Additional capabilities

This chapter covers the following topics:

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command

edit <cmd-name>

set command " <FortiSwitch commands>"


Next, create a command file to set the STP max-age parameter:

config switch-controller custom-command

edit "stp-age-10"

set command "config switch stp setting

set max-age 10





Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:

exec switch-controller custom-command <cmd-name> <target-switch>


The following example runs the stp-age-10 command on the specified target FortiSwitch:


# exec switch-controller custom-command stp-age-10 S124DP3X15000118

Firmware upgrade management and compatible version information

You can view the current firmware version of a FortiSwitch and upgrade the FortiSwitch to a new firmware version. FortiGate will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate Web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller>Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

    To update the FortiSwitch firmware version:

  1. Click Update to open the Update Firmware panel.
  2. Click Select File. In the file chooser, click the image file and click Open.
  3. Click Upload and Reboot to install the new image and reboot the FortiSwitch.
Using the CLI

Use the following command to display the latest version:

diagnose fdsm fortisw-latest-ver <model>


Use the following command to download the image:

diagnose fdsm fortisw-download <image id>


The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D

FS224D - 3.4.2 b192 03004000FIMG0900904002FG100D3G15801204 (global) #


diagnose fdsm fortisw-download 03004000FIMG0900904002


Download image-03004000FIMG0900904002:



FortiSwitch log export

You can enable and disable the managed FortiSwitches to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to "fortiswitch-syslog” for each entry.

The following is the CLI command syntax:

config switch-controller switch-log

set status (*enable | disable)

set severity [emergency | alert | critical | error | warning | notification | *information | debug]



You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch

edit <switch-id>

config switch-log

set local-override enable


At this point, you can configure the log settings that apply to this specific switch.

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitches in one LAG.

config switch-controller managed-switch

edit <switch-id>

config ports

it <trunk name>

set type trunk

set mode < static | lacp > Link Aggregation mode

set bundle (enable | disable)

set min-bundle <int>

set max-bundle <int>

set members < port1 port2 ...>





Configuring an MCLAG with managed FortiSwitches

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitches using an MCLAG and Standalone FortiGate with dual-homed FortiSwitch access .


  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitches:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:


    config switch trunk

    edit "LAG-member"

    set mode lacp-active

    set mclag-icl enable

    set members "<port>" "<port>"



  2. Enable the MCLAG on each managed FortiSwitch:


    config switch-controller managed-switch

    edit "<switch-id>"

    config ports

    edit "<trunk name>"

    set type trunk

    set mode {static | lacp-passive | lacp-active}

    set bundle {enable | disable}

    set members "<port>,<port>"

    set mclag {enable | disable}





  3. Log into each managed FortiSwitch to check the MCLAG configuration:


    diagnose switch mclag


After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller storm-control

set rate <rate>

set unknown-unicast (enable | disable)

set unknown-multicast (enable | disable)

set broadcast (enable | disable)



You can override the global storm control settings for a FortiSwitch using the following commands:

config switch-controller managed-switch

edit <switch-id>

config storm-control

set local-override enable


At this point, you can configure the storm control settings that apply to this specific switch.

Displaying port statistics

Port statistics will be accessed using the following FortiSwitch CLI command:

FG100D3G15804763 # diagnose switch-controller dump port-stats

S124DP3X16000413 port8

S124DP3X16000413 0 :



























Configuring QoS with managed FortiSwitches

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

FortiGate does not support QoS for hard or soft switch ports.

FortiSwitch supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitches:

  1. Configure a Dot1p map.

    A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

    NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.


    config switch-controller qos dot1p-map

    edit <Dot1p map name>

    set description <text>

    set priority-0 <queue number>

    set priority-1 <queue number>

    set priority-2 <queue number>

    set priority-3 <queue number>

    set priority-4 <queue number>

    set priority-5 <queue number>

    set priority-6 <queue number>

    set priority-7 <queue number>




  2. Configure a DSCP map.

    A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
    • network-control—Network control
    • internetwork-control—Internetwork control
    • critic-ecp—Critic and emergency call processing (ECP)
    • flashoverride—Flash override
    • flash—Flash
    • immediate—Immediate
    • priority—Priority
    • routine—Routine


    config switch-controller qos ip-dscp-map

    edit <DSCP map name>

    set description <text>

    configure map <map_name>

    edit <entry name>

    set cos-queue <COS queue number>

    set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}

    set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}

    set value <DSCP raw value>





  3. Configure the egress QoS policy.

    In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
    • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
    • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
    • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.


    config switch-controller qos queue-policy

    edit <QoS egress policy name>

    set schedule {strict | round-robin | weighted}

    config cos-queue

    edit [queue-<number>]

    set description <text>

    set min-rate <rate in kbps>

    set max-rate <rate in kbps>

    set drop-policy {taildrop | random-early-detection}

    set weight <weight value>






  4. Configure the overall policy that will be applied to the switch ports.


    config switch-controller qos qos-policy

    edit <QoS egress policy name>

    set default-cos <default CoS value 0-7>

    set trust-dot1p-map <Dot1p map name>

    set trust-ip-dscp-map <DSCP map name>

    set queue-policy <queue policy name>




  5. Configure each switch port.


    config switch-controller managed-switch

    edit <switch-id>

    config ports

    edit <port>

    set qos-policy <CoS policy>