What’s new for the Firewall in 5.6
New Firewall Features in 5.6.0
Optimization of the firewall Service cache (355819)
In order to improve the efficiency and performance of the firewall Service cache, the following improvements have been made:
- The logic behind the structure of the cache has been simplified. Instead of storing ranges of port numbers, we store each individual port number in the cache
- Separate caches are created for each VDOM so that cache searches are faster.
- The performance of more frequently used cases has been increased l Hash tables are used to improve the performance of complex cases. These could include such instances as:
- service names tied to specific IP Ranges
- redefinition (one port number with multiple service names)
New CLI option to prevent packet order problems for sessions offloaded to NP4 or NP6 (365497)
In order to prevent the issue of a packet, on FortiGate processing a heavy load of traffic, from being processed out of order, a new setting has been added to better control the timing of pushing the packets being sent to NP units.
The new option, delay-tcp-npc-session, has been added into the context of config firewall policy within the CLI
config firewall policy edit <Integer for policy ID> set delay-tcp-npc-session
end
Policy may not be available on units not using NP units.
GUI changes to Central NAT (371516)
The Central NAT configuration interface prevents the accidental occurrence of being able to select “all” and “none” as two objects for the same field. It only allows the selecting of a single IP pool, though it is still possible to select multiple IP pools within the CLI.
Max value for Firewall User authentication changed (378085)
Previously, the maximum time that a member of a firewall user group could remain authenticated without any activity was 24 hours (1440 minutes). The maximum value for this setting has been changed to 72 hours (4320 minutes). This allow someone to log in but not be kicked off the system due to inactivity over the course of a weekend.
The syntax in the CLI for configuring this setting is:
config user group edit <name of user group> set authtimeout 4320
end
Changes to default SSL inspection configuration (380736)
SSL is such a big part of normal traffic that SSL certificate inspection is no longer disabled by default. SSL inspection is not mandatory in both the CLI and GUI when it is applicable. The default setting is the Certificate Inspection level. As a result there have been a few changes within the CLI and the GUI.
CLI
The setting SSL-SSH-Profile, is a required option, with the default value being “certificate-inspection”, when it is applicable in the following tables:
- profile-group l firewall.policy l firewall.policy6, l firewall.proxy-policy
The following default profiles are read-only:
- certificate-inspection l deep-ssl-inspection
GUI
IPv4/IPv6 Policy and Explicit Proxy Policy edit window l The configuration and display set up for SSL/SSH Inspection is now similar to “profile-protocol-option” option l The disable/enable toggle button is no longer available for the Profile Protocol Option l The default profile is set to “certificate-inspection” IPv4/IPv6 Policy, Explicit Proxy Policy list page l There is validation for SSL-SSH-Profile when configuring UTM profiles SSL/SSH Inspection list page l There is no delete menu on GUI for default ssl profiles l The “Edit” menu has been changed to “View” for default SSL profiles l The default SSL profile entries are considered an implicit class and are grayed out SSL/SSH Inspection edit window l The only input for default SSL profiles is now download/view trusted certificate links l To return to the List page from default SSL profiles, the name of the button is now “Return” Profile Group edit window l There is no check box for SSL-SSH-Profile. It is always required.
Add firewall policy comment field content to log messages (387865)
There has been a need by some customer to have some information in the logs that includes specific information about the traffic that produced the log. The rather elegant solution is that when the log-policy-comment option is enabled, the comment field from the policy will be included in the log. In order to make the logs more useful regarding the traffic just include a customized comment in the policy and enable this setting.
Syntax
config system settings set log-policy-comment [enable | disable] end
l This setting is for all traffic and security logs. l It can be select on a per VDOM basis
Learning mode changes profile type to single (387999)
The Learning mode does not function properly when it is applied to a policy that has a UTM profile group applied to it. The logging that should be taking place from the Learning Mode profiles does not occur as intended, and the
Automatically switching the profile type to single on a policy with Learning mode enabled prevents it from being affected by the UTM policy groups.
MAC address authentication in firewall policies and captive portals (391739)
When enabled, a MAC authentication request will be sent to fnbamd on any traffic. If the authentication receives a positive response, login becomes available. If the response is negative the normal authentication process takes over.
CLI
New option in the firewall policy setting
config firewall policy edit <policy ID> set radius-mac-auth-bypass [enable |disable] end
New option in the interface setting
config system interface edit <interface> set security-mode captive-portal set security-mac-auth-bypass end
Display resolved IP addresses for FQDN in policy list (393927)
If a FQDN address object is used in a policy, hovering the cursor over the icon for that object will show a tool tip that lists the parameters of the address object. This tool tip now includes the IP address that the FQDN resolves to.
