| Refer to the link below for configuring DPP: Configuring dynamic port policy rules.

In the example below, DPP is configured for the laptop's MAC address, so when the rule matches, the laptop is assigned the 802.1X policy:

```
config switch-controller dynamic-port-policy
    edit "Laptop_DPP"
        set fortilink "fortilink"
        config policy
            edit "Laptop_8021x"
                set match-type override
                set mac "a0:29:19:**:**:**"
                set 802-1x "802-1X-policy-default"
            next
        end
    next
end
```

```
FortiGate # config switch-controller managed-switch
FortiGate(managed-switch) # edit access3
FortiGate(access3) # config ports
FortiGate(ports) # edit port4
FortiGate(port4) # show
config ports
    edit "port4"
        set access-mode dynamic
        set port-policy "Laptop_DPP"
    next
end
```

Laptop 'a0:29:19:b5:98:20' is connected to FortiSwitch 'access3' on port4.

- Enable the application debug on the FortiGate and connect the laptop:
```
diagnose debug application flpold -1
diagnose debug console timestamp enable
diagnose debug enable
```

```
426s:537ms:157us flpol_process_ipc_mac_sync_msg[519]:vfid 0 sw access3 mac a0:29:19:b5:98:20 vlan 1 action 1 intf port4 count 1 i 0
426s:537ms:210us flpol_mac_cache_search[397]:a0:29:19:b5:98:20 in vlan 1 not found
426s:537ms:262us flpol_mac_cache_add[440]:New MAC added a0:29:19:b5:98:20 vlan 1 interface port4
434s:141ms:332us flpol_process_ipc_mac_sync_msg[519]:vfid 0 sw access3 mac a0:29:19:b5:98:20 vlan 1 action 2 intf port4 count 1 i 0
434s:141ms:387us flpol_mac_cache_del[480]:aging mac a0:29:19:b5:98:20 in vlan 1 on interface port4
436s:356ms:868us __mac_cache_link_chg[65]:Inactive tmr started for mac a0:29:19:b5:98:20 vlan 1 intf port4 on link down
446s:420ms:692us flpol_process_ipc_mac_sync_msg[519]:vfid 0 sw access3 mac a0:29:19:b5:98:20 vlan 1 action 1 intf port4 count 1 i 0
446s:420ms:749us flpol_mac_cache_add[440]:New MAC added a0:29:19:b5:98:20 vlan 1 interface port4
446s:954ms:116us flpold_dpp_check_device_store_dev_match[1731]:vfid=0 mac_count=1 mac=a0:29:19:b5:98:20 match=1
446s:954ms:182us flpol_dpp_check_mac_exists_in_mac_cache[664]:all: ret=1 vfid=0 sw=access3 mac=a0:29:19:b5:98:20 port=port4 vlan=0 last_seen=0x0
446s:954ms:237us flpol_run_dpp_engine[981]:mac=a0:29:19:b5:98:20 is located on switch=access3 port=port4 ret=1
446s:954ms:523us flpol_run_dpp_engine[1031]:MAC a0:29:19:b5:98:20 located in
447s:960ms:352us flpol_update_bounce_in_progress[739]:increament sw=access3 port=port4 bounce_in_progress=22
```

To disable debug:

```
diagnose debug disable
diagnose debug reset
```

- Collect the logs below from FortiGate:
```
diagnose switch-controller mac-device cache
VFID  SWITCH   MAC-ADDRESS        VLAN  CREATION(secs ago)  LAST-SEEN(secs ago)  INTERFACE
0     access3  a0:29:19:b5:98:20  1     40                  0                    port4

diagnose switch-controller mac-device dynamic
MAC                LAST-KNOWN-SWITCH  LAST-KNOWN-PORT  DYNAMIC-PORT-POLICY  POLICY        LAST-SEEN(sec)  OVERRIDE(min)  COMMENTS
a0:29:19:b5:98:20  access3            port4            Laptop_DPP           Laptop_8021x  0               0              auto detected @ 2026-03-24 11:02:45

diagnose switch-controller mac-cache show
managed-switch: access3 vfid: 0
running-clients:
VLANID  PORTID  MAC                LAST SEEN(secs ago)  INTF-NAME
1       4       a0:29:19:b5:98:20  7                    port4

diagnose user-device-store device memory list
Record #12:
    device_info
        'ipv4_address' = '192.168.1.100'
        'mac' = 'a0:29:19:b5:98:20'
        'hardware_vendor' = 'Dell'
        'vdom' = 'root'
        'os_name' = 'Windows'

diagnose user device list
vd root/0 a0:29:19:b5:98:20 gen 135 scan off
    created 1133s gen 103 seen 4s _default gen 19
    ip 192.168.1.100 src llmnr
```

- Additional outputs from FortiGate:
```
diagnose debug crashlog read
execute switch-controller get-conn-status
execute switch-controller get-sync-status all
execute switch-controller diagnose-connection
```

- Collect the outputs below from FortiSwitch CLI:
```
diagnose debug report
show full-config
diagnose debug crashlog read
```

- Capture a snippet of the topology view of the Managed FortiSwitches under FortiGate GUI -> WiFi & Switch Controller -> Managed FortiSwitches -> Topology.
- FortiGate configuration backup.
|
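The flpold debug output above can be triaged offline once it is saved to a file. The following is an added example, not part of the original article or any Fortinet tooling: it builds a per-MAC timeline from the debug lines and checks whether a DPP match was followed by a port bounce. The function names `timeline` and `dpp_applied` and the event labels are this example's own reading of the flpold function names (an assumption); the sample lines are copied from the output above.

```python
import re

# Sample input: lines copied from the flpold debug output in this article.
SAMPLE = """\
426s:537ms:262us flpol_mac_cache_add[440]:New MAC added a0:29:19:b5:98:20 vlan 1 interface port4
434s:141ms:387us flpol_mac_cache_del[480]:aging mac a0:29:19:b5:98:20 in vlan 1 on interface port4
436s:356ms:868us __mac_cache_link_chg[65]:Inactive tmr started for mac a0:29:19:b5:98:20 vlan 1 intf port4 on link down
446s:420ms:749us flpol_mac_cache_add[440]:New MAC added a0:29:19:b5:98:20 vlan 1 interface port4
446s:954ms:116us flpold_dpp_check_device_store_dev_match[1731]:vfid=0 mac_count=1 mac=a0:29:19:b5:98:20 match=1
446s:954ms:237us flpol_run_dpp_engine[981]:mac=a0:29:19:b5:98:20 is located on switch=access3 port=port4 ret=1
447s:960ms:352us flpol_update_bounce_in_progress[739]:increament sw=access3 port=port4 bounce_in_progress=22
"""

LINE = re.compile(r"^(\d+)s:(\d+)ms:(\d+)us (\w+)\[\d+\]:(.*)$")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
EVENTS = {  # flpold function name -> event label (labels are assumptions of this example)
    "flpol_mac_cache_add": "learned",
    "flpol_mac_cache_del": "aged_out",
    "__mac_cache_link_chg": "link_down",
    "flpold_dpp_check_device_store_dev_match": "dpp_match",
    "flpol_run_dpp_engine": "located",
    "flpol_update_bounce_in_progress": "port_bounce",
}

def timeline(text, mac):
    """Return [(seconds, event, port)] for `mac`; bounce lines carry no MAC and are tied in by port."""
    out, port = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) not in EVENTS:
            continue
        secs, ms, us, func, body = m.groups()
        event, found = EVENTS[func], MAC.search(body)
        p = re.search(r"\b(?:port=|intf |interface )(\S+)", body)
        if found:
            if found.group(0).lower() != mac.lower():
                continue  # line belongs to another device
            if event == "dpp_match" and "match=1" not in body:
                event = "dpp_no_match"
            port = p.group(1) if p else port
        elif not (event == "port_bounce" and p and p.group(1) == port):
            continue  # MAC-less line that is not a bounce on this device's port
        out.append((int(secs) + int(ms) / 1e3 + int(us) / 1e6, event, port))
    return out

def dpp_applied(events):
    """True when a DPP match for the MAC is followed by a bounce of its port."""
    names = [e for _, e, _ in events]
    return "dpp_match" in names and "port_bounce" in names[names.index("dpp_match"):]
```

A timeline that shows `learned` but never `dpp_match`, or `dpp_match` without a later `port_bounce`, points to where the outputs collected above should be compared.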