
NTP:
129.6.15.28
129.6.15.29
DNS:
1.1.1.1
1.0.0.1
config system global
set hostname FGTHQ
end
config system vdom-dns
set vdom-dns enable
set primary 1.1.1.1
set secondary 8.8.8.8
end
10.10.10.254/24 = Office LAN = Office Zone
10.10.20.254/24 = Office Wireless = Office Zone
10.10.30.254/24 = IT LAN = Office Zone
10.10.40.254/24 = IT Wireless = Office Zone
10.10.50.254/24 = Windows Servers = Servers Zone
10.10.60.254/24 = Linux Servers = Servers Zone
10.10.70.254/24 = Legacy = Legacy Zone
10.10.80.254/24 = Guest Wireless = Guest Zone
10.10.200.254/24 = MGMT VLAN
On the FortiSwitch itself (FortiSwitchOS CLI), enable FortiLink auto-discovery on the port that uplinks to the FortiGate:
config switch interface
edit <port>
set auto-discovery-fortilink enable
end
To display flap-guard information for all ports of a FortiSwitch unit:
diagnose switch-controller switch-info flapguard status S224EPTF22002817
To reset a port:
execute switch-controller flapguard reset S224EPTF22002817 port4
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:
config switch-controller global
set vlan-optimization enable
end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.
To limit the number of MAC addresses a port can learn (for example, 50 on port3):
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set learning-limit 50
next
end
end
config switch-controller global
set mac-violation-timer <0-1500>
set log-mac-limit-violations {enable | disable}
end
diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>
execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>
Persistent (sticky) MAC addresses
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set sticky-mac {enable | disable}
next
end
end
You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:
execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>
Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:
execute switch-controller switch-action sticky-mac delete-unsaved all <FortiSwitch_serial_number>
execute switch-controller switch-action sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit port5
set storm-control-policy <storm_control_policy_name>
next
end
end
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, administrators can use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS console port. By default, users can log in with the managed FortiSwitchOS console port.
To change the FortiSwitch profile:
config switch-controller switch-profile
edit {default | <FortiSwitch_profile_name>}
set login {enable | disable}
end
To disable logging in to the managed FortiSwitch console port in the default FortiSwitch profile:
config switch-controller switch-profile
edit default
set login disable
end
To change which FortiSwitch profile is used by a managed switch:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set switch-profile {default | <FortiSwitch_profile_name>}
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
set switch-profile new_switch_profile
end
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set access-profile <name_of_policy>
end
For example:
config switch-controller security-policy local-access
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
config switch-controller managed-switch
edit S524DF4K15000024
set access-profile policy1
end
NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.
Trunk (LAG) settings on a managed-switch port; min-bundle and max-bundle bound the number of member links in the bundle:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <trunk_name>
set type trunk
set mode {static | lacp-passive | lacp-active}
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
First see which profile the switch is using:
config switch-controller managed-switch
edit S524DF4K15000024
show
end
Then set the override and the password in that profile (here the default profile):
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end
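An added audit script, not Fortinet's code and not part of the original notes, that ties the checks above together: it parses the config/edit/set/next/end nesting of a FortiGate configuration backup and flags access ports with no learning-limit or sticky MAC, switch profiles that still allow console login or leave the FortiSwitch admin password unset, local-access policies that permit telnet or http, and any key that is set twice inside one block (the "set primary" twice mistake from the DNS section, where the second value silently replaces the first). The sample configuration, its serial number and its policy names are constructed placeholders. Trunk ports are skipped on purpose: a LAG or uplink legitimately learns many MAC addresses.

```python
"""Audit a FortiGate config dump for the weak switch-controller settings discussed on this page.
Added example, not Fortinet's code; SAMPLE_CONFIG is constructed and its names are placeholders."""
import shlex
from types import SimpleNamespace

def block(kind, name):     # kind: "config" (table) or "edit" (entry); settings holds the LAST value set
    return SimpleNamespace(kind=kind, name=name, settings={}, set_counts={}, children={})

def parse_fortios(text):
    root = block("config", "")
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=False)      # handles quoted values such as "Office LAN"
        if not tok:
            continue
        verb, args = tok[0], tok[1:]
        if verb in ("config", "edit"):
            blk = block(verb, " ".join(args))
            stack[-1].children[blk.name] = blk
            stack.append(blk)
        elif verb == "set":                         # a repeated set silently overwrites the earlier one
            stack[-1].settings[args[0]] = args[1:]
            stack[-1].set_counts[args[0]] = stack[-1].set_counts.get(args[0], 0) + 1
        elif verb == "unset":
            stack[-1].settings.pop(args[0], None)
        elif verb == "next" and len(stack) > 1:
            stack.pop()                             # closes the current entry
        elif verb == "end":
            while len(stack) > 1 and stack[-1].kind == "edit":
                stack.pop()                         # 'end' inside an entry closes the entry too
            if len(stack) > 1:
                stack.pop()                         # then the table
    return root

EMPTY = block("config", "")

def audit(root):
    out = []
    def walk(blk, path):                            # keys set more than once in one block
        for key, n in blk.set_counts.items():
            if n > 1:
                out.append(f"{path}: '{key}' set {n} times, only {' '.join(blk.settings[key])} survives")
        for c in blk.children.values():
            walk(c, f"{path}/{c.name}" if path else c.name)
    walk(root, "")
    def entries(table): return root.children.get(table, EMPTY).children.values()
    for p in entries("switch-controller switch-profile"):
        if p.settings.get("login") != ["disable"]:
            out.append(f"switch-profile {p.name}: console login allowed (the default)")
        if p.settings.get("login-passwd-override") != ["enable"] or "login-passwd" not in p.settings:
            out.append(f"switch-profile {p.name}: admin password not overridden (default admin has none)")
    for pol in entries("switch-controller security-policy local-access"):
        for key in ("mgmt-allowaccess", "internal-allowaccess"):
            clear = sorted(set(pol.settings.get(key, [])) & {"telnet", "http"})
            if clear:
                out.append(f"local-access {pol.name}: {key} permits cleartext {', '.join(clear)}")
    for sw in entries("switch-controller managed-switch"):
        for port in sw.children.get("ports", EMPTY).children.values():
            if port.settings.get("type") == ["trunk"]:
                continue                            # a LAG/uplink legitimately carries many MACs
            if "learning-limit" not in port.settings:
                out.append(f"managed-switch {sw.name}/{port.name}: no learning-limit (unbounded MAC learning)")
            if port.settings.get("sticky-mac") != ["enable"]:
                out.append(f"managed-switch {sw.name}/{port.name}: sticky-mac not enabled")
    return out

SAMPLE_CONFIG = """\
config system vdom-dns
    set primary 1.1.1.1
    set primary 8.8.8.8
end
config switch-controller switch-profile
    edit "default"
    next
end
config switch-controller security-policy local-access
    edit "policy1"
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit "port3"
                set learning-limit 50
                set sticky-mac enable
            next
            edit "port5"
            next
            edit "lag-core"
                set type trunk
                set members "port47" "port48"
            next
        end
    next
end
"""
```

Feed it the output of show full-configuration saved from the FortiGate rather than a plain show: a plain show omits settings left at their defaults, which is exactly why the profile checks treat a missing "set login disable" as console login enabled. On the sample it reports six findings (the duplicated primary DNS, the two default-profile findings, telnet on policy1, and the two port5 findings) and nothing for port3 or the trunk.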
Master the deployment, configuration, and management of Fortinet FortiSwitch for robust network security.
This comprehensive Udemy course equips you with the skills to confidently manage Fortinet FortiSwitch devices within your network infrastructure. Whether you're a seasoned network professional or new to Fortinet security solutions, this course provides a clear path to proficiency.
In this course, you'll delve into:
Initial Configuration: Get up and running quickly with a step-by-step guide to setting up your FortiSwitch device for optimal functionality.
VLANs & Port Management: Master the creation and configuration of VLANs and switch ports to segregate traffic and enhance network security and organization.
Essential Switching Features: Explore and configure crucial switching features like Spanning Tree Protocol, Link Aggregation Groups (LAGs), and more to optimize network performance and eliminate potential loops.
FortiSwitch Security: Uncover the built-in security features of FortiSwitch, enabling you to implement access control lists (ACLs), port security, and other measures to protect your network.
FortiLink Integration: Learn how to seamlessly integrate FortiSwitch with your existing Fortinet security infrastructure using FortiLink for unified management and enhanced security.
MCLAG for Advanced Redundancy: Explore Multi-Chassis Link Aggregation Group (MCLAG) technology to configure redundant links across multiple FortiSwitch devices, maximizing network uptime and performance.
By the end of this course, you'll be able to:
Confidently configure your FortiSwitch device for optimal operation.
Create and manage VLANs and switch ports for improved network organization and security.
Implement essential switching features to optimize network performance and stability.
Leverage built-in FortiSwitch security tools to safeguard your network.
Integrate FortiSwitch with your Fortinet Security Fabric using FortiLink for centralized management.
Configure MCLAG for increased network redundancy and resilience.