
Administration Guide

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Devices Managed by FortiOS 7.2.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

What's new in FortiSwitchOS 7.2.0

Release 7.2.0 provides the following new features:

  • You can now configure in the CLI whether packets with a specific static source MAC address are allowed or dropped. By default, they are allowed.

  • You can now send Wake-on-LAN (WoL) “magic” packets from a system interface or switch port to a specific MAC address.

  • You can now use CLI commands to run REST API requests locally.

  • VXLAN tunnels are now supported.

  • You can now use the CLI for multiple path traceroute, which allows you to find all the routers that perform load balancing between the FortiSwitch unit and the destination.

  • The execute restore and execute backup commands now support IPv6 addresses.

  • You can now configure an IPv6 address and netmask with correction for the administrative distance in the Border Gateway Protocol version-4 (BGP-4) routing parameters.

  • The Operation pane of the System > Dashboard page now displays the status of the power supply units (PSUs) with indicator lights to allow administrators to quickly identify any problems. The PSU status is shown only on FortiSwitch models with redundant PSUs.

  • You can now configure an automation stitch by specifying a trigger and the action to be performed. The automation stitch can be triggered by configuration changes, switch reboots, logged events, and scheduled times. The triggered action can be running a CLI script, sending an email message, displaying an alert in the console, or generating an SNMP trap.

  • The diagnose debug application alertd command now also reports measurements from the CPU, memory, and disk sensors.

  • You can now count ingress and egress packets by color in the GUI and CLI:

    • Ingress packets are marked green if the traffic rate is within the guaranteed information rate. Ingress packets are marked yellow if they exceed the committed burst size but do not exceed the excess burst size. All other ingress packets are marked red.

    • Egress packets are marked green if the traffic rate is within the guaranteed information rate. All other egress packets are marked yellow.

  • IPv6 addresses are now supported when modifying the administrative distance for Border Gateway Protocol version-4 (BGP-4) routing parameters.

  • IPv6 addresses are now supported when configuring a link probe and viewing the link monitor in the GUI.

  • You can now select whether to advertise the IPv4 management address, the IPv6 management address, or no management address in the Management Address TLV. By default, both IPv4 and IPv6 addresses are advertised.

  • The VLAN name TLV is now supported in the LLDP profile. When this TLV is enabled, the specified VLAN names are advertised in LLDP.

  • You can now configure a physical port or trunk as a routed VLAN interface (RVI) for layer-3 routing protocols.

  • You can now configure an IGMP static group to ignore dynamic joins from other ports. Preventing other ports from joining means that administrators control which ports receive traffic. This option is available in the GUI and CLI; it is disabled by default, which allows other ports to dynamically join.

  • You can now configure an MLD static group to ignore requests from other ports to become members. Preventing other ports from joining means that administrators control which ports receive traffic. This option is available in the CLI; it is disabled by default, which allows other ports to dynamically join.

  • The new diagnose sys permission {list | list-by-accprofile | list-cli} commands list the access permissions for access profile groups, access profiles, and CLI paths.

  • You can now configure virtual routing and forwarding in the FortiSwitchOS GUI.

  • Partial VLAN mapping is now supported by the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, FS-148F-FPOE, and FSR-112D-POE models.

  • You can now configure an SNMP trap so that you receive a message when a layer-2 MAC address has been added, deleted, or moved.

  • As part of the existing support for RFC 1493, the following OID has been added:

    Name: dot1dStaticTable
    OID: 1.3.6.1.2.1.17.5.1

  • The new diagnose sys remote assistance commands allow Customer Support (ETAC) to examine your FortiSwitch unit remotely to gather more data about your switch's configuration and to find the solution to your issue. The remote assistance session uses an SSL tunnel for a secure connection. When the remote assistance session is active, it is shown in the System Information panel of your FortiSwitch dashboard, and a warning against local changes is displayed at the top of the GUI.

  • You can now use the config log disk filter and config log disk setting commands to save event log messages in flash memory.

  • The following statistics for the flash partitions are now displayed on the System > Config > Firmware page:
    • Content of each partition
    • Total size of the partition
    • How much of the partition is used
    • Percent used
    • Status
    • Which image will be loaded when the FortiSwitch unit is restarted
  • You can now generate a detailed debugging report from the System > Debug Report page and then download it so that you can send it to technical support. The report is identical to the output of the diagnose debug report command.
  • A new Switch > DHCP Snooping page allows you to enable the trusted DHCP server list for DHCP snooping.
  • You can now configure the maximum burst size allowed by storm control on the Switch > Storm Control page and the Edit Physical Port page.
  • Access control lists are now supported on the FSR-112D-POE model.
  • Border Gateway Protocol (BGP) routing is now supported on the FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, and FS-448E-FPOE models.
  • The following commands are now supported by the FS-148F, FS-148F-POE, and FS-148F-FPOE models:
    • diagnose switch physical-ports qos-stats list
    • diagnose switch physical-ports qos-stats non-zero
    • diagnose switch physical-ports qos-stats set-qos-counter-revert
    • diagnose switch physical-ports qos-stats set-qos-counter-zero
    • diagnose switch physical-ports qos-rates list
    • diagnose switch physical-ports qos-rates non-zero
  • Setting the switch-mgmt-mode is no longer needed, so the set switch-mgmt-mode command has been removed from config system global.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit’s GUI and CLI.
