Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Feature Visibility – FortiOS 6.2

Feature Visibility

Feature Visibility is used to control which features are visible in the GUI. This allows you to hide features that are not being used. Some features are also disabled by default and must be enabled in order to configure them through the GUI.

Feature Visibility only alters the visibility of these features, rather than their functionality. For example, disabling web filtering on the Feature Visibility page does not remove web filtering from the FortiGate, but removes the option of configuring web filtering from the GUI. Configuration options will still be available using the CLI.

Enabling/disabling features

Feature Visibility can be found at System > Feature Visibility. Ensure that all features you wish to configure in the GUI are turned on, and that features you wish to hide are turned off. When you have finished, select Apply. Security feature presets

The main security features can be toggled individually, however six system presets (or Feature Sets) are available:

  • NGFW should be chosen for networks that require application control and protection from external attacks. l ATP should be chosen for networks that require protection from viruses and other external threats. l WF should be chosen for networks that require web filtering. l NGFW + ATP should be chosen for networks that require protection from external threats and attacks.
  • UTM should be chosen for networks that require protection from external threats and wish to use security features that control network usage. This is the default setting.
  • Custom should be chosen for networks that require customization of available features (including the ability to select all features).

Dashboard – FortiOS 6.2

Dashboard

The FortiOS Dashboard consists of a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive. By clicking or hovering over most widgets, the user can see additional information or follow links to other pages.

The dashboard and its widgets include:

  • Multiple dashboard support l VDOM and global dashboards l Widget resize control l Notifications on the top header bar

The following widgets are displayed by default:

Widget Description
System Information The System Information widget lists information relevant to the FortiGate system, including hostname, serial number, and firmware.
Security Fabric The Security Fabric widget displays a visual summary of many of the devices in the Fortinet Security Fabric.
CPU The real-time CPU usage is displayed for different time frames.
Widget Description
Licenses Hovering over the Licenses widget results in the display of status information (and, where applicable, database information) on the licenses for FortiCare Support, Firmware & General Updates, AntiVirus, Web Filtering, Security Rating,

FortiClient, and FortiToken. Note that Mobile Malware is not a separate service in FortiOS 6.0.0. The Mobile Malware subscription is included with the AntiVirus subscription. Clicking in the Licenses widget provides you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud This widget displays FortiCloud status and provides a link to activate FortiCloud.
Administrators This widget allows you to view: l which administrators are logged in and how many sessions are active (a link directs you to a page displaying active administrator sessions) l all connected administrators and the protocols used by each
Memory Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.
Sessions Hovering over the Sessions widget allows you to view memory usage data over time. Click on the down arrow to change the timeframe displayed.

Security processing unit, or SPU, percentage is displayed if your FortiGate includes an SPU. Likewise, nTurbo percentage is displayed if supported by your FortiGate.

Bandwidth Hover over the Bandwidth widget to display bandwidth usage data over time. Click on the down arrow to change the timeframe displayed. Bandwidth is displayed for both incoming and outgoing traffic.
Virtual Machine The VM widget (shown by default in the dashboard of a FortiOS VM device) includes:

l License status and type l CPU allocation usage l License RAM usage l VMX license information (if the VM supports VMX)

If the VM license specifies ‘unlimited’ the progress bar is blank. If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows the number of evaluation days used.

The following optional widgets are also available:

  • FortiView l Host Scan Summary
  • Vulnerabilities Summary l Botnet Activity l HA Status l Log Rate l Session Rate l Security Fabric Score l Advanced Threat Protection Statistics l Interface Bandwidth

Modifying dashboard widget titles

Dashboard widget titles can be modified so that widgets with different filters applied can be easily differentiated. The widget has a default title unless you set a new title.

Syntax

config system admin edit <name> config gui-dashboard config widget edit 9 set type fortiview …

set title “test source by bytes”

end

end

end

Menus – FortiOS 6.2

Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI as expected, go to System > Feature Visibility and ensure the feature is enabled. For more information, see Feature Visibility on page 18.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard The dashboard displays various widgets that display important system information and allow you to configure some system options.

