
FortiLink Guide

What's new in FortiOS 7.2.0


The following list contains new managed FortiSwitchOS features added in FortiOS 7.2.0. Click on a link to navigate to that section for further information:

  • Zero-touch management is now more efficient. When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be a FortiGate device, FortiLAN Cloud, or FortiSwitch Manager. Only one manager can be used at a time. The FortiSwitch configuration does not need to be backed up before the FortiSwitch unit is managed, and the FortiSwitch unit does not need to be restarted when it becomes managed. All ports are enabled for auto discovery. The “internal” interface is the DHCP client in all FortiSwitch models.

    Setting the switch-mgmt-mode is no longer needed, so the set switch-mgmt-mode command has been removed from config system global.

  • You can now use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. For more details, see Managing FortiSwitch units on VXLAN interfaces.

  • NAC LAN segments are now supported on the following FortiSwitch models in FortiLink mode: FSR-112D-POE, FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE. For more details, see Configuring the FortiSwitch NAC settings.

  • The new execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address> command allows you to clear the 802.1X-authorized session associated with a specific MAC address. Also, the execute switch-controller switch-action 802-1X clear-auth <FortiSwitch_serial_number> <port_name> command has been changed to execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>. For more details, see Clearing authorized sessions.

  • The new WiFi & Switch Controller > FortiSwitch Clients page lists all devices connected to the FortiSwitch unit for a particular VDOM. Double-clicking a row displays the Device Info pane, which lists the NAC policies and dynamic port policies that the device matches. Hovering over the device name displays the detail window, where you can do the following:

    • Create a firewall device address.

    • Create a firewall IP address.

    • Quarantine the host.

    For more details, see FortiSwitch clients.

  • The number of managed FortiSwitch units has increased from 16 to 24 on the following FortiGate models: FGR-60F, FG-60F, FGR-60F-3G4G, FG-61F, FG-80F, FG-80FB, FG-80FP, FG-81F, and FG-81FP.

  • You can now configure multiple flow-export collectors using the config collectors command. For each collector, you can specify the collector IP address, the collector port number, and the collector layer-4 transport protocol for exporting packets. You can also specify how often a template packet is sent using the new set template-export-period command. For more details, see Configuring flow tracking and export.

  • Administrators can now use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS console port. By default, users can log in with the managed FortiSwitchOS console port. For more details, see Disabling the FortiSwitch console port login.

  • You can now configure NAC LAN segments in the GUI. For more details, see Configuring NAC settings.

  • You can now use asterisks as a wildcard character when you pre-authorize FortiSwitch units. Using a FortiSwitch template, you can name the managed switch and configure the ports. When the FortiSwitch unit is turned on and discovered by the FortiGate device, the wildcard serial number is replaced by the actual serial number and the settings in the FortiSwitch template are applied to the discovered FortiSwitch unit. For more details, see Using wildcard serial numbers to pre-authorize FortiSwitch units.

  • Dynamic discovery in FortiLink mode over a layer-3 network detects FortiSwitch split ports and newer FortiSwitch models. Split ports on all supported FortiSwitch models can be managed and displayed correctly on a FortiGate device.

  • You can now configure flap guard through the switch controller. For more details, see Configuring flap guard.

  • You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication. If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled. You can use the FortiOS CLI to enable MAB reauthentication globally or locally:

    • On the global level, use the new set mab-reauth command to enable or disable MAB reauthentication.

    • On the local level, you can override the 802.1X settings for a specific managed switch and then use the new set mab-reauth command to enable or disable MAB reauthentication.

    For more details, see FortiSwitch security policies.

  • You can now add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch. For more details, see Configuring multiple managed FortiSwitch VLANs to be used in a software switch.

  • You can now configure link-aggregation groups (LAGs) as members of a software switch that is being used for FortiLink. For more details, see Configure a LAG on a FortiLink-enabled software switch.

  • In previous releases, changing FortiSwitch split ports and then restarting the managed FortiSwitch unit required the FortiGate device to rediscover and re-authorize the FortiSwitch unit. Now, the FortiGate device automatically updates the port list after split ports are changed and the FortiSwitch unit restarts. When split ports are added or removed, the changes are logged. For more details, see Configuring FortiSwitch split ports (phy-mode) in FortiLink mode.

  • The WiFi & Switch Controller > FortiSwitch Ports page has been improved. For more details, see Configuring ports using the GUI.

    • In Trunk view, the FortiSwitch Ports page has been improved in the following ways:

      • The LLDP Profile, Loop Guard, and Security Policy columns were removed.

      • When you right-click a port, the menu now contains a Mode submenu.

      • When you right-click a port, the menu now contains the option to clear port counters.

      • The Enabled Features column lists LACP when it has been enabled.

    • In Port view, the FortiSwitch Ports page has been improved in the following ways:

      • New VLAN, Dynamic VLAN, and Transceiver Power (Transmitted/Received) columns are now available.

      • When you double-click a port, a new Port Statistics pane is displayed, which shows the transmitted and received traffic, frame errors by type, and transmitted and received frames. You can also select a port and then click the View Statistics button in the upper right corner. The Compare with dropdown list allows you to select another port to compare with the currently selected port. The statistics are refreshed every 15 seconds.

      • When you right-click a port, the menu now contains the option to clear port counters.

  • The Diagnostics and Tools pane (from WiFi & Switch Controller > Managed FortiSwitches) has been improved. For more details, see Diagnostics and tools.

    • The General pane now reports the fan status, power supply unit (PSU) status, and port health.

    • Clicking the new Legend button in the General pane displays the Health Thresholds pane, which lists the thresholds for the good, fair, and poor ratings of the general health, port health, and MC-LAG health.

    • A new Clients tab lists the FortiClient users of the selected FortiSwitch unit.

  • IGMP snooping and MLD snooping are now supported on FortiLink NAC LAN segments when a FortiSwitch unit is controlled by a FortiGate device. For more details, see Configuring the FortiSwitch NAC settings.
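
Two items in this list change existing CLI syntax (the removed set switch-mgmt-mode command and the clear-auth to clear-auth-port rename), which can break saved runbooks and automation after an upgrade. The following Python check is an added example, not Fortinet code; the function names are hypothetical and the serial number, port name, MAC address, and mode value in the sample are constructed.

```python
import re

# Old form ends in "clear-auth <serial> <port>". The (?=\s) lookahead stops
# the new clear-auth-port and clear-auth-mac commands from matching.
OLD_CLEAR_AUTH = re.compile(
    r"^\s*execute\s+switch-controller\s+switch-action\s+802-1X\s+clear-auth(?=\s)")

# Commands this page lists as removed or renamed in FortiOS 7.2.0.
RULES = [
    ("removed", re.compile(r"^\s*set\s+switch-mgmt-mode\b"),
     "set switch-mgmt-mode was removed from config system global"),
    ("renamed", OLD_CLEAR_AUTH,
     "use clear-auth-port <serial> <port>, or clear-auth-mac for one MAC"),
]


def lint(text):
    """Return (line_number, kind, advice) for each line using a pre-7.2.0 command."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines in a runbook are not executed
        for kind, pattern, advice in RULES:
            if pattern.search(line):
                findings.append((number, kind, advice))
    return findings


def migrate(line):
    """Rewrite the old clear-auth form to clear-auth-port; leave other lines alone."""
    return OLD_CLEAR_AUTH.sub(lambda m: m.group(0) + "-port", line)


# Constructed sample runbook: all values below are placeholders, not real devices.
SAMPLE = """\
config system global
    set switch-mgmt-mode fortilink
end
execute switch-controller switch-action 802-1X clear-auth S000EXAMPLE00001 port5
execute switch-controller switch-action 802-1X clear-auth-port S000EXAMPLE00001 port5
execute switch-controller switch-action 802-1X clear-auth-mac S000EXAMPLE00001 00:00:5e:00:53:01
"""

if __name__ == "__main__":
    for number, kind, advice in lint(SAMPLE):
        print(f"line {number}: {kind}: {advice}")
```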
