B&B Bezpieczeństwo w biznesie
  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Program Cyfrowy Powiat
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • RODO
  • Kontakt

Fortinet udostępnił najnowszą aktualizację oprogramowania dla FortiSwtich o oznaczeniu wersji 7.2.2. Jedną z nowości jest możliwość wykorzystania znaków wildcard aby ustawić wartości podczas konfiguracji triggerów automatyzacji które są wykorzystywane w stichach. Od tej wersji firmware możemy również wyświetlać trasy routingu według instancji VRF w monitorze routingu. Wersja 7.2.2 to również wsparcie dla VXLAN w modelu FS-3032E. Aktualizacja przynosi również rozwiązanie kilku problemów zgłaszanych przez administratorów – więcej w artykule poniżej.

Co nowego w FortiSwitch 7.2.2: 

  • You can now specify static entries for DHCP snooping and DAI by manually associating an IP address with a MAC address in the CLI.
  • You can now override the global option-82 setting for DHCP requests by specifying plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port.
  • You can now use the GUI to configure MLD snooping on FortiSwitch VLANs.
  • You can now use the following wildcard characters in the set value command for the automation trigger used for an automation stitch:
    • Use an asterisk to match any character string of any length, including 0-characters long. For example, use set value "*1567*" to match values of 81567 and 156789.
    • Use square brackets to match one of the multiple characters. For example, use set value "[aA]dmin" to match values of admin and Admin.
  • You can now configure multiple fields for the automation trigger used for an automation stitch when the event-type is event-log and the logid is set. The action is only performed if all conditions are valid (using AND logic).
  • You can use a new CLI command to change how a FortiSwitch unit with Power over Ethernet (PoE) disconnects from a powered device:

    config switch physical-port

    edit <port_name>

    set poe-disconnection-type {AC | DC | DC-delay}

    next

    end

  • VXLAN tunnels are now supported on FS-3032E.
  • If an unverified firmware image is uploaded to FortiSwitchOS, the following warning is displayed in the GUI: “WARNING: This firmware failed signature validation.”
  • You can now display IPv4 and IPv6 routes by VRF instance on the Router > Monitor > Routing and Router > Monitor > IPv6 Routing pages.
  • The default value for the set dhcp-snoop-client-req command (under config system global) is now drop-untrusted, instead of forward-untrusted.
  • The new set ebgp-requires-policy command (under config router bgp) is set to enable by default, which prevents the BGP router from learning or advertising prefixes from or to its eBGP peers.
  • Under the config router ospf command, set ucast-ttl has been renamed to set ttl. This setting now applies to multicast OSPF packets, as well as unicast OSPF packets.

Aktualnie wspierane modele:

FortiSwitch 1xx FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx FS-1024D, FS-1024E, FS-1048E, FS-T1024E
FortiSwitch 3xxx FS-3032E
FortiSwitch Rugged FSR-112D-POE, FSR-124D

Rozwiązane problemy:

718440 When 802.1X MAC-based authentication, dynamic VLAN assignment, and allow-mac-move are configured, the FortiSwitch unit incorrectly forwards packets with VLAN tags.
795041 The VM debug report (System > Debug Report) is missing information for many CLI commands.
814741 MAC authentication bypass (MAB) authentication sometimes does not work on a managed FS-108E.
818959 The DHCP server does not allow DHCP clients to move from one interface to another.
821808 After using the FortiSwitch Configuration Migration Tool, all VLANS are missing.
824283 The output of the diagnose switch physical-ports qos-stat list command shows the same number of dropped packets for queue 0 for all ports.
825614 The status of the second power supply unit is incorrectly reported as “Not OK.”
830533 After upgrading to FortiSwitchOS 7.2.1, the status of the single power supply unit is incorrectly reported as “Not OK,” and the status of the fan is incorrectly reported as more than 100 percent.
831495 The TV multicast receivers do not unsubscribe from the multicast stream.
831546 Logging in to a FortiSwitch unit that is managed by FortiSwitch Manager displays a message that incorrectly refers to FortiLink and FortiGate.

FortiSwitchOS 7.2.2 is no longer vulnerable to the following vulnerabilities and exposures:

  • CVE-2022-31116
  • CVE-2022-31117

Znane problemy:

Bug ID Description
382518, 417024, 417073, 417099, 438441 DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs).
414972 IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality.
480605 When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server.