For more information, see Dashboard on page 16.

Security Fabric Access the physical topology, logical topology, audit, and settings features of the Fortinet Security Fabric.

For more information, see Security Fabric on page 72.

FortiView A collection of dashboards and logs that give insight into network traffic, showing which users are creating the most traffic, what sort of traffic it is, when the traffic occurs, and what kind of threat the traffic may pose to the network.
Network Options for networking, including configuring system interfaces and routing options.

For more information, see Network Configurations on page 95.

System Configure system settings, such as administrators, FortiGuard, and certificates. For more information, see System Configurations on page 150.
Policy & Objects Configure firewall policies, protocol options, and supporting content for policies, including schedules, firewall addresses, and traffic shapers.

For more information, see Policies and Objects on page 224.

Security Profiles Configure your FortiGate’s security features, including AntiVirus, Web Filtering, and Application Control.

For more information, see Security Profiles on page 280.

VPN Configure options for IPsec and SSL virtual private networks (VPNs).

For more information, see IPsec VPNs on page 412 and SSL VPN on page 571.

User & Device Configure user accounts, groups, and authentication methods, including external authentication and single sign-on (SSO).
WiFi & Switch Controller Configure the unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi and FortiAP units.

On certain FortiGate models, this menu has additional features allowing for FortiSwitch units to be managed by the FortiGate.

For more information, see WiFi on page 639.

Log & Report Configure logging and alert email as well as reports.

For more information, see Log and Report on page 718.

Monitor View a variety of monitors, including the Routing Monitor, VPN monitors for both IPsec and SSL, monitors relating to wireless networking, and more.

Differences between models FortiOS 6.2

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on this models are only available in the CLI.

FortiGate models differ principally by the names used and the features available:

  • Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.
  • Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature Visibility and confirm that the feature is enabled.

Managed FortiSwitch Troubleshooting

Troubleshooting

Troubleshooting FortiLink issues

If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following troubleshooting checks.

Check the FortiGate configuration

To use the FortiGate GUI to check the FortiLink interface configuration:

  1. In Network > Interfaces, double-click the interface used for FortiLink.
  2. Ensure that Dedicated to FortiSwitch is set for this interface.

To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:

  1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list:

show system ntp

  1. Ensure that the DHCP server on the Fortilink interface is configured correctly:

show system dhcp

Check the FortiSwitch configuration

To use FortiSwitch CLI commands to check the FortiSwitch configuration:

  1. Verify that the switch system time matches the time on the FortiGate:

get system status

  1. Verify that FortiGate has sent an IP address to the FortiSwitch (anticipate an IP address in the range 169.254.x.x):

get system interfaces

  1. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

To use FortiGate CLI commands to check the FortiSwitch configuration:

  1. Verify that the connections from the FortiGate to the FortiSwitch units are up:

exec switch-controller get-conn-status

  1. Verify that ports for a specific FortiSwitch stack are connected to the correct locations:

exec switch-controller get-physical-conn <FortiSwitch-Stack-ID>

  1. Verify that all the ports for a specific FortiSwitch are up:

exec switch-controller get-conn-status <FortiSwitch-device-ID>

Check FortiSwitch connections

Use the following CLI command for detailed diagnostic information on the managed FortiSwitch connections: execute switch-controller diagnose-connection <FortiSwitch_serial_number>

If the FortiSwitch serial number is omitted, only the FortiLink configuration is checked.

Additional capabilities

Additional capabilities

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command edit <cmd-name> set command ” <FortiSwitch commands>”

Next, create a command file to set the STP max-age parameter:

config switch-controller custom-command edit “stp-age-10” set command “config switch stp setting set max-age 10

end

” next

end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch: exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

# exec switch-controller custom-command stp-age-10 S124DP3X15000118

View and upgrade the FortiSwitch firmware version

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.

The Upgrade FortiSwitches page opens.

  1. Select FortiGuard or select Upload and then select the firmware file to upload.

If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.

