FortiSwitch Managed By FortiOS 6 – Whatʼs new in FortiOS 6.0

Whatʼs new in FortiOS 6.0

The following list contains new features added in FortiOS 6.0. Click on a link to navigate to that section for further information.

  • Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)
  • Sharing FortiSwitch ports between VDOMs (391878)
  • sFlow support (450507)
  • Restricting the type of frames allowed through IEEE 802.1Q ports (448505)
  • Dynamic ARP inspection (DAI) support (462511)
  • FortiSwitch port mirroring support (457122)
  • Quarantining MAC addresses (459525)
  • Banning IP addresses (459525)
  • Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)
  • Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)
  • RADIUS accounting support (451023)
  • FortiLink mode supported over a layer-3 network (457103)
  • Limiting the number of parallel processes for FortiSwitch configuration (457103)
  • CLI changes for FortiLink mode (447349, 473773)
  • Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)
  • Network-assisted device detection (377467)

FortiOS 6.0

These features first appeared in FortiOS 6.0.

Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

    config switch vlan
        edit <integer>
            set switch-controller-learning-limit <limit>
        next
    end

For example:

    config switch vlan
        edit 100
            set switch-controller-learning-limit 20
        next
    end

Use the following CLI commands to limit MAC address learning on a port:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config ports
                edit <port>
                    set learning-limit <limit>
                next
            end
        next
    end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set learning-limit 50
                next
            end
        next
    end

Sharing FortiSwitch ports between VDOMs (391878)

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.
  3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

    config switch-controller global
        set default-virtual-switch-vlan <VLAN>
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  4. Create a virtual port pool (VPP) to contain the ports to be shared:

    config switch-controller virtual-port-pool
        edit <VPP_name>
            set description <string>
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

    config switch-controller virtual-port-pool
        edit "pool3"
            set description "pool for port3"
        next
    end

  5. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM, or export the FortiSwitch port to a VPP where it can be used by any VDOM:

    config switch-controller managed-switch
        edit <switch.id>
            config ports
                edit <port_name>
                    set {export-to-pool <VPP_name> | export-to <VDOM_name>}
                    set export-tags <string1,string2,string3,…>
                next
            end
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to-pool "pool3"
                    set export-tags "Pool 3"
                next
            end
        next
    end

For example, if you want to export a port to the VDOM named vdom3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to "vdom3"
                    set export-tags "VDOM 3"
                next
            end
        next
    end

  6. Request a port in a VPP:

    execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

    execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  7. Return a port to a VPP:

    execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example:

    execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

    config switch-controller switch-interface-tag
        edit <tag_name>
        next
    end

Use the following CLI command to list the contents of a specific VPP:

    execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

    execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • 802.1x
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • QoS
  • Port security
  • MCLAG

sFlow support (450507)

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

  • Flow samples: you specify the percentage of packets (one out of n packets) to randomly sample.
  • Counter samples: you specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

    config switch-controller sflow
        set collector-ip <x.x.x.x>
        set collector-port <port_number>
    end

Use the following CLI commands to configure sFlow:

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set sflow-sampler <disabled | enabled>
                    set sflow-sample-rate <0-99999>
                    set sflow-counter-interval <1-255>
                next
            end
        next
    end

For example:

    config switch-controller sflow
        set collector-ip 1.2.3.4
        set collector-port 10
    end

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port5
                    set sflow-sampler enabled
                    set sflow-sample-rate 10
                    set sflow-counter-interval 60
                next
            end
        next
    end

Restricting the type of frames allowed through IEEE 802.1Q ports (448505)

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

    config switch-controller managed-switch
        edit <SN>
            config ports
                edit <port_name>
                    set discard-mode <none | all-tagged | all-untagged>
                next
            end
        next
    end

Dynamic ARP inspection (DAI) support (462511)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

    config system interface
        edit vsw.test
            set switch-controller-arp-inspection <enable | disable>
        next
    end

    config switch-controller managed-switch
        edit <sn>
            config ports
                edit <VLAN_ID>
                    set arp-inspection-trust <untrusted | trusted>
                next
            end
        next
    end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

    diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

    diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>
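The check DAI performs is easier to reason about in code. The following model is an added example, not part of the FortiOS guide: an ARP packet arriving on an untrusted port in a DAI-enabled VLAN is forwarded only if its sender IP/MAC pair exists in the DHCP snooping binding table, which is why the guide requires DHCP snooping to be enabled first. Class, field and function names are constructed for this demo, not FortiOS identifiers.

```python
"""Added example (not part of the FortiOS guide): a minimal model of the
check Dynamic ARP inspection performs.  Trusted ports (typically uplinks)
are not inspected; on untrusted ports the ARP sender IP/MAC pair must match
a lease recorded by DHCP snooping.  Names are constructed for this demo."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    src_mac: str     # Ethernet source address
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address

class DaiSwitch:
    def __init__(self, trusted_ports: Set[str], dai_vlans: Set[int],
                 dhcp_snooping: bool = True):
        self.trusted_ports = trusted_ports
        self.dai_vlans = dai_vlans
        self.dhcp_snooping = dhcp_snooping
        # binding table: (vlan, ip) -> mac, populated only by DHCP snooping
        self.bindings: Dict[Tuple[int, str], str] = {}
        self.stats = {"forwarded": 0, "dropped": 0}

    def observe_dhcp_ack(self, vlan: int, ip: str, mac: str) -> None:
        """DHCP snooping records the lease; with snooping off nothing is learned."""
        if self.dhcp_snooping:
            self.bindings[(vlan, ip)] = mac.lower()

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP request or reply."""
        if pkt.vlan not in self.dai_vlans or pkt.ingress_port in self.trusted_ports:
            return self._verdict("forward")   # DAI does not apply here
        if pkt.src_mac.lower() != pkt.sender_mac.lower():
            return self._verdict("drop")      # Ethernet and ARP headers disagree
        bound_mac = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if bound_mac == pkt.sender_mac.lower():
            return self._verdict("forward")   # pair matches a real lease
        return self._verdict("drop")          # unknown or mismatched binding

    def _verdict(self, v: str) -> str:
        self.stats["forwarded" if v == "forward" else "dropped"] += 1
        return v

def demo(dhcp_snooping: bool = True):
    """Constructed scenario: one leased host, one reply claiming the gateway
    address that host never leased, and one ARP from the trusted uplink."""
    sw = DaiSwitch(trusted_ports={"port1"}, dai_vlans={100}, dhcp_snooping=dhcp_snooping)
    sw.observe_dhcp_ack(100, "10.0.100.20", "00:11:22:33:44:55")
    host = ArpPacket("port5", 100, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.100.20")
    spoof = ArpPacket("port5", 100, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.100.1")
    uplink = ArpPacket("port1", 100, "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", "10.0.100.1")
    verdicts = [sw.inspect(p) for p in (host, spoof, uplink)]
    return verdicts, sw.stats
```

Running demo(dhcp_snooping=False) shows the failure mode the guide warns about: with no binding table, even the legitimately leased host's ARP is dropped on the untrusted port.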

FortiSwitch port mirroring support (457122)

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config mirror
                edit <mirror_name>
                    set status <active | inactive>
                    set dst <port_name>
                    set switching-packet <enable | disable>
                    set src-ingress <port_name>
                    set src-egress <port_name>
                next
            end
        next
    end

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config mirror
                edit 2
                    set status active
                    set dst port1
                    set switching-packet enable
                    set src-ingress port2 port3
                    set src-egress port4 port5
                next
            end
        next
    end

Quarantining MAC addresses (459525)

To create a permanent quarantine of specific MAC addresses, use the following CLI commands:

    config user quarantine
        set quarantine enable
        config targets
            edit <MAC_address>
                set description <string>
                set tags <tag1 tag2 tag3 …>
            next
        end
    end

    Option                        Description
    MAC_address_1, MAC_address_2  A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
    string                        Optional. A description of the MAC address being quarantined.
    tag1 tag2 tag3 …              Optional. A list of arbitrary strings.

For example:

    config user quarantine
        set quarantine enable
        config targets
            edit 00:00:00:aa:bb:cc
                set description "infected by virus"
                set tags "quarantined"
            next
        end
    end

Previously, this feature used the config switch-controller quarantine CLI command.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.
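During an incident the targets table usually gets several entries at once. The generator below is an added example, not part of the FortiOS guide: it normalises each address to the 12:34:56:aa:bb:cc form the table above requires, rejects anything that is not a MAC address, and emits one config user quarantine block. The function names, the backslash escaping of quoted strings, and the sample entries are assumptions made for this demo.

```python
"""Added example (not part of the FortiOS guide): build one
`config user quarantine` block for a list of MAC addresses, normalising
each to colon form and rejecting malformed input before it reaches the CLI.
Function names and the escaping rule are assumptions for this demo."""
import re
from typing import Iterable, Sequence, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 001122aabbcc; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(mac)
    return mac

def _quote(value: str) -> str:
    # assumed FortiOS string quoting: double quotes, backslash-escaped
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def quarantine_config(entries: Iterable[Tuple[str, str, Sequence[str]]],
                      enable: bool = True) -> str:
    """entries: (mac, description, tags) triples -> CLI text for the targets table."""
    lines = ["config user quarantine",
             f"    set quarantine {'enable' if enable else 'disable'}",
             "    config targets"]
    seen = set()
    for mac, description, tags in entries:
        mac = normalize_mac(mac)
        if mac in seen:          # a duplicate edit would only reopen the same entry
            continue
        seen.add(mac)
        lines.append(f"        edit {mac}")
        if description:
            lines.append(f"            set description {_quote(description)}")
        if tags:
            lines.append("            set tags " + " ".join(_quote(t) for t in tags))
        lines.append("        next")
    lines += ["    end", "end"]
    return "\n".join(lines)

# constructed sample: the same host written two ways, plus one more
SAMPLE_ENTRIES = [
    ("00-11-22-AA-BB-CC", "infected by virus", ["quarantined"]),
    ("001122aabbcc", "", []),
    ("0011.22dd.eeff", "lateral movement source", ["quarantined", "ir-2024-q1"]),
]
```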

Banning IP addresses (459525)

To temporarily ban an IP address, use the following CLI command:

    diagnose user ban add src4 <IPv4_address>

Previously, this feature used the diagnose user quarantine CLI command.

Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)

You can now synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

    execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

    execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number>
    execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

    execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM:

    execute switch-controller get-sync-status all

For example:

    FG100D3G14813513 (root) # execute switch-controller get-sync-status all
    Managed-devices in current vdom root:

    STACK-NAME: FortiSwitch-Stack-port5
    SWITCH (NAME)                      STATUS  CONFIG  MAC-SYNC  UPGRADE
    FS1D243Z14000173                   Up      Idle    Idle      Idle
    S124DP3X16006228 (Desktop-Switch)  Up      Idle    Idle      Idle

Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

    config switch-controller global
        set https-image-push enable
    end

RADIUS accounting support (451023)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START: the FortiSwitch has been successfully authenticated, and the session has started.
  • STOP: the FortiSwitch session has ended.
  • INTERIM: periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON: FortiSwitch will send this message when the switch is turned on.
  • OFF: FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

    config user radius
        edit <RADIUS_server_name>
            set acct-interim-interval <seconds>
            config accounting-server
                edit <entry_ID>
                    set status {enable | disable}
                    set server <server_IP_address>
                    set secret <secret_key>
                    set port <port_number>
                next
            end
        next
    end

FortiLink mode supported over a layer-3 network (457103)

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode:

    config system global
        set switch-mgmt-mode fortilink
    end

  3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

    config switch-controller global
        set ac-discovery dhcp
        set dhcp-option-code <integer>
    end

To use static discovery:

    config switch-controller global
        set ac-discovery static
        config ac-list
            edit <integer>
                set ipv4-address <IPv4_address>
            next
        end
    end

  4. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

    config switch interface
        edit <port_number>
            set fortilink-l3-mode enable
        next
    end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

Limiting the number of parallel processes for FortiSwitch configuration (457103)

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

    config global
        config switch-controller system
            set parallel-process-override enable
            set parallel-process <1-300>
        end
    end

CLI changes for FortiLink mode (447349, 473773)

There are changes to the execute switch-controller get-physical-connection, execute switch-controller get-conn-status, and diagnose switch-controller dump network-upgrade status CLI commands.

  • The execute switch-controller get-physical-connection CLI command has new parameters. Use the execute switch-controller get-physical-connection standard command to get the FortiSwitch stack connectivity graph in the standard output format. Use the execute switch-controller get-physical-connection dot command to get the FortiSwitch stack connectivity graph in a .dot (Graphviz) output format.
  • The execute switch-controller get-conn-status CLI command output now includes virtual FortiSwitch units. Virtual FortiSwitch units are indicated by an asterisk (*) after the switch identifier. For example:

    execute switch-controller get-conn-status

    STACK-NAME: FortiSwitch-Stack-port2
    SWITCH-ID            VERSION STATUS ADDRESS JOIN-TIME NAME
    S108DV2EJZDAC42F     v3.6.0 Authorized/Up 169.254.2.4 Thu Feb 8 17:07:35 2018
    S108DV4FQON40Q07     v3.6.0 Authorized/Up 169.254.2.5 Thu Feb 8 17:08:37 2018
    S108DVBWVLH4QGEB     v3.6.0 Authorized/Up 169.254.2.6 Thu Feb 8 17:09:13 2018
    S108DVCY19SA0CD8     v3.6.0 Authorized/Up 169.254.2.2 Thu Feb 8 17:04:41 2018
    S108DVD98KMQGC44*    v3.6.0 Authorized/Up 169.254.2.7 Thu Feb 8 17:10:50 2018
    S108DVGGBJLQQO48*    v3.6.0 Authorized/Up 169.254.2.3 Thu Feb 8 17:06:57 2018
    S108DVKM5T2QEA92     v3.6.0 Authorized/Up 169.254.2.8 Thu Feb 8 17:11:00 2018
    S108DVZX3VTAOO45     v3.6.0 Authorized/Up 169.254.2.9 Thu Feb 8 17:11:00 2018
    Managed-Switches: 8 UP: 8 DOWN: 0
  • The diagnose switch-controller dump network-upgrade status CLI command output now includes the location of the image that is loaded when the FortiSwitch unit is restarted. If the Next boot column is blank, the FortiSwitch unit uses the same location each time it is restarted. The Status column shows the percentage downloaded, the percentage erased in flash memory, and the percentage written to flash memory.

For example:

    diagnose switch-controller dump network-upgrade status

                       Running                                   Status     Next boot
    __________________ ________________________________________ _________ ___________________________
    VDOM : root
    S108DVCY19SA0CD8   S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)   S108DV-v3.7.0build4277,171207 (Interim)
    S108DV2EJZDAC42F   S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)
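Parsing the get-conn-status output shown above is a small but useful monitoring task: a switch that is not Authorized/Up, or a serial that unexpectedly carries the virtual-unit asterisk, is worth an alert. The following parser is an added example, not part of the FortiOS guide; SAMPLE_OUTPUT is a constructed copy of the guide's output with one row altered to show a down switch, and the function names are assumptions for this demo.

```python
"""Added example (not part of the FortiOS guide): parse the output of
`execute switch-controller get-conn-status`, flag switches that are not
Authorized/Up, list virtual FortiSwitch units (serial followed by '*'),
and cross-check the summary counters.  SAMPLE_OUTPUT is constructed."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID            VERSION STATUS ADDRESS JOIN-TIME NAME
S108DV2EJZDAC42F     v3.6.0 Authorized/Up 169.254.2.4 Thu Feb 8 17:07:35 2018
S108DVD98KMQGC44* v3.6.0 Authorized/Up 169.254.2.7 Thu Feb 8 17:10:50 2018
S108DVZX3VTAOO45     v3.5.0 Authorized/Down 169.254.2.9 Thu Feb 8 17:11:00 2018 lab-sw
Managed-Switches: 3 UP: 2 DOWN: 1
"""

# A data row: serial, optional '*' for a virtual unit, version, status,
# address, join time, optional name.  Header and summary lines never match
# because their second column does not start with a lowercase 'v'.
ROW = re.compile(
    r"^(?P<sn>\S+?)(?P<virt>\*)?\s+(?P<ver>v\S+)\s+(?P<status>\S+)\s+"
    r"(?P<addr>\S+)\s+(?P<joined>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
    r"\s*(?P<name>.*)$"
)

@dataclass
class SwitchRow:
    serial: str
    virtual: bool
    version: str
    status: str
    address: str
    joined: str
    name: str

def parse_conn_status(text: str) -> List[SwitchRow]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(SwitchRow(m["sn"], m["virt"] == "*", m["ver"], m["status"],
                                  m["addr"], m["joined"], m["name"].strip()))
    return rows

def not_up(rows: List[SwitchRow]) -> List[str]:
    """Serials a monitoring alert should name."""
    return [r.serial for r in rows if r.status != "Authorized/Up"]

def virtual_units(rows: List[SwitchRow]) -> List[str]:
    return [r.serial for r in rows if r.virtual]

def summary_consistent(text: str, rows: List[SwitchRow]) -> bool:
    """Check the Managed-Switches / UP / DOWN counters against the parsed rows."""
    m = re.search(r"Managed-Switches:\s*(\d+)\s+UP:\s*(\d+)\s+DOWN:\s*(\d+)", text)
    if not m:
        return False
    total, up, down = (int(g) for g in m.groups())
    ups = sum(r.status == "Authorized/Up" for r in rows)
    return total == len(rows) and up == ups and down == total - ups
```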

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.

The Upgrade FortiSwitches page opens.

  4. Select FortiGuard or select Upload and then select the firmware file to upload.

You can select only one firmware image to use to upgrade the selected FortiSwitch units. If the FortiSwitch unit already has the latest firmware image, it will not be upgraded.

  5. Select Upgrade.

Network-assisted device detection (377467)

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

    config switch-controller network-monitor-settings
        set network-monitoring enable
    end


This entry was posted in Administration Guides, FortiOS 6, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
