Introduction

This document provides the following information for FortiSwitchOS 7.4.0 build 0767.

See the Fortinet Document Library for FortiSwitchOS documentation.

Supported models

FortiSwitchOS 7.4.0 supports the following models:

FortiSwitch 1xx: FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx: FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx: FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx: FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx: FS-1024D, FS-1024E, FS-1048E, FS-T1024E
FortiSwitch 3xxx: FS-3032E
FortiSwitch Rugged: FSR-112D-POE, FSR-124D, FSR-424F-POE

What’s new in FortiSwitchOS 7.4.0

Release 7.4.0 provides the following new features.

GUI changes

  • The System > Dashboard page has been reorganized to focus on the operational status of the FortiSwitch unit. In addition, there are now graphs for both the last day and last week of the switch’s CPU usage, RAM usage, and temperature.

  • The charts for port and interface traffic and packet losses have been enhanced.

  • The Route Monitor (Router > Monitor > Routing) and IPv6 Route Monitor (Router > Monitor > IPv6 Routing) now display the routes graphically, as well as in a table. When you hover your cursor over a route, the route is highlighted, and the destination and interface of the route are displayed.

  • You can now add a peer user in the GUI.

  • The Switch > Monitor > 802.1x Status page is now the Switch > Monitor > 802.1x > Interfaces page.

  • There is now a separate Switch > Monitor > 802.1x > Sessions page that displays the 802.1x MAC authenticated sessions. In the Sessions page, you can search for partial or complete MAC addresses. You can also select one or more MAC addresses and de-authorize the clients at those MAC addresses.

  • The GUI now provides OS image signature verification.

    • If you upload an unverified firmware image, the GUI displays a “WARNING: This firmware failed signature validation.” message.

    • If you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays an “Unverified Image Detected” message.

    • After you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays a triangle with a red exclamation mark in the title bar.

CLI changes

  • You can now use the Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) with Virtual Extensible LAN (VXLAN).

  • ARP/ND suppression is now supported for BGP EVPN.

  • The FSR-112D-POE, FSR-124D, FS-1xxE, and FS-1xxF models now support IPv6 router advertisement (RA) guard.

  • You can now back up the FortiSwitch configuration or logs to a Secure File Transfer Protocol (SFTP) server. You can also restore the FortiSwitch configuration or firmware from an SFTP server. You can use an IPv4 address, IPv6 address, or fully qualified domain name (FQDN) to specify the SFTP server.

  • You can now specify in the CLI that the access control list (ACL) prelookup policy applies to all ingress interfaces. Previously, you could specify only a single interface.

  • The Message-Authenticator attribute (RFC 2869) is now included in MAC authentication bypass (MAB) Access-Request messages, so that the RADIUS server can authenticate the request itself rather than only the hidden User-Password value.

  • The new get system interface vlan command lists information about the VLAN interfaces.

  • The new get system interface vxlan command lists information about the VXLAN interfaces.

  • As part of the existing support for RFC 2233, the following counters have been added:

    • ifInOctets
    • ifInUcastPkts
    • ifInErrors
    • ifInDiscards
    • ifOutOctets
    • ifOutUcastPkts
    • ifOutErrors
    • ifOutDiscards

    NOTE: The link status and duplex status are available on all platforms. Some statistics are not tracked (.dot3StatsLateCollisions, .dot3StatsExcessiveCollisions, and .dot3StatsSymbolErrors). Some statistics (.dot3StatsFCSErrors, .dot3StatsDeferredTransmissions, and .dot3StatsFrameTooLongs) are supported only on the following switch models: FSR-124D, FSR-424F-POE, 200 Series, FS-4xxE, 500 Series, FS-1xxxD, and FS-1xxxE.

  • EAP-FAST is now supported.

  • LACP fallback mode is now supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network.

  • The commands for applying a Media Access Control security (MACsec) profile to a port have moved from under config switch interface to under config switch physical-port. In addition, the execute macsec clearstat interface, execute macsec reset interface, and execute macsec toggle interface commands are now the execute macsec clearstat physical-port, execute macsec reset physical-port, and execute macsec toggle physical-port commands.

  • A new CLI setting lets you specify which hash algorithm is used to store the passwords of new administrator accounts: PBKDF2, SHA1, or SHA256. By default, SHA256 is used. (The same setting is exposed in the REST API as the admin-password-hash parameter of the cmdb/system/global endpoint.)

  • The execute system admin account-convert command has been replaced by execute system admin account-convert-sha1 and execute system admin account-convert-sha256. Earlier releases cannot read administrator password hashes in formats they do not support, so convert the hash before a downgrade:

    • Before downgrading to a FortiSwitchOS version earlier than 7.0.0, ensure that the administrator password is stored as a SHA1 hash. Use the execute system admin account-convert-sha1 command to convert it to SHA1.

    • Before downgrading to FortiSwitchOS 7.0.0 or a later release (earlier than 7.4.0), ensure that the administrator password is stored as a SHA1 or SHA256 hash, since those releases do not support PBKDF2 hashes. Use the execute system admin account-convert-sha1 command to convert the password to SHA1, or the execute system admin account-convert-sha256 command to convert the password for a system administrator account to SHA256.

  • The new set wildcard-fallback command allows FortiSwitchOS to try to match a login name with wildcard system administrator names if FortiSwitchOS cannot match the exact login name.

  • You can now split ports on the FS-T1024E and FS-1024E models. You can enable the maximum speed (100G) of ports 25 and 26; each split port has a maximum speed of 25G.
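
The Message-Authenticator item above is worth a closer look, because it is the only keyed integrity check a plain (non-EAP) Access-Request can carry. The Request Authenticator is a random nonce, and the User-Password hiding only obscures the password, so without Message-Authenticator the other attributes of a captured MAB request (Calling-Station-Id, NAS-Port-Type, and so on) can be altered and replayed without the server noticing. The following Python is an added example, not code from the FortiSwitch release notes or from Fortinet: it builds a MAB Access-Request the way a switch would, appends Message-Authenticator as HMAC-MD5 over the packet with the attribute's value zeroed (RFC 2869 section 5.14), and shows the server-side verification rejecting a tampered request, a request computed with the wrong shared secret, and a request from which the attribute has been stripped. The shared secret, the client MAC address, and the convention of sending the MAC as both User-Name and User-Password are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values, not taken from the FortiSwitch release notes:
# the RADIUS shared secret and the MAC address of a supplicant-less device
# being authenticated by MAC authentication bypass (MAB).
SHARED_SECRET = b"example-shared-secret"
CLIENT_MAC = "00:11:22:33:44:55"

# RADIUS code and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + Request Authenticator(16)


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This hides the value; it is not an integrity check on the packet."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_mab_access_request(mac: str, secret: bytes, identifier: int, req_auth: bytes) -> bytes:
    """Build an Access-Request for MAB. Sending the MAC address as both User-Name and
    User-Password is a common MAB convention and an assumption of this example.
    Message-Authenticator (RFC 2869 section 5.14) is HMAC-MD5 keyed with the shared
    secret over the whole packet, with the attribute's own value set to 16 zero octets."""
    mac_bytes = mac.encode("ascii")
    attrs = (
        _attr(ATTR_USER_NAME, mac_bytes)
        + _attr(ATTR_USER_PASSWORD, hide_user_password(mac_bytes, secret, req_auth))
        + _attr(ATTR_CALLING_STATION_ID, mac.upper().replace(":", "-").encode("ascii"))
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 15))  # 15 = Ethernet
    )
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + req_auth
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, digest)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What a RADIUS server should do on receipt: walk the attributes, recompute the
    HMAC with the Message-Authenticator value zeroed, and compare in constant time.
    A packet without the attribute is rejected, so stripping it does not help an attacker."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def strip_message_authenticator(packet: bytes) -> bytes:
    """Remove a trailing Message-Authenticator and fix up the length field; models an
    attacker or a legacy client that omits the attribute."""
    body = packet[:-18]
    return body[:2] + struct.pack("!H", len(body)) + body[4:]


if __name__ == "__main__":
    req_auth = os.urandom(16)  # Request Authenticator: 16 fresh random octets per request
    pkt = build_mab_access_request(CLIENT_MAC, SHARED_SECRET, 1, req_auth)
    print("genuine request verifies:", verify_message_authenticator(pkt, SHARED_SECRET))
    stripped = strip_message_authenticator(pkt)
    print("stripped request verifies:", verify_message_authenticator(stripped, SHARED_SECRET))
```

The check that matters on the server side is the final return False in verify_message_authenticator: if a server treats a missing Message-Authenticator as acceptable, the attribute adds nothing, because an attacker who cannot compute the HMAC simply leaves it out.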

GUI and CLI changes

  • FS-1xx and FS-2xx models now support configuring a DHCP server.

  • You can now add multiple administrators with wildcards in their names.

  • To further harden the strong-cryptography setting, additional weak cipher algorithms have been removed. When you enable strong cryptography (set strong-crypto enable under config system global), only the following SSH ciphers and algorithms are supported:

    • Ciphers (encryption algorithms):

      • chacha20-poly1305@openssh.com

      • aes128-ctr

      • aes192-ctr

      • aes256-ctr

      • aes128-gcm@openssh.com

      • aes256-gcm@openssh.com

    • Key-exchange algorithms:

      • curve25519-sha256@libssh.org

      • diffie-hellman-group-exchange-sha256

    • Host-key algorithm:

      • ssh-ed25519

    • Message authentication code algorithms:

      • umac-128-etm@openssh.com

      • hmac-sha2-256-etm@openssh.com

      • hmac-sha2-512-etm@openssh.com
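
A practical way to confirm that a switch (or any SSH server) really offers only the algorithms in the list above is to look at its SSH_MSG_KEXINIT, the first unencrypted message it sends, which enumerates every key-exchange, host-key, cipher and MAC algorithm it is willing to negotiate. The following Python is an added example, not code from the FortiSwitch release notes or from Fortinet: it parses a KEXINIT payload (RFC 4253 section 7.1), compares each name-list against the strong-crypto set, and reports anything offered outside it. The two sample payloads are constructed in the block, not captured from a real device; the "lax" one deliberately adds legacy algorithms to show what the audit flags. To audit a live server, feed it the KEXINIT payload bytes from a packet capture in place of the samples.

```python
import struct

# Algorithms FortiSwitchOS 7.4.0 leaves enabled when strong-crypto is on, copied from
# the list above. Anything a server offers outside these sets is flagged by the audit.
STRONG_CRYPTO_ALLOWED = {
    "kex": {"curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ssh-ed25519"},
    "cipher": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac": {"umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"},
}

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16
# Name-lists in the order they appear in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf: bytes, pos: int):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII names."""
    if pos + 4 > len(buf):
        raise ValueError("truncated KEXINIT: missing name-list length")
    (n,) = struct.unpack_from("!I", buf, pos)
    pos += 4
    raw = buf[pos:pos + n]
    if len(raw) != n:
        raise ValueError("truncated KEXINIT: name-list shorter than its length field")
    names = [s for s in raw.decode("ascii").split(",") if s]
    return names, pos + n


def parse_kexinit(payload: bytes) -> dict:
    """Parse the unencrypted payload of an SSH_MSG_KEXINIT (message byte, 16-byte
    cookie, ten name-lists, first_kex_packet_follows, reserved) into a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + COOKIE_LEN
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], pos = _read_name_list(payload, pos)
    if pos + 5 > len(payload):
        raise ValueError("truncated KEXINIT: missing trailer")
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def build_kexinit(fields: dict, cookie: bytes = b"\x00" * COOKIE_LEN) -> bytes:
    """Inverse of parse_kexinit; used here only to construct sample server payloads."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack("!I", len(raw)) + raw
    return out + b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows = false, reserved


def audit_kexinit(payload: bytes, allowed: dict = STRONG_CRYPTO_ALLOWED) -> dict:
    """Return, per category, the algorithms the peer offers that are not in the allowed
    set. An empty list in every category means the offer matches the strong-crypto list."""
    f = parse_kexinit(payload)
    offered = {
        "kex": f["kex"],
        "hostkey": f["hostkey"],
        "cipher": f["cipher_c2s"] + f["cipher_s2c"],
        "mac": f["mac_c2s"] + f["mac_s2c"],
    }
    return {cat: sorted(set(names) - allowed[cat]) for cat, names in offered.items()}


# Constructed sample payloads (not captured from a real switch). The first offers
# only algorithms from the strong-crypto set; the second also offers legacy ones.
_STRICT = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519"],
    "cipher_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "cipher_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "umac-128-etm@openssh.com"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "umac-128-etm@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
STRICT_SERVER_KEXINIT = build_kexinit(_STRICT)
_LAX = {k: list(v) for k, v in _STRICT.items()}
_LAX["kex"].append("diffie-hellman-group14-sha1")
_LAX["hostkey"].append("ssh-rsa")
_LAX["cipher_s2c"].append("aes128-cbc")
_LAX["mac_c2s"].append("hmac-sha1")
LAX_SERVER_KEXINIT = build_kexinit(_LAX)

if __name__ == "__main__":
    for label, payload in (("strict", STRICT_SERVER_KEXINIT), ("lax", LAX_SERVER_KEXINIT)):
        print(label, audit_kexinit(payload))
```

The audit checks both directions of each cipher and MAC list, because a server can legitimately offer different sets client-to-server and server-to-client; a policy check that only reads one direction can miss a weak algorithm enabled on the other.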

REST API changes

The following REST API endpoint is new:

  • The new execute/backup/config endpoint allows you to back up the switch’s configuration.

The following REST API endpoint was removed:

  • execute/backup/standalone-config

The following REST API schema changes were made for this release:

  • In the cmdb/router/static endpoint, there is a new gw-l2-switch parameter to enable or disable the layer-2 gateway on the FortiSwitch unit.

  • In the cmdb/switch/global endpoint, the auto-fortilink-discovery parameter was removed.

  • In the cmdb/switch/interface endpoint, the auto-discovery-fortilink parameter was removed.

  • In the cmdb/switch/physical-port endpoint, you can now specify 2500full for the speed parameter.

  • In the monitor/switch/port-speed endpoint, you can now specify 2500full for the supported_speeds parameter.

  • In the cmdb/switch.lldp/profile endpoint, the auto-isl-auth, auto-isl-auth-encrypt, auto-isl-auth-user, auto-isl-auth-identity, and auto-isl-auth-reauth parameters were added.

  • In the cmdb/switch/trunk endpoint, there is a new fallback-port parameter for specifying the LACP fallback port.

  • In the cmdb/switch.acl/prelookup endpoint, the new interface-all parameter allows you to select all interfaces.

  • In the cmdb/system/admin endpoint, there is a new wildcard-fallback parameter to enable or disable attempting authentication against wildcard accounts if authenticating the current account fails.

  • In the cmdb/system.certificate/ca endpoint, there is a new Info parameter for information about the CA certificate name.

  • In the cmdb/system.certificate/local endpoint, there is a new Info parameter for information about the local certificate name.

  • In the cmdb/system/global endpoint, there is a new admin-password-hash parameter for selecting which hash algorithm to use to encode the administrator password. The fortilink-auto-discovery and auto-isl parameters were removed.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