  1. Select Upgrade.

Using the CLI

Use the following command to display the latest version: diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image: diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D FS224D – 3.4.2 b192 03004000FIMG0900904002FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002

Download image-03004000FIMG0900904002:

################################################################################ Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global set https-image-push enable end

FortiSwitch log export

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example: execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller restart-swtp-delayed ALL

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to “fortiswitch-syslog” for each entry.

The following is the CLI command syntax:

config switch-controller switch-log set status (*enable | disable)

set severity [emergency | alert | critical | error | warning | notification |

*information | debug] end

You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch edit <switch-id> config switch-log set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices: diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG.

config switch-controller managed-switch edit <switch-id> config ports it <trunk name> set type trunk

set mode < static | lacp > Link Aggregation mode set bundle (enable | disable) set min-bundle <int> set max-bundle <int> set members < port1 port2 …>

next

end

end

end

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG on page 48 and Standalone FortiGate unit with dual-homed FortiSwitch access on page 49. Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported. l There is a maximum of two FortiSwitch models per MCLAG. l The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch unis:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk edit “LAG-member” set mode lacp-active set mclag-icl enable set members “<port>” “<port>”

next

  1. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch edit “<switch-id>” config ports edit “<trunk name>”

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

set type trunk

set mode {static | lacp-passive | lacp-active} set bundle {enable | disable} set members “<port>,<port>” set mclag {enable | disable}

next

end

next

  1. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller storm-control set rate <rate> set unknown-unicast (enable | disable) set unknown-multicast (enable | disable) set broadcast (enable | disable)

end

You can override the global storm control settings for a FortiSwitch using the following commands:

config switch-controller managed-switch edit <switch-id> config storm-control set local-override enable

At this point, you can configure the storm control settings that apply to this specific switch.

Displaying port statistics

Port statistics will be accessed using the following FortiSwitch CLI command:

FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8 S124DP3X16000413 0 :

{

“port8”:{

“tx-bytes”:823526672,

“tx-packets”:1402390,

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

“tx-ucast”:49047,

“tx-mcast”:804545,

“tx-bcast”:548798,

“tx-errors”:0,

“tx-drops”:3,

“tx-oversize”:0,

“rx-bytes”:13941793,

“rx-packets”:160303,

“rx-ucast”:148652,

“rx-mcast”:7509,

“rx-bcast”:4142,

“rx-errors”:0,

“rx-drops”:720,

“rx-oversize”:0,

“undersize”:0,

“fragments”:0,

“jabbers”:0,

“collisions”:0,

“crc-alignments”:0,

“l3packets”:0

}

}

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports. The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port. l Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitch units:

  1. Configure a Dot1p map.

A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

config switch-controller qos dot1p-map edit <Dot1p map name> set description <text> set priority-0 <queue number> set priority-1 <queue number> set priority-2 <queue number>

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

set priority-3 <queue number> set priority-4 <queue number> set priority-5 <queue number> set priority-6 <queue number> set priority-7 <queue number>

next

end

  1. Configure a DSCP map.

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices: o network-control—Network control o internetwork-control—Internetwork control o critic-ecp—Critic and emergency call processing (ECP) o flashoverride—Flash override o flash—Flash o immediate—Immediate

o priority—Priority o routine—Routine

config switch-controller qos ip-dscp-map edit <DSCP map name> set description <text> configure map <map_name> edit <entry name> set cos-queue <COS queue number>

set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF |

CS6 | CS7} set ip-precedence {network-control | internetwork-control | critic-ecp

| flashoverride | flash | immediate | priority | routine} set value <DSCP raw value>

next

end

end

  1. Configure the egress QoS policy.

In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:

  • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
  • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
  • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

config switch-controller qos queue-policy edit <QoS egress policy name> set schedule {strict | round-robin | weighted} config cos-queue

