Introduction

This document provides the following information for FortiSwitchOS 7.2.3 build 0434.

See the Fortinet Document Library for FortiSwitchOS documentation.

Supported models

FortiSwitchOS 7.2.3 supports the following models:

FortiSwitch 1xx: FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx: FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx: FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx: FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx: FS-1024D, FS-1024E, FS-1048E, FS-T1024E
FortiSwitch 3xxx: FS-3032E
FortiSwitch Rugged: FSR-112D-POE, FSR-124D

What’s new in FortiSwitchOS 7.2.3

Release 7.2.3 provides the following new features:

  • You can now use the GUI to create a policy to control routing using the Router > Config > Policy > Next Hop Groups, Router > Config > Policy > PBR Maps, and Router > Config > Policy > Interfaces pages.

  • IPv6 addresses are now supported in access control lists (ACLs) for ingress policies.

  • To support the EtherLike-MIB, the following improvements have been made to the dot3StatsTable (OID: 1.3.6.1.2.1.10.7.2.1.19):

    • System interfaces are now supported in addition to switch ports.

    • The table type was changed from the simple table type to the complex table type so that the table size more accurately reflects the number of available interfaces.

    • The following additional nodes are now supported:

      • dot3StatsFCSErrors

      • dot3StatsDeferredTransmissions

      • dot3StatsInternalMacTransmitErrors

      • dot3StatsCarrierSenseErrors

      • dot3StatsFrameTooLongs

      • dot3StatsInternalMacReceiveErrors

    • There are additional diagnose-debug messages.

  • PSK-mode MACsec and dynamic-CAK mode are now supported on the 10G and 100G ports on FS-1024E and the 100G ports on FS-T1024E. The FS-1024E and FS-T1024E models support the GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, and GCM-AES-XPN-256 cipher suites.

  • The set eap-egress-tagged {enable | disable} command is now supported on the FS-1xxE and FS-1xxF models. When you are using the MAC move feature with EAP authentication, you can disable eap-egress-tagged to force the switch to always use the untagged EAP response.

  • The following changes and enhancements have been made to the set allow-mac-move command:

    • The set allow-mac-move command has been changed to set allow-mac-move-to for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

    • You can now use the set allow-mac-move-from command for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

    • You can now enable the set allow-mac-move command on a global level for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

  • The new User, Security, and Fortinet columns in the 802.1X Session page provide the user name, the security group name, and the RADIUS group name.

  • You can now change how the ALARM LED functions for the FSR-112D-POE model, system part number P17080-04 or later. You can check the system part number with the get system status command. Use the following command to have the ALARM LED turn red when only one power supply unit (PSU) is connected:

    config system global
        set single-psu-fault enable
    end

    By default, the set single-psu-fault command is disabled.

  • MAB-only authentication is now supported. In this mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent. To enable MAB-only authentication:

    config switch interface
        edit <interface_name>
            config port-security
                set port-security-mode {802.1X | 802.1X-mac-based}
                set mac-auth-bypass enable
                set auth-order MAB
            end
        next
    end

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
