2>, ...
                set min-bundle {integer}
                set mode [static|lacp-passive|...]
                set p2p-port {integer}
                set packet-sample-rate {integer}
                set packet-sampler [enabled|disabled]
                set pause-meter {integer}
                set pause-meter-resume [75%|50%|...]
                set pd-capable {integer}
                set poe-capable {integer}
                set poe-max-power {string}
                set poe-max-power-mode [class-based|30W|...]
                set poe-mode-bt-cabable {integer}
                set poe-port-mode [ieee802-3af|ieee802-3at|...]
                set poe-port-power [normal|perpetual|...]
                set poe-port-priority [critical-priority|high-priority|...]
                set poe-pre-standard-detection [enable|disable]
                set poe-standard {string}
                set poe-status [enable|disable]
                set port-number {integer}
                set port-owner {string}
                set port-policy {string}
                set port-prefix-type {integer}
                set port-security-policy {string}
                set port-selection-criteria [src-mac|dst-mac|...]
                set ptp-policy {string}
                set ptp-status [disable|enable]
                set qnq {string}
                set qos-policy {string}
                set restricted-auth-port {integer}
                set rpvst-port [disabled|enabled]
                set sample-direction [tx|rx|...]
                set sflow-counter-interval {integer}
                set speed [10half|10full|...]
                set stacking-port {integer}
                set status [up|down]
                set sticky-mac [enable|disable]
                set storm-control-policy {string}
                set stp-bpdu-guard [enabled|disabled]
                set stp-bpdu-guard-timeout {integer}
                set stp-root-guard [enabled|disabled]
                set stp-state [enabled|disabled]
                set switch-id {string}
                set type [physical|trunk]
                set untagged-vlans <vlan-name1>, <vlan-name2>, ...
                set vlan {string}
            next
        end
        set pre-provisioned {integer}
        set ptp-profile {string}
        set ptp-status [disable|enable]
        set purdue-level [1|1.5|...]
        set qos-drop-policy [taildrop|random-early-detection]
        set qos-red-probability {integer}
        set radius-nas-ip {ipv4-address}
        set radius-nas-ip-override [disable|enable]
        config remote-log
            Description: Configure logging by FortiSwitch device to a remote syslog server.
            edit <name>
                set csv [enable|disable]
                set facility [kernel|user|...]
                set port {integer}
                set server {string}
                set severity [emergency|alert|...]
                set status [enable|disable]
            next
        end
        set route-offload [disable|enable]
        set route-offload-mclag [disable|enable]
        config route-offload-router
            Description: Configure route offload MCLAG IP address.
            edit <vlan-name>
                set router-ip {ipv4-address}
            next
        end
        config router-static
            Description: Configure static routes.
            edit <id>
                set blackhole [disable|enable]
                set comment {string}
                set device {string}
                set distance {integer}
                set dst {ipv4-classnet}
                set dynamic-gateway [disable|enable]
                set gateway {ipv4-address}
                set status [disable|enable]
                set switch-id {string}
                set vrf {string}
            next
        end
        config router-vrf
            Description: Configure VRF.
            edit <name>
                set switch-id {string}
                set vrfid {integer}
            next
        end
        set sn {string}
        config snmp-community
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) communities.
            edit <id>
                set events {option1}, {option2}, ...
                config hosts
                    Description: Configure IPv4 SNMP managers (hosts).
                    edit <id>
                        set ip {user}
                    next
                end
                set name {string}
                set query-v1-port {integer}
                set query-v1-status [disable|enable]
                set query-v2c-port {integer}
                set query-v2c-status [disable|enable]
                set status [disable|enable]
                set trap-v1-lport {integer}
                set trap-v1-rport {integer}
                set trap-v1-status [disable|enable]
                set trap-v2c-lport {integer}
                set trap-v2c-rport {integer}
                set trap-v2c-status [disable|enable]
            next
        end
        config snmp-sysinfo
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) system info.
            set contact-info {string}
            set description {string}
            set engine-id {string}
            set location {string}
            set status [disable|enable]
        end
        config snmp-trap-threshold
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) trap threshold values.
            set trap-high-cpu-threshold {integer}
            set trap-log-full-threshold {integer}
            set trap-low-memory-threshold {integer}
        end
        config snmp-user
            Description: Configuration method to edit Simple Network Management Protocol (SNMP) users.
            edit <name>
                set auth-proto [md5|sha1|...]
                set auth-pwd {password}
                set priv-proto [aes128|aes192|...]
                set priv-pwd {password}
                set queries [disable|enable]
                set query-port {integer}
                set security-level [no-auth-no-priv|auth-no-priv|...]
            next
        end
        set staged-image-version {string}
        config static-mac
            Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
            edit <id>
                set description {string}
                set interface {string}
                set mac {mac-address}
                set type [static|sticky]
                set vlan {string}
            next
        end
        config storm-control
            Description: Configuration method to edit FortiSwitch storm control for measuring traffic activity using data rates to prevent traffic disruption.
            set broadcast [enable|disable]
            set burst-size-level {integer}
            set local-override [enable|disable]
            set rate {integer}
            set unknown-multicast [enable|disable]
            set unknown-unicast [enable|disable]
        end
        config stp-instance
            Description: Configuration method to edit Spanning Tree Protocol (STP) instances.
            edit <id>
                set priority [0|4096|...]
            next
        end
        config stp-settings
            Description: Configuration method to edit Spanning Tree Protocol (STP) settings used to prevent bridge loops.
            set forward-time {integer}
            set hello-time {integer}
            set local-override [enable|disable]
            set max-age {integer}
            set max-hops {integer}
            set name {string}
            set pending-timer {integer}
            set revision {integer}
        end
        set switch-device-tag {string}
        set switch-dhcp_opt43_key {string}
        config switch-log
            Description: Configuration method to edit FortiSwitch logging settings (logs are transferred to and inserted into the FortiGate event log).
            set local-override [enable|disable]
            set severity [emergency|alert|...]
            set status [enable|disable]
        end
        set switch-profile {string}
        config system-dhcp-server
            Description: Configure DHCP servers.
            edit <id>
                set default-gateway {ipv4-address}
                set dns-server1 {ipv4-address}
                set dns-server2 {ipv4-address}
                set dns-server3 {ipv4-address}
                set dns-service [local|default|...]
                set interface {string}
                config ip-range
                    Description: DHCP IP range configuration.
                    edit <id>
                        set end-ip {ipv4-address}
                        set start-ip {ipv4-address}
                    next
                end
                set lease-time {integer}
                set netmask {ipv4-netmask}
                set ntp-server1 {ipv4-address}
                set ntp-server2 {ipv4-address}
                set ntp-server3 {ipv4-address}
                set ntp-service [local|default|...]
                config options
                    Description: DHCP options.
                    edit <id>
                        set code {integer}
                        set ip {user}
                        set type [hex|string|...]
                        set value {string}
                    next
                end
                set status [disable|enable]
                set switch-id {string}
            next
        end
        config system-interface
            Description: Configure system interface on FortiSwitch.
            edit <name>
                set allowaccess {option1}, {option2}, ...
                set interface {string}
                set ip {ipv4-classnet-host}
                set mode [static|dhcp]
                set status [disable|enable]
                set switch-id {string}
                set type [vlan|physical]
                set vlan {string}
                set vrf {string}
            next
        end
        set tdr-supported {string}
        set tunnel-discovered {integer}
        set type [virtual|physical]
        set version {integer}
        config vlan
            Description: Configure VLAN assignment priority.
            edit <vlan-name>
                set assignment-priority {integer}
            next
        end
    next
end

