FortiSwitchOS Administration Guide

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the FortiLink Guide (FortiOS 7.4.1).

If you will be managing your FortiSwitch unit using FortiLAN Cloud, see the FortiLAN Cloud User Guide.

If you will be managing your FortiSwitch unit using FortiSwitch Manager, see the FortiSwitch Manager Administration Guide.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

What's new in FortiSwitchOS 7.4.1

Release 7.4.1 provides the following new features:

  • The FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models now support flow export. For more details, see Flow export.

  • The FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, and FS-448E-FPOE models now support Protocol Independent Multicast (PIM) routing. For more details, see Multicast.

  • The FS-1024E and FS-T1024E models now support Media Access Control security (MACsec) on 4x25G split ports. For more details, see MAC security.

  • You can now configure MACsec profiles in the GUI. For more details, see MAC security.

  • You now have the flexibility to exclude one or more protocols from the MACsec traffic policy. By default, all protocols are encrypted. You can use the CLI to exclude ARP, 802.1q VLAN, FortiLink, IPv4, IPv6, LACP, LLDP, 802.1ad QinQ, and STP packets. For more details, see MAC security.

  • When strong cryptography is disabled in the System > Config > SSL page, FortiSwitchOS displays a warning that the switch will reboot and then requires the user to confirm before rebooting the switch. For more details, see SSL.

  • You can now generate an elliptic curve (ECDSA) certificate using a certificate signing request (CSR). You can choose a SECP256R1, SECP384R1, or SECP521R1 elliptic curve. For more details, see Local.

  • You can use new CLI commands to specify how the following RADIUS request attributes are formatted:

    • User-Name

    • User-Password

    • Called-Station-Id

    • Calling-Station-Id

    For more details, see Specifying how RADIUS request attributes are formatted.

  • You can now configure network monitoring and view network-monitoring statistics in the GUI. You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a FortiSwitch unit in survey mode, or do both. For more details, see Network monitor.

  • You can now configure Intermediate System to Intermediate System Protocol (IS-IS) routing in the GUI. For more details, see IS-IS routing.

  • FR-TRAN-ZX now supports the diagnostic monitoring interface (DMI). For more details, see Diagnostic monitoring interface module status.

  • FortiSwitchOS can now distinguish between the interchassis link (ICL) being down and a peer switch being down or getting restarted. When a peer switch is down or restarted, the other switch does not mistakenly detect a split-brain state and shut down all ports. For more details, see Detecting a split-brain state.

  • You can now configure in the CLI how long MAC authentication bypass (MAB) sessions are kept:

    • In static mode, MAB sessions are kept until the link goes down or the MAB sessions are manually deleted with the CLI.

    • In dynamic mode, MAB sessions are treated the same way as dynamically learned MAC addresses.

    For more details, see Configuring how long MAB sessions are kept.

  • You can now use flow-based Equal Cost Multi-Path (ECMP) routing with Virtual Extensible LAN (VXLAN) interfaces for load balancing. For more details, see Using ECMP routing with VXLAN interfaces.

  • The set vxlan-port command (under config switch global) is now the set vxlan-dport command.

  • FortiSwitchOS can now detect duplicate MAC addresses in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) with VXLAN interfaces. When a duplicate MAC address is detected, FortiSwitchOS logs it as an error, making it quicker to find and resolve problems in the network configuration. For more details, see Duplicate address detection.

  • The FS-1048 model now supports autonegotiation for the 40G direct-attach cable (FN-CABLE-QSFP+). For more details, see Setting port speed (autonegotiation).

  • If you are using FortiSwitchOS 7.4.1 in FortiLink mode:

    • You can now make your Security Fabric more secure with the FortiLink secured fabric. The FortiLink secured fabric provides authentication and encryption to all fabric links, wherever possible. Zero-touch support is available for FortiLink mode over a layer-2 network and over a layer-3 network. For more details, see FortiLink secured fabric.

    • Managed FortiSwitch units can now perform inter-VLAN routing. The FortiGate device can program a FortiSwitch unit to do the layer-3 routing of trusted traffic between specific VLANs. For more details, see Configuring inter-VLAN routing.

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit's GUI and CLI.