Release Notes
FortiSwitchOS 7.6.1
December 13, 2024
FortiSwitchOS 7.6.1 Release Notes
11-761-1084086-20241213
TABLE OF CONTENTS
Change log
What’s new in FortiSwitchOS 7.6.1
Introduction
  Supported models
Special notices
  Upgrading MCLAG peer group switches from FortiSwitchOS 7.4.x and earlier to FortiSwitchOS 7.6.0 and later
  Reduce configuration revisions before downgrading from 7.4.2 and later versions
  Zero-touch management
  By default, auto-network is enabled in FortiSwitchOS 7.2.0 and later
  Downgrading FortiSwitchOS 7.0.0 and later to versions earlier than 6.2.6 or 6.4.4 is not supported
  Downgrading your FortiSwitchOS version requires converting the admin password format first
Upgrade information
Product integration and support
  FortiSwitchOS 7.6.1 support
Resolved issues
Known issues
Change log
Date: Change Description
December 13, 2024: Initial release for FortiSwitchOS 7.6.1
What’s new in FortiSwitchOS 7.6.1
Release 7.6.1 provides the following new features:
• The FS-424E-Fiber model now supports two Media Redundancy Protocol (MRP) rings.
• The FS-6xxF models now support RFC 5549 for a simplified fabric configuration.
• Dynamic VLAN pruning is now supported. VLAN pruning prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link (ISL) trunks. This process makes networks more efficient and preserves bandwidth. In addition, dynamic VLAN pruning eliminates the time spent on manual VLAN pruning and reduces the chance of errors.
• You can now use the new config system debug command to set the debugging level for various applications so that, after restarting the FortiSwitch unit, the debugging level is applied immediately at startup.
• You can now specify in the CLI that a Precision Time Protocol (PTP)-capable interface will operate in a master-only or slave-only role.
• When you scroll a data table that is longer than the window it is displayed in, the table header now stays at the top of the page, instead of scrolling off the screen.
• ACL configuration has been enhanced in the CLI:
  • You can now define the source and destination mask address to be matched, in addition to the source and destination MAC address, for classifiers for ACL ingress policies.
  • You can now specify the layer-3 interface name for layer-3 unicast classification for ACL ingress policies.
  • When you customize an SCTP, TCP, or UDP service for an ACL policy, you can now define a port mask.
Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
Introduction
This document provides the following information for FortiSwitchOS 7.6.1 build 1047:
• Supported models
• Special notices
• Upgrade information
• Product integration and support
• Resolved issues
• Known issues
See the Fortinet Document Library for FortiSwitchOS documentation.
Supported models
FortiSwitchOS 7.6.1 supports the following models:
FortiSwitch 1xx: FS-108F, FS-108F-POE, FS-108F-FPOE, FS-110G-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx: FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx: FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx: FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 6xx: FS-624F, FS-624F-FPOE, FS-648F, FS-648F-FPOE
FortiSwitch 1xxx: FS-1024E, FS-1048E, FS-T1024E, FS-T1024F-FPOE
FortiSwitch 2xxx: FS-2048F
FortiSwitch 3xxx: FS-3032E
FortiSwitch Rugged: FSR-216F-POE, FSR-424F-POE
Special notices
Upgrading MCLAG peer group switches from FortiSwitchOS 7.4.x and earlier to FortiSwitchOS 7.6.0 and later
FortiSwitchOS 7.4.3 has changes in the MCLAG ICL communication that are incompatible with previous versions;
therefore, the upgrade of the MCLAG peer group will have a longer impact than usual. Below are the recommended
procedures.
From the FortiGate Switch Controller:
1. Disable network monitoring on the FortiGate device:
config switch-controller network-monitor-settings
set network-monitoring disable
end
2. Stage the FortiSwitch firmware image on the FortiSwitch units using the “execute switch-controller
switch-software stage” command on the FortiGate device.
3. Restart the MCLAG peer group switches at the same time.
From the FortiSwitch CLI:
The following recommended procedure will minimize downtime when upgrading MCLAG (the expected impact is within
20 seconds) from FortiSwitchOS 7.4.x and earlier to FortiSwitchOS 7.6.0 and later.
1. If MCLAG split-brain protection is enabled, disable it in both switches in the MCLAG peer group.
2. In the FortiSwitchOS CLI, use the diagnose switch mclag icl command to find out which switch has the lower MAC address.
3032E-1 # diagnose switch mclag icl
_FlInK1_ICL0_
icl-ports 1-2
egress-block-ports 3-5,31.1,32.1,17.3,17.4,31.2,32.2,32.3,32.4
interface-mac 84:39:8f:13:96:4d <-- local switch MAC address
local-serial-number FS3E32T422000275
peer-mac 84:39:8f:13:99:59 <-- peer switch MAC address
peer-serial-number FS3E32T422000281
Local uptime 0 days 23h:55m: 0s
Peer uptime 0 days 23h:55m: 0s
MCLAG-STP-mac 84:39:8f:13:96:4c
keepalive interval 1
keepalive timeout 60
dormant candidate Peer
split-brain Disabled
3. Stage the image in both switches using the execute stage image CLI command.
4. Restart the switch with the lower MAC address.
In the preceding example, the local switch has the lower MAC address, so the local switch should be restarted first.
5. Wait for the switch to restart and check that all links come up (the LACP trunks could be in a down state).
6. Restart the other switch.
7. After MCLAG comes up, enable split-brain protection if it was enabled before the upgrade.
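The restart-order decision in steps 1, 2 and 4 can be scripted; the following is an added example, not Fortinet code. It parses the `diagnose switch mclag icl` output shown above and compares the two MAC addresses numerically; the function names and the returned dictionary keys are assumptions made for this illustration.

```python
import re

# Output of `diagnose switch mclag icl` as shown in the release notes above
# (only the lines this check reads, plus one line it must ignore).
SAMPLE_ICL = """\
interface-mac 84:39:8f:13:96:4d <-- local switch MAC address
local-serial-number FS3E32T422000275
peer-mac 84:39:8f:13:99:59 <-- peer switch MAC address
peer-serial-number FS3E32T422000281
Local uptime 0 days 23h:55m: 0s
split-brain Disabled
"""

WANTED = ("interface-mac", "peer-mac", "local-serial-number",
          "peer-serial-number", "split-brain")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


def parse_icl(text):
    """Collect the key/value lines needed for the restart decision."""
    fields = {}
    for line in text.splitlines():
        parts = line.split("<--")[0].split()  # drop the document's arrow notes
        if len(parts) == 2 and parts[0] in WANTED:
            fields[parts[0]] = parts[1]
    missing = [k for k in WANTED if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return fields


def mac_value(mac):
    """Convert aa:bb:cc:dd:ee:ff to an integer so MACs compare numerically."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC address: " + mac)
    return int(mac.replace(":", ""), 16)


def restart_plan(text):
    """Decide which MCLAG peer restarts first (the one with the lower MAC)."""
    f = parse_icl(text)
    local, peer = mac_value(f["interface-mac"]), mac_value(f["peer-mac"])
    if local == peer:
        raise ValueError("local and peer MAC are identical; check the output")
    first = "local" if local < peer else "peer"
    serials = [f["local-serial-number"], f["peer-serial-number"]]
    return {
        "first": first,
        "restart_order": serials if first == "local" else serials[::-1],
        # Step 1: split-brain protection must be off before the upgrade.
        "disable_split_brain_first": f["split-brain"].lower() != "disabled",
    }


if __name__ == "__main__":
    print(restart_plan(SAMPLE_ICL))
```

Refusing to produce a plan when a field is missing or a MAC is malformed keeps a truncated capture from silently picking the wrong switch.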
Reduce configuration revisions before downgrading from 7.4.2 and later versions
For the FS-4xx, FS-5xx, FS-6xx, FS-1024E, FS-1048E, FS-3032E, FS-T1024E, and FS-2048F models only: If you
are downgrading from FortiSwitchOS 7.4.2 and later, you cannot have more than 20 saved configuration revisions.
To check how many saved configuration revisions you have:
execute revision list config
To delete a specific configuration revision:
execute revision delete config <revision_ID>
Zero-touch management
When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be a FortiGate
device, FortiLAN Cloud, or FortiSwitch Manager. All ports are enabled for auto discovery. The “internal” interface is the
DHCP client in all FortiSwitch models. If you do not want your FortiSwitch unit to be managed, you must disable the
features that you do not want active.
By default, auto-network is enabled in FortiSwitchOS 7.2.0 and later
After an execute factoryreset command is executed on a FortiSwitch unit in standalone mode, the auto-network
configuration is enabled by default. If you are not using auto-network, you must manually disable it:
config switch auto-network
set status disable
end
Downgrading FortiSwitchOS 7.0.0 and later to versions earlier than 6.2.6 or 6.4.4 is not supported
Downgrading FortiSwitchOS 7.0.0 and later to FortiSwitchOS 6.2.6 and later 6.2 versions is supported. Downgrading
FortiSwitchOS 7.0.0 and later to FortiSwitchOS 6.4.4 and later 6.4 versions is supported. Downgrading FortiSwitchOS
7.0.0 to versions earlier than FortiSwitchOS 6.2.6 or 6.4.4 is not supported.
Downgrading your FortiSwitchOS version requires converting the admin password format first
Before downgrading to a FortiSwitchOS version earlier than 7.0.0, you need to ensure that the administrator password is
in SHA1 format. Use the execute system admin account-convert-sha1 command to convert the administrator
password to SHA1 encryption.
Before downgrading to FortiSwitchOS 7.0.0 or later, you need to ensure that the administrator password is in SHA1 or
SHA256 format.
• Use the execute system admin account-convert-sha1 command to convert the administrator password to SHA1 encryption.
• Use the execute system admin account-convert-sha256 command to convert the password for a system administrator account to SHA256 encryption.
If you do not convert the admin password before downgrading, the admin password will not
work after the switch reboots with the earlier FortiSwitchOS version.
To convert the format of the admin password to SHA1 format:
1. Enter the following CLI command to convert the admin password to SHA1 encryption:
execute system admin account-convert-sha1 <admin_name>
2. Downgrade your firmware.
To convert the format of the admin password to SHA256 format:
1. Enter the following CLI command to convert the admin password to SHA256 encryption:
execute system admin account-convert-sha256 <admin_name>
2. Downgrade your firmware.
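The three downgrade notices above (supported target versions, the 20-revision limit, and the admin password format) can be combined into one pre-downgrade check; this is an added example, not Fortinet code. The function name, the blocker codes, and the `password_format` and `saved_revisions` inputs are assumptions: the operator supplies them, because the release notes do not show how the switch reports either value.

```python
import re

# Models the release notes limit to 20 saved revisions when downgrading from
# 7.4.2 and later: FS-4xx, FS-5xx, FS-6xx, FS-1024E, FS-1048E, FS-3032E,
# FS-T1024E and FS-2048F. Assumption: "FS-4xx" covers names such as
# FS-M426E-FPOE (listed under FortiSwitch 4xx) but not the FSR- rugged models.
REVISION_LIMITED = re.compile(
    r"FS-(?:[A-Z]?[456]\d\d[A-Z]|1024E|1048E|3032E|T1024E|2048F)(?:-|$)")


def ver(text):
    """'7.4.2' -> (7, 4, 2) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 3:
        raise ValueError("expected major.minor.patch, got " + text)
    return parts


def downgrade_blockers(model, current, target, password_format, saved_revisions):
    """Return (code, message) pairs for every notice that blocks this downgrade."""
    cur, tgt = ver(current), ver(target)
    if tgt >= cur:
        raise ValueError("target version is not older than the current one")
    blockers = []

    # 7.0.0 and later -> only 6.2.6+ (6.2 train) or 6.4.4+ (6.4 train) or newer.
    if cur >= (7, 0, 0) and (tgt < (6, 2, 6) or (6, 4, 0) <= tgt < (6, 4, 4)):
        blockers.append(("unsupported-target",
                         "downgrade from %s to %s is not supported" % (current, target)))

    # Targets before 7.0.0 need SHA1; 7.0.0 and later accept SHA1 or SHA256.
    allowed = {"sha1"} if tgt < (7, 0, 0) else {"sha1", "sha256"}
    if password_format.lower() not in allowed:
        blockers.append(("password-format",
                         "convert the admin password to " + " or ".join(sorted(allowed))))

    # Listed models leaving 7.4.2 or later may keep at most 20 revisions.
    if cur >= (7, 4, 2) and REVISION_LIMITED.match(model) and saved_revisions > 20:
        blockers.append(("too-many-revisions",
                         "delete %d saved revisions first" % (saved_revisions - 20)))
    return blockers


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for code, msg in downgrade_blockers("FS-424E-POE", "7.6.1", "6.4.3", "sha256", 25):
        print(code + ": " + msg)
```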
Upgrade information
FortiSwitchOS 7.6.1 supports upgrading from FortiSwitchOS 3.5.0 and later.
For the FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, and FS-M426-FPOE models, there is a two-step
upgrade process if you are upgrading from FortiSwitchOS 6.0.x or 6.2.x to 7.6.x:
1. Upgrade from FortiSwitchOS 6.0.x or 6.2.x to FortiSwitchOS 6.4.12 or later.
2. Upgrade from FortiSwitchOS 6.4.12 or later to 7.6.x.
If you do not follow the two-step upgrade process, the FortiSwitch unit will not start
after the upgrade, and you will need to use the serial console to conclude the
upgrade (BIOS and OS).
For FortiSwitch units managed by FortiGate units, refer to the FortiLink Release Notes for upgrade information.
Product integration and support
FortiSwitchOS 7.6.1 support
The following table lists FortiSwitchOS 7.6.1 product integration and support information.
Web browser:
• Microsoft Edge 112
• Mozilla Firefox version 113
• Google Chrome version 113
Other web browsers may function correctly, but are not supported by Fortinet.
FortiOS (FortiLink Support): Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.
Resolved issues
The following issues have been fixed in FortiSwitchOS 7.6.1. For inquiries about a particular bug, please contact
Customer Service & Support.
Bug ID: Description
940586, 958210: For the FS-148F, FS-148F-POE, and FS-148F-FPOE models, there might be packet loss after the packet sampler or packet capture is enabled.
972437, 978073, 1025772, 1072375: The FS-1048E and FS-1xxF models do not work with FN-CABLE-SFP+3.
991105: The value for the maximum number of ACL rules is incorrect for the FS-124F model.
1024979: On the FS-1024D model, a ping through a managed FortiSwitch unit to a routed IP address over a FortiGate device fails when the routing offload is enabled on the managed FortiSwitch unit.
1048096: For the FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-2048F, and FS-1048E models, when IGMP snooping is enabled, IGMP group traffic with TTL=1 is dropped.
1054735: Users cannot configure more than 32 trunks on the FS-648F model.
1062039: A PoE device is not properly powering up from FS-148F-FPOE ports.
1062740: A 500 internal server error occurs when downloading a backup configuration file with a password.
1066566: There are error messages when the VRF names are longer than 15 characters.
1068360: The way that multichassis link aggregation groups (MCLAGs) handle static MAC addresses has been improved. When an MCLAG trunk goes down, the static MAC addresses are removed from the hardware, and the traffic that was going to the static MAC addresses will flood over the interchassis link (ICL). When the MCLAG trunk goes up, the static MAC addresses are added to the hardware again.
1068688: When the reauth-period is set to 5 minutes, the client is disconnected from the network when dynamic ARP inspection (DAI) is enabled on a VLAN.
1073933: Generating the CSR from a managed FortiSwitch unit using the GUI fails.
1077911, 1081414: A phone using a port with 802.1X MAC-based authentication enabled cannot get the IP address from the DHCP server when DHCP snooping and allow-mac-move are enabled.
1080985: After upgrading the switch firmware to version 7.6.0 on the FS-624F or FS-624F-FPOE model, the LED indicators for ports 1-24 stopped working.
1087943: The FS-1024E does not work with 3-meter and 5-meter DAC cables.
1092478: Ports 49 and 50 of the FS-1048E model are intermittently transmitting power higher than 5 dBm.
1097844: The switch port status is incorrectly showing the SFP module as not connected with cables.
Known issues
The following known issues have been identified with FortiSwitchOS 7.6.1. For inquiries about a particular bug or to
report a bug, please contact Fortinet Customer Service & Support.
Bug ID: Description
382518, 417024, 417073, 417099, 438441: DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs).
414972: IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality.
510943: The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values.
  Workaround: When using the cable diagnostics feature on a port (with the diagnose switch physical-ports cable-diag <physical port name> CLI command), ensure that the physical link on its neighbor port is down. You can disable the neighbor ports or physically remove the cables.
542031: For the FS-5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs.
548783: Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources.
572052: Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters.
  Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x.
585550: When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded.
606044, 610149: The results are inaccurate when running cable diagnostics on the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
609375: FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, the SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB.
659487: The FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, and FS-148E-POE models support ACL packet counters but not byte counters. The get switch acl counters commands always show the number of bytes as 0.
777647:
  • When MACsec is enabled on a tagged port, the set exclude-protocol command does not work on packets with VLAN tags (ARP, IPv4, or IPv6).
  • If you use the set exclude-protocol command with dot1q and packets with VLAN tags (ARP, IPv4, or IPv6), the packets are not MACsec encrypted and are transmitted as plain text.
  • Only 0x88a8 type packets apply to qinq.
784585: When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks.
  Workaround: Disable MRP and then re-enable MRP.
793145: VXLAN does not work with the following:
  • log-mac-event
  • LLDP-assigned VLANs
  • NAC
  • Block intra-VLAN traffic
829807: eBGP does not advertise routes to its peer by default unless the set ebgp-requires-policy disable command is explicitly configured or inbound/outbound policies are configured.
903001: Do not use mgmt as the name of a switch virtual interface (SVI). mgmt is reserved for the physical management switch port.
916405: FortiSwitchOS should not allow MACsec and 802.1X authentication to be configured on the same port.
940248: When both network device detection (config switch network-monitor settings) and the switch controller routing offload are enabled, the FS-1048E switch generates duplicate packets.
950895: In Release 7.4.1, VXLAN supports only one MSTP instance.
987504: High CPU usage occurs on the FS-1xx series when the IGMP querier is enabled and IGMP snooping is disabled.
  Workaround: Disable the IGMP querier when IGMP snooping is not being used.
942068, 1006513: After using a dynamic port policy to remove or add a port, the profile was not updated after the user logged out of the EAP session.
www.fortinet.com
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions,
and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and
other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance
metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.