FortiLink Protocol Fundamentals
- FortiLink
- Fortinet proprietary protocol allowing FortiGate to discover, authorize, and centrally manage FortiSwitch units over Ethernet — extends Security Fabric to switch ports.
- FortiLink vs CAPWAP
- FortiLink manages FortiSwitch (wired switches); CAPWAP manages FortiAP (wireless APs). Both enable centralized FortiGate control but for different device types.
- FortiLink DHCP requirement
- A DHCP server MUST be enabled on the FortiLink interface so FortiSwitch can obtain an IP address during discovery — without DHCP, switches are never discovered.
- FortiSwitch authorization states
- After its first FortiLink connection a switch appears as Unauthorized — it must be explicitly authorized (or auto-authorization must be enabled) before it can be managed.
- Security policies and FortiLink
- Security policies on FortiGate control transit (user) traffic only — they do NOT affect FortiLink management traffic between FortiGate and managed switches.
- FortiLink interface config (CLI)
- Enable switch controller and create a FortiLink interface with an IP and DHCP server so managed FortiSwitch units can be discovered.
FortiSwitch Configuration CLI
- config system global set switch-controller enable end
- Enable the FortiGate switch controller — prerequisite before any FortiSwitch can be managed via FortiLink.
- config system interface edit "fortilink" set ip 172.16.16.254 255.255.255.0 set fortilink enable set auto-auth-extension-device enable next end
- Create a FortiLink interface; auto-auth-extension-device enables automatic FortiSwitch authorization on discovery.
- config switch-controller managed-switch edit <FortiSwitch_SN> set authorized enable next end
- Manually authorize a specific FortiSwitch unit by serial number in the switch controller (FortiOS 7.x uses 'authorized'; the old 'fsw-wan1-admin' parameter is deprecated).
- execute switch-controller get-conn-status <SN>
- Verify the connection health and status of a managed FortiSwitch by serial number.
- execute switch-controller diagnose-connection <SN>
- Run full FortiLink connectivity diagnostics against a specific managed FortiSwitch.
- diagnose switch-controller switch-info port-stats
- View per-port traffic statistics on managed FortiSwitch units from the FortiGate CLI.
- diagnose switch-controller switch-info mac-table
- Display the MAC address table of managed FortiSwitch units — useful for troubleshooting client connectivity.
VLAN Management on Managed FortiSwitch
- VLAN optimization
- Limits auto-generated ISL (inter-switch link) trunks to carry only user-defined VLANs instead of all VLANs 1–4093 — reduces unnecessary trunk traffic.
- Quarantine VLAN 4093
- Default quarantine VLAN on FortiGate-managed FortiSwitch units — automatically included on all FortiSwitch ports; compromised or non-compliant devices are moved here rather than disconnected.
- ISL trunk VLAN pruning
- Manually removing specific VLANs from inter-switch link trunks; distinct from VLAN optimization which restricts auto-generated trunks globally.
- Native VLAN vs allowed VLANs
- Native VLAN carries untagged frames on a trunk port; allowed VLANs lists which VLANs are permitted on the trunk — both are configured per-port from FortiGate.
- diagnose switch-controller switch-info trunk status
- Check trunk port configuration and status on managed FortiSwitch units including allowed VLANs.
- diagnose switch-controller switch-info stp
- Check Spanning Tree Protocol status on managed FortiSwitch — used to troubleshoot loop prevention and topology changes.
FortiAP and CAPWAP Wireless
- CAPWAP ports
- CAPWAP uses UDP 5246 (control plane) and UDP 5247 (data plane) — firewalls between FortiGate and FortiAP must allow both ports.
- Tunnel mode
- All wireless client traffic is encapsulated in a CAPWAP tunnel back to FortiGate for inspection — required when FortiGate security policies must inspect wireless traffic.
- Bridge mode
- Wireless traffic is bridged locally at the AP to the wired network — lower latency but traffic bypasses FortiGate inspection; use for performance-sensitive local SSIDs.
