gvenkatesan
Staff
Article Id 376072
Description This article explains how to get the FortiSwitch online on FortiGate.
Scope FortiLink and FortiSwitch v7.0.x, v7.2.x and v7.4.x.
Solution

Log in to the FortiSwitch that is currently offline using the serial console cable if SSH access via the switch IP is not possible.

 

For the serial console settings, refer to the Quick Start guides for the respective FortiSwitches from this link: Hardware Guides

 

To find the last known IP address of the FortiSwitch, use the command shown below on the FortiGate:

 

execute dhcp lease-list <Fortilink interface name>

 

 

  1. Check the switch management mode:

 

config switch auto-network

    set status enable

end

 

Starting from FortiSwitch v7.2.0, auto-network is enabled by default. To configure the FortiSwitch in standalone mode, keep this option disabled.

 

  2. Check the trunk summary:

 

diag switch trunk summary

 

  • See if the trunk interface is up. If the trunk interface is not up, perform the following checks:
  • All switch ports that connect to the FortiLink interface on the FortiGate must be configured with the 'default-auto-isl' LLDP profile.

 

FortiGate: 

 

config switch-controller managed-switch

    edit <switch serial or name>

        config ports

            edit portxx

                set lldp-profile default-auto-isl

            next

        end

    end

 

FortiSwitch:

 

config switch physical-port

    edit portxx

        set lldp-profile default-auto-isl

    next

end

 

Make sure that the configuration between the FortiGate and FortiSwitch is consistent.
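
A consistency check for the LLDP profile settings above, as an added example that is not part of the original article or of any Fortinet tooling: it parses the two config layouts shown in this step and reports every port whose profile is not default-auto-isl on either side. The switch name, port numbers and the non-matching value are constructed sample data, and the function names are hypothetical; pass it only the stanzas for the FortiLink-facing ports.

```python
PORT_TABLES = ("ports", "switch physical-port")  # config tables that hold port entries

def port_profiles(config_text):
    """Map port name -> lldp-profile from config text in the layout shown above."""
    profiles, stack = {}, []  # stack holds the currently open config/edit blocks
    for raw in config_text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        word, rest = word.lower(), rest.strip().strip('"')
        if word in ("config", "edit"):
            stack.append((word, rest))
        elif word == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif word == "end":  # closes the innermost config and any edit still open in it
            while stack and stack.pop()[0] == "edit":
                pass
        elif word == "set" and rest.startswith("lldp-profile ") and len(stack) >= 2:
            (kind, port), (pkind, parent) = stack[-1], stack[-2]
            if kind == "edit" and pkind == "config" and parent in PORT_TABLES:
                profiles[port] = rest.split(None, 1)[1].strip('"')
    return profiles

def lldp_mismatches(fgt_text, fsw_text, expected="default-auto-isl"):
    """List (port, FortiGate value, FortiSwitch value) where either side is not `expected`."""
    fgt, fsw = port_profiles(fgt_text), port_profiles(fsw_text)
    return [(p, fgt.get(p), fsw.get(p)) for p in sorted(set(fgt) | set(fsw))
            if fgt.get(p) != expected or fsw.get(p) != expected]

# Constructed sample input (switch name, port numbers and values are made up).
FGT_SAMPLE = """config switch-controller managed-switch
    edit "FSW-EXAMPLE-01"
        config ports
            edit "port23"
                set lldp-profile default-auto-isl
            next
            edit "port24"
                set lldp-profile default-auto-isl
            next
        end
    next
end"""
FSW_SAMPLE = """config switch physical-port
    edit "port23"
        set lldp-profile default-auto-isl
    next
    edit "port24"
        set lldp-profile default
    next
end"""
print(lldp_mismatches(FGT_SAMPLE, FSW_SAMPLE))
```

A port that appears on only one side is reported with `None` for the missing side.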

 

 

  3. Check the system interface IP:
  • The IP address assignment for the 'internal' interface is important because the switch negotiates the CAPWAP session using the 'internal' interface IP address.
  • To check the IP address assignment, use the command shown below:

 

get system interface

 

If there is no valid IP present for the internal interface, check the VLAN configurations as shown below:

 

config switch interface

    edit internal

        show full

    next

    edit <trunk interface>

        show full

    next

end

 

  • The native VLAN should be 4094 for both of these interfaces. By default, the FortiSwitch initiates the CAPWAP traffic as well as FortiLink traffic via VLAN 4094. 
  • After checking these details, try to renew the IP address using the command:

 

execute interface dhcp-client-renew internal

 

  4. Check the time on FortiSwitch and FortiGate:
  • The date and time on the FortiSwitch and FortiGate must be the same. If they differ, the CAPWAP negotiation will fail due to the time and date mismatch.
  • To verify the date and time use the commands shown below (the commands for checking time and date are the same for both FortiSwitch and FortiGate).

 

execute time

execute date

 

If the time and date on the FortiSwitch are different from those on the FortiGate, manually set the time and date as shown below:

 

execute time <hh:mm:ss>

execute date <yyyy-mm-dd>

 

This step resolves the time difference between the FortiGate and the FortiSwitch, so the CAPWAP negotiation will succeed as expected.