Category Archives: FortiOS 6

Best Practices – Firmware

Firmware

Firmware upgrading and downgrading sounds pretty simple, anyone can do it, right? The mark of a professional is not that they can do something correctly, or even do it correctly over and over again. A professional works in such a way that, if anything goes wrong they are prepared and able to quickly get things back to normal. Firmware updates can go wrong just like anything else. So a real professional does things in a way that minimizes their risk and follows some best practices, as listed below.

Firmware change management

Consider the following five points when performing firmware upgrades, not only in FortiOS but in general. This applies to pretty much any change you have to do in a production environment.

Understanding the new version first

Before attempting any changes in production, first make sure you set up a laboratory where you can freely play with the new features, and understand them with enough time and no pressure. Read the Release Notes, Manuals, and other documentation like presentations, videos, or podcasts about the new version.

You are ready to explain the need for an upgrade once you understand:

l The differences and the enhancements between the new version and the previous version(s). l The impact of the upgrade on customers and the users of the operating platform. l The known limitations that might affect your environment. l The potential risks when performing the upgrade. l The licensing changes that may apply.

Have a valid reason to upgrade

The reason can NOT be “Because I want to have the latest version”. The reason has to be explained in terms of business, technical, and/or operational improvement.

Affirmative answers to the following questions are valid reasons to upgrade:

  • Does the new version have a feature that helps to ensure compliance?
  • Does the new version have an enhancement that allows 40% decrease (40% improvement) on the time to perform a certain operation?
  • Does the new feature correct a known defect/bug found on a previous version that affects the company business/operations?
  • Will the new version allow your organization to deploy new services that will help to gain new customers or increase Firmware change management

loyalty of existing ones? l Is the vendor cutting support for the version your organization is currently using?

If the best reason to upgrade is “Because the new features seem to be cool” or “Because I want to have the latest version”, a little more understanding and planning may be necessary.

Prepare an upgrade plan

If you choose to upgrade because you found a valid reason to do so, make sure you create a plan that covers business, technical, and operational aspects of the upgrade:

Business:

Proper planning and justification for an upgrade should be proportional to how critical the system is to the business.

  • Make sure you can clearly articulate the benefits of the upgrade in business terms (time, money, and efficiency). l Understand the business processes that will be affected by the change.
  • Make sure the upgrade maintenance window is not close to a business-critical process (such as quarterly or monthly business closure).
  • Obtain executive and operational approval for the maintenance window. The approval must come from the owners of ALL the systems/information affected by the upgrade, not only from those that own the system being upgraded.

The approval must be done in a formal (written or e-mail) form.

Technical and operational:

  • Re-read the Release Notes for the technology you are upgrading. Supported hardware models, upgrade paths, and known limitations should be clearly understood.
  • Make sure your upgrade maintenance window does not overlap with any other maintenance window on your infrastructure.
  • If you have any premium support offer (such as TAM, Premium Support), do a capacity planning exercise to ensure the new firmware/software version does not take more hardware resources than you currently have.
  • Create a backup, whether or not you have scheduled backups. Create a new fresh backup. l Obtain offline copies of both the currently installed firmware and the new version.
  • Create a list of systems with inter-dependencies to the system you are upgrading. For example, if you are upgrading a FortiGate; understand the impact on any FortiAP, FortiAuthenticator, FortiToken, FortiManager, or FortiAnalyzer you have on your environment. l Ensure you have a list of adjacent devices to the upgrading platform and have administrative access to them, just in case you need to do some troubleshooting. Are you upgrading FortiWeb? Make sure you can administratively access the Web Applications. Are you upgrading a FortiGate? Make sure you can administratively access the surrounding switches and routers.
  • Have a step-by-step plan on how to perform and test the upgrade. You want to make sure you think of the worst situation before it happens, and have predefined courses of action, instead of thinking under pressure when something already went wrong.
  • Define a set of tests (that include critical business applications that should be working) to make sure the upgrade went fine. If any test does not go well, define which ones mandate a rollback and which ones can be tolerated for further troubleshooting. This set of tests should be run before and after the upgrade to compare results, and they should be the same.

