FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
laltuzar
Staff
Article Id 301691
Description

This article describes how to apply a switch-controller recommendation through the FortiGate CLI that locks down the current FortiSwitch topology. The recommendation prevents additional FortiSwitches from being connected to the network and changing the topology.

 

New FortiSwitches can still be connected physically, but since they will not negotiate FortiLink, they will be treated as standalone devices.

Scope

FortiOS 7.2 or above.
Solution
  1. Check that, by default, all FortiSwitches have their LLDP profile set to 'default-auto-isl'. Among other things, this profile allows the FortiSwitches to recognize each other and negotiate an automatic ISL link between them (a FortiLink).

 

Screenshot: Default settings LLDP profile

 

  2. Note that when checking the configuration of the ports on the managed switch through the FortiGate CLI, no lldp-profile configuration will be shown unless it was already changed by someone or something. Remember that default settings usually do not appear in the output of 'show' commands on Fortinet devices.

    As can be seen in this screenshot, only port 8 has an lldp-profile configuration different from the default: it is set to 'default'.

 

Screenshot: CLI default settings

 

  3. Go to the FortiGate CLI and execute the following command:

diagnose switch-controller switch-recommendation lock-down-topo-lldp-profile <fortilink interface name> <Serial number of the FortiSwitch>

 

Screenshot: Command

 

  4. After executing this command, the message 'Output message: Successful operation' should be seen.

  5. Then, after refreshing the FortiSwitch Ports page on the FortiGate, all of the ports will show 'default' as their LLDP profile.

 

Screenshot: After the recommendation command

 

Optional: Apply the same command from step 3 to other switches to lock down the current topology.

 

Next time a new FortiSwitch gets connected to any of the currently managed FortiSwitch ports, it will not negotiate FortiLink. It will be treated as a standalone switch, or as any other vendor switch.
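To verify that the lock-down actually took effect on every port, an operator can audit the CLI output of 'show switch-controller managed-switch' rather than trusting the GUI alone. The following added example (not Fortinet's code, nor part of the original article) parses a constructed sample of that output and lists the ports that still carry the factory default 'default-auto-isl' profile, i.e. ports on which a newly attached FortiSwitch would still negotiate FortiLink. It relies on the behaviour described above: FortiOS omits default values from 'show' output, so a port with no 'set lldp-profile' line is still on 'default-auto-isl'. The switch serial number in the sample is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample of 'show switch-controller managed-switch' output.
# The serial number is a placeholder, not a real device. port1 carries no
# lldp-profile line (so it is still on the factory default 'default-auto-isl');
# port2 and port8 have already been locked down to 'default'.
SAMPLE_SHOW_OUTPUT = """\
config switch-controller managed-switch
    edit "S124DPXXXXXXXXXX"
        config ports
            edit "port1"
                set vlan "default"
            next
            edit "port2"
                set vlan "default"
                set lldp-profile "default"
            next
            edit "port8"
                set lldp-profile "default"
            next
        end
    next
end
"""

# Factory default profile: lets FortiSwitches negotiate an automatic ISL (FortiLink).
DEFAULT_LLDP_PROFILE = "default-auto-isl"
# Profile the lock-down recommendation applies to every port.
LOCKED_DOWN_PROFILE = "default"

_SET_LLDP_RE = re.compile(r'^set lldp-profile\s+"?([^"\s]+)"?$')


def parse_port_lldp_profiles(show_output: str) -> Dict[str, Dict[str, str]]:
    """Map each managed-switch serial to {port: effective lldp-profile}.

    Ports without a 'set lldp-profile' line are reported with the factory
    default, because FortiOS does not print default values in 'show' output.
    """
    profiles: Dict[str, Dict[str, str]] = {}
    current_switch = None
    current_port = None
    in_ports = False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config ports":
            in_ports = True
        elif line == "end" and in_ports:
            in_ports = False
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            if in_ports and current_switch is not None:
                current_port = name
                profiles[current_switch][name] = DEFAULT_LLDP_PROFILE
            else:
                current_switch = name
                profiles[name] = {}
        elif line == "next":
            if in_ports:
                current_port = None
            else:
                current_switch = None
        elif current_port is not None:
            match = _SET_LLDP_RE.match(line)
            if match:
                profiles[current_switch][current_port] = match.group(1)
    return profiles


def find_unlocked_ports(profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Ports still on 'default-auto-isl', i.e. ports that would negotiate FortiLink."""
    unlocked: Dict[str, List[str]] = {}
    for serial, ports in profiles.items():
        remaining = [p for p, prof in ports.items() if prof == DEFAULT_LLDP_PROFILE]
        if remaining:
            unlocked[serial] = remaining
    return unlocked


def audit_report(show_output: str) -> List[str]:
    """One human-readable line per switch that is not fully locked down."""
    report = []
    for serial, ports in find_unlocked_ports(parse_port_lldp_profiles(show_output)).items():
        report.append(f"{serial}: not locked down on {', '.join(ports)}")
    return report


if __name__ == "__main__":
    for entry in audit_report(SAMPLE_SHOW_OUTPUT) or ["all ports locked down"]:
        print(entry)
```

Run it against the saved output of the 'show' command on the FortiGate; an empty report means every port on every managed switch has been moved off 'default-auto-isl'. Re-running the audit after adding or replacing a switch is a simple way to catch a port that silently fell back to the auto-ISL default.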