Added comment for acl-policy, interface-policy and DoS-policy (396569)
A comment field has been added to the following policy types: l acl-policy l interface-policy l DoS-policy
Comments of up to 1023 characters can be added through the CLI.
Examples:
DoS policy
config firewall DoS-policy
edit 1
set comment “you can put a comment here(Max 1023).”
set interface “internal” set srcaddr “all” set dstaddr “all” set service “ALL” config anomaly edit “tcp_syn_flood” set threshold 2000
next
end
end
Interface policy
config firewall interface-policy
edit 1
set comment “you can put a comment here(max 1023).”
set interface “dmz2” set srcaddr “all” set dstaddr “all” set service “ALL” end
Firewall ACL
config firewall acl
edit 1 set status disable
set comment “you can put a comment here(max 1023).”
set interface “port5” set srcaddr “all” set dstaddr “all” set service “ALL”
end
Internet service settings moved to more logical place in CLI (397029)
The following settings have moved from the application context of the CLI to the firewall context:
internet-service internet-service-custom
Example of internet-service
config firewall internet-service 1245324
set name “Fortinet-FortiGuard” set reputation 5 set icon-id 140 set offset 1602565
config entry
edit 1
set protocol 6
set port 443 set ip-range-number 27 set ip-number 80
next
edit 2
set protocol 6 set port 8890 set ip-range-number 27 set ip-number 80
next
edit 3
set protocol 17 set port 53
set ip-range-number 18
set ip-number 31
next
edit 4
set protocol 17 set port 8888 set ip-range-number 18
set ip-number 31 next
end
Example of internet-service-custom
config firewall internet-service-custom
edit “custom1” set comment “custom1”
config entry
edit 1
set protocol 6 config port-range
edit 1
set start-port 30 set end-port 33
next
end
set dst “google-drive” “icloud”
next
end
next
end
Example of get command:
get firewall internet-service-summary
Version: 00004.00002
Timestamp: 201611291203
Number of Entries: 1349
Certificate key size selection (397883)
FortiOS will now support different SSL certificate key lengths from the HTTPS server. FortiOS will select a key size from the two options of 1024 and 20148, to match the key size (as close as possible, rounding up) on the HTTS server. If the size of the key from the server is 512 or 1024 the proxy will select a 1024 key size. If the key size from the servers is over 1024, the proxy will select a key size of 2048.
CLI changes:
In ssl-ssh-profile remove:
- certname-rsa l certname-dsa l certname-ecdsa
In vpn certificate setting, add the following options :
- certname-rsa1024 l certname-rsa2048 l certname-dsa1024 l certname-dsa2048 l certname-ecdsa256 l certname-ecdsa384
AWS API integration for dynamic firewall address object (400265)
Some new settings have been added to the CLI that will support instance information being retrieved directly from the AWS server. The IP address of a newly launched instance can be automatically added to a certain firewall address group if it meets specific requirements. The new address type is:ADDR_TYPE_AWS New CLI configuration settings:
The AWS settings
config aws set access-key set secret-key set region set vpc-id set update-interval
l access-key – AWS access key. l secret-key – AWS secret key. l region – AWS region name. vpc-id – AWS VPC ID. update-interval – AWS service update interval (60 – 600 sec, default = 60).
The AWS address:
config firewall address edit <address name> set type aws set filter <filter values>
The filter can be a combination of any number of conditions, as long as the total length of filter is less than 2048 bytes. The syntax for the filter is:
<key1=value1> [& <key2=value2>] [| <key3=value3>]
For each condition, it includes a key and value, the supported keys are:
- instanceId, (e.g. instanceId=i-12345678)
- instanceType, (e.g. instanceType=t2.micro)
- imageId, (e.g. imageId=ami-123456)
- keyName, (e.g. keyName=aws-key-name)
- architecture, (e.g. architecture=x86)
- subnetId, (e.g. subnetId=sub-123456)
- availabilityzone, (e.g. placement.availabilityzone=us-east-1a)
- groupname, (e.g. placement.groupname=group-name)
- tenancy, (e.g. placement.tenancy=tenancy-name)
- privateDnsName, (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
- publicDnsName, (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
- AWS instance tag, each tag includes a key and value, the format of tag set is: tag.Name=Value, maximum of 8 tags are supported.
Internet service configuration (405518)
To make the CLI configuration of Internet service configuration more intuitive, the settings for Internet service in Explicit Web proxy are closer to those in the Firewall police. An Internet service enable switch has been added to the Explicit Web proxy with the same text description as the Firewall policy.
