Administration Guide

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the FortiLink Guide—FortiSwitch Devices Managed by FortiOS 7.2.

If you will be managing your FortiSwitch unit using FortiLAN Cloud, see the FortiLAN Cloud User Guide.

If you will be managing your FortiSwitch unit using FortiSwitch Manager, see the FortiSwitch Manager Administration Guide.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Whatʼs new in FortiSwitchOS 7.2.3

Release 7.2.3 provides the following new features:

  • You can now use the GUI to create a policy to control routing using the Router > Config > Policy > Next Hop Groups, Router > Config > Policy > PBR Maps, and Router > Config > Policy > Interfaces pages.

  • IPv6 addresses are now supported in access control lists (ACLs) for ingress policies.

  • To support the EtherLike-MIB, the following improvements have been made to the dot3StatsTable (OID: 1.3.6.1.2.1.10.7.2.1.19):

    • System interfaces are now supported in addition to switch ports.

    • The table type was changed from the simple table type to the complex table type so that the table size more accurately reflects the number of available interfaces.

    • The following additional nodes are now supported:

      • dot3StatsFCSErrors

      • dot3StatsDeferredTransmissions

      • dot3StatsInternalMacTransmitErrors

      • dot3StatsCarrierSenseErrors

      • dot3StatsFrameTooLongs

      • dot3StatsInternalMacReceiveErrors

    • There are additional diagnose-debug messages.

  • PSK-mode MACsec and dynamic-CAK mode are now supported on the 10G and 100G ports on FS-1024E and the 100G ports on FS-T1024E. The FS-1024E and FS-T1024E models support the GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, and GCM-AES-XPN-256 cipher suites.

  • The set eap-egress-tagged {enable | disable} command is now supported on the FS-1xxE and FS-1xxF models. When you are using the MAC move feature with EAP authentication, you can disable eap-egress-tagged to force the switch to always use the untagged EAP response.

  • The following changes and enhancements have been made to the set allow-mac-move command:

    • The set allow-mac-move command has been changed to set allow-mac-move-to for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

    • You can now use the set allow-mac-move-from command for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

    • You can now enable the set allow-mac-move command on a global level for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

  • The new User, Security, and Fortinet columns in the 802.1X Session page provide the user name, the security group name, and the RADIUS group name.

  • You can now change how the ALARM LED functions for the FSR-112D-POE model, system part number P17080-04 or later. You can check the system part number with the get system status command. Use the following command to have the ALARM LED turn red when only one power supply unit (PSU) is connected:

    config system global
        set single-psu-fault enable
    end

    By default, the set single-psu-fault command is disabled.

  • MAB-only authentication is now supported. In this mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent. To enable MAB-only authentication:

    config switch interface
        edit <interface_name>
            config port-security
                set port-security-mode {802.1X | 802.1X-mac-based}
                set mac-auth-bypass enable
                set auth-order MAB
            end
        next
    end
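
An added example (not from the Fortinet guide): a Python check that reads a FortiSwitchOS configuration backup and lists the ports set to MAB-only authentication, where no EAP exchange takes place, so that they can be reviewed. It matches only the CLI keywords shown above; the sample configuration and the port names are constructed.

```python
# Added example: audit a configuration backup for MAB-only ports.
# SAMPLE_CONFIG is constructed; port names are placeholders.
SAMPLE_CONFIG = """\
config switch interface
    edit "port1"
        config port-security
            set port-security-mode 802.1X
            set mac-auth-bypass enable
            set auth-order MAB
        end
    next
    edit "port2"
        config port-security
            set port-security-mode 802.1X-mac-based
            set mac-auth-bypass enable
        end
    next
end
"""

def port_security_settings(config_text):
    """Return {interface: {option: value}} for every port-security block."""
    ports, stack, current = {}, [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))       # enter a nested section
        elif words[0] == "end" and stack:
            stack.pop()                             # leave the current section
        elif words[0] == "edit" and stack == ["switch interface"]:
            current = words[1].strip('"')
            ports[current] = {}
        elif words[0] == "next" and stack == ["switch interface"]:
            current = None
        elif (words[0] == "set" and len(words) >= 3 and current
              and stack == ["switch interface", "port-security"]):
            ports[current][words[1]] = " ".join(words[2:])
    return ports

def mab_only_ports(config_text):
    """Interfaces where MAB is enabled and is the only entry in auth-order."""
    return sorted(
        name for name, opts in port_security_settings(config_text).items()
        if opts.get("mac-auth-bypass") == "enable" and opts.get("auth-order") == "MAB"
    )

if __name__ == "__main__":
    print(mab_only_ports(SAMPLE_CONFIG))
```

The parser tracks only `config`/`edit`/`next`/`end` nesting, so multi-line quoted values in other sections of a backup are not handled.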

Before you begin

Before you start administering your FortiSwitch unit, this guide assumes that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit’s GUI and CLI.
