Introduction
This document provides the following information for FortiSwitchOS 7.4.0 build 0767.
- Supported models
- Special notices
- Upgrade information
- Product integration and support
- Resolved issues
- Known issues
See the Fortinet Document Library for FortiSwitchOS documentation.
Supported models
FortiSwitchOS 7.4.0 supports the following models:
FortiSwitch 1xx | FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE |
FortiSwitch 2xx | FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE |
FortiSwitch 4xx | FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE |
FortiSwitch 5xx | FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE |
FortiSwitch 1xxx | FS-1024D, FS-1024E, FS-1048E, FS-T1024E |
FortiSwitch 3xxx | FS-3032E |
FortiSwitch Rugged | FSR-112D-POE, FSR-124D, FSR-424F-POE |
What’s new in FortiSwitchOS 7.4.0
Release 7.4.0 provides the following new features.
GUI changes
- The System > Dashboard page has been reorganized to focus on the operational status of the FortiSwitch unit. In addition, there are now graphs for both the last day and last week of the switch’s CPU usage, RAM usage, and temperature.
- The charts for port and interface traffic and packet losses have been enhanced.
- The Route Monitor (Router > Monitor > Routing) and IPv6 Route Monitor (Router > Monitor > IPv6 Routing) now display the routes graphically, as well as in a table. When you hover your cursor over a route, the route is highlighted, and the destination and interface of the route are displayed.
- You can now add a peer user in the GUI.
- The Switch > Monitor > 802.1x Status page is now the Switch > Monitor > 802.1x > Interfaces page.
- There is now a separate Switch > Monitor > 802.1x > Sessions page that displays the 802.1x MAC authenticated sessions. In the Sessions page, you can search for partial or complete MAC addresses. You can also select one or more MAC addresses and de-authorize the clients at those MAC addresses.
- The GUI now provides OS image signature verification.
- If you upload an unverified firmware image, the GUI displays a “WARNING: This firmware failed signature validation.” message.
- If you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays an “Unverified Image Detected” message.
- After you log in to a FortiSwitch unit running an unverified firmware image, the GUI displays a triangle with a red exclamation mark in the title bar.
CLI changes
- You can now use the Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) with Virtual Extensible LAN (VXLAN).
- ARP/ND suppression is now supported for BGP EVPN.
- The FSR-112D-POE, FSR-124D, FS-1xxE, and FS-1xxF models now support IPv6 router advertisement (RA) guard.
- You can now back up the FortiSwitch configuration or logs to a Secure File Transfer Protocol (SFTP) server. You can also restore the FortiSwitch configuration or firmware from an SFTP server. You can use an IPv4 address, IPv6 address, or fully qualified domain name (FQDN) to specify the SFTP server.
- You can now specify in the CLI that the access control list (ACL) prelookup policy applies to all ingress interfaces. Previously, you could specify only a single interface.
- The Message-Authenticator attribute is now used for authentication in MAC authentication bypass (MAB) Access-Request messages.
- The new get system interface vlan command lists information about the VLAN interfaces.
- The new get system interface vxlan command lists information about the VXLAN interfaces.
- As part of the existing support for RFC 2233, the following counters have been added:
  - ifInOctets
  - ifInUcastPkts
  - ifInErrors
  - ifInDiscards
  - ifOutOctets
  - ifOutUcastPkts
  - ifOutErrors
  - ifOutDiscards
  NOTE: The link status and duplex status are available on all platforms. Some statistics are not tracked (.dot3StatsLateCollisions, .dot3StatsExcessiveCollisions, and .dot3StatsSymbolErrors). Some statistics (.dot3StatsFCSErrors, .dot3StatsDeferredTransmissions, and .dot3StatsFrameTooLongs) are supported only on the following switch models: FSR-124D, FSR-424F-POE, 200 Series, FS-4xxE, 500 Series, FS-1xxxD, and FS-1xxxE.
- EAP-FAST is now supported.
- LACP fallback mode is now supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network.
- The commands for applying a Media Access Control security (MACsec) profile to a port have moved from under config switch interface to under config switch physical-port. In addition, the execute macsec clearstat interface, execute macsec reset interface, and execute macsec toggle interface commands are now the execute macsec clearstat physical-port, execute macsec reset physical-port, and execute macsec toggle physical-port commands.
- A new CLI command allows you to specify which hash algorithm is used to encode passwords for new administrator accounts. You can select the PBKDF2, SHA1, or SHA256 hash algorithm. By default, the SHA256 hash algorithm is used.
- The execute system admin account-convert command has been changed to execute system admin account-convert-sha1 and execute system admin account-convert-sha256:
  - Before downgrading to a FortiSwitchOS version earlier than 7.0.0, you need to ensure that the administrator password is in SHA1 format. Use the execute system admin account-convert-sha1 command to convert the administrator password to SHA1 encryption.
  - Before downgrading to FortiSwitchOS 7.0.0 or later, you need to ensure that the administrator password is in SHA1 or SHA256 format. Use the execute system admin account-convert-sha1 command to convert the administrator password to SHA1 encryption. Use the execute system admin account-convert-sha256 command to convert the password for a system administrator account to SHA256 encryption.
- The new set wildcard-fallback command allows FortiSwitchOS to try to match a login name with wildcard system administrator names if FortiSwitchOS cannot match the exact login name.
- You can now split ports on the FS-T1024E and FS-1024E models. You can enable the maximum speed (100G) of ports 25 and 26; each split port has a maximum speed of 25G.
GUI and CLI changes
- FS-1xx and FS-2xx models now support configuring a DHCP server.
- You can now add multiple administrators with wildcards in their names.
- To increase the security of strong cryptography, additional weaker ciphers and algorithms have been removed. When you enable strong cryptography (set strong-crypto enable under config system global), the following ciphers and algorithms are currently supported:
  Ciphers (encryption algorithms):
  - chacha20-poly1305@openssh.com
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
  Key-exchange algorithms:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
  Host-key algorithm:
  - ssh-ed25519
  Message authentication code algorithms:
  - umac-128-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
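An added example, not part of the Fortinet release notes: a Python check that compares the SSH algorithms a switch advertises, as captured from OpenSSH client debug output (ssh -vv), against the strong-crypto list above. The audit function, the field mapping, and the sample capture are constructed for illustration.

```python
import re

# Algorithms the release notes list for `set strong-crypto enable`.
ALLOWED = {
    "kex": {"curve25519-sha256@libssh.org",
            "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ssh-ed25519"},
    "cipher": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
               "aes256-ctr", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com"},
    "mac": {"umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"},
}
# Field labels OpenSSH prints at -vv for each KEXINIT proposal.
FIELDS = {"KEX algorithms": "kex", "host key algorithms": "hostkey",
          "ciphers ctos": "cipher", "ciphers stoc": "cipher",
          "MACs ctos": "mac", "MACs stoc": "mac"}

def audit(debug_text):
    """Return {category: [names the server offers beyond ALLOWED]}."""
    extra = {cat: set() for cat in ALLOWED}
    in_peer = False
    for line in debug_text.splitlines():
        m = re.match(r"\s*debug2: (.+)$", line)
        if not m:
            continue
        body = m.group(1)
        if body.endswith("KEXINIT proposal"):
            # Only the server's proposal matters, not the client's own.
            in_peer = body.startswith("peer server")
            continue
        label, sep, names = body.partition(": ")
        cat = FIELDS.get(label) if in_peer and sep else None
        if cat:
            extra[cat] |= set(names.split(",")) - ALLOWED[cat]
    return {cat: sorted(v) for cat, v in extra.items() if v}

# Constructed sample: this server still offers a CBC cipher and hmac-sha1.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes128-cbc,aes128-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org
debug2: host key algorithms: ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes128-cbc
debug2: ciphers stoc: aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1
"""
print(audit(SAMPLE))
```

An empty result means the server offered nothing beyond the documented list. Extension markers that some SSH servers append to the KEX field, such as ext-info-s, will be reported as extras and can be disregarded.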
REST API changes
The following REST API endpoint is new:
- The new execute/backup/config endpoint allows you to back up the switch’s configuration.
The following REST API endpoint was removed:
- execute/backup/standalone-config
The following REST API schema changes were made for this release:
- In the cmdb/router/static endpoint, there is a new gw-l2-switch parameter to enable or disable the layer-2 gateway on the FortiSwitch unit.
- In the cmdb/switch/global endpoint, the auto-fortilink-discovery parameter was removed.
- In the cmdb/switch/interface endpoint, the auto-discovery-fortilink parameter was removed.
- In the cmdb/switch/physical-port endpoint, you can now specify 2500full for the speed parameter.
- In the monitor/switch/port-speed endpoint, you can now specify 2500full for the supported_speeds parameter.
- In the cmdb/switch.lldp/profile endpoint, the auto-isl-auth, auto-isl-auth-encrypt, auto-isl-auth-user, auto-isl-auth-identity, and auto-isl-auth-reauth parameters were added.
- In the cmdb/switch/trunk endpoint, there is a new fallback-port parameter for specifying the LACP fallback port.
- In the cmdb/switch.acl/prelookup endpoint, the new interface-all parameter allows you to select all interfaces.
- In the cmdb/system/admin endpoint, there is a new wildcard-fallback parameter to enable or disable attempting authentication against wildcard accounts if authenticating the current account fails.
- In the cmdb/system.certificate/ca endpoint, there is a new Info parameter for information about the CA certificate name.
- In the cmdb/system.certificate/local endpoint, there is a new Info parameter for information about the local certificate name.
- In the cmdb/system/global endpoint, there is a new admin-password-hash parameter for selecting which hash algorithm to use to encode the administrator password. The fortilink-auto-discovery and auto-isl parameters were removed.
Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.