Firmware change management

  • Define a clear rollback plan. If something goes wrong with the upgrade or the tests, the rollback plan will help you get your environment back to a known and operational status. The plan must clearly state the conditions under which the rollback will be started.
  • Declare configuration freezes. A little bit before and after the upgrade. The idea is to reduce the amount of variables to take into consideration if something goes wrong.
  • Perform a “Quality Assurance” upgrade. Grab a copy of the production configuration, load it on a non-production box and execute the upgrade there to see if there are any issues on the process. Then adjust your plan according to the results you obtained.
  • Have a list of information elements to be gathered if something goes wrong. This ensures that, even if the upgrade fails, you will collect enough information so you can troubleshoot the issue without needing to repeat the problem. Get help from TAC/Support departments if you need to check what else could be missing on your list.
  • Define a test monitoring period after the change was completed. Even if the upgrade went smoothly, something could still go wrong. Make sure you monitor the upgraded system for at least one business cycle. Business cycles may be a week, a month, or a quarter, depending on your organization’s business priorities.

Execute the upgrade plan

Execution of an upgrade is just as key as planning.

Once you are performing the upgrade, the pressure will rise and stress might peak. This is why you should stick to the plan you created with a cool head.

Resist the temptation to take decisions while performing the upgrade, as your judgment will be clouded by the stress of the moment, even if a new decision seems to be “obvious” at such time. If your plan says you should rollback, then execute the rollback despite the potential “We-can-fix-this-very-quickly” mentality.

While performing the upgrade, make sure all the involved components are permanently monitored before, during, and after the upgrade, either via monitoring systems, SNMP alerts, or at least with tools like a ping. Critical resources like CPU, memory, network, and/or disk utilization must also be constantly monitored.

To avoid misunderstandings, when performing the tests for each critical application defined on the planning, make sure there are formal notifications on the results for each user area, service, system, and/or application tested.

Regardless if you have to rollback or not, if a problem occurs, make sure you gather as much information about the problem as possible, so you can later place a support ticket to find a solution.

Last but not least, document the upgrade:

  • Enable your terminal emulation program to leave trace of all the commands executed and all the output generated. If you are performing steps via GUI, consider using a video capture tool to document it. l Document any command or change performed over the adjacent/interdependent systems. Make sure they are acknowledged by the relevant administrators
  • Document any deviations performed over the upgrade plan. This is planned-versus-actual.

Learn more about change management

Change Management and Change Control are huge knowledge areas in the field of Information Systems and Computer/Network Security.

This document is by no means a comprehensive list on what you should do when performing an upgrade, with either Fortinet or any other technology. It is merely a list of important things you should take into consideration Performing a firmware upgrade

when performing upgrades which are the result of years of experience dealing with changes on critical environments, as it is common that security devices are protecting critical applications and processes.

There are vast resources on the topic: books, public white papers, blog entries, etc. If you search the Internet for the “Change Control Best Practices” or “Change Management Best Practices” you will get many interesting documents.

Best Practices – Environmental Specifications

Environmental specifications

Keep the following environmental specifications in mind when installing and setting up your FortiGate unit.

  • Operating temperature: 32 to 104°F (0 to 40°C). Temperatures may vary, depending on the FortiGate model.
  • If you install the FortiGate unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature.

Therefore, make sure to install the equipment in an environment compatible with the manufacturer’s maximum rated ambient temperature.

  • Storage temperature: -13 to 158°F (-25 to 70°C). Temperatures may vary, depending on the FortiGate model. l Humidity: 5 to 90% non-condensing.
  • Air flow – For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised.
  • For free-standing installation, make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Depending on your device, the FortiGate may generate, use, and even radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

  • Reorient or relocate the receiving antenna. l Increase the separation between the equipment and receiver.
  • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. l Consult the dealer or an experienced radio/TV technician for help.

