Fortinet udostępnił najnowszą aktualizację oprogramowania dla FortiSwtich o oznaczeniu wersji 7.2.2. Jedną z nowości jest możliwość wykorzystania znaków wildcard aby ustawić wartości podczas konfiguracji triggerów automatyzacji które są wykorzystywane w stichach. Od tej wersji firmware możemy również wyświetlać trasy routingu według instancji VRF w monitorze routingu. Wersja 7.2.2 to również wsparcie dla VXLAN w modelu FS-3032E. Aktualizacja przynosi również rozwiązanie kilku problemów zgłaszanych przez administratorów – więcej w artykule poniżej.
Co nowego w FortiSwitch 7.2.2:
- You can now specify static entries for DHCP snooping and DAI by manually associating an IP address with a MAC address in the CLI.
- You can now override the global option-82 setting for DHCP requests by specifying plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port.
- You can now use the GUI to configure MLD snooping on FortiSwitch VLANs.
- You can now use the following wildcard characters in the
set valuecommand for the automation trigger used for an automation stitch:- Use an asterisk to match any character string of any length, including 0-characters long. For example, use
set value "*1567*"to match values of81567and156789. - Use square brackets to match one of the multiple characters. For example, use
set value "[aA]dmin"to match values ofadminandAdmin.
- Use an asterisk to match any character string of any length, including 0-characters long. For example, use
- You can now configure multiple fields for the automation trigger used for an automation stitch when the
event-typeisevent-logand thelogidis set. The action is only performed if all conditions are valid (using AND logic). - You can use a new CLI command to change how a FortiSwitch unit with Power over Ethernet (PoE) disconnects from a powered device:
config switch physical-port
edit <port_name>
set poe-disconnection-type {AC | DC | DC-delay}
next
end
- VXLAN tunnels are now supported on FS-3032E.
- If an unverified firmware image is uploaded to FortiSwitchOS, the following warning is displayed in the GUI: “WARNING: This firmware failed signature validation.”
- You can now display IPv4 and IPv6 routes by VRF instance on the Router > Monitor > Routing and Router > Monitor > IPv6 Routing pages.
- The default value for the
set dhcp-snoop-client-reqcommand (underconfig system global) is nowdrop-untrusted, instead offorward-untrusted. - The new
set ebgp-requires-policycommand (underconfig router bgp) is set toenableby default, which prevents the BGP router from learning or advertising prefixes from or to its eBGP peers. - Under the
config router ospfcommand,set ucast-ttlhas been renamed toset ttl. This setting now applies to multicast OSPF packets, as well as unicast OSPF packets.
Aktualnie wspierane modele:
| FortiSwitch 1xx | FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE |
| FortiSwitch 2xx | FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE |
| FortiSwitch 4xx | FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE |
| FortiSwitch 5xx | FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE |
| FortiSwitch 1xxx | FS-1024D, FS-1024E, FS-1048E, FS-T1024E |
| FortiSwitch 3xxx | FS-3032E |
| FortiSwitch Rugged | FSR-112D-POE, FSR-124D |
Rozwiązane problemy:
| 718440 | When 802.1X MAC-based authentication, dynamic VLAN assignment, and allow-mac-move are configured, the FortiSwitch unit incorrectly forwards packets with VLAN tags. |
| 795041 | The VM debug report (System > Debug Report) is missing information for many CLI commands. |
| 814741 | MAC authentication bypass (MAB) authentication sometimes does not work on a managed FS-108E. |
| 818959 | The DHCP server does not allow DHCP clients to move from one interface to another. |
| 821808 | After using the FortiSwitch Configuration Migration Tool, all VLANS are missing. |
| 824283 | The output of the diagnose switch physical-ports qos-stat list command shows the same number of dropped packets for queue 0 for all ports. |
| 825614 | The status of the second power supply unit is incorrectly reported as “Not OK.” |
| 830533 | After upgrading to FortiSwitchOS 7.2.1, the status of the single power supply unit is incorrectly reported as “Not OK,” and the status of the fan is incorrectly reported as more than 100 percent. |
| 831495 | The TV multicast receivers do not unsubscribe from the multicast stream. |
| 831546 | Logging in to a FortiSwitch unit that is managed by FortiSwitch Manager displays a message that incorrectly refers to FortiLink and FortiGate. |
FortiSwitchOS 7.2.2 is no longer vulnerable to the following vulnerabilities and exposures:
- CVE-2022-31116
- CVE-2022-31117
Znane problemy:
| Bug ID | Description |
|---|---|
| 382518, 417024, 417073, 417099, 438441 | DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs). |
| 414972 | IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality. |
| 480605 | When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server.
Workarounds: |
| 510943 | The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values.
Workaround: When using the cable diagnostics feature on a port (with the |
| 542031 | For the 5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs. |
| 548783 | Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources. |
| 572052 | Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters.
Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x. |
| 585550 | When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded. |
| 606044/610149 | The results are inaccurate when running cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models. |
| 609375 | The FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, The SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB. |
| 659487 | The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE, FS-148E, and FS-148E-POE models support ACL packet counters but not byte counters. The get switch acl counters commands always show the number of bytes as 0. |
| 667079 | For the FSR-112D-POE model:
|
| 673433 | Some 7-meter DAC cables cause traffic loss for the FS- 448E model. |
| 748210 | The MAC authentication bypass (MAB) sometimes does not work on the FS-424E when a third-party hub is disconnected and then reconnected. |
| 784585 | When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks.
Workaround: Disable MRP and then re-enable MRP. |
| 793145 | VXLAN does not work with the following:
|
| 829807 | eBGP does not advertise routes to its peer by default unless the set ebgp-requires-policy disable command is explicitly configured or inbound/outbound policies are configured. |
Notatki producenta: FortiSwitch 7.2.2
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie