Category Archives: FortiOS 6

FortiSwitch Managed By FortiOS 6 – FortiLink configuration using the FortiGate CLI

FortiLink configuration using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

Configure FortiLink on a physical port or configure FortiLink on a logical interface.
Configure NTP.
Authorize the managed FortiSwitch unit.
Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

If required, remove port 1 from the lan interface:

config system virtual-switch edit lan config port delete port1

end

Configure port 1 as the FortiLink interface:

config system interface edit port1 set auto-auth-extension-device enable set fortilink enable

end

Configure an NTP server on port 1:

config system ntp set server-mode enable set interface port1 end

Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370 set fsw-wan1-admin enable

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default).

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

If required, remove the FortiLink ports from the lan interface:

config system virtual-switch edit lan config port delete port4 delete port5

end

Create a trunk with the two ports that you connected to the switch:

config system interface edit flink1 (enter a name, 11 characters maximum) set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable

(optional) set fortilink-split-interface enable next

end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.

Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370

set fsw-wan1-admin enable

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

3 Replies

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:

DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

FortiSwitch Managed By FortiOS 6 – Connecting FortiLink ports

Leave a reply

Connecting FortiLink ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).

1. Enable the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate web-based manager or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI

Go to System > Feature Visibility.
Turn on the Switch Controller feature, which is in the Basic Features
Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global set switch-controller enable

end

2. Connect the FortiSwitch unit and FortiGate unit

FortiSwitchOS 3.3.0 and later provides flexibility for FortiLink:

Use any switch port for FortiLink l Provides auto-discovery of the FortiLink ports on the FortiSwitch
Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, D-series FortiSwitch models support FortiLink auto-discovery, on automatic detection of the port connected to the FortiGate unit.

Connect the FortiSwitch unit and FortiGate unit Connecting FortiLink ports

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface edit <port>

set auto-discovery-fortilink enable

end

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have autodiscovery enabled.

The following table lists the default auto-discovery ports for each switch model.

NOTE: Any port can be used for FortiLink if it is manually configured.

FortiSwitch Model	Default Auto-FortiLink ports
FS-108D	ports 9 and 10
FS-108D-POE	ports 9 and 10
FSR-112D	ports 9, 10, 11 and 12
FSR-112D-POE	ports 5, 6, 7, 8, 9, 10, 11, and 12
FS-124D, FS-124D-POE	ports 23, 24, 25, and 26
FS-224D-POE	ports 21, 22, 23, and 24
FS-224D-FPOE	ports 21, 22, 23, 24, 25, 26, 27, and 28
FS-248D, FS-248D-FPOE, FS-448D, FS448D-FPOE, FS-448D-POE	ports 45, 46, 47, 48, 49, 50, 51, and 52
FS-248D-POE	ports 47, 48, 49, and 50
FS-424D, FS-424D-POE, FS-424D-FPOE	ports 23, 24, 25, and 26
FS-524D, FS-524D-FPOE	ports 21, 22, 23, 24, 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE	ports 45, 46, 47, 48, 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D	all ports

Choosing the FortiGate ports

The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or multiple ports (for a LAG).

Connecting FortiLink ports 2. Connect the FortiSwitch unit and unit

As a general rule, FortiLink is supported on all ports that are not listed as HA ports.

configuration using the FortiGate GUI Summary of the procedure FortiLink configuration using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

Summary of the procedure

On the FortiGate unit, configure the FortLink port or create a logical FortLink interface.
Authorize the managed FortiSwitch unit.

Configure FortiLink as a single link

To configure the FortiLink port on the FortiGate unit:

Go to Network > Interfaces.
(Optional) If the FortiLink physical port is currently included in the internal interface, edit it and remove the desired port from the Physical Interface Members.
Edit the FortiLink port.
Set Addressing mode to Dedicated to FortiSwitch.
Configure the IP/Network Mask for your network.
Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
Select OK.

Configure FortiLink as a logical interface

You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is so by default).

