Description
This article describes how to avoid the 'Lockdown LLDP Profile' error for FortiSwitch under Security Rating on the FortiGate GUI.
Scope
FortiSwitch, FortiGate.
Solution
In the Security Rating section of the FortiGate GUI, an error or warning appears related to 'Lockdown LLDP Profile' for FortiSwitch. This occurs when LLDP (Link Layer Discovery Protocol) profiles are not properly restricted on the managed switch ports, which can allow the network topology to grow accidentally.
By default, the lldp-profile 'default-auto-isl' is assigned to all the ports. Make sure to change the profile to the 'default' profile on all the edge ports. The current profile of a port can be checked with:
config switch-controller managed-switch
    edit S248EFXXXXXX
        config ports
(ports) # edit port3
(port3) # sh full
Once this change is done, the security rating check will be set to 'passed'.
The same change can also be applied with the following command on the FortiGate:
diagnose switch-controller switch-recommendation lock-down-topo-lldp-profile <fortilink interface name> <Serial number of the FortiSwitch>
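The following FortiOS CLI session shows the manual change described above applied to two edge ports. It is an added illustration, not part of the original article: S248EFXXXXXX is the serial-number placeholder used on this page, and port3 and port4 are assumed to be edge ports (ports that carry an inter-switch link keep 'default-auto-isl').

```fortios
# Added example, not from the original article.
# S248EFXXXXXX = managed FortiSwitch serial (placeholder from this page).
# port3 and port4 = assumed edge ports; do not change ports that form ISLs.
config switch-controller managed-switch
    edit S248EFXXXXXX
        config ports
            edit port3
                set lldp-profile default
            next
            edit port4
                set lldp-profile default
            next
        end
    next
end

# Verify the result on one of the edge ports; the output should now show
# "set lldp-profile default" instead of "set lldp-profile default-auto-isl".
config switch-controller managed-switch
    edit S248EFXXXXXX
        config ports
            edit port3
                show full-configuration
```

Only ports that face end devices should receive the 'default' profile; the Security Rating check is satisfied once no edge port is left on 'default-auto-isl', which is also what the 'diagnose switch-controller switch-recommendation lock-down-topo-lldp-profile' command above does automatically.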
Related article: Technical Tip: Enable lock-down-topo-lldp-profile on managed FortiSwitches
Copyright 2025 Fortinet, Inc. All Rights Reserved.