Fortinet black logo

Administration Guide

Introduction

Copy Link
Copy Doc ID 962fb21b-9bd3-11eb-b70b-00505692583a:755567
Download PDF

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed by FortiOS 7.0.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

Whatʼs new in FortiSwitchOS 7.0.0

Release 7.0.0 provides the following new features.

GUI changes

  • You can now configure Protocol Independent Multicast (PIM) version-4 routing in the GUI.
  • You can now configure IPv6 static routes in the GUI.
  • The average traffic bandwidth is now listed in the Traffic (Last Day) column in the Physical Switch Ports page (Switch > Port > Physical), Physical Port Interfaces page (Switch > Interface > Physical), and Trunk Interfaces page (Switch > Interface > Trunk) . You can now sort this column by value.
  • The diagnostics monitoring of QSFP+ transceivers is now supported in the GUI (Switch > Monitor > Modules).
  • You can now create or customize an ACL service by going to Switch > ACL > Service.

CLI changes

  • You can now control whether the size of the layer-2 table is checked and how often. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.
  • The factory default setting for power over Ethernet (PoE) pre-standard detection is now disable for both managed and standalone FortiSwitch units. When you upgrade FortiSwitchOS, the setting of PoE pre-standard detection stays the same. The setting of PoE pre-standard detection might change during a downgrade from FortiSwitchOS 7.0.0 to earlier versions.
  • More protocols have been added to the set protocol command (under config router setting). You can now filter by any IPv6 protocol, IPv6 BGP, IPv6 IS-IS, IPv6 OSPF, IPv6 RIP, or IPv6 static. The connected option is no longer supported.
  • You can now set up the following SNMP v3 notifications (traps):
    • The CPU usage is too high.
    • The configuration of an entity was changed.
    • The IP address for an interface was changed.
    • The available log space is low.
    • The available memory is low.
  • The diagnostic monitoring interface (DMI) now detects the interface type (Short Reach or Copper Reach) and forward error correction (FEC) state for a module and displays this information with the diagnose switch physical-ports list <port_name> command.
  • By default, the 25G and 100G ports of the FS-1048E and FS-3032E models now automatically detect whether FEC is supported by the module.
  • Flow export and tracking have been improved. You can control how often the template is exported and specify a Berkeley packet filter (BPF).
  • Virtual routing and forwarding (VRF) is now supported by DHCP relay (IPv4), bidirectional forwarding detection (BFD) for static routes (IPv4 and IPv6), link monitor (IPv4 and IPv6) on VRF-enabled switch virtual interfaces (SVIs), and OSPF (IPv4).
  • VRF is now supported by the 500-Series switches.
  • When you specify a route map during routing configuration, only the route maps for that protocol are listed.
  • You can now use the alias CLI commands to grant an administrator access to individual configuration attributes, table entries, or CLI commands.
  • Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following FortiSwitch models:
    • FS-424E
    • FS-424E-FPOE
    • FS-M426E-FPOE
    • FS-424E-Fiber
    • FS-448E
    • FS-448E-FPOE
    • FS-1048E
    • FS-3032E
  • The Media Redundancy Protocol (MRP) is now supported on the FSR-112D and FSR-124D models.
  • When 802.1x authentication is being used, you can now move an 802.1x client between ports that are not directly connected to the FortiSwitch unit.
  • The following RADIUS attributes are now supported for configuring dynamic non-native VLANs:
    • Egress-VLANID
    • Egress-VLAN-Name
    • Ingress-Filters

GUI and CLI changes

  • You can now configure multiple flow-export collectors
  • You can now configure multiple sFlow collectors.
  • sFlow is now supported on the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.
  • The maximum number of IGMP-snooping groups has been increased. The following table lists the maximum number of groups for various FortiSwitch models:

    FortiSwitch Models Snooping Table Limit
    (values have been rounded)
    FS-108E and FS-124E 500
    FSR-112D-POE, FS-124F, FS-148E, FS-148F, FS-224E, FS-248D, FS-248E, FS-424D, FS-424E, FS-424E-Fiber, FS-426E, FS-448D, FS-448E 1,000
    FS-1024D and FS-1048D 4,000
    FS-3032D 6,000
    FS-524D, FS-548D, 1048E, and 3032E 8,000

REST API changes

The following are the new REST API endpoints:

  • The new cmdb/system.alias/command endpoint grants an administrator access to individual configuration attributes, table entries, or CLI commands.
  • The new cmdb/system.alias/group endpoint bundles different alias commands together for easy assignment.
  • The new cmdb/router/vrf command supports virtual routing and forwarding (VRF).

The schema for two REST API endpoints has changed:

  • The schema for the cmdb/system/sflow endpoint has changed because you can now configure multiple sFlow collectors.
  • The schema for the cmdb/system/flow-export endpoint has changed because you can now configure multiple flow-export collectors.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Before you begin

Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have administrative access to the FortiSwitch unit’s GUI and CLI.