Go to Network > Interfaces.
(Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface, and remove the desired ports from the Physical Interface Members.
Select Create New > Interface.
Enter a name for the interface (11 characters maximum).
Set the Type to 3ad Aggregate, Hardware Switch, or Software Switch.
Select the FortiGate ports for the logical interface.
Set Addressing mode to Dedicated to FortiSwitch.
Configure the IP/Network Mask for your network.
Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
Select OK.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:

config system interface edit <name of the FortiLink interface> set fortilink-split-interface enable

end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

Go to WiFi & Switch Controller > Managed FortiSwitch.
Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

Go to WiFi & Switch Controller> Managed FortiSwitch.
Click Create New.
In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
Move the Authorized slider to the right.
Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

configuration using the FortiGate GUI Managed FortiSwitch display

Managed FortiSwitch display

Go to WiFi & Switch Controller> Managed FortiSwitch to see all of the switches being managed by your FortiGate.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

Go to Wifi & Switch Controller> Managed FortiSwitch.
Click on the FortiSwitch to and click Edit, right-click on a FortiSwitch unit and select Edit, or double-click on a FortiSwitch unit.

From the Edit Managed FortiSwitch form, you can:

Change the Name and Description of the FortiSwitch unit. l View the Status of the FortiSwitch unit.
Restart the FortiSwitch.
Authorize or deauthorize the FortiSwitch. l Update the firmware running on the switch.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Add link aggregation groups (Trunks)

To create a link aggregation group for FortiSwitch user ports:

Go to WiFi & Switch Controller> FortiSwitch Ports.
Click Create New > Trunk.
In the New Trunk Group page, enter a Name for the trunk group.
Select two or more physical ports to add to the trunk group.
Select the Mode: Static, Passive LACP, or Active LACP.
Click OK.

FortiLink configuration using the Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed

FortiSwitch Managed By FortiOS 6 – Whatʼs new in FortiOS 6.0

Leave a reply

Whatʼs new in FortiOS 6.0

The following list contains new features added in FortiOS 6.0. Click on a link to navigate to that section for further information.

l “Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)” on page 12 l “Sharing FortiSwitch ports between VDOMs (391878)” on page 13 l “sFlow support (450507)” on page 15 l “Restricting the type of frames allowed through IEEE 802.1Q ports (448505)” on page 17 l “Dynamic ARP inspection (DAI) support (462511)” on page 17 l “FortiSwitch port mirroring support (457122)” on page 17 l “Quarantining MAC addresses (459525)” on page 18 l “Banning IP addresses (459525)” on page 19 l “Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)” on page 19 l “Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)” on page 20 l “RADIUS accounting support (451023)” on page 20 l “FortiLink mode supported over a layer-3 network (457103)” on page 20 l “Limiting the number of parallel process for FortiSwitch configuration (457103)” on page 22 l “CLI changes for FortiLink mode (447349, 473773)” on page 22 l “Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)” on page 23 l “Network-assisted device detection (377467) ” on page 23

FortiOS 6.0

These features first appeared in FortiOS 6.0.

Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan edit <integer> set switch-controller-learning-limit <limit>

end end

For example:

config switch vlan edit 100 set switch-controller-learning-limit 20

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config ports edit <port> set learning-limit <limit>

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set learning-limit 50

end

Sharing FortiSwitch ports between VDOMs (391878)

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

Create one or more VDOMs.
Assign VLANs to each VDOM as required.
From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global

set default-virtual-switch-vlan <VLAN>

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can

reassign the ports to other VLANs later.

Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool edit <VPP_name> description <string>

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool edit “pool3” description “pool for port3”

end

Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch edit <switch.id> config ports edit <port_name> set {export-to-pool <VPP_name> | export-to <VDOM_name>} set export-tags <string1,string2,string3,…>

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to-pool “pool3” set export-tags “Pool 3”

end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to “vdom3” set export-tags “VDOM 3” next

end

Request a port in a VPP: execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

Return a port to a VPP: execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example: execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP: execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents: execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features: l LLDP

l 802.1x l STP l BPDU guard l Root guard l DHCP snooping l IGMP snooping l QoS

l Port security l MCLAG sFlow support (450507)

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample. l Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow collector-ip <x.x.x.x> collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number> config ports edit <port_name> set sflow-sampler <disabled | enabled> set sflow-sample-rate <0-99999> set sflow-counter-interval <1-255>

end

For example:

config switch-controller sflow collector-ip 1.2.3.4 collector-port 10

end

config switch-controller managed-switch S524DF4K15000024 config ports edit port5 set sflow-sampler enabled set sflow-sample-rate 10 set sflow-counter-interval 60

next end

Restricting the type of frames allowed through IEEE 802.1Q ports (448505)

