What’s new in FortiSwitchOS 8.0.0

Release 8.0.0 provides the following new features:

  • GUI elements (such as radio buttons, checkboxes, and fields) are now highlighted in light blue to show that they have been changed. Some changed GUI elements, such as radio buttons and checkboxes, also have a circular arrow, which can be clicked to revert the changes.

  • Two types of OpenSSH security keys, sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519, are now supported for multifactor authentication (MFA). These security keys support FIDO2 hardware tokens.

  • The layer-2 interface for Routed VLAN interfaces (RVIs) is now shown on the Switch > Interfaces page with a checkmark in the L2 Interface column. When you edit an RVI in the GUI, only the options that can be changed are displayed. In addition, you can now enable or disable the ARP monitor for RVIs in the GUI.

  • DNS support has been enhanced:

    • You can now use the domain name system (DNS) over Transport Layer Security (TLS). DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data using man-in-the-middle attacks. DNS over TLS uses port 853. All FortiSwitch models support DNS over TLS.

    • When a Certificate Authority (CA) certificate is specified for the DNS server, FortiSwitchOS now validates the certificate before establishing the connection between the FortiSwitch unit and the DNS server.

    • The set dns-cache-limit command (under config system dns) now specifies the maximum size of the DNS cache memory from 1 to 1,023 KB with a default of 512 KB. Previously, the command specified the maximum number of entries in the DNS cache.

  • The length of the set location field (under the config system snmp sysinfo command) in the CLI has changed from 35 to 255 characters.

  • Configuration files backed up from the FortiSwitch unit are now signed by the FortiSwitch unit. When you restore the configuration file, the FortiSwitch unit verifies that the configuration file was generated on the same FortiSwitch unit and that the configuration file has not been changed since it was generated. You can select in the CLI whether the FortiSwitch unit rejects an unverified file or accepts it and logs a warning.

  • For the FS-424E-Fiber, FS-448E, FS-448E-POE, and FS-448E-FPOE models, you can now specify that FortiSwitchOS automatically selects the best source for the system clock. If multiple values are valid, the priority is Precision Time Protocol (PTP), then a Network Time Protocol (NTP) server, and finally a manual setting.

  • To increase network security, the security level for OpenSSL is now set to 2 by default. Before FortiSwitchOS 8.0.0, the security level for OpenSSL was set to 0 by default.

    You can now configure the OpenSSL security level in the CLI for various FortiSwitch applications. By default, all applications are set to 2. You can change the OpenSSL security level from 0 to 5, with 0 being the least secure and 5 being the most secure.

  • FortiSwitchOS now supports the Federal Risk and Authorization Management Program (FedRAMP) for the FSR-424FPOE, FS-4xxE, FS-6xxF, FS-1024E, FS-1048E, FS-T1024E, FS-T1024F-FPOE, FS-2048F, and FS-3032E models.

  • After the password of an admin is changed, all sessions being used by that admin are automatically closed. Previously, the admin could continue using active sessions after the admin’s password was changed.

  • You can now specify the public keys of up to three SSH clients in the GUI. These clients are authenticated without being asked for the administrator password.

  • You can now use File Transfer Protocol (FTP) and SSH FTP (SFTP) to import local certificates and certificate authority (CA) certificates in the CLI.

  • You can now use the CLI to turn off all LEDs on the front panel of certain FortiSwitch units. This feature is supported by the following models: FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, FS-148F-FPOE, FS-110G-FPOE, FS-124G, and FS-124G-FPOE.

  • The set speed auto-module command has been changed to set speed detect-by-module (under config switch physical-port).

  • The FSR-424F-POE model now supports split ports. Ports 29 and 30 can be split into 4x10G.

  • The FS-3032G model now supports split ports. Ports 1 to 31 can be split into 4x25G when configured for 100G or split into 4x10G when configured for 40G.

    In addition, the FS-3032G model now supports Clause 108 RS-FEC.

  • You can now edit multiple network interfaces and physical ports in the GUI at the same time. If the items have different values, the differences are highlighted in purple. You must select or enter the value to be used for the purple elements.

  • You can now perform IEEE 802.1X authentication with the EAP pass-through mode disabled.

  • The FSR-216F-POE, FSR-112F-POE, and FSR-108F models now support forced priority tagging.

  • The FSR-108F, FSR-112F-POE, FSR-216F-POE, FS-624F, FS-624F-FPOE, FS-648F, and FS-648F-FPOE models now support the MAC move feature. When 802.1X authentication is being used, you can move an 802.1X client between ports that are not directly connected to the FortiSwitch unit.

  • The FSR-108F, FSR-112F-POE, and FSR-216F-POE models now support Media Access Control security (MACsec), both in the static (PSK) mode and the dynamic-CAK mode, as well as the MACsec traffic statistics. These models support only the GCM-AES-128 cipher suite.

  • The FS-1024E, FS-T1024E, FS-T1024F-FPOE, and FS-2048F models now support IP source guard.

  • You can now use IPv6 routing with multichassis link aggregation groups (MCLAGs) with Virtual Router Redundancy Protocol (VRRP), open shortest path first (OSPF), and Border Gateway Protocol (BGP). This feature is available for the FSR-424F-POE, 200 Series, FS-4xxE, FS-1024E, FS-1048E, FS-1048G, FS-T1024E, FS-T1024F-FPOE, FS-2048F, FS-3032E, and FS-3032G models.

  • FortiSwitchOS now supports the Data Center Bridging Exchange (DCBX) protocol, Enhanced Transmission Selection (ETS), and Priority-based Flow Control (PFC) for the FS-T1024E, FS-T1024F-FPOE, FS-2048F, FS-3032E, and FS-3032G models.

    Four new DCBX TLVs can be added to LLDP profiles for ETS configuration, ETS recommendation, PFC configuration, and Application Priority.

    ETS allows you to assign class of service (CoS) queues to priority groups for priority-based flow control. There are 16 priority groups. You can assign a guaranteed percentage of link bandwidth to each priority group. For example, the new ets-qos-default QoS policy creates priority groups for lossy traffic, lossless traffic, and high-priority traffic.

    DCBX application priority allows you to communicate the priority for various protocols. For example, the new default-dcbx LLDP profile creates six application priority entries for Fibre Channel over Ethernet (FCoE) traffic using EtherType 0x8906, FCoE traffic using EtherType 0x8914, RDMA over Converged Ethernet (RoCE) version 1 traffic, RoCE version 2 traffic, Internet Small Computer Systems Interface (iSCSI) traffic using TCP port 860, and iSCSI traffic using TCP port 3260.

  • On the Switch > Interfaces page, the icon now indicates that auto-network is enabled on the switch. When the icon is blue, it indicates an active inter-switch link (ISL) trunk. Previously, the icon indicated that FortiLink discovery was enabled.

  • The FS-448E-FPOE and FS-448E-POE models now support two Media Redundancy Protocol (MRP) rings.

  • Layer-3 Precision Time Protocol (PTP) is now supported for the FSR-424F-POE, FS-424E-Fiber, FS-448E, FS-448E-POE, and FS-448E-FPOE models.

  • Layer-2 network address translation (NAT) is now supported for the FSR-108F, FSR-112F-POE, and FSR-216F-POE models.

  • You can now allow a Border Gateway Protocol (BGP) speaker to belong to multiple autonomous systems. This feature provides flexibility when networks are being reconfigured, as well as an additional layer of security when a company wants to protect their internal AS numbers. This feature is available for the FSR-424F-POE, FS-4xxE, FS-6xxF, FS-1024E, FS-1048E, FS-1048G, FS-T1024E, FS-T1024F-FPOE, FS-2048F, FS-3032E, and FS-3032G models.

  • You can now specify the open shortest path first (OSPF) reference bandwidth for routed VLAN interfaces (RVIs). When the reference bandwidth divided by the interface bandwidth is less than 1, the OSPF cost is set to 1. Lower interface bandwidths with the same reference bandwidth result in higher OSPF costs. By default, the OSPF reference bandwidth is set to 100 megabits per second. The range of values is 1-4,294,967. The OSPF reference bandwidth supports both IPv4 and IPv6. This feature is available on the FSR-424F-POE, 200 Series, FS-4xxE, FS-6xxF, FS-1024E, FS-1048E, FS-1048G, FS-T1024E, FS-T1024F-FPOE, FS-2048F, FS-3032E, and FS-3032G models.

  • You can now specify the network type of OSPF interfaces. By default, Ethernet links in OSPF form a broadcast network. Now, you can specify a point-to-point network or a point-to-multipoint network. For a point-to-point network or a point-to-multipoint network, no designated router or backup designated router election occurs, which simplifies OSPF and improves the OSPF performance. This feature is supported in IPv4 and IPv6. This feature is available on the FSR-424F-POE, 200 Series, FS-4xxE, FS-6xxF, FS-1024E, FS-1048E, FS-1048G, FS-T1024E, FS-T1024F-FPOE, FS-2048F, FS-3032E, and FS-3032G models.

  • Syslog messages are now listed on the Log > Entries page for the following:

    • When you download a local certificate, remote certificate, certificate authority, or certificate revocation list from the GUI

    • When there are GUI runtime errors

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
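
Client-side illustration of the DNS enhancements listed above (DoT on port 853, certificate validation against a CA before any query is sent, OpenSSL security level 2), added here as an example and not FortiSwitchOS code. The function names and the use of Python's `ssl` module are assumptions of this example; the 2-byte length prefix is the DNS-over-TCP framing that DoT reuses.

```python
import socket
import ssl
import struct
from typing import Callable, Optional, Tuple

DOT_PORT = 853  # DNS over TLS port named in the release notes


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query (RD flag set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(recv: Callable[[int], bytes]) -> bytes:
    """Read one length-prefixed message, tolerating short reads."""
    def exactly(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", exactly(2))
    return exactly(length)


def check_response(query: bytes, resp: bytes) -> Tuple[int, int]:
    """Return (rcode, answer count); reject replies that do not match the query."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount = struct.unpack("!HHHH", resp[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("reply does not match query")
    return flags & 0x000F, ancount


def make_context(cafile: Optional[str] = None, seclevel: int = 2) -> ssl.SSLContext:
    """Verifying TLS context: chain and hostname are checked during the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")  # OpenSSL security level
    return ctx


def resolve_dot(server_ip: str, server_name: str, qname: str, cafile: Optional[str] = None):
    """Query a DoT resolver; the handshake fails if the certificate does not verify."""
    query = build_query(qname)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with make_context(cafile).wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            return check_response(query, read_framed(tls.recv))
```

Passing `cafile` limits trust to that one CA instead of the system store, so a resolver certificate issued by any other authority fails the handshake before the query leaves the client.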
