Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Download PDF
Copy Link

Introduction

This document provides the following information for FortiSwitchOS 7.0.0 devices managed by FortiOS 7.0.0 build 0066.

See the Fortinet Document Library for Managed FortiSwitch documentation.

NOTE: FortiLink is not supported in transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range Number of FortiSwitch Units Supported
FortiGate 40F, 91E, FortiGate-VM01 8
FortiGate 60F, 6xE, 80F, 8xE, 90E 16
FortiGate 100D, FortiGate-VM02 24
FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE 32
FortiGate 200E, 201E 64
FortiGate 300D to 500D 48
FortiGate 300E to 500E 72
FortiGate 600D to 900D and FortiGate-VM04 64
FortiGate 600E to 900E 96
FortiGate 1000D to 15xxD 128
FortiGate 1100E to 25xxE 196
FortiGate-3xxx and up and FortiGate-VM08 and up 300

Supported models

Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.

 

note icon New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.

What’s new in FortiOS 7.0.0

The following list contains new managed FortiSwitch features added in FortiOS 7.0.0.

GUI changes

  • Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating page to help optimize your network:
    • Check if the quarantine bounce port option is enabled.
    • Check if the PoE status of the switch controller auto-config default policy is enabled.
    • Check if PoE pre-standard detection for all user ports is enabled.
  • You can now use the GUI to view and configure FortiSwitch ports that are shared between VDOMs. To share FortiSwitch ports between VDOMs, you must use the CLI. Go to WiFi & Switch Controller > FortiSwitch Ports to view the shared FortiSwitch ports and edit them.
  • A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3.
  • The new FortiSwitch NAC VLANs widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen.
  • There have been GUI updates to the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages to simplify the configuration of NAC policies.

    Previously, dynamic port policies had to be configured in the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages. Now, configuring dynamic port polices is under the Dynamic Port Policies tab on the FortiSwitch Port Policies page.

  • The FortiSwitch NAC Policies page is now the NAC Policies page.
  • The access mode of each FortiSwitch port is listed in the Mode column in the FortiSwitch Ports page. Right-click in the Mode column to select the access mode of the port:
    • Static—The port does not use a dynamic port policy or FortiSwitch NAC policy.
    • Assign Port Policy—The port uses a dynamic port policy.
    • NAC—The port uses a FortiSwitch NAC policy.

CLI changes

  • New FortiOS commands allow you to enable the automatic provisioning of FortiSwitch firmware after authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one FortiSwitchOS image can be uploaded.
  • When a FortiSwitch upgrade cannot be completed (because of connectivity issues, for example), you can cancel the upgrade with a new FortiOS command:

     

    execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_ number> | switch-group <switch_group_ID>}

     

  • Supported managed-switch ports can be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
  • A new FortiOS command allows you to control the cipher used by the switch-controller CAPWAP:

     

    config switch-controller system

    set tunnel-mode {compatible | strict}

    end

     

    By default, tunnel-mode is set to compatible, which lets the switch-controller CAPWAP use AES128-SHA:DES-CBC3-SHA. If you set tunnel-mode to strict, the switch-controller CAPWAP uses the cipher set in FortiOS.
  • You can now manually create an inter-switch link (ISL) trunk. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk.
  • Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following managed FortiSwitch models:
    • FS-424E
    • FS-424E-FPOE
    • FS-M426E-FPOE
    • FS-424E-Fiber
    • FS-448E
    • FS-448E-FPOE
    • FS-1048E
    • FS-3032E
  • There are more authentication protocols and privacy (encryption) protocols supported under the config switch-controller snmp-user command. The following authentication protocols are available for the set auth-proto command:
    • HMAC-MD5-96
    • HMAC-SHA-1
    • HMAC-SHA-224
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512

    The following privacy (encryption) protocols are available for the set priv-proto command:

    • CFB128-AES-128 symmetric encryption protocol
    • CFB128-AES-192 symmetric encryption protocol
    • CFB128-AES-192-C symmetric encryption protocol
    • CFB128-AES-256 symmetric encryption protocol
    • CFB128-AES-256-C symmetric encryption protocol
    • CBC-DES symmetric encryption protocol
  • There were some FortiOS CLI changes for the FortiSwitch network access control. The set switch-port-policy command under config user nac-policy was removed. The config switch-controller nac-settings command is now the config switch-controller fortilink-settings command.

GUI and CLI changes

  • You can now specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties.
  • The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. This process has been optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.

    These optimizations include the following:

    • A new event-based approach.
    • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.
    • NAC inactive timers are now applied to the NAC MAC cache table.
    • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

    Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds.

Introduction

This document provides the following information for FortiSwitchOS 7.0.0 devices managed by FortiOS 7.0.0 build 0066.

See the Fortinet Document Library for Managed FortiSwitch documentation.

