Introduction

This document provides the following information for FortiSwitchOS 7.2.0 devices managed by FortiOS 7.2.0 build 1157:

See the Fortinet Document Library for FortiSwitchOS documentation.

Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.

NOTE: FortiLink is not supported in transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

| FortiGate Model Range | Number of FortiSwitch Units Supported |
|---|---|
| FortiGate 40F, 91E, FortiGate-VM01 | 8 |
| FortiGate 6xE, 8xE, 90E | 16 |
| FGR-60F, FG-60F, FGR-60F-3G4G, FG-61F, FG-80F, FG-80FB, FG-80FP, FG-81F, and FG-81FP | 24 |
| FortiGate 100D, FortiGate-VM02 | 24 |
| FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE | 32 |
| FortiGate 200E, 201E | 64 |
| FortiGate 300D to 500D | 48 |
| FortiGate 300E to 500E | 72 |
| FortiGate 600D to 900D and FortiGate-VM04 | 64 |
| FortiGate 600E to 900E | 96 |
| FortiGate 1000D to 15xxD | 128 |
| FortiGate 1100E to 25xxE | 196 |

NOTE: New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.

What’s new in FortiOS 7.2.0

The following list contains new managed FortiSwitch features added in FortiOS 7.2.0:

  • Zero-touch management is now more efficient. When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be a FortiGate device, FortiLAN Cloud, or FortiSwitch Manager. Only one manager can be used at a time. The FortiSwitch configuration does not need to be backed up before the FortiSwitch unit is managed, and the FortiSwitch unit does not need to be restarted when it becomes managed. All ports are enabled for auto discovery. The “internal” interface is the DHCP client in all FortiSwitch models.

    Setting the switch-mgmt-mode is no longer needed, so the set switch-mgmt-mode command has been removed from config system global.

  • You can now use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit.

  • NAC LAN segments are now supported on the following FortiSwitch models in FortiLink mode: FSR-112D-POE, FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE.

  • The new execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address> command allows you to clear the 802.1X-authorized session associated with a specific MAC address. Also, the execute switch-controller switch-action 802-1X clear-auth <FortiSwitch_serial_number> <port_name> command has been changed to execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>.

  • The new WiFi & Switch Controller > FortiSwitch Clients page lists all devices connected to the FortiSwitch unit for a particular VDOM. Double-clicking a row displays the Device Info pane, which lists the NAC policies and dynamic port policies that the device matches. Hovering over the device name displays the detail window, where you can do the following:

    • Create a firewall device address.

    • Create a firewall IP address.

    • Quarantine the host.

  • The number of managed FortiSwitch units has increased from 16 to 24 on the following FortiGate models: FGR-60F, FG-60F, FGR-60F-3G4G, FG-61F, FG-80F, FG-80FB, FG-80FP, FG-81F, and FG-81FP.

  • You can now configure multiple flow-export collectors using the config collectors command. For each collector, you can specify the collector IP address, the collector port number, and the collector layer-4 transport protocol for exporting packets. You can also specify how often a template packet is sent using the new set template-export-period command.

  • You can now configure NAC LAN segments in the GUI.

  • Administrators can now use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS console port. By default, users can log in with the managed FortiSwitchOS console port.

  • You can now use asterisks as a wildcard character when you pre-authorize FortiSwitch units. Using a FortiSwitch template, you can name the managed switch and configure the ports. When the FortiSwitch unit is turned on and discovered by the FortiGate device, the wildcard serial number is replaced by the actual serial number and the settings in the FortiSwitch template are applied to the discovered FortiSwitch unit.

  • Dynamic discovery in FortiLink mode over a layer-3 network detects FortiSwitch split ports and newer FortiSwitch models. Split ports on all supported FortiSwitch models can be managed and displayed correctly on a FortiGate device.

  • You can now configure flap guard through the switch controller.

  • You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication. If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled. You can use the FortiOS CLI to enable MAB reauthentication globally or locally:

    • On the global level, use the new set mab-reauth command to enable or disable MAB reauthentication.

    • On the local level, you can override the 802.1X settings for a specific managed switch and then use the new set mab-reauth command to enable or disable MAB reauthentication.

  • You can now add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch.

  • You can now configure link-aggregation groups (LAGs) as members of a software switch that is being used for FortiLink.

  • In previous releases, changing FortiSwitch split ports and then restarting the managed FortiSwitch unit caused the FortiGate device to have to rediscover and re-authorize the FortiSwitch unit. Now, the FortiGate device automatically updates the port list after split ports are changed and the FortiSwitch unit restarts. When split ports are added or removed, the changes are logged.

  • The WiFi & Switch Controller > FortiSwitch Ports page has been improved.

    • In Trunk view, the FortiSwitch Ports page has been improved in the following ways:

      • The LLDP Profile, Loop Guard, and Security Policy columns were removed.

      • When you right-click a port, the menu now contains a Mode submenu.

      • When you right-click a port, the menu now contains the option to clear port counters.

      • The Enabled Features column lists LACP when it has been enabled.

    • In Port view, the FortiSwitch Ports page has been improved in the following ways:

      • New VLAN, Dynamic VLAN, and Transceiver Power (Transmitted/Received) columns are now available.

      • When you double-click a port, a new Port Statistics pane is displayed, which shows the transmitted and received traffic, frame errors by type, and transmitted and received frames. You can also select a port and then click the View Statistics button in the upper right corner. The Compare with dropdown list allows you to select another port to compare with the currently selected port. The statistics are refreshed every 15 seconds.

      • When you right-click a port, the menu now contains the option to clear port counters.

  • The Diagnostics and Tools pane (from WiFi & Switch Controller > Managed FortiSwitches) has been improved.

    • The General pane now reports the fan status, power supply unit (PSU) status, and port health.

    • Clicking the new Legend button in the General pane displays the Health Thresholds pane, which lists the thresholds for the good, fair, and poor ratings of the general health, port health, and MC-LAG health.

    • A new Clients tab lists the FortiClient users of the selected FortiSwitch unit.

  • IGMP snooping and MLD snooping are now supported on FortiLink NAC LAN segments when a FortiSwitch unit is controlled by a FortiGate device.
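Two items in the list above change existing CLI syntax: set switch-mgmt-mode was removed from config system global, and the per-port clear-auth action was renamed to clear-auth-port. The following is an added example, not Fortinet code, of a pre-upgrade check that rewrites saved CLI scripts or runbooks accordingly; the function name, the sample script, the serial number, and the `<mode>` value are constructed placeholders.

```python
import re

# Old per-port form: "... 802-1X clear-auth <serial> <port>".
# clear-auth-port and clear-auth-mac do not match, because "clear-auth"
# must be followed by whitespace.
CLEAR_AUTH_OLD = re.compile(
    r"^(\s*execute\s+switch-controller\s+switch-action\s+802-1X\s+)"
    r"clear-auth(\s+\S+\s+\S+\s*)$"
)
MGMT_MODE = re.compile(r"^\s*set\s+switch-mgmt-mode\b")


def migrate(lines):
    """Return (new_lines, findings) for a CLI script written before 7.2.0."""
    out, findings, stack = [], [], []
    for num, line in enumerate(lines, start=1):
        words = line.split()
        # Track which "config ..." block we are in so the removed
        # setting is only flagged inside "config system global".
        if words[:1] == ["config"]:
            stack.append(" ".join(words[1:]))
        elif words == ["end"] and stack:
            stack.pop()
        m = CLEAR_AUTH_OLD.match(line)
        if m:
            # Renamed in 7.2.0: keep the arguments, swap the action name.
            out.append(m.group(1) + "clear-auth-port" + m.group(2))
            findings.append((num, "renamed", "clear-auth -> clear-auth-port"))
        elif MGMT_MODE.match(line) and stack[:1] == ["system global"]:
            # Removed in 7.2.0: drop the line from the migrated script.
            findings.append((num, "removed", "set switch-mgmt-mode"))
        else:
            out.append(line)
    return out, findings


# Constructed sample script; serial, port, MAC and <mode> are placeholders.
SAMPLE = [
    "config system global",
    "    set switch-mgmt-mode <mode>",
    "end",
    "execute switch-controller switch-action 802-1X clear-auth S000EXAMPLE00001 port3",
    "execute switch-controller switch-action 802-1X clear-auth-mac S000EXAMPLE00001 00:00:5e:00:53:01",
]

if __name__ == "__main__":
    new_lines, report = migrate(SAMPLE)
    print("\n".join(new_lines))
    print(report)
```
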
