Networking
Internet Service Database (288672 281333 291858)
Go to Policy & Objects > Internet Service Database to view the Internet Service Database. The database contains detailed information about services available on the Internet, such as the DNS servers provided by Adobe, Google, Fortinet, Apple and others, and a wide range of other services. For each service, the database includes the IP addresses of the servers that host the service, as well as the port and protocol number used by each IP address.
Interfaces assigned to Virtual Wire Pairs don’t have “roles” (296519)
Assigning an interface to a virtual wire pair removes the “role” value from that interface.
FortiHeartBeat replaces FortiClient Access and other FortiClient interface settings (299371)
To configure an interface to listen for connections from devices with FortiClient installed, enable FortiHeartBeat under Administrative Access. FortiHeartBeat was called FCT-Access or FortiClient Access in FortiOS 5.2.
After enabling FortiHeartBeat, under Admission Control you can select Enforce FortiHeartBeat for all FortiClients to require devices to have FortiClient installed before they are allowed access through the FortiGate. If you enable this feature, you should also go to Security Profiles > FortiClient Profiles and configure FortiClient Profiles, then add the configured FortiClient Profiles to firewall policies that use device detection.
Use the following CLI command to enable FortiHeartBeat on an interface and enable enforcing FortiHeartBeat for all FortiClients:
config system interface
    edit port1
        set listen-forticlient-connection enable
        set endpoint-compliance enable
    next
end
After enabling FortiHeartBeat, you can also enable DHCP server and turn on FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (go to Monitor > FortiClient Monitor).
Use the following CLI command to enable FortiClient on-net status for a DHCP server added to the port1 interface:
config system dhcp server
    edit 1
        set interface port1
        set forticlient-on-net-status enable
    next
end
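As an added example (not Fortinet's or FortiOS code), the following Python script shows how a defender can verify that the two settings above are applied consistently across a FortiOS-style configuration dump: it parses the "config system interface" and "config system dhcp server" tables in the config/edit/set/next/end layout and reports interfaces that listen for FortiClient (listen-forticlient-connection) without enforcing compliance (endpoint-compliance), and DHCP servers on those interfaces that do not report on-net status (forticlient-on-net-status). The configuration text in the script is constructed for this example, the parser handles only the layout shown (sub-tables inside an entry are skipped), and a setting that is absent from the dump is treated as not enabled.

```python
"""Audit a FortiOS-style configuration dump for FortiHeartBeat enforcement.

Added example, not Fortinet or FortiOS code. The setting names come from the
CLI commands in the release notes above; everything else is an assumption.
"""

# Constructed sample configuration: port1 is fully configured, port2 listens
# for FortiClient but does not enforce compliance, and its DHCP server does
# not report on-net status.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set listen-forticlient-connection enable
        set endpoint-compliance enable
    next
    edit "port2"
        set listen-forticlient-connection enable
    next
    edit "port3"
        set role wan
    next
end
config system dhcp server
    edit 1
        set interface "port1"
        set forticlient-on-net-status enable
    next
    edit 2
        set interface "port2"
    next
end
"""


def parse_tables(text):
    """Return {table: {entry: {setting: value}}} for top-level config tables.

    Only config / edit / set / next / end lines are interpreted. A 'config'
    block nested inside an entry (e.g. a sub-table) is skipped entirely.
    """
    tables = {}
    table = entry = None
    nested = 0  # depth inside a skipped sub-table
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = parts[0]
        if nested:
            if kw == "config":
                nested += 1
            elif kw == "end":
                nested -= 1
            continue
        if kw == "config":
            if table is None:
                table = " ".join(parts[1:])
                tables.setdefault(table, {})
            else:
                nested = 1  # sub-table inside an entry: skip it
        elif kw == "edit" and table is not None:
            entry = " ".join(parts[1:]).strip('"')
            tables[table].setdefault(entry, {})
        elif kw == "set" and entry is not None and len(parts) >= 3:
            tables[table][entry][parts[1]] = " ".join(parts[2:]).strip('"')
        elif kw == "next":
            entry = None
        elif kw == "end":
            entry = None
            table = None
    return tables


def audit_forticlient(config_text):
    """Return a list of findings (empty list means nothing to report).

    A setting missing from the dump is treated as not enabled; FortiOS dumps
    commonly omit defaults, so this is the conservative reading.
    """
    tables = parse_tables(config_text)
    interfaces = tables.get("system interface", {})
    dhcp_servers = tables.get("system dhcp server", {})
    findings = []
    listening = set()
    for name, settings in interfaces.items():
        if settings.get("listen-forticlient-connection") != "enable":
            continue
        listening.add(name)
        if settings.get("endpoint-compliance") != "enable":
            findings.append(
                f"interface {name}: FortiHeartBeat enabled but endpoint-compliance not enforced"
            )
    for sid, settings in dhcp_servers.items():
        iface = settings.get("interface")
        if iface in listening and settings.get("forticlient-on-net-status") != "enable":
            findings.append(
                f"dhcp server {sid} on {iface}: forticlient-on-net-status not enabled"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_forticlient(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real "show full-configuration" dump by replacing SAMPLE_CONFIG with the file contents; the two constructed findings (port2 and DHCP server 2) are what the sample produces.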
STP (Spanning Tree Protocol) support for models with hardware switches (214901 291953)
STP used to be only available on the old style switch mode for the internal ports. It is now possible to activate STP on the hardware switches found in the newer models. These models use a virtual switch to simulate the old Switch Mode for the Internal ports.
The syntax for enabling STP is as follows:
config system interface
    edit lan
        set stp [enable | disable]
    next
end
Command to determine interface transceiver optical signal strength (205138 282307)
The new get system interface transceiver command can be used to determine optical signal strength when using SFP/SFP+ modules. The command can be used for troubleshooting fiber optic connections to service providers. This command is hardware dependent and is currently supported by FortiGate models that include SFP/SFP+ interfaces, including the FortiGate-100D, 200D-POE, 400D, 500D, 900D, 1000D, 1200D, 1500D, 3700D and 3700DX models.
I’m running FortiOS 5.6.7 on FG-1500Ds. We have virtual wire pairs set up for our VDOMs that run in transparent mode, with no port channeling. One of the SFPs is twinax (connecting to a Cisco Firepower) and the other is fiber (going into a Cisco switch). Does that cause issues, or is the FortiGate OK with media not being exactly the same on both ports?
I like to keep things identical for standardization’s sake. It won’t break anything though.