config switch-controller managed-switch

Parameter

Description

Type

Size

Default

access-profile

FortiSwitch access profile.

string

Maximum length: 31

default

delayed-restart-trigger

Delayed restart triggered for this FortiSwitch.

integer

Minimum value: 0 Maximum value: 255

description

Description.

string

Maximum length: 63

dhcp-server-access-list

DHCP snooping server access list.

option

global

Option	Description
global	Use global setting for DHCP snooping server access list.
enable	Override global setting and enable DHCP server access list.
disable	Override global setting and disable DHCP server access list.

directly-connected

Directly connected FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 1

dynamic-capability

List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device.

user

Not Specified

0x00000000000000000000000000000000

dynamically-discovered

Dynamically discovered FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 1

firmware-provision

Enable/disable provisioning of firmware to FortiSwitches on join connection.

option

disable

Option	Description
enable	Enable firmware-provision.
disable	Disable firmware-provision.

firmware-provision-latest

Enable/disable one-time automatic provisioning of the latest firmware version.

option

disable

Option	Description
disable	Do not automatically provision the latest available firmware.
once	Automatically attempt a one-time upgrade to the latest available firmware version.

firmware-provision-version

Firmware version to provision to this FortiSwitch on bootup (major.minor.build, i.e. 6.2.1234).

string

Maximum length: 35

flow-identity

Flow-tracking netflow ipfix switch identity in hex format(00000000-FFFFFFFF default=0).

user

Not Specified

00000000

fsw-wan1-admin

FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.

option

discovered

Option	Description
discovered	Link waiting to be authorized.
disable	Link unauthorized.
enable	Link authorized.

fsw-wan1-peer

FortiSwitch WAN1 peer port.

string

Maximum length: 35

l3-discovered

Layer 3 management discovered. Read-only.

integer

Minimum value: 0 Maximum value: 1

max-allowed-trunk-members

FortiSwitch maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

max-poe-budget

Max PoE budget for FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 65535

mclag-igmp-snooping-aware

Enable/disable MCLAG IGMP-snooping awareness.

option

enable

Option	Description
enable	Enable MCLAG IGMP-snooping awareness.
disable	Disable MCLAG IGMP-snooping awareness.

mgmt-mode

FortiLink management mode.

integer

Minimum value: 0 Maximum value: 255

override-snmp-community

Enable/disable overriding the global SNMP communities.

option

disable

Option	Description
enable	Override the global SNMP communities.
disable	Use the global SNMP communities.

override-snmp-sysinfo

Enable/disable overriding the global SNMP system information.

option

disable

Option	Description
disable	Use the global SNMP system information.
enable	Override the global SNMP system information.

override-snmp-trap-threshold

Enable/disable overriding the global SNMP trap threshold values.

option

disable

Option	Description
enable	Override the global SNMP trap threshold values.
disable	Use the global SNMP trap threshold values.

override-snmp-user

Enable/disable overriding the global SNMP users.

option

disable

Option	Description
enable	Override the global SNMPv3 users.
disable	Use the global SNMPv3 users.

owner-vdom

VDOM which owner of port belongs to.

string

Maximum length: 31

poe-detection-type

PoE detection type for FortiSwitch. Read-only.

integer

Minimum value: 0 Maximum value: 255

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

disable

Option	Description
enable	Enable PoE pre-standard detection.
disable	Disable PoE pre-standard detection.

port-selection-criteria *

Algorithm for aggregate port selection.

option

src-dst-ip

Option	Description
src-mac	Source MAC address.
dst-mac	Destination MAC address.
src-dst-mac	Source and destination MAC address.
src-ip	Source IP address.
dst-ip	Destination IP address.
src-dst-ip	Source and destination IP address.

pre-provisioned

Pre-provisioned managed switch.

integer

Minimum value: 0 Maximum value: 255

ptp-profile

PTP profile configuration.

string

Maximum length: 63

default

ptp-status

Enable/disable PTP profile on this FortiSwitch.

option

disable

Option	Description
disable	Disable PTP profile.
enable	Enable PTP profile.

purdue-level

Purdue Level of this FortiSwitch.

option

Option	Description
1	Level 1 - Basic Control
1.5	Level 1.5
2	Level 2 - Area Supervisory Control
2.5	Level 2.5
3	Level 3 - Operations & Control
3.5	Level 3.5
4	Level 4 - Business Planning & Logistics
5	Level 5 - Enterprise Network
5.5	Level 5.5

qos-drop-policy

Set QoS drop-policy.

option

taildrop

Option	Description
taildrop	Taildrop policy.
random-early-detection	Random early detection drop policy.

qos-red-probability

Set QoS RED/WRED drop probability.

integer

Minimum value: 0 Maximum value: 100

radius-nas-ip

NAS-IP address.

ipv4-address

Not Specified

0.0.0.0

radius-nas-ip-override

Use locally defined NAS-IP.

option

disable

Option	Description
disable	Disable radius-nas-ip-override.
enable	Enable radius-nas-ip-override.

route-offload

Enable/disable route offload on this FortiSwitch.

option

disable

Option	Description
disable	Disable route offload.
enable	Enable route offload.

route-offload-mclag

Enable/disable route offload MCLAG on this FortiSwitch.

option

disable

Option	Description
disable	Disable route offload MCLAG.
enable	Enable route offload MCLAG.