Synchronizing the FortiGate unit with the managed FortiSwitch units

edit [queue-<number>] set description <text> set min-rate <rate in kbps> set max-rate <rate in kbps>

set drop-policy {taildrop | random-early-detection} set weight <weight value>

next

end

next

end

  1. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy edit <QoS egress policy name> set default-cos <default CoS value 0-7> set trust-dot1p-map <Dot1p map name> set trust-ip-dscp-map <DSCP map name> set queue-policy <queue policy name>

next

end

Configure each switch port.

config switch-controller managed-switch edit <switch-id> config ports edit <port> set qos-policy <CoS policy>

next

end

next

end

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number> execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Replacing a managed FortiSwitch unit

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM: execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                               STATUS CONFIG             MAC-SYNC          UPGRADE

FS1D243Z14000173                           Up       Idle               Idle               Idle

S124DP3X16006228 (Desktop-Switch)       Up       Idle               Idle               Idle

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE: Both FortiSwitch units must be of the same model. The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.

To replace a managed FortiSwitch unit:

  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version on page 100.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller> Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

config vdom edit <VDOM_name> execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom edit vdom_new execute replace-device fortiswitch fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

Replacing a managed FortiSwitch unit

execute replace-device fortiswitch <failed_FortiSwitch_serial_number>

<replacement_FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.

FortiSwitch port security policy

FortiSwitch port security policy

To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate using the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users. Alternatively, you can specify a VLAN for users whose authentication was unsuccessful.

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This chapter covers the following topics:

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings set reauth-period < int > set max-reauth-attempt < int >

set link-down-auth < *set-unauth | no-action > end

Override the virtual domain settings

Option Description
set link-down-auth If a link is down, this command determines the authentication state. Choosing set-auth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-auth means that the interface does not need to be reauthenticated when a link is down.
set reauth-period This command sets how often reauthentication is needed. The range is 11440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthenticaion.
set max-reauth-attempt This command sets the maximum number of reauthentication attempts. The range is 1-15. the default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch edit < switch > config 802-1X-settings set local-override [ enable | *disable ] set reauth-period < int >                 // visible if override enabled set max-reauth-attempt < int >             // visible if override enabled set link-down-auth < *set-unauth | no-action >   // visible if override enabled

end

next end

Define an 802.1X

For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller> FortiSwitch Security Policies.
  2. Select Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X edit “<policy.name>” set security-mode {802.1X | 802.1X-mac-based)

set user-group <*group_name | Guest-group | SSO_Guest_Users> set mac-auth-bypass [enable | *disable] set eap-passthru [enable | disable] set guest-vlan [enable | *disable] set guest-vlan-id “guest-VLAN-name” set guest-auth-delay <integer> set auth-fail-vlan [enable | *disable] set auth-fail-vlan-id “auth-fail-VLAN-name” set radius-timeout-overwrite [enable | *disable] set policy-type 802.1X

end end

Option Description
set security-mode You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.

 

Option                                                Description
You can set a specific group name, Guest-group, or SSO_Guest_Users to set user-group

have access. This setting is mandatory.

set mac-auth-bypass           You can enable or disable MAB on this interface.
set eap-passthrough           You can enable or disable EAP pass-through mode on this interface.
set guest-vlan                You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id “guest-

You can specify the name of the guest VLAN.

VLAN-name”

set guest-auth-delay          You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.
You can enable or disable authentication fail VLAN on this interface to set auth-fail-vlan allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id    You can specify the name of the authentication fail VLAN “auth-fail-VLAN-name”
set radius-timeout- You can enable or disable whether the session timeout for the RADIUS overwrite server will overwrite the local timeout.
set policy-type 802.1X        You can set the policy type to the 802.1X security policy.

