Fortinet has released the latest software update for FortiSwitch, version 7.2.3. The new version adds support for IPv6 addresses in ACLs for ingress traffic, new diagnose-debug commands, and support for PSK-mode MACsec and dynamic CAK on the 10G and 100G ports of the FS-1024E and the 100G ports of the FS-T1024E; the FS-1024E and FS-T1024E models support the GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128 and GCM-AES-XPN-256 cipher suites. The update also resolves several issues reported by administrators; more in the article below.
What's new in FortiSwitch 7.2.3:
- You can now use the GUI to create a policy to control routing using the Router > Config > Policy > Next Hop Groups, Router > Config > Policy > PBR Maps, and Router > Config > Policy > Interfaces pages.
- IPv6 addresses are now supported in access control lists (ACLs) for ingress policies.
- To support the EtherLike-MIB, the following improvements have been made to the dot3StatsTable (OID: 1.3.6.1.2.1.10.7.2.1.19):
  - System interfaces are now supported in addition to switch ports.
  - The table type was changed from the simple table type to the complex table type so that the table size more accurately reflects the number of available interfaces.
  - The following additional nodes are now supported:
    - dot3StatsFCSErrors
    - dot3StatsDeferredTransmissions
    - dot3StatsInternalMacTransmitErrors
    - dot3StatsCarrierSenseErrors
    - dot3StatsFrameTooLongs
    - dot3StatsInternalMacReceiveErrors
- There are additional diagnose-debug messages.
- PSK-mode MACsec and dynamic-CAK mode are now supported on the 10G and 100G ports on FS-1024E and the 100G ports on FS-T1024E. The FS-1024E and FS-T1024E models support the GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, and GCM-AES-XPN-256 cipher suites.
- The `set eap-egress-tagged {enable | disable}` command is now supported on the FS-1xxE and FS-1xxF models. When you are using the MAC move feature with EAP authentication, you can disable `eap-egress-tagged` to force the switch to always use the untagged EAP response.
- The following changes and enhancements have been made to the `set allow-mac-move` command:
  - The `set allow-mac-move` command has been changed to `set allow-mac-move-to` for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.
  - You can now use the `set allow-mac-move-from` command for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
  - You can now enable the `set allow-mac-move` command on a global level for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.
- The new User, Security, and Fortinet columns in the 802.1X Session page provide the user name, the security group name, and the RADIUS group name.
- You can now change how the ALARM LED functions for the FSR-112D-POE model, system part number P17080-04 or later. You can check the system part number with the `get system status` command. Use the following command to have the ALARM LED turn red when only one power supply unit (PSU) is connected:

  ```
  config system global
      set single-psu-fault enable
  end
  ```

  By default, the `set single-psu-fault` command is disabled.
- MAB-only authentication is now supported. In this mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent. To enable MAB-only authentication:

  ```
  config switch interface
      edit <interface_name>
          config port-security
              set port-security-mode {802.1X | 802.1X-mac-based}
              set mac-auth-bypass enable
              set auth-order MAB
          end
      next
  end
  ```
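The release notes above list six new dot3StatsTable nodes but do not show how to consume them. As an added example (not part of the release notes or Fortinet's own code), the Python script below parses snmpwalk-style output for exactly those six nodes and flags interfaces whose error counters are non-zero; the column numbers come from the EtherLike-MIB (RFC 3635), not from the release notes, and the walk output is constructed.

```python
import re

# dot3StatsEntry under the EtherLike-MIB (RFC 3635); the column numbers
# below are from that RFC, not from the FortiSwitch release notes.
DOT3_STATS_ENTRY = "1.3.6.1.2.1.10.7.2.1"
NEW_NODES = {
    3: "dot3StatsFCSErrors",
    7: "dot3StatsDeferredTransmissions",
    10: "dot3StatsInternalMacTransmitErrors",
    11: "dot3StatsCarrierSenseErrors",
    13: "dot3StatsFrameTooLongs",
    16: "dot3StatsInternalMacReceiveErrors",
}
# Counters that point at a bad cable, optic or peer rather than normal
# half-duplex backoff (deferred transmissions), so they deserve an alert.
ERROR_NODES = {"dot3StatsFCSErrors", "dot3StatsFrameTooLongs",
               "dot3StatsInternalMacTransmitErrors",
               "dot3StatsInternalMacReceiveErrors"}
# One "snmpwalk -On" line: ".<oid> = Counter32: <value>"
LINE_RE = re.compile(r"^\.?(\d+(?:\.\d+)*)\s*=\s*Counter32:\s*(\d+)$")

def parse_walk(text):
    """Return {ifIndex: {node_name: value}} for the six new nodes only."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(DOT3_STATS_ENTRY + "."):
            continue
        column, if_index = m.group(1)[len(DOT3_STATS_ENTRY) + 1:].split(".", 1)
        name = NEW_NODES.get(int(column))
        if name:  # other dot3Stats columns (e.g. .19) are ignored
            stats.setdefault(int(if_index), {})[name] = int(m.group(2))
    return stats

def noisy_interfaces(stats):
    """ifIndexes with any non-zero error counter, in ascending order."""
    return sorted(i for i, c in stats.items()
                  if any(c.get(n, 0) for n in ERROR_NODES))

# Constructed sample walk output (not captured from a real switch).
SAMPLE_WALK = """\
.1.3.6.1.2.1.10.7.2.1.3.1 = Counter32: 0
.1.3.6.1.2.1.10.7.2.1.3.2 = Counter32: 1842
.1.3.6.1.2.1.10.7.2.1.7.1 = Counter32: 12
.1.3.6.1.2.1.10.7.2.1.7.2 = Counter32: 0
.1.3.6.1.2.1.10.7.2.1.13.2 = Counter32: 3
.1.3.6.1.2.1.10.7.2.1.16.3 = Counter32: 0
.1.3.6.1.2.1.10.7.2.1.19.1 = INTEGER: 3
"""
```

Feed it the output of an `snmpwalk -On` against the switch's dot3StatsTable; on the sample, only ifIndex 2 is reported, because deferred transmissions on ifIndex 1 are not treated as errors.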
Currently supported models:
Series | Models |
---|---|
FortiSwitch 1xx | FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE |
FortiSwitch 2xx | FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE |
FortiSwitch 4xx | FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE |
FortiSwitch 5xx | FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE |
FortiSwitch 1xxx | FS-1024D, FS-1024E, FS-1048E, FS-T1024E |
FortiSwitch 3xxx | FS-3032E |
FortiSwitch Rugged | FSR-112D-POE, FSR-124D |
Resolved issues:
Bug ID | Description |
---|---|
806907 | Packet loss occurs when using the SP-CABLE-FS-SFP+5 direct-attach cable with FS-124F switches. |
818628 | When Virtual Router Redundancy Protocol (VRRP) is being used in a layer-3 MCLAG topology, static routes disappear after the FortiSwitch unit is restarted. |
833450 | Layer-2 multicast traffic is flooding to ports within the same VLAN, even though IGMP snooping is enabled. |
833503 | The FortiGate device does not detect a standalone FS-224E-POE that is running FortiSwitchOS 7.0.5. |
834930 | The diagnose switch mclag peer-consistency-check command displays split ports incorrectly. |
837168 | The following switches make a high fan noise: |
844973 | After the firmware is successfully uploaded, the FS-M426E switch fails to upgrade. |
845190 | FortiSwitchOS will not allow https to be removed from the set allowaccess configuration. |
846994 | Configuring the set group-name under config match for config user tacacs+ does not work. |
849465 | Using FN-TRAN-GC with the FS-108E or FS-108F switch causes link flapping or wrongly shows that the link is up when the cable is not connected. |
850859 | FortiSwitchOS sends the wrong OID for the SNMPv3 trap for link-down events. |
857391 | After upgrading to FortiSwitchOS, some switch models report that the fan has failed, although the fan status is OK. |
861492 | The mgmt interface MAC address is set to 00:01:02:03:04:05 after a reboot or factory reset. |
863009 | When running FortiSwitchOS 7.2.2, the RPS LED does not light with the appropriate color when a redundant power supply is inserted. |
Common vulnerabilities and exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
855445 | FortiSwitchOS 7.2.3 is no longer vulnerable to the following CVE Reference: |
Known issues:
Bug ID | Description |
---|---|
382518, 417024, 417073, 417099, 438441 | DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs). |
414972 | IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality. |
480605 | When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server. Workarounds: |
510943 | The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values. Workaround: When using the cable diagnostics feature on a port (with the |
542031 | For the 5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs. |
548783 | Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources. |
572052 | Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters. Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x. |
585550 | When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded. |
606044/610149 | The results are inaccurate when running cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models. |
609375 | The FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, the SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB. |
659487 | The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, and FS-148E-POE models support ACL packet counters but not byte counters. The get switch acl counters commands always show the number of bytes as 0. |
667079 | For the FSR-112D-POE model: |
673433 | Some 7-meter direct-attach cables (DACs) cause traffic loss for the FS-448E model. |
748210 | The MAC authentication bypass (MAB) sometimes does not work on the FS-424E when a third-party hub is disconnected and then reconnected. |
784585 | When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks. Workaround: Disable MRP and then re-enable MRP. |
793145 | VXLAN does not work with the following: |
829807 | eBGP does not advertise routes to its peer by default unless the set ebgp-requires-policy disable command is explicitly configured or inbound/outbound policies are configured. |
833450 | Do not use multicast IP addresses in the ranges of 224-239.0.0.x and 224-239.128.0.x on the FS-2xxD, FS-2xxE, FS-4xxD, and FS-4xxE models. |
Vendor release notes: FortiSwitch 7.2.3
Best regards,
The B&B Team
Bezpieczeństwo w biznesie