Managed-switch serial number.

string

Maximum length: 16

staged-image-version

Staged image version for FortiSwitch.

string

Maximum length: 127

switch-device-tag

User definable label/tag.

string

Maximum length: 32

switch-dhcp_opt43_key

DHCP option43 key.

string

Maximum length: 63

switch-id

Managed-switch name.

string

Maximum length: 35

switch-profile

FortiSwitch profile.

string

Maximum length: 35

default

tdr-supported

TDR supported. Read-only.

string

Maximum length: 31

tunnel-discovered

SOCKS tunnel management discovered. Read-only.

integer

Minimum value: 0 Maximum value: 1

type

Indication of switch type, physical or virtual.

option

physical

Option	Description
virtual	Switch is of type virtual.
physical	Switch is of type physical.

version

FortiSwitch version.

integer

Minimum value: 0 Maximum value: 255

* This parameter may not exist in some models.

config 802-1X-settings

Parameter

Description

Type

Size

Default

allow-mac-move *

Enable/disable MAC move (default = enable).

option

enable

Option	Description
disable	Disable MAC move.
enable	Enable MAC move.

link-down-auth

Authentication state to set if a link is down.

option

set-unauth

Option	Description
set-unauth	Interface set to unauth when down. Reauthentication is needed.
no-action	Interface reauthentication is not needed.

local-override

Enable to override global 802.1X settings on individual FortiSwitches.

option

disable

Option	Description
enable	Override global 802.1X settings.
disable	Use global 802.1X settings.

mab-entry-as *

Configure MAB MAC entry as static or dynamic (default = static).

option

static

Option	Description
static	MAB MAC entry as static.
dynamic	MAB MAC entry as dynamic.

mab-reauth

Enable or disable MAB reauthentication settings.

option

disable

Option	Description
disable	Disable MAB re-authentication setttings.
enable	Enable MAB re-authentication setttings.

mac-called-station-delimiter

MAC called station delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for called station.
hyphen	Use hyphen as delimiter for called station.
none	No delimiter for called station.
single-hyphen	Use single hyphen as delimiter for called station.

mac-calling-station-delimiter

MAC calling station delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for calling station.
hyphen	Use hyphen as delimiter for calling station.
none	No delimiter for calling station.
single-hyphen	Use single hyphen as delimiter for calling station.

mac-case

MAC case (default = lowercase).

option

lowercase

Option	Description
lowercase	Use lowercase MAC.
uppercase	Use uppercase MAC.

mac-password-delimiter

MAC authentication password delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for MAC auth password.
hyphen	Use hyphen as delimiter for MAC auth password.
none	No delimiter for MAC auth password.
single-hyphen	Use single hyphen as delimiter for MAC auth password.

mac-username-delimiter

MAC authentication username delimiter (default = hyphen).

option

hyphen

Option	Description
colon	Use colon as delimiter for MAC auth username.
hyphen	Use hyphen as delimiter for MAC auth username.
none	No delimiter for MAC auth username.
single-hyphen	Use single hyphen as delimiter for MAC auth username.

max-reauth-attempt

Maximum number of authentication attempts (0 - 15, default = 3).

integer

Minimum value: 0 Maximum value: 15

reauth-period

Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable).

integer

Minimum value: 0 Maximum value: 1440

tx-period

802.1X Tx period (seconds, default=30).

integer

Minimum value: 12 Maximum value: 60

* This parameter may not exist in some models.

config components

Parameter

Description

Type

Size

Default

admin-status

Managed-switch component admin-status.

option

disable

Option	Description
disable	Disable the component.
enable	Enable the component.

capability

Managed-switch feature capability list.

user

Not Specified

0x00000000000000000000000000000000

component-id

Managed-switch component id in stacking/chassis.

integer

Minimum value: 1 Maximum value: 10

description

Managed-switch component description.

string

Maximum length: 63

dynamically-discovered

Managed-switch component is dynamically discovered or not. Read-only.

integer

Minimum value: 0 Maximum value: 1

max-allowed-trunk-members

Managed-switch component maximum allowed trunk members.

integer

Minimum value: 0 Maximum value: 255

name

Managed-switch component name.

string

Maximum length: 63

poe-detection-type

Managed-switch component PoE detection type. Read-only.

integer

Minimum value: 0 Maximum value: 255

role

Managed-switch components role.

option

None

Option	Description
None	No Status.
Primary	HA Primary node.
Backup	HA Backup node.
Follower	Follower node.
Standalone	Standalone node.

serial-number

Managed-switch component serial number.

string

Maximum length: 16

status

Managed-switch component status. Read-only.

option

offline

Option	Description
offline	Operational down
online	Operational Up

sw-version

Managed-switch component software version.

string

Maximum length: 63

switch-id

Managed-switch component parent switch id. Read-only.

string

Maximum length: 35

type

Managed-switch component type.

option

stack-node

Option	Description
stack-node	Stacking node.
supervisor	Chassis supervisor module.
linecard	Chassis linecard module.

version

Managed-switch component version.

integer

Minimum value: 0 Maximum value: 255

config custom-command

Parameter	Description	Type	Size	Default
command-entry	List of FortiSwitch commands.	string	Maximum length: 35
command-name	Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command.	string	Maximum length: 35

config dhcp-snooping-static-client

Parameter	Description	Type	Size	Default
ip	Client static IP address.	ipv4-address	Not Specified	0.0.0.0
mac	Client MAC address.	mac-address	Not Specified	00:00:00:00:00:00
name	Client name.	string	Maximum length: 35
port	Interface name.	string	Maximum length: 15
vlan	VLAN name.	string	Maximum length: 15

config igmp-snooping

Parameter

Description

Type

Size

Default

aging-time

Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300).

integer

Minimum value: 15 Maximum value: 3600

300

flood-unknown-multicast

Enable/disable unknown multicast flooding.

option

disable

Option	Description
enable	Enable unknown multicast flooding.
disable	Disable unknown multicast flooding.

local-override

Enable/disable overriding the global IGMP snooping configuration.

option

disable

Option	Description
enable	Override the global IGMP snooping configuration.
disable	Use the global IGMP snooping configuration.

config vlans

Parameter

Description

Type

Size

Default

proxy

IGMP snooping proxy for the VLAN interface.

option

global

Option	Description
disable	Disable IGMP snooping proxy on VLAN interface.
enable	Enable IGMP snooping proxy on VLAN interface.
global	Use global setting for IGMP snooping proxy on VLAN interface.