CLI:
The relevant options in the firewall policy are:
config firewall policy edit 1 set internet-service enable
set internet-service-id 327681 1572864 917519 393225 1572888 1572877 917505
next end
The Explicit Web proxy is now has these options:
config firewall proxy-policy
edit 1
set uuid f68e0426-dda8-51e6-ac04-37fc3f92cadf set proxy explicit-web set dstintf “port9” set srcaddr “all” set internet-service 2686980 set action accept set schedule “always” set logtraffic all
next end
Changes to SSL abbreviate handshake (407544)
The SSL handshake process has changed to make troubleshooting easier.
- In order to better identify which clients have caused SSL errors, the WAD SSL log will use the original source address rather than the source address of packets. l The return value of wad_ssl_set_cipher is checked.
- The wad_ssl_session_match has been removed because it will add the connection into bypass cache and bypass further inspection.
- DSA and ECDSA certificates are filtered for admin-server-cert l cert-inspect is reset after a WAD match to a Layer 7 policy l An option to disable the use of SSL abbreviate handshake has been added
CLI addition
config firewall ssl setting set abbreviate-handshake [enable|disable]
NGFW mode in the VDOM – NAT & SSL Inspection considerations (407547)
Due to how the NGFW Policy mode works, it can get complicated in the two areas of NAT and SSL Deep
Inspection. To match an application against a policy, some traffic has to pass through the FortiGate in order to be properly identified. Once that happens may end up getting mapped to a different policy, where the new policy will be appropriately enforced.
NAT
In the case of NAT being used, the first policy that is triggered to identify the traffic might require NAT enabled for it to work correctly. i.e., without NAT enabled it may never be identified, and thus not fall through. Let’s use a very simple example:
Policy 1: Block Youtube
Policy 2: Allow everything else (with NAT enabled)
Any new session established will never be identified immediately as Youtube, so it’ll match policy #1 and let some traffic go to try and identify it. Without NAT enabled to the Internet, the session will never be setup and thus stuck here.
Solution:
NAT for NGFW policies must be done via Central SNAT Map
Central SNAT Map entries now have options for ‘srcintf’, ‘dstintf’ and ‘action’.
- If no IP-pools are specified in the Central SNAT entry, then the outgoing interface address will be used.
- NGFW policies now must use a single default ssl-ssh-profile. The default ssl-ssh-profile can be configured under the system settings table.
SSL
In the case of SSL inspection, the issue is a bit simpler. For each policy there are 3 choices:
- No SSL,
- Certificate Only
- Deep Inspection.
For 1. and 2. there is no conflict and the user could enable them inter-changeably and allow policy fallthrough.
The issue happens when:
- The first policy matched, uses Certificate Only
- After the application is detected, it re-maps the session to a new policy which has Deep Inspection enabled This switching of behavior is the main cause of the issue.
Solution:
- Multiple SSL profiles have been replaced with a single page of settings l The user can setup exemptions for destination web category, source IP or etc.
CLI
Changes
config system settings set inspection-mode flow set policy-mode [standard | ngfw]
Has been changed to:
config system settings set inspection-mode flow
set ngfw-mode [profile-based | policy-based]
l ngfw-mode – Next Generation Firewall mode. l profile-based – Application and web-filtering is configured using profiles applied to policy entries. l policy-based – Application and web-filtering is configured as policy match conditions.
Additions
Setting the vdom default ssl-ssh-profile
config system settings set inspection-mode flow set ngfw-mode policy-based set ssl-ssh-profile <profile>
ssl-ssh-profile – VDOM SSL SSH profile.
Setting srcintf, dstintf, action on the central-snat policy
config firewall central-snat-map edit <id> set srcintf <names or any> set dstintf <names or any> set action (permit | deny)
l srcintf – Source interface name. l dstintf – Destination interface name. l action – Action of central SNAT policy.
GUI
System settings, VDOM settings list/dialog: l A field has been added to show the default ssl-ssh-profile IPv4/v6 Policy list and dialogs:
- In NGFW policy-based mode, there are added tool tips under NAT columns/fields to indicate that NAT must be configured via Central SNAT Map. Additionally, links to redirect to Central SNAT list were added.
- Default ssl-ssh-profile is shown in the policy list and dialog for any policies doing NGFW (`application, application-categories, url-categories`) or UTM (`av-profile etc.) inspection. l Default ssl-ssh-profile is disabled from editing in policy list dialog Central SNAT Policy list and dialogs:
- In both profile-based & policy-basedngfw-mode, fields for srcintf, dstintf were added to Central
SNAT policies entries.
- In policy-based mode only, a toggle-switch for NAT Action was added in Central SNAT policy dialog. The action is also configurable from the Action column in Central SNAT policy list.