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN> config ports edit <port_name> set discard-mode <none | all-tagged | all-untagged>

end

Dynamic ARP inspection (DAI) support (462511)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface edit vsw.test set switch-controller-arp-inpsection <enable | disable>

end

config switch-controller managed-switch edit <sn> config ports edit <VLAN_ID> arp-inspection-trust <untrusted | trusted>

end

Use the following CLI command to check DAI statistics for a FortiSwitch unit: diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

FortiSwitch port mirroring support (457122)

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config mirror edit <mirror_name>

set status <active | inactive> set dst <port_name>

set switching-packet <enable | disable> set src-ingress <port_name> set src-egress <port_name>

end

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch edit S524DF4K15000024 config mirror

edit 2

set status active set dst port1 set switching-packet enable set src-ingress port2 port3 set src-egress port4 port5

end

Quarantining MAC addresses (459525)

To create a permanent quarantine of specific MAC addresses, use the following CLI commands:

config user quarantine

set quarantine enable config targets edit <MAC_address>

set description <string>

set tags <tag1 tag2 tag3 …>

end

Option	Description
MAC_address_1, MAC_ address_2	A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string	Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 …	Optional. A list of arbitrary strings.

For example:

config user quarantine

set quarantine enable config targets edit 00:00:00:aa:bb:cc set description “infected by virus” set tags “quarantined”

end

Previously, this feature used the config switch-controller quarantine CLI command.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

Banning IP addresses (459525)

To temporarily ban an IP address, use the following CLI command: diagnose user ban add src4 <IPv4_address>

Previously, this feature used the diagnose user quarantine CLI command.

Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)

You can now synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number> execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM: execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME) STATUS CONFIG MAC-SYNC UPGRADE

FS1D243Z14000173 Up Idle Idle Idle S124DP3X16006228 (Desktop-Switch) Up Idle Idle Idle

Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global set https-image-push enable

end

RADIUS accounting support (451023)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

START—The FortiSwitch has been successfully authenticated, and the session has started.
STOP—The FortiSwitch session has ended.
INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command. l ON—FortiSwitch will send this message when the switch is turned on. l OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius edit <RADIUS_server_name> set acct-interim-interval <seconds> config accounting-server edit <entry_ID> set status {enable | disable} set server <server_IP_address> set secret <secret_key> set port <port_number>

end

FortiLink mode supported over a layer-3 network (457103)

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

Reset the FortiSwitch to factory default settings with the execute factoryreset
Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

config switch-controller global

ac-discovery dhcp

dhcp-option-code <integer>

end end

To use static discovery:

config switch-controller global

ac-discovery static config ac-list

id <integer>

set ipv4-address <IPv4_address>

end

Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

Limiting the number of parallel process for FortiSwitch configuration (457103)

Use the following CLI commands to reduce the number of parallel process that the switch controller uses for configuring FortiSwitch units: config global config switch-controller system set parallel-process-override enable set parallel-process <1-300>

end

CLI changes for FortiLink mode (447349, 473773)

There are changes to the execute switch-controller get-physical-connection, execute switch-controller get-conn-status, and diagnose switch-controller dump networkupgrade status CLI commands.

The execute switch-controller get-physical-connection CLI command has new parameters:

Use the execute switch-controller get-physical-connection standard command to get the FortiSwitch stack connectivity graph in the standard output format.

Use the execute switch-controller get-physical-connection dot command to get the

FortiSwitch stack connectivity graph in a .dot (Graphviz) output format.

The execute switch-controller get-conn-status CLI command output now includes virtual

FortiSwitch units. Virtual FortiSwitch units are indicated by an asterisk (*) after the switch identifier. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID VERSION	STATUS	ADDRESS	JOIN-TIME		NAME
S108DV2EJZDAC42F v3.6.0	Authorized/Up	169.254.2.4	Thu Feb	8 17:07:35 2018	–
S108DV4FQON40Q07 v3.6.0	Authorized/Up	169.254.2.5	Thu Feb	8 17:08:37 2018	–
S108DVBWVLH4QGEB v3.6.0	Authorized/Up	169.254.2.6	Thu Feb	8 17:09:13 2018	–
S108DVCY19SA0CD8 v3.6.0	Authorized/Up	169.254.2.2	Thu Feb	8 17:04:41 2018	–
S108DVD98KMQGC44* v3.6.0	Authorized/Up	169.254.2.7	Thu Feb	8 17:10:50 2018	–
S108DVGGBJLQQO48* v3.6.0	Authorized/Up	169.254.2.3	Thu Feb	8 17:06:57 2018	–
S108DVKM5T2QEA92 v3.6.0	Authorized/Up	169.254.2.8	Thu Feb	8 17:11:00 2018	–
S108DVZX3VTAOO45 v3.6.0	Authorized/Up	169.254.2.9	Thu Feb	8 17:11:00 2018	–
Managed-Switches: 8	UP: 8	DOWN: 0