querier

Enable/disable IGMP snooping querier for the VLAN interface.

option

disable

Option	Description
disable	Disable IGMP snooping querier on VLAN interface.
enable	Enable IGMP snooping querier on VLAN interface.

querier-addr

IGMP snooping querier address.

ipv4-address

Not Specified

0.0.0.0

version

IGMP snooping querying version.

integer

Minimum value: 2 Maximum value: 3

vlan-name

List of FortiSwitch VLANs.

string

Maximum length: 15

default

config ip-source-guard

Parameter	Description	Type	Size	Default
description	Description.	string	Maximum length: 63
port	Ingress interface to which source guard is bound.	string	Maximum length: 15

config binding-entry

Parameter	Description	Type	Size	Default
entry-name	Configure binding pair.	string	Maximum length: 16
ip	Source IP for this rule.	ipv4-address-any	Not Specified	0.0.0.0
mac	MAC address for this rule.	mac-address	Not Specified	00:00:00:00:00:00

config mirror

Parameter

Description

Type

Size

Default

dst

Destination port.

string

Maximum length: 63

name

Mirror name.

string

Maximum length: 63

src-egress <name>

Source egress interfaces.

Interface name.

string

Maximum length: 79

src-ingress <name>

Source ingress interfaces.

Interface name.

string

Maximum length: 79

status

Active/inactive mirror configuration.

option

inactive

Option	Description
active	Activate mirror configuration.
inactive	Deactivate mirror configuration.

switching-packet

Enable/disable switching functionality when mirroring.

option

disable

Option	Description
enable	Enable switching functionality when mirroring.
disable	Disable switching functionality when mirroring.

config ports

Parameter

Description

Type

Size

Default

access-mode

Access mode of the port.

option

static

Option	Description
dynamic	Dynamic mode.
nac	NAC mode.
static	Static mode.

acl-group <name>

ACL groups on this port.

ACL group name.

string

Maximum length: 79

aggregator-mode

LACP member select mode.

option

bandwidth

Option	Description
bandwidth	Member selection based on largest total bandwidth of links of similar speed.
count	Member selection based on largest count of similar link speed.

allow-arp-monitor

Enable/Disable allow ARP monitor.

option

disable

Option	Description
disable	Disable allow ARP monitor.
enable	Enable allow ARP monitor.

allowed-vlans <vlan-name>

Configure switch port tagged VLANs.

VLAN name.

string

Maximum length: 79

allowed-vlans-all

Enable/disable all defined vlans on this port.

option

disable

Option	Description
enable	Enable all defined VLANs on this port.
disable	Disable all defined VLANs on this port.

arp-inspection-trust

Trusted or untrusted dynamic ARP inspection.

option

untrusted

Option	Description
untrusted	Untrusted dynamic ARP inspection.
trusted	Trusted dynamic ARP inspection.

authenticated-port

Peer to Peer Authenticated port. Read-only.

integer

Minimum value: 0 Maximum value: 1

bundle

Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.

option

disable

Option	Description
enable	Enable bundling.
disable	Disable bundling.

description

Description for port.

string

Maximum length: 63

dhcp-snoop-option82-trust

Enable/disable allowance of DHCP with option-82 on untrusted interface.

option

disable

Option	Description
enable	Enable allowance of DHCP with option-82 on untrusted interface.
disable	Disable allowance of DHCP with option-82 on untrusted interface.

dhcp-snooping

Trusted or untrusted DHCP-snooping interface.

option

untrusted

Option	Description
untrusted	Untrusted DHCP snooping interface.
trusted	Trusted DHCP snooping interface.

discard-mode

Configure discard mode for port.

option

none

Option	Description
none	Discard disabled.
all-untagged	Discard all frames that are untagged.
all-tagged	Discard all frames that are tagged.

edge-port

Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.

option

enable

Option	Description
enable	Enable this interface as an edge port.
disable	Disable this interface as an edge port.

eee-tx-idle-time *

Time in which the transmitter is in low power idle (LPI) before transitioning to the refresh state in microseconds (0 - 2560, default = 60).

integer

Minimum value: 0 Maximum value: 2560

eee-tx-wake-time *

Time for the transmitter to transition from low power idle (LPI) to its normal operating state in microseconds (0 - 2560, default = 30).

integer

Minimum value: 0 Maximum value: 2560

encrypted-port

Peer to Peer Encrypted port. Read-only.

integer

Minimum value: 0 Maximum value: 1

energy-efficient-ethernet *

Enable/disable energy efficient events.

option

disable

Option	Description
disable	Disable energy efficient ethernet.
enable	Enable energy efficient ethernet.

export-to

Export managed-switch port to a tenant VDOM.

string

Maximum length: 31

export-to-pool

Switch controller export port to pool-list.

string

Maximum length: 35

fallback-port

LACP fallback port.

string

Maximum length: 79

fec-capable

FEC capable.

integer

Minimum value: 0 Maximum value: 1

fec-state

State of forward error correction.

option

detect-by-module

Option	Description
disabled	Disable forward error correction.
cl74	Enable Clause 74 FC-FEC, which only applies to 25Gbps.
cl91	Enable Clause 91 RS-FEC, which only applies to 100Gbps.
detect-by-module	FEC supported by module.

fgt-peer-device-name

FGT peer device name. Read-only.

string

Maximum length: 35

fgt-peer-port-name

FGT peer port name. Read-only.

string

Maximum length: 15

fiber-port

Fiber-port. Read-only.

integer

Minimum value: 0 Maximum value: 1

flags

Port properties flags. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

flap-duration

Period over which flap events are calculated (seconds).

integer

Minimum value: 5 Maximum value: 300

flap-rate

Number of stage change events needed within flap-duration.

integer

Minimum value: 1 Maximum value: 30

flap-timeout

Flap guard disabling protection (min).

integer

Minimum value: 0 Maximum value: 120

flapguard

Enable/disable flap guard.

option

disable

Option	Description
enable	Enable FlapGuard for this port.
disable	Disable FlapGuard for this port.

flow-control

Flow control direction.

option

disable

Option	Description
disable	Disable flow control.
tx	Enable flow control for transmission pause control frames.
rx	Enable flow control for receive pause control frames.
both	Enable flow control for both transmission and receive pause control frames.

fortilink-port

FortiLink uplink port. Read-only.

integer

Minimum value: 0 Maximum value: 1

fortiswitch-acls <id>

ACLs on this port.

