Fortinet Document Library


Devices Managed by FortiOS

Whatʼs new in FortiOS 7.0.0

The following list contains new managed FortiSwitch features added in FortiOS 7.0.0. Click on a link to navigate to that section for further information.

GUI changes

  • Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating page to help optimize your network:
    • Check if the quarantine bounce port option is enabled.
    • Check if the PoE status of the switch controller auto-config default policy is enabled.
    • Check if PoE pre-standard detection for all user ports is enabled.

    See Optimizing the FortiSwitch network.

  • You can now use the GUI to view and configure FortiSwitch ports that are shared between VDOMs. To share FortiSwitch ports between VDOMs, you must use the CLI. Go to WiFi & Switch Controller > FortiSwitch Ports to view the shared FortiSwitch ports and edit them. See FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports.
  • A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. See Cloud icon indicates that the FortiSwitch unit is managed over layer 3.
  • The new FortiSwitch NAC VLANs widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen. See Using the FortiSwitch NAC VLAN widget.
  • There have been GUI updates to the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages to simplify the configuration of NAC policies.

    Previously, dynamic port policies had to be configured in the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages. Now, dynamic port policies are configured under the Dynamic Port Policies tab on the FortiSwitch Port Policies page. For more information about dynamic port policies, see Configuring dynamic port policy rules.

  • The FortiSwitch NAC Policies page is now the NAC Policies page.
  • The access mode of each FortiSwitch port is listed in the Mode column in the FortiSwitch Ports page. Right-click in the Mode column to select the access mode of the port:
    • Static—The port does not use a dynamic port policy or FortiSwitch NAC policy.
    • Assign Port Policy—The port uses a dynamic port policy.
    • NAC—The port uses a FortiSwitch NAC policy.

CLI changes

  • New FortiOS commands allow you to enable the automatic provisioning of FortiSwitch firmware after authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one FortiSwitchOS image can be uploaded. See Automatic provisioning of FortiSwitch firmware upon authorization.
  • When a FortiSwitch upgrade cannot be completed (because of connectivity issues, for example), you can cancel the upgrade with a new FortiOS command:

    execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_number> | switch-group <switch_group_ID>}

    See Canceling pending or downloading FortiSwitch upgrades.

  • Supported managed-switch ports can be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports. See Configuring forward error correction on switch ports.
  • A new FortiOS command allows you to control the cipher used by the switch-controller CAPWAP:

    config switch-controller system
        set tunnel-mode {compatible | strict}
    end

    By default, tunnel-mode is set to compatible, which lets the switch-controller CAPWAP use AES128-SHA:DES-CBC3-SHA. If you set tunnel-mode to strict, the switch-controller CAPWAP uses the cipher set in FortiOS.
  • You can now manually create an inter-switch link (ISL) trunk. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk. See Static ISL trunks.
  • Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following managed FortiSwitch models:
    • FS-424E
    • FS-424E-FPOE
    • FS-M426E-FPOE
    • FS-424E-Fiber
    • FS-448E
    • FS-448E-FPOE
    • FS-1048E
    • FS-3032E
  • There are more authentication protocols and privacy (encryption) protocols supported under the config switch-controller snmp-user command. The following authentication protocols are available for the set auth-proto command:
    • HMAC-MD5-96
    • HMAC-SHA-1
    • HMAC-SHA-224
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512

    The following privacy (encryption) protocols are available for the set priv-proto command:

    • CFB128-AES-128 symmetric encryption protocol
    • CFB128-AES-192 symmetric encryption protocol
    • CFB128-AES-192-C symmetric encryption protocol
    • CFB128-AES-256 symmetric encryption protocol
    • CFB128-AES-256-C symmetric encryption protocol
    • CBC-DES symmetric encryption protocol

    See Configuring SNMP.

  • There were some FortiOS CLI changes for the FortiSwitch network access control. The set switch-port-policy command under config user nac-policy was removed. The config switch-controller nac-settings command is now the config switch-controller fortilink-settings command. See FortiSwitch network access control.
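
Two of the settings above, the CAPWAP tunnel-mode and the SNMP user auth-proto/priv-proto, are worth checking in every configuration backup. The following Python script is an added example, not Fortinet code: it parses a FortiOS-style config dump (a constructed sample is embedded) and reports the weak choices this note names; the config layout and the CLI keyword spellings for the protocols (md5, sha1, des, aes128, and so on) are assumptions, since the note gives only the protocol names.

```python
# Added example, not Fortinet code: audit a FortiOS config dump for the two CLI settings
# above. Assumes the config/edit/set/next/end layout and CLI keywords md5/sha1/des/aes128...

SAMPLE_CONFIG = """\
config switch-controller system
    set tunnel-mode compatible
end
config switch-controller snmp-user
    edit "legacy-monitor"
        set auth-proto md5
        set priv-proto des
    next
end
"""  # constructed sample, not captured from a real FortiGate

# HMAC-MD5-96 / HMAC-SHA-1 and CBC-DES, under their assumed CLI keyword spellings.
WEAK_AUTH, WEAK_PRIV = {"md5", "sha1"}, {"des"}


def parse_fortios(text):
    """Return {section: {entry: {key: value}}}; settings outside any 'edit' use entry ''."""
    tree, stack, entry = {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
            tree.setdefault(stack[-1], {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line == "next":
            entry = ""
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            tree[stack[-1]].setdefault(entry, {})[key] = value.strip('"')
    return tree


def audit(text):
    """Return findings for the weak choices the release note names."""
    cfg, findings = parse_fortios(text), []
    system = cfg.get("switch-controller system", {}).get("", {})
    # Dumps omit defaults; the default compatible allows AES128-SHA:DES-CBC3-SHA (3DES).
    if system.get("tunnel-mode", "compatible") == "compatible":
        findings.append("switch-controller system: tunnel-mode compatible allows 3DES; set strict")
    for user, s in cfg.get("switch-controller snmp-user", {}).items():
        if user and s.get("auth-proto") in WEAK_AUTH:
            findings.append(f"snmp-user {user}: weak auth-proto {s['auth-proto']}")
        if user and s.get("priv-proto") in WEAK_PRIV:
            findings.append(f"snmp-user {user}: weak priv-proto {s['priv-proto']}")
    return findings
```

Run audit() over the output of a full configuration backup; an empty result means tunnel-mode is strict and no SNMPv3 user relies on MD5, SHA-1 or DES.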

GUI and CLI changes

  • You can now specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties. See Configuring dynamic port policy rules.
  • The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. This process has been optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.

    These optimizations include the following:

    • A new event-based approach.
    • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.
    • NAC inactive timers are now applied to the NAC MAC cache table.
    • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

    Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds. See FortiSwitch network access control.