Explosion is a serious risk if the battery is replaced by an incorrect type. Dispose of used batteries according to the instructions. To reduce the risk of fire, use only No. 26 AWG or larger UL Listed or CSA Certified Telecommunication Line Cord.

Grounding

  • Ensure the FortiGate unit is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
  • Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
  • Do not connect or disconnect cables during lightning activity to avoid damage to the FortiGate unit or personal injury.

Rack mounting                                                                                                             Environmental specifications

Rack mounting

  • Elevated Operating Ambient – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient.

Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tmax) specified by the manufacturer.

  • Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
  • Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
  • Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern. l Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained.

Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).

 

Firmware change management

Best Practices For Firewall Migration

Migration

Network administrators are often reluctant to change firewall vendors due to the perception that the migration process is difficult. Indeed, there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential pain of migration should not stand in the way of adopting new security technologies. The purpose of this chapter is to describe the best practices for performing such migrations and ultimately to ease the migration process itself.

Information gathering

It is always best practice to perform a full network audit prior to any migration. This should include:

  • Full back up of all security systems (including switches, routers) in case a back-out needs to be performed. l Physical and logical network diagram with visual audit

Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid mistakes and unnecessary downtime during the upgrade. Don’t overlook simple things such as:

  • Do I have enough spare interfaces on my switches? l Do I have the right fiber (single/multi mode) and right connectors (LC, FC, MTRJ, SC, ST)?
  • Do I have spare cables? (in the heat of the moment, it is a simple mistake to break an RJ-45 connector or damage a fiber) l Do I have space in the rack for the new equipment? l Do I have enough power sockets?

No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually checking where the device sits in the network in relation to other devices will ensure you are maintaining security and verify the network diagram is ‘as built’. Details of all networks including subnet masks should be documented at this point to ensure that the replacement device is configured with the correct information.

Object and policy migration

Whilst we have suggested some level of manual review is included in the policy migration, it can be useful to be able to automatically migrate simply between another vendor’s format and the FortiGate format. The FortiGate policy format is text based and can easily be cut and pasted into from other vendor formats however, responding to the high customer demand to migrate away from other vendors, Fortinet have released an automatic configuration migration tool at http://convert.fortinet.com to simplify this process. Supporting Cisco ACLs, PIX, ASA, Check Point, and Juniper, the Converter can securely upload and convert the policy into the Fortinet format.

Testing and validation

This is an important process and should be tested offline first wherever possible i.e. configure the policy in the lab or on a test network and verify that the required access permissions are being implemented. To really test the Going live and obtaining feedback       Migration

solution out, the FortiGate can be implemented on the live network with a different gateway IP and the selected user pointed to the new gateway. This allows a staged approach to migrating the new platform into the network ensuring that the process does not interrupt day to day operations.

Going live and obtaining feedback

If testing and validation is successful at this point, you can migrate to the new firewall either by switching IP’s and removing the old devices or by changing the default gateway in DHCP. Once the firewall is in place, acceptance testing will of course need to be carried out and an iterative process of tuning undertaken to finalize the configuration.

Adding new services

The Fortinet solution will have a plethora of additional features compared to your previous vendor and it is very tempting to start switching them on but it is a good idea to wait and validate the new firewall as was previously configured before adding new functions as this simplifies testing and problem diagnosis. Finally complete the migration (don’t forget about the Plan Do Check Act Cycle) by adding any new services that were requested and learn about the multiple features you have available with the FortiGate appliance.

Environmental specifications                                                                                                                   Grounding

Best Practices – Shutting Down

Shutting down

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potentially catastrophic hardware problems.

To power off the FortiGate unit – web-based manager:

  1. Go to Dashboard.
  2. In the System Resources widget, select Shutdown.

To power off the FortiGate unit – CLI:

execute shutdown

Once this has been done, you can safely turn off the power switch or disconnect the power cables from the power supply.

