• Disable auto-network: FortiSwitch will send FortiLink packets by default, attempting to find a FortiGate where it can be controlled. This behavior can be modified with the following commands:

config switch auto-network
    set status disable
end

• Change the LLDP profile from 'default-auto-isl' to default on physical ports: By default, FortiSwitch has configured the LLDP profile 'default-auto-isl' on all physical ports. The intention is that when connecting to a new FortiSwitch, it negotiates its LAG trunk. This behavior is not expected in standalone mode, so it is a good practice to change the LLDP profile on all physical ports. It is possible to use the 'default' LLDP profile instead.

This is an example of how to change it:

config switch physical-port
    edit "port1"
        set lldp-profile "default"
    next

end

Another way to do this in the badge for all FortiSwitches on a FortiLink interface is by following this article: Technical Tip: Enable lock-down-topo-lldp-profile on managed FortiSwitches.

• Do not allow all VLANs on trunks: It is a generally good practice to only allow the VLANs that need to cross to any other switch. This is the command needed to limit the VLANs on the trunk interface

config switch interface
    edit "Trunk1"
        set allowed-vlans 10,20,40,99
    next
end

• Disable auto discovery FortiLink: FortiSwitch could still send broadcast packets to try to find any Switch controller. This behavior can be disabled with the following commands

config switch global

    set auto-fortilink-discovery disable

end