What’s new in FortiSwitchOS 7.4.3

Release 7.4.3 provides the following new features:

  • The FS-624F, FS-624F-FPOE, FS-648F, and FS-648F-FPOE models now support more features:

    • Multichassis link aggregation groups (MCLAGs).

    • Hardware-based layer-3 routing of IPv6 data traffic. This functionality applies to static routing, dynamic routing, VRRP, VRF, RVI, and IPv6 equal cost multi-path (ECMP) hardware routing.

    • Media Access Control security (MACsec) in both PSK mode and dynamic-CAK mode.

    • Enhanced access control list (ACL) support. You can now create an egress ACL with a maximum of 130 entries, add 240 entries to your ingress ACL (in the previous release, you could add 130 entries), use the ingress ACL to redirect traffic to the trunk, and display information about all ACL policies, egress ACL policies, or ingress ACL policies.

    • Quality of service (QoS).

  • Support for the Precision Time Protocol (PTP) has been expanded:

    • The FS-424E-Fiber, FS-448E, FS-448E-POE, and FS-448E-FPOE models now support the layer-2 PTP transparent clock using the peer-to-peer mode. Previously, these switches only supported the layer-2 and layer-3 PTP transparent clock using the end-to-end mode.

    • The FSR-424F-POE, FS-424E-Fiber, FS-448E, FS-448E-POE, and FS-448E-FPOE models now support the layer-2 PTP boundary clock using the end-to-end or peer-to-peer mode.

  • Port security has been improved:

    • You can now specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB).

    • You can now restrict logins from local administrator accounts when remote servers (such as TACACS+, LDAP, or RADIUS) are available. When the CLI command is enabled, FortiSwitchOS checks if all of the remote servers used by administrators are down before allowing a local administrator to log in. This option is applied globally; it is disabled by default.

    • When the Tunnel-Private-Group-ID attribute (used by the RADIUS server for the VLAN ID or name) has a Tag field, FortiSwitchOS will now ignore the Tag field so that the VLAN string is parsed correctly.

    • You can now use forced priority tagging on the egress ports of the FS-1xxE and FS-1xxF models. When the allowed-vlans command is set on a port, all egress traffic will have the priority tag of vlan=0. This command is most useful when the port is acting as an access port for native traffic only.

  • CLI support for downloading firmware images has been improved:

    • You can now specify an optional source IPv4 or IPv6 address when downloading a firmware image from a TFTP server to a FortiSwitch unit.

    • You can now use the CLI to download a firmware image from an SFTP server and stage it without restarting the FortiSwitch unit.

  • Storm control has been enhanced:

    • You can now monitor the rate at which packets are dropped when storm control is enabled and generate a log message when a specified threshold is exceeded.

    • You can now use an automation stitch to shut down a port when the storm-control dropped-packet rate is too high and bring up the port when the dropped-packet rate is below the specified threshold.

  • Support of Virtual Extensible LAN (VXLAN) has been enhanced:

    • You can now use DHCP snooping and DHCPv6 snooping with VXLAN. In addition, you can specify how many IP addresses are learned per interface for the DHCP-snooping binding database.

    • You can now add quality of service (QoS) capabilities to VXLAN traffic.

  • Support of the Spanning Tree Protocol (STP) has been enhanced:

    • The number of Multiple Spanning Tree Protocol (MSTP) instances supported has been increased.

    • The number of VLANs supported by Rapid Per-VLAN Spanning Tree Protocol (Rapid PVST+ or RPVST+) has been increased.

  • DHCP snooping has been enhanced:

    • A new monitor mode for DHCP snooping collects DHCP information from untrusted interfaces and stores it in the DHCP client or server database.

    • You can now monitor ARP packets for a specific VLAN and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database. By default, the information learned from ARP packets is kept for 24 hours. You can configure how long the information is kept from 5 minutes to 7 days or specify that the information is never removed from the DHCP-snooping database.

  • There are six new SNMP traps:

    • storm-control—This SNMP trap detects when there has been a change in the storm-control status.

    • fsTrapStitch1—This custom SNMP trap can be used as a trigger for an automation stitch.

    • fsTrapStitch2—This custom SNMP trap can be used as a trigger for an automation stitch.

    • fsTrapStitch3—This custom SNMP trap can be used as a trigger for an automation stitch.

    • fsTrapStitch4—This custom SNMP trap can be used as a trigger for an automation stitch.

    • fsTrapStitch5—This custom SNMP trap can be used as a trigger for an automation stitch.

  • You can now use five custom SNMP traps (fsStitchTrap1, fsStitchTrap2, fsStitchTrap3, fsStitchTrap4, and fsStitchTrap5) for automation actions.

  • You can use a new CLI command to disable the FortiSwitch hardware Reset button while the OS is running.

  • When the CPU usage exceeds the configured threshold value, the generated log message now includes the top five processes.

  • You can now use the GUI to specify which hash algorithm is used to hash passwords for new administrator accounts and updated passwords. You can select the PBKDF2 (with a lower or higher iteration count), SHA1, or SHA256 hash algorithm. By default, the SHA256 hash algorithm is used.

  • You can now specify multiple servers for the link probe.

  • When invalid data is entered into the configuration management database (CMDB), an error is now returned that will aid with debugging.

  • The Advanced Features License has been updated. The new license file is a text file signed by the Fortinet certificate authority (CA) for better security and includes the license key. The licensing SKUs remain the same. The updated license file is backwards compatible if FortiSwitchOS is downgraded.

  • There are two new buttons in the CLI console that allow you to copy the contents of the CLI console to the clipboard or erase the contents of the CLI console.

  • You can now use the CLI to specify the native customer VLAN (native-c-vlan) and allowed customer VLAN (allowed-c-vlan) when configuring QnQ (VLAN stacking).

  • You can use a new CLI command to regenerate the SSH server keys.

  • Fortinet now supports LINCE certification with certain FortiSwitch models.

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
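The port-security item above says that FortiSwitchOS now strips the Tag field from the RADIUS Tunnel-Private-Group-ID attribute before reading the VLAN string. The following Python is an added example, not Fortinet code and not the FortiSwitchOS implementation: it decodes a RADIUS attribute list, applies the RFC 2868 tag rule (attribute type 81; a first octet of 0x01 to 0x1F is a tag, anything above 0x1F is the first character of the string) and shows what a parser that keeps the tag byte would have produced instead. The attribute bytes are constructed for the example, not captured from a real server.

```python
from __future__ import annotations

import struct

# RADIUS attribute type number for Tunnel-Private-Group-ID (RFC 2868, section 3.6).
TUNNEL_PRIVATE_GROUP_ID = 81

# RFC 2868: the optional Tag octet is in the range 0x01-0x1F. A first octet above
# 0x1F is the first character of the string itself, i.e. the attribute is untagged.
MAX_TAG = 0x1F


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) | Length(1) | Value; Length covers the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a RADIUS attribute list and return (type, value) pairs; rejects truncated TLVs."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_tunnel_private_group_id(value: bytes) -> tuple[int | None, str]:
    """Split a Tunnel-Private-Group-ID value into (tag, vlan_string).

    The tag octet is removed before the VLAN ID or name is decoded, which is the
    behaviour the 7.4.3 note describes. Treating the whole value as the VLAN
    string yields '\\x01100' instead of '100', and no VLAN matches that.
    """
    if not value:
        raise ValueError("empty Tunnel-Private-Group-ID")
    if value[0] <= MAX_TAG:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")


def naive_vlan_string(value: bytes) -> str:
    """The pre-fix behaviour for comparison: the tag byte stays in the string."""
    return value.decode("ascii", errors="replace")


def vlans_from_access_accept(attribute_bytes: bytes) -> list[str]:
    """Extract every VLAN string from the attribute section of an Access-Accept."""
    return [parse_tunnel_private_group_id(v)[1]
            for t, v in decode_attributes(attribute_bytes)
            if t == TUNNEL_PRIVATE_GROUP_ID]


# Constructed sample: a tagged attribute (tag 1, VLAN "100") followed by an untagged
# attribute carrying a VLAN name. Not captured from a real RADIUS server.
SAMPLE_ATTRS = (encode_attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100")
                + encode_attribute(TUNNEL_PRIVATE_GROUP_ID, b"guest-vlan"))

if __name__ == "__main__":
    for attr_type, value in decode_attributes(SAMPLE_ATTRS):
        tag, vlan = parse_tunnel_private_group_id(value)
        print(f"type={attr_type} tag={tag} vlan={vlan!r} naive={naive_vlan_string(value)!r}")
```

The ASCII decode is deliberately strict: a VLAN ID or name that is not plain ASCII is rejected rather than silently mangled, which is the safer failure mode for an attribute that decides which VLAN a supplicant lands in.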
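The administrator-password item above lets you choose between PBKDF2 (lower or higher iteration count), SHA1 and SHA256. The Python below is an added example, not Fortinet code and not how FortiSwitchOS stores credentials: it implements the four choices as salted hashes, verifies a candidate in constant time, and reports the relative work factor an offline guesser pays for each scheme. The two iteration counts are assumptions for the example, since the release note does not state the values FortiSwitchOS uses.

```python
import hashlib
import hmac
import os

# Iteration counts for the "lower" and "higher" PBKDF2 settings are assumptions
# for this example; the release note does not state the values FortiSwitchOS uses.
PBKDF2_ITERATIONS = {"pbkdf2-low": 10_000, "pbkdf2-high": 100_000}
SINGLE_HASH = ("sha1", "sha256")
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, algorithm: str) -> bytes:
    """Return the salted digest of `password` under one of the four selectable schemes."""
    data = password.encode("utf-8")
    if algorithm in SINGLE_HASH:
        # One pass over salt||password: cheap for the device and equally cheap for a guesser.
        return hashlib.new(algorithm, salt + data).digest()
    if algorithm in PBKDF2_ITERATIONS:
        # PBKDF2-HMAC-SHA256: the iteration count is the tunable cost per guess.
        return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS[algorithm])
    raise ValueError(f"unsupported algorithm: {algorithm}")


def make_record(password: str, algorithm: str) -> dict:
    """Create a stored credential record: scheme name, fresh random salt, digest."""
    salt = os.urandom(SALT_BYTES)
    return {"alg": algorithm, "salt": salt, "digest": hash_password(password, salt, algorithm)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hash_password(candidate, record["salt"], record["alg"])
    return hmac.compare_digest(digest, record["digest"])


def relative_work_factor(algorithm: str) -> int:
    """Approximate cost per guess relative to one single-hash computation (= 1).

    PBKDF2 runs one HMAC per iteration, so a guesser pays roughly `iterations`
    times the cost of the SHA1/SHA256 schemes; the higher setting buys a further
    10x over the lower one under the counts assumed above.
    """
    if algorithm in SINGLE_HASH:
        return 1
    return PBKDF2_ITERATIONS[algorithm]


if __name__ == "__main__":
    record = make_record("example-admin-password", "pbkdf2-high")  # constructed sample
    print("correct password accepted:", verify_password(record, "example-admin-password"))
    print("wrong password rejected:  ", not verify_password(record, "example-admin-passw0rd"))
    for alg in ("sha1", "sha256", "pbkdf2-low", "pbkdf2-high"):
        print(f"{alg:12s} relative work per guess: {relative_work_factor(alg)}")
```

The per-record random salt matters as much as the scheme: without it, two administrators with the same password share a digest and precomputed tables apply across devices.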