
Technical Tip: New feature in FortiOS 7.4 to authe... - Fortinet Community https://community.fortinet.com/t5/tkb/articleprintpage/tkb-id/TKB20/artic...


asanzd Staff

Created on 05-01-2025 07:05 AM

Article Id 390053
Technical Tip: New feature in FortiOS 7.4 to authenticate FortiSwitch from FortiGate

Description: This article shows a new feature, available since FortiOS 7.4.1, to authenticate FortiSwitches on the Security Fabric.
Scope: FortiGate, FortiSwitch.


Solution: FortiOS 7.4.1 introduced a new feature that allows FortiGate to authorize the FortiSwitch.

This guarantees that both FortiGate and FortiSwitch share the same certificate, and that this certificate is the authentication key point validated before FortiGate authorizes the switch.
Normally, only genuine FortiSwitches are connected to FortiGate to work in a managed state, but this feature still adds a security layer to the authorization process.

There are three configuration options for this feature:

• Legacy: This mode is the default. There is no authentication.
• Relax: If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

A restricted ISL trunk is the same as a regular ISL trunk, but FortiOS does not add any user VLANs. The restricted ISL trunk allows limited access so that users can authenticate unauthenticated switches. Use a restricted ISL trunk for a new FortiSwitch unit that was just added to the Security Fabric or a FortiSwitch unit that does not support authentication or encryption.
• Strict: If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.

'Strict' guarantees that a secure ISL trunk will be built only if the authentication has completed successfully.

With the 'strict' option, the certificate to check must be configured under the lldp-profile:

config switch-controller lldp-profile
    edit customLLDPprofile                                        <----- Customized profile.
        set auto-isl-auth strict
        set auto-isl-auth-user Fortinet_Factory                   <----- Fortinet_Factory certificate or another one.
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed                           <----- 'mixed' is the option to encrypt.
        set auto-isl-auth-macsec-profile default-macsec-auto-isl  <----- Default macsec-auto-isl profile.
    next
end

If authentication is configured ('relax' or 'strict'), encryption can be enabled ('mixed' or 'must', as indicated below for 'set auto-isl-auth-encrypt'). 'Mixed' should be chosen to prevent ISL trunks from failing to build in cases where ports do not support MACsec (FortiGate ports):

• None: There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.
• Mixed: FortiOS enables MACsec on the ISL trunk ports that support MACsec: these ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.
• Must: FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

See the FortiGate 7.4.0 New Features for more information.


If a certificate other than the Fortinet factory certificate is required, it must be imported on both the FortiSwitch and the FortiGate (see 'Requirements and limitations' in the reference document above).
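As an added illustration (not part of the original article or of any Fortinet tool), the following Python script parses lldp-profile blocks written in the FortiOS CLI format shown above and reports profiles that still run auto-ISL authentication in 'legacy' mode, lack a certificate under 'relax'/'strict', or leave 'auto-isl-auth-encrypt' at 'none'. The configuration text is constructed for the example.

```python
"""Audit FortiOS switch-controller lldp-profile blocks for auto-ISL auth posture."""

# Constructed sample: the default profile left at legacy/none next to a hardened profile
# modelled on the article's customLLDPprofile.
SAMPLE_CONFIG = """\
config switch-controller lldp-profile
    edit "default"
        set auto-isl-auth legacy
        set auto-isl-auth-encrypt none
    next
    edit "customLLDPprofile"
        set auto-isl-auth strict
        set auto-isl-auth-user Fortinet_Factory
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end
"""

def parse_lldp_profiles(text):
    """Return {profile_name: {setting: value}} for every 'edit ... next' block."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            profiles[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return profiles

def audit_profile(settings):
    """Return findings for one profile; an empty list means auth and encryption are enforced."""
    findings = []
    mode = settings.get("auto-isl-auth", "legacy")  # legacy is the FortiOS default
    if mode == "legacy":
        findings.append("auto-isl-auth is legacy: the FortiSwitch is not authenticated")
    elif mode in ("relax", "strict") and not settings.get("auto-isl-auth-user"):
        findings.append("auto-isl-auth-user missing: no certificate to validate against")
    if mode == "relax":
        findings.append("relax: an unauthenticated switch still gets a restricted ISL trunk")
    if settings.get("auto-isl-auth-encrypt", "none") == "none":
        findings.append("auto-isl-auth-encrypt is none: ISL trunk members are unencrypted")
    return findings

def audit_config(text):
    """Audit every lldp-profile in a FortiOS config excerpt."""
    return {name: audit_profile(s) for name, s in parse_lldp_profiles(text).items()}
```

Running `audit_config(SAMPLE_CONFIG)` reports two findings for "default" and none for "customLLDPprofile".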