- Security Fabric Connection required
- FortiAPs only appear in the Security Fabric topology when connected to an interface with Security Fabric Connection enabled — missing this setting prevents AP onboarding.
- Wireless NAC: 2 VLANs required
- Wireless NAC requires at least two VLANs with Layer 3 settings (including DHCP): one onboarding VLAN and one or more target VLANs — without both, clients cannot be dynamically reassigned.
- diagnose wireless-controller wlac -c wtp
- List all wireless access points and their connection status from FortiGate — the primary command to verify AP discovery and state.
- diagnose wireless-controller wlac -c sta
- Display all currently connected wireless clients (stations) across all managed FortiAP devices.
- diagnose wireless-controller wlac -c vap
- Show virtual access point (SSID) configuration data as seen by the wireless controller.
RADIUS Authentication
- RADIUS ports
- RADIUS uses UDP 1812 for authentication and UDP 1813 for accounting — legacy ports 1645/1646 also exist but 1812/1813 are standard.
- config user radius edit "RADIUS-SRV" set server "192.168.1.10" set secret "SharedSecret" set radius-port 1812 set auth-type auto next end
- Configure a RADIUS server on FortiGate with server IP, shared secret, and authentication port.
- diagnose test authserver radius <server_name> pap <username> <password>
- Test RADIUS server connectivity and authenticate a user directly from the FortiGate CLI — essential for troubleshooting authentication failures.
- RADIUS shared secret mismatch
- A mismatched shared secret silently fails RADIUS authentication with no clear error message — always verify the secret matches exactly on both sides.
- Dynamic VLAN RADIUS attributes
- Three RADIUS attributes are required for dynamic VLAN assignment: Tunnel-Type (=VLAN/13), Tunnel-Medium-Type (=802/6), Tunnel-Private-Group-ID (=VLAN ID or name) — missing any one causes fallback to default VLAN.
LDAP Authentication
- LDAP ports
- Standard LDAP uses TCP 389 (cleartext); LDAPS (LDAP over TLS) uses TCP 636 (encrypted) — use 636 when encrypted LDAP communication is required.
- config user ldap edit "AD-LDAP" set server "192.168.1.20" set cnid "sAMAccountName" set dn "dc=corp,dc=local" set type regular set username "corp\\binduser" set password ENC <password> set port 389 next end
- Configure an LDAP server on FortiGate for Active Directory integration with regular bind type.
- LDAP bind types: simple vs regular vs anonymous
- Simple bind sends credentials in cleartext; regular bind uses bind DN credentials; anonymous bind requires no credentials — exam tests which to use for different security requirements.
- LDAPS (encrypted): set secure ldaps / set port 636
- Enable LDAPS by setting secure mode to ldaps and changing the port from 389 to 636 in the LDAP server configuration.
- diagnose test authserver ldap <server_name> <username> <password>
- Test LDAP server connectivity and validate user credentials from the FortiGate CLI.
- cnid (Common Name Identifier)
- The LDAP attribute used to identify users — use sAMAccountName for Active Directory, cn for OpenLDAP, or uid for some UNIX directories.
SSO: FSSO and RSSO
- FSSO (Fortinet Single Sign-On)
- Monitors Windows Active Directory domain controller logon events via DC Agent or polling — forwards user-to-IP mappings to FortiGate for transparent identity-based policy enforcement.
- RSSO (RADIUS Single Sign-On)
- FortiAuthenticator receives RADIUS accounting Start/Stop messages from network devices (wireless controllers, switches, VPN) and forwards user session info to FortiGate.
- FSSO vs RSSO trigger source
- FSSO is triggered by Windows AD logon events; RSSO is triggered by RADIUS accounting messages from network devices — exam tests knowing which to use based on infrastructure.
- diagnose debug authd fsso list
- Review current FSSO user authentication records and user-to-IP mappings as seen by the FortiGate.
- execute fsso refresh
- Manually synchronize the FSSO logged-on user list — use when users are not being identified after a domain logon.