ACL ID.

integer

Minimum value: 0 Maximum value: 4294967295

igmp-snooping-flood-reports

Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.

option

disable

Option	Description
enable	Enable flooding of IGMP snooping reports to this interface.
disable	Disable flooding of IGMP snooping reports to this interface.

interface-tags <tag-name>

Tag(s) associated with the interface for various features including virtual port pool, dynamic port policy.

FortiSwitch port tag name when exported to a virtual port pool or matched to dynamic port policy.

string

Maximum length: 63

ip-source-guard

Enable/disable IP source guard.

option

disable

Option	Description
disable	Disable IP source guard.
enable	Enable IP source guard.

isl-local-trunk-name

ISL local trunk name. Read-only.

string

Maximum length: 15

isl-peer-device-name

ISL peer device name. Read-only.

string

Maximum length: 35

isl-peer-device-sn

ISL peer device serial number. Read-only.

string

Maximum length: 16

isl-peer-port-name

ISL peer port name. Read-only.

string

Maximum length: 15

lacp-speed

End Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

learning-limit

Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).

integer

Minimum value: 0 Maximum value: 128

lldp-profile

LLDP port TLV profile.

string

Maximum length: 63

default-auto-isl

lldp-status

LLDP transmit and receive status.

option

tx-rx

Option	Description
disable	Disable LLDP TX and RX.
rx-only	Enable LLDP as RX only.
tx-only	Enable LLDP as TX only.
tx-rx	Enable LLDP TX and RX.

log-mac-event

Enable/disable logging for dynamic MAC address events.

option

disable

Option	Description
disable	Disable log MAC event for this interface.
enable	Enable log MAC event for this interface.

loop-guard

Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.

option

disabled

Option	Description
enabled	Enable loop-guard on this interface.
disabled	Disable loop-guard on this interface.

loop-guard-timeout

Loop-guard timeout (0 - 120 min, default = 45).

integer

Minimum value: 0 Maximum value: 120

mac-addr

Port/Trunk MAC.

mac-address

Not Specified

00:00:00:00:00:00

matched-dpp-intf-tags

Matched interface tags in the dynamic port policy.

string

Maximum length: 63

matched-dpp-policy

Matched child policy in the dynamic port policy.

string

Maximum length: 63

max-bundle

Maximum size of LAG bundle (1 - 24, default = 24).

integer

Minimum value: 1 Maximum value: 24

mcast-snooping-flood-traffic

Enable/disable flooding of IGMP snooping traffic to this interface.

option

disable

Option	Description
enable	Enable flooding of IGMP snooping traffic to this interface.
disable	Disable flooding of IGMP snooping traffic to this interface.

mclag

Enable/disable multi-chassis link aggregation (MCLAG).

option

disable

Option	Description
enable	Enable MCLAG.
disable	Disable MCLAG.

mclag-icl-port

MCLAG-ICL port. Read-only.

integer

Minimum value: 0 Maximum value: 1

media-type

Media type. Read-only.

string

Maximum length: 31

member-withdrawal-behavior

Port behavior after it withdraws because of loss of control packets.

option

block

Option	Description
forward	Forward traffic.
block	Block traffic.

members <member-name>

Aggregated LAG bundle interfaces.

Interface name from available options.

string

Maximum length: 79

min-bundle

Minimum size of LAG bundle (1 - 24, default = 1).

integer

Minimum value: 1 Maximum value: 24

mode

LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.

option

static

Option	Description
static	Static aggregation, do not send and ignore any control messages.
lacp-passive	Passively use LACP to negotiate 802.3ad aggregation.
lacp-active	Actively use LACP to negotiate 802.3ad aggregation.

p2p-port

General peer to peer tunnel port. Read-only.

integer

Minimum value: 0 Maximum value: 1

packet-sample-rate

Packet sampling rate (0 - 99999 p/sec).

integer

Minimum value: 0 Maximum value: 99999

512

packet-sampler

Enable/disable packet sampling on this interface.

option

disabled

Option	Description
enabled	Enable packet sampling on this interface.
disabled	Disable packet sampling on this interface.

pause-meter

Configure ingress pause metering rate, in kbps (default = 0, disabled).

integer

Minimum value: 128 Maximum value: 2147483647

pause-meter-resume

Resume threshold for resuming traffic on ingress port.

option

50%

Option	Description
75%	Back pressure state won't be cleared until bucket count falls below 75% of pause threshold.
50%	Back pressure state won't be cleared until bucket count falls below 50% of pause threshold.
25%	Back pressure state won't be cleared until bucket count falls below 25% of pause threshold.

pd-capable

Powered device capable.

integer

Minimum value: 0 Maximum value: 1

poe-capable

PoE capable.

integer

Minimum value: 0 Maximum value: 1

poe-max-power

PoE maximum power. Read-only.

string

Maximum length: 35

poe-max-power-mode *

PoE maximum power mode.

option

class-based

Option	Description
class-based	Port will draw a maximum amount of power based on class.
30W	Port will be limited to draw a maximum of 30W.
60W	Port will be limited to draw a maximum of 60W.

poe-mode-bt-cabable

PoE mode IEEE 802.3BT capable.

integer

Minimum value: 0 Maximum value: 1

poe-port-mode

Configure PoE port mode.

option

ieee802-3at

Option	Description
ieee802-3af	IEEE802.3 AF.
ieee802-3at	IEEE802.3 AT.
ieee802-3bt	IEEE802.3 BT.

poe-port-power

Configure PoE port power.

option

normal

Option	Description
normal	Power not delivered during boot.
perpetual	Power delivered during soft reboot.
perpetual-fast	Early power delivered during cold boot.

poe-port-priority

Configure PoE port priority.

option

low-priority

Option	Description
critical-priority	Critical Priority.
high-priority	High Priority.
low-priority	Low Priority.
medium-priority	Medium Priority.

poe-pre-standard-detection

Enable/disable PoE pre-standard detection.

option

disable

Option	Description
enable	Enable PoE pre-standard detection.
disable	Disable PoE pre-standard detection.

poe-standard

PoE standard supported. Read-only.

string

Maximum length: 63

poe-status

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

port-name

Switch port name.

string

Maximum length: 15

port-number

Port number. Read-only.

integer

Minimum value: 1 Maximum value: 64

port-owner

Switch port name.

string

Maximum length: 15

port-policy

Switch controller dynamic port policy from available options.

string

Maximum length: 63

port-prefix-type

Port prefix type. Read-only.

integer

Minimum value: 0 Maximum value: 1

port-security-policy

Switch controller authentication policy to apply to this managed switch from available options.

