FortiGate
asanzd
Staff
Article Id 390053
Description This article describes a feature introduced in FortiOS 7.4.1 that lets a FortiGate authenticate FortiSwitch units in the Security Fabric before authorizing them.
Scope FortiGate, FortiSwitch.
Solution

FortiOS 7.4.1 introduced a feature that allows the FortiGate to authenticate a FortiSwitch before authorizing it.

Authentication is certificate-based: the FortiGate and the FortiSwitch must hold the same certificate (the Fortinet factory certificate by default), and that certificate is the piece of evidence the FortiGate validates before it authorizes the switch.

Normally only genuine FortiSwitch units are connected to a FortiGate and managed by it, so in practice the risk is low; this feature nevertheless adds an authentication step to the authorization process, so that a device on a FortiLink port is not trusted simply because it speaks the protocol.

There are three configuration options for this feature:

  • Legacy: This mode is the default. There is no authentication; any switch is authorized.
  • Relax: If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

A restricted ISL trunk is the same as a regular ISL trunk, except that FortiOS does not add any user VLANs to it. The restricted ISL trunk allows just enough access for an administrator to authenticate a switch that has not yet been authenticated. Use a restricted ISL trunk for a FortiSwitch unit that was just added to the Security Fabric, or for a FortiSwitch unit that does not support authentication or encryption.

  • Strict: If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed at all.

 

'Strict' is the option to use when the requirement is that an ISL trunk is built only after authentication has completed successfully; 'relax' still gives an unauthenticated switch a (restricted) link.

When authentication is enabled (the example below uses 'strict'), the certificate to validate is configured under the lldp-profile:

 

config switch-controller lldp-profile
    edit customLLDPprofile <----- Customized profile.
        set auto-isl-auth strict
        set auto-isl-auth-user Fortinet_Factory <----- Fortinet_Factory certificate or another imported certificate.
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed <----- 'mixed' or 'must' enables MACsec encryption.
        set auto-isl-auth-macsec-profile default-macsec-auto-isl <----- Default macsec-auto-isl profile.
    next
end

 

If authentication is configured ('relax' or 'strict'), encryption can also be enabled with 'set auto-isl-auth-encrypt' ('mixed' or 'must', described below). Choose 'mixed' when some ISL trunk members do not support MACsec (for example FortiGate ports); with 'must' those ports are dropped from the trunk, and the trunk fails to build if no MACsec-capable member remains:

  • None: There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.

  • Mixed: FortiOS enables MACsec on the ISL trunk ports that support MACsec: the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec - these ISL trunk members act as unencrypted links.

  • Must: FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

See the FortiGate 7.4.0 New Features documentation for more information.
If a certificate other than the Fortinet factory certificate is required, it must be imported on both the FortiSwitch and the FortiGate (see 'Requirements and limitations' in that document).
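The three authentication modes and the three encryption modes above translate directly into an audit rule set. The following script is an added example, not Fortinet code: it parses the text of 'show switch-controller lldp-profile' (or a config backup) for the keys shown in this article and reports, per profile, where a switch would be authorized without authentication, where an unauthenticated switch would still receive a restricted trunk, and where ISL traffic would travel unencrypted. The sample configuration inside it is constructed for the example; the assumption that 'auto-isl-auth-encrypt' defaults to 'none' when absent is marked in the code.

```python
"""Audit FortiOS 'config switch-controller lldp-profile' blocks for their
auto-ISL authentication and encryption posture (added example, not Fortinet code)."""
from dataclasses import dataclass, field


@dataclass
class LldpProfile:
    name: str
    settings: dict = field(default_factory=dict)   # 'set <key> <value>' pairs


def parse_lldp_profiles(text: str) -> list[LldpProfile]:
    """Extract lldp-profile entries and their 'set' lines from FortiOS CLI text.

    Nested sections (e.g. 'config med-network-policy') are skipped by tracking
    the 'config ... end' stack; trailing '<-----' annotations, as found in KB
    articles, are ignored so the article's own example can be pasted in."""
    profiles: list[LldpProfile] = []
    stack: list[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("<-", 1)[0].strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "switch-controller lldp-profile":
            if line.startswith("edit "):
                current = LldpProfile(line[len("edit "):].strip().strip('"'))
                profiles.append(current)
            elif line == "next":
                current = None
            elif line.startswith("set ") and current is not None:
                key, _, value = line[len("set "):].partition(" ")
                current.settings[key] = value.strip().strip('"')
    return profiles


def audit_profile(p: LldpProfile) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one profile."""
    s = p.settings
    auth = s.get("auto-isl-auth", "legacy")            # legacy is the documented default
    encrypt = s.get("auto-isl-auth-encrypt", "none")   # assumption: 'none' when unset
    findings = []
    if auth == "legacy":
        findings.append(("high", "auto-isl-auth legacy: switches are authorized without authentication"))
        return findings   # encryption only applies once authentication is enabled
    if auth == "relax":
        findings.append(("medium", "auto-isl-auth relax: an unauthenticated switch still gets a restricted ISL trunk"))
    if "auto-isl-auth-user" not in s:
        findings.append(("medium", "no auto-isl-auth-user certificate set in this profile"))
    if encrypt == "none":
        findings.append(("medium", "auto-isl-auth-encrypt none: ISL traffic is not MACsec-encrypted"))
    elif encrypt == "mixed":
        findings.append(("info", "auto-isl-auth-encrypt mixed: members without MACsec support run as unencrypted links"))
    if encrypt != "none" and "auto-isl-auth-macsec-profile" not in s:
        findings.append(("medium", "encryption enabled but no auto-isl-auth-macsec-profile set"))
    return findings


def audit_config(text: str) -> dict[str, list[tuple[str, str]]]:
    """Map each lldp-profile name to its findings."""
    return {p.name: audit_profile(p) for p in parse_lldp_profiles(text)}


# Constructed sample: the default profile, the article's strict profile, and a
# relaxed profile with no encryption.
SAMPLE_CONFIG = """\
config switch-controller lldp-profile
    edit "default"
        set auto-isl-auth legacy
        config med-network-policy
            edit "voice"
                set status disable
            next
        end
    next
    edit "customLLDPprofile"
        set auto-isl-auth strict
        set auto-isl-auth-user "Fortinet_Factory"
        set auto-isl-auth-identity "fortilink"
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed
        set auto-isl-auth-macsec-profile "default-macsec-auto-isl"
    next
    edit "relaxed-unencrypted"
        set auto-isl-auth relax
        set auto-isl-auth-user "Fortinet_Factory"
    next
end
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"[{name}]")
        for level, msg in findings or [("ok", "strict authentication, MACsec required")]:
            print(f"  {level:6} {msg}")
```

Run it against a real 'show switch-controller lldp-profile' dump to see which profiles still leave the default 'legacy' behaviour in place; a profile audited as clean is one set to 'strict' with 'must' encryption and a MACsec profile, which is the combination the article recommends only where every ISL member supports MACsec.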

 
