System (5.6)

System (5.6)

New system administration features added to FortiOS 5.6.

Remove CLI commands from 1-CPU platforms (405321)

Two CLI commands that set CPU affinity have been removed from 1-CPU platforms since they do not have any impact on these platforms. The commands are config system global > set miglog-affinity and config system global > set av-affinity <string>.

New SNMP trap for bypass events (307329)

When bypass mode is enabled or disabled on FortiGate units that are equipped with bypass interfaces and support AMC modules, a new SNMP trap is generated and logs bypass events.

System

Implement SNMP support for NAT Session monitoring which includes new SNMP OIDs (383661)

FortiOS 5.6 implements a new feature providing SNMP support for NAT session monitoring. The resulting new SNMP object identifier (OID) is:

FORTINET-FORTIGATE-

MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwIppools.fgFwIppTables.fgFwIppStatsTable.fgFwIppStatsEntry 1.3.6.1.4.1.12356.101.5.3.2.1.1

Additionally, there are eight new items:

.fgFwIppStatsName .1

.fgFwIppStatsType .2

.fgFwIppStatsStartIp .3

.fgFwIppStatsEndIp .4

.fgFwIppStatsTotalSessions .5

.fgFwIppStatsTcpSessions .6

.fgFwIppStatsUdpSessions .7

.fgFwIppStatsOtherSessions .8

New extended database version OIDs for AV and IPS (402162)

New extended database version OIDs ensure accurate display of the AntiVirus and IPS databases in use when you go to System > FortiGuard.

Administrator password encryption hash upgraded from SHA1 to SHA256 (391576)

The encryption has for administrator passwords is upgraded from SHA1 to SHA256.

Downgrades from FortiOS 5.6->5.4->5.2->5.0 will keep the administrator password usable. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then login after the downgrade and reset password.

Allow multiple FortiManager addresses when configuring central management (388083)

Central management configuration can now support multiple FortiManager addresses. This feature is mainly to help the case where the FortiGate unit is behind NAT.

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

A new CLI command allows users to determine a FortiGate’s location from its public IP address through FortiGuard .

The new CLI command is diagnose system waninfo.

System (5.6)

Deletion of multiple saved configurations supported (308936)

The FortiGate will save multiple configurations and images when revision-backup-on-logout and revision-image-auto-backup are enabled in config system global.

The deletion of multiple saved configurations is now possible due to changes in the CLI command execute revision delete config <revision ID>. Where the command only allowed for one revision ID at a time, it now allows almost ten.

New CLI option to limit script output size (388221)

The new CLI command set output-size limits the size of an auto script in megabytes and prevents the memory from being used up by the script’s output.

CLI Syntax

config system auto-script edit <script name> set output-size <integer>

next

end

Enter an integer value from 10 to 1024. Default is 10.

Enable / disable logging of SSL connection events (375582)

New CLI commands are added to give the user the option to enable or disable logging of SSL connection events.

CLI Syntax

config system global set log-ssl-connection {enable | disable}

end

Default is disable.

Enabling or disabling static key ciphers (379616)

There is a new option in system global to enable or disable static key ciphers in SSL/TLS connections (e.g,. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). The default is enable.

CLI Syntax

config system global set ssl-static-key-ciphers {enable | disable}

end

Enhancements to IPS Signatures page (285543)

The IPS signatures list page now shows which IPS package is currently deployed. You can also change the IPS package by hovering over the information icon next to the IPS package name. Text appears that links directly to System

the FortiGate’s System > FortiGuard page from the IPS Signatures list page.

Combine multiple commands into a CLI alias (308921)

You can add one or more CLI command to a CLI alias, then use the alias command to run the alias that you have created to execute the stored commands. For example, create the following alias to run the get system status command:

config system alias edit “version” set command “get system status”

end

Then you can use the following command to run the alias:

alias version

You can use command abbreviations (for example: g sys stat instead of get system status). Use quotes around the syntax if there are spaces (there usually are).

You can enter alias followed by a ? to view the aliases that you have added.

You can add multiple commands to an alias by pressing Ctrl-Enter after the first line. Press enter at the end of subsequent lines. And the end of the last line add second quote and press Enter to end the command.

config system alias edit “debug_flow” set command “diag debug enable diag debug flow show console enable”

end

You can include config commands in an alias as well, for example, create the following alias to bring the port1 and port2 interfaces down:

config system alias edit port12down set command “config system interface edit port1 set status down next edit port2 set status down

end”

end

You can combine config, execute, get, and diagnose commands in the same alias, for example:

config system alias edit “show-info” set command “show full-configuration alertemail setting get sys status dia sys top” end

 

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.