Firewall (5.6)

New firewall features added to FortiOS 5.6.

Optimization of the firewall Service cache (355819)

In order to improve the efficiency and performance of the firewall Service cache, the following improvements have been made:

  • The logic behind the structure of the cache has been simplified. Instead of storing ranges of port numbers, we store each individual port number in the cache
  • Separate caches are created for each VDOM so that cache searches are faster.
  • The performance of more frequently used cases has been increased l Hash tables are used to improve the performance of complex cases. These could include such instances as:
  • service names tied to specific IP Ranges
  • redefinition (one port number with multiple service names)

New CLI option to prevent packet order problems for sessions offloaded to NP4 or NP6 (365497)

In order to prevent the issue of a packet, on FortiGate processing a heavy load of traffic, from being processed out of order, a new setting has been added to better control the timing of pushing the packets being sent to NP units.

The new option, delay-tcp-npc-session, has been added into the context of config firewall policy within the CLI

config firewall policy edit <Integer for policy ID> set delay-tcp-npc-session end

Policy may not be available on units not using NP units.

 

GUI changes to Central NAT (371516)

The Central NAT configuration interface prevents the accidental occurrence of being able to select “all” and “none” as two objects for the same field. It only allows the selecting of a single IP pool, though it is still possible to select multiple IP pools within the CLI.

Max value for Firewall User authentication changed (378085)

Previously, the maximum time that a member of a firewall user group could remain authenticated without any activity was 24 hours (1440 minutes). The maximum value for this setting has been changed to 72 hours (4320 minutes). This allow someone to log in but not be kicked off the system due to inactivity over the course of a weekend.

The syntax in the CLI for configuring this setting is: config user group edit <name of user group> set authtimeout 4320 end

Changes to default SSL inspection configuration (380736)

SSL is such a big part of normal traffic that SSL certificate inspection is no longer disabled by default. SSL inspection is not mandatory in both the CLI and GUI when it is applicable. The default setting is the Certificate Inspection level. As a result there have been a few changes within the CLI and the GUI.

CLI

The setting SSL-SSH-Profile, is a required option, with the default value being “certificate-inspection”, when it is applicable in the following tables:

  • profile-group l firewall.policy l firewall.policy6, l firewall.explicit-proxy-policy

The following default profiles are read-only:

  • certificate-inspection l deep-ssl-inspection

GUI

IPv4/IPv6 Policy and Explicit Proxy Policy edit window l The configuration and display set up for SSL/SSH Inspection is now similar to “profile-protocol-option” option l The disable/enable toggle button is no longer available for the Profile Protocol Option l The default profile is set to “certificate-inspection” IPv4/IPv6 Policy, Explicit Proxy Policy list page l There is validation for SSL-SSH-Profile when configuring UTM profiles

SSL/SSH Inspection list page

l There is no delete menu on GUI for default ssl profiles l The “Edit” menu has been changed to “View” for default SSL profiles l The default SSL profile entries are considered an implicit class and are grayed out SSL/SSH Inspection edit window l The only input for default SSL profiles is now download/view trusted certificate links l To return to the List page from default SSL profiles, the name of the button is now “Return” Profile Group edit window l There is no check box for SSL-SSH-Profile. It is always required.

Add firewall policy comment field content to log messages (387865)

There has been a need by some customer to have some information in the logs that includes specific information about the traffic that produced the log. The rather elegant solution is that when the log-policy-comment option is enabled, the comment field from the policy will be included in the log. In order to make the logs more useful regarding the traffic just include a customized comment in the policy and enable this setting.

Syntax

config system settings set log-policy-comment [enable | disable] end

l This setting is for all traffic and security logs. l It can be select on a per VDOM basis

Learning mode changes profile type to single (387999)

The Learning mode does not function properly when it is applied to a policy that has a UTM profile group applied to it. The logging that should be taking place from the Learning Mode profiles does not occur as intended, and the

Automatically switching the profile type to single on a policy with Learning mode enabled prevents it from being affected by the UTM policy groups.

MAC address authentication in firewall policies and captive portals (391739)

When enabled, a MAC authentication request will be sent to fnbamd on any traffic. If the authentication receives a positive response, login becomes available. If the response is negative the normal authentication process takes over.

CLI

New option in the firewall policy setting

config firewall policy edit <policy ID> set radius-mac-auth-bypass [enable |disable] end

New option in the interface setting config system interface

edit <interface> set security-mode captive-portal set security-mac-auth-bypass end

Display resolved IP addresses for FQDN in policy list (393927)

If a FQDN address object is used in a policy, hovering the cursor over the icon for that object will show a tool tip that lists the parameters of the address object. This tool tip now includes the IP address that the FQDN resolves to.

Added comment for acl-policy, interface-policy and DoS-policy (396569)

A comment field has been added to the following policy types: l acl-policy l interface-policy l DoS-policy

Comments of up to 1023 characters can be added through the CLI.

Examples:

DoS policy

config firewall DoS-policy edit 1 set comment “you can put a comment here(Max 1023).”

set interface “internal” set srcaddr “all” set dstaddr “all” set service “ALL” config anomaly edit “tcp_syn_flood” set threshold 2000

next

end

end

Interface policy

config firewall interface-policy edit 1 set comment “you can put a comment here(max 1023).”

set interface “dmz2” set srcaddr “all” set dstaddr “all” set service “ALL” end

Firewall ACL

config firewall acl edit 1 set status disable

set comment “you can put a comment here(max 1023).”

set interface “port5” set srcaddr “all” set dstaddr “all” set service “ALL”

end

Internet service settings moved to more logical place in CLI (397029)

The following settings have moved from the application context of the CLI to the firewall context: l internet-service l internet-service-custom

Example of internet-service

config firewall internet-service 1245324 set name “Fortinet-FortiGuard”

set reputation 5 set icon-id 140 set offset 1602565 config entry

edit 1

set protocol 6 set port 443 set ip-range-number 27 set ip-number 80

next

edit 2

set protocol 6 set port 8890 set ip-range-number 27 set ip-number 80

next

edit 3

set protocol 17 set port 53 set ip-range-number 18 set ip-number 31

next

edit 4

set protocol 17 set port 8888 set ip-range-number 18 set ip-number 31

next

end

Example of internet-service-custom

config firewall internet-service-custom edit “custom1” set comment “custom1”

config entry

edit 1

set protocol 6 config port-range

edit 1

set start-port 30 set end-port 33

next

end

set dst “google-drive” “icloud”

next

end

next

end

Example of get command:

get firewall internet-service-summary

Version: 00004.00002

Timestamp: 201611291203

Number of Entries: 1349

Certificate key size selection (397883)

FortiOS will now support different SSL certificate key lengths from the HTTPS server. FortiOS will select a key size from the two options of 1024 and 20148, to match the key size (as close as possible, rounding up) on the HTTS server. If the size of the key from the server is 512 or 1024 the proxy will select a 1024 key size. If the key size from the servers is over 1024, the proxy will select a key size of 2048.

CLI changes:

In ssl-ssh-profile remove:

  • certname-rsa l certname-dsa l certname-ecdsa

In vpn certificate setting, add the following options :

  • certname-rsa1024 l certname-rsa2048 l certname-dsa1024 l certname-dsa2048 l certname-ecdsa256 l certname-ecdsa384
This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.