fortigate interface configuration cli

2. You must have read-write permission for system settings. - if you configure an HA management interface, this interface is technically considered to be in a different (hidden) VLAN, -> the HA management interface does NOT use the same routing table/local-in policies/other interface configuration you may have in place, -> setting the gateway in the management interface (this is in the HA configuration; worded a bit confusingly, I agree) essentially tells the FortiGate what gateway to use for traffic from the HA interface, -> this can be with specified subnets (FortiGate will have routes to the subnets via the HA management interface and defined gateway), or essentially a default route via the HA interface; these settings (gateway/specified subnets) are only used for HA management traffic. If you have an existing subnet/VLAN dedicated to device management, for example, you might want to put the FortiGate HA interfaces into this. Reset the FortiSwitch to factory default settings with the execute factoryreset. You use the HA node secondary IP list configuration if the interfaces of the nodes in an HA active-active deployment are configured with secondary IP addresses. Name used to identify the CLI configuration. I basically have the cabling already as described. Before you begin: You must have read-write permission for system settings. Double-click the row for a physical interface to Then there is "set ha-direct enable" option but no good explanation, what is this and for what purpose is it needed. Indicates success or failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI. Allow inbound service traffic. VLAN: A logical interface you create to VLAN subinterfaces on a single physical interface. Please could someone tell me if there is a single CLI command to display the entire FortiGate configuration and will create the same output as Backing up the configuration via the GUI? Thank you for the explanation.
Two network interfaces cannot have IP addresses on the same subnet (i.e. Note that by using both Set and Undo, the CLI configurations do not become cumulative on the device. This section describes how to configure FortiLink using the FortiGate CLI. When it receives an ECHO_REQUEST (ping), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or pong). All FortiSwitch units within an FSI must be connected to the same FortiGate unit. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands. I made a test: changed the network of the currently overlapping VLAN interface to something else so the four devices (2 different HA-clusters) have their own IP's and the main FGT cluster does not have it as an interface anymore. Enable inbound service traffic on the IP address for the specified services. But thank you for the hint! the network device sends interface counters. We recommend this option instead of HTTP. HTTP: Enables connections to the web UI. Copyright 2023 Fortinet, Inc. All Rights Reserved. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error). If you assign multiple IP addresses to an interface, you must assign them static addresses. See Configuration in use. We recommend you maintain the default. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector. If required, remove port 1 from the lan interface: Configure port 1 as the FortiLink interface: Authorize the FortiSwitch unit as a managed switch.
NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. A FortiGate VDOM, or Virtual Domain, splits a FortiGate device into multiple virtual devices. When the appliance is in standalone mode, it uses the physical port IP address; when it is in HA mode, it uses the HA node IP address. In my case I don't want to have a separate FGT for management. I have to think about it, what would it mean in our environment to use that routing and what else needs to be configured then. User name of the last user to modify the configuration. See Add an administrator profile. - another of the FortiGate interfaces could serve as gateway to the management subnet, if the FortiGate should also function as router between the management subnet and other subnets. So to get the mgmt working, the "gateway" in HA mgmt config seems to be not necessary (unusable for that purpose). - FortiGate would have WAN interfaces and LAN interfaces in 192.168.0.0 subnet (and serve as gateway between them) - FortiGate would have dedicated HA Via CLI : To add a Physical interface to software switch #config system switch-interface config switch-controller global set allow-multiple-interfaces {enable | disable}. Syntax config system After upgrading to 6.4 I see that something has changed. Is it possible to remove the fortilink interface setting on a Fortigate 40F and add it to the hardware switch like interfaces 1-3 are by default? That is very important to have such to see exactly what happens with booting one of the members. For ha-direct, I understood now, thank you. Yes, we have switches that can route but we haven't used those switches for routing to keep the whole design as simple as possible. All switch ports must remain in standalone mode.
