FortiSwitch 7.0.6 - B&B Bezpieczeństwo w biznesie

Fortinet udostępnił aktualizację oprogramowania dla FortiSwitch o oznaczeniu wersji 7.0.6. Nowością w tej wersji oprogramowania jest wsparcie dla atrybutów RADIUS podczas żądań płynących z mechanizmu CoA (Change of Authorization). Aktualizacja przynosi również rozwiązanie kilku problemów zgłaszanych przez administratorów – więcej w artykule poniżej.

Co nowego w FortiSwitch 7.0.6:

Release 7.0.6 provides the following new features:

Three RADIUS attributes are now supported for RADIUS CoA-Request messages:
- Tunnel-Type—VLAN (13)
- Tunnel-Medium-Type—IEEE-802 (6)
- Tunnel-Private-Group-ID—VLAN ID or VLAN name (13)
NOTE: These attributes are also supported in FortiSwitchOS 6.4.12 and 7.2.2 or later.
The default value for the set dhcp-snoop-client-req command (under config system global) is now drop-untrusted, instead of forward-untrusted.

Aktualnie wspierane modele:

FortiSwitch 1xx	FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx	FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx	FS-424D, FS-424D-FPOE, FS-424D-POE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448D, FS-448D-FPOE, FS-448D-POE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx	FS-524D-FPOE, FS-524D, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx	FS-1024D, FS-1024E, FS-1048D, FS-1048E, FS-T1024E
FortiSwitch 3xxx	FS-3032D, FS-3032E
FortiSwitch Rugged	FSR-112D-POE, FSR-124D

Rozwiązane problemy:

Bug ID	Description
801678	After enabling MAC authentication bypass (MAB) on some FortiSwitch models, the FortiGate device removes the NAC device after an inactivity timeout.
806907	Packet loss occurs when using the SP-CABLE-FS-SFP+5 direct-attach cable with FS-124F switches.
824605	The object identifier (OID) 1.3.6.1.2.1.10.7.2.1.19 does not work on FS-1048E.
831495	The TV multicast receivers do not unsubscribe from the multicast stream.
831546	Logging in to a FortiSwitch unit that is managed by FortiSwitch Manager displays a message that incorrectly refers to FortiLink and FortiGate.
837168	The following switches make a high fan noise: FS-224D-FPOE FS-224E-POE FS-248D FS-424D FS-424D-POE FS-424D-FPOE FS-448D FS-448D-FPOE
846994	Configuring the `set group-name`command under `config match` for `config user tacacs+` does not work.
848619	After configuring the `set speed auto-module` command (under `config switch physical-port`) on some switches (such as the FS-124F or FS-148F), the fiber interface does not come up.
849465	Using FN-TRAN-GC with the FS-108E or FS-108F switch causes link flapping or wrongly shows that the link is up when the cable is not connected.
850859	FortiSwitchOS sends the wrong OID for the SNMPv3 trap for link-down events.
857391	After upgrading FortiSwitchOS, some switch models report that the fan has failed, although the fan status is OK.
858223	The “System reboot is required after disk error” log entry is incorrectly labeled as “notice,” instead of “emergency.”
861492	The mgmt interface MAC address is set to 00:01:02:03:04:05 after a reboot or factory reset.
866231	The `set status down` command (under `config switch physical-port`) does not work on the SFP+ ports on the FS-426E-FPOE for certain versions of FortiSwitchOS. If you need to shut down any of the SFP+ ports on the FS-426E-FPOE, do not use FortiSwitchOS 7.0.5, 7.2.0, 7.2.1, or 7.2.2.
867758	FortiSwitch units using IPv6 do not respond to SNMPv3 requests.
869616	The FortiAnalyzer and FortiSwitch logs have multiple entries about the fan tray being detected or undetected on an FS-1048E switch, although the fan status is good.

Znane problemy:

Bug ID	Description
382518, 417024, 417073, 417099, 438441	DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs).
414972	IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality.
463161	Upgrading the FS-448D from FortiSwitchOS 3.5.6 to 3.6.3 fails with an “Invalid root configuration data.” error.
480605	When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server. Workarounds: —Use a static IP address in the SVI when DHCP snooping is enabled on that VLAN. —Temporarily disable dhcp-snooping on vlan, issue the `execute interface dhcpclient-renew <interface>` command to renew the IP address. After the SVI gets the IP address from the DHCP server, you can enable DHCP snooping.
510943	The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values. Workaround: When using the cable diagnostics feature on a port (with the `diagnose switch physical-ports cable-diag <physical port name>` CLI command), ensure that the physical link on its neighbor port is down. You can disable the neighbor ports or physically remove the cables.
542031	For the 5xx switches, the `diagnose switch physical-ports led-flash` command flashes only the SFP port LEDs, instead of all the port LEDs.
548783	Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources.
572052	Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters. Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x.
585550	When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded.
606044, 610149	The results are inaccurate when running cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
609375	The FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, The SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB.
667079	For the FSR-112D-POE model: If you have enabled IGMP snooping or MLD snooping, the FortiSwitch unit does not support IPv6 functionalities and cannot pass IPv6 protocol packets transparently. If you want to use IGMP snooping or MLD snooping with IPv6 functionalities, you need to enable `set flood-unknown-multicast` under the `config switch global` command.
673433	Some 7-meter DAC cables cause traffic loss for the FS-448E model.
724813	The `set enforce-first-as {disable \| enable}` command should have been placed under `config neighbor` and does not work in its current location (directly under `config router bgp`). There is no patch available for this issue.
784585	When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks. Workaround: Disable MRP and then re-enable MRP.
833450	Do not use multicast IP addresses in the ranges of 224-239.0.0.x and 224-239.128.0.x on the FS-2xxD, FS-2xxE, FS-4xxD, and FS-4xxE models.

Notatki producenta: FortiSwitch 7.0.6

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

Post Views: 1 485

Fortinet FortiSwitch fortiswitchos