The diagnose switch-controller dump network-upgrade status CLI command output now

includes the location of the image that is loaded when the FortiSwitch unit is restarted. If the Next boot column is blank, the FortiSwitch unit uses the same location each it is restarted. The status column shows the percentage downloaded, the percentage erased in flash memory, and the percentage written to flash memory.

For example:

diagnose switch-controller dump network-upgrade status

Running Status Next boot

__________________ ________________________________________ _________ ___________________________ VDOM : root

S108DVCY19SA0CD8 S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0) S108DV-v3.7.0build4277,171207 (Interim)

S108DV2EJZDAC42F S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)

To upgrade the firmware on multiple FortiSwitch units at the same time:

Go to WiFi & Switch Controller> Managed FortiSwitch.
Select the faceplates of the FortiSwitch units that you want to upgrade.
Click Upgrade.

The Upgrade FortiSwitches page opens.

Select FortiGuard or select Upload and then select the firmware file to upload.

You can select only one firmware image to use to upgrade the selected FortiSwitch units. If the FortiSwitch unit already has the latest firmware image, it will not be upgraded.

Select Upgrade.

Network-assisted device detection (377467)

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings set network-monitoring enable end

Connecting FortiLink ports 1. Enable the switch controller on the unit

FortiSwitch Managed By FortiOS 6 – Introduction

Leave a reply

Supported models

Introduction

NOTE: FortiLink is not supported in Transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range

Number of FortiSwitch Units Supported

Up to FortiGate-98 and FortiGate-VM01 8

FortiGate-100 to 280 and FortiGate-VM02 24

FortiGate-300 to 5xx 48

FortiGate-600 to 900 and FortiGate-VM04 64

FortiGate-1000 and up 128

FortiGate-3xxx and up and FortiGate-VM08 and up 300

Supported models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases. For example, the FGT-500E model with FortiOS 5.6.3 and later supports all FortiSwitch D-series and E-series models running FortiSwitchOS 3.6.0 and later.

Each row includes support for earlier FortiGate models. For example, the FGT-500E row includes support by the FortiGate models in the rows above it.

		FortiSwitch Models
FortiGate and FortiWiFi Models	Earliest FortiOS	FortiSwitch Models
FGT-90D	5.2.2	FS-224D-POE

Supported models


FortiGate and FortiWiFi Models	Earliest FortiOS	FortiSwitch Models
FGT-60D FGT-100D, 140D, 140D-POE, 140D-T1 FGT-200D, 240D, 280D, 280D-POE FGT-600C FGT-800C FGT-1000C, 1200D, 1500D FGT-3700D, FGT-3700DX	5.2.3	FSR-112D-POE FS-108D-POE FS-124D (POE) FS-224D-POE and FPOE
	5.4.0	All FortiSwitch D-series models. FortiSwitchOS 3.3.x or 3.4.0 is recommended.
FGT and FWF-30D, 30D-POE, 30E FGT and FWF-50E, 51E FGR-60D FGT-70D, 70D-POE FGT-80D FGR-90D FGT and FWF-92D FGT-94D-POE, 98D-POE FGT-300D FGT-400D FGT-500D FGT-600D FGT-900D FGT-1000D FGT-3000D, 3100D, 3200D, 3240C, 3600C, 3810D, 3815D FGT_VM, VM64, VM64-AWS, VM64AWSONDEMAND, VM64-HV, VM64-KVM, VMVMX, VM64-XEN	5.4.1	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT and FWF- 60E, 61E FGT-100E, 101E	5.4.2	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT-80E, 80E-POE, 81E, 81E-POE FGT-100EF	5.4.3	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT-90E, 91E FGT-200E, 201E FGT-2000E, 2500E	5.6.0	All FortiSwitch D-series models. FortiSwitchOS 3.5.4 or later is required for all managed switches.