SSL/SSH Inspection list:
- In policy-based mode only, the navigation bar link to SSL/SSH Inspection redirects to the profiles list l In policy-based mode only, the SSL/SSH Inspection list table indicates which profile is the current VDOM default.
Additionally, options are provided in the list menu and context menu to change the current VDOM default.
Support HTTP policy for flow-based inspection (411666)
It is possible to impliment an HTTP-policy in a VDOM that is using the Flow-based inspection mode. Enabling the
HTTP-policy causes the traffic to be redirected to WAD so that the traffic can be properly matched and processed.
Support for CA chain downloading to improve certificate verification (369270)
During certificate verification, if the certificate chain is not complete and CA issuer information exists in the certifcate, FortiOS attempts to download intermediate/root CAs from the HTTP server and attempts to perform chain verification. The downloaded CAs are saved in a cache (max 256) to be re-used for future certificate validation. CAs are removed from the cache if they are inactive or not needed for more than 1 hour.
CA chain downloading is used to improve verification results for certificates that are difficult to verify. The CAs are kept in the cache to improve performance.
New WAN Optimization Features in 5.6
WAN Optimization GUI changes (283422)
Improvements have been made to the WAN Optimization Profiles and Authentication Group pages.
New Proxy Features in 5.6
Explicit proxy supports multiple incoming ports and port ranges (402775, 398687)
Explicit proxy can now be configured to listen on multiple ports on the same IP as well as listen for HTTP and HTTPS on those same (or different) ports.
Define the IP ranges using a hyphen (–). As shown below, port_high is not necessary to specify if port_low is equal to port_high.
CLI syntax
config web-proxy explicit set http-incoming-port <port_low> [-<port_high>]
end
Explicit proxy supports IP pools (402221)
Added a new command, poolname, to config firewall proxy-policy. When setting the IP pool name with this command, the outgoing IP will be selected.
CLI syntax
config firewall proxy-policy edit <example> set poolname <name>
end
New Proxy Features
Option to remove unsupported encoding from HTTP headers (392908)
Added a new command to config web-proxy profile that, when enabled, allows the FortiGate to strip out unsupported encoding from request headers, and correctly block banned words. This is to resolve issues when attempting to successfully block content using Google Chrome.
CLI syntax:
config web-proxy profile edit <example> set strip-encoding {enable | disable}
end
New authentication process for explicit web proxying (386474, 404355)
While in Proxy inspection mode, explicit proxy options can be set under Network > Explicit Proxy. These settings will affect what options are available for creating proxy policies under Policy & Objects > Proxy Policy. From here you may create new policies with Proxy Type set to either Explicit Web, Transparent Web, or FTP.
Authentication will be triggered differently when configuring a transparent HTTP policy. Before such a policy can be configured, you must enable HTTP Policy Redirect under Security Profiles > Proxy Options.
Added Internet services to explicit proxy policies (386182)
Added two new commands to config firewall proxy-policy. FortiOS can use the Internet Service Database (introduced in 5.4.1) as the web-proxy policy matching factor.
CLI syntax:
config firewall proxy-policy edit <example> set internet-service <application-id> set internet-service-custom <application-name>
Virtual WAN link in an explicit proxy firewall policy (385849, 396780)
Virtual WAN link (VWL) interfaces may now be set as the destination interface in an explicit proxy policy, routing traffic properly using basic virtual WAN link load balance settings. This is now configurable through both the CLI under firewall proxy-policy and the GUI.
Added application ID and category setting on the explicit proxy enabled service (379330)
This feature introduces support for application ID/category in the service of explicit proxy as one policy selection factor. The intent is to identify the application type based on the HTTP request with IPS application type detection function. It is similar to the current firewall explicit address, but it is implemented as a service type, and you can select the application ID/ category to define explicit service. Of course, now it must be an HTTP-based application.
CLI syntax config firewall service custom
Proxy Features in 5.6
edit “name” set app-service-type [disable|app-id|app-category]
next
end
Explicit Proxy – populate pac-file-url in transparent mode (373977)
You can now use manageip to populate pac-file-url in transparent opmode. Previously, in the CLI, when displaying pac-file-url, the code only tries to get interface IP to populate pac-file-url.
CLI syntax
config vdom edit root config system settings set opmode transparent set manageip 192.168.0.34/24
end config web-proxy explicit set pac-file-server-status enable get pac-file-url [url.pac]
end
SSL deep inspection OCSP support for Explicit Proxy (365843)
OCSP support for SSL deep inspection added for Explicit Proxy.
CLI syntax
config vpn certificate setting set ssl-ocsp-status [enable|disable] set ssl-ocsp-option [certificate|server]
end
Timed out authentication requests are now logged (357098)
CLI syntax
config web-proxy explicit set trace-auth-no-rsp [enable|disable] end