Security Profiles (5.6)

Security Profiles (5.6)

New security profile features added to FortiOS 5.6.

New FortiGuard Web Filter categories (407574)

New categories added to FortiGuard Web Filter sub-categories:

  • Under Security Risk:
  • Newly Observed Domain (5.90) l Newly Registered Domain (5.91)
  • Under General Interest – Business l Charitable Organizations (7.92) l Remote Access (7.93) l Web Analytics (7.94) l Online Meeting (7.95)

Newly observed domain (NOD) applies to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes.

Newly registered domain (NRD) applies to URLs whose domain name was registered in the previous 10 days.

Overall improvement to SSL inspection performance (405224)

The enabling / disabling of proxy cipher / kxp hardware acceleration in CP8/CP9 required restarting of the WAD daemon for the change to take effect; this bug has been repaired.

New CLI commands

The FortiGate will use the ssl-queue-threshold command to determine the maximum queue size of the CP SSL queue. In other words, if the SSL encryption/decryption task queue size is larger than the threshold, the FortiGate will switch to use CPU rather than CP. If less, it will employ CP.

config firewall ssl setting set ssl-queue-threshold <integer>

end

The integer represents the maximum length of the CP SSL queue. Once the queue is full, the proxy switches cipher functions to the main CPU. The range is 0 – 512 and the default is 32.

FortiClient Endpoint license updates (401721)

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s) Maximum Client Limit
VM00 200
FGT/FWF 30 to 90 series 200
FGT 100 to 400 series 600
FGT 500 to 900 series, VM01, VM02 2,000
FGT 1000 to 2900 series, VM04 50,000
FGT 3700D and above, VM08 and above 100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.