Workarounds:
—Use a static IP address in the SVI when DHCP snooping is enabled on that VLAN.
—Temporarily disable dhcp-snooping on vlan, issue the execute interface dhcpclient-renew <interface> command to renew the IP address. After the SVI gets the IP address from the DHCP server, you can enable DHCP snooping.

510943 The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values.

Workaround: When using the cable diagnostics feature on a port (with the diagnose switch physical-ports cable-diag <physical port name> CLI command), ensure that the physical link on its neighbor port is down. You can disable the neighbor ports or physically remove the cables.

542031 For the 5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs.
548783 Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources.
572052 Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters.

Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x.

585550 When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded.
606044/610149 The results are inaccurate when running cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
609375 The FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, The SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB.
659487 The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE, FS-148E, and FS-148E-POE models support ACL packet counters but not byte counters. The get switch acl counters commands always show the number of bytes as 0.
667079 For the FSR-112D-POE model:

  • If you have enabled IGMP snooping or MLD snooping, the FortiSwitch unit does not support IPv6 functionalities and cannot pass IPv6 protocol packets transparently.
  • If you want to use IGMP snooping or MLD snooping with IPv6 functionalities, you need to enable set flood-unknown-multicast under the config switch global command.
673433 Some 7-meter DAC cables cause traffic loss for the FS- 448E model.
748210 The MAC authentication bypass (MAB) sometimes does not work on the FS-424E when a third-party hub is disconnected and then reconnected.
784585 When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks.

Workaround: Disable MRP and then re-enable MRP.

793145 VXLAN does not work with the following:

  • log-mac-event
  • DHCP snooping
  • LLDP-assigned VLANs
  • NAC
829807 eBGP does not advertise routes to its peer by default unless the set ebgp-requires-policy disable command is explicitly configured or inbound/outbound policies are configured.

 

Notatki producenta: FortiSwitch 7.2.2

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

Post Views: 174

Fortinet FortiSwitch fortiswitch 7.2.2

Poprzedni artykułVMware vCenter Server 7.0 Update 3hNastępny artykuł FortiMail 6.2.9

Najnowsze

FortiClientEMS 7.2.07 lutego 2023
FortiAnalyzer 7.2.27 lutego 2023
FortiManager 7.2.27 lutego 2023

Kategorie

  • Acronis
  • Aktualności
  • Bez kategorii
  • ESET
  • F-Secure
  • FortiAnalyzer
  • FortiAP
  • FortiAuthenticator
  • FortiClient
  • FORTIGATE
  • FORTIMAIL
  • FortiManager
  • FortiNAC
  • FORTISWITCH
  • FortiWeb
  • NAKIVO
  • Qnap
  • Stormshield
  • Szkolenia
  • Veeam
  • VMware

Tagi

6.0.6 6.2.1 6.2.2 6.2.7 6.4.0 6.4.2 6.4.3 6.4.4 6.4.5 6.4.8 7.0.0 7.0.2 7.0.5 7.2.0 acronis ems Eset eset endpoint antivirus eset endpoint security ESET Protect ESET Protect Cloud F-Secure f-secure client security f-secure policy manager FMG FortiAnalyzer FortiAP fortiap-s fortiap-w2 FortiAuthenticator FortiClient FortiClientEMS FortiGate FortiMail FortiManager FortiNAC Fortinet FortiOS FortiSwitch FortiWeb vCenter vCenter Server VMware vmware vcenter VMware vCenter Server

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Program Cyfrowy Powiat
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • RODO
  • Kontakt

BLOG TECHNICZNY

FortiClientEMS 7.2.07 lutego 2023
FortiAnalyzer 7.2.27 lutego 2023
FortiManager 7.2.27 lutego 2023

KONTAKT

+48 500-413-313
biuro@b-and-b.plhttps://www.b-and-b.pl
8:00-16:00
BEZPIECZEŃSTWO W BIZNESIE 2022 - wszystkie prawa zastrzeżone

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Program Cyfrowy Powiat
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • RODO
  • Kontakt

BLOG TECHNICZNY

FortiClientEMS 7.2.07 lutego 2023
FortiAnalyzer 7.2.27 lutego 2023
FortiManager 7.2.27 lutego 2023

Kontakt

+48 500-413-313
biuro@b-and-b.pl
8:00-16:00