Producent oprogramowania Fortinet udostępnił właśnie nową wersję oprogramowania dla produktu FortiSwitch w wersji 6.4.5. W najnowszej wersji rozwiązano min. problem z parity errors które czasami powodowały 100% wykorzystania procesora. Rozwiązano również problem który, po skonfigurowaniu wymuszenia na użytkownikach zmiany haseł podczas pierwszego logowania w programie GUI, nie monituje użytkowników o zmianę haseł. Producent poradził sobie również z problemem zadań konserwacyjnych które na niektórych platformach mogą powodować nawet o 30 procent dodatkowego przetwarzania. Po większą dawkę informacji zapraszamy do dalszej części artykułu.
Wspierane modele:
FortiSwitch 1xx FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-
FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-
148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-
FPOE
FortiSwitch 4xx FS-424D, FS-424D-FPOE, FS-424D-POE, FS-424E, FS-424E-POE, FS-424E-
FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448D, FS-448D-FPOE, FS-448D-
POE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx FS-524D-FPOE, FS-524D, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx FS-1024D, FS-1048D, FS-1048E
FortiSwitch 3xxx FS-3032D, FS-3032E
FortiSwitch Rugged FSR-112D-POE, FSR-124D
Nowości w wersji 6.4.5:
The maximum number of IGMP-snooping and MLD-snooping groups has been increased. The following are the
maximum number of groups:
FSR-112D-POE – 4,096
FSR-124D, FS-2xxD, FS-2xxE, FS-4xxD, FS-
4xxE, FS-M426E-FPOE -1,024
FS-124E, FS-124F, and FS-108E 1,024
FS-148E and FS-148F -4,096
FS-5xx – 8,192 (IGMP snooping) and 6,144 (MLD snooping)
FS-1048E- 8,192
FS-1048D and FS-1024D – 4,096
FS-3032D and FS-3032E – 8,192
You can now use the diagnostic monitoring interface (DMI) to monitor QSFP28 transceivers.
Rozwiązane problemy:
Bug ID Description
488900 Maintenance tasks on some platforms can cause as much as 30 percent extra processing.
621628 Parity errors sometimes cause 100 percent CPU usage.
668038 The maximum limit of multicast groups supported by a FortiSwitch unit is reduced by
counting each port registered to a multicast channel as an independent group.
666841 Setting the STP state on a port, if that port is part of the FortLink uplink trunk, can occasionally cause a memory leak.
669844 A trunk name that contains the “/” character causes problems with synchronizing the FortiSwitch trunk configuration.
670281 STP states flap for the inter-chassis link (ICL) in a multiple-site FortiLink redundancy topology.
672607 After FortiSwitchOS is configured to force users to change their passwords when first logging in, the GUI does not prompt users to change their passwords.
673673 When a trusted host is added to the admin profiles, those admins cannot log in to the FortiSwitch GUI or CLI from FortiSwitch Cloud.
677786 After upgrading the core FortiSwitch unit to 6.4.4, the access FortiSwitch unit has a high CPU usage.
678608 When packet sampling is enabled on the uplinks, the internal interfaces of the FS-3032 and FS-1048 models rise intermittently to 150 petabits per second.
680477 The time zone of a managed FortiSwitch unit is not synchronized with the FortiGate time zone.
Znane problemy do rozwiązania:
382518, 417024,
417073, 417099, DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs).
438441
414972 IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality.
480605 When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server.
Workarounds:
—Use a static IP address in the SVI when DHCP snooping is enabled on that
VLAN.
—Temporarily disable dhcp-snooping on vlan, issue the execute interface
dhcpclient-renew <interface> command to renew the IP address. After
the SVI gets the IP address from the DHCP server, you can enable DHCP
snooping.
510943 The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values.
Workaround: When using the cable diagnostics feature on a port (with the
diagnose switch physical-ports cable-diag <physical port
name> CLI command), ensure that the physical link on its neighbor port is down.
You can disable the neighbor ports or physically remove the cables.
520954 When a “FortiLink mode over a layer-3 network” topology has been configured, the FortiGate GUI does not always display the complete network.
542031 For the 5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs.
548783 Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on
ports being used as mirror sources.
572052 Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail
when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with
passwords longer than 15 characters. Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS
3.x and 6.x.
585550 When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded.
606044 The value for cable length is wrong when running cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE,
FS-148E, and FS-148E-POE models.
609375 The FortiSwitchOS supports four priority levels (critical, high, medium, and low);
however, The SNMP Power Ethernet MIB only supports three levels. To support
the MIB, a power priority of medium is returned as low for the PoE MIB.
610149 The results are inaccurate for open and short cables when running cable
diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-
POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
617755 The internal interface cannot obtain IPv6 addresses with dhcpv6-snooping enabled on the native VLAN.
673433 Some 7-meter DAC cables cause traffic loss for the FS- 448E model.
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
