FortiSwitch features configuration

This section describes how to configure global FortiSwitch settings using FortiGate CLI commands. These settings will apply to all of the managed FortiSwitch units. You can also override some of the settings on individual FortiSwitch units.

This chapter covers the following topics:

Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name: VLAN name
    VLAN ID: Enter a number (1-4094)
    Color: Choose a unique color for each VLAN, for ease of visual display.
    Role: Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Administrative access options as required.
  4. Select OK.

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click a port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the VLAN.

    config system interface
        edit <vlan name>
            set vlanid <1-4094>
            set color <1-32>
            set interface <FortiLink-enabled interface>
        end

  2. Set the VLAN's IP address.

    config system interface
        edit <vlan name>
            set ip <IP address> <Network mask>
        end

  3. Enable a DHCP server.

    config system dhcp server
        edit 1
            set default-gateway <IP address>
            set dns-service default
            set interface <vlan name>
            config ip-range
                edit 1
                    set start-ip <IP address>
                    set end-ip <IP address>
                next
            end
            set netmask <Network mask>
        end

  4. Assign ports to the VLAN.

    config switch-controller managed-switch
        edit <Switch ID>
            config ports
                edit <port name>
                    set vlan <vlan name>
                    set allowed-vlans <vlan name>
                next
            end
        end

    To allow every VLAN on the port instead of a named list, replace set allowed-vlans <vlan name> with set allowed-vlans-all enable.

  5. Assign untagged VLANs to a managed FortiSwitch port:

    config switch-controller managed-switch
        edit <managed-switch>
            config ports
                edit <port>
                    set untagged-vlans <VLAN-name>
                next
            end
        next
    end

Viewing FortiSwitch VLANs

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name—name of the VLAN
  • VLAN ID—the VLAN number
  • IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
  • Access—administrative access settings for the VLAN
  • Ref—number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents clients on the same VLAN from seeing each other's traffic at layer 2: clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end

NOTE: You must configure the proxy ARP with the config system proxy-arp CLI command to be able to use the access VLANs. For example:

config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end

Changing the VLAN configuration mode

You can change which VLANs the set allowed-vlans command affects.

If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:

config switch-controller global
    set vlan-all-mode defined
end

If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:

config switch-controller global
    set vlan-all-mode all
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Enabling FortiLink VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks. By default, VLAN optimization is disabled.

To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:

config switch-controller global
    set vlan-optimization enable
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configure IGMP snooping settings

Use the following commands to configure the global IGMP snooping settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

config switch-controller igmp-snooping
    set aging-time <15-3600>
    set flood-unknown-multicast {enable | disable}
end

Configure LLDP-MED

Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both FortiOS and FortiSwitchOS for this feature to work.

To configure LLDP profiles in FortiOS:

config switch-controller lldp-profile
    edit <profile_name>
        set med-tlvs (inventory-management | network-policy | power-management | location-identification)
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs {max-frame-size | power-negotiation}
        set auto-isl {enable | disable}
        set auto-isl-hello-timer <1-30>
        set auto-isl-port-group <0-9>
        set auto-isl-receive-timeout <3-90>
        config med-network-policy
            edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
                set status {enable | disable}
                set vlan-intf <string>
                set priority <0-7>
                set dscp <0-63>
            next
        end
        config med-location-service
            edit {address-civic | coordinates | elin-number}
                set status {enable | disable}
                set sys-location-id <string>
            next
        end
        config custom-tlvs
            edit <TLV_name>
                set oui <hexadecimal_number>
                set subtype <0-255>
                set information-string <0-507>
            next
        end
    next
end

Variable: Description

<profile_name>: Enter a name for the LLDP profile.

med-tlvs (inventory-management | network-policy | power-management | location-identification): Select which LLDP-MED type-length-value descriptions (TLVs) to transmit: inventory-management TLVs, network-policy TLVs, power-management TLVs for PoE, and location-identification TLVs. You can select one or more options. Separate multiple options with a space.

802.1-tlvs port-vlan-id: Transmit the IEEE 802.1 port native-VLAN TLV.

802.3-tlvs {max-frame-size | power-negotiation}: Select whether to transmit the IEEE 802.3 maximum frame size TLV, the power-negotiation TLV for PoE, or both. Separate multiple options with a space.

auto-isl {enable | disable}: Enable or disable the automatic inter-switch LAG.

auto-isl-hello-timer <1-30>: If you enabled auto-isl, you can set the number of seconds for the automatic inter-switch LAG hello timer. The default value is 3 seconds.

auto-isl-port-group <0-9>: If you enabled auto-isl, you can set the automatic inter-switch LAG port group identifier.

auto-isl-receive-timeout <3-90>: If you enabled auto-isl, you can set the number of seconds before the automatic inter-switch LAG times out if no response is received. The default value is 9 seconds.

config med-network-policy

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}: Select which Media Endpoint Discovery (MED) network policy type-length-value (TLV) category to edit.

status {enable | disable}: Enable or disable whether this TLV is transmitted.

vlan-intf <string>: If you enabled the status, you can enter the VLAN interface to advertise. The maximum length is 15 characters.

priority <0-7>: If you enabled the status, you can enter the advertised Layer-2 priority. Set to 7 for the highest priority.

dscp <0-63>: If you enabled the status, you can enter the advertised Differentiated Services Code Point (DSCP) value to indicate the level of service requested for the traffic.

config med-location-service

{address-civic | coordinates | elin-number}: Select which Media Endpoint Discovery (MED) location type-length-value (TLV) category to edit.

status {enable | disable}: Enable or disable whether this TLV is transmitted.

sys-location-id <string>: If you enabled the status, you can enter the location service identifier. The maximum length is 63 characters.

config custom-tlvs

<TLV_name>: Enter the name of a custom TLV entry.

oui <hexadecimal_number>: Enter the organizationally unique identifier (OUI), a 3-byte hexadecimal number, for this TLV.

subtype <0-255>: Enter the organizationally defined subtype.

information-string <0-507>: Enter the organizationally defined information string in hexadecimal bytes.

To configure LLDP settings in FortiOS:

config switch-controller lldp-settings
    set tx-hold <int>
    set tx-interval <int>
    set fast-start-interval <int>
    set management-interface {internal | management}
    set device-detection {enable | disable}
end

Variable: Description

tx-hold: Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.

tx-interval: How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.

fast-start-interval: How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.

management-interface: Primary management interface to be advertised in LLDP and CDP PDUs.

device-detection {enable | disable}: Enable or disable whether LLDP neighbor devices are dynamically detected. By default, this setting is disabled.

To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:

config switch lldp settings
    set device-detection enable
end

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set switch-device-tag <string>
    end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile
    edit <lldp-profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
            next
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
            next
        end
    end
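A custom-tlvs entry (oui, subtype, information-string, described in the variable table above and in the block just shown) is transmitted as an LLDP organizationally specific TLV, type 127. The following added example, which is not Fortinet code, encodes and decodes that TLV and shows where the 507-byte limit on information-string comes from: the TLV length field is 9 bits (511 max), and the OUI and subtype use 4 of those bytes. The OUI and information-string values used in the comments are constructed samples.

```python
"""Encode and decode an LLDP organizationally specific TLV (type 127).

Added example, not Fortinet code. It shows what a custom-tlvs entry
(oui, subtype, information-string) becomes on the wire and enforces the
same ranges as the CLI: 3-byte OUI, subtype 0-255, information string
0-507 bytes.
"""
import re

LLDP_TLV_TYPE_ORG = 127         # organizationally specific TLV type
MAX_TLV_LEN = 511               # 9-bit length field in the TLV header
MAX_INFO_LEN = MAX_TLV_LEN - 4  # 507: 511 minus OUI (3) and subtype (1)


def _hex_to_bytes(value: str) -> bytes:
    """Accept hex with or without separators, e.g. '00-12-BB' or '0012bb'."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(cleaned) % 2:
        raise ValueError(f"odd number of hex digits in {value!r}")
    return bytes.fromhex(cleaned)


def encode_org_tlv(oui: str, subtype: int, information_string: str) -> bytes:
    """Build the TLV bytes for a custom-tlvs entry, enforcing the CLI ranges."""
    oui_bytes = _hex_to_bytes(oui)
    if len(oui_bytes) != 3:
        raise ValueError("oui must be a 3-byte hexadecimal number")
    if not 0 <= subtype <= 255:
        raise ValueError("subtype must be 0-255")
    info = _hex_to_bytes(information_string)
    if len(info) > MAX_INFO_LEN:
        raise ValueError(
            f"information-string is {len(info)} bytes; maximum is {MAX_INFO_LEN}")
    length = 3 + 1 + len(info)
    # TLV header: 7-bit type in the high bits, 9-bit length in the low bits.
    header = (LLDP_TLV_TYPE_ORG << 9) | length
    return header.to_bytes(2, "big") + oui_bytes + bytes([subtype]) + info


def decode_org_tlv(data: bytes) -> dict:
    """Parse one TLV into its fields; rejects anything that is not type 127
    or whose length field disagrees with the bytes actually present."""
    if len(data) < 6:
        raise ValueError("too short for an organizationally specific TLV")
    header = int.from_bytes(data[:2], "big")
    tlv_type, length = header >> 9, header & 0x1FF
    if tlv_type != LLDP_TLV_TYPE_ORG:
        raise ValueError(f"expected TLV type 127, got {tlv_type}")
    if len(data) != 2 + length:
        raise ValueError(f"length field says {length}, frame has {len(data) - 2}")
    return {
        "oui": data[2:5].hex(),
        "subtype": data[5],
        "information_string": data[6:2 + length].hex(),
    }


if __name__ == "__main__":
    # Constructed sample values: OUI 00:12:bb, subtype 1, two info bytes.
    tlv = encode_org_tlv("00-12-BB", 1, "0102")
    print(tlv.hex())              # fe060012bb010102
    print(decode_org_tlv(tlv))
```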

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller switch-info lldp stats <switch> <port>

diagnose switch-controller switch-info lldp neighbors-summary <switch>

diagnose switch-controller switch-info lldp neighbors-detail <switch>

Configure the MAC sync interval

Use the following commands to configure the global MAC sync interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end

Configure STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard.

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings
    set name <name>
    set revision <stp revision>
    set hello-time <hello time>
    set forward-time <forwarding delay>
    set max-age <maximum aging time>
    set max-hops <maximum number of hops>
end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch
    edit <switch-id>
        config stp-settings
            set local-override enable
        end
    end

To configure MSTP instances:

config switch-controller stp-instance
    edit <id>
        set vlan-range <list of VLAN names>
    end

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config stp-instance
            edit <id>
                set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>
            next
        end
    next
end

For example:

config switch-controller stp-instance
    edit 1
        set vlan-range vlan1 vlan2 vlan3
    end

config switch-controller managed-switch
    edit S524DF4K15000024
        config stp-instance
            edit 1
                set priority 16384
            next
        end
    next
end

Configure flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <0-99999>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set collector-ip <collector IP address>
    set collector-port <0-65535; default is 0>
    set transport {udp | tcp | sctp}
    set level {vlan | ip | port | proto}
    set filter <string>
    set max-export-pkt-size <512-9216 bytes; default is 512>
    set timeout-general <60-604800 seconds; default is 3600>
    set timeout-icmp <60-604800 seconds; default is 300>
    set timeout-max <60-604800 seconds; default is 604800>
    set timeout-tcp <60-604800 seconds; default is 3600>
    set timeout-tcp-fin <60-604800 seconds; default is 300>
    set timeout-tcp-rst <60-604800 seconds; default is 120>
    set timeout-udp <60-604800 seconds; default is 300>
end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.

  • The local mode samples packets on a specific FortiSwitch port.
  • The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
  • The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol

You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

Configure collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:

  • vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
  • ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
  • port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.

Configure the filter

Use the Berkeley Packet Filter to specify what packets to sample.

Configure the maximum exported packet size

You can set the maximum size of exported packets in the application level.

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:

diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined MAC addresses are isolated from the rest of the network and LAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

There are two kinds of quarantines:

  • Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
  • Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much network resources quarantined devices use.

Quarantine-by-VLAN is the default. If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:

  1. Disable quarantine.
  2. Change the quarantine-mode to by-redirect.
  3. Remove the quarantine VLAN from the switch ports.
  4. Enable quarantine.
To set up a quarantine in FortiOS:

config switch-controller global
    set quarantine-mode {by-vlan | by-redirect}
end

config user quarantine
    set quarantine enable
    set traffic-policy <traffic_policy_name>
    set firewall-groups <firewall_address_group>
    config targets
        edit <quarantine_entry_name>
            set description <string>
            config macs
                edit <MAC_address_1>
                    set drop {enable | disable}
                next
                edit <MAC_address_2>
                    set drop {enable | disable}
                next
                edit <MAC_address_3>
                    set drop {enable | disable}
                next
            end
        next
    end
end

Option: Description

quarantine-mode {by-vlan | by-redirect}: Select the quarantine mode:

  • by-vlan sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN. This mode is the default.
  • by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit.

traffic-policy <traffic_policy_name>: Optional. A name for the traffic policy that controls quarantined devices. If you do add a traffic policy, you need to configure it with the config switch-controller traffic-policy command.

firewall-groups <firewall_address_group>: Optional. By default, the firewall address group is QuarantinedDevices. If you are using quarantine-by-redirect, you must use the default firewall address group.

quarantine_entry_name: A name for this quarantine entry.

description <string>: Optional. A description of the MAC addresses being quarantined.

MAC_address_1, MAC_address_2, MAC_address_3: A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

drop {enable | disable}: Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit.

For example:

config switch-controller global
    set quarantine-mode by-redirect
end

config user quarantine
    set quarantine enable
    set traffic-policy qtrafficp
    set firewall-groups QuarantinedDevices
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                    set drop disable
                next
                edit 00:11:22:33:44:55
                    set drop disable
                next
                edit 00:01:02:03:04:05
                    set drop disable
                next
            end
        next
    end
end

To configure a traffic policy for quarantined devices in FortiOS:

config switch-controller traffic-policy
    edit <traffic_policy_name>
        set description <string>
        set policer-status enable
        set guaranteed-bandwidth <0-524287000>
        set guaranteed-burst <0-4294967295>
        set maximum-burst <0-4294967295>
        set cos-queue <0-7>
    end

Option: Description

traffic-policy <traffic_policy_name>: Enter a name for the traffic policy that controls quarantined devices.

description <string>: Enter an optional description of the traffic policy.

policer-status enable: Enable the policer configuration to control quarantined devices. It is enabled by default.

guaranteed-bandwidth <0-524287000>: Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0.

guaranteed-burst <0-4294967295>: Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0.

maximum-burst <0-4294967295>: Enter the maximum burst size in bytes. The maximum value is 4294967295. The default value is 0.

cos-queue <0-7>: Set the class of service for the VLAN traffic. Use the unset cos-queue command to disable this setting.

For example:

config switch-controller traffic-policy
    edit qtrafficp
        set description "quarantined traffic policy"
        set policer-status enable
        set guaranteed-bandwidth 10000
        set guaranteed-burst 10000
        set maximum-burst 10000
        unset cos-queue
    end

Using quarantine with DHCP

When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By default, the bounce-quarantined-link option is disabled.

To bounce the switch port where a quarantined device was last seen:

config switch-controller global
    set bounce-quarantined-link {enable | disable}
end

Using quarantine with 802.1x MAC-based authentication

After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine VLAN 4093 after 802.1x MAC-based authentication is enabled.

To use quarantines with IEEE 802.1x MAC-based authentication:

  1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can verify that quarantine-vlan is enabled with the following commands:

    S448DF3X16000118 # config switch global
    S448DF3X16000118 (global) # config port-security
    S448DF3X16000118 (port-security) # get
    link-down-auth : set-unauth
    mab-reauth : disable
    quarantine-vlan : enable
    reauth-period : 60
    max-reauth-attempt : 0

  2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the managed FortiSwitch unit. You can verify the settings for the port-security-mode and quarantine-vlan. For example:

    S448DF3X16000118 (port17) # show switch interface port17
    config switch interface
        edit "port17"
            set allowed-vlans 4093
            set untagged-vlans 4093
            set security-groups "group1"
            set snmp-index 17
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass enable
                set open-auth disable
                set port-security-mode 802.1X-mac-based
                set quarantine-vlan enable
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
        next
    end

  3. On the FortiGate unit, quarantine a MAC address. For example:

    config user quarantine
        config targets
            edit "quarantine1"
                config macs
                    edit 00:05:65:ad:15:03
                    next
                end
            next
        end
    end

  4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the managed FortiSwitch unit received the MAC-VLAN binding with the following command:

    S448DF3X16000118 # show switch vlan 4093
    config switch vlan
        edit 4093
            set description "qtn.FLNK10"
            set dhcp-snooping enable
            set access-vlan enable
            config member-by-mac
                edit 1
                    set mac 00:05:65:ad:15:03
                next
            end
        next
    end

  5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed FortiSwitch port has the quarantined MAC address. For example:

    S448DF3X16000118 # diagnose switch 8 status port17
    port17: Mode: mac-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    EAP pass-through mode : Enable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 1
    Allowed Vlan list: 1,4093
    Untagged Vlan list: 1,4093
    Guest VLAN :
    Auth-Fail Vlan :
    Switch sessions 3/480, Local port sessions:1/20
    Client MAC Type Vlan Dynamic-Vlan
    Quarantined
    00:05:65:ad:15:03 802.1x 1 4093
    Sessions info:
    00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41 params:reAuth=1800

  6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address table with the following commands:

    S448DF3X16000118 # diagnose switch vlan assignment mac list
    00:05:65:ad:15:03 VLAN: 4093 Installed: yes
    Source: 802.1X-MAC-Radius
    Description: port17

    S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
    MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)
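The steps above verify one quarantined MAC by hand. The following added example, which is not Fortinet code, automates that cross-check: it parses captured show user quarantine output from the FortiGate and diagnose switch vlan assignment mac list output from the FortiSwitch, and reports any quarantined MAC that the switch has not installed in the quarantine VLAN. The two captures embedded below are constructed samples in the formats shown on this page, and the quarantine VLAN ID 4093 is the one this page describes.

```python
"""Cross-check FortiGate quarantine entries against a managed FortiSwitch.

Added example, not Fortinet code. Parses 'show user quarantine' output from
the FortiGate and 'diagnose switch vlan assignment mac list' output from the
FortiSwitch, then lists quarantined MACs that are not installed in VLAN 4093.
"""
from __future__ import annotations

import re

QUARANTINE_VLAN = 4093  # quarantine VLAN ID used throughout this page
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample of FortiGate 'show user quarantine' output.
FGT_OUTPUT = """\
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                    set drop enable
                next
            end
        next
    end
end
"""

# Constructed sample of FortiSwitch 'diagnose switch vlan assignment mac list'.
# The second MAC is deliberately still in its normal VLAN to show a mismatch.
FSW_OUTPUT = """\
00:00:00:aa:bb:cc VLAN: 4093 Installed: yes
Source: 802.1X-MAC-Radius
Description: port17
00:11:22:33:44:55 VLAN: 100 Installed: no
Source: 802.1X-MAC-Radius
Description: port3
"""


def parse_quarantine_config(text: str) -> dict[str, bool]:
    """Return {mac: drop_enabled} for every MAC listed under 'config macs'."""
    macs: dict[str, bool] = {}
    current, in_macs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config macs":
            in_macs = True
        elif in_macs and line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"').lower()
            if not MAC_RE.match(current):
                raise ValueError(f"not a MAC address: {current}")
            macs[current] = False          # drop defaults to disable
        elif in_macs and current and line == "set drop enable":
            macs[current] = True
        elif in_macs and line == "end":    # closes 'config macs'
            in_macs, current = False, None
    return macs


def parse_vlan_assignments(text: str) -> dict[str, tuple[int, bool]]:
    """Return {mac: (vlan, installed)} from the switch's assignment list."""
    pattern = re.compile(
        r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+VLAN:\s*(?P<vlan>\d+)"
        r"\s+Installed:\s*(?P<inst>yes|no)", re.IGNORECASE)
    result: dict[str, tuple[int, bool]] = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            result[m["mac"].lower()] = (int(m["vlan"]), m["inst"].lower() == "yes")
    return result


def find_unenforced(fgt_text: str, fsw_text: str,
                    vlan: int = QUARANTINE_VLAN) -> list[str]:
    """MACs quarantined on the FortiGate but not installed in the quarantine VLAN."""
    wanted = parse_quarantine_config(fgt_text)
    seen = parse_vlan_assignments(fsw_text)
    problems = []
    for mac in sorted(wanted):
        assigned = seen.get(mac)
        if assigned is None:
            problems.append(f"{mac}: not present in switch VLAN assignment list")
        elif assigned != (vlan, True):
            problems.append(f"{mac}: switch has VLAN {assigned[0]}, installed={assigned[1]}")
    return problems


if __name__ == "__main__":
    for issue in find_unenforced(FGT_OUTPUT, FSW_OUTPUT):
        print(issue)
```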

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch. The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface

edit "qtn.port7"

set vdom "vdom1"

set ip 10.254.254.254 255.255.255.0

set description "Quarantine VLAN"

set security-mode captive-portal

set replacemsg-override-group "auth-intf-qtn.port7"

set device-identification enable

set device-identification-active-scan enable

set snmp-index 34

set switch-controller-access-vlan enable

set color 6

set interface "port7"

set vlanid 4093

next

end

Use the following commands to view the quarantine DHCP server:

show system dhcp server

config system dhcp server

edit 2

set dns-service default

set default-gateway 10.254.254.254

set netmask 255.255.255.0

set interface "qtn.port7"

config ip-range

edit 1

set start-ip 10.254.254.192

set end-ip 10.254.254.253

next

end

set timezone-option default

next

end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch

config switch-controller managed-switch

edit "FS1D483Z15000036"

set fsw-wan1-peer "port7"

set fsw-wan1-admin enable

set version 1

set dynamic-capability 503

config ports

edit "port1"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

edit "port2"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

edit "port3"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

...

end

end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine

config targets

edit <quarantine_entry_name>

config macs

delete <MAC_address_1>

end

end

end

To delete all MAC addresses in a quarantine entry:

config user quarantine

config targets

delete <quarantine_entry_name>

end

end

To disable the quarantine feature:

config user quarantine

set quarantine disable

end
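The viewing procedure above (show user quarantine and show switch-controller managed-switch) and the release procedure both deal in the same FortiOS config syntax, so one script can audit both. The following Python code is an added example, not Fortinet's code: it parses config/edit/set/next/end text into nested dictionaries, lists the quarantined MAC addresses together with whether the feature is actually enabled, reports every managed-switch port whose allowed-vlans or untagged-vlans list does not contain qtn.<FortiLink_port_name>, and builds the CLI lines from the single-MAC release procedure for a given MAC. The sample outputs are constructed from the page's examples, with port2 deliberately missing its untagged-vlans entry; the parser's handling of end typed inside an edit is the example's reading of FortiOS CLI behaviour, and the FortiLink port name is taken from fsw-wan1-peer unless one is passed in.

```python
# Added example (not Fortinet's code): audit the FortiSwitch quarantine setup from the
# text that 'show user quarantine' and 'show switch-controller managed-switch' print.
import shlex

def parse_fortios_config(text):
    """Turn FortiOS config syntax (config/edit/set/next/end) into nested dicts.

    'config <table>' and 'edit <id>' each open a dict; 'set <attr> v1 v2 ...' stores
    [v1, v2, ...]. 'end' inside an 'edit' closes the whole table, as the CLI does.
    """
    root = {}
    stack = [("config", root)]  # (frame kind, node)
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
        # 'show', 'unset' and anything else do not matter for this audit
    return root

def quarantine_enabled(config):
    """False means the listed MACs are not isolated at all (feature disabled)."""
    return config.get("user quarantine", {}).get("quarantine") == ["enable"]

def quarantined_macs(config):
    """Return {mac: quarantine_entry_name} for every MAC under config targets."""
    targets = config.get("user quarantine", {}).get("targets", {})
    return {mac.lower(): name for name, entry in targets.items()
            for mac in entry.get("macs", {})}

def ports_missing_quarantine_vlan(config, fortilink_port=None):
    """Return {switch_id: [port, ...]} for ports whose allowed-vlans or untagged-vlans
    lack qtn.<FortiLink port>; the port name defaults to each switch's fsw-wan1-peer."""
    missing = {}
    for switch_id, switch in config.get("switch-controller managed-switch", {}).items():
        qtn = "qtn." + (fortilink_port or switch.get("fsw-wan1-peer", [""])[0])
        for port_name, port in switch.get("ports", {}).items():
            if qtn not in port.get("allowed-vlans", []) or qtn not in port.get("untagged-vlans", []):
                missing.setdefault(switch_id, []).append(port_name)
    return missing

def release_commands(config, mac):
    """CLI lines that delete one MAC from its quarantine entry; [] if it is not listed."""
    entry = quarantined_macs(config).get(mac.lower())
    if entry is None:
        return []
    return ["config user quarantine", "config targets", f"edit {entry}",
            "config macs", f"delete {mac.lower()}", "end", "end", "end"]

# Constructed samples based on the page's examples; port2 deliberately lacks the
# untagged-vlans entry so the check has something to report.
SHOW_USER_QUARANTINE = """\
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
            end
        next
    end
end
"""
SHOW_MANAGED_SWITCH = """\
config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        config ports
            edit "port1"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set allowed-vlans "qtn.port7"
            next
        end
    next
end
"""

if __name__ == "__main__":
    fgt = parse_fortios_config(SHOW_USER_QUARANTINE)
    print("quarantine enabled:", quarantine_enabled(fgt), "MACs:", quarantined_macs(fgt))
    print("ports missing the quarantine VLAN:",
          ports_missing_quarantine_vlan(parse_fortios_config(SHOW_MANAGED_SWITCH)))
    print("\n".join(release_commands(fgt, "00:11:22:33:44:55")))
```

quarantine_enabled is checked first because the page notes that MAC addresses can be added to the list while the feature is disabled; a list under set quarantine disable isolates nothing. A port reported by ports_missing_quarantine_vlan is one on which a quarantined host would keep its normal VLAN, and a port configured with set allowed-vlans-all enable is reported as well, since this check only looks at the explicit lists. The same parser can be pointed at show system interface qtn.<FortiLink_port_name> to confirm that switch-controller-access-vlan is enabled, which is what stops quarantined hosts from reaching each other at layer 2.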

FortiSwitch features configuration

This section describes how to configure global FortiSwitch settings using FortiGate CLI commands. These settings will apply to all of the managed FortiSwitch units. You can also override some of the settings on individual FortiSwitch units.

This chapter covers the following topics:

Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface Name VLAN name
    VLAN ID Enter a number (1-4094)
    Color Choose a unique color for each VLAN, for ease of visual display.
    Role Select LAN, WAN, DMZ, or Undefined.
  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Administrative access options as required.
  4. Select OK.
To assign FortiSwitch ports to the VLAN:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click a port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

    config system interface

    edit <vlan name>

    set vlanid <1-4094>

    set color <1-32>

    set interface <FortiLink-enabled interface>

    end

  2. Set the VLAN’s IP address.

    config system interface

    edit <vlan name>

    set ip <IP address> <Network mask>

    end

  3. Enable a DHCP Server.

    config system dhcp server

    edit 1

    set default-gateway <IP address>

    set dns-service default

    set interface <vlan name>

    config ip-range

    set start-ip <IP address>

    set end-ip <IP address>

    end

    set netmask <Network mask>

    end

  4. Assign ports to the VLAN.

    config switch-controller managed-switch

    edit <Switch ID>

    config ports

    edit <port name>

    set vlan <vlan name>

    set allowed-vlans <vlan name>

    or

    set allowed-vlans-all enable

    next

    end

    end

  5. Assign untagged VLANs to a managed FortiSwitch port:

    config switch-controller managed-switch

    edit <managed-switch>

    config ports

    edit <port>

    set untagged-vlans <VLAN-name>

    next

    end

    next

    end

Viewing FortiSwitch VLANs

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name—name of the VLAN
  • VLAN ID—the VLAN number
  • IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
  • Access—administrative access settings for the VLAN
  • Ref—number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface

edit <VLAN name>

set switch-controller-access-vlan {enable | disable}

next

end

NOTE: You must configure the proxy ARP with the config system proxy-arp CLI command to be able to use the access VLANs. For example:

config system proxy-arp

edit 1

set interface "V100"

set ip 1.1.1.1

set end-ip 1.1.1.200

next

end

Changing the VLAN configuration mode

You can change which VLANs the set allowed-vlans command affects.

If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:

config switch-controller global

set vlan-all-mode defined

end

If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:

config switch-controller global

set vlan-all-mode all

end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Enabling FortiLink VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks. By default, VLAN optimization is disabled.

To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:

config switch-controller global

set vlan-optimization enable

end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configure IGMP snooping settings

Use the following commands to configure the global IGMP snooping settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

config switch-controller igmp-snooping

set aging-time <15-3600>

set flood-unknown-multicast {enable | disable}

end

Configure LLDP-MED

Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both FortiOS and FortiSwitchOS for this feature to work.

To configure LLDP profiles in FortiOS:

config switch-controller lldp-profile

edit <profile_name>

set med-tlvs (inventory-management | network-policy | power-management | location-identification)

set 802.1-tlvs port-vlan-id

set 802.3-tlvs {max-frame-size | power-negotiation}

set auto-isl {enable | disable}

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

config med-network-policy

edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

set status {enable | disable}

set vlan-intf <string>

set priority <0-7>

set dscp <0-63>

next

end

config med-location-service

edit {address-civic | coordinates | elin-number}

set status {enable | disable}

set sys-location-id <string>

next

end

config-tlvs

edit <TLV_name>

set oui <hexadecimal_number>

set subtype <0-255>

set information-string <0-507>

next

end

next

end

Variable Description
<profile_name> Enable or disable
med-tlvs (inventory-management | network-policy | power-management | location-identification) Select which LLDP-MED type-length-value descriptions (TLVs) to transmit: inventory-managment TLVs, network-policy TLVs, power-management TLVs for PoE, and location-identification TLVs. You can select one or more option. Separate multiple options with a space.
802.1-tlvs port-vlan-id Transmit the IEEE 802.1 port native-VLAN TLV.
802.3-tlvs {max-frame-size | power-negotiation} Select whether to transmit the IEEE 802.3 maximum frame size TLV, the power-negotiation TLV for PoE, or both. Separate multiple options with a space.
auto-isl {enable | disable} Enable or disable the automatic inter-switch LAG.

auto-isl-hello-timer <1-30>

If you enabled auto-isl, you can set the number of seconds for the automatic inter-switch LAG hello timer. The default value is 3 seconds.

auto-isl-port-group <0-9>

If you enabled auto-isl, you can set the automatic inter-switch LAG port group identifier.

auto-isl-receive-timeout <3-90>

If you enabled auto-isl, you can set the number of seconds before the automatic inter-switch LAG times out if no response is received. The default value is 9 seconds.

config med-network-policy

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Select which Media Endpoint Discovery (MED) network policy type-length-value (TLV) category to edit.

status {enable | disable}

Enable or disable whether this TLV is transmitted.

vlan-intf <string>

If you enabled the status, you can enter the VLAN interface to advertise. The maximum length is 15 characters.

priority <0-7>

If you enabled the status, you can enter the advertised Layer-2 priority. Set to 7 for the highest priority.

dscp <0-63>

If you enabled the status, you can enter the advertised Differentiated Services Code Point (DSCP) value to indicate the level of service requested for the traffic.

config med-location-service

{address-civic | coordinates | elin-number}

Select which Media Endpoint Discovery (MED) location type-length-value (TLV) category to edit.

status {enable | disable}

Enable or disable whether this TLV is transmitted.

sys-location-id <string>

If you enabled the status, you can enter the location service identifier. The maximum length is 63 characters.

config-tlvs

<TLV_name>

Enter the name of a custom TLV entry.

oui <hexadecimal_number>

Ener the organizationally unique identifier (OUI), a 3-byte hexadecimal number, for this TLV.

subtype <0-255>

Enter the organizationally defined subtype.

information-string <0-507>

Enter the organizationally defined information string in hexadecimal bytes.

To configure LLDP settings in FortiOS:

config switch-controller lldp-settings

set tx-hold <int>

set tx-interval <int>

set fast-start-interval <int>

set management-interface {internal | management}

set device-detection {enable | disable}

end

Variable Description
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.
management-interface Primary management interface to be advertised in LLDP and CDP PDUs.

device-detection {enable | disable}

Enable or disable whether LLDP neighbor devices are dynamically detected. By default, this setting is disabled.

To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:

config switch lldp settings

set device-detection enable

end

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set switch-device-tag <string>

end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile

edit <lldp-profle>

config med-network-policy

edit guest-voice

set status {disable | enable}

next

edit guest-voice-signaling

set status {disable | enable}

next

edit guest-voice-signaling

set status {disable | enable}

next

edit softphone-voice

set status {disable | enable}

next

edit streaming-video

set status {disable | enable}

next

edit video-conferencing

set status {disable | enable}

next

edit video-signaling

set status {disable | enable}

next

edit voice

set status {disable | enable}

next

edit voice-signaling

set status {disable | enable}

end

config custom-tlvs

edit <name>

set oui <identifier>

set subtype <subtype>

set information-string <string>

end

end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller switch-info lldp stats <switch> <port>

diagnose switch-controller switch-info lldp neighbors-summary <switch>

diagnose switch-controller switch-info lldp neighbors-detail <switch>

Configure the MAC sync interval

Use the following commands to configure the global MAC synch interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings

set mac-sync-interval <30-600>

end

Configure STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard.

MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings

set name <name>

set revision <stp revision>

set hello-time <hello time>

set forward-time <forwarding delay>

set max-age <maximum aging time>

set max-hops <maximum number of hops>

end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch

edit <switch-id>

config stp-settings

set local-override enable

end

To configure MSTP instances:

config switch-controller stp-instance

edit <id>

config vlan-range <list of VLAN names>

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config stp-instance

edit <id>

set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>

next

end

next

end

For example:

config switch-controller stp-instance

edit 1

config vlan-range vlan1 vlan2 vlan3

end

config switch-controller managed-switch

edit S524DF4K15000024

config stp-instance

edit 1

set priority 16384

next

end

next

end

Configure flow tracking and export

You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.

The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.

To configure flow tracking on managed FortiSwitch units:

config switch-controller flow-tracking

set sample-mode {local | perimeter | device-ingress}

set sample-rate <0-99999>

set format {netflow1 | netflow5 | netflow9 | ipfix}

set collector-ip <collector IP address>

set collector-port <0-65535; default is 0>

set transport {udp | tcp | sctp}

set level {vlan | ip | port | proto}

set filter <string>

set max-export-pkt-size <512-9216 bytes; default is 512>.

set timeout-general <60-604800 seconds; default is 3600>

set timeout-icmp <60-604800 seconds; default is 300>.

set timeout-max <60-604800 seconds; default is 604800>

set timeout-tcp <60-604800 seconds; default is 3600>

set timeout-tcp-fin <60-604800 seconds; default is 300>

set timeout-tcp-rst <60-604800 seconds; default is 120>

set timeout-udp <60-604800 seconds; default is 300>

end

Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.

  • The local mode samples packets on a specific FortiSwitch port.
  • The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
  • The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.

Configure the sampling rate

For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.

Configure the flow-tracking protocol

You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.

Configure collector IP address

The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.

Configure the transport protocol

You can set exported packets to use UDP, TCP, or SCTP for transport.

Configure the flow-tracking level

You can set the flow-tracking level to one of the following:

  • vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
  • ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
  • port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
  • proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.

Configure the filter

Use the Berkeley Packet Filter to specify what packets to sample.

Configure the maximum exported packet size

You can set the maximum size of exported packets in the application level.

To remove flow reports from a managed FortiSwitch unit:

execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>

Expired flows are exported.

To view flow statistics for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>

To view raw flow records for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>

To view flow record data for a managed FortiSwitch unit:

diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>

For example:

diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined MAC addresses are isolated from the rest of the network and LAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

There are two kinds of quarantines:

  • Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
  • Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much network resources quarantined devices use.

Quarantine-by-VLAN is the default. If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:

  1. Disable quarantine.
  2. Change the quarantine-mode to by-redirect.
  3. Remove the quarantine VLAN from the switch ports.
  4. Enable quarantine.
To set up a quarantine in FortiOS:

config switch-controller global

set quarantine-mode {by-vlan | by-redirect}

end

config user quarantine

set quarantine enable

set traffic-policy <traffic_policy_name>

set firewall-groups <firewall_address_group>

config targets

edit <quarantine_entry_name>

set description <string>

config macs

edit <MAC_address_1>

set drop {enable | disable}

next

edit <MAC_address_2>

set drop {enable | disable}

next

edit <MAC_address_3>

set drop {enable | disable}

next

end

end

end

Option Description

quarantine-mode {by-vlan | by-redirect}

Select the quarantine mode:

  • by-vlan sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN.This mode is the default.
  • by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit.

traffic-policy <traffic_policy_name>

Optional. A name for the traffic policy that controls quarantined devices. If you do add a traffic policy, you need to configure it with the config switch-controller traffic-policy command.

firewall-groups <firewall_address_group>

Optional. By default, the firewall address group is QuarantinedDevices. If you are using quarantine-by-redirect, you must use the default firewall address group.

quarantine_entry_name A name for this quarantine entry.
description <string> Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_address_2, MAC_address_3 A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

drop {enable | disable}

Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit.

For example:

config switch-controller global

set quarantine-mode by-redirect

end

config user quarantine

set quarantine enable

set traffic-policy qtrafficp

set firewall-groups QuarantinedDevices

config targets

edit quarantine1

config macs

set description "infected by virus"

edit 00:00:00:aa:bb:cc

set drop disable

next

edit 00:11:22:33:44:55

set drop disable

next

edit 00:01:02:03:04:05

set drop disable

next

end

next

end

To configure a traffic policy for quarantined devices in FortiOS:

config switch-controller traffic-policy

edit <traffic_policy_name>

set description <string>

set policer-status enable

set guaranteed-bandwidth <0-524287000>

set guaranteed-burst <0-4294967295>

set maximum-burst <0-4294967295>

set cos-queue <0-7>

end

Option Description

traffic-policy <traffic_policy_name>

Enter a name for the traffic policy that controls quarantined devices.

description <string>

Enter an optional description of the traffic policy.

policer-status enable

Enable the policer configuration to control quarantined devices. It is enabled by default.

guaranteed-bandwidth <0-524287000>

Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0.

guaranteed-burst <0-4294967295>

Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0.

maximum-burst <0-4294967295>

The maximum burst size is in bytes. The maximum value is 4294967295. The default value is 0.

set cos-queue <0-7>

Set the class of service for the VLAN traffic. Use the unset cos-queue command to disable this setting.

For example:

config switch-controller traffic-policy

edit qtrafficp

set description "quarantined traffic policy"

set policer-status enable

set guaranteed-bandwidth 10000

set guaranteed-burst 10000

set maximum-burst 10000

unset cos-queue

end

Using quarantine with DHCP

When a device using DHCP is quarantined, the device becomes inaccessible until the DHCP is renewed. To avoid this problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device was last seen and then brings it back up again. Bouncing the port when the device is quarantined and when the device is released from quarantine causes the DHCP to be renewed so that the device is connected to the correct network. By default, the bounce-quarantined-link option is disabled.

To bounce the switch port where a quarantined device was last seen:

config switch-controller global

set bounce-quarantined-link {enable | disable}

end

Using quarantine with 802.1x MAC-based authentication

After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device was quarantined before 802.1x MAC-based authentication was enabled, the deviceʼs traffic remains in the quarantine VLAN 4093 after 802.1x MAC-based authentication is enabled.

To use quarantines with IEEE 802.1x MAC-based authentication:
  1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can verify that quarantine-vlan is enabled with the following commands:

    S448DF3X16000118 # config switch global
    S448DF3X16000118 (global) # config port-security
    S448DF3X16000118 (port-security) # get
    link-down-auth : set-unauth
    mab-reauth : disable
    quarantine-vlan : enable
    reauth-period : 60
    max-reauth-attempt : 0

  2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the managed FortiSwitch unit. You can verify the port-security-mode and quarantine-vlan settings of a port. For example:

    S448DF3X16000118 (port17) # show switch interface port17
    config switch interface
        edit "port17"
            set allowed-vlans 4093
            set untagged-vlans 4093
            set security-groups "group1"
            set snmp-index 17
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass enable
                set open-auth disable
                set port-security-mode 802.1X-mac-based
                set quarantine-vlan enable
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
        next
    end

  3. On the FortiGate unit, quarantine a MAC address. For example:

    config user quarantine
        config targets
            edit "quarantine1"
                config macs
                    edit 00:05:65:ad:15:03
                    next
                end
            next
        end
    end

  4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the managed FortiSwitch unit received the MAC-VLAN binding with the following command:

    S448DF3X16000118 # show switch vlan 4093
    config switch vlan
        edit 4093
            set description "qtn.FLNK10"
            set dhcp-snooping enable
            set access-vlan enable
            config member-by-mac
                edit 1
                    set mac 00:05:65:ad:15:03
                next
            end
        next
    end

  5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed FortiSwitch port has the quarantined MAC address. For example:

    S448DF3X16000118 # diagnose switch 802-1x status port17
    port17: Mode: mac-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    EAP pass-through mode : Enable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 1
    Allowed Vlan list: 1,4093
    Untagged Vlan list: 1,4093
    Guest VLAN :
    Auth-Fail Vlan :
    Switch sessions 3/480, Local port sessions:1/20
    Client MAC         Type    Vlan  Dynamic-Vlan  Quarantined
    00:05:65:ad:15:03  802.1x  1     4093
    Sessions info:
    00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41 params:reAuth=1800

  6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address table with the following commands:

    S448DF3X16000118 # diagnose switch vlan assignment mac list
    00:05:65:ad:15:03 VLAN: 4093 Installed: yes
    Source: 802.1X-MAC-Radius
    Description: port17

    S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
    MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)
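A practitioner verifying the procedure above will want to confirm, for every MAC address the FortiGate has quarantined, that the managed FortiSwitch actually has that MAC in VLAN 4093. The following is an added example, not Fortinet code: it parses constructed samples of the `show user quarantine` and `diagnose switch mac list` output formats shown on this page and reports any quarantined MAC that the switch has learned in another VLAN or not at all.

```python
import re

# Constructed sample outputs, modelled on the 'show user quarantine' (FortiGate)
# and 'diagnose switch mac list' (FortiSwitch) output shown on this page.
FGT_QUARANTINE = """\
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            config macs
                edit 00:05:65:ad:15:03
                next
                edit 00:11:22:33:44:55
                next
            end
        next
    end
end
"""
FSW_MAC_TABLE = """\
MAC: 00:05:65:ad:15:03 VLAN: 4093 Port: port17(port-id 17)
MAC: 00:11:22:33:44:55 VLAN: 1 Port: port18(port-id 18)
MAC: 00:50:56:ad:51:81 VLAN: 1 Port: port17(port-id 17)
"""
QUARANTINE_VLAN = 4093
MAC_ENTRY_RE = re.compile(r"^edit\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)
TABLE_RE = re.compile(r"MAC:\s*(\S+)\s+VLAN:\s*(\d+)\s+Port:\s*([^\s(]+)")

def quarantined_macs(show_output):
    """MAC addresses listed as 'edit <mac>' entries under config macs."""
    macs = set()
    for line in show_output.splitlines():
        m = MAC_ENTRY_RE.match(line.strip())
        if m:
            macs.add(m.group(1).lower())
    return macs

def switch_mac_table(diag_output):
    """Map MAC -> (vlan, port) from 'diagnose switch mac list' lines."""
    return {m.group(1).lower(): (int(m.group(2)), m.group(3))
            for m in TABLE_RE.finditer(diag_output)}

def quarantine_gaps(show_output, diag_output, qvlan=QUARANTINE_VLAN):
    """Quarantined MACs the switch has learned outside the quarantine VLAN
    (value: (vlan, port)) or has not learned at all (value: None)."""
    table = switch_mac_table(diag_output)
    return {mac: table.get(mac) for mac in quarantined_macs(show_output)
            if table.get(mac) is None or table[mac][0] != qvlan}
```

A MAC reported with `None` may simply be offline; one reported in another VLAN indicates the binding was not pushed or applied and should be investigated with the `show switch vlan 4093` check from step 4.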

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7
config system interface
    edit "qtn.port7"
        set vdom "vdom1"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.port7"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 34
        set switch-controller-access-vlan enable
        set color 6
        set interface "port7"
        set vlanid 4093
    next
end

Use the following commands to view the quarantine DHCP server:

show system dhcp server
config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.254.254.254
        set netmask 255.255.255.0
        set interface "qtn.port7"
        config ip-range
            edit 1
                set start-ip 10.254.254.192
                set end-ip 10.254.254.253
            next
        end
        set timezone-option default
    next
end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch
config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        set fsw-wan1-admin enable
        set version 1
        set dynamic-capability 503
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            ...
        end
    next
end
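Because the quarantine VLAN must be present in both the allowed and the untagged VLAN list of every connected FortiSwitch port, a port that has been re-provisioned without it is a quarantine bypass. The following is an added example, not Fortinet code: it parses a constructed sample of the `show switch-controller managed-switch` output format shown above (one managed switch assumed, FortiLink port port7) and lists the ports whose allowed or untagged VLANs lack qtn.<FortiLink_port_name>.

```python
import re

# Constructed sample, modelled on the 'show switch-controller managed-switch'
# output on this page; port3 deliberately lacks the quarantine VLAN.
MANAGED_SWITCH = """\
config switch-controller managed-switch
    edit "FS1D483Z15000036"
        config ports
            edit "port1"
                set allowed-vlans "qtn.port7" "vlan100"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set allowed-vlans "vlan100"
                set untagged-vlans "vlan100"
            next
        end
    next
end
"""

def port_vlans(show_output):
    """Map port name -> {'allowed-vlans': set, 'untagged-vlans': set} from config ports."""
    ports, current, depth = {}, None, 0   # depth = nesting inside "config ports"
    for raw in show_output.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config ports" else 0
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line == "next":
            current = None
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            ports[current] = {"allowed-vlans": set(), "untagged-vlans": set()}
        elif depth == 1 and current and line.startswith(("set allowed-vlans ", "set untagged-vlans ")):
            key, _, rest = line[4:].partition(" ")
            ports[current][key] = set(re.findall(r'"([^"]+)"', rest))
    return ports

def ports_missing_quarantine(show_output, fortilink_port):
    """Ports whose allowed or untagged VLAN list lacks qtn.<FortiLink_port_name>."""
    qvlan = f"qtn.{fortilink_port}"
    return sorted(p for p, v in port_vlans(show_output).items()
                  if qvlan not in v["allowed-vlans"] or qvlan not in v["untagged-vlans"])
```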

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
    config targets
        edit <quarantine_entry_name>
            config macs
                delete <MAC_address_1>
            end
        next
    end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
    config targets
        delete <quarantine_entry_name>
    end
end

To disable the quarantine feature:

config user quarantine
    set quarantine disable
end