Best Practices – Performance

Performance

  • Disable any management features you do not need. If you don’t need SSH or SNMP, disable them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate unit.
  • Put the most used firewall rules to the top of the interface list.
  • Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows down performance. l Enable only the required application inspections.
  • Keep alert systems to a minimum. If you send logs to a syslog server, you may not need SNMP or email alerts, making for redundant processing.
  • Establish scheduled FortiGuard updates at a reasonable rate. Daily updates occurring every 4-5 hours are sufficient for most situations. In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.
  • Keep security profiles to a minimum. If you do not need a profile on a firewall rule, do not include it. l Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible. l Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows down traffic.

Best Practices – General Considerations

General Considerations

  1. For security purposes, NAT mode is preferred because all of the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.
  2. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs will partition networks and create added security by limiting the scope of threats.
  3. Use Transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

Managed FortiSwitch Troubleshooting

Troubleshooting

Troubleshooting FortiLink issues

If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following troubleshooting checks.

Check the FortiGate configuration

To use the FortiGate GUI to check the FortiLink interface configuration:

  1. In Network > Interfaces, double-click the interface used for FortiLink.
  2. Ensure that Dedicated to FortiSwitch is set for this interface.

To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:

  1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list:

show system ntp

  1. Ensure that the DHCP server on the Fortilink interface is configured correctly:

show system dhcp

Check the FortiSwitch configuration

To use FortiSwitch CLI commands to check the FortiSwitch configuration:

  1. Verify that the switch system time matches the time on the FortiGate:

get system status

  1. Verify that FortiGate has sent an IP address to the FortiSwitch (anticipate an IP address in the range 169.254.x.x):

get system interfaces

  1. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

To use FortiGate CLI commands to check the FortiSwitch configuration:

  1. Verify that the connections from the FortiGate to the FortiSwitch units are up:

exec switch-controller get-conn-status

  1. Verify that ports for a specific FortiSwitch stack are connected to the correct locations:

exec switch-controller get-physical-conn <FortiSwitch-Stack-ID>

  1. Verify that all the ports for a specific FortiSwitch are up:

exec switch-controller get-conn-status <FortiSwitch-device-ID>

Check FortiSwitch connections

Use the following CLI command for detailed diagnostic information on the managed FortiSwitch connections: execute switch-controller diagnose-connection <FortiSwitch_serial_number>

If the FortiSwitch serial number is omitted, only the FortiLink configuration is checked.

Additional capabilities

Additional capabilities

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command edit <cmd-name> set command ” <FortiSwitch commands>”

Next, create a command file to set the STP max-age parameter:

config switch-controller custom-command edit “stp-age-10” set command “config switch stp setting set max-age 10

end

” next

end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch: exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

# exec switch-controller custom-command stp-age-10 S124DP3X15000118

View and upgrade the FortiSwitch firmware version

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.

The Upgrade FortiSwitches page opens.

  1. Select FortiGuard or select Upload and then select the firmware file to upload.

If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.

  1. Select Upgrade.

Using the CLI

Use the following command to display the latest version: diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image: diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D FS224D – 3.4.2 b192 03004000FIMG0900904002FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002

Download image-03004000FIMG0900904002:

################################################################################ Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global set https-image-push enable end

FortiSwitch log export

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example: execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller restart-swtp-delayed ALL

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to “fortiswitch-syslog” for each entry.

The following is the CLI command syntax:

config switch-controller switch-log set status (*enable | disable)

set severity [emergency | alert | critical | error | warning | notification |

*information | debug] end

You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch edit <switch-id> config switch-log set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices: diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG.

config switch-controller managed-switch edit <switch-id> config ports it <trunk name> set type trunk

set mode < static | lacp > Link Aggregation mode set bundle (enable | disable) set min-bundle <int> set max-bundle <int> set members < port1 port2 …>

next

end

end

end

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG on page 48 and Standalone FortiGate unit with dual-homed FortiSwitch access on page 49. Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported. l There is a maximum of two FortiSwitch models per MCLAG. l The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch unis:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk edit “LAG-member” set mode lacp-active set mclag-icl enable set members “<port>” “<port>”

next

  1. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch edit “<switch-id>” config ports edit “<trunk name>”

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

set type trunk

set mode {static | lacp-passive | lacp-active} set bundle {enable | disable} set members “<port>,<port>” set mclag {enable | disable}

next

end

next

  1. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller storm-control set rate <rate> set unknown-unicast (enable | disable) set unknown-multicast (enable | disable) set broadcast (enable | disable)

end

You can override the global storm control settings for a FortiSwitch using the following commands:

config switch-controller managed-switch edit <switch-id> config storm-control set local-override enable

At this point, you can configure the storm control settings that apply to this specific switch.

