Listen to this Post
Introduction:
Power over Ethernet (PoE) delivers both data and electrical power to devices over a single network cable, simplifying deployments for everything from IP cameras to access points. However, a recent discovery in Fortinet’s switch documentation reveals critical, non-negotiable warnings that highlight significant risks of device damage, challenging common assumptions about PoE’s inherent safety.
Learning Objectives:
- Understand the three critical warnings associated with modern PoE switches and their implications for network safety.
- Learn the commands to safely manage and disable PoE on network switches to prevent hardware damage.
- Develop a hardening checklist for deploying PoE-enabled switches in sensitive IT/OT environments.
You Should Know:
1. The Perils of Non-Negotiating PoE Ports
Modern high-power PoE standards like 802.3bt (PoE++) can deliver up to 90W. Unlike “Passive PoE,” which always sends power, standards-compliant PoE uses a negotiation protocol (LLDP) to determine if a connected device is a Powered Device (PD). However, the Fortinet warnings suggest a potential failure in this negotiation process, where power might be applied to non-PD devices, risking catastrophic damage.
2. Disabling PoE on FortiSwitch Ports
The primary mitigation is to disable PoE on any port connecting to a non-PD device (e.g., a laptop, desktop, or another switch). On FortiSwitch, this is done via the FortiOS CLI.
config switch-controller managed-switch edit <switch-id> config ports edit <port-id> set poe-status disable next end next end
Step-by-step guide: Access your FortiGate’s CLI via SSH. Navigate to the switch controller configuration and find your specific switch by its ID. Within the `config ports` section, edit the specific port interface (e.g., port1) and use the `set poe-status disable` command. Commit the changes. This must be done for every port that does not require PoE.
3. Verifying PoE Status and Power Usage
Before making changes, it’s crucial to audit current PoE status and power draw to understand your environment.
get switch-controller managed-switch <switch-id> ports | grep -f port -e poe-status -e poe-power-upon-detection
Step-by-step guide: This command filters the output of the switch port configuration to show only the lines related to PoE status and the detection method. Review this list to identify ports where `poe-status` is `enable` but may not need to be. Regular audits help maintain a known-safe state.
4. Implementing a Port Template for Security-by-Default
Manually configuring each port is inefficient. Using a “security-by-default” template that disables PoE globally and only enables it on specific, known-good ports is a best practice.
config switch-controller managed-switch edit <switch-id> set poe-pre-standard-detection disable set pre-provisioned provision config ports edit <port-id> set poe-status disable next end next end
Step-by-step guide: This configuration snippet creates a baseline template. The `set poe-pre-standard-detection disable` command is critical, as it prevents the switch from attempting to power older, non-standard devices that could be damaged. Apply this template, then only re-enable PoE (set poe-status enable) on ports that definitively require it.
5. Hardening Against Layer 1 Attacks: Cable Testing
A fundamental rule is to never trust a cable until it’s tested. Plugging an unknown cable into a powered port is a risk.
Linux: Check Ethernet interface link status and details ethtool <interface-name> Windows: View network adapter properties and power management settings Get-NetAdapter | Format-List Name, MediaConnectionState, MediaType
Step-by-step guide: Before connecting any device, use `ethtool` on Linux to verify the interface details and ensure it’s not unexpectedly receiving power. In Windows, use the `Get-NetAdapter` PowerShell cmdlet to inspect the adapter properties. Physically test cables with a simple toner or cable tester to ensure no cross-wiring exists.
6. Network Segmentation for OT/IoT PoE Devices
Isolate potentially risky PoE devices onto their own network segments to contain any damage from misconfiguration or failure.
Configure a dedicated VLAN for OT PoE devices on a FortiGate config system interface edit "OT-PoE-VLAN" set vlanid <vlan-id> set interface <physical-interface> set role lan next end Apply a strict firewall policy to limit traffic from this segment config firewall policy edit 0 set name "OT-PoE-Outbound" set srcintf "OT-PoE-VLAN" set dstintf "wan" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set inspection-mode flow next end
Step-by-step guide: Create a new VLAN interface specifically for your OT PoE devices. Then, build a firewall policy that only allows necessary traffic from this segment to the internet or other internal networks, ensuring UTM (threat inspection) is enabled to monitor for malicious activity.
7. Monitoring and Alerting on PoE Anomalies
Implement monitoring to detect when a port draws power unexpectedly, which could indicate a misconfigured device or a fault.
SNMP OIDs for monitoring PoE power (Example for FortiSwitch) IF-MIB::ifDescr.<port-number> Port Description FORTINET-FORTISWITCH-MIB::fswPortPoePowerConsumption.<port-number> Power Draw in Watts
Step-by-step guide: Configure your network monitoring system (e.g., Zabbix, Nagios, PRTG) to poll the `fswPortPoePowerConsumption` OID for each switch port. Set alerts to trigger if a port that is supposed to be disabled (poe-status disable) shows any power consumption, or if a port exceeds its expected power budget, indicating a potential short or faulty device.
What Undercode Say:
- Key Takeaway 1: The assumption that 802.3af/at/bt standards always safely negotiate is flawed. Design oversights or aggressive implementation can lead to power being applied where it shouldn’t, making manual intervention and hardening non-optional.
- Key Takeaway 2:
A “disable-by-default” posture for PoE is the only secure starting point for network deployment. Relying on manufacturers to set safe defaults is a critical mistake; operational security must be enforced through automated configuration templates and continuous auditing.
The Fortinet warnings are a stark reminder that convenience and safety are often at odds in network design. The drive for feature parity and backward compatibility can lead to engineering compromises that place the burden of safety on the end-user. This isn’t just a Fortinet issue; it’s a systemic problem in networked device design. The analysis suggests that as power levels increase with newer standards like 802.3bt (90W), the potential for catastrophic failure and even safety hazards (arc flash, fire) grows exponentially. Network architects must now treat PoE not just as a feature, but as a potential threat vector that requires active management and containment.
Prediction:
This revelation will force a broader industry reckoning on PoE safety defaults. We predict a shift towards hardware-level safety features, such as physical dip switches to enable PoE on a per-port basis, and more stringent certification requirements. In the short term, these warnings will become a focal point in cybersecurity insurance assessments, with auditors requiring proof of PoE hardening policies for policy renewals, especially in critical infrastructure and OT environments.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varghesejm Fortinet – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
