Overview:
The FortiSwitch Access Family is tailored to meet the unique demands of enterprise branch offices and small businesses. An unparalleled combination of security, ease of use, and scalability makes FortiSwitch™ the ideal choice for Ethernet infrastructure.
Managing a remote enterprise branch or small business network can be a challenging task due to various factors including a lack of visibility of connected devices, limited time and tools for LAN management, and a shortage of skilled personnel. The FortiSwitch Secure Access family seamlessly integrates Ethernet networking with advanced security features, effectively eliminating the silos that hinder day-to-day management. Feature-rich and easy to manage with a low total cost of ownership, FortiSwitch emerges as the optimal choice for remote enterprise-branch and small-business Ethernet networks.
Highlights
- Standalone or Integrated FortiLink deployment option
- Zero-touch deployment
- On-premises and cloud-based management options
- Intuitive management allows for ease of set up for network access and security
- Easy-to-use network access control (NAC) at no cost
- User- and device-based access control and policy enforcement
- Secure access service edge (SASE) support
- Scalable and flexible for branches or small business
- Up to 48 access ports in a compact 1 RU form factor
- Power over Ethernet and PoE+ support
- Wire-speed switching with up to 10GE uplinks
Features:
Secure Networking Through FortiLink
FortiLink is an innovative proprietary management protocol that enables seamless integration and management between a FortiGate Next-Generation Firewall and the FortiSwitch Ethernet switching platform. By using FortiLink, the FortiSwitch becomes a logical extension of the FortiGate, allowing for centralized management of both network security and access layer functions through a single interface.
Easy-to-use Network Access Control (NAC) at No Cost
FortiLink integration enables basic NAC functionality to profile and securely onboard devices as they connect. FortiLink NAC offers visibility into all connected devices, automated segmentation and security policies for IoT devices, quarantine if compromised, and virtual patching to help protect against threats.

Built-in Ethernet Port Security
Traditional Ethernet port security demands manual effort and continuous maintenance, which is impractical for IT administrators of remote branches or small businesses. Consequently, Ethernet ports are frequently left unprotected. FortiSwitch access switching offers IT administrators the ability to secure ports, ensuring only approved users and devices get access to the network. The automation of port security without requiring 802.1X makes policy enforcement easy to implement and manage, while NGFW-level policies ensure granular control and zero-trust access for users and devices.
User- and Device-Based Access Control and Policy Enforcement
Whether leveraging Fortinet Identity Access Management (IAM) or third-party identity providers, FortiLink automation can leverage user identity to make granular role-based policy decisions, allowing you to implement zero-trust principles.
Secure Access Service Edge (SASE)
This FortiSwitch enterprise architecture offers a built-in foundation for zero-trust network access (ZTNA) and secure access service edge (SASE), offering the flexibility to easily deploy the type and level of security you need at the edge of your network.
Operational Simplicity
Deploying, managing, and perfecting an Ethernet switching infrastructure can be challenging and time-consuming, particularly when done remotely or with limited staff.
FortiSwitch switching architecture can be securely deployed and managed in minutes through zero-touch deployment. Whether FortiSwitch is deployed in standalone mode or FortiLink mode, its easy-to-use intuitive workflows and unified views let you provision, manage, and optimize your small business or remote branches at scale.
Whether cloud or on-premises, centralized management delivers a unified view of the LAN, security, and in the case of SD-Branch: SD-WAN and 5G wireless gateways. This feature provides a consistent user experience for optimal operational efficiency, simplifying management, optimization, and troubleshooting. The result is a shorter mean time to repair both network and security issues.

Scalable and Flexible for Branches or Small Business
FortiSwitch access architecture scales to meet the needs of today’s small businesses and remote branches without sacrificing security. Supporting up to 48 ports in a compact 1 RU form factor, FortiSwitch can deliver the performance and scale you require.
Eliminate Bottlenecks
With wire-speed 1GE access ports and dedicated uplinks capable of speeds up to 10GE, the FortiSwitch Access Series provides the performance and speed needed for next-generation SD-Branch applications.
Next-Generation Power Over Ethernet Support
With PoE+ support in all models, FortiSwitch delivers and manages power for devices such as cameras, sensors, and wireless access points.