Displaying port statistics

Port statistics will be accessed using the following FortiSwitch CLI command:

FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8 S124DP3X16000413 0 :

{

“port8”:{

“tx-bytes”:823526672,

“tx-packets”:1402390,

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

“tx-ucast”:49047,

“tx-mcast”:804545,

“tx-bcast”:548798,

“tx-errors”:0,

“tx-drops”:3,

“tx-oversize”:0,

“rx-bytes”:13941793,

“rx-packets”:160303,

“rx-ucast”:148652,

“rx-mcast”:7509,

“rx-bcast”:4142,

“rx-errors”:0,

“rx-drops”:720,

“rx-oversize”:0,

“undersize”:0,

“fragments”:0,

“jabbers”:0,

“collisions”:0,

“crc-alignments”:0,

“l3packets”:0

}

}

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports. The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port. l Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitch units:

  1. Configure a Dot1p map.

A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

config switch-controller qos dot1p-map edit <Dot1p map name> set description <text> set priority-0 <queue number> set priority-1 <queue number> set priority-2 <queue number>

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

set priority-3 <queue number> set priority-4 <queue number> set priority-5 <queue number> set priority-6 <queue number> set priority-7 <queue number>

next

end

  1. Configure a DSCP map.

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices: o network-control—Network control o internetwork-control—Internetwork control o critic-ecp—Critic and emergency call processing (ECP) o flashoverride—Flash override o flash—Flash o immediate—Immediate

o priority—Priority o routine—Routine

config switch-controller qos ip-dscp-map edit <DSCP map name> set description <text> configure map <map_name> edit <entry name> set cos-queue <COS queue number>

set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF |

CS6 | CS7} set ip-precedence {network-control | internetwork-control | critic-ecp

| flashoverride | flash | immediate | priority | routine} set value <DSCP raw value>

next

end

end

  1. Configure the egress QoS policy.

In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:

  • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
  • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
  • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

config switch-controller qos queue-policy edit <QoS egress policy name> set schedule {strict | round-robin | weighted} config cos-queue

Synchronizing the FortiGate unit with the managed FortiSwitch units

edit [queue-<number>] set description <text> set min-rate <rate in kbps> set max-rate <rate in kbps>

set drop-policy {taildrop | random-early-detection} set weight <weight value>

next

end

next

end

  1. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy edit <QoS egress policy name> set default-cos <default CoS value 0-7> set trust-dot1p-map <Dot1p map name> set trust-ip-dscp-map <DSCP map name> set queue-policy <queue policy name>

next

end

Configure each switch port.

config switch-controller managed-switch edit <switch-id> config ports edit <port> set qos-policy <CoS policy>

next

end

next

end

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number> execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Replacing a managed FortiSwitch unit

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM: execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                               STATUS CONFIG             MAC-SYNC          UPGRADE

FS1D243Z14000173                           Up       Idle               Idle               Idle

S124DP3X16006228 (Desktop-Switch)       Up       Idle               Idle               Idle

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE: Both FortiSwitch units must be of the same model. The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.

To replace a managed FortiSwitch unit:

  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version on page 100.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller> Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

config vdom edit <VDOM_name> execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

For example:

config vdom edit vdom_new execute replace-device fortiswitch fortiswitch S124DN3W16002025 S124DN3W16002026

If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

Replacing a managed FortiSwitch unit

execute replace-device fortiswitch <failed_FortiSwitch_serial_number>

<replacement_FortiSwitch_serial_number>

An error is returned if the replacement FortiSwitch unit is authorized.