string

Maximum length: 31

port-selection-criteria

Algorithm for aggregate port selection.

option

src-dst-ip

Option	Description
src-mac	Source MAC address.
dst-mac	Destination MAC address.
src-dst-mac	Source and destination MAC address.
src-ip	Source IP address.
dst-ip	Destination IP address.
src-dst-ip	Source and destination IP address.

ptp-policy

PTP policy configuration.

string

Maximum length: 63

default

ptp-status

Enable/disable PTP policy on this FortiSwitch port.

option

enable

Option	Description
disable	Disable PTP policy.
enable	Enable PTP policy.

qnq

802.1AD VLANs in the VDom.

string

Maximum length: 15

qos-policy

Switch controller QoS policy from available options.

string

Maximum length: 63

default

restricted-auth-port

Peer to Peer Restricted Authenticated port. Read-only.

integer

Minimum value: 0 Maximum value: 1

rpvst-port

Enable/disable inter-operability with rapid PVST on this interface.

option

disabled

Option	Description
disabled	Disable inter-operability with rapid PVST on this interface.
enabled	Enable inter-operability with rapid PVST on this interface.

sample-direction

Packet sampling direction.

option

both

Option	Description
tx	Monitor transmitted traffic.
rx	Monitor received traffic.
both	Monitor transmitted and received traffic.

sflow-counter-interval

sFlow sampling counter polling interval in seconds (0 - 255).

integer

Minimum value: 0 Maximum value: 255

speed

Switch port speed; default and available settings depend on hardware.

option

auto

Option	Description
10half	10M half-duplex.
10full	10M full-duplex.
100half	100M half-duplex.
100full	100M full-duplex.
1000full	1G full-duplex
10000full	10G full-duplex
auto	Auto-negotiation.
1000auto	Auto-negotiation (1G full-duplex only).
1000full-fiber	1G full-duplex (fiber SFPs only)
40000full	40G full-duplex
detect-by-module	Detect by Module.
100FX-half	100Mbps half-duplex.100Base-FX.
100FX-full	100Mbps full-duplex.100Base-FX.
100000full	100Gbps full-duplex.
2500auto	Auto-Negotiation (2.5Gbps Only).
2500full	2.5Gbps full-duplex.
25000full	25Gbps full-duplex.
50000full	50Gbps full-duplex.
10000cr	10Gbps copper interface.
10000sr	10Gbps SFI interface.
100000sr4	100Gbps SFI interface.
100000cr4	100Gbps copper interface.
40000sr4	40Gbps SFI interface.
40000cr4	40Gbps copper interface.
40000auto	Auto-Negotiation (40Gbps Only).
25000cr	25Gbps copper interface.
25000sr	25Gbps SFI interface.
50000cr	50Gbps copper interface.
50000sr	50Gbps SFI interface.
5000auto	5Gbps full-duplex.
sgmii-auto	Auto-negotiation in SGMII mode.

stacking-port

Stacking port. Read-only.

integer

Minimum value: 0 Maximum value: 1

status

Switch port admin status: up or down.

option

Option	Description
up	Set admin status up.
down	Set admin status down.

sticky-mac

Enable or disable sticky-mac on the interface.

option

disable

Option	Description
enable	Enable sticky mac on the interface.
disable	Disable sticky mac on the interface.

storm-control-policy

Switch controller storm control policy from available options.

string

Maximum length: 63

default

stp-bpdu-guard

Enable/disable STP BPDU guard on this interface.

option

disabled

Option	Description
enabled	Enable STP BPDU guard on this interface.
disabled	Disable STP BPDU guard on this interface.

stp-bpdu-guard-timeout

BPDU Guard disabling protection (0 - 120 min).

integer

Minimum value: 0 Maximum value: 120

stp-root-guard

Enable/disable STP root guard on this interface.

option

disabled

Option	Description
enabled	Enable STP root-guard on this interface.
disabled	Disable STP root-guard on this interface.

stp-state

Enable/disable Spanning Tree Protocol (STP) on this interface.

option

enabled

Option	Description
enabled	Enable STP on this interface.
disabled	Disable STP on this interface.

switch-id

Switch id. Read-only.

string

Maximum length: 35

type

Interface type: physical or trunk port.

option

physical

Option	Description
physical	Physical port.
trunk	Trunk port.

untagged-vlans <vlan-name>

Configure switch port untagged VLANs.

VLAN name.

string

Maximum length: 79

vlan

Assign switch ports to a VLAN.

string

Maximum length: 15

* This parameter may not exist in some models.

config dhcp-snoop-option82-override

Parameter	Description	Type	Size
circuit-id	Circuit ID string.	string	Maximum length: 254
remote-id	Remote ID string.	string	Maximum length: 254
vlan-name	DHCP snooping option 82 VLAN.	string	Maximum length: 15

config remote-log

Parameter

Description

Type

Size

Default

csv

Enable/disable comma-separated value (CSV) strings.

option

disable

Option	Description
enable	Enable comma-separated value (CSV) strings.
disable	Disable comma-separated value (CSV) strings.

facility

Facility to log to remote syslog server.

option

local7

Option	Description
kernel	Kernel messages.
user	Random user-level messages.
mail	Mail system.
daemon	System daemons.
auth	Security/authorization messages.
syslog	Messages generated internally by syslogd.
lpr	Line printer subsystem.
news	Network news subsystem.
uucp	UUCP server messages.
cron	Clock daemon.
authpriv	Security/authorization messages (private).
ftp	FTP daemon.
ntp	NTP daemon.
audit	Log audit.
alert	Log alert.
clock	Clock daemon.
local0	Reserved for local use.
local1	Reserved for local use.
local2	Reserved for local use.
local3	Reserved for local use.
local4	Reserved for local use.
local5	Reserved for local use.
local6	Reserved for local use.
local7	Reserved for local use.

name

Remote log name.

string

Maximum length: 35

port

Remote syslog server listening port.

integer

Minimum value: 0 Maximum value: 65535

514

server

IPv4 address of the remote syslog server.

string

Maximum length: 63

severity

Severity of logs to be transferred to remote log server.

option

information

Option	Description
emergency	Emergency level.
alert	Alert level.
critical	Critical level.
error	Error level.
warning	Warning level.
notification	Notification level.
information	Information level.
debug	Debug level.

status

Enable/disable logging by FortiSwitch device to a remote syslog server.

