FortiSwitchOS 7.6.1 Release Notes
Date: January 15, 2025
Document ID: 11-761-1084086-20250115
Introduction
This document provides the following information for FortiSwitchOS 7.6.1 build 1047:
- Supported models
- Special notices
- Upgrade information
- Product integration and support
- Resolved issues
- Known issues
See the Fortinet Document Library for FortiSwitchOS documentation.
Supported Models
FortiSwitchOS 7.6.1 supports the following models:
FortiSwitch 1xx
FS-108F, FS-108F-POE, FS-108F-FPOE, FS-110G-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx
FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx
FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE
FortiSwitch 5xx
FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 6xx
FS-624F, FS-624F-FPOE, FS-648F, FS-648F-FPOE
FortiSwitch 1xxx
FS-1024E, FS-1048E, FS-T1024E, FS-T1024F-FPOE
FortiSwitch 2xxx
FS-2048F
FortiSwitch 3xxx
FS-3032E
FortiSwitch Rugged
FSR-216F-POE, FSR-424F-POE
Change Log
Date | Change Description |
---|---|
December 13, 2024 | Initial release for FortiSwitchOS 7.6.1 |
January 2, 2025 | Added bug 1105139. |
January 8, 2025 | Removed bug 1105139. |
January 15, 2025 | Added bug 1016796. |
What's New in FortiSwitchOS 7.6.1
Release 7.6.1 provides the following new features:
- The FS-424E-Fiber model now supports two Media Redundancy Protocol (MRP) rings.
- The FS-6xxF models now support RFC 5549 for a simplified fabric configuration.
- Dynamic VLAN pruning is now supported. Dynamic VLAN pruning prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link (ISL) trunks. This process makes networks more efficient and preserves bandwidth. In addition, dynamic VLAN pruning eliminates the time spent on manual VLAN pruning and reduces the chance of errors.
- You can now use the new config system debug command to set the debugging level for various applications so that, after restarting the FortiSwitch unit, the debugging level is applied immediately at startup.
- You can now specify in the CLI that a Precision Time Protocol (PTP)-capable interface will operate in a master-only or slave-only role.
- When you scroll a data table that is longer than the window it is displayed in, the table header now stays at the top of the page, instead of scrolling off the screen.
- ACL configuration has been enhanced in the CLI:
- You can now define the source and destination mask address to be matched, in addition to the source and destination MAC address, for classifiers for ACL ingress policies.
- You can now specify the layer-3 interface name for layer-3 unicast classification for ACL ingress policies.
- When you customize an SCTP, TCP, or UDP service for an ACL policy, you can now define a port mask.
Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
Special Notices
Upgrading MCLAG Peer Group Switches from FortiSwitchOS 7.4.x and Earlier to FortiSwitchOS 7.6.0 and Later
FortiSwitchOS 7.4.3 has changes in the MCLAG ICL communication that are incompatible with previous versions; therefore, the upgrade of the MCLAG peer group will have a longer impact than usual. Below are the recommended procedures.
From the FortiGate Switch Controller:
- Disable network monitoring on the FortiGate device:
config switch-controller network-monitor-settings
set network-monitoring disable
end
- Stage the FortiSwitch firmware image on the FortiSwitch units using the execute switch-controller switch-software stage command on the FortiGate device.
- Restart the MCLAG peer group switches at the same time.
From the FortiSwitch CLI:
The following recommended procedure will minimize downtime when upgrading MCLAG (the expected impact is within 20 seconds) from FortiSwitchOS 7.4.x and earlier to FortiSwitchOS 7.6.0 and later.
- If MCLAG split-brain protection is enabled, disable it in both switches in the MCLAG peer group.
- In the FortiSwitchOS CLI, use the diagnose switch mclag icl command to find out which switch has the lower MAC address.
- Stage the image in both switches using the execute stage image CLI command.
- Restart the switch with the lower MAC address. In the preceding example, the local switch has the lower MAC address, so the local switch should be restarted first.
- Wait for the switch to restart and check that all links come up (the LACP trunks could be in a down state).
- Restart the other switch.
- After MCLAG comes up, enable split-brain protection if it was enabled before the upgrade.
Reduce Configuration Revisions Before Downgrading from 7.4.2 and Later Versions
For the FS-4xx, FS-5xx, FS-6xx, FS-1024E, FS-1048E, FS-3032E, FS-T1024E, and FS-2048F models only: If you are downgrading from FortiSwitchOS 7.4.2 and later, you cannot have more than 20 saved configuration revisions.
To check how many saved configuration revisions you have:
execute revision list config
To delete a specific configuration revision:
execute revision delete config <revision_ID>
Zero-Touch Management
When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be a FortiGate device, FortiLAN Cloud, or FortiSwitch Manager. All ports are enabled for auto discovery. The "internal" interface is the DHCP client in all FortiSwitch models. If you do not want your FortiSwitch unit to be managed, you must disable the features that you do not want active.
By Default, Auto-Network is Enabled in FortiSwitchOS 7.2.0 and Later
After an execute factoryreset command is executed on a FortiSwitch unit in standalone mode, the auto-network configuration is enabled by default. If you are not using auto-network, you must manually disable it:
config switch auto-network
set status disable
end
Downgrading FortiSwitchOS 7.0.0 and Later to Versions Earlier Than 6.2.6 or 6.4.4 is Not Supported
Downgrading FortiSwitchOS 7.0.0 and later to FortiSwitchOS 6.2.6 and later 6.2 versions is supported. Downgrading FortiSwitchOS 7.0.0 and later to FortiSwitchOS 6.4.4 and later 6.4 versions is supported. Downgrading FortiSwitchOS 7.0.0 to versions earlier than FortiSwitchOS 6.2.6 or 6.4.4 is not supported.
Downgrading Your FortiSwitchOS Version Requires Converting the Admin Password Format First
Before downgrading to a FortiSwitchOS version earlier than 7.0.0, you need to ensure that the administrator password is in SHA1 format. Use the execute system admin account-convert-sha1 command to convert the administrator password to SHA1 encryption.
Before downgrading to FortiSwitchOS 7.0.0 or later, you need to ensure that the administrator password is in SHA1 or SHA256 format.
- Use the execute system admin account-convert-sha1 command to convert the administrator password to SHA1 encryption.
- Use the execute system admin account-convert-sha256 command to convert the password for a system administrator account to SHA256 encryption.
⚠️ If you do not convert the admin password before downgrading, the admin password will not work after the switch reboots with the earlier FortiSwitchOS version.
To convert the format of the admin password to SHA1 format:
- Enter the following CLI command to convert the admin password to SHA1 encryption:
execute system admin account-convert-sha1 <admin_name>
- Downgrade your firmware.
To convert the format of the admin password to SHA256 format:
- Enter the following CLI command to convert the admin password to SHA256 encryption:
execute system admin account-convert-sha256 <admin_name>
- Downgrade your firmware.
Upgrade Information
FortiSwitchOS 7.6.1 supports upgrading from FortiSwitchOS 3.5.0 and later.
For the FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, and FS-M426E-FPOE models, there is a two-step upgrade process if you are upgrading from FortiSwitchOS 6.0.x or 6.2.x to 7.6.x:
- Upgrade from FortiSwitchOS 6.0.x or 6.2.x to FortiSwitchOS 6.4.12 or later.
- Upgrade from FortiSwitchOS 6.4.12 or later to 7.6.x.
If you do not follow the two-step upgrade process, the FortiSwitch unit will not start after the upgrade, and you will need to use the serial console to conclude the upgrade (BIOS and OS).
For FortiSwitch units managed by FortiGate units, refer to the FortiLink Release Notes for upgrade information.
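The version rules from Special Notices and Upgrade Information, collected into one pre-change check. This is an added example, not Fortinet code: preflight, its arguments and the finding strings are hypothetical, and the revision count and password format are supplied by the operator rather than read from the switch.

```python
import re

# Model lists from the Special Notices and Upgrade Information sections
# (FS-M426E-FPOE spelled as in the Supported Models list).
TWO_STEP = {"FS-424E", "FS-424E-POE", "FS-424E-FPOE", "FS-424E-Fiber", "FS-M426E-FPOE"}
REV_LIMIT_NAMED = {"FS-1024E", "FS-1048E", "FS-3032E", "FS-T1024E", "FS-2048F"}
REV_LIMIT_SERIES = re.compile(r"FS-M?[456]\d\d(?!\d)")  # FS-4xx, FS-5xx, FS-6xx

def ver(text):
    """Parse 'X.Y.Z' into an int tuple so 6.4.12 compares greater than 6.4.4."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"expected X.Y.Z, got {text!r}")
    return tuple(map(int, m.groups()))

def preflight(model, current, target, saved_revisions, admin_hash):
    """Return blocking findings for a planned firmware change (empty list = none).

    Hypothetical helper: saved_revisions and admin_hash ('sha1', 'sha256' or any
    other label) are supplied by the operator; no switch output is parsed here.
    """
    cur, tgt, out = ver(current), ver(target), []
    if tgt > cur:
        if tgt == (7, 6, 1) and cur < (3, 5, 0):
            out.append("7.6.1 supports upgrading from 3.5.0 and later only")
        if model in TWO_STEP and cur[:2] in {(6, 0), (6, 2)} and tgt[:2] == (7, 6):
            out.append("two-step upgrade: install 6.4.12 or later first, then 7.6.x")
    elif tgt < cur:
        if cur >= (7, 0, 0) and (tgt < (6, 2, 6) or (6, 4, 0) <= tgt < (6, 4, 4)):
            out.append("downgrade target earlier than 6.2.6 or 6.4.4 is not supported")
        allowed = ["sha1"] if tgt < (7, 0, 0) else ["sha1", "sha256"]
        if admin_hash not in allowed:
            out.append("convert the admin password to " + " or ".join(allowed) + " first")
        limited = model in REV_LIMIT_NAMED or REV_LIMIT_SERIES.match(model)
        if limited and cur >= (7, 4, 2) and saved_revisions > 20:
            out.append(f"delete {saved_revisions - 20} saved configuration revisions (limit 20)")
    return out

if __name__ == "__main__":
    # Constructed inventory rows: model, running, target, revisions, admin hash label.
    plan = [("FS-424E-POE", "6.2.3", "7.6.1", 4, "sha256"),
            ("FS-648F", "7.6.1", "7.4.3", 25, "sha256"),
            ("FS-124F", "7.6.1", "6.4.3", 30, "sha256")]
    for row in plan:
        print(row[0], row[1], "->", row[2], preflight(*row) or "ok")
```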
Product Integration and Support
FortiSwitchOS 7.6.1 Support
The following table lists FortiSwitchOS 7.6.1 product integration and support information.
Web browser | FortiOS (FortiLink Support) |
---|---|
Microsoft Edge 112 | |
Mozilla Firefox version 113 | |
Google Chrome version 113 | |
Other web browsers may function correctly, but are not supported by Fortinet.
Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.
Resolved Issues
The following issues have been fixed in FortiSwitchOS 7.6.1. For inquiries about a particular bug, please contact Customer Service & Support.
Bug ID | Description |
---|---|
940586, 958210 | For the FS-148F, FS-148F-POE, and FS-148F-FPOE models, there might be packet loss after the packet sampler or packet capture is enabled. |
972437, 978073, 1025772, 1072375 | The FS-1048E and FS-1xxF models do not work with FN-CABLE-SFP+3. |
991105 | The value for the maximum number of ACL rules is incorrect for the FS-124F model. |
1024979 | On the FS-1024D model, a ping through a managed FortiSwitch unit to a routed IP address over a FortiGate device fails when the routing offload is enabled on the managed FortiSwitch unit. |
1048096 | For the FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-2048F, and FS-1048E models, when IGMP snooping is enabled, IGMP group traffic with TTL=1 is dropped. |
1054735 | Users cannot configure more than 32 trunks on the FS-648F model. |
1062039 | A PoE device is not properly powering up from FS-148F-FPOE ports. |
1062740 | A 500 internal server error occurs when downloading a backup configuration file with a password. |
1066566 | There are error messages when the VRF names are longer than 15 characters. |
1068360 | The way that multichassis link aggregation groups (MCLAGs) handle static MAC addresses has been improved. When an MCLAG trunk goes down, the static MAC addresses are removed from the hardware, and the traffic that was going to the static MAC addresses will flood over the interchassis link (ICL). When the MCLAG trunk goes up, the static MAC addresses are added to the hardware again. |
1068688 | When the reauth-period is set to 5 minutes, the client is disconnected from the network when dynamic ARP inspection (DAI) is enabled on a VLAN. |
1073933 | Generating the CSR from a managed FortiSwitch unit using the GUI fails. |
1077911, 1081414 | A phone using a port with 802.1X MAC-based authentication enabled cannot get the IP address from the DHCP server when DHCP snooping and allow-mac-move are enabled. |
1080985 | After upgrading the switch firmware to version 7.6.0 on the FS-624F or FS-624F-FPOE model, the LED indicators for ports 1-24 stopped working. |
1087943 | The FS-1024E does not work with 3-meter and 5-meter DAC cables. |
1092478 | Ports 49 and 50 of the FS-1048E model are intermittently transmitting power higher than 5 dBm. |
1097844 | The switch port status incorrectly shows the SFP module as not connected with cables. |
Known Issues
The following known issues have been identified with FortiSwitchOS 7.6.1. For inquiries about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.
Bug ID | Description |
---|---|
382518, 417024, 417073, 417099, 438441 | DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs). |
414972 | IGMP snooping might not work correctly when used with 802.1x Dynamic VLAN functionality. |
510943 | The time-domain reflectometer (TDR) function (cable diagnostics feature) reports unexpected values. Workaround: When using the cable diagnostics feature on a port (with the diagnose switch physical-ports cable-diag <physical port name> CLI command), ensure that the physical link on its neighbor port is down. You can disable the neighbor ports or physically remove the cables. |
542031 | For the FS-5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs. |
548783 | Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources. |
572052 | Backup files from FortiSwitchOS 3.x that have 16-character-long passwords fail when restored on FortiSwitchOS 6.x. In FortiSwitchOS 6.x, file backups fail with passwords longer than 15 characters. Workaround: Use passwords with a maximum of 15 characters for FortiSwitchOS 3.x and 6.x. |
585550 | When packet sampling is enabled on an interface, packets that should be dropped by uRPF will be forwarded. |
606044, 610149 | The results are inaccurate when running cable diagnostics on the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models. |
609375 | FortiSwitchOS supports four priority levels (critical, high, medium, and low); however, the SNMP Power Ethernet MIB only supports three levels. To support the MIB, a power priority of medium is returned as low for the PoE MIB. |
659487 | The FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E, and FS-148E-POE models support ACL packet counters but not byte counters. The get switch acl counters commands always show the number of bytes as 0. |
777647 |
|
784585 | When a dynamic LACP trunk has formed between switches in an MRP ring, the MRP ring cannot be closed. Deleting the dynamic LACP trunk does not fix this issue. MRP supports only physical ports and static trunks; MRP does not support dynamic LACP trunks. Workaround: Disable MRP and then re-enable MRP. |
793145 | VXLAN does not work with the following:
|
829807 | eBGP does not advertise routes to its peer by default unless the set ebgp-requires-policy disable command is explicitly configured or inbound/outbound policies are configured. |
903001 | Do not use mgmt as the name of a switch virtual interface (SVI). mgmt is reserved for the physical management switch port. |
916405 | FortiSwitchOS should not allow MACsec and 802.1X authentication to be configured on the same port. |
940248 | When both network device detection (config switch network-monitor settings) and the switch controller routing offload are enabled, the FS-1048E switch generates duplicate packets. |
950895 | In Release 7.4.1, VXLAN supports only one MSTP instance. |
987504 | High CPU usage occurs on the FS-1xx series when the IGMP querier is enabled and IGMP snooping is disabled. Workaround: Disable the IGMP querier when IGMP snooping is not being used. |
942068, 1006513 | After using a dynamic port policy to remove or add a port, the profile was not updated after the user logged out of the EAP session. |
1016796 | For the FSR-216F-POE model only, log-mac-event fails when the MAC address was learned on another interface at the same time as when the MAC address was moved. |