Introduction
This document provides the following information for FortiSwitch 7.4.0 devices managed by FortiOS 7.4.0 build 2360:
See the Fortinet Document Library for FortiSwitchOS documentation.
Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.
NOTE: FortiLink is not supported in transparent mode.
The maximum number of supported FortiSwitch units depends on the FortiGate model:
FortiGate Model Range | Number of FortiSwitch Units Supported |
---|---|
FortiGate 40F, FortiGate-VM01 | 8 |
FortiGate 6xE, 8xE, 90E, 91E | 16 |
FGR-60F, FG-60F, FGR-60F-3G4G, FG-61F, FGR-70F, FGR-70F-3G4G, FG-80F, FG-80FB, FG-80FP, FG-81F, and FG-81FP | 24 |
FortiGate 100D, FortiGate-VM02 | 24 |
FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE | 32 |
FortiGate 200E, 201E | 64 |
FortiGate 300D to 500D | 48 |
FortiGate 300E to 500E | 72 |
FortiGate 600D to 900D and FortiGate-VM04 | 64 |
FortiGate 600E to 900E | 96 |
FortiGate 1000D to 15xxD | 128 |
FortiGate 1100E to 26xxF | 196 |
FortiGate-3xxx and up and FortiGate-VM08 and up | 300 |

New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.
What’s new in FortiOS 7.4.0
The following list contains new managed FortiSwitch features added in FortiOS 7.4.0:
- You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields. You can configure the option-82 settings on a global level, or you can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. In addition, you can display the DHCP option-82 string in ASCII or hexadecimal format.
- More tests have been added to the FortiSwitch recommendations to help optimize your network:
  - Check if the switch port where a quarantined device was last seen has bouncing enabled.
  - Check if the Basic Input/Output System (BIOS) on the FortiSwitch unit needs to be upgraded before FortiSwitchOS can be upgraded.
  - If the `poe-status` has been enabled under the `config switch-controller auto-config policy` command, FortiOS recommends that you disable it to prevent unpredictable problems caused by connecting two power sourcing equipment (PSE) ports.
- The `execute switch-controller get-conn-status` command now shows when the managed FortiSwitch unit is controlled by VXLAN.
- Two new CLI commands have been added under `config switch-controller system` to improve the FortiLink connection:
  - Use the `set caputp-echo-interval <8-600>` command to set the interval for the Control and Provisioning of Unified Termination Points (CAPUTP) ECHO requests from the Scheduling Wide-area Transport Protocol (SWTP). The default value is 30 seconds. Setting the interval to a shorter time means that an offline device is detected more quickly.
  - Use the `set caputp-max-retransmit <0-64>` command to set the maximum number of times that CAPUTP tunnel packets are retransmitted. The default value is 4. Setting the retransmission times to a lower number causes the CAPUTP daemon to time out sooner and then restart for faster failover.
- You can now use the FortiSwitch network access control (NAC) to identify Internet of Things (IoT) and Operational Technology (OT) devices that need to be patched and isolate these devices in a separate VLAN segment. You can specify how severe the IoT and OT vulnerabilities must be for the devices to be isolated.
- You can now use names for managed FortiSwitch units in switch-controller CLI commands. The user-defined name is also used in the FortiOS GUI and logs. The FortiSwitch unit’s serial number is saved in a new read-only field.
- You can now use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.
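
To make the DHCP option-82 item in the list above concrete, the following added example (not Fortinet code) decodes a relay agent information option as laid out in RFC 3046 and renders the Circuit ID and Remote ID in ASCII or hexadecimal. The function names and the sample Circuit ID and Remote ID values are constructed for illustration and do not represent the FortiSwitch fixed format.

```python
"""Decode DHCP option 82 (RFC 3046) and render Circuit ID / Remote ID."""

OPTION_82 = 82
SUBOPTIONS = {1: "circuit-id", 2: "remote-id"}  # RFC 3046 sub-option codes


def parse_option82(option: bytes) -> dict:
    """Parse one complete option-82 TLV into {sub-option name: raw bytes}."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise ValueError("not a relay agent information option")
    body = option[2:]
    if option[1] != len(body):
        raise ValueError("option length does not match payload")
    fields, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sub_len = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option overruns option")
        fields[SUBOPTIONS.get(code, f"unknown-{code}")] = value
        i += 2 + sub_len
    return fields


def render(value: bytes, fmt: str = "ascii") -> str:
    """Show a field as hex, or as ASCII with non-printable bytes escaped."""
    if fmt == "hex":
        return value.hex()
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in value)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the option as a relay agent would insert it (sample data only)."""
    body = bytes([1, len(circuit_id)]) + circuit_id
    body += bytes([2, len(remote_id)]) + remote_id
    return bytes([OPTION_82, len(body)]) + body


# Constructed sample: a plain-text Circuit ID and a binary, MAC-style Remote ID.
SAMPLE = build_option82(b"port3-vlan20", bytes.fromhex("0a0b0c0d0e0f"))

if __name__ == "__main__":
    for name, raw in parse_option82(SAMPLE).items():
        print(f"{name}: ascii={render(raw)} hex={render(raw, 'hex')}")
```

The binary Remote ID shows why a hexadecimal display is useful: rendered as ASCII it consists entirely of escaped non-printable bytes.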