Category Archives: FortiOS 6

FortiSwitch port security policy

FortiSwitch port security policy

To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate using the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users. Alternatively, you can specify a VLAN for users whose authentication was unsuccessful.

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This chapter covers the following topics:

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings set reauth-period < int > set max-reauth-attempt < int >

set link-down-auth < *set-unauth | no-action > end

Override the virtual domain settings

Option Description
set link-down-auth If a link is down, this command determines the authentication state. Choosing set-auth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-auth means that the interface does not need to be reauthenticated when a link is down.
set reauth-period This command sets how often reauthentication is needed. The range is 11440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthenticaion.
set max-reauth-attempt This command sets the maximum number of reauthentication attempts. The range is 1-15. the default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch edit < switch > config 802-1X-settings set local-override [ enable | *disable ] set reauth-period < int >                 // visible if override enabled set max-reauth-attempt < int >             // visible if override enabled set link-down-auth < *set-unauth | no-action >   // visible if override enabled

end

next end

Define an 802.1X

For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller> FortiSwitch Security Policies.
  2. Select Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X edit “<policy.name>” set security-mode {802.1X | 802.1X-mac-based)

set user-group <*group_name | Guest-group | SSO_Guest_Users> set mac-auth-bypass [enable | *disable] set eap-passthru [enable | disable] set guest-vlan [enable | *disable] set guest-vlan-id “guest-VLAN-name” set guest-auth-delay <integer> set auth-fail-vlan [enable | *disable] set auth-fail-vlan-id “auth-fail-VLAN-name” set radius-timeout-overwrite [enable | *disable] set policy-type 802.1X

end end

Option Description
set security-mode You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.

 

Option                                                Description
You can set a specific group name, Guest-group, or SSO_Guest_Users to set user-group

have access. This setting is mandatory.

set mac-auth-bypass           You can enable or disable MAB on this interface.
set eap-passthrough           You can enable or disable EAP pass-through mode on this interface.
set guest-vlan                You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id “guest-

You can specify the name of the guest VLAN.

VLAN-name”

set guest-auth-delay          You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.
You can enable or disable authentication fail VLAN on this interface to set auth-fail-vlan allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id    You can specify the name of the authentication fail VLAN “auth-fail-VLAN-name”
set radius-timeout- You can enable or disable whether the session timeout for the RADIUS overwrite server will overwrite the local timeout.
set policy-type 802.1X        You can set the policy type to the 802.1X security policy.

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch edit <managed-switch> config ports

edit <port> set port-security-policy <802.1X-policy>

Test 802.1x authentication with monitor mode

next

end

next

end

Test 802.1x authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X edit “<policy_name>” set open-auth {enable | disable}

next

end

Restrict the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN> config ports edit <port_name> set discard-mode <none | all-tagged | all-untagged>

next

next

end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

l START—The FortiSwitch has been successfully authenticated, and the session has started. l STOP—The FortiSwitch session has ended. l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command. l ON—FortiSwitch will send this message when the switch is turned on. l OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units: config user radius

edit <RADIUS_server_name> set acct-interim-interval <seconds> config accounting-server edit <entry_ID> set status {enable | disable} set server <server_IP_address> set secret <secret_key> set port <port_number>

next

end

next end

Configuring ports using the FortiGate CLI

Configuring ports using the FortiGate CLI

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch edit <switch> config ports edit <port> set description <text> set speed <speed> set status {down | up}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set description “First port” set speed auto set status up

end

end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.

 

  1. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global

set default-virtual-switch-vlan <VLAN>

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  1. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool edit <VPP_name> description <string>

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool edit “pool3” description “pool for port3”

next

end

  1. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch edit <switch.id> config ports edit <port_name> set {export-to-pool <VPP_name> | export-to <VDOM_name>} set export-tags <string1,string2,string3,…>

next

end

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to-pool “pool3” set export-tags “Pool 3”

next

end

next end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to “vdom3” set export-tags “VDOM 3”

next

end

next

end

  1. Request a port in a VPP: execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  1. Return a port to a VPP: execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example: execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP: execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents: execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features: l LLDP

  • 1x l STP l BPDU guard l Root guard l DHCP snooping l IGMP snooping l QoS
  • Port security l MCLAG

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan edit <integer> set switch-controller-learning-limit <limit>

end

end

For example:

config switch vlan edit 100 set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config ports edit <port> set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set learning-limit 50

next

end

end

end

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global set mac-aging-interval <10 to 1000000> end

For example:

config switch-controller global set mac-aging-interval 500

end

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are save:

config switch-controller global set mac-violation-timer <0-1500>

set log-mac-limit-violations {enable | disable}

end

For example:

config switch-controller global set mac-violation-timer 1000 set log-mac-limit-violations enable

end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller dump mac-limit-violations all <FortiSwitch_serial_ number>
  • diagnose switch-controller dump mac-limit-violations interface <FortiSwitch_ serial_number> <port_name>
  • diagnose switch-controller dump mac-limit-violations vlan <FortiSwitch_serial_ number> <VLAN_ID>

For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit: diagnose switch-controller dump mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_ number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_ number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_ serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set dhcp-snooping {trusted | untrusted}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set dhcp-snooping trusted

end

end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set poe-status {enable | disable}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set poe-status enable

end

end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status get switch-controller <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6

Port(6) Power:3.90W, Power-Status: Delivering Power

Power-Up Mode: Normal Mode

Remote Power Device Type: IEEE802.3AT PD

Power Class: 4

Defined Max Power: 30.0W, Priority:3

Voltage: 54.00V

Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch edit <switch> config ports edit <port> set edge-port {enable | disable}

end end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set edge-port enable

end

end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings on page 71.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set stp-state {enabled | disabled} end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command: diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0    
MST Instance Information, primary-Channel:

Instance ID :     0

Switch Priority : 24576

Root MAC Address :       085b0ef195e4

Root Priority:      24576

Root Pathcost:      0

Regional Root MAC Address :      085b0ef195e4

     
Regional Root Priority: 24576          
Regional Root Path Cost: Remaining Hops:  20 0          
This Bridge MAC Address : This bridge is the root 085b0ef195e4          
Port

Protection

Speed Cost Priority Role State Edge STP-Status Loop
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1 200000000 128 DISABLED DISCARDING YES ENABLED NO
port2 200000000 128 DISABLED DISCARDING YES ENABLED NO
port3 200000000 128 DISABLED DISCARDING YES ENABLED NO
port4 200000000 128 DISABLED DISCARDING YES ENABLED NO
port5 200000000 128 DISABLED DISCARDING YES ENABLED NO
port6 200000000 128 DISABLED DISCARDING YES ENABLED NO
port7 200000000 128 DISABLED DISCARDING YES ENABLED NO
port8 200000000 128 DISABLED DISCARDING YES ENABLED NO
port9 200000000 128 DISABLED DISCARDING YES ENABLED NO
port10 200000000 128 DISABLED DISCARDING YES ENABLED NO
port11 200000000 128 DISABLED DISCARDING YES ENABLED NO
port12 200000000 128 DISABLED DISCARDING YES ENABLED NO
port13 200000000 128 DISABLED DISCARDING YES ENABLED NO
port14 200000000 128 DISABLED DISCARDING YES ENABLED NO
port15 200000000 128 DISABLED DISCARDING YES ENABLED NO
port16 200000000 128 DISABLED DISCARDING YES ENABLED NO
port17 200000000 128 DISABLED DISCARDING YES ENABLED NO
port18 200000000 128 DISABLED DISCARDING YES ENABLED NO
port19 200000000 128 DISABLED DISCARDING YES ENABLED NO
port20 200000000 128 DISABLED DISCARDING YES ENABLED NO
port21 200000000 128 DISABLED DISCARDING YES ENABLED NO
port22 200000000 128 DISABLED DISCARDING YES ENABLED NO
port23 200000000 128 DISABLED DISCARDING YES ENABLED NO
port25 200000000 128 DISABLED DISCARDING YES ENABLED NO
port26 200000000 128 DISABLED DISCARDING YES ENABLED NO
port27 200000000 128 DISABLED DISCARDING YES ENABLED NO
port28 200000000 128 DISABLED DISCARDING YES ENABLED NO
port29 200000000 128 DISABLED DISCARDING YES ENABLED NO  
port30 200000000 128 DISABLED DISCARDING YES ENABLED NO  
internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO  
__FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO  

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:

l You must define the port as an edge port with the set edge-port enable command. l You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch edit <switch-id>

config ports edit <port name> set stp-bpdu-guard {enabled | disabled} set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set stp-bpdu-guard enabled set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command: diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status
S524DF4K15000024

Managed Switch : S524DF4K15000024 0

     
Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled 10 0
port2 disabled
port3 disabled
port4 disabled
port5 disabled
port6 disabled
port7 disabled
port8 disabled
port9 disabled
port10 disabled
port11 disabled
port12 disabled
port13 disabled
port14 disabled
port15 disabled
port16 disabled
port17 disabled
port18 disabled
port19 disabled
port20 disabled
port21 disabled
port22 disabled
port23 disabled
port25 disabled
port26 disabled  
port27 disabled  
port28 disabled  
port29 disabled  
port30 disabled  
__FoRtI1LiNk0__ disabled  

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set loop-guard {enabled | disabled} set loop-guard-timeout <0-120 minutes>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port1 set loop-guard enabled set loop-guard-timeout 10

end

end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set lldp-status {rx-only | tx-only | tx-rx | disable} set lldp-profile <profile name>

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024

config ports edit port2 set lldp-status tx-rx set lldp-profile default

end

end

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch edit <switch-id> config ports edit <port name> set igmp-snooping {enable | disable} set igmps-flood-reports {enable | disable}

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set igmp-snooping enable set igmps-flood-reports enable

end

end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample. l Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow collector-ip <x.x.x.x> collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number> config ports edit <port_name> set sflow-sampler <disabled | enabled> set sflow-sample-rate <0-99999> set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow collector-ip 1.2.3.4 collector-port 10

end

config switch-controller managed-switch S524DF4K15000024 config ports edit port5 set sflow-sampler enabled set sflow-sample-rate 10 set sflow-counter-interval 60

next

next

end

Configuring Dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface edit vsw.test set switch-controller-arp-inpsection <enable | disable>

end config switch-controller managed-switch edit <sn> config ports edit <VLAN_ID> arp-inspection-trust <untrusted | trusted>

next

end

next

end

Use the following CLI command to check DAI statistics for a FortiSwitch unit: diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config mirror edit <mirror_name> set status <active | inactive> set dst <port_name>

set switching-packet <enable | disable> set src-ingress <port_name> set src-egress <port_name>

next

end

next

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch edit S524DF4K15000024 config mirror edit 2 set status active set dst port1 set switching-packet enable set src-ingress port2 port3 set src-egress port4 port5

next

end next

 

FortiSwitch port features

FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller> FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 524D-FPOE:

The switch faceplate displays:

  • active ports (green) l PoE-enabled ports (blue rectangle) l FortiLink port (link icon)

PoE Status displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:

GUI

Each entry in the port list displays the following information:

  • Port status (red for down, green for up) l Port name l Native VLAN l Allowed VLANs l Device information l PoE status
  • Bytes sent and received by the port

Configuring ports using the GUI

You can use the WiFi & Switch Controller> FortiSwitch Ports page to do the following with FortiSwitch switch ports:

l Set the native VLAN and add more VLANs l Edit the description of the port l Enable or disable the port l Enable or disable PoE for the port l Enable or disable DHCP blocking (if supported by the port) l Enable or disable IGMP snooping (if supported by the port) l Enable or disable whether a port is an edge port l Enable or disable STP (if supported by the port) l Enable or disable loop guard (if supported by the port) l Enable or disable STP BPDU guard (if supported by the port) l Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

FortiSwitch features configuration

FortiSwitch features configuration

Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 14095) to each of the VLANs.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

FortiSwitch VLANs display

The WiFi & Switch Controller> FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information: l Name—name of the VLAN l VLAN ID—the VLAN number

l IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN l Access—administrative access settings for the VLAN l Ref—number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents direct client-toclient traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client’s network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface edit <VLAN name> set switch-controller-access-vlan {enable | disable}

next

end

NOTE: You must configure the proxy ARP with the config system proxy-arp CLI command to be able to use the access VLANs. For example:

config system proxy-arp edit 1 set interface “V100” set ip 1.1.1.1 set end-ip 1.1.1.200

next

end

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI. Using the Web administration GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller> FortiSwitch VLANS, select Create New, and change the following settings:
Interface Name VLAN name
VLAN ID Enter a number (1-4094)
Color Choose a unique color for each VLAN, for ease of visual display.
IP/Network Mask IP address and network mask for this VLAN.
  1. Enable DHCP Server and set the IP range.
  2. Set the Admission Control options as required.
  3. Select OK.

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Click the desired port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

config system interface edit <vlan name> set vlanid <1-4094> set color <1-32>

set interface <FortiLink-enabled interface>

end

  1. Set the VLAN’s IP address.

config system interface edit <vlan name> set ip <IP address> <Network mask> end

Configure IGMP settings

  1. Enable a DHCP Server.

config system dhcp server edit 1 set default-gateway <IP address> set dns-service default set interface <vlan name> config ip-range set start-ip <IP address> set end-ip <IP address>

end

set netmask <Network mask>

end

  1. Assign ports to the VLAN.

config switch-controller managed-switch edit <Switch ID> config ports edit <port name> set vlan <vlan name> set allowed-vlans <vlan name> or

set allowed-vlans-all enable

next

end

end

Assign untagged VLANs to a managed FortiSwitch port:

config switch-controller managed-switch edit <managed-switch> config ports edit <port> set untagged-vlans <VLAN-name>

next

end

next

end

Configure IGMP settings

Use the following command to configure the global IGMP settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

config switch-controller igmp-snooping set aging-time <15-3600>

set flood-unknown-multicast {enable | disable} end

LLDP-MED

Configure LLDP-MED

To configure LLDP profiles:

config switch-controller lldp-profile

edit <profile number>

set 802.1-tlvs port-vlan-id set 802.3-tlvs max-frame-size set auto-isl {enable | disable} set auto-isl-hello-timer <1-30> set auto-isl-port-group <0-9> set auto-isl-receive-timeout <3-90> set med-tlvs (inventory-management | network-policy)

end

To configure LLDP settings:

config switch-controller lldp-settings

set status < enable | disable >

set tx-hold <int> set tx-interval <int> set fast-start-interval <int>

set management-interface {internal | management}

end

Variable Description
status Enable or disable
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for txhold is 1 to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds.

Set this variable to zero to disable fast start.

management-interface Primary management interface to be advertised in LLDP and CDP PDUs.

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch

edit <fsw> set switch-device-tag <string>

Configure LLDP-MED

end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile edit <lldp-profle> config med-network-policy edit guest-voice set status {disable | enable}

next

edit guest-voice-signaling set status {disable | enable}

next

edit guest-voice-signaling set status {disable | enable}

next

edit softphone-voice set status {disable | enable}

next

edit streaming-video set status {disable | enable}

next

edit video-conferencing set status {disable | enable}

next

edit video-signaling set status {disable | enable}

next edit voice set status {disable | enable}

next

edit voice-signaling set status {disable | enable}

end

config custom-tlvs edit <name> set oui <identifier> set subtype <subtype> set information-string <string>

end

end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller dump lldp stats <switch> <port> diagnose switch-controller dump lldp neighbors-summary <switch> diagnose switch-controller dump lldp neighbors-detail <switch>

the MAC sync interval

Configure the MAC sync interval

Use the following commands to configure the global MAC synch interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings set mac-sync-interval <30-600>

end

Configure STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following CLI commands for global STP configuration. This configuration applies to all managed FortiSwitch units:

config switch-controller stp-settings set name <name> set revision <stp revision> set hello-time <hello time> set forward-time <forwarding delay> set max-age <maximum aging time> set max-hops <maximum number of hops>

end

You can override the global STP settings for a FortiSwitch unit using the following commands:

config switch-controller managed-switch edit <switch-id> config stp-settings set local-override enable

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit.

Quarantined MAC addresses are isolated from the rest of the network and LAN by using a separate VLAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

 

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

config user quarantine set quarantine enable config targets edit <quarantine_entry_name> set description <string> config macs edit <MAC_address_1> next

edit <MAC_address_2> next

edit <MAC_address_3> next

end end

Quarantines

end

Option Description
quarantine_entry_name A name for this quarantine entry.
string Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_ address_2, MAC_address_3 A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

For example:

config user quarantine set quarantine enable config targets edit quarantine1 config macs set description “infected by virus”

edit 00:00:00:aa:bb:cc next

edit 00:11:22:33:44:55 next

edit 00:01:02:03:04:05 next

end

end

end

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor> Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses: show user quarantine

For example: show user quarantine config user quarantine

set quarantine enable config targets edit quarantine1 config macs set description “infected by virus”

edit 00:00:00:aa:bb:cc next

edit 00:11:22:33:44:55 next

edit 00:01:02:03:04:05 next

end

end

end

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_ name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN: show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface edit “qtn.port7” set vdom “vdom1” set ip 10.254.254.254 255.255.255.0 set description “Quarantine VLAN” set security-mode captive-portal

set replacemsg-override-group “auth-intf-qtn.port7” set device-identification enable set device-identification-active-scan enable set snmp-index 34

set switch-controller-access-vlan enable

set color 6 set interface “port7” set vlanid 4093

next

end

Use the following commands to view the quarantine DHCP server:

show system dhcp server config system dhcp server

edit 2 set dns-service default set default-gateway 10.254.254.254 set netmask 255.255.255.0 set interface “qtn.port7” config ip-range

edit 1 set start-ip 10.254.254.192 set end-ip 10.254.254.253 next

Quarantines

end

set timezone-option default

next

end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports: show switch-controller managed-switch

For example: show switch-controller managed-switch

config switch-controller managed-switch edit “FS1D483Z15000036” set fsw-wan1-peer “port7” set fsw-wan1-admin enable set version 1 set dynamic-capability 503 config ports edit “port1” set vlan “vsw.port7” set allowed-vlans “qtn.port7” set untagged-vlans “qtn.port7”

next edit “port2” set vlan “vsw.port7” set allowed-vlans “qtn.port7” set untagged-vlans “qtn.port7”

next edit “port3” set vlan “vsw.port7” set allowed-vlans “qtn.port7” set untagged-vlans “qtn.port7”

next …

end

end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor> Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine config targets edit <quarantine_entry_name> config macs delete <MAC_address_1>

end

end

end

To delete all MAC addresses in a quarantine entry:

config user quarantine config targets delete <quarantine_entry_name>

end

end

To disable the quarantine feature:

config user quarantine set quarantine disable end

Limiting the number of parallel process for FortiSwitch configuration

Limiting the number of parallel process for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel process that the switch controller uses for configuring FortiSwitch units:

config global

config switch-controller system

set parallel-process-override enable

set parallel-process <1-300>

end end

Enabling network-assisted device detection

Enabling network-assisted device detection

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings set network-monitoring enable

end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command: diagnose user device list

Changing the admin password on the FortiGate for all managed FortiSwitch units

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile edit default

set login-passwd-override {enable | disable} set login-passwd <password>

next

end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:

config switch-controller switch-profile edit default set login-passwd-override enable unset login-passwd

next

end

Converting to FortiSwitch standalone mode

Converting to FortiSwitch standalone mode

Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>

This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:

execute switch-controller factory-reset S1234567890

  • execute switch-controller set-standalone <switch-id>

This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example: execute switch-controller set-standalone S1234567890

You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:

config switch-controller global set disable-discovery <switch-id>

end

For example:

config switch-controller global set disable-discovery S1234567890

end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:

config switch-controller global append disable-discovery <switch-id> unselect disable-discovery <switch-id>

end

For example:

config switch-controller global append disable-discovery S012345678 unselect disable-discovery S1234567890

end