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch edit <managed-switch> config ports

edit <port> set port-security-policy <802.1X-policy>

Test 802.1x authentication with monitor mode

next

end

next

end

Test 802.1x authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X edit “<policy_name>” set open-auth {enable | disable}

next

end

Restrict the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN> config ports edit <port_name> set discard-mode <none | all-tagged | all-untagged>

next

next

end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

l START—The FortiSwitch has been successfully authenticated, and the session has started. l STOP—The FortiSwitch session has ended. l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command. l ON—FortiSwitch will send this message when the switch is turned on. l OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units: config user radius

edit <RADIUS_server_name> set acct-interim-interval <seconds> config accounting-server edit <entry_ID> set status {enable | disable} set server <server_IP_address> set secret <secret_key> set port <port_number>

next

end

next end

Configuring ports using the FortiGate CLI

Configuring ports using the FortiGate CLI

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch edit <switch> config ports edit <port> set description <text> set speed <speed> set status {down | up}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set description “First port” set speed auto set status up

end

end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.

 

  1. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global

set default-virtual-switch-vlan <VLAN>

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  1. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool edit <VPP_name> description <string>

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool edit “pool3” description “pool for port3”

next

end

  1. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch edit <switch.id> config ports edit <port_name> set {export-to-pool <VPP_name> | export-to <VDOM_name>} set export-tags <string1,string2,string3,…>

next

end

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to-pool “pool3” set export-tags “Pool 3”

next

end

next end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to “vdom3” set export-tags “VDOM 3”

next

end

next

end

  1. Request a port in a VPP: execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  1. Return a port to a VPP: execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example: execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP: execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents: execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features: l LLDP

  • 1x l STP l BPDU guard l Root guard l DHCP snooping l IGMP snooping l QoS
  • Port security l MCLAG

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan edit <integer> set switch-controller-learning-limit <limit>

end

end

For example:

config switch vlan edit 100 set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config ports edit <port> set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set learning-limit 50

next

end

end

end

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global set mac-aging-interval <10 to 1000000> end

For example:

config switch-controller global set mac-aging-interval 500

end

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are save:

config switch-controller global set mac-violation-timer <0-1500>

set log-mac-limit-violations {enable | disable}

end

For example:

config switch-controller global set mac-violation-timer 1000 set log-mac-limit-violations enable

end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller dump mac-limit-violations all <FortiSwitch_serial_ number>
  • diagnose switch-controller dump mac-limit-violations interface <FortiSwitch_ serial_number> <port_name>
  • diagnose switch-controller dump mac-limit-violations vlan <FortiSwitch_serial_ number> <VLAN_ID>

For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit: diagnose switch-controller dump mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_ number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_ number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_ serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set dhcp-snooping {trusted | untrusted}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set dhcp-snooping trusted

end

end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set poe-status {enable | disable}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set poe-status enable

end

end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status get switch-controller <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6

Port(6) Power:3.90W, Power-Status: Delivering Power

Power-Up Mode: Normal Mode

Remote Power Device Type: IEEE802.3AT PD

Power Class: 4

Defined Max Power: 30.0W, Priority:3

Voltage: 54.00V

Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch edit <switch> config ports edit <port> set edge-port {enable | disable}

end end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set edge-port enable

end

end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings on page 71.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set stp-state {enabled | disabled} end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command: diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0    
MST Instance Information, primary-Channel:

Instance ID :     0

Switch Priority : 24576

Root MAC Address :       085b0ef195e4

Root Priority:      24576

Root Pathcost:      0

Regional Root MAC Address :      085b0ef195e4

     
Regional Root Priority: 24576          
Regional Root Path Cost: Remaining Hops:  20 0          
This Bridge MAC Address : This bridge is the root 085b0ef195e4          
Port

