
Administration Guide

How to get started

FortiSwitch Manager is offered as a virtual appliance. After you install a hypervisor of your choice, install the FortiSwitch Manager license as per your scale requirements. The FortiSwitch Manager license SKUs can be added together, so you can use more than one of the following available license SKUs:

FortiSwitch Manager subscription license | Description
FC1-10-SWMVM-258-01-DD | Subscription license for 10 FortiSwitch units managed by FortiSwitch Manager VM. 24x7 FortiCare support (for FSWM VM) included.
FC2-10-SWMVM-258-01-DD | Subscription license for 100 FortiSwitch units managed by FortiSwitch Manager VM. 24x7 FortiCare support (for FSWM VM) included.
FC3-10-SWMVM-258-01-DD | Subscription license for 1,000 FortiSwitch units managed by FortiSwitch Manager VM. 24x7 FortiCare support (for FSWM VM) included.

Your licenses control the maximum number of FortiSwitch units that you can manage; however, only authorized switches are counted by FortiSwitch Manager. Switches that have been discovered but not authorized yet do not count toward the maximum number of switches that can be managed.

To check how many FortiSwitch units can be managed:

diagnose debug vm-print-license

To check how many FortiSwitch units are managed:

execute switch-controller licensed-switches counts

In the command output, switches are in one of four states:

  • managed—Authorized switches are counted as managed. Deauthorizing a switch does not remove it from the count of managed switches.
  • reserved—Switches are included in the count of managed switches without being discovered or authorized. Reserving a place for a switch prevents another switch from taking that place in the count.
  • pending—A switch that is in the process of becoming managed or being deleted from the configuration. A pending switch is included in the count of managed switches.
  • locked-out—When a configuration has more authorized switches than are licensed, the system locks out some switches. Locked-out switches are not included in the count of managed switches.

To delete an authorized switch so that it is no longer included in the count of managed switches:

config switch-controller managed-switch

delete <FortiSwitch-serial-number>

end

To remove a FortiSwitch unit from being managed and to reserve space for a different FortiSwitch unit in the count of managed switches:

execute switch-controller licensed-switches swap <swap-out-FortiSwitch-serial-number> <swap-in-FortiSwitch-serial-number>

The command deletes <swap-out-FortiSwitch-serial-number> from the configuration and reserves a place for <swap-in-FortiSwitch-serial-number>.

Note: The swapped-out switch can still be re-discovered. If automatic authorization is enabled, the swapped-out switch is authorized again and counts against the license again.

In the following example, S108DV3A17000033 is deleted from the configuration, and S108DV3A17000034 is authorized and counted by FortiSwitch Manager:

execute switch-controller licensed-switches swap S108DV3A17000033 S108DV3A17000034

To list managed (authorized) switches and reserved switches:

execute switch-controller licensed-switches list managed

To list reserved switches:

execute switch-controller licensed-switches list reserved

To delete a reserved switch and remove it from the count of managed switches:

execute switch-controller licensed-switches delete-reserved <FortiSwitch-serial-number>
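The four slot states and the delete, swap and delete-reserved commands above interact in ways that are easy to get wrong when planning capacity. The following model is an added example written for this page, not Fortinet code: it encodes the counting rules the guide states (managed, reserved and pending switches consume a licensed slot; discovered-but-unauthorized and locked-out switches do not; deauthorizing keeps the slot, deleting frees it; a swap deletes one switch and reserves a slot for another). The class and method names, the rule that a reserved slot can only be claimed by its own serial number, and the serial numbers other than the guide's S108DV3A17000034 are this example's own assumptions.

```python
"""Model of FortiSwitch Manager license-slot accounting (added example, not Fortinet code)."""
from dataclasses import dataclass, field

# Licensed switch count per SKU, from the guide's table. SKUs are additive.
SKU_CAPACITY = {
    "FC1-10-SWMVM-258-01-DD": 10,
    "FC2-10-SWMVM-258-01-DD": 100,
    "FC3-10-SWMVM-258-01-DD": 1000,
}

SLOT_STATES = ("managed", "reserved", "pending", "locked-out")
COUNTED = {"managed", "reserved", "pending"}  # states that consume a licensed slot


@dataclass
class Switch:
    state: str              # one of SLOT_STATES, or "discovered" (no slot yet)
    authorized: bool = False


@dataclass
class LicensePool:
    skus: list
    switches: dict = field(default_factory=dict)  # serial -> Switch

    @property
    def capacity(self) -> int:
        return sum(SKU_CAPACITY[s] for s in self.skus)

    def counts(self) -> dict:
        """Mirror of 'execute switch-controller licensed-switches counts'."""
        out = {s: 0 for s in SLOT_STATES}
        for sw in self.switches.values():
            if sw.state in out:
                out[sw.state] += 1
        out["total"] = sum(out[s] for s in COUNTED)
        return out

    def discover(self, serial: str) -> None:
        # A discovered switch does not count until it is authorized.
        self.switches.setdefault(serial, Switch("discovered"))

    def authorize(self, serial: str) -> str:
        """Authorize a switch; returns the resulting slot state."""
        sw = self.switches.setdefault(serial, Switch("discovered"))
        if sw.state == "managed":
            return "managed"
        # Assumption: a reserved slot is claimed only by its own serial number.
        if sw.state == "reserved" or self.counts()["total"] < self.capacity:
            sw.state = "managed"
        else:
            sw.state = "locked-out"   # over-licensed: neither managed nor counted
        sw.authorized = sw.state == "managed"
        return sw.state

    def deauthorize(self, serial: str) -> None:
        # The switch stays in the configuration, so its slot stays consumed.
        self.switches[serial].authorized = False

    def delete(self, serial: str) -> None:
        # config switch-controller managed-switch / delete <serial>
        self.switches.pop(serial, None)

    def swap(self, out_serial: str, in_serial: str) -> None:
        # execute switch-controller licensed-switches swap <out> <in>
        self.delete(out_serial)
        self.switches[in_serial] = Switch("reserved")

    def delete_reserved(self, serial: str) -> None:
        # execute switch-controller licensed-switches delete-reserved <serial>
        if self.switches.get(serial, Switch("discovered")).state == "reserved":
            del self.switches[serial]


def walkthrough() -> dict:
    """Exercise the rules against a single 10-switch SKU; returns the final counts."""
    pool = LicensePool(["FC1-10-SWMVM-258-01-DD"])
    serials = [f"S108DV3A170000{n:02d}" for n in range(1, 12)]  # 11 constructed serials
    for s in serials:
        pool.discover(s)
    assert pool.counts()["total"] == 0                  # discovered only: nothing counted
    states = [pool.authorize(s) for s in serials]
    assert states.count("managed") == 10 and states[-1] == "locked-out"
    pool.deauthorize(serials[0])
    assert pool.counts()["total"] == 10                 # deauthorizing frees nothing
    pool.delete(serials[0])
    assert pool.counts()["total"] == 9                  # deleting does
    pool.swap(serials[1], "S108DV3A17000034")           # out: serials[1]; in: reserved
    assert pool.counts()["reserved"] == 1 and pool.counts()["total"] == 9
    assert pool.authorize("S108DV3A17000034") == "managed"
    return pool.counts()


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough is the check a practitioner should run in their head before a swap: the reserved slot is not free capacity, and the eleventh switch stays locked out until a slot is deleted, not merely deauthorized. Confirm the behaviour on a real unit with `execute switch-controller licensed-switches counts` before relying on this reading.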

Setting up FortiSwitch Manager

To set up FortiSwitch Manager, you need to configure the FortiSwitch Manager VM port1 and configure static routes. By default, port1 has the DHCP client enabled. If necessary, assign a fixed IP address and configure a default route.

The VM platform and hypervisor management environments include a guest console window. On FortiSwitch Manager, the guest console window provides access to the FortiSwitch Manager console. Before you can access the CLI using SSH/Telnet, you must configure the FortiSwitch Manager VM port1 with an IP address and administrative access. For example:

config system interface

edit "port1"

set ip 192.168.2.1 255.255.255.0

set allowaccess ping https ssh http telnet

next

end

Note that http and telnet send administrator credentials in cleartext. Enable only the protocols you need (for example, ping https ssh) unless port1 is on an isolated management network.
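A review of the interface configuration before it goes live catches both the typo class of error (an octet above 255 in the address) and the cleartext-protocol class. The linter below is an added example written for this page, not Fortinet code: it parses the plain config/edit/set/next/end syntax the guide uses for `config system interface` and reports interfaces with an invalid address or netmask or with http/telnet in `allowaccess`. The sample configuration is constructed for the example; port1 carries the weak settings, port2 the hardened equivalent.

```python
"""Lint FortiOS-style interface configuration (added example, not Fortinet code)."""
import ipaddress
import re

CLEARTEXT_PROTOCOLS = {"http", "telnet"}  # carry credentials unencrypted

# Constructed sample: port1 has an invalid address and cleartext protocols enabled.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.268.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface: {setting: [values]}} from a 'config system interface' block."""
    interfaces, current, in_block = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif not in_block or not line:
            continue
        elif line == "end":
            in_block, current = False, None
        elif line == "next":
            current = None
        elif (m := re.fullmatch(r'edit\s+"?([^"]+)"?', line)):
            current = m.group(1)
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.split()
            interfaces[current][key] = values
    return interfaces


def lint_interfaces(config: str) -> dict:
    """Return {interface: [finding, ...]} for every interface with a problem."""
    findings = {}
    for name, settings in parse_interfaces(config).items():
        problems = []
        ip = settings.get("ip", [])
        if ip:
            try:
                ipaddress.IPv4Address(ip[0])
            except ValueError:
                problems.append(f"invalid IPv4 address {ip[0]}")
            if len(ip) > 1:
                try:
                    ipaddress.IPv4Network(f"0.0.0.0/{ip[1]}")  # dotted netmask accepted
                except ValueError:
                    problems.append(f"invalid netmask {ip[1]}")
        weak = sorted(CLEARTEXT_PROTOCOLS & set(settings.get("allowaccess", [])))
        if weak:
            problems.append("cleartext management protocols enabled: " + ", ".join(weak))
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in lint_interfaces(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{iface}: {problem}")
```

Run it against the output of `show system interface` copied from the console; an empty result means every address parsed and no cleartext protocol is exposed.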

To configure static routes:

config router static

edit <ID>

set dst <router-subnet> <subnet-mask>

set gateway <router-IP-address>

set device "<FortiLink-interface>"

next

end

For example:

config router static

edit 2

set gateway 192.168.2.11

set device "port1"

next

end

Registering the FortiSwitch Manager license

You need the following to register the FortiSwitch Manager license:

  • An Internet connection is required for FortiSwitch Manager to contact FortiGuard to validate its license.
  • The UUID is required for registration. Use the following CLI command to obtain the UUID:

    diagnose hardware sysinfo vm

Installing the FortiSwitch Manager license

To upload the license file using the GUI:
  1. Go to Dashboard > Status.

  2. Click the Virtual Machine widget.

  3. Click FortiSwitch Manager VM License.

  4. Click Upload.

  5. After you upload the license file, click OK.

To upload the license file using the CLI (FTP and TFTP transfer the file unencrypted, so use them only on a trusted management network):

execute restore vmlicense {ftp | tftp} <file-name> <FTP-server>[:FTP-port]

For example:

execute restore vmlicense tftp license.lic 10.0.1.2

To check that the license is valid using the GUI:

Go to Dashboard > Status and hover over the license link in the Virtual Machine widget.

To check that the license status is valid using the CLI:

get system status

Configuring FortiLink

By default, port1 is the FortiLink interface. After the network connectivity is configured, FortiSwitch Manager is ready to manage FortiSwitch units.

Optionally, enable automatic FortiSwitch authorization:

  1. Go to Switch Controller > FortiLink Interface.

  2. Select the FortiLink interface and click Edit.

  3. Enable Automatically authorize devices.

  4. Click OK.

Setting up the FortiSwitch units

Starting with FortiSwitchOS 7.2.0, when using DHCP discovery, FortiSwitch units can automatically connect with FortiSwitch Manager, either with “internal” or “mgmt” ports, and the FortiSwitch units can then be authorized and managed. Additional FortiSwitch units connected to another FortiSwitch unit already managed by FortiSwitch Manager are also discovered and authorized.

If you are using an earlier version of FortiSwitchOS or if you are using static discovery, follow the procedures in this section.

You need to configure FortiSwitch units with the FortiSwitch Manager IP address to establish connectivity, and you need to configure the FortiSwitch units to use FortiLink mode over a layer-3 network.

To configure a FortiSwitch unit to operate in a layer-3 network (in-band management):

NOTE: You must enter these commands in the indicated order for this feature to work.

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode if you are using FortiSwitchOS 7.0.0 or earlier:

    config system global

    set switch-mgmt-mode fortilink

    end

  3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to find the IP address of the FortiSwitch Manager. The default ac-dhcp-option-code is 138.
    To use DHCP discovery:

    config switch-controller global

    set ac-discovery-type dhcp

    set ac-dhcp-option-code <integer>

    end

    To use static discovery:

    config switch-controller global

    set ac-discovery-type static

    config ac-list

    edit <id>

    set ipv4-address <IPv4-address>

    next

    end

    end

  4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network. NOTE: The uplink port cannot be assigned any VLANs.

    config switch interface

    edit <port-number>

    set fortilink-l3-mode enable

    next

    end

    The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.

  5. If you are going to configure another FortiSwitch unit that is connected to the FortiSwitch unit configured in steps 1-4, you only need to configure the discovery settings. You do not need to enable fortilink-l3-mode on the uplink port.

    To use DHCP discovery:

    config switch-controller global

    set ac-discovery-type dhcp

    set ac-dhcp-option-code <integer>

    end

    To use static discovery:

    config switch-controller global

    set ac-discovery-type static

    config ac-list

    edit <id>

    set ipv4-address <IPv4-address>

    next

    end

    end

To configure a FortiSwitch unit to operate in a layer-3 network (out-of-band management):
  1. Configure FortiSwitch Manager as the Network Time Protocol (NTP) server:

    config system ntp

    set allow-unsync-source enable

    config ntpserver

    edit <ID>

    set server "<FortiSwitch-Manager-IP-address>"

    next

    end

    set ntpsync enable

    end

    For example:

    config system ntp

    set allow-unsync-source enable

    config ntpserver

    edit 1

    set server "192.168.2.1"

    next

    end

    set ntpsync enable

    end

  2. Configure the management system interface.


    NOTE: You can use DHCP mode for the management system interface (set mode dhcp). If you do use DHCP mode, configuring NTP and the static route is not necessary.

    config system interface

    edit "mgmt"

    set ip <IP-address-netmask>

    set allowaccess ping https ssh

    set type physical

    next

    end

    For example:

    config system interface

    edit "mgmt"

    set ip 192.168.11.94 255.255.255.0

    set allowaccess ping https ssh

    set type physical

    next

    end

  3. Configure a static route:

    config router static

    edit <ID>

    set device "mgmt"

    set dst <destination-IP-address-netmask>

    set gateway <gateway-IP-address>

    next

    end

    For example:

    config router static

    edit 1

    set device "mgmt"

    set dst 0.0.0.0 0.0.0.0

    set gateway 192.168.11.1

    next

    end

  4. Configure the discovery setting for the FortiSwitch unit. You can either use static discovery or DHCP discovery to find the IP address of the FortiSwitch Manager. The default ac-dhcp-option-code is 138.
    To use static discovery:

    config switch-controller global

    set ac-discovery-type static

    config ac-list

    edit <id>

    set ipv4-address <IPv4-address>

    next

    end

    end

    To configure DHCP on the management interface:

    config system interface

    edit "mgmt"

    set mode dhcp

    set allowaccess ping https http ssh telnet

    set type physical

    next

    end

    To use DHCP discovery:

    config switch-controller global

    set ac-discovery-type dhcp

    set ac-dhcp-option-code <integer>

    end
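Both the in-band procedure (Step 3) and the out-of-band procedure (Step 4) rely on the DHCP server handing the FortiSwitch unit the controller address in DHCP option 138, the default ac-dhcp-option-code. The following is an added example written for this page, not Fortinet code: it builds and decodes that option so you can verify what your DHCP server actually sends. Assumptions: option 138 is encoded as in RFC 5417 (one-byte code, one-byte length, then one or more 4-byte IPv4 addresses), and the dnsmasq line uses dnsmasq's numeric dhcp-option syntax. The DHCP options blob is constructed here; 192.168.2.1 is the guide's example FortiSwitch Manager address.

```python
"""Encode and decode DHCP option 138, CAPWAP AC IPv4 address (added example, not Fortinet code)."""
import ipaddress

CAPWAP_AC_V4 = 138       # default FortiSwitch ac-dhcp-option-code
DHCP_MESSAGE_TYPE = 53
OPTION_PAD, OPTION_END = 0, 255


def encode_option_138(controllers) -> bytes:
    """TLV for option 138 carrying one or more controller addresses."""
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not payload:
        raise ValueError("at least one controller address is required")
    if len(payload) > 255:
        raise ValueError("option payload exceeds the one-byte length field")
    return bytes([CAPWAP_AC_V4, len(payload)]) + payload


def decode_options(blob: bytes) -> dict:
    """Walk a DHCP options field (after the magic cookie) into {code: value}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = options.get(code, b"") + value  # RFC 3396: repeats concatenate
        i += 2 + length
    return options


def controllers_from_option_138(value: bytes) -> list:
    """Validate and split an option 138 value into dotted-quad addresses."""
    if not value or len(value) % 4:
        raise ValueError("option 138 value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def dnsmasq_line(controllers) -> str:
    """Equivalent dnsmasq setting that hands the controller list to clients."""
    return "dhcp-option=138," + ",".join(str(ipaddress.IPv4Address(c)) for c in controllers)


def constructed_offer_options() -> bytes:
    """Constructed DHCP options field: message type ACK (5), option 138, end marker."""
    return (bytes([DHCP_MESSAGE_TYPE, 1, 5])
            + encode_option_138(["192.168.2.1"])
            + bytes([OPTION_END]))


if __name__ == "__main__":
    opts = decode_options(constructed_offer_options())
    print("controller(s):", controllers_from_option_138(opts[CAPWAP_AC_V4]))
    print(dnsmasq_line(["192.168.2.1"]))
```

DHCP is unauthenticated, so any host that can answer DHCP on the switch's uplink segment can hand out option 138 pointing at a controller it controls; combined with automatic authorization on the FortiLink interface this needs no further interaction. Where the network allows it, prefer static discovery (the ac-list) or protect the segment the switches boot on, and review the decoded option from a packet capture before trusting a newly discovered switch.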

Connecting additional FortiSwitch units to the first FortiSwitch unit

In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. For additional switches such as FortiSwitch 2, you only need to configure the discovery settings (see Step 3 of the in-band procedure). You do not need to enable fortilink-l3-mode on the uplink port. Check that each FortiSwitch unit can reach FortiSwitch Manager.

Using FortiSwitch Manager

Go to Dashboard > Status to see the current values for the following:

  • System information
  • Licenses
  • Allocated vCPUs and RAM
  • Administrators
  • CPU
  • Memory

Go to System > Fabric Management to see a list of managed FortiSwitch units, as well as the status, registration status, firmware version, and upgrade status for each.

How to authorize a FortiSwitch unit

Using the GUI:
  1. Go to System > Fabric Management.

  2. Select an unauthorized FortiSwitch unit.

  3. Click Authorize.

Using the CLI:

config switch-controller managed-switch

edit <FortiSwitch-serial-number>

set fsw-wan1-admin enable

next

end

Creating a switch group

Grouping switches makes it easier to manage a large number of switches. For example, a switch group can be all switches in a building, in a city, or in a business unit.

Using the GUI:
  1. Go to Switch Controller > Managed FortiSwitches.

  2. Click Create New > FortiSwitch Group.

  3. Enter a name for the switch group.

  4. Select the FortiLink interface.

  5. Click + and then select the switches to be grouped.

  6. Click Close to return to the New FortiSwitch Group page.

  7. Enter a description of the switch group.

  8. Click OK.

Using the CLI:

config switch-controller switch-group

edit <name-of-FortiSwitch-group>

set description <description-of-FortiSwitch-group>

set fortilink <name-of-FortiLink-interface>

set members <FortiSwitch-serial-number1>, <FortiSwitch-serial-number2>, ...

next

end
