Networking (5.6)

Networking (5.6)

New networking features added to FortiOS 5.6.

New command to get transceiver signal strength (205138)

On most FortiGate models with SFP/SFP+ interfaces you can use the following command to display information about the status of the transceivers installed in the SFP/SFP+ interfaces of the FortiGate.

The command output lists all of SFP/SFP+ interfaces and if they include a transceiver the output displays information about it. The command output also includes details about transceiver operation that can be used to diagnose transmission problems.

get system interface transceiver …

Interface port14 – Transceiver is not detected.

Interface port15 – SFP/SFP+

Vendor Name :     FIBERXON INC. Part No.     :      FTM-8012C-SLG

Serial No. :             101680071708917

Interface port16 – SFP/SFP+

Vendor Name :            FINISAR CORP.

Part No.     :            FCLF-8521-3

Serial No. :             PS62ENQ

Optical Optical Optical
SFP/SFP+     Temperature Voltage      Tx Bias Tx Power Rx Power
Interface    (Celsius)    (Volts)      (mA) (dBm) (dBm)
———— ———— ———— ———— ———— ————

port15 N/A    N/A    N/A    N/A    N/A port16   N/A    N/A    N/A    N/A       N/A

++ : high alarm, + : high warning, – : low warning, — : low alarm, ? : suspect.

New BGP local-AS support (307530)

Use the following command to configure BGP local-AS support:

config router bgp

(5.6)

config neighbor edit “neighbor” …

set local-as 300 set local-as-no-prepend disable|enable set local-as-replace-as disable|enable

end

Enable local-as-no-prepend if you do not want to prepend local-as to incoming updates.

Enable local-as-replace-as to replace a real AS with local AS in outgoing updates.

Interface setting removed from SNMP community (310665)

The SNMP GUI has been cleaned up by removing the Interface setting.

RPF checks can be removed from the state evaluation process (311005)

You can remove stateful firewall RFP state checks without fully enabling asymmetric routing. State checks can be disabled on specific interfaces. The following command shows how to disable state checks for traffic received by the wan1 interface.

config system interface edit wan1 set src-check disable

end

BGP graceful-restart-end-on-timer, stale-route, and linkdown-failover options (374140)

If graceful-end-on-timer is enabled, the BGP graceful restart process will be stopped upon expiration of the restart timer only.

If linkdown-failover is enabled for a BGP neighbor, the neighbor will be down when the outgoing interface is down.

If stale-route is enabled for a BGP neighbor, the route learned from the neighbor will be kept for the graceful-stalepath-time after the neighbor is down due to hold timer expiration or TCP connection failure.

config router bgp set graceful-end-on-timer disable|enable config neighbor edit 192.168.1.1 set linkdown-failover disable|enable set stale-route disable|enable

graceful-end-on-timer stops BGP graceful restart process on timer only.

linkdown-failover and stale-route are options to bring down BGP neighbors upon link down and to keep routes for a period after the neighbor is down.

FQDNs can be destination addresses in static routes (376200)

FQDN firewall addresses can now be used as destination addresses in a static route.

From the GUI, to add a FQDN firewall address (or any other supported type of firewall address) to a static route in the firewall address configuration you must enable the Static Route Configuration option. Then when configuring the static route set Destination to Named Address.

From the CLI, first configure the firewall FQDN address:

config firewall address edit ‘Fortinet-Documentation-Website’ set type fqdn set fqdn docs.fortinet.com set allow-routing enable

end

Then add the FQDN address to a static route.

config router static edit 0 set dstaddr Fortinet-Documentation-Website … end

Priority for Blackhole routes (378232)

You can now add a priority to a blackhole route to change its position relative to kernel routes in the routing table. Use the following command to add a blackhole route with a priority:

config router static edit 23 set blackhole enable set priority 200

end

New DDNS refresh interval (383994)

A new DDNS option has been added to configure the FortiGate to refresh DDNS IP addresses by periodically checking the configured DDNS server.

config system ddns edit 1 set ddns-server FortiGuardDDNS set use-public-ip enable set update-interval seconds

end

The default update-interval is 300 seconds and the range is 60 to 2592000 seconds.

Support IPv6 blackhole routes on GUI (388599)

IPv6 blackhole routes are now supported from GUI, go to Network > Static Routes and select Create New > IPv6 Route.

Choose Blackhole for Device field.

(5.6)

SSL-VPN can use a WAN link load balancing interface (396236)

Virtual-wan-link interface can now be set as a destination interface in SSLVPN policy.

Also SSL-VPN interface can now be set as a source interface for WAN LLB.

DDNS support for noip.com (399126)

Noip.com, and provider for Dynamic DNS has been added as a supported option for a ddns-server.

CLI

config system ddns edit <ddns_ip> set ddns-server

[dyndns.org|dyns.net|ods.org|tzo.com|vavic.com|dipdns.net|now.net.cn||dhs.org|ea sydns.com|genericDDNS|FortiGuardDDNS|noip.com]

IPv6 Router Advertisement options for DNS (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

Configuration example:

To get the information from the upstream ISP server:

config system interface edit wan1 config ipv6 set dhcp6-prefix-delegation enable

next

next

end

To use Routing Advertisement to send the DNS search list:

config system interface edit port 1

config IPv6 set ip6-address 2001:10::/64 set ip6-mode static set ip6-send-adv enable config ip6-delegated-prefix-list edit 1 set upstream-interface WAN set subnet 0:0:0:11::/64 set autonomous-flag enable set onlink-flag enable

next

next

end

end

To use DHCPv6 server to send DNS search list:

config system dhcp6 server edit 1 set interface port2 set upstream-interface WAN set ip-mode delegated set dns-service delegated

set dns-search-list delegated // this is a new command set subnet 0:0:0:12::/64

next

end

WAN LLB to SD-WAN on GUI (403102)

To be more consistent with current terminology, the term WAN LLB has been changed in the GUI to the more recognizable SD-WAN.

 

New RFCs

New RFCs

The following RFCs are now supported by FortiOS 5.6.1 or the support for these RFCs has been enhanced in FortiOS 5.6.1:

  • RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol

Version 2 (IKEv2) (412795) l RFC 6106 IPv6 Router Advertisement Options for DNS Configuration (399406)

  • RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (408875)

The following RFCs are now supported by FortiOS 5.6 or the support for these RFCs has been enhanced in FortiOS 5.6:

  • RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) (389001) l RFC 7348 Virtual eXtensible Local Area Network (VXLAN) or VTEP (289354) l RFC 5996 (section 15) IKEv2 asymmetric authentication (393073) l RFC 6106 IPv6 Router Advertisement Options for DNS (399406) l RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation (371241) l RFC 3971 IPv6 Secure Neighbor Discovery (SEND) (355946) l RFC 6023 Childless IKEv2 Initiation (381650)
This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.