System (5.6.1)

System (5.6.1)

New system administration features added to FortiOS 5.6.1.

Use self-sign as default GUI certificate if BIOS cert is using SHA-1 (403152)

For increased security, SHA-1 certificate has been replaced by self-sign certificate as the default GUI certificate, if the BIOS certificate is using SHA-1.

Administrator timeout override per access profile (413543)

The GUI is often used for central monitoring. To do this requires the inactivity timeout to be increased, to avoid an admin having to constantly log in over again. This new feature allows the admintimeout value, under config system accprofile, to be overridden per access profile.

Note that this can be achieved on a per-profile basis, to avoid the option from being unintentionally set globally.

CLI Syntax – Configure admin timeout

config system accprofile edit <name> set admintimeout-override {enable | disable} set admintimeout <0-480> – (default = 10, 0 = unlimited)

next

end

New execute script command (423159)

A new execute command has been introduced to merge arbitrary configlets into the running configuration from script. The command’s authentication can be carried out using either username and password or with a certificate. This command supports FTP/TFTP and SCP.

An important benefit of this feature is that if the configuration in the script fails (i.e. a syntax error), the system will revert back to running configurations without interrupting the network.

CLI Syntax – Load script from FTP/TFTP/SCP server to firewall

execute restore scripts <ftp | tftp | scp> <dir / filename in server> <server ip> <username> <password>

FortiCache as an external cache service for FortiOS (435830)

A CLI configuration was added to allow the FortiGateto use FortiCache as an external cache service.

Global configuration

config wanopt forticache-service set status enable set local-cache-id “100d-bhan” set remote-forticache-id “3kc-bhan” set remote-forticache-ip 192.99.1.99

 

System (5.6)

end (Help Text) status Enable/disable using FortiCache as web-cache storage. local-cache-id ID that this device uses to connect to the remote FortiCache. remote-forticache-id ID of the FortiCache to which the device connects. remote-forticache-ip IP address of the FortiCache to which the device connects. (status)

# set status disable Use local disks as web-cache storage. enable Use a remote FortiCache as web-cache storage.

(local-cache-id)

# set local-cache-id

<string> please input string value

(remote-forticache-id)

# set remote-forticache-id

<string> please input string value

(remote-forticache-ip)

# set remote-forticache-ip

<any_ip> Any ip xxx.xxx.xxx.xxx

(Help Text) config wanopt auth-group Configure WAN optimization authentication groups.

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.