What's new in FortiSwitch Manager 7.2.5
The following new features are available in FortiSwitch Manager 7.2.5:
- The command for enabling VLAN optimization has changed from set vlan-optimization enable to set vlan-optimization configured; the command is still located under config switch-controller global. For more details, see Enabling VLAN optimization.
- FortiSwitch Manager now supports VLAN pruning. VLAN pruning stops unnecessary traffic from unused VLANs by allowing only the VLANs that are actually required on the inter-switch link (ISL) trunks. This makes networks more efficient and preserves bandwidth. It also eliminates the time spent pruning VLANs manually and reduces the chance of errors. For more details, see VLAN pruning.
- Two new CLI commands have been added under config switch-controller system to improve the FortiSwitch Manager connection:
  - Use the set caputp-echo-interval <8-600> command to set the interval, in seconds, between the Control and Provisioning of Unified Termination Points (CAPUTP) ECHO requests from the Scheduling Wide-area Transport Protocol (SWTP). The default value is 30 seconds. A shorter interval means that an offline device is detected sooner.
  - Use the set caputp-max-retransmit <0-64> command to set the maximum number of times that CAPUTP tunnel packets are retransmitted. The default value is 4. A lower retransmission count causes the CAPUTP daemon to time out sooner and then restart, for faster failover.
- Two more port speed options are available for managed switches: 40000auto (autonegotiation of the 40G-CR4 interface of the FS-1048E) and 2500full (2.5 Gbps full-duplex). You can select these speeds under the config switch-controller managed-switch command.
- LACP fallback mode is now supported on managed switches. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. For more details, see LACP fallback mode.
- The CLI commands for configuring Precision Time Protocol (PTP) transparent-clock mode have changed. FortiSwitch Manager supports the previous CLI commands as well as the new ones. For more details, see Configuring PTP transparent-clock mode.
- You can now specify a tagged VLAN to assign users to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1X MAC-based authentication and works with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB). For more details, see FortiSwitch security policies.
- You can use new CLI commands to specify how the following RADIUS request attributes are formatted:
  - User-Name
  - User-Password
  - Called-Station-Id
  - Calling-Station-Id
  For more details, see Specifying how RADIUS request attributes are formatted.
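The practical reason these formatting options matter is that a RADIUS server doing MAC authentication bypass usually compares User-Name or Calling-Station-Id against stored strings, so a delimiter or case mismatch between what the switch sends and what the server stores turns a valid client into an authentication failure. The following Python is an added example, not FortiSwitch Manager or FortiSwitchOS code: the delimiter style names, the case option, and the assumption that Called-Station-Id carries only the switch MAC are choices made for illustration, and the sample MAC addresses are constructed.

```python
"""Formatting MAC addresses for the four MAB RADIUS request attributes.

Added example, not FortiSwitch Manager or FortiSwitchOS code. The option
names (delimiter styles and case) and the Called-Station-Id layout are
assumptions chosen for illustration.
"""
import re

# Delimiter styles assumed for this example.
DELIMITERS = {
    "colon": ":",          # aa:bb:cc:dd:ee:ff
    "hyphen": "-",         # aa-bb-cc-dd-ee-ff
    "single-hyphen": "-",  # aabbcc-ddeeff
    "none": "",            # aabbccddeeff
}


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC, lowercase, with separators removed.

    Accepts any common notation (colon, hyphen, Cisco dotted, bare).
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, delimiter: str = "colon", case: str = "lowercase") -> str:
    """Render a MAC address in the delimiter style and case a RADIUS server expects."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter style: {delimiter}")
    if case not in ("lowercase", "uppercase"):
        raise ValueError(f"unknown case: {case}")
    digits = normalize_mac(mac)
    if delimiter == "single-hyphen":
        groups = [digits[:6], digits[6:]]
    else:
        groups = [digits[i:i + 2] for i in range(0, 12, 2)]
    out = DELIMITERS[delimiter].join(groups)
    return out.upper() if case == "uppercase" else out


def build_mab_request(client_mac: str, switch_mac: str, fmt: dict) -> dict:
    """Build the four formatted attributes of a MAB Access-Request.

    In MAB the client MAC is sent as both User-Name and User-Password;
    Calling-Station-Id carries the client MAC and Called-Station-Id the
    switch MAC (assumed layout: switch MAC only, no port suffix).
    """
    return {
        "User-Name": format_mac(client_mac, fmt["username"], fmt["case"]),
        "User-Password": format_mac(client_mac, fmt["password"], fmt["case"]),
        "Called-Station-Id": format_mac(switch_mac, fmt["called"], fmt["case"]),
        "Calling-Station-Id": format_mac(client_mac, fmt["calling"], fmt["case"]),
    }


def allowlist_accepts(user_name: str, allowlist: set, normalize: bool) -> bool:
    """Check User-Name against a MAB allow-list the way a server might.

    A server doing exact string matching (normalize=False) rejects a valid
    MAC whose delimiter or case differs from the stored entry; that is the
    failure the attribute formatting options exist to avoid.
    """
    if normalize:
        return normalize_mac(user_name) in {normalize_mac(m) for m in allowlist}
    return user_name in allowlist


# Constructed sample data (not captured from a real switch).
CLIENT_MAC = "00:1A:2B:3C:4D:5E"
SWITCH_MAC = "70:4C:A5:00:11:22"
FMT_HYPHEN_UPPER = {"username": "hyphen", "password": "hyphen",
                    "called": "hyphen", "calling": "hyphen", "case": "uppercase"}
FMT_BARE_LOWER = {"username": "none", "password": "none",
                  "called": "colon", "calling": "colon", "case": "lowercase"}
ALLOWLIST = {"00-1A-2B-3C-4D-5E"}  # stored on the RADIUS server in one fixed style


if __name__ == "__main__":
    for name, fmt in (("hyphen/upper", FMT_HYPHEN_UPPER), ("bare/lower", FMT_BARE_LOWER)):
        req = build_mab_request(CLIENT_MAC, SWITCH_MAC, fmt)
        exact = allowlist_accepts(req["User-Name"], ALLOWLIST, normalize=False)
        print(f"{name}: User-Name={req['User-Name']} exact-match={exact}")
```

Running the block shows the same client accepted under one format and rejected under the other against the same allow-list. When changing the switch-side format, check the server's stored entries (or its MAC normalization) at the same time; a mismatch does not raise an error anywhere, it just sends every MAB client to the reject path or the fallback VLAN.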
- You can now dynamically assign a different NAS-IP-Address attribute to each managed switch when authenticating users with a RADIUS server. If needed, you can override the dynamic assignment and manually assign the NAS-IP-Address attribute to individual managed switches. NOTE: FortiSwitchOS supports only IPv4 addresses for the NAS-IP-Address attribute. For more details, see Dynamically and manually assigning the NAS-IP-Address attribute.
- The FortiSwitch Manager system interface description is now synchronized to the switch VLAN description (up to the first 63 characters of the FortiSwitch VLAN description field in FortiSwitch Manager). This allows more flexible use of the Tunnel-Private-Group-Id RADIUS attribute. For more details, see Dynamic VLAN assignment.
- You can now assign a priority to each VLAN used in the 802.1X security policy. If more than one VLAN has the same name (specified with the set description command), FortiSwitchOS selects, from the VLANs whose names match the value of the RADIUS Tunnel-Private-Group-Id or Egress-VLAN-Name attribute, the one with the lowest assignment-priority value, which is the highest priority. The assignment-priority value can be 1-255; the default is 128. For more details, see Setting the priority for dynamic or egress VLAN assignment.
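The selection rule above is easy to state but worth seeing end to end, because the two RADIUS attributes carry the VLAN name differently: Tunnel-Private-Group-Id (RFC 2868) may be preceded by a tag byte in the range 0x00-0x1F that is not part of the name, and Egress-VLAN-Name (RFC 4675) prefixes the name with '1' for tagged or '2' for untagged. The following Python is an added example, not FortiSwitchOS or FortiSwitch Manager code; it models the release note's rule over constructed VLAN and Access-Accept data. Breaking ties on the lowest VLAN ID, preferring Tunnel-Private-Group-Id when both attributes are present, and the fallback VLAN are assumptions made for the example, not behaviour the note specifies.

```python
"""Choosing among same-named VLANs by assignment priority.

Added example, not FortiSwitchOS or FortiSwitch Manager code. It models the
selection rule in the release note: among the VLANs whose description
matches the VLAN name carried in the RADIUS Tunnel-Private-Group-Id or
Egress-VLAN-Name attribute, pick the lowest assignment-priority value
(range 1-255, default 128). Tie-breaking on the lowest VLAN ID is an
assumption made here; the note does not define tie-breaking.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 1, 255, 128


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    description: str                       # the name the RADIUS attribute refers to
    assignment_priority: int = PRIORITY_DEFAULT

    def __post_init__(self):
        if not PRIORITY_MIN <= self.assignment_priority <= PRIORITY_MAX:
            raise ValueError(f"assignment-priority out of range: {self.assignment_priority}")


@dataclass(frozen=True)
class VlanRequest:
    name: str
    tagged: bool   # True when the server asked for a tagged (egress) VLAN


def parse_vlan_request(access_accept: dict) -> Optional[VlanRequest]:
    """Extract the requested VLAN name from the attributes of an Access-Accept.

    Tunnel-Private-Group-Id (RFC 2868) carries the name, optionally preceded
    by a tag byte (0x00-0x1F) that groups tunnel attributes and is not part
    of the name. Egress-VLAN-Name (RFC 4675) prefixes the name with '1' for
    tagged or '2' for untagged. Preferring Tunnel-Private-Group-Id when both
    are present is an assumption of this example.
    """
    if "Tunnel-Private-Group-Id" in access_accept:
        value = access_accept["Tunnel-Private-Group-Id"]
        if value and ord(value[0]) <= 0x1F:
            value = value[1:]
        return VlanRequest(name=value, tagged=False) if value else None
    if "Egress-VLAN-Name" in access_accept:
        value = access_accept["Egress-VLAN-Name"]
        if len(value) < 2 or value[0] not in "12":
            return None                    # malformed: missing tag indication
        return VlanRequest(name=value[1:], tagged=(value[0] == "1"))
    return None


def select_vlan(vlans: Iterable[Vlan], name: str) -> Optional[Vlan]:
    """Apply the rule: lowest assignment-priority among VLANs whose name matches."""
    candidates = [v for v in vlans if v.description == name]
    if not candidates:
        return None
    return min(candidates, key=lambda v: (v.assignment_priority, v.vlan_id))


def assign_port_vlan(vlans: Iterable[Vlan], access_accept: dict,
                     fallback_vlan_id: int) -> Tuple[int, bool]:
    """Return (vlan_id, tagged) for the port, or the fallback when nothing matches.

    A name match is required, so a typo in the RADIUS value lands the user in
    the fallback VLAN (assumed here) rather than in an arbitrary VLAN.
    """
    request = parse_vlan_request(access_accept)
    if request is None:
        return fallback_vlan_id, False
    vlan = select_vlan(vlans, request.name)
    if vlan is None:
        return fallback_vlan_id, False
    return vlan.vlan_id, request.tagged


# Constructed sample data (not from a real deployment).
VLANS = [
    Vlan(100, "staff"),                          # default priority 128
    Vlan(200, "staff", assignment_priority=10),  # preferred: lower value wins
    Vlan(300, "guest"),
    Vlan(310, "guest"),                          # ties with 300 on priority
]
ACCEPT_TPGI = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
               "Tunnel-Private-Group-Id": "\x01staff"}
ACCEPT_EGRESS = {"Egress-VLAN-Name": "1guest"}
ACCEPT_UNKNOWN = {"Tunnel-Private-Group-Id": "contractors"}

if __name__ == "__main__":
    for label, acc in (("TPGI", ACCEPT_TPGI), ("Egress", ACCEPT_EGRESS),
                       ("unknown", ACCEPT_UNKNOWN)):
        print(label, assign_port_vlan(VLANS, acc, fallback_vlan_id=999))
```

Two VLANs sharing a description is exactly the situation the priority is for, so when auditing a policy, look for same-named VLANs whose priorities are all still at the default: the selection then rests on a tie-break the note does not define, and the user may land in a different VLAN than intended.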
- You can now use RADIUS attributes to configure dynamic access control lists (DACLs) on the 802.1X ports of managed switches. DACLs are configured on the switch or stored on the RADIUS server. You can use DACLs to control traffic per user session or per port for switch ports directly connected to user clients. A DACL is applied in hardware only after 802.1X authentication succeeds. For more details, see Dynamic access control lists.
- You can now include option-82 data in DHCP requests for DHCP snooping. DHCP option-82 data provides additional security: the controller acts as a DHCP relay agent and inserts the option so that DHCP client requests from untrusted sources can be identified and prevented. You can select a fixed format for the Circuit ID and Remote ID fields or choose which values appear in them. You can configure the option-82 settings globally, or override the global setting to specify plain-text strings for the Circuit ID and Remote ID fields for a specific VLAN on a port. In addition, you can display the DHCP option-82 string in ASCII or hexadecimal format. For more details, see Including option-82 data.
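To make the Circuit ID, Remote ID and the ASCII-versus-hex display concrete, the following Python is an added example, not FortiSwitch Manager code. It encodes and decodes option 82 (Relay Agent Information, RFC 3046: option code 82 carrying sub-option 1 = Agent Circuit ID and sub-option 2 = Agent Remote ID as length-prefixed values) and applies the usual snooping rule for a relay agent: a request arriving on an untrusted port that already carries option 82 is dropped, because a downstream host must not be able to forge relay information. The Circuit ID text and Remote ID MAC are constructed values; the switch's own fixed formats are not reproduced here.

```python
"""Building and inspecting DHCP option 82 (Relay Agent Information, RFC 3046).

Added example, not FortiSwitch Manager code. The Circuit ID and Remote ID
contents are constructed plain-text/MAC values of the kind an operator might
configure per VLAN and port; the switch's fixed formats are not reproduced.
"""
OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 section 3.1
SUBOPT_REMOTE_ID = 2    # RFC 3046 section 3.2


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Return the full option-82 TLV: code, length, then two sub-option TLVs."""
    for label, value in (("Circuit ID", circuit_id), ("Remote ID", remote_id)):
        if not 1 <= len(value) <= 255:
            raise ValueError(f"{label} must be 1-255 bytes")
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def decode_option82(option: bytes) -> dict:
    """Parse an option-82 TLV into {sub-option code: value}, checking every length."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise ValueError("not option 82")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated option 82")
    subs = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + sublen
    return subs


def render(value: bytes, fmt: str = "ascii") -> str:
    """Display a sub-option value as ASCII (non-printables escaped) or as hex."""
    if fmt == "hex":
        return value.hex()
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in value)


def relay_policy(option82_present: bool, port_trusted: bool) -> str:
    """What a DHCP-snooping relay does with a client request on ingress.

    Trusted port: forward as received. Untrusted port already carrying
    option 82: drop (RFC 3046 section 2.1.1, a host must not supply relay
    information). Untrusted port without it: insert our own option 82.
    """
    if port_trusted:
        return "forward"
    return "drop" if option82_present else "insert"


# Constructed sample values (not captured from a switch).
CIRCUIT_ID = b"vlan100:port7"                 # plain-text circuit string
REMOTE_ID = bytes.fromhex("704ca5001122")     # switch MAC as raw bytes

if __name__ == "__main__":
    opt = encode_option82(CIRCUIT_ID, REMOTE_ID)
    subs = decode_option82(opt)
    print("raw:", opt.hex())
    print("circuit id (ascii):", render(subs[SUBOPT_CIRCUIT_ID]))
    print("remote id (hex):   ", render(subs[SUBOPT_REMOTE_ID], "hex"))
    print("remote id (ascii): ", render(subs[SUBOPT_REMOTE_ID]))
    for present, trusted in ((False, False), (True, False), (True, True)):
        print(f"option82={present} trusted={trusted}: {relay_policy(present, trusted)}")
```

Rendering the Remote ID in ASCII shows why the hex display option exists: a MAC stored as raw bytes is mostly non-printable, while a plain-text Circuit ID reads directly. The decoder rejects any sub-option whose declared length runs past the data, which is the check to keep in anything that parses option 82 from packets a client could have crafted.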
- You can now monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed FortiSwitch unit and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database. For more details, see Monitoring ARP packets.
- You can now use an access control list (ACL) to configure a policy for the ingress stage of the packet-processing pipeline. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port. For more details, see Configuring an ACL.
- You can now use names for managed FortiSwitch units in switch-controller CLI commands. The user-defined name is also used in the FortiSwitch Manager GUI and logs. The FortiSwitch unit's serial number is saved in a new read-only field. For more details, see Defining names for managed switches.
- You can now export a list of FortiSwitch names, switch groups, status, models, firmware versions, where each switch is connecting from, and join times. You can also export a list of switch ports with trunk names, port policies, enabled features, native VLANs, allowed VLANs, dynamic VLANs, PoE status, device information, security policies, DHCP-snooping status, connected transceivers, transceiver power (transmitted or received), and negotiated speed. You can export each list in comma-separated values (CSV) or JSON format. For more details, see Exporting switch information.
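The exported lists are useful as audit input: firmware drift across the fleet, access ports with no security policy, and client-facing ports marked DHCP-snooping trusted are all visible from the fields listed above. The following Python is an added example, not FortiSwitch Manager code. The CSV header names and rows are constructed for the example to mirror the exported fields; the real export's headers may differ, so the column names are assumptions to adjust to your file.

```python
"""Auditing exported switch and port lists.

Added example, not FortiSwitch Manager code. The CSV header names and the
rows below are constructed to mirror the fields the export offers; the real
export's headers may differ, so adjust the column names to your file.
"""
import csv
import io

# Constructed sample exports (not real data).
SWITCH_CSV = """\
name,group,status,model,firmware,connected_from,join_time
access-1,floor1,Connected,FS-148F-POE,7.2.5,10.10.1.11,2024-03-01 08:00:00
access-2,floor1,Connected,FS-148F-POE,7.2.3,10.10.1.12,2024-03-01 08:01:00
core-1,core,Disconnected,FS-1048E,7.2.5,10.10.0.2,2024-02-20 12:00:00
"""

PORT_CSV = """\
switch,port,trunk,port_policy,native_vlan,allowed_vlans,security_policy,dhcp_snooping,poe,device
access-1,port1,,,100,100,dot1x-corp,untrusted,Enabled,
access-1,port2,,,100,100,,untrusted,Enabled,
access-1,port3,,,100,100,,trusted,Disabled,
access-1,port48,uplink-1,,1,"1,100,200",,trusted,Disabled,
"""


def load_rows(csv_text: str) -> list:
    """Parse one exported CSV list into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def firmware_drift(switches: list, expected: str) -> list:
    """Names of switches whose firmware version is not the expected one."""
    return sorted(s["name"] for s in switches if s["firmware"] != expected)


def disconnected(switches: list) -> list:
    """Names of switches the manager does not currently see as connected."""
    return sorted(s["name"] for s in switches if s["status"] != "Connected")


def is_access_port(port: dict) -> bool:
    """A port with no trunk name; trunks are ISL/uplink ports, not client ports."""
    return port["trunk"] == ""


def unprotected_access_ports(ports: list) -> list:
    """Access ports with no security policy: anything plugged in lands in the native VLAN."""
    return sorted((p["switch"], p["port"]) for p in ports
                  if is_access_port(p) and p["security_policy"] == "")


def trusted_access_ports(ports: list) -> list:
    """Access ports marked DHCP-snooping trusted: a rogue DHCP server there is not blocked."""
    return sorted((p["switch"], p["port"]) for p in ports
                  if is_access_port(p) and p["dhcp_snooping"] == "trusted")


def audit(switch_csv: str, port_csv: str, expected_firmware: str) -> dict:
    """Run every check over the two exported lists and return the findings."""
    switches = load_rows(switch_csv)
    ports = load_rows(port_csv)
    return {
        "firmware_drift": firmware_drift(switches, expected_firmware),
        "disconnected": disconnected(switches),
        "unprotected_access_ports": unprotected_access_ports(ports),
        "trusted_access_ports": trusted_access_ports(ports),
    }


if __name__ == "__main__":
    for key, value in audit(SWITCH_CSV, PORT_CSV, "7.2.5").items():
        print(f"{key}: {value}")
```

The JSON export carries the same fields, so the checks apply unchanged to a list of dicts loaded with json.load. The trusted-access-port check is the one worth scheduling: DHCP snooping only protects the segment if the trusted side is limited to uplinks and the port that actually hosts the DHCP server.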