Whatʼs new in FortiOS 7.4.0
The following list contains new managed FortiSwitchOS features added in FortiOS 7.4.0. Click on a link to navigate to that section for further information:
-
You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields. You can configure the option-82 settings on a global level, or you can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. In addition, you can display the DHCP option-82 string in ASCII or hexadecimal format. For more details, see Including option-82 data.
-
More tests have been added to the FortiSwitch recommendations to help optimize your network:
-
Check if the switch port where a quarantined device was last seen has bouncing enabled.
-
Check if the Basic Input/Output System (BIOS) on the FortiSwitch unit needs to be upgraded before FortiSwitchOS can be upgraded.
-
If the
poe-status
has been enabled under theconfig switch-controller auto-config policy
command, FortiOS recommends that you disable it to prevent unpredictable problems caused by connecting two power sourcing equipment (PSE) ports.
For more details, see Optimizing the FortiSwitch network.
-
-
The
execute switch-controller get-conn-status
command now shows when the managed FortiSwitch unit is controlled by VXLAN. For more details, see Verifying VXLAN management. -
Two new CLI commands have been added under
config switch-controller system
to improve the FortiLink connection:-
Use the
set caputp-echo-interval <8-600>
command to set the interval for the Control and Provisioning of Unified Termination Points (CAPUTP) ECHO requests from the Scheduling Wide-area Transport Protocol (SWTP). The default value is 30 seconds. Setting the interval to a shorter time means that an offline device is detected quicker. -
Use the
set caputp-max-retransmit <0-64>
command to set the maximum number of times that CAPUTP tunnel packets are retransmitted. The default value is 4. Setting the retransmission times to a lower number causes the CAPUTP daemon to time out sooner and then restart for faster failover.
-
-
You can now use the FortiSwitch network access control (NAC) to identify Internet of Things (IoT) and Operational Technology (OT) devices that need to be patched and isolate these devices in a separate VLAN segment. You can specify how severe the IoT and OT vulnerabilities must be for the devices to be isolated. For more details, see Defining a FortiSwitch NAC policy.
-
You can now use names for managed FortiSwitch units in switch-controller CLI commands. The user-defined name is also used in the FortiOS GUI and logs. The FortiSwitch unitʼs serial number is saved in a new read-only field. For more details, see Defining names for managed switches.
-
You can now use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port. For more details, see Configuring an ACL.