Software Features:
Refer to the FortiSwitch Feature Matrix for details about the features supported by each FortiSwitch model.
FortiSwitch FortiLink Mode (With FortiGate)
Management and Configuration
- Auto Discovery of Multiple Switches
- Automated detection and recommendations
- Centralized VLAN Configuration
- Dynamic Port Profiles for FortiSwitch ports
- FortiLink Secure Fabric
- FortiLink Stacking (Auto Inter-Switch Links)
- FortiSwitch Management over VXLAN
- Health Monitoring
- IGMP Snooping
- L3 Routing and Services (FortiGate)
- Link Aggregation Configuration
- LLDP/MED
- Managed Switches 8 to 300 depending on FortiGate model
- Policy-Based Routing (FortiGate)
- Provision firmware upon authorization
- Software Upgrade of Switches
- Spanning Tree
- Switch POE Control
- Virtual Domain (FortiGate)
High Availability
- Active-Active Split LAG from FortiGate to FortiSwitches for Advanced Redundancy
- LAG support for FortiLink Connection
- Support FortiLink FortiGate in HA Cluster
Security and Visibility
- Authentication 802.1X (Port-based, MAC-based, MAB)
- Block Intra-VLAN Traffic
- Clients Monitoring
- Device Detection
- DHCP Snooping
- DHCP/ARP Monitor
- FortiGuard IoT identification
- FortiSwitch recommendations in Security Rating
- Host Quarantine on Switch Port
- Integrated FortiGate Network Access Control (NAC) function
- MAC Black/White Listing (FortiGate)
- NAC Device Telemetry
- Network Device Detection
- Policy Control of Users and Devices (FortiGate)
- Port Statistics
- Security Fabric Automation
- Switch Controller traffic collector
- Syslog Collection
UTM Features
- Firewall (FortiGate)
- IPS, AV, Application Control, Botnet (FortiGate)
FortiSwitch
Layer 2
- Auto-negotiation for Port Speed and Duplex
- Auto topology
- Dynamically shared packet buffers
- Edge Port / Port Fast
- IEEE 802.1ad QinQ
- IEEE 802.1AX Link Aggregation
- IEEE 802.1D MAC Bridging/STP
- IEEE 802.1Q VLAN Tagging
- IEEE 802.1s Multiple Spanning Tree Protocol (MSTP)
- IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
- IEEE 802.3 10Base-T
- IEEE 802.3ab 1000Base-T
- IEEE 802.3ad Link Aggregation with LACP
- IEEE 802.3ae 10 Gigabit Ethernet
- IEEE 802.3az Energy Efficient Ethernet
- IEEE 802.3ba, 802.3bj, and 802.3bm 40 and 100 Gigabit Ethernet
- IEEE 802.3bz Multi Gigabit Ethernet
- IEEE 802.3 CSMA/CD Access Method and Physical Layer Specifications
- IEEE 802.3u 100Base-TX
- IEEE 802.3x Flow Control and Back-pressure
- IEEE 802.3z 1000Base-SX/LX
- Ingress Pause Metering
- Jumbo Frames
- LAG min/max bundle
- Loop Guard
- MAC, IP, Ethertype-based VLANs
- MDI/MDIX Auto-crossover
- Per-port storm control
- Priority-based Flow Control (802.1Qbb)
- Private VLAN
- Rapid PVST interoperation
- Spanning Tree Instances (MSTP/CST)
- Storm Control
- STP BPDU Guard
- STP Root Guard
- Time-Domain Reflectometry (TDR) Support
- Unicast/Multicast traffic balance over trunking port (dst-ip, dst-mac, src-dst-ip, src-dst-mac, src-ip, src-mac)
- Virtual-Wire
- VLAN Mapping
Services
- IGMP proxy / querier
- IGMP Snooping
- MLD proxy / querier
- MLD Snooping
Layer 3
- Bidirectional Forwarding Detection (BFD)
- DHCP Relay
- DHCP server
- Dynamic Routing Protocols: OSPFv2, RIPv2, VRRP, ISIS *
- Filtering routemaps based on routing protocol
- IP conflict detection and notification
- IPv6 route filtering
- Static Routing (Hardware-based)
- Unicast Reverse Path Forwarding - uRPF
Security and Visibility
- ACL
- ACL Multiple Ingress
- ACL Multistage
- ACL Schedule
- Admin Authentication Via RFC 2865 RADIUS
- Assign VLANs via Radius attributes (RFC 4675)
- DHCP-Snooping
- Dynamic ARP Inspection
- Flow Export (NetFlow and IPFIX)
- IEEE 802.1ab Link Layer Discovery Protocol (LLDP)
- IEEE 802.1ab LLDP-MED
- IEEE 802.1ae MAC Security (MAC Sec)
- IEEE 802.1X Authentication MAC-based
- IEEE 802.1X Authentication Port-based
- IEEE 802.1X Dynamic VLAN Assignment
- IEEE 802.1X EAP pass-through
- IEEE 802.1X Guest and Fallback VLAN
- IEEE 802.1X MAC Access Bypass (MAB)
- IEEE 802.1X open auth
- IP source guard
- IPv6 RA Guard
- LLDP-MED ELIN support
- MAC-IP Binding
- Per-port and per-VLAN MAC learning limit
- Port Mirroring
- Radius Accounting
- Radius CoA (Change of Authorization)
- sFlow
- Sticky MAC and MAC Limit
- Wake on LAN
High Availability
- Multi-Chassis Link Aggregation (MCLAG)
Quality of Service
- Egress priority tagging
- Explicit Congestion Notification
- IEEE 1588 PTP (Transparent Clock)
- IEEE 802.1p Based Priority Queuing
- IP TOS/DSCP Based Priority Queuing
- Percentage Rate Control
Management
- Automation Stitches
- Display Average Bandwidth and Allow Sorting on Physical Port / Interface Traffic
- Dual Firmware Support
- HTTP / HTTPS
- IPv4 and IPv6 Management
- Link Monitor
- Managed from FortiGate
- Packet Capture
- POE Control Modes
- Provide warning if L2 table is getting full
- RMON Group 1
- SNMP v1/v2c/v3
- SNMP v3 traps
- SNTP
- Software download/upload: TFTP/FTP/GUI
- SPAN, RSPAN, and ERSPAN
- Standard CLI and Web GUI Interface
- Support for HTTP REST APIs for Configuration and Monitoring
- Syslog UDP/TCP
- System alias command
- System Temperature and Alert
- Telnet / SSH
*Requires ‘Advanced Features’ License.
All FortiSwitch Models (RFC and MIB Support*)
BFD
- RFC 5880: Bidirectional Forwarding Detection (BFD)
- RFC 5881: Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
- RFC 5882: Generic Application of Bidirectional Forwarding Detection (BFD)
BGP
- RFC 1771: A Border Gateway Protocol 4 (BGP-4)
- RFC 1965: Autonomous System Confederations for BGP
- RFC 1997: BGP Communities Attribute
- RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
- RFC 2796: BGP Route Reflection - An Alternative to Full Mesh IBGP
- RFC 2842: Capabilities Advertisement with BGP-4
- RFC 2858: Multiprotocol Extensions for BGP-4
- RFC 4271: BGP-4
- RFC 6286: Autonomous-System-Wide Unique BGP Identifier for BGP-4
- RFC 6608: Subcodes for BGP Finite State Machine Error
- RFC 6793: BGP Support for Four-Octet Autonomous System (AS) Number Space
- RFC 7606: Revised Error Handling for BGP UPDATE Messages
- RFC 7607: Codification of AS 0 Processing
- RFC 7705: Autonomous System Migration Mechanisms and Their Effects on the BGP AS_PATH Attribute
- RFC 8212: Default External BGP (EBGP) Route Propagation Behavior without Policies
- RFC 8654: Extended Message Support for BGP
DHCP
- RFC 2131: Dynamic Host Configuration Protocol
- RFC 3046: DHCP Relay Agent Information Option
- RFC 7513: Source Address Validation Improvement (SAVI) Solution for DHCP
IP/IPv4
- RFC 2697: A Single Rate Three Color Marker
- RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP
- RFC 5227: IPv4 Address Conflict Detection
- RFC 5517: Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
- RFC 7039: Source Address Validation Improvement (SAVI) Framework
IP Multicast
- RFC 2710: Multicast Listener Discovery (MLD) for IPv6 (MLDv1)
- RFC 3569: An Overview of Source-Specific Multicast (SSM)
- RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches
- RFC 4605: Internet Group Management Protocol (IGMP)/Multicast Listener Discovery (MLD)-Based Multicast Forwarding (“IGMP/MLD Proxying”)
