
Additional capabilities



This chapter covers the following topics:

Execute custom FortiSwitch scripts

From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains generic FortiSwitch commands.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.

Create a custom script

Use the following syntax to create a custom script from the FortiGate unit:

config switch-controller custom-command

edit <cmd-name>

set command "<FortiSwitch_command>"

end

NOTE: You need to use %0a to indicate a return.

For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:

config switch-controller custom-command

edit "stp-age-10"

set command "config switch stp setting %0a set max-age 10 %0a end %0a"

end
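The %0a rule above is easy to get wrong by hand, and a script that is missing an end leaves the switch part-way through a configuration table. The following helper, added here as an example and not part of Fortinet's documentation or code, builds the `set command "..."` value from individual FortiSwitch lines, checks that config/end nesting balances, and decodes a stored value back into lines for review. Its validation rules and function names are assumptions of the example.

```python
"""Build the FortiGate custom-command block for a FortiSwitch script.

Added example, not Fortinet's code. It relies on two facts from the page:
the script body is one double-quoted `set command "..."` value, and each
line break inside it is written as %0a. The validation rules are this
helper's own assumptions.
"""
import re

_OPEN = re.compile(r"^config\b")   # opens a FortiSwitch config table
_CLOSE = re.compile(r"^end$")      # closes it


def encode_fortiswitch_script(lines):
    """Join FortiSwitch CLI lines into the %0a-separated form.

    Assumed checks: a raw newline or a double quote would break the
    single quoted value, so such lines are rejected rather than escaped;
    config/end nesting must balance, so a script cannot stop half-way
    through a table because an `end` is missing.
    """
    depth = 0
    cleaned = []
    for raw in lines:
        if "\n" in raw or '"' in raw:
            raise ValueError(f"unsupported character in line: {raw!r}")
        line = raw.strip()
        if not line:
            continue
        if _OPEN.match(line):
            depth += 1
        elif _CLOSE.match(line):
            depth -= 1
            if depth < 0:
                raise ValueError("'end' without a matching 'config'")
        cleaned.append(line)
    if depth != 0:
        raise ValueError(f"{depth} config table(s) left open")
    # The page's example terminates every line, including the last, with %0a.
    return " %0a ".join(cleaned) + " %0a"


def decode_fortiswitch_script(command_value):
    """Inverse of the above: split a stored value back into lines, e.g. to
    review what a script bound to a managed switch actually does."""
    return [p.strip() for p in command_value.split("%0a") if p.strip()]


def custom_command_block(cmd_name, lines):
    """Render the `config switch-controller custom-command` block."""
    body = encode_fortiswitch_script(lines)
    return "\n".join([
        "config switch-controller custom-command",
        f'    edit "{cmd_name}"',
        f'        set command "{body}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # The STP max-age example from the page, as separate lines.
    print(custom_command_block("stp-age-10",
                               ["config switch stp setting", "set max-age 10", "end"]))
```

Running the block prints a block equivalent to the stp-age-10 example above; feeding it a script with a missing end raises an error instead of producing a value that would be accepted by the FortiGate CLI and then fail on the switch.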

Execute a custom script once

After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.

Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch unit:

execute switch-controller custom-command <cmd-name> <target-switch>

For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:

execute switch-controller custom-command stp-age-10 S124DP3X15000118

Bind a custom script to a managed switch

If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be overwritten locally.

Use the following syntax to bind a custom script to a managed switch:

config switch-controller managed-switch

edit "<FortiSwitch_serial_number>"

config custom-command

edit <custom_script_entry>

set command-name "<name_of_custom_script>"

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DF4K15000024"

config custom-command

edit 1

set command-name "stp-age-10"

next

end

next

end

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade. The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.
Using the CLI

Use the following command to stage a firmware image on all FortiSwitch units:

diagnose switch-controller switch-software stage all <image id>

Use the following command to upgrade the firmware image on one FortiSwitch unit:

diagnose switch-controller switch-software upgrade <switch id> <image id>

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global

set https-image-push enable

end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:

execute switch-controller switch-software stage all <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller switch-action restart delay all

FortiSwitch log settings

You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog server.

Exporting logs to FortiGate

You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.

Use the following CLI command syntax:

config switch-controller switch-log

set status {*enable | disable}

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

end

You can override the global log settings for a FortiSwitch unit, using the following commands:

config switch-controller managed-switch

edit <switch-id>

config switch-log

set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

Sending logs to a remote Syslog server

Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the remote Syslog server.

Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:

config switch-controller remote-log

edit {syslogd | syslogd2}

set status {enable | *disable}

set server <IPv4_address_of_remote_syslog_server>

set port <remote_syslog_server_listening_port>

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

set csv {enable | *disable}

set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}

next

end

You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config remote-log

edit {syslogd | syslogd2}

set status {enable | *disable}

set server <IPv4_address_of_remote_syslog_server>

set port <remote_syslog_server_listening_port>

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

set csv {enable | *disable}

set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}

next

end

next

end

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller mac-cache show <switch-id>

FortiOS CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiOS CLI.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch unit. You cannot configure ports from different FortiSwitch units in one LAG. When the trunk is in LACP mode, either lacp-passive or lacp-active, members of a trunk can be grouped into the aggregator with the largest bandwidth or the aggregator with the most ports.

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <trunk_name>

set type trunk

set mode {static | lacp-passive | lacp-active}

set aggregator-mode {bandwidth | count}

set bundle {enable | disable}

set min-bundle <int>

set max-bundle <int>

set members <port1 port2 ...>

next

end

next

end

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.

To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed switches, use the following FortiOS CLI commands:

config switch-controller storm-control

set rate <rate>

set unknown-unicast {enable | disable}

set unknown-multicast {enable | disable}

set broadcast {enable | disable}

end

To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the storm-control policy and then assign the storm-control policy to the FortiSwitch port.

config switch-controller storm-control-policy

edit <storm_control_policy_name>

set description <description_of_the_storm_control_policy>

set storm-control-mode override

set rate <1-10000000 or 0 to drop all packets>

set unknown-unicast {enable | disable}

set unknown-multicast {enable | disable}

set broadcast {enable | disable}

next

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set storm-control-policy <storm_control_policy_name>

next

end

next

end

For example:

config switch-controller storm-control-policy

edit stormpol1

set description "storm control policy for port 5"

set storm-control-mode override

set rate 1000

set unknown-unicast enable

set unknown-multicast enable

set broadcast enable

next

end

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set storm-control-policy stormpol1

next

end

next

end

Displaying, resetting, and restoring port statistics

For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all managed FortiSwitch units.

To display port statistics of a managed FortiSwitch unit:

diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024 port8

Vdom: dmgmt-vdom

Vdom: roort

Vdom: root

S524DF4K15000024:

Port(port8) is Admin up, line protocol is down

Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)

Address is 08:5B:0E:F1:95:ED, loopback is not set

MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II

half-duplex, 0 Mb/s, link type is auto

input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes

0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns

output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes

0 unicasts, 0 multicasts, 0 broadcasts

0 fragments, 0 undersizes, 0 collisions, 0 jabbers

Vdom: vdom-1

To reset the port statistics counters of a managed FortiSwitch unit:

diagnose switch-controller trigger reset-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7

NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered during the time when the counters are reset might be discarded.

To restore the port statistics counters of a managed FortiSwitch unit:

diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-port11,internal
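The port-stats output shown above is what a monitoring job would scrape before and after a counter reset. The parser below is an added example, not Fortinet's code: it turns that output into a dictionary (skipping the Vdom lines the global context prints), and flags a port that is administratively up but has no link, or that reports errors or drops. The sample input is the page's own port8 output; the findings logic and the rule that the fragments/undersizes/collisions/jabbers line belongs to the output block are assumptions of the example.

```python
"""Parse `diagnose switch-controller switch-info port-stats` output.

Added example, not Fortinet's code. The sample below is the port8 output
from the page; the health rules are this example's own assumptions.
"""
import re

_PORT_RE = re.compile(r"^Port\((?P<port>[^)]+)\) is Admin (?P<admin>\w+), line protocol is (?P<proto>\w+)")
_ADDR_RE = re.compile(r"^Address is (\S+),")
_DIR_RE = re.compile(r"^(input|output)\s*:\s*(.*)$")
_COUNTER_RE = re.compile(r"(\d+)\s+([a-z]+)")


def parse_port_stats(text):
    """Return {"switch", "port", "admin", "protocol", "address", "input", "output"}.

    Counter lines that carry no direction prefix are attached to the most
    recent direction, so in the page's layout the trailing
    fragments/undersizes/collisions/jabbers line lands under "output".
    """
    stats = {"input": {}, "output": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Vdom:"):
            continue                      # per-VDOM chatter from the global context
        if line.endswith(":") and " " not in line:
            stats["switch"] = line[:-1]   # "S524DF4K15000024:"
            continue
        m = _PORT_RE.match(line)
        if m:
            stats["port"] = m.group("port")
            stats["admin"] = m.group("admin")
            stats["protocol"] = m.group("proto")
            continue
        m = _ADDR_RE.match(line)
        if m:
            stats["address"] = m.group(1)
            continue
        m = _DIR_RE.match(line)
        if m:
            current, line = m.group(1), m.group(2)
        if current is None:
            continue                      # interface type, MTU, duplex lines
        for value, name in _COUNTER_RE.findall(line):
            stats[current][name] = int(value)
    return stats


def port_health_findings(stats):
    """Assumed health rules: no link while admin up, and any error/drop counter."""
    findings = []
    if stats.get("admin") == "up" and stats.get("protocol") == "down":
        findings.append("admin up but line protocol down (no link)")
    for direction in ("input", "output"):
        for name in ("errors", "drops"):
            count = stats[direction].get(name, 0)
            if count > 0:
                findings.append(f"{direction} {name}: {count}")
    return findings


# Output for port8 as shown on the page (Vdom lines included on purpose).
SAMPLE_PORT_STATS = """\
Vdom: root
S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
Vdom: vdom-1
"""

if __name__ == "__main__":
    parsed = parse_port_stats(SAMPLE_PORT_STATS)
    print(parsed["switch"], parsed["port"], port_health_findings(parsed))
```

Keeping a parsed snapshot from before a reset-hardware-counters run is the simplest way to avoid the monitoring gap the note above warns about: counters that drop to zero can be told apart from counters that never moved.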

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.
  • If you select weighted-random-early-detection for the drop-policy, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
  1. Configure a Dot1p map.

    A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

    NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

    config switch-controller qos dot1p-map

    edit <Dot1p map name>

    set description <text>

    set priority-0 <queue number>

    set priority-1 <queue number>

    set priority-2 <queue number>

    set priority-3 <queue number>

    set priority-4 <queue number>

    set priority-5 <queue number>

    set priority-6 <queue number>

    set priority-7 <queue number>

    next

    end

  2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
    • network-control—Network control
    • internetwork-control—Internetwork control
    • critic-ecp—Critic and emergency call processing (ECP)
    • flashoverride—Flash override
    • flash—Flash
    • immediate—Immediate
    • priority—Priority
    • routine—Routine

    config switch-controller qos ip-dscp-map

    edit <DSCP map name>

    set description <text>

    config map <map_name>

    edit <entry name>

    set cos-queue <COS queue number>

    set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}

    set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}

    set value <DSCP raw value>

    next

    end

    next

    end

  3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
    • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
    • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
    • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

    config switch-controller qos queue-policy

    edit <QoS egress policy name>

    set schedule {strict | round-robin | weighted}

    config cos-queue

    edit queue-<number>

    set description <text>

    set min-rate <rate in kbps>

    set max-rate <rate in kbps>

    set drop-policy {taildrop | weighted-random-early-detection}

    set ecn {enable | disable}

    set weight <weight value>

    next

    end

    next

    end

  4. Configure the overall policy that will be applied to the switch ports.

    config switch-controller qos qos-policy

    edit <QoS egress policy name>

    set default-cos <default CoS value 0-7>

    set trust-dot1p-map <Dot1p map name>

    set trust-ip-dscp-map <DSCP map name>

    set queue-policy <queue policy name>

    next

    end

  5. Configure each switch port.

    config switch-controller managed-switch

    edit <switch-id>

    config ports

    edit <port>

    set qos-policy <CoS policy>

    next

    end

    next

    end

  6. Check the QoS statistics on each switch port.

    diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
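The queue a packet ends up in depends on which maps the QoS policy trusts and on the precedence rule in the note under step 1. The following model is an added example, not Fortinet's code: it encodes the rules the procedure states (unmapped Dot1p priorities go to queue 0, a frame with no CoS value counts as CoS 0, and a trusted DSCP value wins over Dot1p whenever the packet carries one). The dictionary layouts, the packet representation, the fallback for a DSCP value absent from the map, and the behaviour when neither map is trusted are assumptions of the model.

```python
"""Model of how a FortiSwitch QoS policy picks an egress queue.

Added example, not Fortinet's code. It encodes the rules stated in the
procedure above; the dict layouts, the packet representation and the
behaviour when neither map is trusted are assumptions of this model.
"""
NUM_QUEUES = 8      # eight egress queues per port
DEFAULT_QUEUE = 0   # queue used for anything the maps do not cover


def build_dot1p_map(explicit):
    """Dot1p map: priority 0-7 -> queue; unlisted priorities map to queue 0."""
    qmap = {prio: DEFAULT_QUEUE for prio in range(8)}
    for prio, queue in explicit.items():
        if not (0 <= prio <= 7 and 0 <= queue < NUM_QUEUES):
            raise ValueError(f"invalid dot1p entry {prio} -> {queue}")
        qmap[prio] = queue
    return qmap


def build_dscp_map(entries):
    """DSCP map: {entry_name: (cos_queue, [raw DSCP values 0-63])}, mirroring
    `set cos-queue` and `set value` in the ip-dscp-map table."""
    qmap = {}
    for name, (queue, values) in entries.items():
        for value in values:
            if not (0 <= value <= 63 and 0 <= queue < NUM_QUEUES):
                raise ValueError(f"invalid dscp entry {name}: {value} -> {queue}")
            qmap[value] = queue
    return qmap


def policy_warnings(policy):
    """The page advises against trusting both maps on one interface."""
    if policy.get("trust_dot1p") is not None and policy.get("trust_dscp") is not None:
        return ["both Dot1p and DSCP trusted: DSCP will win whenever present"]
    return []


def select_queue(packet, policy):
    """Egress queue for packet {"cos": int|None, "dscp": int|None} under
    policy {"trust_dot1p": map|None, "trust_dscp": map|None}."""
    dscp_map = policy.get("trust_dscp")
    dot1p_map = policy.get("trust_dot1p")
    dscp, cos = packet.get("dscp"), packet.get("cos")

    # DSCP has precedence whenever it is trusted and the packet carries one.
    # Assumption: a DSCP value absent from the map falls back to queue 0.
    if dscp_map is not None and dscp is not None:
        return dscp_map.get(dscp, DEFAULT_QUEUE)
    if dot1p_map is not None:
        if cos is None:
            cos = 0   # frame without a CoS value is treated as CoS 0
        return dot1p_map.get(cos, DEFAULT_QUEUE)
    # Assumption: with neither map trusted nothing is classified, so queue 0.
    return DEFAULT_QUEUE


if __name__ == "__main__":
    dot1p = build_dot1p_map({5: 5, 6: 6, 7: 7})
    dscp = build_dscp_map({"ef": (5, [46]), "cs6": (6, [48])})
    both = {"trust_dot1p": dot1p, "trust_dscp": dscp}
    print(policy_warnings(both))
    print(select_queue({"cos": 7, "dscp": 46}, both))   # DSCP wins -> 5
```

The main block reproduces the case the note describes: with both maps trusted, a frame carrying CoS 7 and DSCP 46 lands in the queue the DSCP map chose, and only a frame with no DSCP value at all is placed by its Dot1p priority.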

Configuring PTP transparent-clock mode

Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to improve the time precision. There are two transparent-clock modes:

  • End-to-end measures the path delay for the entire path
  • Peer-to-peer measures the path delay between each pair of nodes

Use the following steps to configure PTP transparent-clock mode:

  1. Configure the global PTP settings.
    By default, PTP is disabled.
  2. Enable the PTP policy.
    By default, the PTP policy is enabled.
  3. Apply the PTP policy to a port.
    NOTE: PTP policies are hidden on virtual ports.
To configure the global PTP settings:

config switch-controller ptp settings

set mode {disable | transparent-e2e | transparent-p2p}

end

To enable the PTP policy:

config switch-controller ptp policy

edit {default | <policy_name>}

set status {enable | disable}

next

end

To apply the PTP policy to a port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set ptp-policy {default | <policy_name>}

end

end

For example:

config switch-controller ptp settings

set mode transparent-p2p

end

config switch-controller ptp policy

edit ptppolicy1

set status enable

next

end

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set ptp-policy ptppolicy1

end

end

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:

diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
  • If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk; the new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
  • If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by the FortiGate unit with the correct configuration.
To replace a managed FortiSwitch unit:
  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

    config vdom

    edit <VDOM_name>

    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>


    For example:


    config vdom

    edit vdom_new

    execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026


    If the failed FortiSwitch unit was not part of a VDOM, enter the following command:


    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>


    An error is returned if the replacement FortiSwitch unit is authorized.

To rename the MCLAG-ICL trunk:

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface command. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
      edit "root-lag"
      set vdom "root"
      set fortilink enable
      set ip 10.105.60.254 255.255.255.0
      set allowaccess ping capwap
      set type aggregate
      set member "port45" "port48"
      config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # n // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0
      icl-sw1 (trunk) # end


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:

      icl-sw1 # config switch trunk

      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) #set mode lacp-active
      icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) #set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:5
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL

      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________

      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.
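Step 2b asks you to locate the trunk with set mclag-icl enable and record its member ports, and step 2f asks you to recreate it with set auto-isl 0; both are easy to get wrong during a maintenance window. The following helper is an added example, not Fortinet's code: it parses show switch trunk output, finds the ICL trunk, and emits the create block for the new name with the original mode and members. The sample input is the page's own icl-sw1 output plus one constructed non-ICL trunk; the function names and the handling of the // annotations are assumptions of the example.

```python
"""Find the MCLAG-ICL trunk in `show switch trunk` output and build its replacement.

Added example, not Fortinet's code. The sample is the icl-sw1 output from the
page with one constructed extra trunk; function names are assumptions.
"""
import re

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_switch_trunks(text):
    """Parse `show switch trunk` output into {trunk_name: {setting: value}}.

    A quoted member list becomes a Python list; prompt lines, "..." and
    "<snip>" markers, and trailing // annotations are ignored.
    """
    trunks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop "// look for this line"
        if not line or " # " in line or line in ("...", "<snip>"):
            continue
        m = _EDIT_RE.match(line)
        if m:
            current = trunks.setdefault(m.group(1), {})
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = re.findall(r'"([^"]+)"', value) if key == "members" else value
        elif line in ("next", "end"):
            current = None
    return trunks


def find_mclag_icl(trunks):
    """Return (name, settings) of the trunk carrying `set mclag-icl enable`, or None."""
    for name, settings in trunks.items():
        if settings.get("mclag-icl") == "enable":
            return name, settings
    return None


def recreate_icl_commands(settings, new_name):
    """FortiSwitch CLI block that rebuilds the ICL trunk under `new_name`,
    keeping the recorded mode and members and forcing `set auto-isl 0`
    as step 2f requires. Only the create block is emitted; shutting the
    member ports, deleting the old trunk and bringing ports up are the
    surrounding manual steps."""
    members = " ".join(f'"{p}"' for p in settings["members"])
    lines = ["config switch trunk", f'    edit "{new_name}"']
    if "mode" in settings:
        lines.append(f"        set mode {settings['mode']}")
    lines += ["        set auto-isl 0",
              "        set mclag-icl enable",
              f"        set members {members}",
              "    next",
              "end"]
    return lines


# icl-sw1 output from the page, plus a constructed non-ICL trunk "uplink-1".
SAMPLE_SHOW_SWITCH_TRUNK = """\
icl-sw1 # show switch trunk
config switch trunk
...
edit "uplink-1"
set mode lacp-active
set members "port1" "port2"
next
edit "D483Z17000282-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable // look for this line
set members "port27" "port28" // note the member ports
next
end
"""

if __name__ == "__main__":
    name, icl = find_mclag_icl(parse_switch_trunks(SAMPLE_SHOW_SWITCH_TRUNK))
    print(name, icl["members"])
    print("\n".join(recreate_icl_commands(icl, "MCLAG-ICL")))
```

Parsing the before and after output with the same function also gives a direct way to do the comparison in step 4b: everything except the trunk name and the auto-isl value should be identical.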

FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

Summary of the procedure

  1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
  2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
  3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
  4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:

  • default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
  • quarantine—This VLAN contains quarantined traffic.
  • rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
  • voice—This VLAN is dedicated for voice devices.
  • video—This VLAN is dedicated for video devices.
  • onboarding—This VLAN is for NAC onboarding devices.

You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name VLAN name
    VLAN ID Enter a number (1-4094)
    Color Choose a unique color for each VLAN, for ease of visual display.
    Role Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Admission access options as required.
  4. Select OK.
Using the CLI:

config system interface

edit <vlan name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Select the onboarding NAC VLAN.
  3. Select Edit.
  4. Make your changes.
  5. Select OK to save your changes.
Using the CLI:

config switch-controller initial-config template

edit onboarding

set vlanid <1-4094>

set allowaccess {ping | https |ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}

set auto-ip {enable | disable}

set dhcp-server {enable | disable}

end

Configuring the FortiSwitch NAC settings

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually configure the NAC settings or use the NAC wizard. See Using the NAC wizard.

The local mode uses the local port-level settings of the managed FortiSwitch units: NAC is applied only to the ports whose access mode is set to nac. The global mode applies NAC to all managed FortiSwitch ports. By default, the mode is local.

You can set how many minutes NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 0 to 1440 minutes. If you set the inactive-timer to 0, there is no limit to how long NAC devices can be inactive.

When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.

When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.

When NAC mode is configured on a port, the switch port link goes down and then up by default, which forces the device connected to that port to restart its DHCP process and obtain an address in its assigned VLAN.

When a link goes down, the NAC devices are cleared from all switch ports by default.

Configuring NAC on a global level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All to apply NAC policies to all FortiSwitch ports.
  6. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode global

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

Configuring NAC on a local level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select Specify to apply NAC policies to specific FortiSwitch ports.
  6. Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode local

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set access-mode nac

next

end

next

end

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Right-click a port.
  3. Select Access Mode > NAC.

Using the NAC wizard

The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.

  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Configure NAC Settings.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
  6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Next.
  8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN.
  9. Select Submit.

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create three types of NAC policies:

  • Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user.
  • User—The NAC policy matches devices belonging to the specified user group.
  • EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.

Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a port policy and Creating a MAC policy.

NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.

A default device policy, Onboarding VLAN, is provided; it uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy as is, edit it, or create a new NAC policy.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select Device for the category.
  7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to match.
  8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the hardware vendor to match.
  9. If you want the device to match a device family, move the Device Family slider and enter the name of the device family to match.
  10. If you want the device to match a device type, move the Type slider and enter the device type to match.
  11. If you want the device to match an operating system, move the Operating System slider and enter the operating system to match.
  12. If you want the device to match a user, move the User slider and enter the user name to match.
  13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
  14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  15. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category device

set status enable

set mac <MAC_address>

set hw-vendor <hardware_vendor>

set type <device_type>

set family <device_family>

set os <operating_system>

set hw-version <hardware_version>

set sw-version <software_version>

set host <host_name>

set user <user_name>

set src <source>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select User for the category.
  7. Select which user group that devices must belong to.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category user

set status enable

set user-group <name_of_user_group>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating an EMS-tag policy

An EMS-tag policy matches devices by MAC address and then assigns a specific VLAN to those devices or applies port-level settings to them. The MAC addresses are derived from a FortiClient Endpoint Management Server (EMS) tag: the tag groups the endpoints in FortiClient EMS, and the FortiGate unit learns their MAC addresses over the EMS connector.

NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.

Before creating an EMS-tag policy on a managed FortiSwitch unit:

  1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
  2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
  3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

    config endpoint-control fctems

    edit <ems_name>

    set server <ip_address>

    set certificate <string>

    next

    end

    For example:

    config endpoint-control fctems

    edit EMS_Server

    set server 1.2.3.4

    set certificate REMOTE_Cert_1

    next

    end

  4. In FortiOS, verify the EMS certificate. For example:

    execute fctems verify EMS_Server

  5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

    diagnose user device get <FortiClient_MAC_address>

  6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

    diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select EMS Tag for the category.
  7. Select which FortiClient EMS tag that devices must be assigned.
  8. If you want to assign a specific VLAN to a device that carries the specified EMS tag, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings to devices that carry the specified EMS tag, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category ems-tag

set ems-tag <string>

set status enable

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

next

end

For example:

config user nac-policy

edit nac_policy_1

set category ems-tag

set ems-tag MAC_FCTEMS0000108427_Low

set switch-fortilink fortilink1

set switch-port-policy port_policy_1

next

end

Creating a port policy

You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.

config switch-controller port-policy

edit <port_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set lldp-profile <LLDP_profile>

set qos-policy <QoS_policy>

set 802-1x <802.1x_policy>

set vlan-policy <VLAN_policy>

set bounce-port-link {enable | disable}

next

end

For example:

config switch-controller port-policy

edit port_policy_1

set fortilink fortilink1

set vlan-policy vlan_policy_1

next

end

Creating a VLAN policy

You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.

config switch-controller vlan-policy

edit <VLAN_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set allowed-vlans <lists_of_VLAN_names>

set untagged-vlans <lists_of_VLAN_names>

set allowed-vlans-all {enable | disable}

set discard-mode {none | all-untagged | all-tagged}

next

end

For example:

config switch-controller vlan-policy

edit vlan_policy_1

set fortilink fortilink1

set vlan default

next

end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.

config switch-controller mac-policy

edit <MAC_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set traffic-policy <traffic_policy_name>

set count {enable | disable}

next

end
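The following worked example ties the procedure above together (NAC VLAN, NAC settings, port access mode, VLAN policy, port policy, and device policy). It is added here for illustration and is not taken from the Fortinet documentation. The VLAN name nac-iot, VLAN ID 120, the NAC settings name nac-local, the policy names, the vendor and type strings "Axis" and "IP Camera", and the FortiLink interface name fortilink1 are assumed values; the switch serial number S524DF4K15000024 and port5 are the ones used in the examples elsewhere on this page.

```fortios
# 1. Restricted VLAN that matched IoT devices are moved into (VLAN ID and name are assumed).
config system interface
    edit "nac-iot"
        set vlanid 120
        set color 5
        set interface "fortilink1"
    next
end

# 2. NAC settings in local mode, so NAC runs only on ports whose access-mode is nac.
#    Unmatched devices stay in the default onboarding VLAN; idle entries age out after 30 minutes.
config switch-controller nac-settings
    edit "nac-local"
        set mode local
        set inactive-timer 30
        set onboarding-vlan "onboarding"
        set auto-auth enable
        set bounce-nac-port enable
        set link-down-flush enable
    next
end

# 3. Put the access port on the managed switch into NAC mode.
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit "port5"
                set access-mode nac
            next
        end
    next
end

# 4. VLAN policy: nac-iot is the only allowed (native, untagged) VLAN, and tagged frames
#    are discarded so a matched device cannot reach another VLAN by tagging its own traffic.
config switch-controller vlan-policy
    edit "vlan_policy_iot"
        set fortilink "fortilink1"
        set vlan "nac-iot"
        set allowed-vlans "nac-iot"
        set untagged-vlans "nac-iot"
        set allowed-vlans-all disable
        set discard-mode all-tagged
    next
end

# 5. Port policy that applies the VLAN policy and bounces the link so the device re-runs DHCP.
config switch-controller port-policy
    edit "port_policy_iot"
        set fortilink "fortilink1"
        set vlan-policy "vlan_policy_iot"
        set bounce-port-link enable
    next
end

# 6. Device policy: match on the detected hardware vendor and device type (assumed strings),
#    scoped to the one switch, and apply the port policy to matching devices.
config user nac-policy
    edit "nac_policy_cameras"
        set description "Move detected IP cameras into the restricted IoT VLAN"
        set category device
        set status enable
        set hw-vendor "Axis"
        set type "IP Camera"
        set switch-fortilink "fortilink1"
        set switch-scope "S524DF4K15000024"
        set switch-auto-auth enable
        set switch-port-policy "port_policy_iot"
    next
end

# 7. Verify: list the matched devices whose port location is known.
diagnose switch-controller nac-device known
```

A device policy keys on what the switch observes about the endpoint (its MAC address, vendor, and detected type), so a host that presents a camera's MAC address lands in the same VLAN. Treat device policies as segmentation for endpoints that cannot authenticate, and prefer an 802.1x policy in the port policy for endpoints that can.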

Viewing the devices that match the NAC policy

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select View Matched Devices.
  3. Select Refresh to update the results.
Using the CLI:

To show known NAC devices with a known location that match a NAC policy:

diagnose switch-controller nac-device known

To show pending NAC devices with an unknown location that match a NAC policy:

diagnose switch-controller nac-device pending

Configuring IoT detection

Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of Things (IoT) devices. FortiOS stores and displays the identified devices. You can use the FortiOS CLI to configure IoT detection.

Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than the iot-weight-threshold value, the MAC address is scanned. The default value is 1. Set the iot-weight-threshold value to 0 to disable IoT detection.

You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 4,294,967,295 minutes. The default is a scan interval of 60 minutes. Every MAC address will be scanned for a time interval of 60 minutes followed by 60 minutes when it will not be scanned. The start time of every MAC addressʼs 60-minute scan interval is unique. Set the iot-scan-interval value to 0 to disable IoT detection.

A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes is 5. The range of values is 0 to 4,294,967,295 minutes. Set the iot-holdoff value to 0 to disable this setting.

If a MAC address entryʼs last-seen time is greater than the iot-mac-idle value, the MAC address entry is not considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to 4,294,967,295 minutes.

config switch-controller system

set iot-weight-threshold <0-4294967295>

set iot-scan-interval <2-4294967295>

set iot-holdoff <0-4294967295>

set iot-mac-idle <0-4294967295>

end

Optimizing the FortiSwitch network

Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are automatically applied.

NOTE: The Security Rating feature is available only when VDOMs are disabled.

To optimize your FortiSwitch network:
  1. Go to Security Fabric > Security Rating.
  2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.

  3. Select the Optimization section.

  4. Under Failed, select + next to each item to see more details in the right pane.

  5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.

Additional capabilities

This chapter covers the following topics:

Execute custom FortiSwitch scripts

From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains generic FortiSwitch commands.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.

Create a custom script

Use the following syntax to create a custom script from the FortiGate unit:

config switch-controller custom-command

edit <cmd-name>

set command "<FortiSwitch_command>"

end

NOTE: You need to use %0a to indicate a return.

For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:

config switch-controller custom-command

edit "stp-age-10"

set command "config switch stp setting %0a set max-age 10 %0a end %0a"

end

Execute a custom script once

After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because a script executed this way is not bound to any switch, the settings it applies are not part of the managed-switch configuration, and the FortiSwitch unit might reset them when it is restarted.

Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch unit:

execute switch-controller custom-command <cmd-name> <target-switch>

For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:

execute switch-controller custom-command stp-age-10 S124DP3X15000118

Bind a custom script to a managed switch

If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be overwritten locally.

Use the following syntax to bind a custom script to a managed switch:

config switch-controller managed-switch

edit "<FortiSwitch_serial_number>"

config custom-command

edit <custom_script_entry>

set command-name "<name_of_custom_script>"

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DF4K15000024"

config custom-command

edit 1

set command-name "stp-age-10"

next

end

next

end

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade. The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.
Using the CLI

Use the following command to stage a firmware image on all FortiSwitch units:

diagnose switch-controller switch-software stage all <image id>

Use the following command to upgrade the firmware image on one FortiSwitch unit:

diagnose switch-controller switch-software upgrade <switch id> <image id>

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global

set https-image-push enable

end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:

execute switch-controller switch-software stage all <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller switch-action restart delay all

FortiSwitch log settings

You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog server.

Exporting logs to FortiGate

You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.

Use the following CLI command syntax:

config switch-controller switch-log

set status {*enable | disable}

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

end

You can override the global log settings for a FortiSwitch unit, using the following commands:

config switch-controller managed-switch

edit <switch-id>

config switch-log

set local-override enable

set status {enable | disable}

set severity {emergency | alert | critical | error | warning | notification | information | debug}

end

next

end

After local-override is enabled, the status and severity settings in this block (the same options as the global switch-log settings) apply to this specific switch instead of the global settings.

Sending logs to a remote Syslog server

Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the remote Syslog server.

Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:

config switch-controller remote-log

edit {syslogd | syslogd2}

set status {enable | *disable}

set server <IPv4_address_of_remote_syslog_server>

set port <remote_syslog_server_listening_port>

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

set csv {enable | *disable}

set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}

next

end

You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config remote-log

edit {syslogd | syslogd2}

set status {enable | *disable}

set server <IPv4_address_of_remote_syslog_server>

set port <remote_syslog_server_listening_port>

set severity {emergency | alert | critical | error | warning | notification | *information | debug}

set csv {enable | *disable}

set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}

next

end

next

end
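The following worked example, added here and not taken from the Fortinet documentation, combines the global switch-log and remote-log settings above with a per-switch override. The collector address 192.0.2.50 is a constructed value, the severity choices are assumed, the switch serial number S524DF4K15000024 is the one used in the examples earlier on this page, and the status and severity settings inside the per-switch switch-log block are assumed to mirror the global switch-log options.

```fortios
# Global: every managed switch exports its logs to the FortiGate unit, warning and above.
config switch-controller switch-log
    set status enable
    set severity warning
end

# Global: also send a copy to the remote collector (constructed address) on the default
# port 514; syslogd2 is left at its default (disabled).
config switch-controller remote-log
    edit syslogd
        set status enable
        set server 192.0.2.50
        set port 514
        set severity information
        set csv disable
        set facility local7
    next
end

# Per-switch override for one access switch: keep the FortiGate export, but raise the
# severity so that everything down to debug is kept for that switch only.
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config switch-log
            set local-override enable
            set status enable
            set severity debug
        end
        config remote-log
            edit syslogd
                set status enable
                set server 192.0.2.50
                set port 514
                set severity debug
                set csv disable
                set facility local7
            next
        end
    next
end
```

Nothing on this configuration path encrypts or authenticates the syslog stream, so place the collector where it is reachable only from the managed switches' management addresses rather than across an untrusted segment. The FortiGate export is the simpler choice for correlation, since every exported entry carries the user field "fortiswitch-syslog" and can be filtered on it.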

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller mac-cache show <switch-id>

FortiOS CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiOS CLI.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch unit. You cannot configure ports from different FortiSwitch units in one LAG. When the trunk is in LACP mode, either lacp-passive or lacp-active, members of a trunk can be grouped into the aggregator with the largest bandwidth or the aggregator with the most ports.

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <trunk_name>

set type trunk

set mode {static | lacp-passive | lacp-active}

set aggregator-mode {bandwidth | count}

set bundle {enable | disable}

set min-bundle <int>

set max-bundle <int>

set members <port1 port2 ...>

next

end

next

end
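A worked example of a two-port LACP uplink trunk, added here and not taken from the Fortinet documentation: the trunk name lag-uplink, the member ports port7 and port8, and the bundle limits are assumed values; the switch serial number S524DF4K15000024 is the one used in the examples on this page.

```fortios
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit "lag-uplink"
                set type trunk
                # Active LACP negotiates with the peer rather than waiting for it.
                set mode lacp-active
                # Select the aggregator with the largest bandwidth when members disagree.
                set aggregator-mode bandwidth
                set bundle enable
                # Keep the trunk up with a single surviving member, cap it at both members.
                set min-bundle 1
                set max-bundle 2
                # Both members must be on this same switch; ports from other units are not allowed.
                set members "port7" "port8"
            next
        end
    next
end
```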

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.

To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed switches, use the following FortiOS CLI commands:

config switch-controller storm-control

set rate <rate>

set unknown-unicast {enable | disable}

set unknown-multicast {enable | disable}

set broadcast {enable | disable}

end

To configure storm control for a specific FortiSwitch port, use the FortiOS CLI to set storm-control-mode to override in a storm-control policy and then assign that storm-control policy to the FortiSwitch port.

config switch-controller storm-control-policy

edit <storm_control_policy_name>

set description <description_of_the_storm_control_policy>

set storm-control-mode override

set rate <1-10000000 or 0 to drop all packets>

set unknown-unicast {enable | disable}

set unknown-multicast {enable | disable}

set broadcast {enable | disable}

next

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set storm-control-policy <storm_control_policy_name>

next

end

next

end

For example:

config switch-controller storm-control-policy

edit stormpol1

set description "storm control policy for port 5"

set storm-control-mode override

set rate 1000

set unknown-unicast enable

set unknown-multicast enable

set broadcast enable

next

end

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set storm-control-policy stormpol1

next

end

next

end

Displaying, resetting, and restoring port statistics

For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all managed FortiSwitch units.

To display port statistics of a managed FortiSwitch unit:

diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024 port8

Vdom: dmgmt-vdom

Vdom: roort

Vdom: root

S524DF4K15000024:

Port(port8) is Admin up, line protocol is down

Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)

Address is 08:5B:0E:F1:95:ED, loopback is not set

MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II

half-duplex, 0 Mb/s, link type is auto

input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes

0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns

output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes

0 unicasts, 0 multicasts, 0 broadcasts

0 fragments, 0 undersizes, 0 collisions, 0 jabbers

Vdom: vdom-1

To reset the port statistics counters of a managed FortiSwitch unit:

diagnose switch-controller trigger reset-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7

NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered during the time when the counters are reset might be discarded.

To restore the port statistics counters of a managed FortiSwitch unit:

diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:

FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-port11,internal

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.
  • If you select weighted-random-early-detection for the drop-policy, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
  1. Configure a Dot1p map.

    A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

    NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

    config switch-controller qos dot1p-map

    edit <Dot1p map name>

    set description <text>

    set priority-0 <queue number>

    set priority-1 <queue number>

    set priority-2 <queue number>

    set priority-3 <queue number>

    set priority-4 <queue number>

    set priority-5 <queue number>

    set priority-6 <queue number>

    set priority-7 <queue number>

    next

    end

  2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
    • network-control—Network control
    • internetwork-control—Internetwork control
    • critic-ecp—Critic and emergency call processing (ECP)
    • flashoverride—Flash override
    • flash—Flash
    • immediate—Immediate
    • priority—Priority
    • routine—Routine

    config switch-controller qos ip-dscp-map

    edit <DSCP map name>

    set description <text>

    config map

    edit <entry name>

    set cos-queue <COS queue number>

    set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}

    set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}

    set value <DSCP raw value>

    next

    end

    end

  3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
    • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
    • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
    • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

    config switch-controller qos queue-policy

    edit <QoS egress policy name>

    set schedule {strict | round-robin | weighted}

    config cos-queue

    edit queue-<number>

    set description <text>

    set min-rate <rate in kbps>

    set max-rate <rate in kbps>

    set drop-policy {taildrop | weighted-random-early-detection}

    set ecn {enable | disable}

    set weight <weight value>

    next

    end

    next

    end

  4. Configure the overall policy that will be applied to the switch ports.

    config switch-controller qos qos-policy

    edit <QoS egress policy name>

    set default-cos <default CoS value 0-7>

    set trust-dot1p-map <Dot1p map name>

    set trust-ip-dscp-map <DSCP map name>

    set queue-policy <queue policy name>

    next

    end

  5. Configure each switch port.

    config switch-controller managed-switch

    edit <switch-id>

    config ports

    edit <port>

    set qos-policy <CoS policy>

    next

    end

    next

    end

  6. Check the QoS statistics on each switch port.

    diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
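The following added example (not Fortinet code) models the queue selection described in the steps above: it resolves the diffserv and ip-precedence names accepted by the ip-dscp-map to raw DSCP values, then applies the documented trust order (DSCP wins over Dot1p, Dot1p is used only when the packet has no DSCP value, unmapped Dot1p priorities go to queue 0, a missing CoS counts as 0). Two behaviours the page does not spell out are marked as assumptions in the code: a DSCP value with no map entry goes to queue 0, and a port trusting neither map uses default-cos with the default mapping.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Standard DSCP code points for the diffserv names accepted by
# 'set diffserv' (class selectors, assured forwarding, expedited forwarding).
DIFFSERV: Dict[str, int] = {
    "CS0": 0, "CS1": 8, "AF11": 10, "AF12": 12, "AF13": 14,
    "CS2": 16, "AF21": 18, "AF22": 20, "AF23": 22,
    "CS3": 24, "AF31": 26, "AF32": 28, "AF33": 30,
    "CS4": 32, "AF41": 34, "AF42": 36, "AF43": 38,
    "CS5": 40, "EF": 46, "CS6": 48, "CS7": 56,
}

# IP precedence names accepted by 'set ip-precedence', highest first as listed
# in step 2. Precedence p occupies the top three bits of the DS field, so its
# raw DSCP value is p << 3.
IP_PRECEDENCE: Dict[str, int] = {
    "network-control": 7, "internetwork-control": 6, "critic-ecp": 5,
    "flashoverride": 4, "flash": 3, "immediate": 2, "priority": 1,
    "routine": 0,
}


def dscp_value(diffserv: Optional[str] = None,
               ip_precedence: Optional[str] = None,
               value: Optional[int] = None) -> int:
    """Raw DSCP (0-63) of one ip-dscp-map entry; exactly one key must be set."""
    given = [x for x in (diffserv, ip_precedence, value) if x is not None]
    if len(given) != 1:
        raise ValueError("set exactly one of diffserv, ip-precedence, value")
    if diffserv is not None:
        return DIFFSERV[diffserv]
    if ip_precedence is not None:
        return IP_PRECEDENCE[ip_precedence] << 3
    if not 0 <= value <= 63:
        raise ValueError("DSCP raw value must be 0-63")
    return value


@dataclass
class Dot1pMap:
    """priority-N -> queue; unset priorities follow the default (queue 0)."""
    priority: Dict[int, int] = field(default_factory=dict)

    def queue_for(self, cos: int) -> int:
        return self.priority.get(cos, 0)


@dataclass
class DscpMap:
    """raw DSCP -> cos-queue, as built from the map entries."""
    entries: Dict[int, int] = field(default_factory=dict)

    def queue_for(self, dscp: int) -> Optional[int]:
        return self.entries.get(dscp)


@dataclass
class QosPolicy:
    """The fields of 'config switch-controller qos qos-policy' used here."""
    default_cos: int = 0
    trust_dot1p_map: Optional[Dot1pMap] = None
    trust_ip_dscp_map: Optional[DscpMap] = None


def egress_queue(policy: QosPolicy, cos: Optional[int],
                 dscp: Optional[int]) -> int:
    """Egress queue (0-7) for a packet arriving on a port with this policy.

    cos:  802.1p priority from the VLAN tag, or None if the frame is untagged.
    dscp: DSCP field of an IP packet, or None for non-IP traffic.
    """
    # Documented order: when both maps are trusted, a DSCP value present in
    # the packet wins; Dot1p is consulted only when there is no DSCP value.
    if policy.trust_ip_dscp_map is not None and dscp is not None:
        queue = policy.trust_ip_dscp_map.queue_for(dscp)
        # Assumption: a DSCP value with no map entry lands in queue 0,
        # mirroring the documented Dot1p default mapping.
        return 0 if queue is None else queue
    if policy.trust_dot1p_map is not None:
        # A packet carrying no CoS value is assigned CoS 0 by the switch.
        return policy.trust_dot1p_map.queue_for(0 if cos is None else cos)
    # Assumption: with neither map trusted, the port's default-cos is applied
    # and the default priority-to-queue mapping (everything to queue 0) follows.
    return Dot1pMap().queue_for(policy.default_cos)
```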

Configuring PTP transparent-clock mode

Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to improve the time precision. There are two transparent-clock modes:

  • End-to-end measures the path delay for the entire path
  • Peer-to-peer measures the path delay between each pair of nodes

Use the following steps to configure PTP transparent-clock mode:

  1. Configure the global PTP settings.
    By default, PTP is disabled.
  2. Enable the PTP policy.
    By default, the PTP policy is enabled.
  3. Apply the PTP policy to a port.
    NOTE: PTP policies are hidden on virtual ports.
To configure the global PTP settings:

config switch-controller ptp settings

set mode {disable | transparent-e2e | transparent-p2p}

end

To enable the PTP policy:

config switch-controller ptp policy

edit {default | <policy_name>}

set status {enable | disable}

next

end

To apply the PTP policy to a port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set ptp-policy {default | <policy_name>}

end

end

For example:

config switch-controller ptp settings

set mode transparent-p2p

end

config switch-controller ptp policy

edit ptppolicy1

set status enable

next

end

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set ptp-policy ptppolicy1

end

end

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:

diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
  • If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
  • If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by the FortiGate unit with the correct configuration.
To replace a managed FortiSwitch unit:
  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

    config vdom

    edit <VDOM_name>

    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>


    For example:


    config vdom

    edit vdom_new

    execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026


    If the failed FortiSwitch unit was not part of a VDOM, enter the following command:


    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>


    An error is returned if the replacement FortiSwitch unit is authorized.

To rename the MCLAG-ICL trunk:

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface command. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
      edit "root-lag"
      set vdom "root"
      set fortilink enable
      set ip 10.105.60.254 255.255.255.0
      set allowaccess ping capwap
      set type aggregate
      set member "port45" "port48"
      config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # n // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:

      icl-sw1 # config switch trunk

      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) #set mode lacp-active
      icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) #set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:5
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL

      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________

      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.
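The comparison in step 4b can be automated. The following is an added example, not a Fortinet tool: it parses the two diagnose switch mclag icl outputs shown above (copied from this page), ignores the fields that legitimately change across the maintenance window (uptimes and keepalive counters) and reports everything else that differs, plus any malformed MAC address. As transcribed on this page, the peer-mac in the step 4a output is one hex digit short, so the check reports it; that is exactly the kind of discrepancy the comparison exists to surface.

```python
import re

# Output of 'diagnose switch mclag icl' before the rename (step 2b above).
BEFORE = """\
D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60

Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1
"""

# Output after the rename (step 4a above).
AFTER = """\
MCLAG-ICL
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:5
peer-serial-number FS1D483Z17000282
Local uptime 0 days 2h:11m:13s
Peer uptime 0 days 2h:11m: 7s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60

Counters
received keepalive packets 5838
transmited keepalive packets 6279
received keepalive drop packets 27
receive keepalive miss 1
"""

# Field names seen in the command output, longest first so that
# 'received keepalive drop packets' is never taken for 'received keepalive packets'.
KEYS = sorted([
    "icl-ports", "egress-block-ports", "interface-mac", "lacp-serial-number",
    "peer-mac", "peer-serial-number", "Local uptime", "Peer uptime",
    "MCLAG-STP-mac", "keepalive interval", "keepalive timeout",
    "received keepalive packets", "transmited keepalive packets",
    "received keepalive drop packets", "receive keepalive miss",
], key=len, reverse=True)

# Fields expected to change across the maintenance window.
VOLATILE = {"Local uptime", "Peer uptime", "received keepalive packets",
            "transmited keepalive packets", "received keepalive drop packets",
            "receive keepalive miss"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_mclag_icl(text):
    """Return (trunk_name, {field: value}); the first line is the ICL trunk name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name, fields = lines[0], {}
    for ln in lines[1:]:
        if ln == "Counters":          # section header, carries no value
            continue
        for key in KEYS:
            if ln.startswith(key + " "):
                fields[key] = ln[len(key):].strip()
                break
        else:
            fields["unparsed: " + ln] = ""   # surface anything unexpected
    return name, fields


def compare_icl(before_text, after_text, expected_name):
    """Findings to review after the rename; an empty list means clean."""
    _, old = parse_mclag_icl(before_text)
    new_name, new = parse_mclag_icl(after_text)
    findings = []
    if new_name != expected_name:
        findings.append(f"trunk name is {new_name!r}, expected {expected_name!r}")
    for key, value in new.items():
        if key.endswith("-mac") and not MAC_RE.match(value):
            findings.append(f"{key}: malformed MAC {value!r}")
    for key in sorted(set(old) | set(new)):
        if key in VOLATILE:
            continue
        if old.get(key) != new.get(key):
            findings.append(f"{key}: before={old.get(key)!r} after={new.get(key)!r}")
    return findings
```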

FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

Summary of the procedure

  1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
  2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
  3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
  4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:

  • default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
  • quarantine—This VLAN contains quarantined traffic.
  • rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
  • voice—This VLAN is dedicated for voice devices.
  • video—This VLAN is dedicated for video devices.
  • onboarding—This VLAN is for NAC onboarding devices.

You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name: VLAN name
    VLAN ID: Enter a number (1-4094)
    Color: Choose a unique color for each VLAN, for ease of visual display.
    Role: Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Admission access options as required.
  4. Select OK.
Using the CLI:

config system interface

edit <vlan name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Select the onboarding NAC VLAN.
  3. Select Edit.
  4. Make your changes.
  5. Select OK to save your changes.
Using the CLI:

config switch-controller initial-config template

edit onboarding

set vlanid <1-4094>

set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}

set auto-ip {enable | disable}

set dhcp-server {enable | disable}

end

Configuring the FortiSwitch NAC settings

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually configure the NAC settings or use the NAC wizard. See Using the NAC wizard.

The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all managed FortiSwitch ports. By default, the mode is local.

You can set how many minutes NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 0 to 1,440 minutes. If you set the inactive-timer to 0, there is no limit to how long the NAC devices can be inactive.

When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.

When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that switch.

When a link goes down, the NAC devices are cleared from all switch ports by default.

Configuring NAC on a global level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports.
  6. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode global

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

Configuring NAC on a local level

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the NAC Settings slider to expand the NAC Settings section.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select Specify to apply NAC policies to specific FortiSwitch ports.
  6. Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Apply to save your changes.
Using the CLI:

config switch-controller nac-settings

edit <name_of_this_NAC_configuration>

set mode local

set inactive-timer <integer>

set onboarding-vlan <string>

set auto-auth {enable | disable}

set bounce-nac-port {enable | disable}

set link-down-flush {enable | disable}

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set access-mode nac

next

end

next

end

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Right-click a port.
  3. Select Access Mode > NAC.

Using the NAC wizard

The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.

NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.

  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Configure NAC Settings.
  3. Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
  4. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  5. Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
  6. If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
  7. Select Next.
  8. Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN.
  9. Select Submit.

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create three types of NAC policies:

  • Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user.
  • User—The NAC policy matches devices belonging to the specified user group.
  • EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.

Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a port policy and Creating a MAC policy.

NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.

By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select Device for the category.
  7. If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to match.
  8. If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the hardware vendor to match.
  9. If you want the device to match a device family, move the Device Family slider and enter the name of the device family to match.
  10. If you want the device to match a device type, move the Type slider and enter the device type to match.
  11. If you want the device to match an operating system, move the Operating System slider and enter the operating system to match.
  12. If you want the device to match a user, move the User slider and enter the user name to match.
  13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
  14. If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  15. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category device

set status enable

set mac <MAC_address>

set hw-vendor <hardware_vendor>

set type <device_type>

set family <device_family>

set os <operating_system>

set hw-version <hardware_version>

set sw-version <software_version>

set host <host_name>

set user <user_name>

set src <source>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select User for the category.
  7. Select which user group that devices must belong to.
  8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category user

set status enable

set user-group <name_of_user_group>

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

end

Creating an EMS-tag policy

An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient.

NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.

Before creating an EMS-tag policy on a managed FortiSwitch unit:

  1. In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
  2. In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
  3. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

    config endpoint-control fctems

    edit <ems_name>

    set server <ip_address>

    set certificate <string>

    next

    end

    For example:

    config endpoint-control fctems

    edit EMS_Server

    set server 1.2.3.4

    set certificate REMOTE_Cert_1

    next

    end

  4. In FortiOS, verify the EMS certificate. For example:

    execute fctems verify EMS_Server

  5. In FortiOS, check that the FortiGate unit and FortiClient are connected:

    diagnose user device get <FortiClient_MAC_address>

  6. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

    diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Select which FortiSwitch units to apply the NAC policy to or select All.
  6. Select EMS Tag for the category.
  7. Select which FortiClient EMS tag that devices must be assigned.
  8. If you want to assign a specific VLAN to a device with the specified EMS tag, select Assign VLAN and enter the VLAN identifier.
  9. If you want to assign port-level settings for devices with the specified EMS tag, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
  10. Select OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category ems-tag

set ems-tag <string>

set status enable

set switch-fortilink <FortiLink_interface>

set switch-scope <list_of_managed_FortiSwitch_serial_numbers>

set switch-auto-auth {enable | disable}

set switch-port-policy <switch_port_policy>

set switch-mac-policy <switch_mac_policy>

next

end

For example:

config user nac-policy

edit nac_policy_1

set category ems-tag

set ems-tag MAC_FCTEMS0000108427_Low

set switch-fortilink fortilink1

set switch-port-policy port_policy_1

next

end

Creating a port policy

You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.

config switch-controller port-policy

edit <port_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set lldp-profile <LLDP_profile>

set qos-policy <QoS_policy>

set 802-1x <802.1x_policy>

set vlan-policy <VLAN_policy>

set bounce-port-link {enable | disable}

next

end

For example:

config switch-controller port-policy

edit port_policy_1

set fortilink fortilink1

set vlan-policy vlan_policy_1

next

end

Creating a VLAN policy

You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.

config switch-controller vlan-policy

edit <VLAN_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set allowed-vlans <lists_of_VLAN_names>

set untagged-vlans <lists_of_VLAN_names>

set allowed-vlans-all {enable | disable}

set discard-mode {none | all-untagged | all-tagged}

next

end

For example:

config switch-controller vlan-policy

edit vlan_policy_1

set fortilink fortilink1

set vlan default

next

end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.

config switch-controller mac-policy

edit <MAC_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set traffic-policy <traffic_policy_name>

set count {enable | disable}

next

end

Viewing the devices that match the NAC policy

Using the GUI:
  1. Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
  2. Select View Matched Devices.
  3. Select Refresh to update the results.
Using the CLI:

To show known NAC devices with a known location that match a NAC policy:

diagnose switch-controller nac-device known

To show pending NAC devices with an unknown location that match a NAC policy:

diagnose switch-controller nac-device pending

Configuring IoT detection

Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of Things (IoT) devices. FortiOS stores and displays the identified devices. You can use the FortiOS CLI to configure the IoT detection.

Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than the iot-weight-threshold value, the MAC address is scanned. The default iot-weight-threshold value is 1. Set the iot-weight-threshold value to 0 to disable IoT detection.

You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 4,294,967,295 minutes. The default is a scan interval of 60 minutes. Every MAC address is scanned for a time interval of 60 minutes followed by 60 minutes during which it is not scanned. The start time of every MAC address's 60-minute scan interval is unique. Set the iot-scan-interval value to 0 to disable IoT detection.

A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes is 5. The range of values is 0 to 4,294,967,295 minutes. Set the iot-holdoff value to 0 to disable this setting.

If a MAC address entry's last-seen time is greater than the iot-mac-idle value, the MAC address entry is not considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to 4,294,967,295 minutes.

config switch-controller system

set iot-weight-threshold <0-4294967295>

set iot-scan-interval <2-4294967295>

set iot-holdoff <0-4294967295>

set iot-mac-idle <0-4294967295>

end
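How the four settings above interact for one MAC entry, as an added Python model rather than Fortinet code. It assumes that the scanned and not-scanned halves of each MAC address's cycle are both equal to iot-scan-interval (the page states this for the 60-minute default), that each MAC's cycle starts at its own offset, and that the checks are applied in the order shown; the MAC table and minute counters are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class IotSettings:
    """Values of config switch-controller system (defaults from the page)."""
    weight_threshold: int = 1   # iot-weight-threshold; 0 disables IoT detection
    scan_interval: int = 60     # iot-scan-interval in minutes; 0 disables IoT detection
    holdoff: int = 5            # iot-holdoff in minutes; 0 disables the holdoff
    mac_idle: int = 1440        # iot-mac-idle in minutes


@dataclass
class MacEntry:
    """A learned MAC entry. Times are constructed minute counters, not real data."""
    mac: str
    confidence: int     # confidence level already assigned to this MAC
    first_seen: int     # minute at which the FortiSwitch unit first detected the MAC
    last_seen: int      # minute at which the MAC was last seen
    scan_offset: int    # start of this MAC's scan cycle (assumption: any unique value)


def detection_enabled(s: IotSettings) -> bool:
    # Either iot-weight-threshold 0 or iot-scan-interval 0 disables IoT detection.
    return s.weight_threshold > 0 and s.scan_interval > 0


def in_scan_window(e: MacEntry, s: IotSettings, now: int) -> bool:
    # Assumption: scan_interval minutes scanned, then scan_interval minutes
    # not scanned, repeating from the MAC's own offset.
    return (now - e.scan_offset) % (2 * s.scan_interval) < s.scan_interval


def classify(e: MacEntry, s: IotSettings, now: int) -> str:
    """Return what happens to this MAC entry at minute `now`."""
    if not detection_enabled(s):
        return "disabled"
    if now - e.last_seen > s.mac_idle:
        return "idle"               # last seen too long ago; not considered
    if e.confidence >= s.weight_threshold:
        return "identified"         # confidence high enough; not scanned
    if not in_scan_window(e, s, now):
        return "waiting"            # in the not-scanned half of its cycle
    if s.holdoff and now - e.first_seen <= s.holdoff:
        return "holdoff"            # not detected for more than iot-holdoff minutes yet
    return "send-to-fortiguard"     # passed along for IoT identification


def pending_for_fortiguard(entries, s: IotSettings, now: int) -> list:
    return [e.mac for e in entries if classify(e, s, now) == "send-to-fortiguard"]


# Constructed sample MAC table, evaluated at minute 10000
NOW = 10000
SAMPLE = [
    MacEntry("00:11:22:33:44:01", 0, 9990, 10000, 0),    # seen 10 min, in window
    MacEntry("00:11:22:33:44:02", 0, 9997, 10000, 0),    # seen only 3 min
    MacEntry("00:11:22:33:44:03", 0, 9990, 10000, 50),   # cycle offset puts it off-window
    MacEntry("00:11:22:33:44:04", 0, 9990, 8000, 0),     # last seen 2000 min ago
    MacEntry("00:11:22:33:44:05", 3, 9990, 10000, 0),    # confidence already >= threshold
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.mac, classify(entry, IotSettings(), NOW))
    print(pending_for_fortiguard(SAMPLE, IotSettings(), NOW))
```

Raising iot-holdoff or lowering iot-mac-idle shrinks the set that reaches FortiGuard; setting either iot-weight-threshold or iot-scan-interval to 0 empties it entirely, which is the behaviour a reviewer should expect after those values are changed.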

Optimizing the FortiSwitch network

Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are automatically applied.

NOTE: The Security Rating feature is available only when VDOMs are disabled.

To optimize your FortiSwitch network:
  1. Go to Security Fabric > Security Rating.
  2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.
  3. Select the Optimization section.
  4. Under Failed, select + next to each item to see more details in the right pane.
  5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.