Basic Fortigate configuration with CLI commands. Thanks. You use the HA node IP list configuration in an HA active-active deployment. -> to continue the example from above: port1 on FortiGate is LAN interface, with 192.168.0.254/24, wan1 is WAN interface with a public IP, port2 is HA management interface with 10.0.0.101/24 and 10.0.0.102 on the other node, and port3 is the gateway for that management subnet with 10.0.0.254/24 (other switches/routers/etc could also have their management IPs in 10.0.0.0/24 subnet, and FortiGate would serve as gateway to those management interfaces, including the cluster nodes' own interfaces) -> cabling would be something like: port2 (HA management) on both FortiGates go to a switch, and from that switch would go back to port3 (gateway for management subnet) on the FortiGates. VLAN ID of packets that belong to this VLAN. It looks like this is not the case that HA mgmt interfaces are completely isolated from everything else: if they were, I wouldn't get the warning about overlapping subnet with an existing VLAN interface in one of the VDOMs (root in my case). Valid types are: http https ping ssh telnet. Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. That showed that the traffic went to wrong VLAN, to the one the gateway of which I specified in the HA mgmt config. Hardware switch is supported on some FortiGate models. To configure a network interface: Go to Networking > Interface. Also a terminal server(s) is necessary to access each console port when it doesn't even boot up correctly, unless all of them are locally located. 3. Description: Configure software switch interfaces by grouping physical and WiFi interfaces. The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.0.5 and reformatting the resultant CLI output. SSH: Enables SSH connections to the CLI. Technical Tip: Verify configuration in CLI.
See, Apply specific CLI configurations for roles. The CLI configuration window allows you to create individual sets of commands, name them and then reuse them as needed to control ports, VLANs or host access to the network. Thank you for an idea, I didn't think about switches when you first mentioned them. The IP address cannot be on the same subnet as any other interface. In the following procedure, port 4 and port 5 are configured as a FortiLink LAG. " what gateway to use for traffic from the HA interface". HTTPS: Enables secure connections to the web UI. config system console That other was even a VLAN, not ssw or another physical. - port2 and IP 10.11.101.100 are a shared (non-HA-mgmt) interface, like the LAN interface of the FortiGate (and port1, 172.20.120.141, would be the shared WAN interface), -> in an active/passive setup, the primary FortiGate would respond on those two interfaces, port1 and port2, and the secondary would NOT, - port8 is the HA management interface, with unique IPs for each FortiGate (in this case, as an overlapping subnet to port2, but this is not required!). So is that "gateway" in ha mgmt config (seen above) ALSO used for getting access to those IP-s? It should have been like 10.0.0.96/28, then GW on the switch side is .110 so that each device can take 101-104. Won't be using a Fortiswitch, so it's just a burned port at this point. In this configuration I could manage every one of the four devices separately and this has been useful and needed to get the HA fixed when it has broken sometimes.
Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default). Indicates whether or not the configuration of the scheduled task was successful. This example shows how to set the FortiDB port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh. Use configuration commands to configure and manage a FortiGate unit from the command line interface (CLI). You can either use DHCP discovery or static discovery. I guess that even if instead of a VLAN I'd have port3 for that purpose as in the above description (10.0.0.254), I'd get the same error in GUI when adding the IP to mgmt1 that it is overlapping with the network on port3. Be sure to group devices with common CLI capabilities. The default is 0. LCP echo interval in seconds. CLI commands are applied to the device exactly as they are created. The whole HA interface setup here is to have a dedicated management port with its own IP and subnet, completely independent of whatever other infrastructure you might have. Run below commands to display the For example, if this interface uses a DSL connection to the Internet, your ISP may require this option. A random IP in the same network which doesn't even have to exist? The do and undo command combination is sometimes referred to as Flex-CLI. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address. NOTE: Only the first FortiLink interface has GUI support. The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x. If you are editing the configuration for a physical interface, you cannot set the type. SNMP: Enables SNMP queries to this network interface. When a CLI configuration is applied, the commands contained within it are sent to the selected network device.