Protection

Speed Cost Priority Role State Edge STP-Status Loop
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1 200000000 128 DISABLED DISCARDING YES ENABLED NO
port2 200000000 128 DISABLED DISCARDING YES ENABLED NO
port3 200000000 128 DISABLED DISCARDING YES ENABLED NO
port4 200000000 128 DISABLED DISCARDING YES ENABLED NO
port5 200000000 128 DISABLED DISCARDING YES ENABLED NO
port6 200000000 128 DISABLED DISCARDING YES ENABLED NO
port7 200000000 128 DISABLED DISCARDING YES ENABLED NO
port8 200000000 128 DISABLED DISCARDING YES ENABLED NO
port9 200000000 128 DISABLED DISCARDING YES ENABLED NO
port10 200000000 128 DISABLED DISCARDING YES ENABLED NO
port11 200000000 128 DISABLED DISCARDING YES ENABLED NO
port12 200000000 128 DISABLED DISCARDING YES ENABLED NO
port13 200000000 128 DISABLED DISCARDING YES ENABLED NO
port14 200000000 128 DISABLED DISCARDING YES ENABLED NO
port15 200000000 128 DISABLED DISCARDING YES ENABLED NO
port16 200000000 128 DISABLED DISCARDING YES ENABLED NO
port17 200000000 128 DISABLED DISCARDING YES ENABLED NO
port18 200000000 128 DISABLED DISCARDING YES ENABLED NO
port19 200000000 128 DISABLED DISCARDING YES ENABLED NO
port20 200000000 128 DISABLED DISCARDING YES ENABLED NO
port21 200000000 128 DISABLED DISCARDING YES ENABLED NO
port22 200000000 128 DISABLED DISCARDING YES ENABLED NO
port23 200000000 128 DISABLED DISCARDING YES ENABLED NO
port25 200000000 128 DISABLED DISCARDING YES ENABLED NO
port26 200000000 128 DISABLED DISCARDING YES ENABLED NO
port27 200000000 128 DISABLED DISCARDING YES ENABLED NO
port28 200000000 128 DISABLED DISCARDING YES ENABLED NO
port29 200000000 128 DISABLED DISCARDING YES ENABLED NO  
port30 200000000 128 DISABLED DISCARDING YES ENABLED NO  
internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO  
__FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO  

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:

l You must define the port as an edge port with the set edge-port enable command. l You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id>

config ports edit <port name> set stp-bpdu-guard {enabled | disabled} set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-bpdu-guard enabled set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command: diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status
S524DF4K15000024

Managed Switch : S524DF4K15000024 0

     
Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled 10 0
port2 disabled
port3 disabled
port4 disabled
port5 disabled
port6 disabled
port7 disabled
port8 disabled
port9 disabled
port10 disabled
port11 disabled
port12 disabled
port13 disabled
port14 disabled
port15 disabled
port16 disabled
port17 disabled
port18 disabled
port19 disabled
port20 disabled
port21 disabled
port22 disabled
port23 disabled
port25 disabled
port26 disabled  
port27 disabled  
port28 disabled  
port29 disabled  
port30 disabled  
__FoRtI1LiNk0__ disabled  

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set loop-guard {enabled | disabled} set loop-guard-timeout <0-120 minutes>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set loop-guard enabled set loop-guard-timeout 10

end

end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set lldp-status {rx-only | tx-only | tx-rx | disable} set lldp-profile <profile name>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024

config ports edit port2 set lldp-status tx-rx set lldp-profile default

end

end

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set igmp-snooping {enable | disable} set igmps-flood-reports {enable | disable}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set igmp-snooping enable set igmps-flood-reports enable

end

end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample. l Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow collector-ip <x.x.x.x> collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number> config ports edit <port_name> set sflow-sampler <disabled | enabled> set sflow-sample-rate <0-99999> set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow collector-ip 1.2.3.4 collector-port 10

end

config switch-controller managed-switch S524DF4K15000024 config ports edit port5 set sflow-sampler enabled set sflow-sample-rate 10 set sflow-counter-interval 60

next

next

end

Configuring Dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface edit vsw.test set switch-controller-arp-inpsection <enable | disable>

end config switch-controller managed-switch edit <sn> config ports edit <VLAN_ID> arp-inspection-trust <untrusted | trusted>

next

end

next

end

Use the following CLI command to check DAI statistics for a FortiSwitch unit: diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config mirror edit <mirror_name> set status <active | inactive> set dst <port_name>

set switching-packet <enable | disable> set src-ingress <port_name> set src-egress <port_name>

next

end

next

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch edit S524DF4K15000024 config mirror edit 2 set status active set dst port1 set switching-packet enable set src-ingress port2 port3 set src-egress port4 port5

next

end next