option

disable

Option	Description
enable	Enable logging by FortiSwitch device to a remote syslog server.
disable	Disable logging by FortiSwitch device to a remote syslog server.

config route-offload-router

Parameter	Description	Type	Size	Default
router-ip	Router IP address.	ipv4-address	Not Specified	0.0.0.0
vlan-name	VLAN name.	string	Maximum length: 15

config router-static

Parameter

Description

Type

Size

Default

blackhole

Enable/disable blackhole on this route.

option

disable

Option	Description
disable	Disable blackhole on this route.
enable	Enable blackhole on this route.

comment

Comment.

string

Maximum length: 63

device

Gateway out interface.

string

Maximum length: 35

distance

Administrative distance for the route (1 - 255, default = 10).

integer

Minimum value: 1 Maximum value: 255

dst

Destination ip and mask for this route.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

dynamic-gateway

Enable/disable dynamic gateway.

option

disable

Option	Description
disable	Disable dynamic gateway on this route.
enable	Disable dynamic gateway on this route.

gateway

Gateway ip for this route.

ipv4-address

Not Specified

0.0.0.0

Entry sequence number.

integer

Minimum value: 0 Maximum value: 4294967295

status

Enable/disable route status.

option

enable

Option	Description
disable	Disable route status.
enable	Enable route status.

switch-id

Switch ID.

string

Maximum length: 35

vrf

VRF for this route.

string

Maximum length: 35

config router-vrf

Parameter	Description	Type	Size	Default
name	VRF entry name.	string	Maximum length: 35
switch-id	Switch ID.	string	Maximum length: 35
vrfid	VRF ID.	integer	Minimum value: 0 Maximum value: 1023	0

config snmp-community

Parameter

Description

Type

Size

Default

events

SNMP notifications (traps) to send.

option

cpu-high mem-low log-full intf-ip ent-conf-change l2mac

Option	Description
cpu-high	Send a trap when CPU usage too high.
mem-low	Send a trap when available memory is low.
log-full	Send a trap when log disk space becomes low.
intf-ip	Send a trap when an interface IP address is changed.
ent-conf-change	Send a trap when an entity MIB change occurs (RFC4133).
l2mac	Send a trap for Learning event (add/delete/movefrom/moveto).

SNMP community ID.

integer

Minimum value: 0 Maximum value: 4294967295

name

SNMP community name.

string

Maximum length: 35

query-v1-port

SNMP v1 query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

query-v1-status

Enable/disable SNMP v1 queries.

option

enable

Option	Description
disable	Disable SNMP v1 queries.
enable	Enable SNMP v1 queries.

query-v2c-port

SNMP v2c query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

query-v2c-status

Enable/disable SNMP v2c queries.

option

enable

Option	Description
disable	Disable SNMP v2c queries.
enable	Enable SNMP v2c queries.

status

Enable/disable this SNMP community.

option

enable

Option	Description
disable	Disable SNMP community.
enable	Enable SNMP community.

trap-v1-lport

SNMP v2c trap local port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-rport

SNMP v2c trap remote port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v1-status

Enable/disable SNMP v1 traps.

option

enable

Option	Description
disable	Disable SNMP v1 traps.
enable	Enable SNMP v1 traps.

trap-v2c-lport

SNMP v2c trap local port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-rport

SNMP v2c trap remote port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

162

trap-v2c-status

Enable/disable SNMP v2c traps.

option

enable

Option	Description
disable	Disable SNMP v2c traps.
enable	Enable SNMP v2c traps.

config hosts

Parameter	Description	Type	Size	Default
id	Host entry ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	IPv4 address of the SNMP manager (host).	user	Not Specified

config snmp-sysinfo

Parameter

Description

Type

Size

Default

contact-info

Contact information.

string

Maximum length: 35

description

System description.

string

Maximum length: 35

engine-id

Local SNMP engine ID string (max 24 char).

string

Maximum length: 24

location

System location.

string

Maximum length: 35

status

Enable/disable SNMP.

option

disable

Option	Description
disable	Disable SNMP.
enable	Enable SNMP.

config snmp-trap-threshold

Parameter	Description	Type	Size	Default
trap-high-cpu-threshold	CPU usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	80
trap-log-full-threshold	Log disk usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	90
trap-low-memory-threshold	Memory usage when trap is sent.	integer	Minimum value: 0 Maximum value: 4294967295	80

config snmp-user

Parameter

Description

Type

Size

Default

auth-proto

Authentication protocol.

option

sha256

Option	Description
md5	HMAC-MD5-96 authentication protocol.
sha1	HMAC-SHA-1 authentication protocol.
sha224	HMAC-SHA-224 authentication protocol.
sha256	HMAC-SHA-256 authentication protocol.
sha384	HMAC-SHA-384 authentication protocol.
sha512	HMAC-SHA-512 authentication protocol.

auth-pwd

Password for authentication protocol.

password

Not Specified

name

SNMP user name.

string

Maximum length: 32

priv-proto

Privacy (encryption) protocol.

option

aes128

Option	Description
aes128	CFB128-AES-128 symmetric encryption protocol.
aes192	CFB128-AES-192 symmetric encryption protocol.
aes192c	CFB128-AES-192-C symmetric encryption protocol.
aes256	CFB128-AES-256 symmetric encryption protocol.
aes256c	CFB128-AES-256-C symmetric encryption protocol.
des	CBC-DES symmetric encryption protocol.

priv-pwd

Password for privacy (encryption) protocol.

password

Not Specified

queries

Enable/disable SNMP queries for this user.

option

enable

Option	Description
disable	Disable SNMP queries for this user.
enable	Enable SNMP queries for this user.

query-port

SNMPv3 query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

161

security-level

Security level for message authentication and encryption.

option

no-auth-no-priv

Option	Description
no-auth-no-priv	Message with no authentication and no privacy (encryption).
auth-no-priv	Message with authentication but no privacy (encryption).
auth-priv	Message with authentication and privacy (encryption).

config static-mac

Parameter

Description

Type

Size

Default

description

Description.

string

Maximum length: 63

ID.

integer

Minimum value: 0 Maximum value: 4294967295

interface

Interface name.

string

Maximum length: 35

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

type

Type.

option

static

Option	Description
static	Static MAC.
sticky	Sticky MAC.

vlan

Vlan.

string

Maximum length: 15

config storm-control

Parameter

Description

Type

Size

Default

broadcast

Enable/disable storm control to drop broadcast traffic.

option

disable

Option	Description
enable	Drop broadcast traffic.
disable	Allow broadcast traffic.