Support of FortiLink features

FortiSwitch Models

FortiGate and FortiWiFi Models

Earliest FortiOS

FGT-500E

5.6.3

All FortiSwitch D-series and E-series models.

FortiSwitchOS 3.6.0 or later is required for all managed switches.

Support of FortiLink features

The following table lists the FortiSwitch models supported by FortiLink features.

FortiLink Features	FortiSwitch Models
Centralized VLAN Configuration	D-series, E-series
Switch POE Control	D-series, E-series
Link Aggregation Configuration	D-series, E-series
Spanning Tree Protocol (STP)	D-series, E-series
LLDP/MED	D-series, E-series
IGMP Snooping	Not supported on 112D-POE, 1xxE-Series
802.1x Authentication (Port-based, MAC-based, MAB)	D-series, E-series
Syslog Collection	D-series, E-series
DHCP Snooping	Not supported on 1xxE-Series
Device Detection	D-series, E-series
Support FortiLink FortiGate in HA Cluster	D-series, E-series
LAG support for FortiLink Connection	D-series, E-series
Active-Active Split MLAG from FortiGate to FortiSwitch units for Advanced Redundancy	Not supported on FS-1xx Series
sFlow	Not supported on 1xxE-Series
Dynamic ARP Inspection (DAI)	Not supported on 1xxE-Series
Port Mirroring	D-series, E-series

Before you begin

FortiLink Features	FortiSwitch Models
RADIUS Accounting Support	Not supported on 1xxE-Series
Centralized Configuration	D-series, E-series
Access VLAN	Not supported on 1xxE-Series, 112D-POE
STP BDPU Guard, Root Guard, Edge Port	D-series, E-series
Loop Guard	D-series, E-series
Switch admin Password	D-series, E-series
Storm Control	D-series, E-series
802.1x-Authenticated Dynamic VLAN Assignment	D-series, E-series
Host Quarantine on Switch Port	Not supported on 1xxE Series, 112D-POE
QoS	Not supported on 1xxE-Series, 112D-POE
Centralized Firmware Management	D-series, E-series

Before you begin

Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this manual:

You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and you have administrative access to the FortiSwitch web-based manager and CLI.
You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

How this guide is organized

This guide contains the following sections:

Whatʼs new in FortiOS 6.0 describes the new features for this release. l Connecting FortiLink ports describes how to connect FortiSwitch ports to FortiGate ports. l FortiLink configuration using the FortiGate GUI describes how to use the FortiGate GUI for FortiLink configuration. l FortiLink configuration using the FortiGate CLI describes how to use the FortiGate CLI for FortiLink configuration. l Network topologies for managed FortiSwitch units describes the configuration for various network topologies.
Optional setup tasks describes other setup tasks that are optional. l FortiSwitch features configuration describes how to configure managed FortiSwitch features, including VLANs. l FortiSwitch port features describe how to configure ports and PoE from the FortiGate unit.

What’s New In FortiOS 6

Leave a reply

Security Fabric

This section introduces new Security Fabric features in FortiOS 6.0.

Security Fabric Automation

User-defined Automations allow you to improve response times to security events by automating the activities between devices in the Security Fabric. You can monitor events from any source in the Security Fabric and set up action responses to any destination. To create an Automation, you can set up a Trigger event and response Actions that cause the Security Fabric to respond in a predetermined way. From the root FortiGate, you can set up event triggers for the following event types: compromised host, event log, reboot, conserve mode, high CPU, license expiry, High Availability (HA) failover, and configuration changes. The workflows have the means to launch the following actions in response: email, FortiExplorer notification, AWS Lambda and webhook. Additional actions are available for compromised hosts, such as: access layer quarantine, quarantine FortiClient via EMS, and IP ban.

For more information, see the Security Fabric Handbook.

Security Rating

The Security Rating feature (previously called the Security Fabric Audit) includes new security checks that can help you make improvements to your organization’s network, such as enforce password security, apply recommended login attempt thresholds, encourage two factor authentication, and more.

For more information, see the Fortinet Recommended Security Best Practices document.

Security Rating FortiGuard service

Security Rating is now a subscription service that FortiGuard offers when you purchase a Security Rating license. This service allows you to:

l Dynamically receive updates from FortiGuard. l Run Security Rating checks for each licensed device in a Security Fabric. l Run Security Rating checks in the background or on demand. l Submit rating scores to FortiGuard and receive rating scores from FortiGuard, for ranking customers by percentile.