Also, there is no explanation of how the 10.11.101.100 works in that diagram that is common to both units and that is used to configure the new separate addresses for units. The NTP server must be reachable from the FortiSwitch unit. Will that get stuck? I can't believe that I should have another (small) FGT for that which operates as the gateway to that mgmt network. Opens the CLI window and displays all of the commands in the Set and Undo sections of the configuration. Connect to a FortiAnalyzer interface that is configured for SSH connections. See. The following reference models were used to create this CLI reference: The command branches are in alphabetical order. The config system interface command allows you to edit the configuration of a FortiDB network interface. edit set vdom {string} set span-dest-port {string} set span-source set allowaccess {http https ping ssh telnet}. Since Debbie dissected all questions, I have only comment for the design. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. config system interface Description: Configure interfaces. My questions about it are as follows.
Select one of the following speed/duplex settings: This Status column is not the detected physical link status; it is the administrative status (Up/Down) that indicates whether you permit the network interface to receive and/or transmit packets. Disconnect after idle timeout in seconds. This software currently supports CLI commands for Cisco, D-Link, HP ProCurve, Nortel, Enterasys, Brocade, and Extreme wired and wireless devices. You must have Read-Write permission for System settings. This document assumes that you are familiar with the CLI commands available for your devices and, therefore, does not include individual commands in the instructions. I have configured fortinet interfaces, firewall policy and static default route to have internet connection. There are several CLI Configuration events that can be enabled and mapped to alarms for notification: Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. The default is 1500. The IP address must be on the same subnet as the network to which the interface connects. Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. You can also configure FortiLink mode over a layer-3 network. Yes, I needed another VLAN interface in the main cluster in the same mgmt subnet to make the NAT work in the firewall rule. Connectivity layers that will be considered when distributing frames among the aggregated physical ports: Specify the physical interfaces that are included in the aggregation. Type a valid administrator name and press Enter.
But one thing is unclear and even confusing: what is the gateway in "management interface reservation" configuration? 4. For the subnet and mask -- I understood what you mean. I understood about 10.11.101.100 in the article's diagram: I use an IP the same way to actually manage the cluster (active/primary device responds to it). The config system interface command allows you to edit the configuration of a FortiDB network interface. Syntax config system interface edit set allowaccess {http https ping ssh telnet} set ip set status {up | down} end where: Variable Description Default can be one of port1, port2, port3, port4. No default. FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic. See, Apply specific CLI configurations for network access policies. The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges. I thought about the routing from one of our switches. Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit. Type the password for this administrator and press Indicates whether or not the CLI commands associated with port based ACLs have been successful. Where is it? If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
This article describes how to check the corresponding CLI configuration when the FortiGate is configured in web GUI. Dotted quad formatted subnet masks are not accepted. If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer. If the interface is stopped it does not accept or send packets. edit set vdom {string} set vrf {integer} set cli-conn-status {integer} set fortilink For details about each command, refer to the Command Line Interface section. You can create a set of CLI commands to perform an operation, and a separate set to undo the operation. The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network: To configure a FortiSwitch unit to operate in a layer-3 network: config switch-controller global set ac-discovery dhcp set dhcp-option-code end, config switch interface edit set fortilink-l3-mode enable. Seconds the system waits before it retries to discover the PPPoE server. Will it need a default route? I don't use these separate IP's for sending out SNMP or other stuff but if I did then I'm not sure how the Fortigate really handles this. Specify a space-separated list of the following options: Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. set mode line See Add or modify a configuration. To remove the interface, deselect the interface from Interface Members list.
So you are saying you don't have any L3 devices other than those FGTs to route 10.0.0.100/29 and .101&.102 for the first cluster's and .103&.104 for the second cluster's MGMT interfaces? For information about the admin auditing log, see Audit Logs. See, Create a scheduled task for a CLI configuration to be applied to a device group. Undo is triggered when FortiNAC recognizes that the host or device has disconnected from the port. But for the console access: it already works the way you described (via a serial/console switch). The valid range is between 1 and 4094. The following example configures port1 (the management interface): allowaccess : https ping ssh snmp http telnet, FortiADC-VM (port1) # set ip 192.0.2.5/24. Date and time of the last modification to this configuration. You must have permission to view the admin auditing log. Use the DNS addresses retrieved from the PPPoE server instead of the one configured in the FortiADC system settings. PPPoE: Use PPPoE to retrieve a configuration for the IP address, gateway, and DNS server. NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command. FortiNAC does not detect errors in the structure of the command set being applied on the device.