burst-size-level

Increase level to handle bursty traffic (0 - 4, default = 0).

integer

Minimum value: 0 Maximum value: 4

local-override

Enable to override global FortiSwitch storm control settings for this FortiSwitch.

option

disable

Option	Description
enable	Override global storm control settings.
disable	Use global storm control settings.

rate

Rate in packets per second at which storm control drops excess traffic(0-10000000, default=500, drop-all=0).

integer

Minimum value: 0 Maximum value: 10000000

500

unknown-multicast

Enable/disable storm control to drop unknown multicast traffic.

option

disable

Option	Description
enable	Drop unknown multicast traffic.
disable	Allow unknown multicast traffic.

unknown-unicast

Enable/disable storm control to drop unknown unicast traffic.

option

disable

Option	Description
enable	Drop unknown unicast traffic.
disable	Allow unknown unicast traffic.

config stp-instance

Parameter

Description

Type

Size

Default

Instance ID.

string

Maximum length: 2

priority

Priority.

option

32768

Option	Description
0	0.
4096	4096.
8192	8192.
12288	12288.
16384	16384.
20480	20480.
24576	24576.
28672	28672.
32768	32768.
36864	36864.
40960	40960.
45056	45056.
49152	49152.
53248	53248.
57344	57344.
61440	61440.

config stp-settings

Parameter

Description

Type

Size

Default

forward-time

Period of time a port is in listening and learning state (4 - 30 sec, default = 15).

integer

Minimum value: 4 Maximum value: 30

hello-time

Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2).

integer

Minimum value: 1 Maximum value: 10

local-override

Enable to configure local STP settings that override global STP settings.

option

disable

Option	Description
enable	Override global STP settings.
disable	Use global STP settings.

max-age

Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20).

integer

Minimum value: 6 Maximum value: 40

max-hops

Maximum number of hops between the root bridge and the furthest bridge (1- 40, default = 20).

integer

Minimum value: 1 Maximum value: 40

name

Name of local STP settings configuration.

string

Maximum length: 31

pending-timer

Pending time (1 - 15 sec, default = 4).

integer

Minimum value: 1 Maximum value: 15

revision

STP revision number (0 - 65535).

integer

Minimum value: 0 Maximum value: 65535

config switch-log

Parameter

Description

Type

Size

Default

local-override

Enable to configure local logging settings that override global logging settings.

option

disable

Option	Description
enable	Override global logging settings.
disable	Use global logging settings.

severity

Severity of FortiSwitch logs that are added to the FortiGate event log.

option

notification

Option	Description
emergency	Emergency level.
alert	Alert level.
critical	Critical level.
error	Error level.
warning	Warning level.
notification	Notification level.
information	Information level.
debug	Debug level.

status

Enable/disable adding FortiSwitch logs to the FortiGate event log.

option

enable

Option	Description
enable	Add FortiSwitch logs to the FortiGate event log.
disable	Do not add FortiSwitch logs to the FortiGate event log.

config system-dhcp-server

Parameter

Description

Type

Size

Default

default-gateway

Default gateway IP address assigned by the DHCP server.

ipv4-address

Not Specified

0.0.0.0

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-server3

DNS server 3.

ipv4-address

Not Specified

0.0.0.0

dns-service

Options for assigning DNS servers to DHCP clients.

option

specify

Option	Description
local	IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.
default	Clients are assigned the FortiGate's configured DNS servers.
specify	Specify up to 3 DNS servers in the DHCP server configuration.

ID.

integer

Minimum value: 0 Maximum value: 4294967295

interface

DHCP server can assign IP configurations to clients connected to this interface.

string

Maximum length: 15

lease-time

Lease time in seconds, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 4294967295

604800

netmask

Netmask assigned by the DHCP server.

ipv4-netmask

Not Specified

0.0.0.0

ntp-server1

NTP server 1.

ipv4-address

Not Specified

0.0.0.0

ntp-server2

NTP server 2.

ipv4-address

Not Specified

0.0.0.0

ntp-server3

NTP server 3.

ipv4-address

Not Specified

0.0.0.0

ntp-service

Options for assigning Network Time Protocol (NTP) servers to DHCP clients.

option

specify

Option	Description
local	IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default	Clients are assigned the FortiGate's configured NTP servers.
specify	Specify up to 3 NTP servers in the DHCP server configuration.

status

Enable/disable this DHCP configuration.

option

enable

Option	Description
disable	Do not use this DHCP server configuration.
enable	Use this DHCP server configuration.

switch-id

Switch ID.

string

Maximum length: 35

config ip-range

Parameter	Description	Type	Size	Default
end-ip	End of IP range.	ipv4-address	Not Specified	0.0.0.0
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
start-ip	Start of IP range.	ipv4-address	Not Specified	0.0.0.0

config options

Parameter

Description

Type

Size

Default

code

DHCP option code.

integer

Minimum value: 0 Maximum value: 255

ID.

integer

Minimum value: 0 Maximum value: 4294967295

DHCP option IPs.

user

Not Specified

type

DHCP option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP option value.

string

Maximum length: 312

config system-interface

Parameter

Description

Type

Size

Default

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING.
https	HTTPS.
http	HTTP.
ssh	SSH.
snmp	SNMP.
telnet	TELNET.
radius-acct	RADIUS ACCOUNTING.

interface

Interface name.

string

Maximum length: 63

IP and mask for this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mode

Interface addressing mode.

option

static

Option	Description
static	static addressing mode.
dhcp	DHCP addressing mode.

name

Interface name.

string

Maximum length: 15

status

Enable/disable interface status.

option

enable

Option	Description
disable	Disable interface.
enable	Enable interface.

switch-id

Switch ID.

string

Maximum length: 35

type

Interface type.

option

vlan

Option	Description
vlan	VLAN interface.
physical	Physical interface.

vlan

VLAN name.

string

Maximum length: 15

vrf

VRF for this route.

string

Maximum length: 63

config vlan

Parameter	Description	Type	Size	Default
assignment-priority	802.1x Radius (Tunnel-Private-Group-Id) VLANID assign-by-name priority. A smaller value has a higher priority.	integer	Minimum value: 1 Maximum value: 255	128
vlan-name	VLAN name.	string	Maximum length: 15

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config switch-controller managed-switch

config switch-controller managed-switch

config switch-controller managed-switch

config 802-1X-settings

config components

config custom-command

config dhcp-snooping-static-client

config igmp-snooping

config vlans

config ip-source-guard

config binding-entry