For more information, see the Security Fabric Handbook.

Solution and service integration

In FortiOS 6.0, the Security Fabric extends to include more Fortinet products.

Wireless user quarantine

When you create or edit an SSID, you can enable the Quarantine Host option to quarantine devices that are connected in Tunnel-mode. The option to quarantine a device is available from the Topology and FortiView WiFi pages.

When a host is put into quarantine VLAN, it will get its IP from the quarantine VLAN’s DHCP server, and become part of the quarantined network.

For more information, see the FortiWiFi and FortiAP Configuration Guide.

Fortinet products can join the Security Fabric by serial number

Fortinet products can now easily and securely join the Security Fabric using an authorized device serial number.

To learn how to allow a Fortinet product to join your Security Fabric, see the Security Fabric Handbook.

FortiMail integration

You can now add a FortiMail stats widget to the FortiGate Dashboard page to show mail detection stats from FortiMail. Other FortiMail integrations include the following:

A FortiMail section that displays the FortiMail name, IP address, login and password is now available in the Security Fabric Settings page.
FortiMail is now shown as a node in the topology tree view in the Fabric Settings page and in the Physical Topology and Logical Topology views.
The topology views now show the number of FortiMail devices in the Security Fabric in the device summary.

For more information, see the Security Fabric Handbook.

Synchronize the FortiManager IP address among all Security Fabric members

When you add a FortiManager to the Root FortiGate of the Security Fabric, its configuration is now automatically synchronized with all devices in the Security Fabric. Central management features are now configured from the Security Fabric Settings page.

For more information, see the Security Fabric Handbook.

Improve FortiAP and FortiSwitch support in Security Fabric views

The Security Fabric widget on the dashboard and the Security Fabric Settings page now show the FortiAP and FortiSwitch devices in the Security Fabric.

You can now use new shortcuts to easily authorize any newly discovered devices and manage them.
Switch stacking is now supported in the Physical and Logical topology views, and Inter-switch Link (ISL-LAG) is now identified by a thicker single line.

For more information, see the Security Fabric Handbook.

EMS server support in Security Fabric topology

The FortiClient Endpoint Management System (EMS) can be enabled in FortiClient Endpoint profiles. This feature allows you to maintain FortiClient endpoint protection from FortiClient EMS and dynamically push configuration changes from the EMS to FortiClient endpoints. EMS server support is also integrated with Security Fabric Automation.

For more information, see the Security Fabric Handbook.

Multi-cloud support (Security Fabric connectors)

Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration. Security Fabric connectors allow you to integrate Application Centric Infrastructure (ACI), Amazon Web Services (AWS), Microsoft Azure, VMware NSX, and Nuage Virtualized Services Platform configurations into the Security Fabric.

Additionally Cloud init support for Azure is now native to the cloud. FortiGate VM for Azure also supports bootstrapping.

For more information, see the Security Fabric Handbook and the Virtual FortiOS Handbook.

Manageability

This section introduces new manageability features in FortiOS 6.0.

Asset tagging

You can use the new Asset Tagging system to create tags to separate and categorize network objects, interfaces, and devices. Tags are flexible, easy to configure, and useful for comprehensive monitoring, audit reporting, and more.

For more information, see the System Administration Handbook.

FortiSwitch network assisted device detection and destination name resolution

Device detection now extends to managed FortiSwitches since some devices may not be visible to the FortiGate that manages them. Devices that are connected to a FortiSwitch are more visible to the FortiGate that manages them and to the Security Fabric.

FortiSwitch destination name resolution clearly presents destination objects and the aggregation of related IP addresses with domains. It also applies Internet service data base (ISDB) mapping for destination data.

For more information, see the Managing Devices Handbook and the FortiSwitch Devices Managed by FortiOS 6.0 Handbook.

Global security profiles

Global Security Profiles can be used by multiple VDOMs instead of creating identical profiles for each VDOM. You can create global security profiles for the following security features:

l Antivirus l Application control l Data leak prevention l Intrusion protection l Web filtering

For more information, see the Virtual Domains handbook.

Networking

This section introduces new Networking features in FortiOS 6.0.

