
FortiSwitchOS Administration Guide

Introduction

7.4.0

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the FortiLink Guide—FortiSwitch Devices Managed by FortiOS 7.4.

If you will be managing your FortiSwitch unit using FortiLAN Cloud, see the FortiLAN Cloud User Guide.

If you will be managing your FortiSwitch unit using FortiSwitch Manager, see the FortiSwitch Manager Administration Guide.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Whatʼs new in FortiSwitchOS 7.4.0

Release 7.4.0 provides the following new features.

GUI changes

  • The System > Dashboard page has been reorganized to focus on the operational status of the FortiSwitch unit. In addition, there are now graphs for both the last day and last week of the switchʼs CPU usage, RAM usage, and temperature. For more details, see Dashboard.

  • The charts for port and interface traffic and packet losses have been enhanced. For more details, see Viewing port statistics and Interface.

  • The Route Monitor (Router > Monitor > Routing) and IPv6 Route Monitor (Router > Monitor > IPv6 Routing) now display the routes graphically, as well as in a table. When you hover your cursor over a route, the route is highlighted, and the destination and interface of the route are displayed. For more details, see Monitor.

  • You can now add a peer user in the GUI. For more details, see Peer user.

  • The Switch > Monitor > 802.1x Status page is now the Switch > Monitor > 802.1x > Interfaces page.

  • There is now a separate Switch > Monitor > 802.1x > Sessions page that displays the 802.1x MAC authenticated sessions. In the Sessions page, you can search for partial or complete MAC addresses. You can also select one or more MAC addresses and de-authorize the clients at those MAC addresses. For more details, see Viewing the 802.1X details.

  • The GUI now provides OS image signature verification.

    • If you upload an unverified firmware image, the GUI displays a “WARNING: This firmware failed signature validation.” message.

    • If you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays an “Unverified Image Detected” message.

    • After you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays a triangle with a red exclamation mark in the title bar.

    For more details, see Firmware.

CLI changes

  • You can now use the Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) with Virtual Extensible LAN (VXLAN). For more details, see Using BGP EVPN with VXLAN.

  • ARP/ND suppression is now supported for BGP EVPN. For more details, see ARP and ND suppression.

  • The FSR-112D-POE, FSR-124D, FS-1xxE, and FS-1xxF models now support IPv6 router advertisement (RA) guard. For more details, see IPv6 router advertisement guard.

  • You can now back up the FortiSwitch configuration or logs to a Secure File Transfer Protocol (SFTP) server. You can also restore the FortiSwitch configuration or firmware from an SFTP server. You can use an IPv4 address, IPv6 address, or fully qualified domain name (FQDN) to specify the SFTP server. For more details, see the FortiSwitchOS CLI Reference.

  • You can now specify in the CLI that the access control list (ACL) prelookup policy applies to all ingress interfaces. Previously, you could specify only a single interface. For more details, see Creating an ACL prelookup policy.

  • The Message-Authenticator attribute is now included in the Access-Request messages sent for MAC authentication bypass (MAB). Message-Authenticator (RFC 2869) is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, so the RADIUS server can confirm that the request came from a device holding the secret and that its attributes were not altered in transit; this matters for MAB because the request carries nothing stronger than the client MAC address as its credential. For more details, see Attributes sent from the FortiSwitch unit to the RADIUS server during MAB (Access-Request).

  • The new get system interface vlan command lists information about the VLAN interfaces. For more details, see the FortiSwitchOS CLI Reference.

  • The new get system interface vxlan command lists information about the VXLAN interfaces. For more details, see the FortiSwitchOS CLI Reference.

  • As part of the existing support for RFC 2233, the following counters have been added:

    • ifInOctets
    • ifInUcastPkts
    • ifInErrors
    • ifInDiscards
    • ifOutOctets
    • ifOutUcastPkts
    • ifOutErrors
    • ifOutDiscards

    NOTE: The link status and duplex status are available on all platforms. Some statistics are not tracked (.dot3StatsLateCollisions, .dot3StatsExcessiveCollisions, and .dot3StatsSymbolErrors). Some statistics (.dot3StatsFCSErrors, .dot3StatsDeferredTransmissions, and .dot3StatsFrameTooLongs) are supported only on the following switch models: FSR-124D, FSR-424F-POE, 200 Series, FS-4xxE, 500 Series, FS-1xxxD, and FS-1xxxE.

  • EAP-FAST is now supported.

  • LACP fallback mode is now supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. For more details, see Link aggregation groups.

  • The commands for applying a Media Access Control security (MACsec) profile to a port have moved from under config switch interface to under config switch physical-port. In addition, the execute macsec clearstat interface, execute macsec reset interface, and execute macsec toggle interface commands are now the execute macsec clearstat physical-port, execute macsec reset physical-port, and execute macsec toggle physical-port commands. For more details, see MACsec.

  • A new CLI command lets you choose the hash algorithm used to store the passwords of new administrator accounts: PBKDF2, SHA1, or SHA256. The default is SHA256. Of the three, only PBKDF2 is a deliberately slow, iterated key-derivation function, which makes it the most resistant to offline guessing if a configuration backup or the stored hash is ever exposed; select SHA1 only when you need compatibility with a release that requires it (see the downgrade note below). For more details, see Setting the administrator password.

  • The execute system admin account-convert command has been replaced by execute system admin account-convert-sha1 and execute system admin account-convert-sha256:

    • Before downgrading to a FortiSwitchOS version earlier than 7.0.0, make sure the administrator password is stored in SHA1 format. Use the execute system admin account-convert-sha1 command to convert the administrator password to the SHA1 hash format.

    • Before downgrading to FortiSwitchOS 7.0.0 or later, make sure the administrator password is stored in SHA1 or SHA256 format. Use the execute system admin account-convert-sha1 command to convert the administrator password to the SHA1 hash format, or the execute system admin account-convert-sha256 command to convert the password of a system administrator account to the SHA256 hash format.

    The earlier releases cannot read a password stored in the PBKDF2 format (and releases before 7.0.0 cannot read SHA256 either), so converting before the downgrade is what keeps the administrator account usable afterwards.

    For more details, see Setting the administrator password.

  • The new set wildcard-fallback command lets FortiSwitchOS fall back to the wildcard system administrator accounts when no administrator account matches the login name exactly. Because a wildcard account accepts any user name that the remote authentication server vouches for, enable this only where every user that server can authenticate should receive the wildcard account's access profile. For more details, see Adding a remote administrator.

  • You can now split ports on the FS-T1024E and FS-1024E models. You can enable the maximum speed (100G) of ports 25 and 26; each split port has a maximum speed of 25G. For more information, see Configuring split ports.
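To make the Message-Authenticator change above concrete, the following is an added Python example; it is not FortiSwitchOS code and is not taken from this guide. It builds a MAB-style Access-Request the way a NAS does, with the client MAC as User-Name and (RFC 2865-obfuscated) User-Password, computes Message-Authenticator as RFC 2869 specifies, and then verifies it the way a RADIUS server does. The shared secret, NAS address, MAC address and the MAC string format are constructed test values; the attribute set FortiSwitchOS actually sends is the one documented in the section this item refers to.

```python
"""RADIUS Access-Request with Message-Authenticator, as used for MAB.

Added example, not FortiSwitchOS code. Message-Authenticator (type 80,
RFC 2869 s5.14) is HMAC-MD5 keyed with the shared secret over the whole
packet with the attribute's own 16-byte value zeroed. The server
recomputes it; a packet altered in transit, or forged without the
secret, fails the check. Secret, NAS IP and MAC below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype, value):
    # RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: zero-pad to 16-byte blocks, MD5-XOR chain keyed on the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def decrypt_user_password(blob, secret, request_auth):
    """Inverse of encrypt_user_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], b))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_access_request(mac, secret, nas_ip, identifier=1, request_auth=None):
    """NAS side: MAB request carrying the client MAC as both User-Name and User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, mac)
        + _attr(ATTR_USER_PASSWORD, encrypt_user_password(mac, secret, request_auth))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    packet = header + attrs
    tag = hmac.new(secret, packet, hashlib.md5).digest()
    # The placeholder is the last attribute, so its value is the final 16 bytes.
    return packet[:-16] + tag


def parse_attributes(packet):
    """Yield (type, value_offset, value) for every attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """Server side: recompute HMAC-MD5 with the attribute value zeroed, compare in constant time."""
    for atype, off, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute absent: reject rather than silently accept an unauthenticated request


def mab_user_password(packet, secret):
    """Recover the User-Password the NAS sent (for MAB this is the client MAC)."""
    request_auth = packet[4:20]
    for atype, _, value in parse_attributes(packet):
        if atype == ATTR_USER_PASSWORD:
            return decrypt_user_password(value, secret, request_auth)
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_mab_access_request(b"00-11-22-33-44-55", secret, "192.0.2.10")
    print("genuine request verifies:", verify_message_authenticator(pkt, secret))
    tampered = pkt[:22] + b"ff" + pkt[24:]  # alter the first two bytes of User-Name
    print("tampered request verifies:", verify_message_authenticator(tampered, secret))
```

Without this attribute an Access-Request has no integrity protection at all: the Request Authenticator is merely a random value, so anyone on the path can rewrite attributes such as the MAC or NAS address. The server side should therefore require the attribute on every Access-Request rather than treat it as optional; the example's verifier returns False when it is missing for exactly that reason. HMAC-MD5 is what the RFC mandates, and MD5's collision weaknesses do not translate into a practical attack on the keyed HMAC construction.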

GUI and CLI changes

REST API changes

The following REST API endpoint is new:

  • The new execute/backup/config endpoint allows you to back up the switchʼs configuration.

The following REST API endpoint was removed:

  • execute/backup/standalone-config

The following REST API schema changes were made for this release:

  • In the cmdb/router/static endpoint, there is a new gw-l2-switch parameter to enable or disable the layer-2 gateway on the FortiSwitch unit.

  • In the cmdb/switch/global endpoint, the auto-fortilink-discovery parameter was removed.

  • In the cmdb/switch/interface endpoint, the auto-discovery-fortilink parameter was removed.

  • In the cmdb/switch/physical-port endpoint, you can now specify 2500full for the speed parameter.

  • In the monitor/switch/port-speed endpoint, you can now specify 2500full for the supported_speeds parameter.

  • In the cmdb/switch.lldp/profile endpoint, the auto-isl-auth, auto-isl-auth-encrypt, auto-isl-auth-user, auto-isl-auth-identity, and auto-isl-auth-reauth parameters were added.

  • In the cmdb/switch/trunk endpoint, there is a new fallback-port parameter for specifying the LACP fallback port.

  • In the cmdb/switch.acl/prelookup endpoint, the new interface-all parameter allows you to select all interfaces.

  • In the cmdb/system/admin endpoint, there is a new wildcard-fallback parameter to enable or disable falling back to the wildcard administrator accounts when the login name does not match an administrator account exactly.

  • In the cmdb/system.certificate/ca endpoint, there is a new Info parameter for information about the CA certificate name.

  • In the cmdb/system.certificate/local endpoint, there is a new Info parameter for information about the local certificate name.

  • In the cmdb/system/global endpoint, there is a new admin-password-hash parameter for selecting which hash algorithm is used to store the administrator password. The fortilink-auto-discovery and auto-isl parameters were removed.
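As an added illustration of why the hash-algorithm choice (the CLI setting under CLI changes and the admin-password-hash REST parameter above) matters, the following Python script, which is not FortiSwitchOS code and does not reproduce the device's own hash encoding, runs the same offline dictionary attack against a salted SHA256 digest and against a PBKDF2-HMAC-SHA256 digest and reports how much slower each guess becomes. The iteration count, salt and wordlist are assumed or constructed values.

```python
"""Attacker work factor: fast digest versus iterated key derivation.

Added example, not FortiSwitchOS code. It stores one password two ways
and runs the same wordlist against both, timing the cost per guess.
"""
import hashlib
import hmac
import time

# Assumed iteration count for the illustration; the count FortiSwitchOS
# uses for its PBKDF2 option is not stated in this guide.
PBKDF2_ITERATIONS = 50_000


def sha256_hash(password: bytes, salt: bytes) -> bytes:
    """Single fast digest: roughly one compression pass per attacker guess."""
    return hashlib.sha256(salt + password).digest()


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated HMAC-SHA256: every guess costs the attacker `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def dictionary_attack(stored: bytes, salt: bytes, wordlist: list, hasher):
    """Offline guess loop. Returns (recovered password or None, seconds per guess)."""
    start = time.perf_counter()
    found = None
    for guess in wordlist:
        # Constant-time compare as a verifier would; irrelevant to the attacker's cost
        if hmac.compare_digest(hasher(guess, salt), stored):
            found = guess
            break
    tried = wordlist.index(found) + 1 if found is not None else len(wordlist)
    return found, max(time.perf_counter() - start, 1e-9) / tried


def compare_work_factor(password: bytes, salt: bytes, wordlist: list):
    """Attack both storage formats; return (sha256 hit, pbkdf2 hit, slowdown factor)."""
    weak_hit, t_sha = dictionary_attack(sha256_hash(password, salt), salt, wordlist, sha256_hash)
    slow_hit, t_pbk = dictionary_attack(pbkdf2_hash(password, salt), salt, wordlist, pbkdf2_hash)
    return weak_hit, slow_hit, t_pbk / t_sha


if __name__ == "__main__":
    # Constructed wordlist; the weak password is deliberately the last entry.
    words = [b"password", b"admin", b"fortinet", b"Summer2023!", b"letmein"]
    weak, slow, factor = compare_work_factor(b"letmein", b"constructed-salt", words)
    print(f"sha256 cracked: {weak}, pbkdf2 cracked: {slow}, "
          f"each pbkdf2 guess costs about {factor:,.0f}x a sha256 guess")
```

Both formats give up a password that is on the attacker's wordlist; the difference is how many guesses per second the attacker can afford, which is what the slowdown factor measures. That is the property to weigh when choosing between the PBKDF2 and SHA options, and it is why a configuration backup containing administrator hashes should be handled as a secret regardless of the algorithm.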

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit’s GUI and CLI.