NOTE: FortiLink is not supported in transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range Number of FortiSwitch Units Supported
FortiGate 40F, 91E, FortiGate-VM01 8
FortiGate 60F, 6xE, 80F, 8xE, 90E 16
FortiGate 100D, FortiGate-VM02 24
FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE 32
FortiGate 200E, 201E 64
FortiGate 300D to 500D 48
FortiGate 300E to 500E 72
FortiGate 600D to 900D and FortiGate-VM04 64
FortiGate 600E to 900E 96
FortiGate 1000D to 15xxD 128
FortiGate 1100E to 25xxE 196
FortiGate-3xxx and up and FortiGate-VM08 and up 300

Supported models

Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.

 

note icon New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.

What’s new in FortiOS 7.0.0

The following list contains new managed FortiSwitch features added in FortiOS 7.0.0.

GUI changes

  • Three new tests have been added to the FortiSwitch recommendations in the Security Fabric > Security Rating page to help optimize your network:
    • Check if the quarantine bounce port option is enabled.
    • Check if the PoE status of the switch controller auto-config default policy is enabled.
    • Check if PoE pre-standard detection for all user ports is enabled.
  • You can now use the GUI to view and configure FortiSwitch ports that are shared between VDOMs. To share FortiSwitch ports between VDOMs, you must use the CLI. Go to WiFi & Switch Controller > FortiSwitch Ports to view the shared FortiSwitch ports and edit them.
  • A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3.
  • The new FortiSwitch NAC VLANs widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen.
  • There have been GUI updates to the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages to simplify the configuration of NAC policies.

    Previously, dynamic port policies had to be configured in the FortiSwitch Ports, FortiLink Interface, and FortiSwitch NAC Policies pages. Now, configuring dynamic port polices is under the Dynamic Port Policies tab on the FortiSwitch Port Policies page.

  • The FortiSwitch NAC Policies page is now the NAC Policies page.
  • The access mode of each FortiSwitch port is listed in the Mode column in the FortiSwitch Ports page. Right-click in the Mode column to select the access mode of the port:
    • Static—The port does not use a dynamic port policy or FortiSwitch NAC policy.
    • Assign Port Policy—The port uses a dynamic port policy.
    • NAC—The port uses a FortiSwitch NAC policy.

CLI changes

  • New FortiOS commands allow you to enable the automatic provisioning of FortiSwitch firmware after authorization. On FortiGate models with a disk, up to four images of the same FortiSwitch model can be uploaded. On FortiGate models without a disk, one FortiSwitchOS image can be uploaded.
  • When a FortiSwitch upgrade cannot be completed (because of connectivity issues, for example), you can cancel the upgrade with a new FortiOS command:

     

    execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_ number> | switch-group <switch_group_ID>}

     

  • Supported managed-switch ports can be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
  • A new FortiOS command allows you to control the cipher used by the switch-controller CAPWAP:

     

    config switch-controller system

    set tunnel-mode {compatible | strict}

    end

     

    By default, tunnel-mode is set to compatible, which lets the switch-controller CAPWAP use AES128-SHA:DES-CBC3-SHA. If you set tunnel-mode to strict, the switch-controller CAPWAP uses the cipher set in FortiOS.
  • You can now manually create an inter-switch link (ISL) trunk. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk.
  • Fortinet now supports Federal Information Processing Standard Publication (FIPS) 140-2 (Level 2) for the following managed FortiSwitch models:
    • FS-424E
    • FS-424E-FPOE
    • FS-M426E-FPOE
    • FS-424E-Fiber
    • FS-448E
    • FS-448E-FPOE
    • FS-1048E
    • FS-3032E
  • There are more authentication protocols and privacy (encryption) protocols supported under the config switch-controller snmp-user command. The following authentication protocols are available for the set auth-proto command:
    • HMAC-MD5-96
    • HMAC-SHA-1
    • HMAC-SHA-224
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512

    The following privacy (encryption) protocols are available for the set priv-proto command:

    • CFB128-AES-128 symmetric encryption protocol
    • CFB128-AES-192 symmetric encryption protocol
    • CFB128-AES-192-C symmetric encryption protocol
    • CFB128-AES-256 symmetric encryption protocol
    • CFB128-AES-256-C symmetric encryption protocol
    • CBC-DES symmetric encryption protocol
  • There were some FortiOS CLI changes for the FortiSwitch network access control. The set switch-port-policy command under config user nac-policy was removed. The config switch-controller nac-settings command is now the config switch-controller fortilink-settings command.

GUI and CLI changes

  • You can now specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties.
  • The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. This process has been optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.

    These optimizations include the following:

    • A new event-based approach.
    • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.
    • NAC inactive timers are now applied to the NAC MAC cache table.
    • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

    Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds.