Firewall
Display change in Policy listing (284027)
Alias names for interfaces, if configured, now appear in the headings of the Interface Pair View (formerly called the Section View).
RPC over HTTP traffic separate (288526)
How protocol options profiles and SSL inspection profiles handle RPC (Remote Procedure Call) over HTTP traffic can now be configured separately from normal HTTP traffic.
CLI syntax changes
config firewall profile-protocol-options
    edit <profile-name>
        set rpc-over-http {disable | enable}
    next
end

config firewall ssl-ssh-profile
    edit deep-inspection
        set rpc-over-http {disable | enable}
    next
end
Disable Server Response Inspection supported (274458)
A Disable Server Response Inspection (DSRI) option has been added to firewall policies (CLI only). It improves performance when a policy only needs URL filtering, because it lets the system skip inspection of the HTTP server responses. Since the server-to-client direction is no longer inspected, enable it only on policies whose security profiles act on client requests alone.
CLI syntax for changing the status of the DSRI setting:
config firewall policy
    edit NNN
        set dsri {enable | disable}
    next
end

The same option is available under config firewall policy6, config firewall interface-policy, config firewall interface-policy6 and config firewall sniffer:

config firewall interface-policy
    edit NNN
        set dsri {enable | disable}
    next
end

config firewall sniffer
    edit NNN
        set dsri {enable | disable}
    next
end
Policy counter improvements (277555 260743 172125)
- implicit deny policy counter added
- first-hit time tracked for each policy
- “Hit count” is tracked for each policy (total number of new sessions since last reset)
- Most counters now persist across reboots
Bidirectional Forwarding Detection (BFD) (247622)
Bidirectional Forwarding Detection (BFD) protocol support has been added to Protocol Independent Multicast (PIM), to detect failures between forwarding engines.
TCP sessions can be created without TCP syn flag checking (236078)
A per-VDOM option is available to enable or disable the creation of TCP sessions without TCP SYN flag checking. By default a TCP packet that matches no existing session is accepted only if it starts a handshake (SYN set); with the option enabled, the FortiGate also creates a session from a mid-stream segment, which accommodates asymmetric routing at the cost of weaker state enforcement.
Mirroring of traffic decrypted by SSL inspection (275458)
This feature sends a copy of the traffic decrypted by SSL inspection to one or more FortiGate interfaces, so that it can be collected by a raw packet capture tool for archiving and analysis. Because the mirrored copy is plaintext, the mirror interfaces should connect only to the trusted capture host.
This feature is available when the inspection mode is set to flow-based. Use the following command to enable it in a policy. The example sends all traffic decrypted by policy 1 to the FortiGate port1 and port2 interfaces.
config firewall policy
    edit 1
        set ssl-mirror enable
        set ssl-mirror-intf port1 port2
    next
end
Support for full cone NAT (269939)
Full cone NAT maps a public IP address and port to a LAN IP address and port. Once the mapping exists, any device on the Internet can send data to the internal LAN IP address and port by directing it to the external IP address and port; sending to the correct IP address but a different port causes the communication to fail. Because the mapping is open to any external host for as long as it lives, it behaves like a port forward (the term "full cone" comes from the NAT classification in RFC 3489).
Full cone NAT is configured only in the CLI, by properly configuring an IP pool for the NATing of an external IP address. The two important settings are:
- set type – it must be set to port-block-allocation to use full cone
- set permit-any-host – enabling it is what enables full cone NAT
An example of the IP pool configuration would be:
config firewall ippool
    edit "full_cone-pool1"
        set type port-block-allocation
        set startip 10.1.1.1
        set endip 10.1.1.1
        set permit-any-host enable
    next
end
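The mapping behaviour the two settings select, as an added example that is not FortiOS code and not part of the original page: a Python model of a single-address NAT in which full_cone=True stands for permit-any-host enable and full_cone=False for ordinary, port-restricted NAT (the model's own simplification of the default behaviour). The addresses, ports and the sequential port allocation are constructed for the demonstration.

```python
"""Model of full cone NAT versus ordinary (port-restricted) NAT.

Added example, not FortiOS code: it simulates the mapping behaviour that
``set permit-any-host enable`` turns on, using constructed packets.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Single public address NAT. full_cone=True models permit-any-host enable."""

    def __init__(self, public_ip: str, full_cone: bool, first_port: int = 1024):
        self.public_ip = public_ip
        self.full_cone = full_cone
        self.next_port = first_port  # assumption: ports handed out sequentially
        # internal (ip, port) -> public port
        self.mappings: Dict[Endpoint, int] = {}
        # public port -> (internal endpoint, peers the internal host has contacted)
        self.reverse: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal->Internet packet, creating the mapping if needed."""
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[inside] = port
            self.reverse[port] = (inside, set())
        port = self.mappings[inside]
        # Remember the peer so the restricted mode can check replies against it.
        self.reverse[port][1].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet->internal packet, or return None to drop it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None  # wrong public port: no mapping, communication fails
        inside, peers = self.reverse[pkt.dst_port]
        if not self.full_cone and (pkt.src_ip, pkt.src_port) not in peers:
            return None  # restricted NAT: only peers the internal host contacted
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo(full_cone: bool) -> Dict[str, bool]:
    """Send three constructed inbound packets through one NAT mode."""
    nat = Nat("203.0.113.1", full_cone)
    out = nat.outbound(Packet("10.1.1.5", 40000, "198.51.100.10", 5060))
    p = out.src_port  # the public port the internal host was mapped to
    return {
        "reply_from_peer": nat.inbound(Packet("198.51.100.10", 5060, "203.0.113.1", p)) is not None,
        "unsolicited_host": nat.inbound(Packet("192.0.2.77", 33333, "203.0.113.1", p)) is not None,
        "wrong_port": nat.inbound(Packet("198.51.100.10", 5060, "203.0.113.1", p + 1)) is not None,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("full cone" if mode else "restricted", demo(mode))
```

The unsolicited_host case is the point of the feature and also its risk: with permit-any-host enable, any Internet host can reach the mapped internal port for as long as the mapping lives, so the firewall policy that uses the pool should still restrict sources and services rather than rely on the NAT for protection.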
Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)
There is now a system setting that determines whether ICMP reply traffic can pass through a FortiGate even if there is no existing session.

config system settings
    set asymroute-icmp enable
    set asymroute6-icmp enable
end
When the feature is enabled:
- ICMP or ICMPv6 reply traffic is allowed to pass through the firewall when no session exists (the asymmetric routing case).
- TCP ACK segments are still prevented from passing through the firewall when no session exists.
When the feature is disabled:
- ICMP or ICMPv6 replies are prevented from passing through the firewall when no session exists.
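How the two per-VDOM options above (sessions without SYN checking, and asymroute-icmp) interact with the session table, as an added example that is not FortiOS code and not part of the original page. The Python model applies the documented behaviour to constructed packets: a TCP segment with no SYN and no matching session is dropped unless tcp_session_without_syn is set (the parameter name mirrors the tcp-session-without-syn setting under config system settings), an ICMP echo reply with no matching session is dropped unless asymroute_icmp is set, and neither option affects the other. Addresses and ports are constructed, and policy lookup is assumed to permit all of the traffic shown.

```python
"""Model of session-less TCP and ICMP handling for the two per-VDOM options.

Added example, not FortiOS code. Session keys are direction-independent so a
reply matches the request that created the session.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                             # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0                         # TCP ports; left at 0 for ICMP
    dport: int = 0
    flags: FrozenSet[str] = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[str] = None        # "echo-request" or "echo-reply"

    def key(self) -> Tuple:
        """Direction-independent session key: both endpoints, sorted."""
        return (self.proto,) + tuple(sorted(((self.src, self.sport), (self.dst, self.dport))))


class StatefulFirewall:
    def __init__(self, tcp_session_without_syn: bool = False, asymroute_icmp: bool = False):
        self.tcp_session_without_syn = tcp_session_without_syn   # mirrors the per-VDOM option
        self.asymroute_icmp = asymroute_icmp                      # mirrors set asymroute-icmp
        self.sessions: Set[Tuple] = set()

    def process(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating the session table."""
        if pkt.key() in self.sessions:
            return "allow"                       # existing session: either direction passes
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add(pkt.key())     # normal start of a three-way handshake
                return "allow"
            if self.tcp_session_without_syn:
                self.sessions.add(pkt.key())     # mid-stream pickup, e.g. after a reroute
                return "allow"
            return "drop"                        # bare ACK (or other non-SYN) with no session
        if pkt.proto == "icmp":
            if pkt.icmp_type == "echo-request":
                self.sessions.add(pkt.key())
                return "allow"
            if pkt.icmp_type == "echo-reply" and self.asymroute_icmp:
                return "allow"                   # reply took a path that never saw the request
            return "drop"
        return "drop"


def run(tcp_session_without_syn: bool, asymroute_icmp: bool) -> Dict[str, str]:
    """Feed one constructed packet set through a firewall with the given options."""
    fw = StatefulFirewall(tcp_session_without_syn, asymroute_icmp)
    bare_ack = Packet("tcp", "198.51.100.7", "10.0.0.20", 443, 50000, frozenset({"ACK"}))
    stray_reply = Packet("icmp", "198.51.100.7", "10.0.0.20", icmp_type="echo-reply")
    syn = Packet("tcp", "10.0.0.20", "198.51.100.7", 50001, 443, frozenset({"SYN"}))
    syn_ack = Packet("tcp", "198.51.100.7", "10.0.0.20", 443, 50001, frozenset({"SYN", "ACK"}))
    return {
        "bare_ack_no_session": fw.process(bare_ack),
        "echo_reply_no_session": fw.process(stray_reply),
        "syn": fw.process(syn),
        "syn_ack_reply": fw.process(syn_ack),
    }


if __name__ == "__main__":
    for opts in ((False, False), (True, False), (False, True)):
        print(opts, run(*opts))
```

With both options off the first two packets are dropped and the handshake passes; turning on tcp_session_without_syn admits the bare ACK but not the stray echo reply, and asymroute_icmp does the reverse, which is the independence the feature description states.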