If overlapping of subnets is not allowed, it can't be in the same unit/VDOM if it is meant to be a real address. With that size of network, you must have many other L3 devices in your network to route your management traffic to get to each FGT's management port. If required, remove the FortiLink ports from the. For each HA cluster node, configure an HA node IP list that includes an entry for each cluster node. Enter the interface IP address and netmask. The valid range is 0 to 32,000. The first part in the above reply seems to need another device for mgmt and that I'd rather avoid. Use the following command to enable or disable multiple FortiLink interfaces. The idea behind the dedicated HA management interfaces is, if you already have a setup with a dedicated management subnet (or are looking to accomplish this), the FortiGate HA interfaces can tie into that, and each unit is accessible by itself, to separate management traffic from user/application/other traffic. The default is 5. NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command. Because if the switch starts accepting and deciding about routing then what happens to the rest of the traffic? To add secondary IP addresses, enable the feature and save the configuration. What is the secret here? Opens the Modify CLI Configuration window. Then I set the gateway address on HA mgmt config. In the following steps, port 1 is configured as the FortiLink port. Seems like a bug. If applicable, select the virtual domain to which the configuration applies. I feel that I'd better not do that unless I can test it but building a test environment seems as good as impossible at the moment. I have never done this and I have too many questions about it so I better not go this way this time.
Configure interfaces. FWF60C-Bonny # show full-configuration system console Provides a list of other features that reference this CLI configuration, such as a role mapping or a Scheduled Task. You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch. config system interface The config system interface command allows you to edit the No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit. Why's that, I don't understand. overlapping subnets). FSIs contain one or more FortiSwitch units. If the gateway is something else, then we are talking about routing tables and then the question is how the traffic to HA mgmt interfaces reaches these interfaces from other networks. Standardized CLI lx. That was so in 5.4. We recommend this option instead of Telnet. Chris, It actually depends on the FortiOS version: after 4.0 MR3 Patch3 (so, with patch4 onwards) the " show" command, Here it is: can be one of port1, port2, port3, port4. If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly. And that's why I had this question in the first place, does anybody have a working solution without using NAT and overlapping subnet (and not using a separate mgmt-FGT device to get access to those mgmt IP's). Creates a copy of the selected CLI configuration. NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Use this command to configure network interfaces. The valid range is 1 to 255. config switch-controller managed-switch edit FS224D3W14000370. This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit.
set output standard Once you have dedicated HA interfaces configured on both units (you might need to configure this on secondary via CLI as outlined in the documentation you linked), you should be able to access the GUI of each unit independently via the specified HA management interface IP. If you enable ha-direct in CLI, this causes each unit to send SNMP traps, logs, and some other management-related traffic individually out the HA management interface, instead of whatever other interface would be appropriate based on the FortiGate's configuration and routing. TL;DR: no you do not need a separate FortiGate to get to the HA management interfaces, but yes you technically need a gateway (another router like a second FortiGate, or the FortiGate itself in a weird loop) if you want to use the HA management interfaces for out-of-band (as in, separate subnet) access, And the explanation for "Destination subnet", which is "Optionally, enter a Destination subnet to indicate the destinations that should use the defined gateway. For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. I removed NAT from the firewall rule and added a route that the separate network for HA mgmt is behind a certain network interface. Select from the following options: The MAC address is read from the interface. Gateway IP is the same as interface IP, please choose another IP. The valid range is 1 to 255. Opens the admin auditing log showing all changes made to the selected item.
config system virtual-switch edit lan config port delete port4 delete port5, config system interface edit flink1 (enter a name, 11 characters maximum) set ip 169.254.3.1 255.255.255.0 set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable, (optional) set fortilink-split-interface enable next. The Forums are a place to find answers on a range of Fortinet products from peers and product experts. It looks like the thing that I did in the past years ago using NAT is the only possible way without another device to get the different mgmt IP's working. Auto: Speed and duplex are negotiated automatically. Enter the types of management access permitted on this interface. Ping: Enables ping and traceroute to be received on this network interface. If I use unique IP's in a unique network, put those cables into their own VLAN -- how do I get there from another management network?