Fortinet Document Library

Devices Managed by FortiOS

Whatʼs new in FortiOS 6.4.5

The following list contains new managed FortiSwitch features added in FortiOS 6.4.5:

  • You can now use wildcards in a MAC address in a NAC policy.

    When configuring a NAC policy, you can use the wildcard * character when manually specifying a MAC address to match the device.

    config user nac-policy
    	edit <policy>
    		set mac "xx:xx:xx:**:**:**"
    	next
    end

    In this example, VM_PC1 and VM_PC2 both have MAC addresses that start with 00:0c:29. A NAC policy is created on the FortiGate 500E to match both PCs. After the PCs are connected to the FortiSwitch units, they are detected by the NAC policy and assigned to Lab_VLAN.

    To configure a MAC address with wildcards in a NAC policy:
    1. Configure a MAC policy to be applied on the managed FortiSwitch units through the NAC device:
      config switch-controller mac-policy
      	edit "LAB_Linux"
      		set fortilink "port11"
      		set vlan "Lab_VLAN"
      	next
      end
    2. Configure the NAC policy matching pattern to identify matching NAC devices:
      config user nac-policy
      	edit "VM-Policy"
      		set mac "00:0c:29:**:**:**"
      		set switch-fortilink "port11"
      		set switch-mac-policy "LAB_Linux"
      	next
      end
    3. Check that the NAC devices are added:
      # show switch-controller nac-device
      config switch-controller nac-device
      	edit 2
      		set description "auto detected @ 2020-11-30 14:13:45"
      		set mac 00:0c:29:d4:4f:3c
      		set last-known-switch "S248EPTF18001384"
      		set last-known-port "port6"
      		set matched-nac-policy "VM-Policy"
      		set mac-policy "LAB_Linux"
      	next
      	edit 3
      		set description "auto detected @ 2020-11-30 14:16:07"
      		set mac 00:0c:29:a8:0a:1c
      		set last-known-switch "S524DN4K16000116"
      		set last-known-port "port7"
      		set matched-nac-policy "VM-Policy"
      		set mac-policy "LAB_Linux"
      	next
      end
  • PoE pre-standard detection is now disabled by default.

    Starting with this version, the factory default setting for power over Ethernet (PoE) pre-standard detection is disabled for both managed and standalone FortiSwitch units.

    Depending on the FortiSwitch model, you can manually change the poe-pre-standard-detection setting on the global level or on the port level.

    Note: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548DFPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124EFPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

    On the global level, set poe-pre-standard-detection with the following commands:

    config switch-controller managed-switch
    	edit <FortiSwitch_serial_number>
    		set poe-pre-standard-detection {enable | disable}
    	next
    end

    On the port level, set poe-pre-standard-detection with the following commands:

    config switch-controller managed-switch
    	edit <FortiSwitch_serial_number>
    		config ports
    			edit <port_name>
    				set poe-pre-standard-detection {enable | disable}
    			next
    		end
    	next
    end

    When you upgrade FortiOS, the setting of poe-pre-standard-detection stays the same. When you downgrade from FortiOS 6.4 to FortiOS 6.2, the setting of poe-pre-standard-detection stays the same. The setting of poe-pre-standard-detection might change during a downgrade from FortiOS 7.0 to FortiOS 6.4.

  • You can now use the set fortilink-p2p-native-vlan <VLAN> command (under config switch global) to specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled. By default, the native VLAN is 4094.
  • The set fortlink-p2p {enable | disable} command under config switch physical port has been changed to set fortilink-p2p {enable | disable}.
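The following Python script is an added example and is not Fortinet code. It serves two of the items above: it checks the `show switch-controller nac-device` output against the wildcard pattern of the NAC policy each device was matched to (so an administrator can confirm that a device landed in Lab_VLAN because its MAC really satisfies `00:0c:29:**:**:**`), and it lists every managed switch or port where `poe-pre-standard-detection` is still `enable`, which matters because an upgrade preserves that setting rather than applying the new `disable` default. It assumes that each `*` in a NAC policy MAC stands for exactly one hex digit (inferred from the page's `00:0c:29:**:**:**` example), that the CLI output follows the `config / edit / set / next / end` layout shown on the page, and it uses constructed, abridged sample output with placeholder switch serial numbers and a hypothetical third device (`00:50:56:12:34:56`) that does not match the pattern.

```python
import re
from typing import Dict, List, Tuple

# Constructed, abridged `show switch-controller nac-device` output: the two devices from the
# page plus a hypothetical entry 4 whose MAC does not start with 00:0c:29.
NAC_DEVICE_OUTPUT = """\
config switch-controller nac-device
    edit 2
        set mac 00:0c:29:d4:4f:3c
        set matched-nac-policy "VM-Policy"
    next
    edit 3
        set mac 00:0c:29:a8:0a:1c
        set matched-nac-policy "VM-Policy"
    next
    edit 4
        set mac 00:50:56:12:34:56
        set matched-nac-policy "VM-Policy"
    next
end
"""
# Policy name -> MAC pattern, as configured under `config user nac-policy` on the page.
NAC_POLICIES = {"VM-Policy": "00:0c:29:**:**:**"}

# Constructed managed-switch dump with placeholder serials; one switch has the global
# setting enabled, the other has it enabled on a single port.
MANAGED_SWITCH_CONFIG = """\
config switch-controller managed-switch
    edit "FSW-SERIAL-PLACEHOLDER-1"
        set poe-pre-standard-detection enable
    next
    edit "FSW-SERIAL-PLACEHOLDER-2"
        config ports
            edit "port1"
                set poe-pre-standard-detection enable
            next
            edit "port2"
                set poe-pre-standard-detection disable
            next
        end
    next
end
"""

Entry = dict  # {"id": str, "set": {key: value}, "config": {table_name: [Entry, ...]}}


def _tokens(line: str) -> List[str]:
    """Split one CLI line into tokens, keeping quoted values whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_fortios_config(text: str) -> Dict[str, List[Entry]]:
    """Parse `config ... edit ... set ... next ... end` blocks, including nested tables."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def parse_table() -> List[Entry]:
        nonlocal pos
        entries: List[Entry] = []
        while pos < len(lines):
            tok = _tokens(lines[pos]); pos += 1
            if tok[0] == "end":
                break
            if tok[0] == "edit":
                entry: Entry = {"id": tok[1], "set": {}, "config": {}}
                while pos < len(lines):
                    t = _tokens(lines[pos]); pos += 1
                    if t[0] == "next":
                        break
                    if t[0] == "set":
                        entry["set"][t[1]] = " ".join(t[2:])
                    elif t[0] == "config":  # nested table, e.g. `config ports`
                        entry["config"][" ".join(t[1:])] = parse_table()
                entries.append(entry)
        return entries

    tables: Dict[str, List[Entry]] = {}
    while pos < len(lines):
        tok = _tokens(lines[pos]); pos += 1
        if tok[0] == "config":
            tables[" ".join(tok[1:])] = parse_table()
    return tables


def mac_matches(pattern: str, mac: str) -> bool:
    """True if `mac` satisfies the NAC pattern; each '*' matches one hex digit (assumption)."""
    regex = re.escape(pattern.lower()).replace(r"\*", "[0-9a-f]")
    return re.fullmatch(regex, mac.lower()) is not None


def verify_nac_devices(output: str, policies: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """(device id, mac, consistent): consistent means the MAC satisfies its matched policy."""
    results = []
    for dev in parse_fortios_config(output)["switch-controller nac-device"]:
        mac = dev["set"].get("mac", "")
        pattern = policies.get(dev["set"].get("matched-nac-policy", ""))
        results.append((dev["id"], mac, pattern is not None and mac_matches(pattern, mac)))
    return results


def poe_pre_standard_enabled(config_text: str) -> List[Tuple[str, str]]:
    """(switch id, 'global' or port name) for every place the setting is still `enable`."""
    hits = []
    for sw in parse_fortios_config(config_text)["switch-controller managed-switch"]:
        if sw["set"].get("poe-pre-standard-detection") == "enable":
            hits.append((sw["id"], "global"))
        for port in sw["config"].get("ports", []):
            if port["set"].get("poe-pre-standard-detection") == "enable":
                hits.append((sw["id"], port["id"]))
    return hits


if __name__ == "__main__":
    for dev_id, mac, ok in verify_nac_devices(NAC_DEVICE_OUTPUT, NAC_POLICIES):
        print(f"nac-device {dev_id}: {mac} {'matches' if ok else 'DOES NOT match'} its policy")
    for switch, scope in poe_pre_standard_enabled(MANAGED_SWITCH_CONFIG):
        print(f"{switch}: poe-pre-standard-detection enabled at {scope}")
```

Run it against a real `show switch-controller nac-device` capture by replacing the constructed strings. A wildcard policy is a prefix match on the vendor part of the MAC, so the consistency check only confirms that the FortiGate applied the pattern as written; it is not a guarantee about the device behind the MAC.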
