FortiOS 7.4.0 New Features Guide (pages 651-700)

The document outlines the configuration steps for setting up 802.11be on FortiAP K-series models, including setting channels, channel bonding options, and creating VAPs with WPA3-SAE security. It also introduces new CLI commands for enabling NAS-Filter-Rule support during Wi-Fi authentication, allowing dynamic Access Control Lists for authenticated clients. Additionally, it provides examples of configuring FortiAP profiles and VAPs for Wi-Fi 7 capabilities.


LAN Edge

5. Click Set Channels to set the DFS channels.

6. When you are finished, click OK.


7. In the 6GHz radio, add a Band and select 802.11be.
8. Once you select the 802.11be band on the 6GHz Radio, the 320MHz channel width is available.

9. Click Set Channels to set the Channel Bonding Extension. You can set your channel bandwidth extensions to
320MHz-1 or 320MHz-2, and then set channels accordingly.

FortiOS 7.4.0 New Features Guide 651


Fortinet Inc.

10. When you are finished, click OK.

CLI changes

FortiAP profile

New FortiAP profile CLI options have been added to configure 802.11be on the 5GHz and 6GHz radios of FortiAP K-series models. When 802.11be is selected as the band for radio-3, new channel bonding options are available as well.
config wireless-controller wtp-profile
    edit <name>
        config radio-2
            set band 802.11be-5G
            set channel-bonding 240MHz
        end
        config radio-3
            set band 802.11be-6G
            set channel-bonding 320MHz
            set channel-bonding-ext {320MHz-1 | 320MHz-2}
        end
    next
end

channel-bonding-ext    Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).
                       • 320MHz-1: 320 MHz channel with channel center frequency numbered 31, 95, and 159.
                       • 320MHz-2: 320 MHz channel with channel center frequency numbered 63, 127, and 191.
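As an added example (not part of the guide), a small validator that derives which 320 MHz block each 20 MHz channel belongs to from the centre channels listed above and checks a configured channel list against the selected extension; it assumes the standard 6 GHz numbering in which channel n is centred at 5950 + 5n MHz.

```python
# Added example, not from the FortiOS guide: map 6 GHz 20 MHz channel numbers to
# the 320 MHz block they fall in for channel-bonding-ext 320MHz-1 / 320MHz-2 and
# check a configured channel list against the chosen extension.
from typing import List, Optional, Tuple

# Centre channel numbers of the three 320 MHz blocks of each extension, as given
# in the channel-bonding-ext description above.
BLOCK_CENTERS = {
    "320MHz-1": (31, 95, 159),
    "320MHz-2": (63, 127, 191),
}

# Standard 6 GHz numbering (assumed here): channel n is centred at 5950 + 5*n MHz,
# so one channel-number step is 5 MHz and a 320 MHz block spans 64 steps, i.e.
# 32 steps either side of its centre channel.
HALF_BLOCK = 320 // 5 // 2


def block_center(channel: int, ext: str) -> Optional[int]:
    """Centre channel of the 320 MHz block that contains `channel`, or None when
    no block of the given extension covers it (e.g. 193 and above under 320MHz-1)."""
    if channel < 1 or channel % 4 != 1:
        raise ValueError(f"{channel} is not a 6 GHz 20 MHz primary channel number")
    for center in BLOCK_CENTERS[ext]:
        if center - HALF_BLOCK < channel < center + HALF_BLOCK:
            return center
    return None


def channels_in_block(center: int) -> List[int]:
    """The 16 primary 20 MHz channels that a 320 MHz block centred on `center`
    bonds together (e.g. 1..61 for centre 31, 65..125 for centre 95)."""
    return list(range(center - HALF_BLOCK + 2, center + HALF_BLOCK, 4))


def check_channel_list(channels: List[int], ext: str) -> Tuple[List[int], List[int]]:
    """Return (blocks_used, orphans): the block centres the channel list touches, in
    order of first use, and the channels that no block of `ext` can serve. An
    orphan can never operate at 320 MHz, so it is a configuration mismatch."""
    blocks_used: List[int] = []
    orphans: List[int] = []
    for ch in channels:
        center = block_center(ch, ext)
        if center is None:
            orphans.append(ch)
        elif center not in blocks_used:
            blocks_used.append(center)
    return blocks_used, orphans


# radio-3 channel list of the FAP441K-profile example in this guide (configured
# with channel-bonding-ext 320MHz-1).
FAP441K_RADIO3 = [45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101,
                  105, 109, 113, 117, 121, 125]

if __name__ == "__main__":
    for ext in BLOCK_CENTERS:
        used, orphans = check_channel_list(FAP441K_RADIO3, ext)
        print(f"{ext}: blocks {used}, orphans {orphans}")
    # Channels above 189 cannot be served at 320 MHz with 320MHz-1; with 320MHz-2
    # the upper limit is 221, so 225, 229 and 233 are orphans under both.
    print("320MHz-2:", check_channel_list([221, 225, 229, 233], "320MHz-2"))
```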

VAP

New VAP CLI options have been added.


config wireless-controller vap
    edit <name>
        set security wpa3-sae
        set akm24-only {enable | disable}
        set rates-11be-mcs-map <string>
        set rates-11be-mcs-map-160 <string>
        set rates-11be-mcs-map-320 <string>
    next
end

akm24-only              WPA3 SAE using group-dependent hash only (default = disable).
                        • disable: Disable WPA3 SAE using group-dependent hash only.
                        • enable: Enable WPA3 SAE using group-dependent hash only.
                        akm24-only is only supported for Wi-Fi 7 clients and there is no backward compatibility. If you know all the clients are Wi-Fi 7 capable, then the VAPs can be configured with akm24-only enabled.
                        Note: A WPA3-SAE SSID allows configuring either the akm24-only or the additional-akms feature.
additional-akms         Additional AKMs.
                        • akm6: Use AKM suite employing PSK_SHA256.
                        • akm24: Use AKM suite employing SAE_EXT.
                        When additional-akms is enabled in the VAP, clients are given a choice to pick the highest AKM they support. A WPA3-SAE-Transition SSID allows backward compatibility and supports clients in mixed mode, so additional-akms has the akm6 and akm24 options.
rates-11be-mcs-map      Comma-separated list of max NSS that supports EHT-MCS 0-9, 10-11, 12-13 for 20 MHz/40 MHz/80 MHz bandwidth.
rates-11be-mcs-map-160  Comma-separated list of max NSS that supports EHT-MCS 0-9, 10-11, 12-13 for 160 MHz bandwidth.
rates-11be-mcs-map-320  Comma-separated list of max NSS that supports EHT-MCS 0-9, 10-11, 12-13 for 320 MHz bandwidth.

To configure a FortiAP profile with Wi-Fi 7 - CLI:

1. Create a WPA3-SAE security VAP with akm24-only enabled.

config wireless-controller vap
    edit "sae-akm24"
        set ssid "sae-akm24"
        set security wpa3-sae
        set pmf enable
        set beacon-protection enable
        set sae-h2e-only enable
        set akm24-only enable
        set local-bridging enable
        set schedule "always"
        set sae-password ENC
    next
end

2. Create a WPA3-SAE-Transition security VAP with additional-akms enabled.

config wireless-controller vap
    edit "sae-trans-akm"
        set ssid "sae-trans-akm"
        set security wpa3-sae-transition
        set pmf optional
        set beacon-protection enable
        set additional-akms akm24
        set passphrase ENC
        set sae-h2e-only enable
        set local-bridging enable
        set schedule "always"
        set sae-password ENC
    next
end

3. Create a FortiAP profile for a FortiAP K-series model with Wi-Fi 7 enabled on the radios. This example uses a FAP441K.

config wireless-controller wtp-profile
    edit "FAP441K-profile"
        config platform
            set type 441K
            set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess ssh
        config radio-1
            set band 802.11ax-2G
            set vap-all manual
        end
        config radio-2
            set band 802.11be-5G
            set channel-bonding 40MHz
            set vap-all manual
            set vaps "sae-trans-akm"
            set channel "44" "48"
        end
        config radio-3
            set band 802.11be-6G
            set channel-bonding 320MHz
            set channel-bonding-ext 320MHz-1
            set vap-all manual
            set vaps "sae-akm24"
            set channel "45" "49" "65" "69" "73" "77" "81" "85" "89" "93" "97" "101" "105" "109" "113" "117" "121" "125"
        end
        config radio-4
            set mode monitor
        end
    next
end

4. Assign the FortiAP profile to the FortiAP device.

config wireless-controller wtp
    edit "FP441KTF23000051"
        set wtp-profile "FAP441K-profile"
    next
end


5. To verify that the configuration has been applied, run the rcfg command on the FortiAP to see the assigned radio band and channels:
FortiAP-441K # rcfg
Radio 0: AP
country : cfg=US oper=US
countryID : cfg=841 oper=841
802.11d enable : enabled
802.11mc enable : disabled
sta info : 0/0
radio type : 11AX_2.4G (pure G)
...
channel : num=0
oper_chan : 1
r_ac md_cap : 1, 6, 11,
r_ac chan list : 1, 6, 11,
chan list : 1, 6, 11,
hw_chan list : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
...
Radio 1: AP
...
channel : num=44
oper_chan : 44+48
r_ac md_cap : 44, 48,
r_ac chan list : 44, 48,
chan list : 44, 48,
hw_chan list : 36, 40, 44, 48, 149, 153, 157, 161, 165, 169, 173, 177,
...
Radio 2: AP
...
oper_chan : 45
r_ac md_cap : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105,
109, 113, 117, 121, 125,
r_ac chan list : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105,
109, 113, 117, 121, 125,
chan list : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109,
113, 117, 121, 125,
hw_chan list : 1, 5, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49,
53, 57, 61, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117,
121, 125, 129, 133, 137, 141, 145, 149, 153, 157, 161, 165, 169, 173, 177, 181, 185,
189, 193, 197, 201, 205, 209, 213, 217, 221, 225, 229, 233,
...
Radio 3: Monitor
radio type : 2.4G 5G 6G
...

6. Run the vcfg command to see the assigned SAE and SAE-Transition VAPs.
FortiAP-441K # vcfg
-------------------------------VAP Configuration 1----------------------------
Radio Id 1 WLAN Id 0 sae-trans-akm ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=0, intf=wlan10, vap=0x54902c, bssid=38:c0:ea:f1:51:70
11ax high-efficiency=enabled target-wake-time=enabled
bss-color-partial=enabled
mesh backhaul=disabled
...

80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled,
mbo=disabled, sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
...
ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
rates control configuration:
rates-11ac-mcs-map: 11,11,11,11,11,11,11,11.
rates-11ax-mcs-map: 11,11,11,11,11,11,11,11.
rates-11be-mcs-map-20 : 4,4,4,4 4444
rates-11be-mcs-map-160: 4,4,4,4 4444
rates-11be-mcs-map-320: 4,4,4,4 4444
primary wag:
secondary wag:
application detection engine: disabled
-------------------------------VAP Configuration 2----------------------------
Radio Id 2 WLAN Id 0 sae-akm24 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=0, intf=wlan20, vap=0x5498c5, bssid=38:c0:ea:f1:51:78
...
80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled,
mbo=disabled, sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
neighbor_report_dual_band(802.11kv)=disabled
...
ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
rates control configuration:
rates-11ac-mcs-map: 11,11,11,11,11,11,11,11.
rates-11ax-mcs-map: 11,11,11,11,11,11,11,11.
rates-11be-mcs-map-20 : 4,4,4,4 4444
rates-11be-mcs-map-160: 4,4,4,4 4444
rates-11be-mcs-map-320: 4,4,4,4 4444
primary wag:
secondary wag:
application detection engine: disabled
-------------------------------Total 2 VAP Configurations----------------------------

Support receiving the NAS-Filter-Rule during Wi-Fi authentication - 7.4.4

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:
• Configure NAS-Filter-Rule attribute to set up dACL

This release adds support for receiving the NAS-Filter-Rule attribute after a wireless client successfully authenticates through 802.1X authentication.
When a wireless client connects to a WPA2/WPA3 Enterprise SSID and is authenticated by a RADIUS server, the server sends attributes, including the NAS-Filter-Rule attribute, in an "Access-Accept" message to the FortiGate. The FortiGate then forwards these rules to the FortiAP associated with the wireless client. The FortiAP can set up a dynamic Access Control List (dACL) from these rules, which regulates the wireless client's access to the network.


The NAS-Filter-Rule attribute is only supported by Tunnel and Local Bridging mode SSIDs. It
is not supported on Local Standalone mode.
The NAS-Filter-Rule attribute is only supported when the security mode is set to WPA2/WPA3
Enterprise with a RADIUS server as the Authentication protocol.

The following CLI command has been added:

config wireless-controller vap
    edit <name>
        set nas-filter-rule {enable | disable}
    next
end

nas-filter-rule    Enable/disable NAS filter rule support (default = disable).

To enable NAS-Filter-Rule on a VAP - CLI:

1. Create a VAP with nas-filter-rule enabled.

config wireless-controller vap
    edit "wifi3"
        set ssid "FOS_81F"
        set security wpa2-only-enterprise
        set fast-bss-transition enable
        set auth radius
        set radius-server "peap"
        set nas-filter-rule enable
        set schedule "always"
    next
end

2. Set up an example user account in the RADIUS server with NAS-Filter-Rules configuring access control.
test3 Cleartext-Password := "123456"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Fortinet-Group-Name = "group1",
    Session-Timeout=300,
    Tunnel-Private-Group-Id = 100,
    Termination-Action=1,
    NAS-Filter-Rule = "permit in icmp from assigned to 172.16.200.44/32\000",
    NAS-Filter-Rule += "deny in tcp from assigned to 172.16.200.44/32"

3. Connect a wireless client with the authenticated example user account "test3" to the SSID and verify the NAS-Filter-Rules are sent to the FortiAP.


• From the FortiGate:

FortiWiFi-81F-2R-3G4~POE (Interim)# dia wireless-controller wlac -d sta online
vf=0 mpId=0 wtp=1 rId=2 wlan=wifi3 vlan_id=0 ip=10.30.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user=test3 group=group1 signal=-28 noise=-95 idle=15 bw=0 use=5 chan=100 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2

• From the FortiAP:

FortiAP-231F # usta
WTP daemon STA info:
1/1 f8:e4:e3:d8:5e:af 00:00:00:00:00:00 vId=0 type=wl----sta, vap=wlan12,FOS_81F(0) mpsk= ip=10.30.80.2/1 mimo=2 host=WiFi-Client-2 vci= os=Linux replycount=0000000000000002
pmksa info: size 302 ver 1 TAG-1 0,6,f8:e4:e3:d8:5e:af
nas filter rules:
permit in icmp from assigned to 172.16.200.44/32
deny in tcp from assigned to 172.16.200.44/32
Total STAs: 1
WTP daemon mhost info:
Total MHOSTs: 0

FortiAP-231F # cw_diag -c nasflt f8:e4:e3:d8:5e:af

STA f8:e4:e3:d8:5e:af IP filter rules from kernel:
=========================================================================================
##   Hit Count  Action Dir Prot Source Address  Destination Address Options
---- ---------- ------ --- ---- --------------- ------------------- -------
00   0          permit in  icmp assigned        172.16.200.44
01   0          deny   in  tcp  assigned        172.16.200.44
---- ---------- ------ --- ---- --------------- ------------------- -------
df   4          permit

4. Verify the wireless client follows the NAS-Filter-Rules.

a. The wireless client can ping the server 172.16.200.44.
root@WiFi-Client-2:/home/wpa-test# ping 172.16.200.44
PING 172.16.200.44 (172.16.200.44) 56(84) bytes of data.
64 bytes from 172.16.200.44: icmp_seq=1 ttl=63 time=57.0 ms
--- 172.16.200.44 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 57.013/57.013/57.013/0.000 ms

b. The wireless client is denied access to the server 172.16.200.44 over HTTP.
root@WiFi-Client-2:/home/wpa-test# curl http://172.16.200.44
root@WiFi-Client-2:/home/wpa-test#
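An added example, not Fortinet code, that parses NAS-Filter-Rule values in the syntax used in step 2 and evaluates sample traffic against them as an ordered per-station dACL with hit counters, reproducing the permit/deny outcomes of steps 4a and 4b; the packet representation, the StationFilter class and the default-permit fallback for unmatched traffic are assumptions made here.

```python
# Added example, not Fortinet code: parse NAS-Filter-Rule strings in the RFC 4849
# syntax the RADIUS server returns in step 2 and evaluate sample traffic against
# them as a per-station dACL, keeping hit counters like "cw_diag -c nasflt". The
# packet representation and the default-permit fallback are assumptions made here.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PROTOS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in" = from the client, "out" = towards it
    proto: Optional[int]        # IP protocol number; None matches any protocol
    src: str                    # "assigned", "any", a host or a CIDR
    dst: str
    ports: FrozenSet[int]       # destination ports, empty = any port
    hits: int = 0


def parse_rule(text: str) -> Rule:
    """Parse '<action> <dir> <proto> from <src> to <dst> [p1,p2,...]'. A trailing
    NUL, as produced by the '\\000' in the users file above, is stripped."""
    tokens = text.rstrip("\x00").split()
    if len(tokens) < 7 or tokens[3] != "from" or tokens[5] != "to":
        raise ValueError(f"malformed NAS-Filter-Rule: {text!r}")
    action, direction, proto = tokens[0], tokens[1], tokens[2]
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"bad action or direction in {text!r}")
    proto_num = PROTOS[proto] if proto in PROTOS else int(proto)
    for spec in (tokens[4], tokens[6]):            # fail closed on a bad address
        if spec not in ("any", "assigned"):
            ipaddress.ip_network(spec, strict=False)
    ports = frozenset(int(p) for p in tokens[7].split(",")) if len(tokens) > 7 else frozenset()
    return Rule(action, direction, proto_num, tokens[4], tokens[6], ports)


def addr_match(spec: str, addr: str, assigned_ip: str) -> bool:
    """'assigned' is the IP the station was given; 'any' matches everything."""
    if spec == "any":
        return True
    if spec == "assigned":
        return addr == assigned_ip
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class StationFilter:
    """Ordered dACL for one station: first matching rule wins, unmatched traffic
    gets the default action (shown as the 'df' row by cw_diag -c nasflt)."""

    def __init__(self, assigned_ip: str, rules: List[str], default: str = "permit"):
        self.assigned_ip = assigned_ip
        self.rules = [parse_rule(r) for r in rules]
        self.default = default
        self.default_hits = 0

    def evaluate(self, direction: str, proto: int, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.proto is not None and rule.proto != proto:
                continue
            if not addr_match(rule.src, src, self.assigned_ip):
                continue
            if not addr_match(rule.dst, dst, self.assigned_ip):
                continue
            if rule.ports and dport not in rule.ports:
                continue
            rule.hits += 1
            return rule.action
        self.default_hits += 1
        return self.default

    def table(self) -> List[str]:
        """Rows in the spirit of the 'cw_diag -c nasflt' output."""
        rows = []
        for i, r in enumerate(self.rules):
            proto = "ip" if r.proto is None else str(r.proto)
            rows.append(f"{i:02d} {r.hits:4d} {r.action:6} {r.direction:3} {proto:4} {r.src:15} {r.dst}")
        rows.append(f"df {self.default_hits:4d} {self.default}")
        return rows


# The two rules the RADIUS server returns for user test3 in step 2 (the "\000"
# NUL terminator included on the first one, as in the users file).
TEST3_RULES = [
    "permit in icmp from assigned to 172.16.200.44/32\000",
    "deny in tcp from assigned to 172.16.200.44/32",
]

if __name__ == "__main__":
    sta = StationFilter("10.30.80.2", TEST3_RULES)     # IP from the usta output
    print(sta.evaluate("in", 1, "10.30.80.2", "172.16.200.44"))        # permit (step 4a)
    print(sta.evaluate("in", 6, "10.30.80.2", "172.16.200.44", 80))    # deny (step 4b)
    print(sta.evaluate("in", 6, "10.30.80.2", "172.16.200.1", 443))    # permit by default
    print("\n".join(sta.table()))
```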

Support MACsec on FortiAP G-series - 7.4.4

Media Access Control Security (MACsec) is a network protocol that provides authenticity and integrity for the entire
Ethernet frame as well as encryption of the Layer 2 data payload. Enabling MACsec on a FortiAP improves
communication security of Layer 2 frames passing through wired networks.


Since MACsec is an extension to 802.1X, which provides secure key exchange and mutual authentication for MACsec
nodes, FortiAPs must first be configured to pass 802.1X authentication as a supplicant. MACsec can be enabled from
the FortiGate or locally on a FortiAP.

• MACsec is only supported on FortiAP G-series models.
• Only the MACsec dynamic-CAK model is supported; PSK mode is not supported.
• Due to technical limitations, FortiAP G-series models only support the MACsec policy Confidentiality Offset value of 0 (default for most implementations) or 30. They do not support 50.

Enabling MACsec on FortiAP

In deployments where all FortiAPs are managed by a FortiGate, you can configure 802.1x and MACsec on the FortiAP
profile and the configurations will be pushed to assigned FortiAPs. Then, depending on the switch used in your
deployment, configure and apply 802.1x and MACsec on the switch ports to which the FortiAPs connect. The FortiAPs
continue to communicate with their managing FortiGate and function as usual.
In deployments where you need to connect a new FortiAP to your network before it is managed by FortiGate, you can
pre-configure the FortiAP profiles while also configuring MACsec locally on the FortiAP device. Then, ensure that the
switch ports to which the FortiAPs will connect have 802.1x and MACsec configured before connecting the FortiAPs.

If MACsec is enabled on a FortiAP, but the switch port that the FortiAP connects to does not
have 802.1x and MACsec enabled, then authentication will fail and the FortiAP will lose
network connection.

To enable MACsec from a FortiAP profile - CLI:

config wireless-controller wtp-profile
    edit <name>
        set wan-port-auth 802.1x
        set wan-port-auth-usrname "tester"
        set wan-port-auth-password ENC *
        set wan-port-auth-methods EAP-PEAP
        set wan-port-auth-macsec enable
    next
end

To enable MACsec locally from a FortiAP - CLI:

FortiAP-233G # cfg -a WAN_1X_ENABLE:=1
cfg -a WAN_1X_USERID:=tester
cfg -a WAN_1X_PASSWD:=*
cfg -a WAN_1X_METHOD:=3
cfg -a WAN_1X_MACSEC_POLICY:=1

To verify a FortiAP successfully passes MACsec authentication:

FP233G # cw_diag -c wan1x macsec
participant_idx=0
ckn=972149b46b1ff31c11d3c1d864b0bad9
mi=94a9763a40b2905ba3ec2be9
mn=78974
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
TX SCI : 74:78:a6:98:dc:28@1
RX SCI : 70:35:09:21:cb:84@2
Cipher : GCM-AES-256
Tx Next PN: 298329
Distributed SAK Received : 1
Distributed_an : 0
AN : 0
tx : InUse
rx : InUse
Confidentiality_offset : 30
replay_protect : 0
replay_window : 0

To verify a FortiAP is registered in FortiGate with 802.1X and MACsec authentication:

FortiGate-301E (vdom1) # diagnose wireless-controller wlac -c wtp
WTP vd : vdom1, 3-FP233GTF23000132 MP00
uuid : 0d96e930-1aaf-51ef-0a3a-315f022a18d7
mgmt_vlanid : 0
region code : E invalid
refcnt : 3 own(1) wtpprof(1) ws(1) deleted(no)
apcfg status : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
apcfg cmd details:
plain_ctl : disabled
image-dl(wtp,rst): yes,no
admin : enable
wtp-profile : cfg(233G) override(disabled) oper(233G)
...
SNMP : disabled
WAN port authentication: 802.1X
WAN port 802.1x EAP method: EAP-PEAP
WAN port 802.1x Macsec: enabled

Improve packet detection on the FortiAP sniffer - 7.4.5

This release enhances the FortiAP sniffer with improved packet detection capabilities. When the FortiAP is set to sniffer
mode, it can capture all frame types, including data frames, across specified channel bandwidths ranging from 320 MHz
to 20 MHz.
For more information about this feature, see Improve packet detection on the FortiAP sniffer.


Support RADIUS MAC Authentication for MPSK on WPA3 SAE SSID - 7.4.5

This release adds support for RADIUS MAC authentication over WPA3 SAE SSIDs with an MPSK profile. This enables wireless clients connecting to a WPA3 SAE SSID with an MPSK profile to authenticate against a RADIUS server using RADIUS MAC authentication. Wireless clients can connect using the passphrase from the Tunnel-Password attribute, which is provided in the RADIUS Access-Accept packet. The first time a client connects to the SSID, the tunnel password is cached in the RADIUS server as an MPSK SAE password. In subsequent connections, the cached password is retrieved, streamlining the authentication process.

Example Topology

To configure a WPA3 SAE SSID to use combined MAC and MPSK authentication - CLI:

1. Configure the RADIUS server.

config user radius
    edit "peap"
        set server "172.16.200.55"
        set secret **********
    next
end

2. Configure the MPSK profile.

config wireless-controller mpsk-profile
    edit "test"
        set ssid "FOS_81F_3G_wpa3"
        set mpsk-type wpa3-sae
        config mpsk-group
            edit "g1"
                config mpsk-key
                    edit "k1"
                        set key-type wpa3-sae
                        set mac 01:02:03:04:05:06
                        set sae-password **********
                    next
                end
            next
        end
    next
end


3. Create a WPA3 SAE SSID with an MPSK profile applied, then enable radius-mac-auth and radius-mac-mpsk-auth.

config wireless-controller vap
    edit "test"
        set ssid "FOS_81F_3G_wpa3"
        set security wpa3-sae
        set pmf enable
        set radius-mac-auth enable
        set radius-mac-auth-server "peap"
        set radius-mac-mpsk-auth enable
        set schedule "always"
        set mpsk-profile "test"
        set dynamic-vlan enable
        set quarantine disable
        set sae-password ENC
    next
end

4. In the RADIUS server you configured, set the Tunnel-Password attribute for the "F8-E4-E3-D8-5E-AF" account,
which is the username of the wireless client (MAC: f8:e4:e3:d8:5e:af) verified by RADIUS MAC authentication. In
this example, the Tunnel-Password is set to 111111111111.
F8-E4-E3-D8-5E-AF Cleartext-Password := "F8-E4-E3-D8-5E-AF"
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-Id = 100,
    Tunnel-Password = "111111111111",
    Fortinet-Group-Name = group_mac

5. Confirm that the wireless client (MAC: f8:e4:e3:d8:5e:af) can connect to the SSID using the passphrase you
configured in the Tunnel-Password attribute.
FortiWiFi-81F-2R-3G4~POE (Interim)# dia wireless-controller wlac -d sta online
vf=0 mpId=0 wtp=3 rId=2 wlan=test vlan_id=100 ip=0.0.0.0 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host= user=F8-E4-E3-D8-5E-AF group=group_mac signal=-45 noise=-95 idle=0 bw=0 use=3 chan=60 radio_type=11AX_5G security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=

Add BLE integration and support for Evresys RTLS solution - 7.4.5

This release expands the FortiOS WiFi controller's BLE-based Real-Time Location Service (RTLS) to support the
Evresys platform. Support for BLE-RTLS was initially limited to just the Pole Star platform (see Integration with Pole
Star's NAO Cloud service for BLE asset tag tracking 7.4.1 on page 606). The FortiOS CLI syntax has been redesigned
so you can select between different BLE-RTLS services.


CLI changes

Pole Star configurations you previously made are automatically converted to the new syntax
when you upgrade to FOS 7.4.5.

config wireless-controller wtp-profile
    edit <FAP-profile>
        config lbs
            set ble-rtls {none | polestar | evresys}
            set ble-rtls-protocol {option}
            set ble-rtls-server-fqdn {string}
            set ble-rtls-server-path {string}
            set ble-rtls-server-token {string}
            set ble-rtls-server-port {integer}
            set ble-rtls-accumulation-interval {integer}
            set ble-rtls-reporting-interval {integer}
            set ble-rtls-asset-uuid-list1 {string}
            set ble-rtls-asset-uuid-list2 {string}
            set ble-rtls-asset-uuid-list3 {string}
            set ble-rtls-asset-uuid-list4 {string}
            set ble-rtls-asset-addrgrp-list {string}
        end
    next
end

BLE-RTLS settings can be configured under location-based services (LBS) in the wtp-profile. The following new settings are available under config lbs:

ble-rtls                        Set BLE Real Time Location Service (RTLS) support (default = none).
                                • none
                                • polestar
                                • evresys
ble-rtls-protocol               Select the protocol used to report Measurements, Advertising Data, or Location Data to the cloud server (default = WSS).
ble-rtls-server-fqdn            FQDN of the BLE RTLS server.
ble-rtls-server-path            Path on the BLE RTLS server.
ble-rtls-server-token           Access token for the BLE RTLS server.
ble-rtls-server-port            Port of the BLE RTLS server (default = 443).
ble-rtls-accumulation-interval  Time that measurements should be accumulated, in seconds (default = 2).
ble-rtls-reporting-interval     Time between reports of accumulated measurements, in seconds (default = 2).
ble-rtls-asset-uuid-list1       Tags and asset UUID list 1 to be reported (string in the format 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX').
ble-rtls-asset-uuid-list2       Tags and asset UUID list 2 to be reported (same format).
ble-rtls-asset-uuid-list3       Tags and asset UUID list 3 to be reported (same format).
ble-rtls-asset-uuid-list4       Tags and asset UUID list 4 to be reported (same format).
ble-rtls-asset-addrgrp-list     Tags and asset addrgrp list to be reported.

To configure Evresys BLE-RTLS - CLI:

The following example shows how to apply a BLE profile to a FortiAP profile and configure Evresys location-based services.

config wireless-controller wtp-profile
    edit "Evresys"
        config platform
            set type 433F
            set ddscan enable
        end
        set ble-profile "testbleprofile"
        set handoff-sta-thresh 55
        config radio-1
            set mode disabled
        end
        config radio-2
            set band 802.11a 802.11n-5G 802.11ac-5G 802.11ax-5G
            set vap-all manual
            set vaps "wifi.fap.01" "wifi.fap.02" "wifi.fap.br1"
            set channel "40"
        end
        config radio-3
            set mode monitor
        end
        config lbs
            set ble-rtls evresys
            set ble-rtls-server-fqdn "stg-example.evresys.com"
            set ble-rtls-server-path "/"
            set ble-rtls-server-token "qmgithsktugh8plemchaqw"
            set ble-rtls-accumulation-interval 1
            set ble-rtls-reporting-interval 1
            set ble-rtls-asset-uuid-list1 "b0000a00-0ad1-000b-b00a-0000e00c0000"
            set ble-rtls-asset-addrgrp-list "evresys-test"
        end
    next
end


To verify BLE-RTLS configurations in the FortiGate:

FortiGate-301E (vdom1) (Interim)# diagnose wireless-controller wlac -c wtpprof
WTPPROF (002/002) vdom,name: vdom1, Evresys
platform : FAP433F.
lbs ble-rtls : Evresys, stg-example.evresys.com:443 WSS /,qmgithsktugh8plemchaqw 1 1 evresys-test
ble-rtls uuid 1 : b0000a00-0ad1-000b-b00a-0000e00c0000
: b0000a00-0ad1-000b-b00a-0000e00c0000 - ffffffff-ffff-ffff-ffff-ffffffffffff
ble-rtls uuid 2 :
: 00000000-0000-0000-0000-000000000000 - 00000000-0000-0000-0000-000000000000
ble-rtls uuid 3 :
: 00000000-0000-0000-0000-000000000000 - 00000000-0000-0000-0000-000000000000
ble-rtls uuid 4 :
: 00000000-0000-0000-0000-000000000000 - 00000000-0000-0000-0000-000000000000

To verify that the FortiAP can receive the BLE-RTLS configuration from the FortiGate:

FortiAP-433F# cw_diag -c ble-rtls
BLE RTLS Config:
ble_rtls_type = Evresys
ble_rtls_proto = WSS
ble_rtls_server_fqdn = stg-example.evresys.com
ble_rtls_server_path = /
ble_rtls_server_token = qmgithsktugh8plemchaqw
ble_rtls_server_port = 443
ble_rtls_acc_intv = 1
ble_rtls_rpt_intv = 1
ble_rtls_addrgrp_uuid_policy = allow
B001 b0000a00-0ad1-000b-b00a-0000e00c0000 - ffffffff-ffff-ffff-ffff-ffffffffffff
ble_rtls_addrgrp_policy = allow
S002 00:a0:50:ef:57:06
ble_rtls_ble_dev_max_rpt = 128
ble_rtls_ble_dev_max_batch = 64

Support uploading a captive portal's certificate authority to the FortiAP - 7.4.5

The FortiGate WiFi Controller now supports uploading a captive portal server's certificate to the FortiAP. This allows the
FortiAP to use the same server certificate to secure the HTTPS POST actions. With the corresponding certificate
authority (CA) imported on users' devices, authentication is smoother and free of security warnings.

CLI Changes

The following settings can be configured when the VAP is set to bridge mode with captive portal enabled:


config wireless-controller vap
    edit <name>
        set auth-cert {string}
        set auth-portal-addr {string}
    next
end

auth-cert           Set the uploaded external portal server's certificate.
auth-portal-addr    Set the subsequent POST link in the external portal page.

Example topology

Example configuration

1. Verify the server certificate requirements.
a. The captive portal page is deployed on an external (or 3rd-party) HTTPS web server with a valid certificate that is signed by a valid CA (either public or self-signed).
b. The server certificate must include a Subject Alternative Name (SAN) field containing either a wildcard hostname or specific hostnames within the same domain, so that both the web server itself and the FortiAP POST process can be validated. For example:
• A certificate with a wildcard hostname.
• A certificate with two specific hostnames in the same domain.

c. The user's devices (or web browsers) should have imported the CA certificate (that has signed the web server’s
certificate).
In this example, a self-signed certificate has been uploaded onto the FortiGate:
FortiWiFi-80F-2R (Interim)# get vpn certificate local details portal_server
== [ portal_server ]
Name: portal_server
Subject: C = CA, ST = BC, L = Burnaby, O = Example, CN = *.fortinet.com
Issuer: C = CA, ST = BC, L = Burnaby, O = Fortinet_Example, OU = Release_Example, CN = fortinet.com, emailAddress = [email protected]
Valid from: 2024-08-20 17:21:23 GMT
Valid to: 2026-08-20 17:21:23 GMT
Fingerprint: 35:03:FE:67:65:1A:EC:7F:3E:D9:7A:BD:3A:6F:C2:95:FA:64:C1:C7:27:97:B0:31:DA:47:67:F7:72:0E:C8:52
Serial Num: b1:58:61:68:71:c2:ab:ee

2. Under user setting, enable auth-secure-http to enforce accessing the portal page via HTTPS.


config user setting
    set auth-secure-http enable
end

3. Create a local bridge captive portal VAP, set the uploaded authentication certificate, and configure the authentication portal address:

config wireless-controller vap
    edit "cap-br"
        set ssid "FOS_80F_cap_br_fqdn"
        set external-web "https://cpauth.fortinet.com/portal/index.php"
        set passphrase ENC
        set radius-server "peap"
        set local-bridging enable
        set captive-portal enable
        set portal-type external-auth
        set security-redirect-url "www.fortinet.com"
        set auth-cert "portal_server"
        set auth-portal-addr "cppost.fortinet.com"
        set schedule "always"
    next
end

Note: The addresses you configured for external-web and auth-portal-addr should be added in the SAN field of the uploaded certificate portal_server (see the example certificates in step 1b).
4. After the wireless client connects to the SSID, it can access the portal page without certificate verification issues.
5. Confirm the connection is secure when accessing the portal page.

6. Confirm the wireless client can pass authentication with the correct user credential.
FortiWiFi-80F-2R (Interim)# dia wireless-controller wlac -d sta online
vf=0 mpId=6 wtp=7 rId=2 wlan=cap-br vlan_id=0 ip=10.0.1.16 ip6=2001:192:168:10::1001
mac=54:27:1e:b7:4a:95 vci=MSFT 5.0 host=DESKTOP-05HBKE1 user=tester group=peap signal=-
60 noise=-95 idle=11 bw=166 use=6 chan=149 radio_type=11AC_5G security=wpa2_only_
personal+captive mpsk= encrypt=aes cp_authed=yes l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 --
0.0.0.0:0 0,0 online=yes mimo=1
ip6=fe80::dc46:a41f:5546:f07f,59, *2001:192:168:10::1001,30,
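An added example, not from the guide, that checks the two hostnames a captive-portal VAP depends on (external-web and auth-portal-addr, taken from the cap-br example above) against a certificate's SAN entries before the certificate is uploaded; the SAN lists are constructed, and san_matches implements the usual wildcard rule of a single '*' covering only the whole leftmost label.

```python
# Added example, not part of the FortiOS guide: check that the hosts the VAP uses
# for external-web and auth-portal-addr are covered by the SAN entries of the
# uploaded portal certificate, applying the usual wildcard rule (a single '*' as
# the whole leftmost label). The SAN lists are constructed; the hostnames are the
# ones from the cap-br example in step 3.
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def host_of(value: str) -> str:
    """external-web holds a URL, auth-portal-addr a bare host name (optionally
    with a port or path); return just the lower-cased host part."""
    if "://" in value:
        host = urlsplit(value).hostname
        if host is None:
            raise ValueError(f"no host in {value!r}")
        return host.lower()
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def san_matches(pattern: str, host: str) -> bool:
    """DNS-ID matching: exact match, or a wildcard that replaces only the whole
    leftmost label ('*.fortinet.com' covers 'cpauth.fortinet.com' but not
    'a.b.fortinet.com' or 'fortinet.com'; 'cp*.fortinet.com' and '*.com' are
    rejected)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_portal_vap(vap: Dict[str, str], san_entries: List[str]) -> Dict[str, Optional[str]]:
    """For each of the two portal hosts, the SAN entry that covers it, or None.
    A None means the client (external-web) or the FortiAP POST (auth-portal-addr)
    will hit a certificate warning or a failed TLS verification."""
    result: Dict[str, Optional[str]] = {}
    for key in ("external-web", "auth-portal-addr"):
        host = host_of(vap[key])
        result[host] = next((san for san in san_entries if san_matches(san, host)), None)
    return result


CAP_BR_VAP = {
    "external-web": "https://cpauth.fortinet.com/portal/index.php",
    "auth-portal-addr": "cppost.fortinet.com",
}
# Constructed SAN contents for the certificate shapes discussed in step 1b.
SAN_WILDCARD = ["*.fortinet.com"]
SAN_TWO_HOSTS = ["cpauth.fortinet.com", "cppost.fortinet.com"]
SAN_INCOMPLETE = ["cpauth.fortinet.com"]          # the POST hostname was forgotten

if __name__ == "__main__":
    for name, san in (("wildcard", SAN_WILDCARD), ("two hosts", SAN_TWO_HOSTS),
                      ("incomplete", SAN_INCOMPLETE)):
        print(name, check_portal_vap(CAP_BR_VAP, san))
```

A None for the auth-portal-addr host means the FortiAP POST, not the client's browser, is the side that fails verification, which is easy to miss when only the portal URL is tested in a browser.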

Switch controller

This section includes information about switch-controller-related new features:

• Specify FortiSwitch names to use in switch-controller CLI commands on page 669
• Support user-configurable ACL on page 670
• Support configuring DHCP-snooping option-82 settings on page 674
• Display DHCP-snooping option-82 data on page 676
• Support automatically allowing and blocking intra-VLAN traffic based on FortiLink connectivity 7.4.1 on page 676
• Support the FortiOS one-arm sniffer on a mirrored VLAN interface 7.4.1 on page 677
• Support new commands for Precision Time Protocol configuration 7.4.1 on page 681
• Support inter-VLAN routing by managed FortiSwitch units 7.4.1 on page 683
• Support security rating recommendations for tier-2 and tier-3 MCLAGs 7.4.1 on page 686
• Support for the authentication and encryption of fabric links 7.4.1 on page 690
• Synchronize the FortiOS interface description with the FortiSwitch VLAN description 7.4.1 on page 694
• Support FortiSwitch management using HTTPS 7.4.2 on page 695
• Set the priority for dynamic or egress VLAN assignment 7.4.2 on page 698
• Specify how RADIUS request attributes are formatted 7.4.2 on page 699
• Dynamically assign the NAS-IP-Address attribute 7.4.2 on page 700
• Support LACP fallback mode 7.4.4 on page 701
• Support dynamic access control lists for managed switches 7.4.4 on page 702
• Use FortiSwitch event log IDs as triggers for automation stitches 7.4.4 on page 706
• Enhanced device-matching logic based on policy priority 7.4.4 on page 712
• Specify a tagged VLAN for when the authentication server is unavailable 7.4.4 on page 713

Specify FortiSwitch names to use in switch-controller CLI commands

You can now use names for managed FortiSwitch units in switch-controller CLI commands. The user-defined name is also used in the FortiOS GUI and logs. The FortiSwitch unit's serial number is saved in a new read-only field.
Follow these rules for defining a managed FortiSwitch name:
• The name can be a maximum of 16 characters in length.
• Use numbers (0-9), letters (a-z and A-Z), dashes, and underscores for the managed FortiSwitch name.
When you upgrade from FortiOS 7.4.0, the FortiSwitch unit's serial number is used as the managed FortiSwitch name if a managed FortiSwitch name has not been defined. If you downgrade from FortiOS 7.4.0 to FortiOS 6.4.x, the managed FortiSwitch name is changed to the FortiSwitch unit's serial number.

Using the GUI

1. Go to WiFi & Switch Controller > Managed FortiSwitches.
2. Select an unauthorized FortiSwitch unit and then click Edit.
3. In the Name field, enter a name for the managed FortiSwitch unit.
4. Click OK to save the new name.

Using the CLI

config switch-controller managed-switch
rename <FortiSwitch_serial_number> to <managed_FortiSwitch_name>
end

For example:
config switch-controller managed-switch
rename S524DN4K16000116 to Distribution
end

Other CLI changes

When you pre-configure a managed switch, you must use the new set sn command under config switch-controller managed-switch to store the FortiSwitch serial number. For example:
config switch-controller managed-switch
edit switch1
set sn S524DNTV21000212
set fsw-wan1-peer fortilink
set fsw-wan1-admin enable
next
end

The execute switch-controller get-sync-status switch-id <managed_FortiSwitch_name> command uses the user-defined switch name, and the execute switch-controller get-sync-status serial <FortiSwitch_serial_number> command uses the FortiSwitch serial number. For example:
l execute switch-controller get-sync-status serial S524DN4K16000116
l execute switch-controller get-sync-status switch-id Racktray-127

There is a new set isl-peer-device-sn command under config switch-controller managed-switch to store the serial number of the ISL peer device. For example:
config switch-controller managed-switch
edit Distribution
config ports
edit port2
set isl-local-trunk-name isltrunk1
set isl-peer-port-name port23
set isl-peer-device-name islpeerswitch
set isl-peer-device-sn S124EN5918003682
next
end
next
end

The following switch-controller CLI commands now use the user-defined FortiSwitch name:
l diagnose switch-controller trigger config-sync <managed_FortiSwitch_name>
l execute switch-controller get-conn-status
l execute switch-controller get-physical-conn standard <port_name>
l execute switch-controller get-sync-status all
l execute switch-controller get-upgrade-status

Support user-configurable ACL

You can now use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming
traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.

A user-configurable ACL might conflict with or be overridden by an ACL implemented by other managed FortiSwitch features. If a user-configurable ACL and an internal ACL do not conflict, the resulting behavior depends on the FortiSwitch model. Fortinet recommends validating user-configurable ACLs to make certain that they operate correctly with other enabled features.

To use an ACL:

1. Create an ACL ingress policy.
2. Create an ACL group and add the ingress policy to it.
3. Apply the ACL group to a managed switch port.
4. View the counters on page 673.

Create an ACL ingress policy

The ACL ingress policy includes the following key attributes:
l Interface—The port on which traffic arrives at the switch. The policy applies to ingress traffic only (not egress traffic).
l Classifier—The classifier identifies the packets that the policy will act on. Each packet can be classified based on
one or more criteria. The supported criteria are source and destination MAC address, VLAN identifier, and source
and destination IP address.
l Actions—If a packet matches the classifier criteria for a given ACL, the following types of action can be applied to
the packet:
l Allow or block the packet
l Count the number of ingress packets
The switch uses specialized TCAM memory to perform ACL matching.

The order of the classifiers provided during group creation (or during an ACL update in a group
when new classifiers are added) matters. Hardware resources are allocated as best fit at the
time of creation, which can cause some fragmentation and segmentation of hardware
resources because not all classifiers are available at all times. Because the availability of
classifiers is order dependent, some allocations succeed or fail at different times.

To create an ACL ingress policy in the CLI:

config switch-controller acl ingress
edit <policy_identifier>
config action
set count {enable | disable}
set drop {enable | disable}
end
config classifier
set dst-ip-prefix <IPv4_address> <netmask>
set dst-mac <destination_MAC_address>
set src-ip-prefix <IPv4_address> <netmask>
set src-mac <source_MAC_address>
set vlan <1-4094>
end
next
end

Create an ACL group

An ACL group contains one or more ACLs.

The ACL ingress policies are assigned to ACL group 3 in the managed FortiSwitch unit. If the
managed FortiSwitch unit does not support ACL group 3, the user-configurable ACL is not
supported.

To create an ACL group in the CLI:

config switch-controller acl group
edit "<ACL_group_name>"
set ingress <policy_identifier1> <policy_identifier2> ...
next
end

For example:
config switch-controller acl group
edit "ACLgroup1"
set ingress 2 3 4
next
end

Apply the ACL group to a managed switch port

You can apply one or more ACL groups to a managed switch port.

To apply an ACL group to a managed switch port in the CLI:

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <managed_switch_port_name>
set acl-group "<ACL_group_name1> <ACL_group_name2> ..."
next
end
next
end

For example:
config switch-controller managed-switch
edit FS1D243Z14000016
config ports
edit port10
set acl-group "ACLgroup1 ACLgroup2 ACLgroup3"
next
end
next
end

View the counters

On the 4xxE, 1xxE, and 1xxF platforms, the ACL byte counters are not available (they will
always show as 0 on the CLI). The packet counters are available.

You can use the CLI to view the counters associated with the ingress policies.

To view the counters in the CLI:

diagnose switch-controller switch-info acl-counters <FortiSwitch_serial_number>

For example:
diagnose switch-controller switch-info acl-counters FS1D243Z14000016

Configuration example

In the following example, the ingress ACL policy prevents a PC connected to S248EPTF18001384 (which is managed
by a FortiGate device) from accessing 8.8.8.8 255.255.255.255.

config switch-controller acl ingress
edit 1
config action
set drop enable
end
config classifier
set dst-ip-prefix 8.8.8.8 255.255.255.255
set src-mac 00:0c:29:d4:4f:3c
end
next
end

config switch-controller acl group
edit "group1"
set ingress 1
next
end

config switch-controller managed-switch
edit "S248EPTF18001384"
config ports
edit "port6"
set acl-group "group1"
next
end
next
end
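The following is an added example, not FortiOS or FortiSwitch code: a model of the ingress ACL semantics described above (classifier fields, drop and count actions, per-policy counters) that lets you check a policy set against sample packets before pushing it to a switch. It assumes that a packet matched by any policy with drop enabled is dropped and that a count policy counts every packet it matches; TCAM ordering and resource allocation are not modelled.

```python
"""Model of the ingress ACL semantics: classifier matching, drop/count actions
and the counters that "acl-counters" reports. Added example, not Fortinet code.
Assumption: any matching policy with drop enabled drops the packet; count
policies count every packet they match. TCAM allocation is not modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Classifier:
    # A field left as None matches every packet, like an unset CLI option.
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    vlan: Optional[int] = None
    src_ip_prefix: Optional[IPv4Network] = None
    dst_ip_prefix: Optional[IPv4Network] = None

    def matches(self, pkt: dict) -> bool:
        if self.src_mac and self.src_mac.lower() != pkt["src_mac"].lower():
            return False
        if self.dst_mac and self.dst_mac.lower() != pkt["dst_mac"].lower():
            return False
        if self.vlan is not None and self.vlan != pkt["vlan"]:
            return False
        if self.src_ip_prefix and IPv4Address(pkt["src_ip"]) not in self.src_ip_prefix:
            return False
        if self.dst_ip_prefix and IPv4Address(pkt["dst_ip"]) not in self.dst_ip_prefix:
            return False
        return True


@dataclass
class IngressPolicy:
    policy_id: int
    classifier: Classifier
    drop: bool = False
    count: bool = False
    packets: int = 0   # what "acl-counters" reports
    bytes_: int = 0    # always 0 on the 4xxE/1xxE/1xxF platforms per the guide


def prefix(ip: str, netmask: str) -> IPv4Network:
    """Build a network from the 'set *-ip-prefix <IPv4_address> <netmask>' form."""
    return IPv4Network(f"{ip}/{netmask}", strict=False)


def evaluate(policies: List[IngressPolicy], pkt: dict) -> str:
    """Return 'drop' or 'allow' for one ingress packet, updating counters."""
    verdict = "allow"
    for pol in policies:
        if not pol.classifier.matches(pkt):
            continue
        if pol.count:
            pol.packets += 1
            pol.bytes_ += int(pkt.get("length", 0))
        if pol.drop:
            verdict = "drop"
    return verdict


def example_policies() -> List[IngressPolicy]:
    """Policy 1 is the guide's configuration example; policy 2 is a constructed
    count-only policy for VLAN 10 traffic towards 10.0.0.0/8."""
    return [
        IngressPolicy(1, Classifier(src_mac="00:0c:29:d4:4f:3c",
                                    dst_ip_prefix=prefix("8.8.8.8", "255.255.255.255")),
                      drop=True),
        IngressPolicy(2, Classifier(vlan=10, dst_ip_prefix=prefix("10.0.0.0", "255.0.0.0")),
                      count=True),
    ]
```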

Support configuring DHCP-snooping option-82 settings

This feature requires FortiSwitchOS 7.2.2 or later.

You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional
security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.
You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or
select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).
The following is the fixed format for the option-82 Circuit ID field:
hostname-[<vlan:16><mod:8><port:8>].32bit

The following is the fixed format for the option-82 Remote ID field:
[mac(0..6)].48bit

If you want to select which values appear in the Circuit ID and Remote ID fields:
l For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
l For the Remote ID field, you can include the MAC address, host name, and IP address.
You can specify whether the DHCP-snooping client only broadcasts packets on trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or broadcasts packets on all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).
You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model.

Before configuring the learning limit, check the range for your switch model by typing set
dhcp-snoop-db-per-port-learn-limit ?.

You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.
If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.
NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.
Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings
can be a maximum of 256 characters long.
NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.

To configure the option-82 data on a global level:

config switch-controller global
set dhcp-option82-format {ascii | legacy}
set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}
set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}
set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
set dhcp-snoop-client-db-exp <300-259200>
set dhcp-snoop-db-per-port-learn-limit <integer>
end

To override the option-82 global settings for a specific VLAN on a port:

config switch-controller managed-switch
edit "<FortiSwitch_serial_number>"
config ports
edit "<port_name>"
config dhcp-snoop-option82-override
edit <VLAN_name>
set remote-id <string>
set circuit-id <string>
next
end
next
end
next
end

For example:
config switch-controller managed-switch
edit "S524DF4K15000024"
config ports
edit "port10"
config dhcp-snoop-option82-override
edit vlan15
set remote-id "remote-id test"
set circuit-id "circuit-id test"
next
end
next
end
next
end
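The following is an added example, not Fortinet code: an encoder and decoder for the DHCP option-82 (Relay Agent Information, RFC 3046) Circuit ID and Remote ID sub-options in the fixed legacy layout quoted above, with the ASCII and hexadecimal views that the option82-mapping diagnose command offers. Because the guide gives only the notation, the byte layout is an assumption: Circuit ID is "<hostname>-" followed by one 32-bit big-endian word packed as <vlan:16><mod:8><port:8>, and Remote ID is the six bytes of the switch MAC address.

```python
"""DHCP option 82 sub-option codec for the legacy Circuit ID / Remote ID format.
Added example, not Fortinet code. Assumed layout (the guide gives notation only):
  Circuit ID = "<hostname>-" + 32-bit big-endian word <vlan:16><mod:8><port:8>
  Remote ID  = the 6 bytes of the switch MAC address"""
import struct
from typing import Dict

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
MAX_OVERRIDE_CHARS = 256   # per-string and combined limit for override strings (guide)


def encode_legacy_circuit_id(hostname: str, vlan: int, mod: int, port: int) -> bytes:
    if not (1 <= vlan <= 4094 and 0 <= mod <= 255 and 0 <= port <= 255):
        raise ValueError("field out of range")
    return hostname.encode("ascii") + b"-" + struct.pack("!HBB", vlan, mod, port)


def decode_legacy_circuit_id(cid: bytes) -> Dict[str, object]:
    # The hostname may itself contain '-', so split on the fixed 5-byte tail.
    if len(cid) < 5 or cid[-5:-4] != b"-":
        raise ValueError("not a legacy circuit ID")
    vlan, mod, port = struct.unpack("!HBB", cid[-4:])
    return {"hostname": cid[:-5].decode("ascii"), "vlan": vlan, "mod": mod, "port": port}


def encode_legacy_remote_id(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Wrap both sub-options in the option 82 TLV (code, length, value)."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:   # a DHCP option length field is a single byte
        raise ValueError("option 82 payload too long")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(opt: bytes) -> Dict[int, bytes]:
    """Return {sub-option code: value}; rejects truncated or mis-sized TLVs."""
    if len(opt) < 2 or opt[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not option 82")
    body = opt[2:2 + opt[1]]
    if len(body) != opt[1]:
        raise ValueError("truncated option")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, slen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + slen
    return subs


def render(value: bytes, fmt: str = "ascii") -> str:
    """Show a value the way 'option82-mapping snooping ascii|hex' would."""
    if fmt == "hex":
        return value.hex(":")
    return value.decode("ascii", errors="replace")


def override_is_valid(circuit_id: str, remote_id: str) -> bool:
    """Per-VLAN override strings: each at most 256 characters, combined at most 256."""
    return (len(circuit_id) <= MAX_OVERRIDE_CHARS and len(remote_id) <= MAX_OVERRIDE_CHARS
            and len(circuit_id) + len(remote_id) <= MAX_OVERRIDE_CHARS)
```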


Display DHCP-snooping option-82 data

This feature requires FortiSwitchOS 7.2.2 or later. The managed FortiSwitch units must be
configured with DHCP-snooping option-82 settings.

You can use the diagnose switch-controller switch-info option82-mapping snooping command to
display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial
number of the managed switch unit and VLAN identifier. Specifying the port name is optional.

To display option-82 Circuit ID and Remote ID values in ASCII format:

diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:
diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

To display option-82 Circuit ID and Remote ID values in hexadecimal format:

diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:
diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

Support automatically allowing and blocking intra-VLAN traffic based on FortiLink connectivity - 7.4.1

You can now allow or block intra-VLAN traffic on the managed FortiSwitch units when the connection to the FortiGate
device is lost.

To allow or block intra-VLAN traffic when the connection to the FortiGate device is lost:

config switch-controller fortilink-settings
edit "<FortiLink_interface>"
set access-vlan-mode {legacy | fail-open | fail-close}
next
end

Option Description

legacy This is the default. When the connection to the FortiGate device is lost, intra-VLAN traffic on
the managed FortiSwitch units is blocked.

fail-open When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed
FortiSwitch units is allowed.

fail-close When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed
FortiSwitch units is blocked.

Support the FortiOS one-arm sniffer on a mirrored VLAN interface - 7.4.1

You can now use the FortiOS one-arm sniffer to configure a VLAN interface on a managed FortiSwitch unit as an
intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured security profile.
The matches are logged, and the unmatched sniffed traffic is not forwarded to the FortiGate device. Sniffing only reports
on attacks; it does not deny or influence traffic.
Traffic scanned on the FortiOS one-arm sniffer interface is processed by the CPU. The FortiOS one-arm sniffer might
cause higher CPU usage and perform at a lower level than traditional inline scanning.
The absence of high CPU usage does not indicate the absence of packet loss. Packet loss might occur due to the
capacity of the TAP devices hitting maximum traffic volume during mirroring or, on the FortiGate device, when the kernel
buffer size is exceeded and it is unable to handle bursts of traffic.

To configure the FortiOS one-arm sniffer in the CLI:

1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode on page 677.
2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic on page 678.
3. Configure the FortiOS one-arm sniffer in a firewall policy on page 678.
4. Generate traffic on the client.
5. Review the logs for the sniffer policy on page 679.

1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode

You can mirror traffic in RSPAN or ERSPAN mode on a layer-2 VLAN. Specify which ingress port you want to use for a
mirroring source.
config switch-controller traffic-sniffer
set mode {rspan | erspan-auto}
config target-port
edit <FortiSwitch_serial_number>
set in-ports <port_name>
next
end
end

For example:
config switch-controller traffic-sniffer
set mode rspan
config target-port
edit S524DF4K15000024
set in-ports port6
next
end
end


2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic

After you enable ips-sniffer-mode, switch-controller-access-vlan and switch-controller-rspan-mode are enabled by default, and switch-controller-traffic-policy is set to sniffer by default.
config system interface
edit <interface_name>
set ips-sniffer-mode enable
set switch-controller-access-vlan enable
set switch-controller-traffic-policy sniffer
set switch-controller-rspan-mode enable
next
end

For example:
config system interface
edit rspan
set ips-sniffer-mode enable
set switch-controller-access-vlan enable
set switch-controller-traffic-policy sniffer
set switch-controller-rspan-mode enable
next
end

3. Configure the FortiOS one-arm sniffer in a firewall policy

Specify the same interface that you used in step 2. Enable the security profiles that you want to use and specify the
sniffer-profile profile for each security profile. By default, all security profiles are disabled.
config firewall sniffer
edit <sniffer_ID>
set logtraffic {all | utm}
set interface <interface_name>
set av-profile-status {enable | disable}
set av-profile "sniffer-profile"
set webfilter-profile-status {enable | disable}
set webfilter-profile "sniffer-profile"
set application-list-status {enable | disable}
set application-list "sniffer-profile"
set ips-sensor-status {enable | disable}
set ips-sensor "sniffer-profile"
set file-filter-profile-status {enable | disable}
set file-filter-profile "sniffer-profile"
next
end

For example:
config firewall sniffer
edit 50
set logtraffic all
set interface rspan
set av-profile-status enable
set av-profile sniffer-profile
set webfilter-profile-status enable
set webfilter-profile sniffer-profile
set application-list-status enable
set application-list sniffer-profile
set ips-sensor-status enable
set ips-sensor sniffer-profile
set file-filter-profile-status enable
set file-filter-profile sniffer-profile
next
end

5. Review the logs for the sniffer policy

execute log display

Configuration example

The following example shows how a managed FortiSwitch unit mirrors traffic from a client and then sends the traffic to
the FortiGate device for analysis. In this example, enable the FortiOS one-arm sniffer in the FortiOS CLI and then use
the FortiOS GUI for the rest of the example.

1. Enable the FortiOS one-arm sniffer.
config system interface
edit "rspan.17"
set ips-sniffer-mode enable
set vdom root
set interface port11
set vlanid 4092
next
end
2. Go to Network > Interfaces.
3. Select rspan.17 (under port11) and click Edit.
4. Enable the security profiles that you want to use.
5. Click OK.
6. Generate traffic on the client.
7. Go to Log & Report > Sniffer Traffic.
The logs generated from the mirrored traffic are listed.

In the FortiOS CLI, use the execute log display command to view the logs:
784 logs found.
10 logs returned.
1: date=2023-07-31 time=16:28:13 eventtime=1690846092971957519 tz="-0700"
logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1"
srcip=5.4.4.2 srcport=51293 srcintf="rspan.17" srcintfrole="undefined"
dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined"
srccountry="Germany" dstcountry="United States" sessionid=784 proto=17
action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat"
transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0
appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow"
countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6"
srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50"
dstmac="04:d5:90:bf:f3:50" dstserver=0
2: date=2023-07-31 time=16:27:39 eventtime=1690846059062169260 tz="-0700"
logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1"
srcip=5.4.4.2 srcport=37800 srcintf="rspan.17" srcintfrole="undefined"
dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined"
srccountry="Germany" dstcountry="United States" sessionid=782 proto=17
action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat"
transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0
appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow"
countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6"
srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50"
dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6524
3: date=2023-07-31 time=16:27:39 eventtime=1690846059062027560 tz="-0700"
logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1"
srcip=5.4.4.2 srcport=52702 srcintf="rspan.17" srcintfrole="undefined"
dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined"
srccountry="Germany" dstcountry="United States" sessionid=780 proto=17
action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat"
transip=0.0.0.0 transport=0 duration=180 sentbyte=61 rcvdbyte=0 sentpkt=1 rcvdpkt=0
appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow"
countapp=1 sentdelta=61 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6"
srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50"
dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6510
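The following is an added example, not Fortinet code: a parser for FortiOS key=value log lines and a small triage pass over sniffer traffic logs like the ones above. It shows why utmaction rather than action is the field to watch on a sniffer policy, which never blocks traffic. The sample lines are constructed after the guide's output and shortened, and the fourth and fifth lines are entirely constructed.

```python
"""Parser for FortiOS key=value log lines and a triage pass over sniffer logs.
Added example, not Fortinet code; SAMPLE_LOGS is constructed after the guide's
output (lines 4 and 5 are wholly constructed)."""
import re
from typing import Dict, List

# key=value pairs; a value is either double-quoted or a run of non-space characters
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    '1: date=2023-07-31 time=16:28:13 tz="-0700" logid="0004000017" type="traffic" '
    'subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=51293 '
    'srcintf="rspan.17" dstip=96.45.45.45 dstport=53 proto=17 action="accept" '
    'policyid=1 policytype="sniffer" service="DNS" sentbyte=70 rcvdbyte=0 '
    'app="DNS" apprisk="elevated" utmaction="allow" srcmac="00:0c:29:38:2a:c6"',
    '2: date=2023-07-31 time=16:27:39 tz="-0700" logid="0004000017" type="traffic" '
    'subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=37800 '
    'srcintf="rspan.17" dstip=96.45.45.45 dstport=53 proto=17 action="accept" '
    'policyid=1 policytype="sniffer" service="DNS" sentbyte=70 rcvdbyte=0 '
    'app="DNS" apprisk="elevated" utmaction="allow" utmref=0-6524',
    '3: date=2023-07-31 time=16:27:39 tz="-0700" logid="0004000017" type="traffic" '
    'subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=52702 '
    'srcintf="rspan.17" dstip=96.45.45.45 dstport=53 proto=17 action="accept" '
    'policyid=1 policytype="sniffer" service="DNS" sentbyte=61 rcvdbyte=0 '
    'app="DNS" apprisk="elevated" utmaction="allow" utmref=0-6510',
    # constructed: a security profile on the sniffer policy reported a block verdict
    '4: date=2023-07-31 time=16:26:02 tz="-0700" logid="0004000017" type="traffic" '
    'subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=40112 '
    'srcintf="rspan.17" dstip=203.0.113.10 dstport=80 proto=6 action="accept" '
    'policyid=1 policytype="sniffer" service="HTTP" sentbyte=512 rcvdbyte=20480 '
    'app="HTTP.BROWSER" apprisk="medium" utmaction="block"',
    # constructed (placeholder logid): not a sniffer record, ignored by the triage pass
    '5: date=2023-07-31 time=16:25:50 tz="-0700" logid="0100000000" type="event" '
    'subtype="system" level="information" logdesc="Admin login successful"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one line into fields; the leading 'N: ' index from execute log display is dropped."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def sniffer_records(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only traffic logs written by a sniffer policy."""
    recs = (parse_log_line(line) for line in lines)
    return [r for r in recs if r.get("type") == "traffic" and r.get("subtype") == "sniffer"]


def summarise(records: List[Dict[str, str]]) -> Dict[tuple, dict]:
    """Aggregate by (srcip, dstip, service). On a sniffer policy action is
    always accept because the sniffer never blocks traffic; utmaction carries
    the verdict of the security profiles, so it is collected per flow."""
    summary: Dict[tuple, dict] = {}
    for r in records:
        key = (r["srcip"], r["dstip"], r.get("service", "unknown"))
        e = summary.setdefault(key, {"sessions": 0, "sentbyte": 0, "utmaction": set()})
        e["sessions"] += 1
        e["sentbyte"] += int(r.get("sentbyte", 0))
        e["utmaction"].add(r.get("utmaction", "n/a"))
    return summary


def needs_review(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flows where a profile reported anything other than allow, or where the
    application risk is high or critical: the records to look at first."""
    return [r for r in records
            if r.get("utmaction", "allow") != "allow"
            or r.get("apprisk") in ("high", "critical")]
```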

Support new commands for Precision Time Protocol configuration - 7.4.1

The CLI commands for configuring Precision Time Protocol (PTP) transparent-clock mode have changed. FortiOS
supports the previous CLI commands, as well as the new ones.
Use the following steps to configure PTP transparent-clock mode:
1. Configure a PTP profile or use the default profile.
2. Configure the PTP settings.
By default, PTP is disabled. Enable PTP and select which PTP profile will use these PTP settings. The default
profile is automatically selected.
3. Configure the default PTP policy or create a custom PTP policy.
Select which VLAN will use the PTP policy and the priority of the VLAN. The default PTP policy is applied to all
ports. If you want to select which ports to apply the PTP policy to, you need to create a custom PTP policy.
4. If you are not using the default PTP policy, select which port to apply your custom PTP policy to.
By default, the PTP status is enabled.

To configure a PTP profile:

config switch-controller ptp profile
edit {default | name_of_PTP_profile}
set description <description_of_PTP_profile>
set mode {transparent-e2e | transparent-p2p}
set ptp-profile C37.238-2017
set transport l2-mcast
set domain <0-255> // the default is 254
set pdelay-req-interval {1sec | 2sec | 4sec | 8sec | 16sec | 32sec} // 1sec default
next
end

For example:
config switch-controller ptp profile
edit newPTPprofile
set description "New PTP profile"
set mode transparent-p2p
set ptp-profile C37.238-2017
set transport l2-mcast
set domain 1
set pdelay-req-interval 2sec
next
end

To configure the PTP settings:

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set ptp-status {enable | disable} // the default is disable
set ptp-profile {default | name_of_PTP_profile} // the default is "default"
next
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
set ptp-status enable
set ptp-profile newPTPprofile
next
end

To configure the default PTP policy or create a custom PTP policy:

config switch-controller ptp interface-policy
edit {default | <policy_name>}
set description <description_of_PTP_policy>
set vlan <VLAN_name> //no default
set vlan-pri <0-7> // the default is 4
next
end

For example:
config switch-controller ptp interface-policy
edit ptppolicy1
set description "New custom PTP policy"
set vlan vlan10
set vlan-pri 3
next
end


To apply your custom PTP policy to a port:

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set ptp-status {enable | disable} // the default is enable
set ptp-policy {default | <policy_name>} // the default is "default"
end
end

For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set ptp-status enable
set ptp-policy ptppolicy1
end
end

Support inter-VLAN routing by managed FortiSwitch units - 7.4.1

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, managed FortiSwitch units can perform inter-VLAN routing. The
FortiGate device can program the FortiSwitch unit to do the layer-3 routing of trusted traffic between specific VLANs. In
this case, the traffic flows are trusted by the user and do not need to be inspected by the FortiGate device.
Inter-VLAN routing offload is applied to the supported FortiSwitch model located closest to the FortiGate device in the
topology. Refer to the FortiLink Compatibility table to find which FortiSwitchOS models support this feature.
You can use an MCLAG with inter-VLAN routing.
l If you use an MCLAG, you can have two FortiSwitch units per stack.
NOTE: To use an MCLAG, you need VRRP, which requires an advanced features license. For more information,
refer to Adding a license.
l If you do not use an MCLAG, you can have only one FortiSwitch unit per stack.

To configure inter-VLAN routing:

1. Configure both VLANs for routing offload.
2. Configure the switches for routing offload.

Configure both VLANs for routing offload

By default, switch-controller-offload and switch-controller-offload-gw are disabled.
The switch-controller-offload-ip option is available only when switch-controller-offload is enabled.
The set allowaccess ping command is configured automatically if it is not already specified.
Enable switch-controller-offload-gw on a single VLAN interface. The clients can use the offload IP addresses (configured in the set switch-controller-offload-ip command) as the default gateway, which is executed on the FortiSwitch unit. If you are using a DHCP server on the offloaded FortiSwitch VLANs, adjust the DHCP gateway address to match the switch-controller-offload-ip address.
config system interface
edit <VLAN_name>
set ip <IP_address_netmask>
set switch-controller-offload {enable | disable}
set switch-controller-offload-ip <IP_address>
set switch-controller-offload-gw {enable | disable}
next
end

Configure the switches for routing offload

By default, route-offload and route-offload-mclag are disabled.
When you have an MCLAG configured, you need to enable route-offload-mclag and configure config route-offload.
The config route-offload commands are available only when route-offload-mclag is enabled.
Use router-ip to specify the router IP address for VRRP.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set route-offload {enable | disable}
set route-offload-mclag {enable | disable}
config route-offload
edit <VLAN_name_1>
set router-ip <IP_address_1>
next
edit <VLAN_name_2>
set router-ip <IP_address_2>
next
end
next
end

Configuration example

The following example shows how the default routing between Host A and Host B uses the active FortiGate device in HA
mode. When inter-VLAN routing is enabled, VLAN10 on Host A routes through FortiSwitch 3, FortiSwitch 1, FortiSwitch
2, and FortiSwitch 5 to VLAN 20 on Host B.


1. Configure both VLANs for routing offloading
config system interface
edit "vlan.10"
set ip 192.168.10.1/24
set switch-controller-offload enable
set switch-controller-offload-ip 192.168.10.2
set switch-controller-offload-gw enable
next
edit "vlan.20"
set ip 192.168.20.1/24
set switch-controller-offload enable
set switch-controller-offload-ip 192.168.20.2
next
end
2. Configure FortiSwitch 1 to route to Host A and Host B. Because this example uses MCLAG, you need to enable
route-offload-mclag and configure config route-offload.
config switch-controller managed-switch
edit ST1E24TF21000347
set route-offload enable
set route-offload-mclag enable
config route-offload
edit "vlan.10"
set router-ip 192.168.10.3
next
edit "vlan.20"
set router-ip 192.168.20.3
next
end
next
end


3. Configure FortiSwitch 2 to route to Host A and Host B. Because this example uses MCLAG, you need to
enable route-offload-mclag and configure config route-offload.
config switch-controller managed-switch
edit ST1E24TF21000408
set route-offload enable
set route-offload-mclag enable
config route-offload
edit "vlan.10"
set router-ip 192.168.10.4
next
edit "vlan.20"
set router-ip 192.168.20.4
next
end
next
end

Support security rating recommendations for tier-2 and tier-3 MCLAGs - 7.4.1

More tests have been added to the FortiSwitch recommendations to help optimize your network:
l When a connected tier-1 MCLAG peer group is detected and FortiOS detects a possible tier-2 MCLAG pair of
switches, FortiOS recommends forming a tier-2 MCLAG.
After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is
configured on the two switches with the recommended interchassis link (ICL) ports, and the config switch
auto-isl-port-group command is configured on the parent MCLAG peer group.
l When a connected tier-2 MCLAG peer group is detected and FortiOS detects a possible tier-3 MCLAG pair of
switches, FortiOS recommends forming a tier-3 MCLAG.
After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is
configured on the two switches with the recommended ICL ports, and the config switch auto-isl-port-
group command is configured on the parent MCLAG peer group.

For detection to be successful, there must be a fully meshed connection (each tier-2
FortiSwitch unit must have a connection to each tier-1 FortiSwitch unit; each tier-3
FortiSwitch unit must have a connection to each tier-2 FortiSwitch unit).

Example

In this example, a FortiGate device manages four FortiSwitch units. Two of the switches already form an MCLAG, and
the user wants a second MCLAG tier for redundancy.


1. In the FortiOS GUI, go to WiFi & Switch Controller > Managed FortiSwitches and verify that the two tier-2
FortiSwitch units are the same model so that they can form an MCLAG.

2. Go to Security Fabric > Security Rating and click Run Now.


3. After the security rating report has run, expand the Optimization results to see Enable MC-LAG Tier 2/3.

4. Go to WiFi & Switch Controller > Managed FortiSwitches and hover over the link connecting the two tier-2
FortiSwitch units. Click Create MC-LAG pair.


5. In the Create MC-LAG Pair panel, enter the ISL port group name.

6. The Managed FortiSwitches page shows that the MCLAG is formed for the tier-2 managed FortiSwitch units.


Support for the authentication and encryption of fabric links - 7.4.1

The FortiLink secured fabric provides authentication and encryption to all fabric links, wherever possible, making your
Security Fabric more secure.
By default, authentication and encryption are disabled on the Security Fabric. After you specify the authentication mode
and encryption mode for the FortiLink secured fabric in the LLDP profile:
1. FortiOS authenticates the connected LLDP neighbors.
2. FortiOS forms an authenticated secure inter-switch link (ISL) trunk.
3. Ports that are members of the authenticated secure ISL trunk are encrypted with Media Access Control security
(MACsec) (IEEE 802.1AE-2018).
4. After the peer authentication (and MACsec encryption, if enabled) is complete, FortiOS configures the user VLANs.
5. If FortiOS detects a new FortiSwitch unit in the Security Fabric, one of the FortiSwitch peers validates whether the
new switch has a Fortinet factory SSL certificate chain. If the new FortiSwitch unit has a valid certificate, it becomes
a FortiSwitch peer in the Fortinet secured fabric.
The following figure shows the FortiLink secured fabric. The links between the FortiGate device and the managed
FortiSwitch units are always unencrypted. The green links between FortiSwitch peers are encrypted ISLs. The orange
links between FortiSwitch peers are unencrypted ISLs.


Authentication modes

By default, there is no authentication. You can select one of three authentication modes:
• Legacy—This mode is the default. There is no authentication.
• Relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a
  restricted ISL trunk.
  A restricted ISL trunk is the same as a regular ISL trunk, but FortiOS does not add any user VLANs. The restricted
  ISL trunk allows limited access so that users can authenticate unauthenticated switches. Use a restricted ISL trunk
  for a new FortiSwitch unit that was just added to the Security Fabric or a FortiSwitch unit that does not support
  authentication or encryption.
• Strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.


Encryption modes

By default, there is no encryption. You must select the strict or relax authentication mode before you can select the
mixed or must encryption mode.
• None—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.
• Mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; these ISL trunk members act as
  encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk
  members act as unencrypted links.
• Must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an
  encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still
  functions as a user port.
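The way the authentication and encryption modes combine decides whether a trunk is formed, whether it carries user VLANs, and which members end up encrypted. The following Python model is an added illustration, not FortiOS code: the Port and IslTrunk types and the form_isl name are assumptions, while the mode semantics are taken from the two lists above.

```python
"""Added illustration, not FortiOS code: models the ISL trunk that results from
the auto-isl-auth and auto-isl-auth-encrypt modes described above. The Port and
IslTrunk types and the function names are assumptions; the mode semantics are
taken from the text."""
from __future__ import annotations
from dataclasses import dataclass, field

AUTH_MODES = ("legacy", "relax", "strict")
ENCRYPT_MODES = ("none", "mixed", "must")


@dataclass
class Port:
    name: str
    macsec_capable: bool


@dataclass
class IslTrunk:
    kind: str                 # "regular", "secure" or "restricted"
    user_vlans: bool          # a restricted trunk carries no user VLANs
    encrypted: list[str] = field(default_factory=list)    # MACsec-enabled members
    unencrypted: list[str] = field(default_factory=list)  # members left as plain links
    removed: list[str] = field(default_factory=list)      # dropped from the trunk, still user ports


def validate_profile(auth: str, encrypt: str) -> None:
    """Mirror the CLI rule: mixed or must requires relax or strict."""
    if auth not in AUTH_MODES or encrypt not in ENCRYPT_MODES:
        raise ValueError("unknown mode")
    if encrypt != "none" and auth == "legacy":
        raise ValueError("select relax or strict before mixed or must")


def form_isl(auth: str, encrypt: str, peer_authenticated: bool,
             ports: list[Port]) -> IslTrunk | None:
    """Return the resulting trunk, or None when no ISL trunk is formed."""
    validate_profile(auth, encrypt)
    names = [p.name for p in ports]
    if auth == "legacy":
        return IslTrunk("regular", True, unencrypted=names)   # no authentication, no MACsec
    if not peer_authenticated:
        if auth == "strict":
            return None                                         # strict: failure means no trunk
        # relax: restricted trunk for limited access; MACsec applies only to an
        # authenticated secure trunk (step 3 above), so the members stay plain
        return IslTrunk("restricted", False, unencrypted=names)
    trunk = IslTrunk("secure", True)
    for p in ports:
        if encrypt == "none":
            trunk.unencrypted.append(p.name)
        elif p.macsec_capable:
            trunk.encrypted.append(p.name)       # mixed or must: MACsec on capable ports
        elif encrypt == "mixed":
            trunk.unencrypted.append(p.name)     # mixed: incapable port stays an unencrypted link
        else:
            trunk.removed.append(p.name)         # must: incapable port leaves the trunk
    return trunk
```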

Configuring the FortiLink secured fabric

To configure the FortiLink secured fabric:

1. Configure the LLDP profile.
2. Assign the LLDP profile to a FortiSwitch physical port.

To configure the LLDP profile:

config switch-controller lldp-profile
    edit {LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}
        set auto-isl-auth {legacy | relax | strict}
        set auto-isl-auth-user <string>
        set auto-isl-auth-identity <string>
        set auto-isl-auth-reauth <10-3600>
        set auto-isl-auth-encrypt {none | mixed | must}
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end

Option, description, and default:

{LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}
    Select one of the two default LLDP profiles (default-auto-isl or default-auto-mclag-icl) or create your own
    LLDP profile.
    Default: No default

auto-isl-auth {legacy | relax | strict}
    Select the authentication mode.
    Default: legacy

auto-isl-auth-user <string>
    Select the user certificate, such as Fortinet_Factory.
    This option is available when auto-isl-auth is set to relax or strict.
    Default: No default

auto-isl-auth-identity <string>
    Enter the identity, such as fortilink.
    This option is available when auto-isl-auth is set to relax or strict.
    Default: No default

auto-isl-auth-reauth <10-3600>
    Enter the reauthentication period in minutes.
    This option is available when auto-isl-auth is set to relax or strict.
    Default: 3600

auto-isl-auth-encrypt {none | mixed | must}
    Select the encryption mode.
    This option is available when auto-isl-auth is set to strict or relax.
    Default: none

auto-isl-auth-macsec-profile <string>
    Use the default-macsec-auto-isl profile.
    This option is available when auto-isl-auth-encrypt is set to mixed or must.
    Default: default-macsec-auto-isl

Configuration example

config switch-controller lldp-profile
    edit customLLDPprofile
        set auto-isl-auth relax
        set auto-isl-auth-user Fortinet_Factory
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end

config switch physical-port
    edit port49
        set lldp-profile customLLDPprofile
        set speed auto-module
        set storm-control-mode disabled
    next
end

Viewing the FortiLink secured fabric

To get information from the FortiGate device about which FortiSwitch unit ports are authenticated,
secured, or restricted:

execute switch-controller get-physical-conn {dot | standard} <FortiLink_interface>

To get the FortiLink authentication status for the port from the FortiSwitch unit:

diagnose switch fortilink-auth status <port_name>

To get the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:

diagnose switch fortilink-auth statistics <port_name>


To delete the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:

execute fortilink-auth clearstat physical-port <port_name>

To reauthenticate FortiLink secured fabric peers from the specified port from the FortiSwitch unit:

execute fortilink-auth reauth physical-port <port_name>

To reset the authentication for the FortiLink secured fabric from the FortiSwitch unit on the specified
port:

execute fortilink-auth reset physical-port <port_name>

To display statistics and status of the FortiLink secured fabric for the port from the FortiSwitch unit:

get switch lldp auto-isl-status <port_name>

To display the status of the FortiLink secured fabric for the trunk from the FortiSwitch unit:

get switch trunk

Requirements and limitations

• FortiOS 7.4.1 or later and FortiSwitchOS 7.4.1 or later are required.
• FortiLink mode over a layer-2 network and FortiLink mode over a layer-3 network are supported.
• VXLAN is not supported.
• When a new FortiSwitch unit is added to the fabric, it must have a Fortinet factory SSL certificate before it is allowed
  to become an authenticated peer within the FortiLink secured fabric.
• When a new FortiSwitch unit is added to the FortiLink secured fabric with the strict authentication mode, the
  restricted ISL trunk is not formed. You must configure the FortiSwitch unit manually (under the config switch
  lldp-profile command).
• You need to manually import a custom certificate on the managed FortiSwitch units first; then you can specify the
  custom certificate on the FortiLink secured fabric with the set auto-isl-auth-user command under config
  switch-controller lldp-profile. After that, you can configure the custom certificate on the running
  Security Fabric.

Synchronize the FortiOS interface description with the FortiSwitch VLAN description - 7.4.1

Starting in FortiOS 7.4.1, the FortiOS switch controller supports synchronizing the FortiGate system interface
description to the switch VLAN description (up to the first 63 characters of the FortiSwitch VLAN description field in
FortiOS). This allows a more flexible use of the Tunnel-Private-Group-Id RADIUS attribute. To use the maximum length
of 63 characters, set the vlan-identity command to description (under config switch-controller global).


Configuration example

To synchronize the FortiGate system interface description to the switch VLAN description:

1. Configure the FortiSwitch VLAN on the FortiGate device:
   config system interface
       edit "vlan11"
           set vdom "vdom1"
           set ip 6.6.6.1 255.255.255.0
           set allowaccess ping https ssh http fabric
           set description "Test VLAN"
           set device-identification enable
           set role lan
           set snmp-index 45
           set interface "port11"
           set vlanid 111
       next
   end
2. On the FortiSwitch unit, check that the FortiGate interface description is stored in the value of the set description
   command:
   config switch vlan
       edit 11
           set description "Test VLAN"
       next
   end

Support FortiSwitch management using HTTPS - 7.4.2

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can use FortiLink with HTTPS to manage FortiSwitch units. Using
FortiLink with HTTPS simplifies the management process and improves the user experience and efficiency.
The FortiGate device supports using both the CAPWAP protocol and HTTPS at the same time. Each FortiSwitch unit
supports using the CAPWAP protocol or HTTPS; you cannot use both protocols to manage the same FortiSwitch unit.
FortiLink with HTTPS uses the same technology as FortiLAN Cloud to operate over both layer 2 and layer 3.
When you are using FortiLink with HTTPS to manage FortiSwitch units, the same FortiLink features are supported as
when you are using FortiLink with the CAPWAP protocol.

To use FortiLink with HTTPS:

1. On the FortiSwitch unit, enable the FortiLink HTTPS management mode (CAPWAP remains enabled):
   config switch-controller global
       set mgmt-mode https
   end


2. On the FortiSwitch unit, set the FortiLAN Cloud service to FortiLink with HTTPS, enter the FortiLink IPv4 address,
   and enable the status:
   config system flan-cloud
       set service-type fortilink-https
       set name <FortiLink_IPv4_address>
       set status enable
   end
3. On the FortiGate device, authorize the FortiSwitch unit if it has not already been authorized:
   config switch-controller managed-switch
       edit <FortiSwitch_serial_number>
           set fsw-wan1-admin enable
       next
   end
4. On the FortiGate device, check that the tunnel has been established to allow FortiLink with HTTPS:
   execute switch-controller get-conn-status
   For example:
   FGT_A (vdom1) (Interim)# execute switch-controller get-conn-status
   Managed-devices in current vdom vdom1:

   FortiLink interface : port11

   SWITCH-ID         VERSION        STATUS           FLAG  ADDRESS     JOIN-TIME                 SERIAL
   S524DN4K16000116  v7.4.0 (0796)  Authorized/Up    2T    10.255.1.2  Mon Dec 18 15:41:34 2023  S524DN4K16000116
   S248EPTF18001384  v7.4.1 (787)   Authorized/Up    2     10.255.1.5  Mon Dec 18 15:41:43 2023  S248EPTF18001384
   S248EPTF18001827  N/A            Discovered/Down  2     N/A                                   S248EPTF18001827
   S124EN5918003682  N/A            Discovered/Down  2     N/A                                   S124EN5918003682

   Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync
   error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
   Managed-Switches: 4 (UP: 2 DOWN: 2 MAX: 72)

5. On the FortiSwitch unit, check that FortiLAN Cloud has established the FortiLink connection:
   S224DF3X15000367 # get system flan-cloud-mgr connection-info
   For example:
   S524DN4K16000116 # get system flan-cloud-mgr connection-info

   Service Name: : FortiLink
   User Account-ID : 0
   SSL verify Code : ok
   Access Service : IP= 10.255.1.1, Port= 443, Connected on: 2023-12-18 15:41:33
   Bootstrap Service : hostname= , Port= 0

   State-Machine : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_ESTD

   SSL Local End-Point : Interface: internal, IP: 10.255.1.2
   SSL Tunnel Uptime : Days: 0 Hours: 0 Mins: 2 [Connected @2023-12-18 15:41:33]
   SSL Tunnel stats : restart-count= 279, Restart Reason= Boot-Strap fails to setup SSL to Cloud

   Stats:
   ========
   Switch Keep Alive Tx/Reply := 3 / 1
   Manager Keep Alive Rx/Error := 2 / 0

   Socks Req Rx/Last Stream-ID := 1193 / 5
   Reset Req Rx/last Stream-ID := 137 / 276
   Goaway Req Rx := 0
   Unknown Req Rx := 0

   Syslog FD/Tx/Err := 10 / 62 / 0

   FortiLink details
   =======================
   stream_id : 5
   online state_id : 7
   localSock fd : 11
   stpTelSock fd : 12
   dhcpTelSock fd : 13
   igmpsTelSock fd : 14
   macSock fd : 15
   cmfSock fd : 16
   FortiGate - no response counter : 0
   FortiGate - [Last no response time @1969-12-31 16:00:00]
   online TX counter : 6
   online RX_ACK counter : 6
   online RX_NACK counter : 0
   topology req : 8
   topology resp : 4
   system telemetry req : 8
   system telemetry resp : 3
   interface telemetry req : 2
   interface telemetry resp : 2
   mac telemetry req : 0
   mac telemetry resp : 0
   dot1x user req : 0
   dot1x user resp : 0
   lldp nbr req : 0
   lldp nbr resp : 0
   mac cache req : 0
   mac cache resp : 0
   trunk state req : 21
   trunk state resp : 7
   port state req : 4
   port state resp : 2
   poe status req : 0
   poe status resp : 0

   Used SOCKS stream-id:
   =======================
   SID SockFd Proxy-Ports State Description
   ___________________________________________________________________
   1 0 UNKNOWN:0<-->0 DATA BOOTSTRAP
   3 0 UDP:9514<-->0 DATA SYSLOG DATA
   5 0 UNKNOWN:0<-->0 DATA FORTILINK


To log in from the FortiGate device to a switch managed by FortiLink with HTTPS:

execute switch-controller ssh <FortiSwitch_user_name> <FortiSwitch_serial_number>

For example:
execute switch-controller ssh admin S524DF4K15000024

Set the priority for dynamic or egress VLAN assignment - 7.4.2

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can change how a managed FortiSwitch unit searches for VLANs
with names (specified in the set description command) that match the Tunnel-Private-Group-Id or Egress-VLAN-Name
attribute.
Before FortiOS 7.4.2 and FortiSwitchOS 7.4.2, if there was more than one VLAN with the same name (specified in the
set description command), the managed FortiSwitch unit selected the VLAN with the lowest VLAN ID that matched
the Tunnel-Private-Group-Id or Egress-VLAN-Name attribute.
In the following example, the Tunnel-Private-Group-Id attribute is set to testVLAN, and three VLANs have the same
name of testVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN with
the lowest ID, VLAN 4.

VLAN ID   VLAN name
4         testVLAN
5         testVLAN
6         testVLAN

In FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can assign a priority to each VLAN. If there is more than one VLAN with
the same name (specified in the set description command), the managed FortiSwitch unit selects the VLAN with
the lowest assignment-priority value (which is the highest priority) among the VLANs whose names match the
RADIUS Tunnel-Private-Group-Id or Egress-VLAN-Name attribute. The assignment-priority value can be 1-255.
By default, the assignment-priority is 128. The lowest assignment-priority value gets the highest priority.
In the following example, the Tunnel-Private-Group-Id attribute is set to localVLAN, and four VLANs have the same
name of localVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN that
has the lowest assignment-priority value (25), VLAN 5.

VLAN ID   VLAN name   VLAN priority
4         localVLAN   50
5         localVLAN   25
6         localVLAN   75
7         localVLAN   100

To set the priority on the managed FortiSwitch unit for matching VLAN names:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config vlan
            edit <VLAN_name>
                set assignment-priority <1-255>
            next
        end
    next
end

For example:
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config vlan
            edit vlan5
                set assignment-priority 200
            next
        end
    next
end
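The selection rule above, with the pre-7.4.2 behaviour alongside it for comparison, as an added Python model that is not FortiSwitchOS code. It assumes that when several matching VLANs share the lowest assignment-priority value, the lowest VLAN ID wins, which the text does not state; the inventories are constructed from the two tables.

```python
"""Added illustration, not FortiSwitchOS code: models how a managed FortiSwitch
unit resolves a RADIUS Tunnel-Private-Group-Id or Egress-VLAN-Name value to a
VLAN. Assumption: when several matching VLANs share the lowest
assignment-priority, the lowest VLAN ID wins (the pre-7.4.2 rule)."""
from dataclasses import dataclass

DEFAULT_PRIORITY = 128          # default assignment-priority per the text


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    description: str            # the name the RADIUS attribute is matched against
    assignment_priority: int = DEFAULT_PRIORITY

    def __post_init__(self):
        if not 1 <= self.assignment_priority <= 255:
            raise ValueError("assignment-priority must be 1-255")


def select_vlan(vlans, group_name, priority_aware=True):
    """Return the VLAN ID chosen for group_name, or None when no description matches.
    priority_aware=False reproduces the pre-7.4.2 behaviour (lowest VLAN ID only)."""
    matches = [v for v in vlans if v.description == group_name]
    if not matches:
        return None

    def rank(v):
        # lowest assignment-priority value is the highest priority; ID breaks ties (assumption)
        return (v.assignment_priority, v.vlan_id) if priority_aware else (v.vlan_id,)

    return min(matches, key=rank).vlan_id


# Constructed inventories mirroring the two tables in the text
TEST_VLANS = [Vlan(4, "testVLAN"), Vlan(5, "testVLAN"), Vlan(6, "testVLAN")]
LOCAL_VLANS = [Vlan(4, "localVLAN", 50), Vlan(5, "localVLAN", 25),
               Vlan(6, "localVLAN", 75), Vlan(7, "localVLAN", 100)]
```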

Specify how RADIUS request attributes are formatted - 7.4.2

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.1, you can specify how the following RADIUS request attributes are
formatted when they are sent to the RADIUS server:
• User-Name
• User-Password
• Called-Station-Id
• Calling-Station-Id
For each attribute, you can select a colon, hyphen, or single hyphen as the delimiter, or select none for no delimiter.
By default, a hyphen is used as the delimiter.
The following are examples of MAC addresses with the different delimiters:
• Using a colon as a delimiter: 00:11:22:33:44:55
• Using a hyphen as a delimiter: 00-11-22-33-44-55
• Using a single hyphen as a delimiter: 001122-334455
• Using none for no delimiter: 001122334455
You can also select whether to use lowercase or uppercase letters in MAC addresses. By default, lowercase letters are
used.

To specify how RADIUS request attributes are formatted:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config 802-1X-settings
            set local-override enable
            set mac-username-delimiter {colon | hyphen | none | single-hyphen}
            set mac-password-delimiter {colon | hyphen | none | single-hyphen}
            set mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}
            set mac-called-station-delimiter {colon | hyphen | none | single-hyphen}
            set mac-case {lowercase | uppercase}
        end
    next
end
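To see what the RADIUS server will receive for a given delimiter and case setting, the following Python helper is an added example, not FortiSwitchOS code. The settings dict keys mirror the CLI option names above; which MAC address fills which attribute (the client MAC for User-Name, User-Password and Calling-Station-Id, the switch port MAC for Called-Station-Id) is an assumption about MAC-based authentication, since the text does not say.

```python
"""Added illustration, not FortiSwitchOS code: formats the MAC-based RADIUS
request attributes the way the 802-1X-settings delimiter and case options
describe. Function names and the settings dict layout are assumptions."""
import re

DELIMITERS = {"colon": ":", "hyphen": "-", "single-hyphen": "-", "none": ""}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 001122-334455 or
    001122334455 and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, delimiter: str, case: str = "lowercase") -> str:
    """Apply one delimiter option: colon/hyphen split into six octets,
    single-hyphen splits into two 6-digit halves, none leaves it contiguous."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter option: {delimiter}")
    if case not in ("lowercase", "uppercase"):
        raise ValueError("mac-case must be lowercase or uppercase")
    digits = normalize_mac(mac)
    if case == "uppercase":
        digits = digits.upper()
    sep = DELIMITERS[delimiter]
    if delimiter == "single-hyphen":
        return digits[:6] + sep + digits[6:]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_request_attributes(client_mac: str, switch_port_mac: str, settings: dict) -> dict:
    """Build the four attributes from a constructed 802-1X-settings dict whose keys
    mirror the CLI option names; missing keys take the documented defaults
    (hyphen delimiter, lowercase). Attribute-to-MAC mapping is an assumption."""
    case = settings.get("mac-case", "lowercase")

    def fmt(mac, key):
        return format_mac(mac, settings.get(key, "hyphen"), case)

    return {
        "User-Name": fmt(client_mac, "mac-username-delimiter"),
        "User-Password": fmt(client_mac, "mac-password-delimiter"),
        "Calling-Station-Id": fmt(client_mac, "mac-calling-station-delimiter"),
        "Called-Station-Id": fmt(switch_port_mac, "mac-called-station-delimiter"),
    }
```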

Dynamically assign the NAS-IP-Address attribute - 7.4.2

Starting in FortiOS 7.4.2, you can dynamically assign a different NAS-IP-Address attribute to the managed switches
when authenticating users with a RADIUS server. When this feature is enabled, the NAS-IP-Address attribute is based
on the FortiLink IP address when the IP address is IPv4.
If needed, you can override the dynamic NAS-IP-Address attribute and manually assign the NAS-IP-Address attribute to
individual managed switches.

• FortiSwitchOS supports only IPv4 addresses for the NAS-IP-Address attribute.
• You can enable switch-controller-nas-ip-dynamic only when the nas-ip value is not set (under the config user
  radius command).
• When radius-nas-ip-override is enabled and the radius-nas-ip value is set, the IP address is assigned to the
  NAS-IP-Address attribute, even if switch-controller-nas-ip-dynamic is not enabled and the nas-ip value is not set.

To dynamically assign a different NAS-IP-Address attribute on the FortiGate device to all managed
switches:

config user radius
    edit <RADIUS_server_name>
        set switch-controller-nas-ip-dynamic enable
    next
end

To override the dynamic NAS-IP-Address attribute on the FortiGate device for a specific managed
switch:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set radius-nas-ip-override enable
        set radius-nas-ip <IPv4_address>
    next
end

For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        set radius-nas-ip-override enable
        set radius-nas-ip 1.2.3.4
    next
end
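The precedence between the per-switch override, the dynamic FortiLink address and the static nas-ip is the part of this feature most worth checking before relying on NAS-IP-Address in RADIUS policy. The following Python function is an added illustration, not FortiOS code: its keyword names mirror the CLI options, and the fallback order beyond what the notes state (static nas-ip when neither dynamic nor override applies, nothing when the FortiLink address is IPv6) is an assumption.

```python
"""Added illustration, not FortiOS code: resolves which value is placed in the
NAS-IP-Address attribute under the rules listed above. Keyword names mirror the
CLI options; the fallback order beyond what the text states (static nas-ip when
neither dynamic nor override applies, nothing when the FortiLink address is
IPv6) is an assumption."""
from ipaddress import ip_address


def validate_radius_server(nas_ip, switch_controller_nas_ip_dynamic):
    """Mirror the CLI constraint: the dynamic option can only be enabled
    while nas-ip is not set on the RADIUS server entry."""
    if switch_controller_nas_ip_dynamic and nas_ip:
        raise ValueError("switch-controller-nas-ip-dynamic requires nas-ip to be unset")


def resolve_nas_ip(*, nas_ip=None, switch_controller_nas_ip_dynamic=False,
                   radius_nas_ip_override=False, radius_nas_ip=None,
                   fortilink_ip=None):
    """Return the NAS-IP-Address string for one managed switch, or None."""
    validate_radius_server(nas_ip, switch_controller_nas_ip_dynamic)
    # 1. The per-switch override wins whenever it is enabled and has a value,
    #    even with dynamic assignment disabled and nas-ip unset.
    if radius_nas_ip_override and radius_nas_ip:
        if ip_address(radius_nas_ip).version != 4:
            raise ValueError("FortiSwitchOS supports only IPv4 for NAS-IP-Address")
        return radius_nas_ip
    # 2. Dynamic assignment: the FortiLink IP address, IPv4 only.
    if (switch_controller_nas_ip_dynamic and fortilink_ip
            and ip_address(fortilink_ip).version == 4):
        return fortilink_ip
    # 3. Otherwise the static nas-ip of the RADIUS server entry, if any (assumption).
    return nas_ip or None
```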