- FortiAuthenticator dual role
- FortiAuthenticator can act as both a RADIUS server (authenticating users) AND as a RADIUS client receiving accounting messages for RSSO — do not confuse the two roles.
- config user fsso edit "FAC-FSSO" set server "192.168.1.30" set port 8000 set password ENC <password> next end
- Configure an FSSO agent connector on FortiGate pointing to a FortiAuthenticator or FSSO Collector Agent.
Two-Factor Authentication and Certificates
- FortiToken types
- FortiToken hardware (physical OTP token), FortiToken Mobile (smartphone app), email token, and SMS token — all deliver the second factor for 2FA.
- 2FA requires per-user FortiToken assignment
- Simply enabling 2FA globally is not sufficient — each user account must have a FortiToken explicitly associated with it in the user configuration.
- 2FA on FortiGate vs FortiAuthenticator
- FortiGate can handle 2FA directly for local users; FortiAuthenticator is used for 2FA when authenticating against RADIUS/LDAP backends or at larger scale.
- Certificate-based authentication
- Digital certificates used for user and device authentication; FortiAuthenticator can act as the Certificate Authority (CA) issuing and validating certificates.
- config user local edit "john" set two-factor fortitoken set fortitoken "FTKMOB..." set email-to "john@corp.com" next end
- Associate a FortiToken Mobile with a local user account to enable two-factor authentication on FortiGate.
Guest Portal and Captive Portal
- Guest portal VLAN isolation
- Guest users are placed in a dedicated guest VLAN with internet-only access — the guest VLAN must be isolated from production VLANs via firewall policy.
- Captive portal redirect mechanism
- Unauthenticated HTTP requests are intercepted and redirected to the captive portal page — HTTPS interception requires importing the FortiGate CA certificate on the client.
- Guest portal on FortiAuthenticator
- FortiAuthenticator can host a self-service guest portal where sponsors create temporary accounts; credentials can be delivered by SMS or email to the guest.
- config wireless-controller vap edit "guest-ssid" set security captive-portal set captive-portal-fw-accounting enable next end
- Configure a wireless SSID to use captive portal authentication — clients connect and are redirected to login before gaining network access.
FortiSwitch Port Security Features
- DHCP snooping
- Filters DHCP responses on untrusted ports — prevents rogue DHCP servers from assigning addresses; configured on managed FortiSwitch ports via FortiGate.
- Dynamic ARP Inspection (DAI)
- Validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing/poisoning attacks on managed FortiSwitch ports.
- IP source guard
- Restricts traffic on a port to only the IP/MAC address learned during DHCP — drops packets with spoofed source IPs on managed FortiSwitch ports.
- Storm control
- Limits broadcast, multicast, or unknown unicast traffic on FortiSwitch ports to prevent network storms — configured as packets-per-second threshold via FortiGate.
- config switch-controller security-policy local-access edit "port-sec" set mgmt-allowaccess https ssh next end
- Configure local access restrictions on managed FortiSwitch ports through the FortiGate switch controller security policy.
Network Access Control (NAC)
- 802.1X authentication roles
- Supplicant (endpoint software), Authenticator (FortiSwitch port), Authentication Server (RADIUS) — 802.1X requires a supplicant; devices without one must fall back to MAB.
- Authentication order: 802.1X → MAB → Captive Portal
- 802.1X is attempted first; if no supplicant responds MAB is tried; captive portal is the final fallback for web-based authentication — order matters on exam questions.
- MAC Authentication Bypass (MAB)
- Fallback for devices that cannot run 802.1X supplicants (printers, cameras, IoT) — the switch sends the device MAC address as both username and password to RADIUS.
- MAB MAC format
- By default MAB sends the MAC address in lowercase without separators (e.g., aabbccddeeff) — format must match what the RADIUS server expects or authentication fails.
- config user nac-policy edit "IoT-Policy" set category device set family "Cameras" set switch-fortilink "fortilink" set switch-mac-policy "vlan-assign" set switch-vlan 30 next end
- Create a NAC policy matching device category with VLAN assignment action on managed FortiSwitch ports.
- NAC policy evaluation order
- NAC policies are evaluated top-to-bottom; the first matching policy is applied — incorrect ordering is a common misconfiguration causing wrong VLAN assignment.
- Dynamic VLAN assignment
- RADIUS server returns VLAN attributes during authentication placing the user in a specific VLAN based on role — requires all three Tunnel attributes to function.
- VLAN pooling
- Multiple VLANs grouped into a pool; authenticated users distributed across VLANs using round-robin or hash to prevent broadcast domain overcrowding.
802.1X CLI Configuration
- config switch-controller security-policy 802-1X edit "dot1x-policy" set security-mode 802.1X set auth-order dot1x-MAB set mac-auth-bypass enable set guest-vlan enable set guest-vlanid 999 set auth-fail-vlan enable set auth-fail-vlanid 100 next end
- Create an 802.1X security policy with MAB fallback, guest VLAN, and auth-failure VLAN for managed FortiSwitch ports.
- auth-order dot1x-MAB
- Sets 802.1X as primary authentication with MAB as fallback — the correct order for environments with mixed 802.1X and non-802.1X devices.
- diagnose firewall auth list
- Display currently authenticated IPv4 user sessions on FortiGate — shows user, IP, authentication method, and expiry.
- diagnose firewall auth filter clear
- Clear authentication filters to show all authenticated users — use when diagnosing authentication policy enforcement.
- diagnose firewall dynamic list
- Show dynamic address groups and security posture tags — used to verify NAC policy matching and EMS tag assignments.
Security Fabric and FortiManager Integration
- Security Fabric root FortiGate
- A root FortiGate must be designated for the Security Fabric — without it, downstream FortiSwitch and FortiAP devices will not appear in the fabric topology.
- Zero-Touch Provisioning (ZTP)
- Devices connect to FortiManager and automatically receive pre-staged configurations without on-site manual setup — requires DNS and FortiGuard connectivity for device-to-FortiManager contact.
- FortiManager template deployment
- System templates, device templates, and CLI templates are pushed from FortiManager to managed devices for consistent multi-site configuration.
- FortiManager configuration drift
- FortiManager pushes configurations but does not lock them — local changes after deployment cause drift; the exam tests identifying this scenario.
- ADOM (Administrative Domain)
- FortiManager feature for multi-tenant management — each ADOM can have isolated administrators, policies, and devices with no cross-ADOM visibility.
- FortiAIOps
- AI-powered wireless monitoring tool providing anomaly detection and optimization recommendations — it does NOT automatically apply changes; administrators must implement suggestions manually.
- Firmware management via FortiManager
- FortiManager centrally manages firmware upgrades across FortiGate, FortiSwitch, and FortiAP devices with version compliance checking and scheduled upgrade windows.
Troubleshooting Commands Reference
- diagnose switch-controller switch-info lldp
- Check LLDP (Link Layer Discovery Protocol) data on managed FortiSwitch — shows neighbor device information for topology verification.
- diagnose switch-controller switch-info mclag
- Review multi-chassis link aggregation (MCLAG) information on managed FortiSwitch units — used for stacking and redundancy troubleshooting.
- diagnose wireless-controller wlac wtp_filter <SN>
- Troubleshoot a specific FortiAP by serial number — filters CAPWAP debug output to a single AP for focused diagnosis.
- diagnose wireless-controller wlac sta_filter <MAC> 255
- Focus wireless debugging on a specific client by MAC address — use value 255 for full verbosity when troubleshooting a client's CAPWAP behavior.
- cw_diag -c acs-chan-stats
- Run on the FortiAP CLI to check real-time CAPWAP connection status to the controller — confirms tunnel establishment from the AP side.
- cw_diag -c wtp-cfg
- Display current WTP (Wireless Termination Point) configuration parameters on the FortiAP CLI — confirms profile and settings pushed from FortiGate.
- diagnose endpoint ec-shm list
- Query endpoint compliance records including IP, MAC, and serial number — used to verify NAC/EMS tag matching for connected devices.