Networking (5.6.1)

New networking features added to FortiOS 5.6.1.

IPv6 Router Advertisement options for DNS enhanced with recursive DNS server option (399406)

This feature is based on RFC 6106 and it adds the ability to obtain DNS search list options from upstream DHCPv6 servers and the ability to send them out through either Router Advertisement or FortiGate’s DHCP server.

FortiOS 5.6 supported the following:

To get the information from the upstream ISP server:

    config system interface
        edit wan1
            config ipv6
                set dhcp6-prefix-delegation enable
            end
        next
    end

To use Routing Advertisement to send the DNS search list:

    config system interface
        edit port1
            config ipv6
                set ip6-address 2001:10::/64
                set ip6-mode static
                set ip6-send-adv enable
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface WAN
                        set subnet 0:0:0:11::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                    next
                end
            end
        next
    end

To use the DHCPv6 server to send the DNS search list (dns-search-list is the command that was new in 5.6):

    config system dhcp6 server
        edit 1
            set interface port2
            set upstream-interface WAN
            set ip-mode delegated
            set dns-service delegated
            set dns-search-list delegated
            set subnet 0:0:0:12::/64
        next
    end

(5.6.1)

In FortiOS 5.6.1 this feature has been enhanced with the recursive DNS server option: the FortiGate can send the IPv6 recursive DNS server (RDNSS) and DNS search list (DNSSL) options to downstream clients in a Router Advertisement with a static prefix.

The new options are rdnss and dnssl, set per prefix in the following syntax:

    config system interface
        edit port1
            config ipv6
                config ip6-prefix-list
                    edit 2001:db8::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                        set rdnss 2001:1470:8000::66 2001:1470:8000::72
                        set dnssl fortinet.com fortinet.ca
                    next
                end
            end
        next
    end
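As an added example (not from the page or from FortiOS), the following Python encodes and decodes the RFC 6106 RDNSS (type 25) and DNSSL (type 31) Router Advertisement options that the rdnss and dnssl settings above make the FortiGate advertise, and checks a received RA against the resolvers you expect. The sample RA bytes are constructed from the page's values; a real capture would come from the ICMPv6 options field of an RA.

```python
import ipaddress
import struct

RDNSS = 25  # RFC 6106 Recursive DNS Server option
DNSSL = 31  # RFC 6106 DNS Search List option

def build_rdnss(addrs, lifetime=1800):
    """Encode an RDNSS option; the length field counts 8-octet units."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", RDNSS, 1 + 2 * len(addrs), 0, lifetime) + body

def build_dnssl(names, lifetime=1800):
    """Encode a DNSSL option: DNS wire-format names, zero-padded to 8 octets."""
    wire = b""
    for name in names:
        wire += b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    pad = (-len(wire)) % 8
    return struct.pack("!BBHI", DNSSL, 1 + (len(wire) + pad) // 8, 0, lifetime) + wire + b"\x00" * pad

def parse_ra_options(data):
    """Walk RA option TLVs; return the advertised resolvers and search domains."""
    found = {"rdnss": [], "dnssl": []}
    off = 0
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:  # RFC 4861 forbids zero-length options; stop rather than loop forever
            raise ValueError("zero-length RA option")
        opt = data[off + 8:off + olen * 8]
        if otype == RDNSS:
            found["rdnss"] += [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(0, len(opt) - 15, 16)]
        elif otype == DNSSL:
            i, labels = 0, []
            while i < len(opt):
                n, i = opt[i], i + 1
                if n == 0:  # end of a name, or trailing padding
                    if labels:
                        found["dnssl"].append(".".join(labels))
                    labels = []
                    continue
                labels.append(opt[i:i + n].decode())
                i += n
        off += olen * 8
    return found

def unexpected_rdnss(parsed, allowed):
    """Resolvers in an RA that are not the ones your FortiGate is configured to send (rogue-RA check)."""
    ok = {ipaddress.IPv6Address(x) for x in allowed}
    return [a for a in parsed["rdnss"] if ipaddress.IPv6Address(a) not in ok]

# Constructed sample: the options a FortiGate would emit for the rdnss/dnssl values above.
SAMPLE_RA = build_rdnss(["2001:1470:8000::66", "2001:1470:8000::72"]) + build_dnssl(["fortinet.com", "fortinet.ca"])
```

Feeding the options field of RAs seen on a client segment through parse_ra_options and unexpected_rdnss flags any RA that advertises resolvers other than the ones configured on the FortiGate.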

Temporarily mask interface failure (435426)

In some situations during normal operation, attached network equipment may cause a FortiGate interface to appear to have disconnected from the network, and in some cases you may not want the FortiGate interface to detect and respond to the apparent interruption. For example, when Lawful Intercept (LI) devices are inserted into or removed from the network path using a switch mechanism, the signal is entirely interrupted. That interruption is seen by the FortiGate as an interface failure.

When the network path is interrupted, the FortiGate normally declares that the interface is down. All services using the interface are notified and act accordingly.

This new feature allows the FortiGate interface to temporarily delay detecting that the interface is down. If the connection is restored during the delay period, the FortiGate ignores the interface down condition and services using the interface resume without apparent interruption.

Use the following command to enable and configure the down time for a FortiGate interface:

    config system interface
        edit port1
            set disconnect-threshold <delay>
        next
    end

<delay> is the time to wait before sending a notification that this interface is down or disconnected (0 to 1000 ms, default = 0).

Policy Routes now appear on the routing monitor (411841)

You can go to Monitor > Routing Monitor and select Policy to view the active policy routes on your FortiGate.

Control how the system behaves during a routing change (408971)

FortiOS allows you to dynamically make routing changes while the FortiGate unit is processing traffic. Routing changes that affect the routing used for current sessions may affect how the FortiGate continues to process the session after the routing change has been made.

Using the following command you can control whether FortiOS keeps (preserves) the routing for the sessions that are using the route, or applies the changed routing table to active sessions, possibly causing their destinations to change.

    config system interface
        edit port2
            set preserve-session-route {enable | disable}
        next
    end

If enabled (the default), all sessions passing through port2 are allowed to finish without being affected by the routing changes. If disabled, when a route changes the new routing table is applied to the active sessions through port2 which may cause their destinations to change.

This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