SD-WAN improvements

FortiOS 6.0 introduces the following SD-WAN features:

Multiple server support for health checks l Internet service groups l Bandwidth options in SD-WAN rules l Custom profiles in SD-WAN rules
DSCP tagging of forwarded packets in SD-WAN rules For more information, see the Networking Handbook.

Multipath intelligence and performance SLAs

SD-WAN performance Service-Level Agreements (SLAs) incorporate multilayer SLA monitoring of link selection. To help handle emergency load or outages you can select links based on weight and SLA priority and then return to defaults once the network stabilizes. Also, traffic shaping and application intelligence have been added to the SD-WAN configuration, which gives you more control of SD-WAN traffic.

For more information, see the Networking Handbook.

Application awareness

You can now use application control and application control group options in SD-WAN rules.

Internet Service support is also increased from a single Internet Service to Internet Service groups.

For more information, see the Networking Handbook.

BGP dynamic routing and IPv6 support for SD-WAN

FortiOS 6.0 introduces support for dynamic router for an SD-WAN configuration. You can set up a route map and add a route tag to the route map. Then, you can create an SD-WAN configuration, a health check, and a service for it. When you create the service, you add the configured route tag that you created in the route map to the service.

For more information, see the Networking Handbook.

Interface-based traffic shaping

In FortiOS 6.0, you can now enable traffic shaping on an interface. Interface-based traffic shaping allows you to enforce bandwidth limits by traffic type for individual interfaces.

For more information, see the Traffic Shaping Handbook.

Cloud-assisted One-Click VPN

One-Click VPN (OCVPN) is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPN. The administrator enables OCVPN with a single click, adds the required subnets, and then the configuration is complete. The OCVPN updates each FortiGate automatically as devices join and leave the VPN, as subnets are added and removed, when dynamic external IP addresses change (for example, DHCP or PPPoE), and when WAN interface bindings change (as in the case of dual WAN redundancy).

For more information, see the IPsec VPN Handbook.

IPv6 enhancements

The following new IPv6 features have been added.

l IPv6 captive portal l IPv6 FQDN and wildcard firewall addresses l IPv6 ISIS dynamic routing l DHCPv6 server prefix delegation l IPv6 DFD and VRRP

For more information, see the Firewall Handbook.

NAT enhancements

The following new NAT features have been added.

Central source NAT (SNAT) policies now include a comment field l Port block allocation timeout is configurable l NAT 46 IP Pools
VRRP HA supports firewall virtual IPs (VIPs) and IP pools For more information, see the Firewall Handbook.

EMAC-VLAN support

The media access control (MAC) virtual local area network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

For more information, see the Networking Handbook.

Security

This section introduces new security features in FortiOS 6.0.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention is an additional layer of protection that keeps your network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.

For more information, see the Security Profiles Handbook.

FortiGuard content disarm and reconstruction

Content Disarm and Reconstruction (CDR) removes exploitable content and replaces it with content that’s known to be safe. As files are processed through an enabled AntiVirus profile, content that’s found to be malicious or unsafe is replaced with content that allows the traffic to continue, but doesn’t put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (such as, HTTP web download, SMTP email send, IMAP and POP3 email retrieval—MAPI isn’t supported).

This feature work even if FortiSandbox is not configured, but only if you want to discard the original file. If FortiSandbox is configured and it responds that the file is clean, it passes the content unmodified.

For more information, see the Security Profiles Handbook.

Application groups for NGFW policies

When a FortiGate operates in NGFW policy mode, you can create application groups when you add NGFW policies. Then, when you add IPv4 or IPv6 policies you can create application groups to simplify policy creation.

For more information, see the Firewall Handbook.

Application control rule sequencing

To have more control over application control outcomes, you can control the order that application signatures appear in application control sensors. Signatures for applications that are more sensitive can appear higher in the list so they get matched first.

For more information, see the Security Profiles Handbook.

External dynamic block lists

This feature introduces the ability to dynamically import external block lists from an HTTP server. You can use the block lists to enforce special security requirements that your organization has. This can include long term policies to always block access to some websites or short time requirements to block access to known compromised locations. Since the lists are dynamically imported any changes made to the list are instantly imported by FortiOS. Dynamic block lists can be added to:

l Web Filter profiles and SSL inspection exemptions. l DNS Filter profiles and “Source/Destination” addresses in proxy policies.

In each profile, the administrator can configure multiple external block lists.

For more information, see the Security Profiles Handbook.