Administration Guide

Introduction


This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Devices Managed by FortiOS 7.0.

This section covers the following topics:

  • Supported models
  • What's new in FortiSwitchOS 7.0.3
  • Before you begin

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

What's new in FortiSwitchOS 7.0.3

Release 7.0.3 provides the following new features:

  • NAC LAN segments are now supported on the FS-124F, FS-124F-POE, and FS-124F-FPOE models in FortiLink mode. FortiOS 7.0.1 or higher is required.
  • To support the IEEE 802 LLDP MIB, the following OIDs have been added:

    Name                          OID
    ----------------------------  ----------------------
    lldpLocalSystemData           .1.0.8802.1.1.2.1.3
      lldpLocChassisIdSubtype
      lldpLocChassisId
      lldpLocSysName
      lldpLocSysDesc
      lldpLocSysCapSupported
      lldpLocSysCapEnabled
    lldpLocPortTable              .1.0.8802.1.1.2.1.3.7
      lldpLocPortNum
      lldpLocPortIdSubtype
      lldpLocPortId
      lldpLocPortDesc
    lldpLocManAddrTable           .1.0.8802.1.1.2.1.3.8
      lldpLocManAddrSubtype
      lldpLocManAddr
      lldpLocManAddrLen
      lldpLocManAddrIfSubtype
      lldpLocManAddrIfId
      lldpLocManAddrOID

  • The execute 802-1x clear mac <MAC_address> command allows you to clear the authorized session associated with a specific MAC address.
  • TLS 1.0 is no longer supported. To configure which TLS version to use for web administration, use the set https-ssl-versions {tlsv1-1 | tlsv1-2 | tlsv1-3} command under config system web. In previous releases, the command was set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | tlsv1-3} under config system global. NOTE: TLS 1.3 is not supported in FIPS mode.
  • Dynamic access control lists (DACLs) are now supported on the following platforms:
    • FSR-124D
    • FS-224D-FPOE
    • FS-248D
    • FS-424D
    • FS-424D-POE
    • FS-424D-FPOE
    • FS-424E
    • FS-424E-POE
    • FS-424E-FPOE
    • FS-448D
    • FS-448D-POE
    • FS-448D-FPOE
    • FS-224E
    • FS-224E-POE
    • FS-248E-POE
    • FS-248E-FPOE
    • FS-524D
    • FS-524D-FPOE
    • FS-548D
    • FS-548D-FPOE
    • FS-1024D
    • FS-1048D
    • FS-3032D
  • When the maximum number of 802.1x-authorized clients for a port, which is 20, is exceeded, a warning log (including the MAC address) is reported. For example:

    "6: 1969-12-31 16:02:09 log_id=0104010017 type=event subtype=switch pri=warning vd=root MAC=f0:4d:a2:be:a3:31 , not authorized, exceed port9 maximum of 20 MAC sessions."

  • When the maximum number of 802.1x-authorized clients for the system, which is 10 times the number of ports on the model, is exceeded, a warning log (including the MAC address) is reported. For example, on an FS-224E model:

    "1: 2021-11-02 20:25:49 log_id=0104010010 type=event subtype=switch pri=warning vd=root MAC=f0:4d:a2:be:a3:31 , not authorized, exceed system maximum of 240 MAC sessions."

  • The following are the new REST API endpoints:
    • The monitor/switch/dhcp-snooping-limit-db-details endpoint displays details about the DHCP-snooping lease-count database.
    • The monitor/switch/cable-diag endpoint displays the results of a time-domain reflectometer (TDR) diagnostic test on the cables connected to a specific port.
  • The following are the REST API schema changes:
    • The cmdb/system/fsw-cloud endpoint has been renamed and is now the cmdb/system/flan-cloud endpoint.

    • The response from the monitor/switch/capabilities endpoint has been updated to reflect the current switch capabilities.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
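
The two 802.1x session-limit warnings quoted above can be picked out of a log export and summarized per port and per MAC address. The following is an added example, not Fortinet code: the regular expression is derived only from the two sample lines on this page, the third sample line is constructed, and the function names and the `clock_suspect` field are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two log lines quoted above plus one constructed, unrelated line.
SAMPLE_LOGS = [
    '"6: 1969-12-31 16:02:09 log_id=0104010017 type=event subtype=switch pri=warning vd=root MAC=f0:4d:a2:be:a3:31 , not authorized, exceed port9 maximum of 20 MAC sessions."',
    '"1: 2021-11-02 20:25:49 log_id=0104010010 type=event subtype=switch pri=warning vd=root MAC=f0:4d:a2:be:a3:31 , not authorized, exceed system maximum of 240 MAC sessions."',
    '2: 2021-11-02 20:26:01 log_id=0100000000 type=event subtype=system pri=information vd=root msg="constructed unrelated line"',
]

# Pattern inferred from the sample lines only (assumption: other firmware may format differently).
LIMIT_RE = re.compile(
    r'^\d+: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'log_id=(?P<log_id>\d+) .*?'
    r'MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*, not authorized, '
    r'exceed (?P<scope>\S+) maximum of (?P<limit>\d+) MAC sessions\.',
    re.IGNORECASE,
)

def parse_limit_event(line):
    """Return a dict for an 802.1x session-limit warning, or None for any other line."""
    m = LIMIT_RE.match(line.strip().strip('"'))
    if not m:
        return None
    scope = m["scope"]
    return {
        "timestamp": m["ts"],
        "log_id": m["log_id"],
        "mac": m["mac"].lower(),
        "scope": "system" if scope == "system" else "port",
        "port": None if scope == "system" else scope,
        "limit": int(m["limit"]),
        # Assumption: a year of 1970 or earlier means the switch clock was not set,
        # so the timestamp should not be used for correlation with other sources.
        "clock_suspect": int(m["ts"][:4]) <= 1970,
    }

def summarize(lines):
    """Parse all lines; count rejections per port and per rejected MAC address."""
    events = [e for e in map(parse_limit_event, lines) if e]
    per_port = Counter(e["port"] for e in events if e["port"])
    rejected_macs = Counter(e["mac"] for e in events)
    return events, per_port, rejected_macs

if __name__ == "__main__":
    for event in summarize(SAMPLE_LOGS)[0]:
        print(event)
```

A port that repeatedly hits its limit, or a single MAC address rejected on several ports, is worth reviewing against the expected device inventory for that segment.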

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and have administrative access to the FortiSwitch unit's GUI and CLI.
