FortiView (5.6.1)

New FortiView features added to FortiOS 5.6.1.

FortiView Dashboard Widget (434179)

A new widget type has been added to the FortiGate Dashboard, that displays compact FortiView data. Supported

FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, Admin, and System. All usual visualizations are supported.

Widgets can be saved directly to the Dashboard from a filtered page in FortiView, or configured in the CLI.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ”, and “Traffic from WAN.” For greater compatibility and troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information have been added to general log data in 5.6.1: srcintfrole and dstintfrole for better backend control and monitoring.

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6)

New managed FortiSwitch features added to FortiOS 5.6 if the FortiSwitch is running FortiSwitch OS 3.6.0.

IGMP snooping (387515)

The GUI and CLI support the ability to configure IGMP snooping for managed switch ports.

To enable IGMP snooping from the GUI, go to WiFi & Switch Controller > FortiSwitch VLANs, edit a VLAN and turn on IGMP Snooping under Networked Devices.

From the CLI, start by enabling IGMP snooping on the FortiGate:

config switch-controller igmp-snooping set aging-time <int>

set flood-unknown-multicast (enable | disable)

end

Then enable IGMP snooping on a VLAN:

config system interface edit <vlan> set switch-controller-igmp-snooping (enable | disable)

end

Use the following command to enable IGMP snooping on switch ports, and to override the global parameters for a specific switch.

config switch-controller managed-switch edit <switch> config ports edit port <number> set igmp-snooping (enable | disable) set igmps-flood-reports (enable | disable)

next

config igmp-snooping globals set aging-time <int>

set flood-unknown-multicast (enable | disable)

end

next

end

User-port link aggregation groups (378470)

The GUI now supports the ability to configure user port LAGs on managed FortiSwitches.

To create a link aggregation group for FortiSwitch user ports:

5.6)

1. Go to WiFi & Switch Controller > FortiSwitch Ports

2. Click Create New > Trunk.
3. In the New Trunk Group page:
   1. Enter a name for the trunk group
   2. Select two or more physical ports to add to the trunk group
   3. Select the mode: Static, Passive LACP, or Active LACP
4. Click OK.

DHCP blocking, STP, and loop guard on managed FortiSwitch ports (375860)

The managed FortiSwitch GUI now supports the ability to enable/disable DHCP blocking, STP and loop guard for FortiSwitch user ports.

Go to to WiFi & Switch Controller > FortiSwitch Ports. For any port you can select DHCP Blocking, STP, or Loop Guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

Switch profile enhancements (387398)

Defaults switch profiles are bound to every switch discovered by the FortiGate. This means that an administrator can establish a password for this profile or create a new profile and bind that profile to any switch. Consquently, the password provided shall be configured on the FortiSwitch against the default “admin” account already present.

Number of switches per FortiGate based on model (388024)

The maximum number of supported FortiSwitches depends on the FortiGate model:

FortiGate Model Range

Number of FortiSwitches Supported

Up to FortiGate-98 and FortiGate-VM01                                8

FortiGate-00 to 280 and FortiGate-VM02                              24

FortiGate-300 to 5xx                                                           48

FortiGate-600 to 900 and FortiGate-VM04                             64

FortiGate-000 and up                                                         128

FortiGate-3xxx and up, and FortiGate-VM08 and up               256

Miscellanous configuration option changes

• The default value of dhcp-Snooping (also called DHCP-blocking) is changed from trusted in FortiOS 5.4 to untrusted in FortiOS 5.6.
• The default value of edge-port is changed from disabled in FortiOS 5.4 to enabled in FortiOS 5.6.0.

FortiView (5.6.1)

Additional GUI support

• Link aggregation of FortiSwitch ports l DHCP trusted/untrusted, loop guard, and STP for FortiSwitch ports l Connect to CLI support for FortiSwitch

Adding preauthorized FortiSwitches (382774)

After you preauthorize a FortiSwitch, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

 

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6)

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

Reset PoE-enabled ports from the GUI (387417)

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configure QoS with managed FortiSwitches (373581)

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows. NOTE: FortiGate does not support QoS for hard or soft switch ports.

To configure the QoS for managed FortiSwitches:

1. Configure a Dot1p map.

config switch-controller qos dot1p-map edit <Dot1p map name> set description <text> set priority-0 <queue number> set priority-1 <queue number> set priority-2 <queue number> set priority-3 <queue number> set priority-4 <queue number> set priority-5 <queue number> set priority-6 <queue number> set priority-7 <queue number>

next

end

2. Configure a DSCP map.

config switch-controller qos ip-dscp-map edit <DSCP map name> set description <text> configure map <map_name> edit <entry name> set cos-queue <COS queue number>

set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF |

CS6 | CS7} set ip-precedence {network-control | internetwork-control | critic-ecp

| flashoverride | flash | immediate | priority | routine} set value <DSCP raw value>

next

end end

3. Configure the egress QoS policy.

config switch-controller qos queue-policy edit <QoS egress policy name> set schedule {strict | round-robin | weighted}

config cos-queue edit [queue-<number>] set description <text> set min-rate <rate in kbps> set max-rate <rate in kbps>

set drop-policy {taildrop | random-early-detection} set weight <weight value>

next

end

next

end

4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy edit <QoS egress policy name> set default-cos <default CoS value 0-7> set trust-dot1p-map <Dot1p map name> set trust-ip-dscp-map <DSCP map name> set queue-policy <queue policy name>

next

end

5. Configure each switch port.

config switch-controller managed-switch edit <switch-id> config ports edit <port> set qos-policy <CoS policy>

next

end

next end

Configure an MCLAG with managed FortiSwitches (366617)

To configure a multichassis LAG (MCLAG) with managed FortiSwitches:

1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk edit “LAG-member” set mode lacp-active set mclag-icl enable set members “<port>” “<port>”

next

2. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch edit “<switch-id>” config ports edit “<trunk name>” set type trunk

set mode {static | lacp-passive | lacp-active} set bundle {enable | disable}

set members “<port>,<port>” set mclag {enable | disable}

next

end

next

3. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Override the admin password for all managed FortiSwitches (416261)

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitches managed by a FortiGate, use the following commands:

config switch-controller switch-profile edit default set login-passwd-override {enable | disable} set login-passwd <password>

next

end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and use the unset login-passwd command; otherwise, your previously set password will remain in the FortiSwitch.

Enable and disable switch-controller access VLANs through FortiGate (406718)

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate. After the client traffic reaches the FortiGate, the FortiGate can then determine whether to allow various levels of access to the client by shifting the client’s network VLAN as appropriate.

config system interface edit <VLAN name> set switch-controller-access-vlan {enable | disable}

next

end