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed by FortiOS 7.0.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

Whatʼs new in FortiSwitchOS 7.0.0

Release 7.0.0 provides the following new features.

GUI changes

  • You can now configure Protocol Independent Multicast (PIM) version-4 routing in the GUI.
  • You can now configure IPv6 static routes in the GUI.
  • The average traffic bandwidth is now listed in the Traffic (Last Day) column in the Physical Switch Ports page (Switch > Port > Physical), Physical Port Interfaces page (Switch > Interface > Physical), and Trunk Interfaces page (Switch > Interface > Trunk) . You can now sort this column by value.
  • The diagnostics monitoring of QSFP+ transceivers is now supported in the GUI (Switch > Monitor > Modules).
  • You can now create or customize an ACL service by going to Switch > ACL > Service.

CLI changes

  • You can now control whether the size of the layer-2 table is checked and how often. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.
  • The factory default setting for power over Ethernet (PoE) pre-standard detection is now disable for both managed and standalone FortiSwitch units. When you upgrade FortiSwitchOS, the setting of PoE pre-standard detection stays the same. The setting of PoE pre-standard detection might change during a downgrade from FortiSwitchOS 7.0.0 to earlier versions.
  • More protocols have been added to the set protocol command (under config router setting). You can now filter by any IPv6 protocol, IPv6 BGP, IPv6 IS-IS, IPv6 OSPF, IPv6 RIP, or IPv6 static. The connected option is no longer supported.
  • You can now set up the following SNMP v3 notifications (traps):
    • The CPU usage is too high.
    • The configuration of an entity was changed.
    • The IP address for an interface was changed.
    • The available log space is low.
    • The available memory is low.
  • The diagnostic monitoring interface (DMI) now detects the interface type (Short Reach or Copper Reach) and forward error correction (FEC) state for a module and displays this information with the diagnose switch physical-ports list <port_name> command.
  • By default, the 25G and 100G ports of the FS-1048E and FS-3032E models now automatically detect whether FEC is supported by the module.
  • Flow export and tracking have been improved. You can control how often the template is exported and specify a Berkeley packet filter (BPF).
  • Virtual routing and forwarding (VRF) is now supported by DHCP relay (IPv4), bidirectional forwarding detection (BFD) for static routes (IPv4 and IPv6), link monitor (IPv4 and IPv6) on VRF-enabled switch virtual interfaces (SVIs), and OSPF (IPv4).
  • VRF is now supported by the 500-Series switches.
  • When you specify a route map during routing configuration, only the route maps for that protocol are listed.
  • You can now use the alias CLI commands to grant an administrator access to individual configuration attributes, table entries, or CLI commands.
  • Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following FortiSwitch models:
    • FS-424E
    • FS-424E-FPOE
    • FS-M426E-FPOE
    • FS-424E-Fiber
    • FS-448E
    • FS-448E-FPOE
    • FS-1048E
    • FS-3032E
  • The Media Redundancy Protocol (MRP) is now supported on the FSR-112D and FSR-124D models.
  • When 802.1x authentication is being used, you can now move an 802.1x client between ports that are not directly connected to the FortiSwitch unit.
  • The following RADIUS attributes are now supported for configuring dynamic non-native VLANs:
    • Egress-VLANID
    • Egress-VLAN-Name
    • Ingress-Filters

GUI and CLI changes

  • You can now configure multiple flow-export collectors
  • You can now configure multiple sFlow collectors.
  • sFlow is now supported on the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.
  • The maximum number of IGMP-snooping groups has been increased. The following table lists the maximum number of groups for various FortiSwitch models:

    FortiSwitch Models Snooping Table Limit
    (values have been rounded)
    FS-108E and FS-124E 500
    FSR-112D-POE, FS-124F, FS-148E, FS-148F, FS-224E, FS-248D, FS-248E, FS-424D, FS-424E, FS-424E-Fiber, FS-426E, FS-448D, FS-448E 1,000
    FS-1024D and FS-1048D 4,000
    FS-3032D 6,000
    FS-524D, FS-548D, 1048E, and 3032E 8,000

REST API changes

The following are the new REST API endpoints:

  • The new cmdb/system.alias/command endpoint grants an administrator access to individual configuration attributes, table entries, or CLI commands.
  • The new cmdb/system.alias/group endpoint bundles different alias commands together for easy assignment.
  • The new cmdb/router/vrf command supports virtual routing and forwarding (VRF).

The schema for two REST API endpoints has changed:

  • The schema for the cmdb/system/sflow endpoint has changed because you can now configure multiple sFlow collectors.
  • The schema for the cmdb/system/flow-export endpoint has changed because you can now configure multiple flow-export collectors.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Before you begin

Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have administrative access to the FortiSwitch unit’s GUI and CLI.