- RFC 4607: Source-Specific Multicast for IP
IPv6
- RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
- RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers (DSCP)
- RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
- RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers
- RFC 4291: IP Version 6 Addressing Architecture
- RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
- RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- RFC 4862: IPv6 Stateless Address Autoconfiguration
- RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
- RFC 6724: Default Address Selection for Internet Protocol version 6 (IPv6)
- RFC 7113: IPv6 RA Guard
- RFC 8200: Internet Protocol, Version 6 (IPv6) Specification
- RFC 8201: Path MTU Discovery for IP version 6
IS-IS
- RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
- RFC 5308: Routing IPv6 with IS-IS
MIB
- RFC 1213: MIB II parts that apply to FortiSwitch 100 units
- RFC 1354: IP Forwarding Table MIB
- RFC 1493: Bridge MIB
- RFC 1573: SNMP MIB II
- RFC 1643: Ethernet-like Interface MIB
- RFC 1724: RIPv2-MIB
- RFC 1850: OSPF Version 2 Management Information Base
- RFC 2233: The Interfaces Group MIB using SMIv2
- RFC 2618: Radius-Auth-Client-MIB
- RFC 2620: Radius-Acc-Client-MIB
- RFC 2665: Definitions of Managed Objects for the Ethernet-like Interface Types
- RFC 2674: Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN extensions
- RFC 2787: Definitions of Managed Objects for the Virtual Router Redundancy Protocol
- RFC 2819: Remote Network Monitoring Management Information Base
- RFC 2863: The Interfaces Group MIB
- RFC 2932: IPv4 Multicast Routing MIB
- RFC 2934: Protocol Independent Multicast MIB for IPv4
- RFC 3289: Management Information Base for the Differentiated Services Architecture
- RFC 3433: Entity Sensor Management Information Base
- RFC 3621: Power Ethernet MIB
- RFC 6933: Entity MIB (Version 4)
OSPF
- RFC 1583: OSPF version 2
- RFC 1765: OSPF Database Overflow
- RFC 2328: OSPF version 2
- RFC 2370: The OSPF Opaque LSA Option
- RFC 2740: OSPF for IPv6
- RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option
- RFC 3137: OSPF Stub Router Advertisement
- RFC 3623: OSPF Graceful Restart
- RFC 5340: OSPF for IPv6 (OSPFv3)
- RFC 5709: OSPFv2 HMAC-SHA Cryptographic Authentication
- RFC 6549: OSPFv2 Multi-Instance Extensions
- RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type
- RFC 6860: Hiding Transit-Only Networks in OSPF
- RFC 7474: Security Extension for OSPFv2 When Using Manual Key Management
- RFC 7503: OSPF for IPv6
- RFC 8042: CCITT Draft Recommendation T.4
- RFC 8362: OSPFv3 Link State Advertisement (LSA) Extensibility
OTHER
- RFC 2030: SNTP
- RFC 3176: InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
- RFC 3768: VRRP
- RFC 3954: Cisco Systems NetFlow Services Export Version 9
- RFC 5101: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information
- RFC 5798: VRRPv3 (IPv4 and IPv6)
RADIUS
- RFC 2865: Admin Authentication Using RADIUS
- RFC 2866: RADIUS Accounting
- RFC 4675: RADIUS Attributes for Virtual LAN and Priority Support
- RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RIP
- RFC 1058: Routing Information Protocol
- RFC 2080: RIPng for IPv6
- RFC 2082: RIP-2 MD5 Authentication
- RFC 2453: RIPv2
- RFC 4822: RIPv2 Cryptographic Authentication
SNMP
- RFC 1157: SNMPv1/v2c
- RFC 2571: Architecture for Describing SNMP
- RFC 2572: SNMP Message Processing and Dispatching
- RFC 2573: SNMP Applications
- RFC 2576: Coexistence between SNMP versions
* RFC and MIB supported by FortiSwitch Operating System