Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. Vendors that resell hardware with zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, are a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

AppCtrl basic category filters and overrides


Once you have created an application sensor, you can define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides.

  • Categories: Choose groups of signatures based on a category type.
  • Application overrides: Choose individual applications.
  • Filter overrides: Select groups of applications and override the application signature settings for them.

Categories

Categories allow you to choose groups of signatures based on a category type.

Applications belonging to the category trigger the action set to the category.

To set category filters in the CLI:

    config application list
        edit {id}
            config entries
                edit 1
                    set category {id}
                    set action {pass | block | reset}
                    set log {enable | disable}
                next
            end
        next
    end

Category IDs:

    ID  Category
    2   P2P
    3   VoIP
    5   Video/Audio
    6   Proxy
    7   Remote.Access
    8   Game
    12  General.Interest
    15  Network.Service
    17  Update
    21  Email
    22  Storage.Backup
    23  Social.Media
    25  Web.Client
    26  Industrial
    28  Collaboration
    29  Business
    30  Cloud.IT
    31  Mobile

Actions:

    pass   Pass or allow matching traffic.
    block  Block or drop matching traffic.
    reset  Reset sessions for matching traffic.

To set category filters in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under Categories, left-click the icon next to the category name to view a dropdown of actions:
     • Allow
     • Monitor
     • Block
     • Quarantine
     • View signatures
  3. Select OK.

Application and filter overrides

Override type  Setting
Application    Type: Choose Application for application overrides.
               Action: Can be set to Monitor/Allow/Block/Quarantine.
               Application: Multiple app signatures can be added for one entry. A slide-in presenting an application list is shown to select specific app signatures, and the search box can be used to filter matching signatures.
Filter         Type: Choose Filter for filter overrides.
               Action: Can be set to Monitor/Allow/Block/Quarantine.
               Filter: Filters can be selected by behavior, application category, technology, popularity, protocol, risk, or vendor subtypes.
               Search box: Can be used to determine whether the entered signature is included in the selected filters; matched applications are shown at the bottom.

To set overrides in the CLI:

    config application list
        edit {id}
            config entries
                edit 1
                    set protocols {0-47}     # network protocol ID
                    set risk {id}            # 1-5: Low, Elevated, Medium, High, Critical
                    set vendor {0-25}        # vendor ID
                    set technology {id}
                    set behavior {id}
                    set popularity {1-5}     # popularity level 1-5
                    set action {pass | block | reset}
                    set log {enable | disable}
                next
            end
        next
    end

Risk: the risk, or impact, of allowing traffic from this application to occur (1 – 5: Low, Elevated, Medium, High, and Critical).

Technology IDs:

    ID   Technology
    All  All
         Network-Protocol
         Browser-Based
         Client-Server
    4    Peer-to-Peer

Behavior IDs:

    ID   Behavior
    All  All
         Botnet
         Evasive
         Excessive-Bandwidth
         Tunneling
    9    Cloud

Actions:

    pass   Pass or allow matching traffic.
    block  Block or drop matching traffic.
    reset  Reset sessions for matching traffic.
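The category and override CLI above is easy to script once the value ranges are pinned down. The following Python script is an added example, not code from the original post or from Fortinet: it renders a config application list block from a declarative spec and refuses invalid values (an action outside pass/block/reset, a risk, popularity, vendor or protocol ID outside its documented range, an unknown category name) before anything is pasted into a FortiGate. It assumes the sensor is addressed by name in edit and that set category accepts several IDs on one line; the category IDs are the ones from the table above, and technology and behavior IDs are passed through as given.

```python
"""Render a FortiOS application sensor ("config application list") from a
declarative spec and validate the values first.  Added example, not
Fortinet's code.  Assumptions: the sensor is addressed by name in "edit",
and "set category" accepts several IDs on one line."""

# Category IDs as listed in the post (FortiOS 6.2 application control).
CATEGORY_IDS = {
    "P2P": 2, "VoIP": 3, "Video/Audio": 5, "Proxy": 6, "Remote.Access": 7,
    "Game": 8, "General.Interest": 12, "Network.Service": 15, "Update": 17,
    "Email": 21, "Storage.Backup": 22, "Social.Media": 23, "Web.Client": 25,
    "Industrial": 26, "Collaboration": 28, "Business": 29, "Cloud.IT": 30,
    "Mobile": 31,
}
ACTIONS = {"pass", "block", "reset"}   # as documented for "set action"

# Keywords whose value must be an integer in a documented range.
RANGED = {"risk": (1, 5), "popularity": (1, 5), "vendor": (0, 25), "protocols": (0, 47)}


def _check_range(name, value):
    lo, hi = RANGED[name]
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}-{hi}, got {value!r}")


def build_entry(entry_id, spec):
    """Return the CLI lines for one item under 'config entries'.

    spec keys: category (one name or a list of names), risk, popularity,
    vendor, protocols, technology, behavior, action ("pass" | "block" |
    "reset", default "block"), log (bool, default True).
    """
    action = spec.get("action", "block")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    lines = [f"        edit {entry_id}"]
    cats = spec.get("category", [])
    if isinstance(cats, str):
        cats = [cats]
    if cats:
        unknown = [c for c in cats if c not in CATEGORY_IDS]
        if unknown:
            raise KeyError(f"unknown category names: {unknown}")
        lines.append("            set category " + " ".join(str(CATEGORY_IDS[c]) for c in cats))
    for key in ("protocols", "risk", "vendor", "popularity"):
        if key in spec:
            _check_range(key, spec[key])
            lines.append(f"            set {key} {spec[key]}")
    for key in ("technology", "behavior"):   # IDs are passed through as given
        if key in spec:
            lines.append(f"            set {key} {spec[key]}")
    lines.append(f"            set action {action}")
    lines.append("            set log " + ("enable" if spec.get("log", True) else "disable"))
    lines.append("        next")
    return lines


def build_sensor(name, entries):
    """Return the complete 'config application list' block as one string."""
    lines = ["config application list", f'    edit "{name}"', "        config entries"]
    for n, spec in enumerate(entries, start=1):
        lines.extend(build_entry(n, spec))
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: block P2P and Proxy, reset the riskiest and most
    # popular cloud-behavior apps (behavior ID 9 from the post), and pass
    # Collaboration with logging so the traffic is still visible.
    print(build_sensor("block-evasive", [
        {"category": ["P2P", "Proxy"], "action": "block"},
        {"risk": 5, "popularity": 5, "behavior": 9, "action": "reset"},
        {"category": "Collaboration", "action": "pass", "log": True},
    ]))
```

Entries are numbered in the order given, which is also the order the sensor evaluates them, so the pass entry for Collaboration sits last and does not shadow the block and reset entries above it.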

To set overrides in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under the Application and Filter Overrides table, click Create New.
  3. To add individual applications:
    1. Select Application as the Type.
    2. Choose an action to be associated with the application.
    3. Select the + button in the Application field and choose the specific applications from the list of app signatures. Multiple applications may be selected.
    4. Select OK.
  4. To add advanced filters:
    1. Create another entry in the Application and Filter Overrides table.
    2. Select Filter as the Type.
    3. In the Select Entries pane, select Cloud under the Behavior section. Matched signatures are shown along the bottom.
    4. Select OK.

FortiOS 6.2.2 Release Notes


Change Log

Date        Change Description
2019-10-09  Initial release.
2019-10-10  Added 551119 to Resolved Issues. Added commands to the Previous releases column in the Changes in CLI defaults SSH and SSL VPN sections.

Introduction and supported models

This guide provides release information for FortiOS 6.2.2 build 1010.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.2 supports the following models.

FortiGate: FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi: FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E

FortiGate Rugged: FGR-30D, FGR-35D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN

Pay-as-you-go images: FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

FortiOS Carrier: FortiOS Carrier 6.2.2 images are delivered on request and are not available on the Beta portal.

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.2. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1010.

FGR-90D is released on build 5335.

Special notices

  • Common vulnerabilities and exposures
  • New Fortinet cloud services
  • FortiGuard Security Rating Service
  • FortiGate hardware limitation
  • CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements
  • Use of dedicated management interfaces (mgmt1 and mgmt2)
  • NP4lite platforms
  • Tags option removed from GUI
  • Mobile token authentication

Common vulnerabilities and exposures

FortiOS 6.2.1 is no longer vulnerable to the issue described at https://fortiguard.com/psirt/FG-IR-19144.

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare and Fortinet’s FortinetOne single sign-on (SSO) service. These updates will be available by mid-Q2 2019.

  • Overlay Controller VPN
  • FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring
  • FortiManager Cloud
  • FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model:

  • FGR-30D
  • FGR-35D
  • FGT-30E
  • FGT-30E-MI
  • FGT-30E-MN
  • FGT-50E
  • FGT-51E
  • FGT-52E
  • FWF-30E
  • FWF-30E-MI
  • FWF-30E-MN
  • FWF-50E
  • FWF-50E-2R
  • FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing, HA failing to form.
  • IPv6 packets being dropped.
  • FortiSwitch devices failing to be discovered.
  • Spanning tree loops may result depending on the network topology.

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects from the introduction of a new command, which is enabled by default:

    config global
        set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped and therefore no STP loop results.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • HA may fail to form depending on the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

 


CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected:

  • FG-900D
  • FG-1000D
  • FG-2000E
  • FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:

  • The System > Tags page is removed.
  • The Tags section is removed from all pages that had a Tags section.
  • The Tags column is removed from all column selections.

Mobile token authentication

Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

Changes in default behavior

AntiVirus

  • In previous releases, the scan mode controlled which features were displayed based on their compatibility with the proxy and flow [quick | full] modes (now [default | legacy]). This release disregards that behavior, making the antivirus profile scan-mode agnostic: all AV options are displayed regardless of the AV profile’s scan-mode setting. Enforcement is handled by the kernel based on the firewall policy using AV. Unsupported AV features do not take effect if the inspection mode is proxy or flow.
  • In this release, AntiVirus can do SSH inspection.

FOC

The apn option under apn-shaper now accepts multiple apn or apngrp entries.

Previous releases:

    config gtp apn
        edit "apn1"
            set apn "internet"
        next
        edit "apn2"
            set apn "intranet"
        next
    end
    config gtp apngrp
        edit "apngrp1"
            set member "apn1"
        next
    end
    config gtp apn-shaper
        edit 1
        next
    end

6.2.2 release:

    config gtp apn
        edit "apn1"
            set apn "internet"
        next
        edit "apn2"
            set apn "intranet"
        next
    end
    config gtp apngrp
        edit "apngrp1"
            set member "apn1"
        next
    end
    config gtp apn-shaper
        edit 1
            set apn "apn2" "apngrp1"    <==changed
        next
    end

FortiSwitch Controller

  • FortiLink interface is on by default on FortiGate E series platform.
  • On FG-100E and higher, create an empty FortiLink aggregate interface (fortilink) by default. If aggregate interface is not supported, create a hardware switch interface instead.
  • For FortiGate models below FG-100E, create an empty FortiLink hardware switch interface (fortilink) by default. If hardware switch interface is not supported, create aggregate interface instead.
  • When the FortiLink interface is enabled, CLI displays an error message when trying to change the FortiGate to TP mode.


Firewall

  • Only IP and protocol are matched, and the source port is ignored, when ISDB is applied as the source in a policy.
  • Internet-service-addition overwrites the default ports of an internet-service ID if the protocols are the same.
  • Firewall policy supports wildcard-fqdn objects with the FQDN type.
  • This release supports srcaddr/dstaddr/internet-service/internet-service-src negate in consolidated policy.
  • All attributes of the FABRIC_DEVICE object, except for IP address and type, can be modified from the CLI but not from the GUI.

Log & Report

  • In previous releases, FortiGate only sent event logs to FAZ-Cloud. In this release, FortiGate sends both event logs and UTM logs to FAZ-Cloud.

Switch

  • Add VLAN switch feature to FG-300E and FG-301E.

System

  • An API user must have at least one trust host IP address.
  • Only show the diagnose sys nmi-watchdog command on platforms that have an “nmi” button.
  • With a mgmt interface set to dedicated-to-management, three cases were added:
    • When no trust host is set, all IPv4 and IPv6 addresses have access.
    • When only IPv4 addresses are set as trust hosts, IPv6 addresses cannot log in.
    • When only IPv6 addresses are set as trust hosts, IPv4 addresses cannot log in.
  • There is no mgmt option on a GRE tunnel interface when it is set to dedicated-to-management.
  • Allow a VDOM admin to create a loopback interface if there is no physical interface in the VDOM.
  • The trust-ip option in config system interface always overrides the trusthost option in config system admin.

 

Changes in CLI defaults

AntiVirus

Add SSH inspection. This is only compatible with proxy inspection.

Previous releases:

    config antivirus profile
        edit "profile_name"
        next
    end

6.2.2 release:

    config antivirus profile
        edit "profile_name"
            config ssh                           <==added
                set options scan                 <==added
                unset archive-block              <==added
                unset archive-log                <==added
                set emulator enable              <==added
                set outbreak-prevention disabled <==added
            end
        next
    end

Endpoint Control

Add fortiems-cloud option under FSSO user.

Previous releases:

    config user fsso
        edit <name>
        next
    end

6.2.2 release:

    config user fsso
        edit <name>
            set type fortiems-cloud    <==added
        next
    end

Add attribute fortinetone-cloud-authentication to endpoint control fctems.

Previous releases:

    config endpoint-control fctems
        edit <name>
        next
    end

6.2.2 release:

    config endpoint-control fctems
        edit <name>
            set fortinetone-cloud-authentication [enable | disable]    <==added
        next
    end

Add sub-second-sampling under GTP.

Previous releases:

    config firewall gtp
        edit "gtpp"
        next
    end

6.2.2 release:

    config firewall gtp
        edit "gtpp"
            set sub-second-sampling enable    <==added
            set sub-second-interval 0.1       <==added
        next
    end

Firewall

Add HTTPS as a type of health check for VIP load-balance monitor.

Previous releases:

    config firewall ldb-monitor
        edit [Monitor Name]
            set type ?
            ping    PING health monitor.
            tcp     TCP-connect health monitor.
            http    HTTP-GET health monitor.

6.2.2 release:

    config firewall ldb-monitor
        edit [Monitor Name]
            set type ?
            ping    PING health monitor.
            tcp     TCP-connect health monitor.
            http    HTTP-GET health monitor.
            https   HTTP-GET health monitor with SSL.    <==added

Remove set type wildcard-fqdn and set wildcard-fqdn <string> from firewall address.

Previous releases:

    config firewall address
        edit [Address]
            set type wildcard-fqdn        <==removed
            set wildcard-fqdn <string>    <==removed
        next
    end

6.2.2 release:

    config firewall address
        edit [Address]
        next
    end

Add CLI commands to support address and service negate in consolidated policy.

Previous releases:

    config firewall consolidated policy
        edit [Policy ID]
        next
    end

6.2.2 release:

    config firewall consolidated policy
        edit [Policy ID]
            set srcaddr-negate [enable | disable]                 <==added
            set dstaddr-negate [enable | disable]                 <==added
            set service-negate [enable | disable]                 <==added
            set internet-service-negate [enable | disable]        <==added
            set internet-service-src-negate [enable | disable]    <==added
        next
    end

Proxy

In the protocol options profile, add the ssl-offloaded command under each protocol.

Previous releases:

    config firewall profile-protocol-options
        edit "default-clone"
            config http
            end
            config ftp
            end
            config imap
            end
            config pop3
            end
            config smtp
            end
        next
    end

6.2.2 release:

    config firewall profile-protocol-options
        edit "default-clone"
            config http
                set ssl-offloaded no    <==added
            end
            config ftp
                set ssl-offloaded no    <==added
            end
            config imap
                set ssl-offloaded no    <==added
            end
            config pop3
                set ssl-offloaded no    <==added
            end
            config smtp
                set ssl-offloaded no    <==added
            end
        next
    end

Traffic Shaping

Add a new global CLI table to define traffic classes. The table is a mapping between class-ID and name; the class-ID used in shaping-policy, shaping-profile, and traffic-shaper must be data-sourced from this CLI table.

6.2.2 release:

    config firewall traffic-class    <==added
        edit [Class-ID]              <==added
    end                              <==added

Log & Report

Add CLI allowing user to configure socket priority and maximum log rate per remote log device.

Similar settings apply to config log fortiguard setting and config log syslogd setting.

Previous releases:

    config log fortianalyzer setting
    end
    config log fortianalyzer override-setting
    end

6.2.2 release:

    config log fortianalyzer setting
        set priority [default | low]                 <==added
        set max-log-rate [Log Rate, unit is MBps]    <==added
    end
    config log fortianalyzer override-setting
        set priority [default | low]                 <==added
        set max-log-rate [Log Rate, unit is MBps]    <==added
    end

Add the test command option in the CLI.

Previous releases:

    diag test application miglogd

6.2.2 release:

    diag test application miglogd 40    <==added option "40"

SSH

Add file transfer scan over SSH (SCP and SFTP).

Previous releases:

    config ssh-filter profile
        edit [Profile Name]
            set default-command-log disable
        next
    end

6.2.2 release:

    config ssh-filter profile
        edit [Profile Name]
            set block x11 shell exec port-forward tun-forward sftp scp unknown    <==added scp
            set log x11 shell exec port-forward tun-forward sftp scp unknown      <==added scp
            set default-command-log disable
            config file-filter                     <==added
                set status enable                  <==added
                set log enable                     <==added
                set scan-archive-contents enable   <==added
                config entries                     <==added
                    edit [Entry]                   <==added
                        set comment ''             <==added
                        set action block           <==added
                        set direction any          <==added
                        set password-protected any <==added
                        set file-type "msoffice"   <==added
                    next
                end
            end
        next
    end

SSL VPN

Remove citrix and portforward from apptype in the three entries in SSL VPN web bookmark.

Previous releases:

    conf vpn ssl web user-bookmark
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    citrix        Citrix.          <==removed
                    ftp           FTP.
                    portforward   Port Forward.    <==removed
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

    conf vpn ssl web user-group-bookmark
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    citrix        Citrix.          <==removed
                    ftp           FTP.
                    portforward   Port Forward.    <==removed
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

    conf vpn ssl web portal
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    citrix        Citrix.          <==removed
                    ftp           FTP.
                    portforward   Port Forward.    <==removed
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

6.2.2 release:

    conf vpn ssl web user-bookmark
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    ftp           FTP.
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

    conf vpn ssl web user-group-bookmark
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    ftp           FTP.
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

    conf vpn ssl web portal
        edit [Name]
            config bookmarks
                edit [Bookmark Name]
                    set apptype ?
                    ftp           FTP.
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
                next
            end
        next
    end

System

Add description in system security zones.

Previous releases:

    config system zone
        edit [Zone Name]
        next
    end

6.2.2 release:

    config system zone
        edit [Zone Name]
            set description ""    <==added
        next
    end

Increase the maximum number of DNS servers supported in DHCP server from 3 to 4.

Previous releases:

    config system dhcp server
        edit [Server ID]
            set dns-server1 1.1.1.1
            set dns-server2 2.2.2.2
            set dns-server3 3.3.3.3
        next
    end

6.2.2 release:

    config system dhcp server
        edit [Server ID]
            set dns-server1 1.1.1.1
            set dns-server2 2.2.2.2
            set dns-server3 3.3.3.3
            set dns-server4 4.4.4.4    <==added
        next
    end

VM

Remove the vdom-mode multi-vdom option for cloud-based on-demand FGT-VM.

Previous releases:

    config sys global
        set vdom-mode ?
        no-vdom       Disable split/multiple VDOMs mode.
        split-vdom    Enable split VDOMs mode.
        multi-vdom    Enable multiple VDOMs mode.    <==removed
    end

6.2.2 release:

    config sys global
        set vdom-mode ?
        no-vdom       Disable split/multiple VDOMs mode.
        split-vdom    Enable split VDOMs mode.
    end

Remove security rating from FGT_VMX and FGT_SVM.

Previous releases:

    diagnose security-rating version    <==removed

Enable CPU hot plug in kernel configuration.

6.2.2 release:

    execute cpu show    <==added
    Active CPU number: 1
    Total CPU number: 8

    execute cpu add 1    <==added
    Active CPU number: 2
    Total CPU number: 8

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud, and OCI).

Previous releases:

    pcui-cloudinit-test # execute <?>

    config sys interface
        edit [Name]
        next
    end

    conf sys global
        set sslvpn-cipher-hardware-acceleration    <==removed
    end

6.2.2 release:

    pcui-cloudinit-test # execute <?>
    update-eip    Update external IP.    <==added

    config sys interface
        edit [Name]
            set eip    <==added
        next
    end

    conf sys global
    end

WiFi Controller

Add portal-type external-auth when captive-portal is enabled on local-bridge VAP.

Previous releases:

    config wireless-controller vap
        edit "wifi.fap.02"
            set ssid "bridge-captive"
            set local-bridging enable
            set security captive-portal
            set external-web "170.00.00.000/portal/index.php"
            set radius-server "peap"
        next
    end

6.2.2 release:

    config wireless-controller vap
        edit "wifi.fap.02"
            set ssid "bridge-captive"
            set local-bridging enable
            set security captive-portal
            set portal-type external-auth    <==added
            set external-web "170.00.00.000/portal/index.php"
            set radius-server "peap"
        next
    end

Move darrp-optimize and darrp-optimize-schedules configurations from Global level to VDOM level.

Previous releases:

    ### Global ###
    config wireless-controller timers
        set darrp-optimize 86400                                 <==removed
        set darrp-optimize-schedules "default-darrp-optimize"    <==removed
    end

6.2.2 release:

    ### VDOM ###
    config wireless-controller setting
        set darrp-optimize 86400                                 <==added
        set darrp-optimize-schedules "default-darrp-optimize"    <==added
    end

Add external-web-format setting under captive-portal VAP when external portal is selected.

Previous releases:

    config wireless-controller vap
        edit guestwifi
            set ssid "GuestWiFi"
            set security captive-portal
            set external-web "http://170.00.00.000/portal/index.php"
            set selected-usergroups "Guest-group"
            set intra-vap-privacy enable
            set schedule "always"
        next
    end

6.2.2 release:

    config wireless-controller vap
        edit guestwifi
            set ssid "GuestWiFi"
            set security captive-portal
            set external-web "http://170.00.00.000/portal/index.php"
            set selected-usergroups "Guest-group"
            set intra-vap-privacy enable
            set schedule "always"
            set external-web-format auto-detect    <==added
        next
    end

Add new WTP profiles FAPU431F-default and FAPU433F-default.

Previous releases:

    config wireless-controller wtp-profile
        edit [FAPU431F-default | FAPU433F-default]
            config platform
            end
        next
    end

    config wireless-controller vap
        edit [SSID name]
        next
    end

6.2.2 release:

    config wireless-controller wtp-profile
        edit [FAPU431F-default | FAPU433F-default]
            config platform
                set type [U431F | U433F]          <==added
                set mode [dual-5G | single-5G]    <==added
            end
            config radio-1                 <==added
                set band 802.11ax-5G       <==added
            end
            config radio-2                 <==added
                set band 802.11ax-5G       <==added
            end
            config radio-3                 <==added
                set band 802.11n,g-only    <==added
            end
        next
    end

    config wireless-controller vap
        edit [SSID name]
            set high-efficiency enable     <==added
            set target-wake-time enable    <==added
        next
    end

For DFS approved countries, add 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models.

Previous releases:

    config wireless-controller wtp-profile
        edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
            config radio-2
                set band 802.11ac
            end
        next
    end

6.2.2 release:

    config wireless-controller wtp-profile
        edit [ FAPU421EV-default | FAPU422EV-default | FAPU423EV-default ]
            config radio-2
                set band 802.11ac
                set channel-bonding 160MHz    <==added
            end
        next
    end

Add MPSK schedule that allows setting valid period for MPSK.

Previous releases:

    config wireless-controller vap
        edit [SSID Interface Name]
            set mpsk enable
            config mpsk-key
                edit [MPSK Entry Name]
                    set passphrase 11111111
                next
            end
        next
    end

6.2.2 release:

    config wireless-controller vap
        edit [SSID Interface Name]
            set mpsk enable
            config mpsk-key
                edit [MPSK Entry Name]
                    set passphrase 11111111
                    set mpsk-schedules "always"    <==added
                next
            end
        next
    end

Add GRE&L2TP support in WiFi.

Previous releases:

    config wireless-controller vap
        edit "80e_gre"
            set ssid "FOS-QA_Bruce_80e_gre"
            set local-bridging enable
            set vlanid 3135
        next
    end

6.2.2 release:

    config wireless-controller wag-profile    <==added
        edit [Profile Name]                   <==added
    end

    config wireless-controller vap
        edit "80e_gre"
            set ssid "FOS-QA_Bruce_80e_gre"
            set local-bridging enable
            set vlanid 3135
            set primary-wag-profile "tunnel"    <==added
            set secondary-wag-profile "l2tp"    <==added
        next
    end

 

Changes in default values

AntiVirus

Change AV scan mode from [quick | full] to [default | legacy]. The default value is set to default.

Previous releases:

    config antivirus profile
        edit "profile_name"
            set scan-mode [quick | full]
        next
    end

6.2.2 release:

    config antivirus profile
        edit "profile_name"
            set scan-mode [default | legacy]    <==changed
        next
    end

Log & Report

Change default value from disable to enable for some configuration options under fortianalyzer-cloud filter.

Previous releases:

    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set anomaly disable
        set voip disable
        set dlp-archive disable
        set filter ''
        set filter-type include
    end

6.2.2 release:

    config log fortianalyzer-cloud filter
        set severity information
        set forward-traffic enable      <==changed
        set local-traffic enable        <==changed
        set multicast-traffic enable    <==changed
        set sniffer-traffic enable      <==changed
        set anomaly enable              <==changed
        set voip enable                 <==changed
        set dlp-archive disable
        set filter ''
        set filter-type include
    end
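Before/after tables like the ones in this section are worth checking mechanically across an upgrade, because a silently changed default (six more log categories sent to FAZ-Cloud, a different AV scan mode) changes what the device does without anyone editing the configuration. The following Python script is an added example, not Fortinet's code: it parses the FortiOS config syntax (config / edit / set / unset / next / end, with # comment lines skipped and the release-note <== markers ignored) into a nested structure and diffs two snippets, reporting added, removed and changed settings. The two inline snippets are constructed from the fortianalyzer-cloud filter table above; in practice the inputs would be the output of show saved before and after the upgrade.

```python
"""Parse FortiOS CLI config snippets into a nested structure and diff them.
Added example, not Fortinet's code.  Intended for comparing a pre-upgrade
"show" backup with a post-upgrade one to catch changed defaults."""
import shlex


def parse_fortios(text):
    """Return a nested dict: scope keys are ("config", args) / ("edit", args)
    tuples, setting keys are plain strings (None means "unset")."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("<==")[0].strip()   # drop release-note annotations
        if not line or line.startswith("#"):  # blank or comment line
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault((kw, " ".join(args)), {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw == "unset":
            stack[-1][args[0]] = None
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unmatched {kw!r}: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r} in {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit and next/end")
    return root


def flatten(tree, scope=()):
    """Yield (scope, setting, value); scope is the chain of enclosing blocks."""
    for key, val in tree.items():
        if isinstance(key, tuple):
            yield from flatten(val, scope + (f"{key[0]} {key[1]}",))
        else:
            yield scope, key, val


def diff_config(old_text, new_text):
    """Return a sorted list of ("added"|"removed"|"changed", (scope, name), value)."""
    old = {(s, k): v for s, k, v in flatten(parse_fortios(old_text))}
    new = {(s, k): v for s, k, v in flatten(parse_fortios(new_text))}
    changes = []
    for key in sorted(set(old) | set(new), key=str):
        if key not in old:
            changes.append(("added", key, new[key]))
        elif key not in new:
            changes.append(("removed", key, old[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, (old[key], new[key])))
    return changes


# Constructed samples mirroring the fortianalyzer-cloud filter table above.
OLD_FILTER = """config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set filter ''
    set filter-type include
end"""

NEW_FILTER = """config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic enable      <==changed
    set local-traffic enable        <==changed
    set multicast-traffic enable    <==changed
    set sniffer-traffic enable      <==changed
    set anomaly enable              <==changed
    set voip enable                 <==changed
    set dlp-archive disable
    set filter ''
    set filter-type include
end"""

if __name__ == "__main__":
    for kind, (scope, name), value in diff_config(OLD_FILTER, NEW_FILTER):
        print(kind, " / ".join(scope), name, value)
```

The diff is keyed on the full scope chain, so a setting that moves between tables (the darrp-optimize move from config wireless-controller timers to config wireless-controller setting in this release) shows up as a removal under one scope and an addition under the other, rather than being silently matched up.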


System

After creating a new VDOM, add default certificates for ssl-cert and ssl-ca-cert under web-proxy setting.

Previous releases:

    show web-proxy global
    config web-proxy global
        set ssl-cert ''
        set ssl-ca-cert ''
        set proxy-fqdn "default.fqdn"
    end

6.2.2 release:

    show web-proxy global
    config web-proxy global
        set ssl-cert 'Fortinet_Factory'      <==changed
        set ssl-ca-cert 'Fortinet_CA_SSL'    <==changed
        set proxy-fqdn "default.fqdn"
    end

WiFi Controller

Change default LLDP setting in wtp-profile from disable to enable.

Previous releases:

    config wireless-controller wtp-profile
        edit [FAP-Profile]
            set lldp disable
        next
    end

6.2.2 release:

    config wireless-controller wtp-profile
        edit [FAP-Profile]
            set lldp enable    <==changed
        next
    end

The default channel-utilization setting in wtp-profile is changed from disable to enable.

Previous releases:

    config wireless-controller wtp-profile
        edit [FAP Profile Name]
            config radio-1
                set channel-utilization disable
            end
            config radio-2
                set channel-utilization disable
            end
        next
    end

6.2.2 release:

    config wireless-controller wtp-profile
        edit [FAP Profile Name]
            config radio-1
                set channel-utilization enable    <==changed
            end
            config radio-2
                set channel-utilization enable    <==changed
            end
        next
    end

Increase normal WTP capacity on high end FortiGates from 1024 to 2048.

Previous releases -> 6.2.2 release:

    FGT( 1000, end ) = 1024 -> 2048

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:
     • Current Product
     • Current FortiOS Version
     • Upgrade To FortiOS Version
  5. Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:

  • Visibility – Detected information is available for topology visibility and logging.
  • FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those endpoints.
  • Mac-address-based device policies – Detected devices can be defined as custom devices, and then used in device-based policies.

In 6.2, these functionalities have changed:

  • Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information.
  • FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint connectors for dynamic policies. For more information, see Dynamic Policy FortiClient EMS (Connector) in the FortiOS 6.2.0 New Features Guide.
  • Mac-address-based policies – A new address type is introduced (Mac Address Range), which can be used in regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then adding them to the regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you will need to migrate these policies to the regular policy table manually after upgrade. After upgrading to 6.2.0:

  1. Create MAC-based firewall addresses for each device.
  2. Apply the addresses to regular IPv4 policy table.

 

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile under the Security Profiles menu has been removed as has the Enforce FortiClient Compliance Check option under each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0 and compliance is accomplished through the use of Compliance Verification Rules configured on FortiClient EMS 6.2.0 and enforced through the use of firewall policies. As a result, there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.2 greatly increases interoperability with other Fortinet products. This includes:

  • FortiAnalyzer 6.2.0
  • FortiClient EMS 6.2.0
  • FortiClient 6.2.0
  • FortiAP 5.4.4 and later
  • FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If Security Fabric is enabled, all FortiGate devices in the fabric must be upgraded to, and running, FortiOS 6.2.2.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server)
  • Certificate (config vpn certificate setting)
  • FortiSandbox (config system fortisandbox)
  • FortiGuard (config log fortiguard setting)
  • FortiAnalyzer (config log fortianalyzer setting)
  • LDAP server (config user ldap)
  • POP3 server (config user pop3)
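The following CLI fragment is an added example and is not taken from the release notes. It shows the global minimum next to a per-service override for one of the services listed above, and assumes that the ssl-min-proto-version option is available under config user ldap with the values default, TLSv1-1 and TLSv1-2, where default means inherit the global setting; the LDAP server name is constructed.

```text
# Added example (not from the release notes). Global floor after the upgrade
# to 6.2.2: confirm it rather than assume the upgrade set it.
config system global
    set ssl-min-proto-version TLSv1-2
end

# Weak override: a legacy LDAP server pinned to TLS 1.1. This silently drops
# one service below the global floor, so it should only exist as a documented,
# time-limited exception, not as a permanent fix for an old directory server.
config user ldap
    edit "legacy-ldap"            # constructed name, not from the page
        set ssl-min-proto-version TLSv1-1
    next
end

# Corrected: follow the global setting so the LDAP connection also uses TLS 1.2.
# Services left at "default" move with the global floor on future upgrades.
config user ldap
    edit "legacy-ldap"
        set ssl-min-proto-version default
    next
end
```

After an upgrade, listing every service whose ssl-min-proto-version is not default is a quick way to find overrides that predate the TLS 1.2 floor.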

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • admin user account
  • session helpers
  • system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.2.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.2, the interface allowaccess configuration on all managed FortiSwitches is overwritten by the default FortiGate local-access profile. You must manually add your protocols to the local-access profile after upgrading to 6.2.2.

To configure local-access profile:

config switch-controller security-policy local-access
    edit [Policy Name]
        set mgmt-allowaccess https ping ssh
        set internal-allowaccess https ping ssh
    next
end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch
    edit [FortiSwitch Serial Number]
        set switch-profile [Policy Name]
        set access-profile [Policy Name]
    next
end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global
    set vdom-mode [no-vdom | split-vdom]
end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or lowest-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard
    set update-server-location [usa | any]
end

FortiView widgets

FortiView widgets have been rewritten in 6.2.2. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product integration and support

The following table lists FortiOS 6.2.2 product integration and support information:

Web Browsers
  • Microsoft Edge 41
  • Mozilla Firefox version 59
  • Google Chrome version 65

  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 41
  • Mozilla Firefox version 59
  • Google Chrome version 65

  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  See important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

  Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer
  See important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

  Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient (Microsoft Windows, Mac OS X, Linux)
  • 6.2.0

  See important compatibility information in FortiClient Endpoint Telemetry license and Fortinet Security Fabric upgrade.

  FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

  If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS
  • 6.2.0 and later

FortiClient Android and FortiClient VPN Android
  • 6.2.0 and later

FortiAP
  • 5.4.2 and later
  • 5.6.0 and later

FortiAP-S
  • 5.4.3 and later
  • 5.6.0 and later

FortiAP-U
  • 5.4.5 and later

FortiAP-W2
  • 5.6.0 and later

FortiSwitch OS (FortiLink support)
  • 3.6.9 and later

FortiController
  • 5.2.5 and later

  Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0282 and later (needed for FSSO agent support of OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2016 Core
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 Core
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2008 Core
  • Novell eDirectory 8.8

FortiExtender
  • 3.2.1

AV Engine
  • 6.00132

IPS Engine
  • 5.00035

Virtualization Environments

Citrix
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later

Linux KVM
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later

Microsoft
  • Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016

Open Source
  • XenServer version 3.4.3
  • XenServer version 4.1 and later

VMware
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series – SR-IOV
  The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following table lists language support information for the GUI.

Language (GUI)
  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system and installers

Operating System                               Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)         2336
Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit)   2336

Download the installer from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System                             Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)    Mozilla Firefox version 61
                                             Google Chrome version 68
Microsoft Windows 10 (64-bit)                Microsoft Edge
                                             Mozilla Firefox version 61
                                             Google Chrome version 68
Linux CentOS 6.5 / 7 (32-bit & 64-bit)       Mozilla Firefox version 54
OS X El Capitan 10.11.1                      Apple Safari version 11
                                             Mozilla Firefox version 61
                                             Google Chrome version 68
iOS                                          Apple Safari
                                             Mozilla Firefox
                                             Google Chrome
Android                                      Mozilla Firefox
                                             Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360™ Version 4.0
  • Norton™ Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0


Resolved issues

The following issues have been fixed in version 6.2.2. For inquiries about a particular bug, please contact Customer Service & Support.

New features or enhancements

Bug ID Description
457153 Support for SSL VPN sign-on using certificate and remote (LDAP or RADIUS) username/password authentication.
538760 Monitor API to check SLBC cluster checksum status. New API added: monitor/system/configsync/status.
544704 FortiOS support for 802.11ax FortiAP-U431F/U433F.
550912 Support for link aggregation (LACP) on entry-level FortiGate is extended to all two-digit entry-level models: FGR-30D, FGR-35D, FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E.
554965 IPv6 is supported in communication between the following:
  • Collector agent and FortiGate
  • Collector agent and DC_agent
  • Collector agent and terminal server agent

AntiSpam

Bug ID Description
559802 Spam mail can’t be checked by antispam filter on SMTP protocol.

AntiVirus

Bug ID Description
545381 When proxy-av is configured for firewall policy, FTP file upload is stopped.
553143 Redundant logs and alert emails sent when file is sent to FortiSandbox Cloud via Suspicious Files Only.
561524 Cannot send an email with PDF attachment when FortiSandbox Cloud Inspection is enabled.
562037 CDR does not disarm files when they are sent over HTTP-POST, even though AV logs show the file has been disarmed.
575177 Advanced Threat Protection Statistics widget clean file count is incorrect.
580212 Policy in flow mode blocking Adobe creative cloud desktop application.

Application Control

Bug ID Description
558380 AppCtl does not detect application with webproxy-forward-server.

DNS Filter

Bug ID Description
567172 Enforcing Safe Search in 6.0.5 blocks access to Google domains which makes Safe Search not work.
578267 DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.
581778 Cannot re-order DNS domain filter list.

Data Leak Prevention

Bug ID Description
522472 DLP logs have a wrong reference link to archived file.
540317 DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.
570379 DLP only detects the first word of filename.

Explicit Proxy

Bug ID Description
543794 High CPU due to WAD process.
552334 Website does not work with SSL Deep inspection due to OCSP validation process.
557265 Browser redirect loop after re-authentication when using proxy-re-authentication-mode absolute.
561843 AppCtl does not scan traffic that is forwarded to an upstream proxy.
564582 Explicit proxy policy treats domain.tld in FQDN firewall address object as wildcard.
567029 WAD crashes at crypto_kxp_xform_block_enc when WAD is restarted while visiting a website after an authentication.
571034 Using disclaimer causes incorrect redirection.
572220 Unable to match the expected firewall proxy-policy when dstint is set to Zone where Zone member has PPPoE interface.
577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

Firewall

Bug ID Description
539421 Load Balance monitor stats reset after mode change.
540949 Health status of standby server in server load balance not available in GUI or CLI.
545056 Firewall should not be evaluated when an interface bandwidth widget is added to the dashboard.
552329 NP6 sessions dropped after any change in GUI.
554329 Schedule policy is not activated on time.
558689 Traffic dropped by anti replay in ECMP with IPS.
558690 Session timer left at half-open value once established in an ECMP with IPS context.
563471 HTTP load balancing doesn’t work after rebooting in Transparent mode.
563928 SFTP connection failure when SSH DPI and app-ctrl are enabled.
564990 Captive-portal-exempt is not supported in consolidated policy.
566951 Unexpected reverse path check failure on IPv6.
570468 FortiGate randomly not processing some NAT64 packets.
570507 Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

571022 SNAT before encryption in policy-based VPN for local traffic after upgrade from 5.6.8 to 6.0.5.
571832 Provide different protocol/port list when the same ISDB object is used as source/destination.
577752 Policy with a VIP with a destination interface of a zone is dropping packets.

FortiView

Bug ID Description
527540 Cannot click the Quarantine Host option on a registered device.
537819 FortiView All Sessions page: tooltip of geography IP shows ‘undefined’.
553627 FortiView pages cannot load with Failed to retrieve FortiView data.

GUI

Bug ID Description
445074 The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

479692 GUI shows error Image file doesn’t match platform even when the user is uploading correct image.
486230 GUI on FGT3800D with 5.6.3 is very slow – configuration with numerous policies.
493704 While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.
502740 Remove GUI instructions for Dialup-FortiClient VPN.
504829 GUI should not log out if there is 401 error on downstream device.
513157 Cannot filter on hit count “0” for policy match.
523403 GUI Protocol Port Mapping configuration should be rejected when an invalid port number such as -1 is entered.
526254 Interface page keeps loading when a VDOM admin has netgrp permission.
528649 vpngrp read or read-write access profile doesn’t work properly.
540056 Error message enhancement while creating packet capture in GUI with filter set to high port range.
540737 Should show a warning and block the user from using a no-inspection SSL/SSH profile when any UTM profile is used.
543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+emailcollection.
543637 Not able to filter the policy by multiple IDs.
544313 GUI SD-WAN Monitor page keeps loading.
548653 SSO_admin (super_admin) can’t open CLI window from GUI. Error says too many concurrent connection.
552552 Personal Privacy in FortiGuard category based filter mistranslated.
555121 Context menu of AP Group has unsupported actions enabled after change view on Managed FortiAPs page.
559799 Webhook automation host header incorrect.
560430 Some app-category cannot be listed on security policy editing page and get JS error.
561334 GUI SSID main passphrase and MPSK minimum length should be flexible according to new “wfacompatibility” setting.
563053 The warning message for third-party transceivers was removed in 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-adds the warning for third-party transceivers.
563445 Upgrade NGFW VDOM from v6.2.0, security policy should support virtual-wan-link interface.
564201 After OSPF change via GUI, password for virtual-link will completely disappear and must be reentered.
564601 Remove the license requirement to upload FortiGuard packages through the GUI when in USG mode.
565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.
566666 AP comments do not appear on the columns for Managed AP page.
568176 GUI response is very slow when accessing Route-Monitor page in GUI.
569080 SD-WAN rule GUI page doesn’t show red exclamation mark for DST-negate enabled, like firewall policy.
569259 Fabric SAML with FortiManager management. Downstream FortiGate login with SAML super admin only have read-only access on most pages.
571674 GUI config changes generate misleading config event logs.
571828 GUI admin password injected as PSK when adding phase2 configuration on Chrome.
572027 In Log View/FortiView, GUI cannot list logs from FortiAnalyzer on FGT/FWF boxes.
573070 Interface widget not loading fully (keeps spinning) when a VDOM “prof_admin” is used.
573869 Log search index files are never deleted when the logdisk is out of space.
574239 AWS/AWSONDEMAND missing dropdown selection box for HTTPS server and WiFi certificates in GUI.
575756 Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.
579259 Firewall User Monitor shows “Failed to retrieve info” and no entries if session-based proxy authentication is used.
583760 After adding few Web Rating Overrides via GUI to an already existing long list of URIs, Web Rating Overrides page is not loaded and keeps spinning.

HA

Bug ID Description
543602 Unnecessary syncing process started during upgrade when it takes longer.
554187 HA slave gets FW Signature un-certified after upgrading image from the master.
555056 Enable 2-factor using vcluster in GUI gets overwritten (sync) by slave.
555998 Load balanced (A-A) slave-session doesn’t forward traffic after session is dirtied due to FortiManager policy install.
557277 FortiGate FGSP configured with standalone-config-sync syncs the FortiAnalyzer source-IP configuration to the slave.
557473 FGSP found checksum mismatch after replaced one of the units in the cluster.
559172 VLAN in VDOM in virtual cluster not showing virtual MAC for the vcluster.
560096 Restoring config fails on slave when using TACACS+ (master OK).
560107 Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal.
563551 HASYNC aborts on slave unit.
569629 HA A-A local FQDN not resolving on slave unit.
574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.
575715 Unable to sync the Local-GW in FGSP.
576638 HA cluster GUI change does not send logs to the slave immediately.
577115 Master unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of master and slave does not contain the same VIP.

Intrusion Prevention

Bug ID Description
545823 Creating/editing a DoS-Policy takes a long time. GUI hangs or displays Error 500: Internal Server Error.
561623 IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

IPsec VPN

Bug ID Description
449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.
537450 Site-to-site VPN policy based with DDNS destination fail to connect.
553759 ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.
558693 FW90D VPN becomes unresponsive after changing VPN DDNS/Monitor.
559180 The command include-local-lan gets disabled after firewall is rebooted.
560223 Add support for EdDSA certificates for proxy-based deep-inspection / virtual-server when using TLS 1.3. This is resolved by: 0560223, 0561319, 0561820, 0561821, 0561822, 0561823, 0564510.
564237 After configuring SD-WAN and creating SD-WAN rule based on bandwidth criteria, the bandwidth value for tunnel interface is not calculated correctly.
569586 IPsec certificate based IKEv2 VPNs fail to read out certificate subject as username if ECC certificate is involved.
571209 Traffic over VLAN sub-interface pushed through the IPsec policy based VPN interface.
574115 PKI certificates with OU and/or DC as subject fail for PKI user filters.
575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.
577502 OCVPN cannot register – status ‘Undefined’.

Log & Report

Bug ID Description
387294 Country flags in Botnet C&C table and Top Destinations by Bandwidth table are all missing.
545948 FortiGate periodically stops sending syslog messages.
551459 srcintf is unknown-0 in traffic log for service DNS when action is IP connection error.
556199 No logs are generated when using local-in policy on ha-mgmt interface.
558702 miglogd not working until sysctl killall miglogd. Reboot does not help.
565216 miglogd memory usage increases and the unit enters conserve mode.
565505 miglogd high CPU utilization.
566843 No log generated when traffic is blocked by setting tunnel-non-http in webproxy.
568795 Specific traffic type is not logged on FAZ/Memory.
576024 Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

Proxy

Bug ID Description
457347 WAD crashes in wad_http_client_body_done when ICAP is enabled.
544414 WAD handles transparent FTP/FTPS traffic.
551119 Certificate blacklist not working correctly in proxy mode.
559166 In firmware 6.0.5, WAD CPU usage on all cores reaches 100% in each around 30s.
562610 FortiGate generates WAD crash wad_mem_malloc.
563154 Can’t open a particular web page via explicit proxy with deep inspection and webfilter profile enabled.
566859 In WAD conserve mode 5.6.8, max_blocks value is high on some workers.
567796 WAD constantly crashes every few seconds.
567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address is exempt.
568905 WAD crashes due to RCX null.
572489 SSL handshake sometimes fails because FortiGate replies with FIN to the client.
573340 WAD causing memory leak.
573721 For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.
573917 Certain web pages time out.
574171 Fail to connect https://drive.google.com by TLS 1.3.
574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.
579400 High CPU with authd process caused by WAD parsing a multi-line content-encoding error and IPC broken between WAD and authd.
581865 In proxy inspection with Application Control and certificate inspection, TLS error for certain web pages, in the Edge browser only.
582714 WAD might leak memory during SSL session ticket resumption.
583736 WAD application crashing in v6.2.1.

REST API

Bug ID Description
566837 HTTPSD process crashes when using REST API.

Routing

Bug ID Description
558979 ECMP-based session with auxiliary session and IPS is not offloaded in reply direction.
559645 Creating static route from GUI should set Dynamic Gateway disabled by default.
560633 OSPF route for AD-VPN tunnel interface flaps.
562159 ADVPN OSPF unable to ping over ADVPN linknet.
567497 FortiGate sends PIM register messages to RP for group 64.0.0.0 about nonexistent sources.
570686 FortiOS 6.2.1 introduces asymmetric return path on the HUB in SD-WAN after the link change due to SLA on the spoke.
571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.
573789 OSPF with virtual clustering not learning routes.
578623 Gradual memory increase with full BGP table.
581488 BGP confederation router sending incorrect AS to neighbor-group routers.

SSL VPN

Bug ID Description
476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.
478957 SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.
481038 Web application is not loading through SSL VPN portal.
491733 When SSL VPN receives multiple HTTPS POST requests under web filter, read_request_data_f loops even when the client is stopped, which causes the SSL VPN process to use 99% of CPU.
496584 SSL VPN bad password attempt causes excessive bind requests against LDAP and lockout of accounts.
515889 SSL VPN web mode has trouble loading internal web application.
525172 A web application accessed through SSL VPN web mode triggers Error 500 on Java server.
530509 Invalid HTTP Request when SMB via SSL VPN bookmark is executed with MS Server 2016, but works fine with MS server 2008R2.
531848 FortiSIEM WebGUI does not load on web portal.
537341 SSL bookmark is not loading SAP portal information.
545177 Web mode fails for SharePoint page.
549654 Citrix bookmarks should be disabled in SSL VPN portal.
549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
551695 Office365 applications through SSL VPN bookmarks.
555344 Downloading PDF file through SSL VPN portal.
555611 SSL VPN web mode web forward not working for video camera system after upgrade to 6.0.4.
556657 Internal website not working through SSL VPN web mode.
558076 In firmware 6.2.0, RDWeb (Windows Server 2016) via SSL web portal does not work.
558080 McAfee ESM 11 display issues in SSL VPN web portal.
558473 For FG-200E, after upgrading from 6.0.4 to 6.2.0, SSL VPN HTTPS bookmark does not load (Secure Connection Failed).
559171 With SSL VPN web mode unable to get dropdown menu from internal web page.
559785 FortiMail login page with SSL VPN portal not displaying correctly.
560505 SharePoint 2019 page access fails using web mode.
560730 SSL VPN web mode SSO doesn’t work for some sites like the FAC login.
560747 The referer header is not correct, and some files are not loaded properly.
561585 SSL VPN doesn’t correctly show Windows Admin center application.

563147 Connection to internal portal freezes when using SSL VPN web bookmark.
563798 Redirect in bookmark is not loading.
564850 Object from CARL source not showing through SSL VPN web mode.
564871 SSL VPN users create multiple connections.
567182 In SSL VPN web mode, videos on internal website won’t display.
567626 SSL VPN still allows password expired users to change password and get access.
567628 SSL VPN banned-cipher SHA256 not completely working.
567987 In SSL VPN web mode, RDP disconnects when copying long text from remote to local.
568481 Internal website using java is not accessed using SSL VPN web mode.
568838 Internal website not working through SSL VPN web mode.
569030 SSL VPN tunnel mode can only add split tunneling of user’s policy with groups and its users in different SSL VPN policies.
569711 Error for proxy ssh database through SSL VPN.
570445 CMAT application through SSL VPN not working properly.
570620 SSL VPN web mode does not work properly for the website using JavaScript.
571005 NextCloud through SSL VPN behaving strangely.
571479 Cannot access sub-menus from the internal main website through the bookmark when using SSL VPN web mode.
571721 Local portal adzh-srop-nidm02.intern.cube.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode.
573527 SSL web portal CSP v3 compatibility issue.
573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (Tunnel mode is OK).
574724 SSL VPN conserve mode on FWF-30E when FortiGate unit enters memory less than 25%.
575248 Synology DSM login page is not displayed when accessed via SSL VPN bookmark or connection tool.
575259 SSL VPN connection is being dropped intermittently.
576013 The SSL VPN web mode webserver link is not rewritten correctly after login.
576288 VIP customer – FSSO groups set in rule with SSL VPN interface.
578581 SSL web mode VPN portal freezing when opening some websites using JavaScript.
580182 The EOASIS website is not displayed properly using SSL VPN web mode.
580384 SSL VPN web mode not redirecting URL as expected after successful login.
581863 Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name ‘NLYTE’ not getting authentication page.
582115 Third-party (Ultimo) web app does not load over SSL VPN web portal.
582161 Internal web application is not accessible through web SSL VPN.

Switch Controller

Bug ID Description
557280 Need to add FSW port information on Security Fabric and device inventory the same as before 6.0.4.

563939 802.1X timer reauth-period option 0 doesn’t work.

System

Bug ID Description
423311 200E/201E software switch span function does not work.
470875 OID seems to be COUNTER32 instead of GAUGE32.
498599 Can’t create loopback interface by VDOM admin if there’s no physical interface in VDOM.
520283 Can’t show global setting when VDOM admin run exec tac report command.
531675 SFP ports do not link down when SFP cat5 interface status of FortiGate on the other side goes down.
539970 Kernel panic on HA pair of 301E.
540083 Partial traffic outage with softirq on 100%.
545449 IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled.
550206 Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (100E, 140E, 3600D, 3800D).
551281 process_tunnel_timeout_notify:377, send timeout notify message error -1 1 message printed in console.
556408 Aggregate link doesn’t work for LACP mode active for 60E internal ports but works for wan1 and wan2 combination.
557172 When there are many application-control based Internet-service entries in SD-WAN, system performance is affected by high CPU usage of softirq.
557527 FortiGate as L2TP client does not negotiate correctly.
557798 High memory utilization caused by authd and WAD processes.


Bug ID Description
559467 Support four DNS records inside DHCP offer.
560411 3980E unresponsive with millions of sessions in TIME_WAIT.
560686 4x10G split-port does not work on FG-3700D rev 2.
561097 SD-WAN rule corrupted on reboot after ISDB update.
561234 FG-800D shows wrong HA and ALARM LED status.
561929 REST API cmdb/router/aspath-list is not inserting new values.
562049 TLS 1.3 resumption and Pre-Shared Key (PSK) fail if Hello Retry Request is received.
563232 Authorization fails when 0.0.0.0/0 is listed as the trusted host.
563497 The trust-ip-x feature on interface does not work.
564184 Split DNS not working. CNAME fails to resolve.
564579 Updated crash signal 14, object creation not allowed from cli errno=Resource temporarily unavailable.
564911 DHCPDISCOVER NATed with TP management IP when sent to NAT VDOM.
565291 SD-WAN rule doesn’t work with nested firewall address group selected as source or destination.
565296 Wrong configuration transmitted by FOS to FortiManager under certain conditions.
565631 DHCP relay sessions are removed from the session table after applying any config change.
567487 CPU goes to 100% when modifying members of an addrgrp object.
567504 Speed test breaks the cluster.
568215 Kernel bug at net/core/skbuff.
569652 High memory utilization after FortiOS and IPSengine upgrade.
570227 FortiGate is not selecting an NTP server that has a clock time in the majority clique of other NTP servers.
570834 STP (Spanning Tree) flapping.
571207 DHCP with manual address does not provide subnet mask in DHCP ACK.
572411 Timezone for Canary Islands is missing.
572428 lldptx – Application Crashed – Signal 11 Segmentation Fault.
572707 Configuration is corrupted when restoring a VDOM.
572763 softirq causing high CPU when sessions increase at an acceptable rate.
573177 GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.
574086 Kernel panic occurs after upgrading from 6.2.0 to 6.2.1.
574110 When adding an admin-down interface as a member of an aggregate interface, it shows up and processes the traffic.
574327 FortiGate CSR traffic to SCEP server is generated from the root VDOM instead of the VDOM in which the CSR was created.
574991 FortiGate can’t extract the user principal name UPN from user certificate when certificate contains UPN and additional names.
576063 Crashlog keeps having cid could not load sigs after FortiGate is authed into FortiManager.
577047 FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.
577302 Virtual WAN Link process (vwl) memory usage keeps increasing after upgrading to 6.2.1.
578531 forticldd daemon resolved mgrctrl1.fortinet.com to wrong IP address.
578746 FortiGate does not accept FortiManager created country code and causes address install fails.
579524 DHCP lease is not stable and dhcpd process crashes.
580185 authd4 crashes when deleting a VDOM or rebooting the FortiGate.
580883 DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.
582547 fgfmsd crash makes connection to FortiManager go down.

Upgrade

Bug ID Description
550410 Cannot edit addrgrp which includes wildcardfqdn object after upgrade from v5.6.x.
556002 Some firewall policies were deleted after upgrade from FOS 6.0.4 to FOS 6.2.0.
558995 L2 WCCP stops working after upgrade to FOS 6.0.3 or newer.
562444 The firewall policy with internet-service enabled was lost after upgrade from 6.0.5.
580450 Policies removed after an upgrade in NGFW Policy Mode: maximum number of entries has been reached.

User & Device

Bug ID Description
547657 Disclaimer+Auth Guest portal RADIUS auth failing due to FAC trying to resolve 3rd party websites as access-points.
549394 fnbamd crashes frequently.
558332 CoA from FAC is not working for FortiGate wired interface based captive portal.
561289 User-based Kerberos Authentication not working in new VDOM.
Bug ID Description
561610 src-vis process memory leak.
562185 Disclaimer redirection to IP instead of FQDN results in Certificate/SSL warning.
562861 RADIUS CoA (disconnect request) not working with use-management-vdom.
567990 Hard-timeout setting not working for captive portal.
Bug ID Description
564290 FOS can’t collaborate web-cache with FortiProxy successfully.

VM

Bug ID Description
524052 Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.
561083 VPN tunnels not coming up after HA failover in GCP.
561909 Azure SDN connector try querying invalid FQDN when using Azure Stack Integrated systems.
567137 VM in Oracle cloud has 100% CPU usage in system space.
570176 HA cluster multi AZ does not failover IPsec VPN in AWS with TGW.
571652 OCI SDN connector gets HTTP response err:500 when enabling use-metadata-iam.
573952 FGT-VM with network driver vmxnet3 has lots of fragments when testing throughput.
575400 In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.
578727 FGTVM_OPC unable to failover the route properly during failover.
578966 OpenStack PCI passthru sub-interface VLAN cannot receive traffic.
580738 In the cluster setup, the slave unit can have a different fingerprint for the OCI SDN connector, which can cause the unit to fail to connect to the OCI metadata server properly.
580911 EIP assigned to the secondary IP address on OCI does not fail over during HA failover.
577856 Add missing AWS HA failover error log and set firewall.vip/vip46/vip6/vip64 not sync’ing when cross zone HA is configured.

VoIP

Bug ID Description
570430 SIP ALG generates a VoIP session with wrong direction.
580588 SDP information fields are not being natted in Multipart Media Encapsulation traffic.

WanOpt Web Filter

Bug ID Description
356487 When central-management is NONE, include-default-servers setting is not honored by rating.
549928 Block page images not loading for web sites protected by HSTS.
551956 Proxy web filtering blocks innocent sites due to urlsource=”FortiSandBox Block”.
565952 Proxy-based Webfilter breaks WCCP traffic.

WiFi Controller

Bug ID Description
540027 FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.
569966 WPA2-Enterprise SSID authentication cannot utilize the source IP setting in RADIUS server configuration.
570745 FAPs detecting BSSIDs of other FAPs managed by the same WC as Fake-ap-on-air.
573024 FAP cannot be managed by FortiGate when admin trusthost is configured.


Known issues

The following issues have been identified in version 6.2.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Data Leak Prevention

Bug ID Description
586689 Downloading a file with FTP client in EPSV mode will hang.
DNS Filter

Bug ID Description
586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

FortiView

Bug ID Description
582341 FortiView > Policies: consolidated policy without name and tooltips, and security policy with tooltips, are not working.

GUI

Bug ID Description
282160 GUI does not show byte info for aggregate and VLAN interface.
438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
480731 Interface filter get incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
510685 Hardware Switch Row is shown, indicating a number of interfaces but without any interfaces below.
514632 Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
537307 Gets “Fail to retrieve info” for ha-mgmt-interface on GUI > interface page.
540098 GUI does not display the status for VLAN and loopback under status column at Network > interfaces.
541042 Log viewer Forward Traffic cannot support double negate filter (client side issue).
542544 In Log & Report, filtering for blank values (None) always show no results.
553290 The tooltip of VLAN interface displays Failed to retrieve info on GUI.
557786 GUI response is very slow when accessing IPSec-Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via management tunnel.
565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
573456 FortiGate without disk Email Alert Settings page should remove Disk usage exceeds option.
574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.
579711 An error occurs while running Security Rating.
583049 Internal Server Error while trying to create new interface.
584939 VPN event logs show incorrectly when adding two action filters and the action filter contains "-".

586749 Enable/Disable Disarm and Reconstruction on GUI only takes effect on SMTP protocol in AV profile.
Bug ID Description
573028 WAD crashes causing traffic interruption.
575224 WAD – high memory usage from worker process causing conserve mode and traffic issues.

HA

Bug ID Description
479780 Slave fails to send and receive HA heartbeat on config cfg-revert setting on FGT2500E.
575020 HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906 HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync but VDOM state work/standby doesn’t change.

IPsec VPN

Bug ID Description
582251 IKEv2 with eap auth peerid validation doesn’t work.

Proxy REST API

Bug ID Description
584631 REST API admin with token unable to configure HA setting (via login session can work).

Security Fabric

Bug ID Description
578268 Downstream device shows offline.
586587 Security Fabric widget keep loading when FortiSwitch is in a loop or two FortiSwitches are in mclag mode.
587758 Invalid CIDR format shows as valid by Security Fabric threat feed.

SSL VPN

Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022 SSL VPN LDAP group object matching only matches the first policy, which isn't consistent with normal firewall policy.
585754 An SSL VPN bookmark failed to load the Proxmox GUI.

Switch Controller

Bug ID Description
581370 FortiSwitch managed by FortiGate not updating RADIUS settings and user group in the FortiSwitch.
586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.

System

Bug ID Description
464340 EHP drops for units with no NP_SERVICE_MODULE.
484749 TCP traffic with tcp_ecn tag cannot go through ipip IPv6 tunnel with NP6 offload enabled.
555616 TCP packets sent out the wrong interface, with high CPU.
562212 Management tunnel to devices goes down and cannot reclaim tunnel; so policy pushes get stuck.
570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.
573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
575013 Errors in the FortiGate’s CLI 8 debug, when FortiManager is obtaining the HA status and mgmtdata status, if ha-mgmt-status enabled.
581998 Session clash event log found on FG-6500F when passing a lot of same source IP ICMP traffic over Load balance VIP.

User & Device

Bug ID Description
569062 fnbamd takes high CPU usage and user cannot authenticate.

VM

Bug ID Description
579013 FortiGate HA failover fails in Azure stack due to invalid authentication token tenant.
579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
587180 FGTVM64_KVM is unable to boot up properly when doing a hard reboot with the host.
587757 FG-VM image unable to be deployed on AWS with additional disk of type HDD(st1).

WiFi Controller

Bug ID Description
555659 When FAP is managed across VDOM links, WiFi client can't join SSID when auto-asicoffload is enabled.


Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default settings for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power-on.

Open source XenServer limitations

When using Ubuntu 11.10, XenServer 4.1.0, and libvirt 0.9.2, importing in the QCOW2 format can fail, in addition to the known HDA issues.

Introduction to AppCtrl sensors

FortiGate units can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. Application control supports detection for traffic using the HTTP protocol (versions 1.0, 1.1, and 2.0).

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

An application control sensor has one or more options/entries configured which examines the app traffic for:

  • Application category
  • Application signature ID
  • Filter overrides
  • Custom signature
  • Default port service
  • Default network service

When selecting the app category, signature, or filter that you intend to work with, the following actions can be set to the specific entry:

  • Allow: App traffic is allowed and no logs are recorded.
  • Monitor: Traffic matching the entry is allowed and logged.
  • Block: Traffic matching the entry is blocked.
  • Reset: The session is reset and dropped; the client has to start a new session.
  • Quarantine IP address: Traffic matching the entry is blocked, and the client that initiated it is source-IP banned.
  • Shaper/Per-ip-shaper: Max-bandwidth and guaranteed-bandwidth values can be set to limit the link speed.

Security Profiles – AntiVirus – FortiOS 6.2

AntiVirus

Content disarm and reconstruction for AntiVirus

Introduction

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDFs (disarm) by removing active content such as hyperlinks, embedded media, JavaScript, macros, etc. from the files without affecting the integrity of their textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.

Support and limitations

  • CDR can only be performed on Microsoft Office documents and PDF files.
  • Local disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, and IMAP.
  • SMTP splice and client-comfort mode are not supported.
  • CDR does not work in flow-based inspection mode.
  • CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:

  1. Go to Security Profiles > AntiVirus.
  2. Select a quarantine location from the available options:

Discard: The default setting, which discards the original document file.
File Quarantine: Saves the original document file to the local disk (if the model has one) or to a connected FortiAnalyzer, based on the FortiGate's log settings (config global > config log fortianalyzer setting).
FortiSandbox: Saves the original document file to a connected FortiSandbox.

To fine tune CDR detection parameters in the FortiGate CLI:

  • Select which active content to detect/process. By default, all active Office and PDF content types are enabled. To have CDR ignore a particular content type, disable that content parameter. The example below configures CDR to ignore Microsoft Office macros:

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set ?
original-file-destination   Destination to send original file if active content is removed.
office-macro                Enable/disable stripping of macros in Microsoft Office documents.
office-hylink               Enable/disable stripping of hyperlinks in Microsoft Office documents.
office-linked               Enable/disable stripping of linked objects in Microsoft Office documents.
office-embed                Enable/disable stripping of embedded objects in Microsoft Office documents.
office-dde                  Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action               Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
pdf-javacode                Enable/disable stripping of JavaScript code in PDF documents.
pdf-embedfile               Enable/disable stripping of embedded files in PDF documents.
pdf-hyperlink               Enable/disable stripping of hyperlinks from PDF documents.
pdf-act-gotor               Enable/disable stripping of PDF document actions that access other PDF documents.
pdf-act-launch              Enable/disable stripping of PDF document actions that launch other applications.
pdf-act-sound               Enable/disable stripping of PDF document actions that play a sound.
pdf-act-movie               Enable/disable stripping of PDF document actions that play a movie.
pdf-act-java                Enable/disable stripping of PDF document actions that execute JavaScript code.
pdf-act-form                Enable/disable stripping of PDF document actions that submit data to other targets.
cover-page                  Enable/disable inserting a cover page into the disarmed document.
detect-only                 Enable/disable only detect disarmable files, do not alter content.
FGT_PROXY (content-disarm) # set office-macro disable
FGT_PROXY (content-disarm) #

  • Detect but do not modify active content:
  • By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set detect-only ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable
FGT_PROXY (content-disarm) #

  • Enable or disable the CDR cover page. By default, a cover page is attached to the file's content when the file has been processed by CDR. To disable it, set the cover-page parameter to disable:

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set cover-page ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set cover-page disable
FGT_PROXY (content-disarm) #
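The CLI above lists what CDR strips but does not show what "detect-only" actually decides. The following Python is an added illustration, not code from the original page or from Fortinet: it looks for the same PDF constructs that the pdf-* options cover, skips any option the profile has disabled, and then applies the detect-only decision. The mapping of PDF names to option names, the constructed sample PDF, and the profile dictionary are this example's assumptions; it is a detector, so it reports what CDR would act on rather than rewriting the file.

```python
import re

# PDF active-content constructs, keyed by the FortiOS content-disarm option that
# strips them. Which construct belongs to which option is this example's own
# assumption, made from the option names in the CLI help above.
PDF_MARKERS = {
    "pdf-javacode":   rb"/JS\s*[(<\d]",       # JavaScript payload (string, hex string or object ref)
    "pdf-act-java":   rb"/S\s*/JavaScript",   # action that executes JavaScript
    "pdf-embedfile":  rb"/EmbeddedFile",      # embedded file stream
    "pdf-hyperlink":  rb"/S\s*/URI",          # hyperlink action
    "pdf-act-gotor":  rb"/S\s*/GoToR",        # action that opens another PDF
    "pdf-act-launch": rb"/S\s*/Launch",       # action that launches an application
    "pdf-act-sound":  rb"/S\s*/Sound",
    "pdf-act-movie":  rb"/S\s*/Movie",
    "pdf-act-form":   rb"/S\s*/SubmitForm",   # action that submits form data elsewhere
}

# Constructed sample: a minimal PDF (not real malware) carrying a document-level
# script, a Launch action that fires on open, and a URI link annotation.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /JavaScript << /Names [(onOpen) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj
5 0 obj << /S /JavaScript /JS (app.alert('hi');) >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_pdf(data, profile):
    """Count the active-content constructs this profile would strip.

    profile maps option name -> bool; a missing option counts as enabled, which
    mirrors the FortiOS default where every content type is enabled.
    Returns {option: count} for the options that matched at least once.
    """
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF")
    hits = {}
    for option, pattern in PDF_MARKERS.items():
        if not profile.get(option, True):
            continue  # disabled option: that content is left alone, so it is not reported
        n = len(re.findall(pattern, data))
        if n:
            hits[option] = n
    return hits


def cdr_verdict(data, profile):
    """Decide what CDR would do with the file under this profile.

    action is "pass" when nothing strippable was found, "log-only" when the
    profile has detect-only enabled, and "disarm" otherwise.
    """
    hits = scan_pdf(data, profile)
    if not hits:
        return {"disarmable": False, "action": "pass", "hits": {}}
    action = "log-only" if profile.get("detect-only") else "disarm"
    return {"disarmable": True, "action": action, "hits": hits}


if __name__ == "__main__":
    print(cdr_verdict(SAMPLE_PDF, {}))                          # default profile: disarm
    print(cdr_verdict(SAMPLE_PDF, {"detect-only": True}))      # detect-only: log-only
    print(cdr_verdict(SAMPLE_PDF, {"pdf-act-launch": False}))  # Launch action no longer counted
```

The third call is the one to watch when tuning a profile: disabling pdf-act-launch to stop false positives also means a Launch action on open is neither stripped nor reported, so a disabled option is a blind spot, not just a performance setting.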

FortiGuard Outbreak Prevention for AntiVirus

Introduction

FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's AntiVirus database to be supplemented with third-party malware hash signatures curated by FortiGuard.

Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.

This feature provides the mechanism for AntiVirus to query the FortiGuard with the hash of a scanned file. If the FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.

The concept of FortiGuard Outbreak Prevention is to detect zero-day malware in a collaborative approach.

Support and limitations

  • FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspection across all supported protocols.
  • FortiGuard Outbreak Prevention does not support AV in quick scan mode.
  • The FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.

Network topology example

Configuring the feature

In order for AntiVirus to work with an external block list, you must register the FortiGate with a FortiGuard Outbreak Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.

To obtain or renew a FortiGuard Outbreak Prevention license:

  1. See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:

https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0

  2. Once the license has been activated, verify its status by going to Global > System > FortiGuard.

To enable FortiGuard Outbreak Prevention in the AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
  3. Select Apply.

Diagnostics and debugging

  • Check whether the FortiGate has an Outbreak Prevention license:

FGT_PROXY (global) # diagnose debug rating
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable

Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract

-=- Server List (Tue Feb 19 16:36:15 2019) -=-

IP               Weight  RTT  Flags  TZ  Updated Time              Packets  Curr Lost  Total Lost
192.168.100.185  -218    2    DI     -8  Tue Feb 19 16:35:55 2019  113      0          0

  • Scanunit daemon showing the Outbreak Prevention verdict. Note that the local scan reports result 0; the infected verdict arrives after the FortiGuard hash query (ftgd avquery), which is where Outbreak Prevention matches are made:

FGT_PROXY (vdom1) # diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.
FGT_PROXY (vdom1) # diagnose debug enable
FGT_PROXY (vdom1) #
su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
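Reading a verdict out of a long scanunit trace by eye is error-prone, especially when several jobs interleave. The following Python is an added example (not from the page or from Fortinet) that folds scanunit debug lines into one record per job: client and server, file name, whether Outbreak Prevention was queried, the verdict, and how many "recv error" lines appeared while that job was in flight. The sample log is constructed from the trace above plus a second, clean job for contrast; attributing untagged lines (no "job N") to the most recently opened job on that pid is this example's assumption and holds for a single-worker trace.

```python
import re

JOB_RE = re.compile(r"^su (?P<pid>\d+) job (?P<job>\d+) (?P<msg>.*)$")
PID_RE = re.compile(r"^su (?P<pid>\d+) (?P<msg>.*)$")
PEERS_RE = re.compile(r"client (\S+) server (\S+)")
NAME_RE = re.compile(r"object_name '([^']*)'")

# Constructed sample: the verdict-bearing lines of the trace above, plus a
# second job that Outbreak Prevention also checked but did not flag.
SAMPLE_LOG = """\
su 4739 job 1 open
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 job 1 begin http scan
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 job 1 send result
su 4739 job 1 close
su 4739 job 2 open
su 4739 job 2 client 10.1.100.12:50122 server 172.16.200.44:80
su 4739 job 2 object_name 'readme.txt'
su 4739 job 2 outbreak-prevention scan, level 0, filename 'readme.txt'
su 4739 job 2 send result
su 4739 job 2 close
"""


def summarize_scanunit(text):
    """Return {(pid, job): record} built from scanunit debug output."""
    jobs, current = {}, {}  # current: pid -> key of the job most recently seen on that pid
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            key = (m["pid"], m["job"])
            rec = jobs.setdefault(key, {"client": None, "server": None, "file": None,
                                        "op_queried": False, "verdict": "clean",
                                        "errors": 0, "closed": False})
            current[m["pid"]] = key
            msg = m["msg"]
            peers = PEERS_RE.search(msg)
            if peers:
                rec["client"], rec["server"] = peers.groups()
            name = NAME_RE.search(msg)
            if name:
                rec["file"] = name.group(1)
            if msg.startswith("outbreak-prevention scan"):
                rec["op_queried"] = True          # hash was sent to FortiGuard
            elif msg.startswith("outbreak-prevention infected"):
                rec["verdict"] = "infected"       # FortiGuard returned a match
            elif msg == "close":
                rec["closed"] = True
            continue
        m = PID_RE.match(line)
        if m and m["pid"] in current and "recv error" in m["msg"]:
            # untagged line: charge it to the job currently open on this worker
            jobs[current[m["pid"]]]["errors"] += 1
    return jobs


def infected_jobs(text):
    """(client, file) for every job that Outbreak Prevention flagged."""
    return [(r["client"], r["file"])
            for r in summarize_scanunit(text).values() if r["verdict"] == "infected"]


if __name__ == "__main__":
    for key, rec in summarize_scanunit(SAMPLE_LOG).items():
        print(key, rec)
    print(infected_jobs(SAMPLE_LOG))
```

A job that shows op_queried but a clean verdict is the normal case; a job that never shows op_queried at all usually means the policy is in quick scan mode or the license is missing, which are the two limitations listed above.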

External malware blocklist for Antivirus

Introduction

External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 that falls under the Outbreak Prevention umbrella.

This feature provides another means of supporting the AV Database by allowing users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes.

This feature provides a mechanism for Antivirus to retrieve an external malware hash list from a remote server and polls the hash list every n minutes for updates.

Support and limitations

Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.

Just like FortiGuard Outbreak Prevention, External Malware Blocklist is not supported in AV quick scan mode.

Using more than one hash type at the same time slows malware scanning, because each scanned file then has to be hashed once per type in use. For this reason, use only one hash type (MD5, SHA1, or SHA256), not all three at once.

Network topology example

Configuring the feature

To configure AntiVirus to work with External Block List:

  1. Create the malware hash list

The malware hash list follows a strict format; entries that do not follow it are not loaded. Each malware hash signature is one line: the hex digest, optionally followed by whitespace and a description. Lines starting with # are comments. A hash that runs straight into its description with no whitespace between them (the last two lines below) is rejected.

# MD5 entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1

# SHA1 entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2

# SHA256 entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1

# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3

  2. Configure the External Malware Blocklist source

Create a new external source on the Global > Security Fabric > Fabric Connectors page and select Malware Hash.

Fill out the fields. The URI must point to the malware hash list on the remote server.

The Malware Hash source object is now created. You can view the entries inside the malware blocklist by clicking the View Entries button; the Malware Hash threat feed hash_list is shown.

  3. Enable External Malware Blocklist in the AntiVirus profile

Enable External Malware Blocklist on the AntiVirus profile and apply the change. AntiVirus is now ready to use the external malware blocklist.

Diagnostics and debugging

Check if scanunit daemon has updated itself with the external hashes:

FGT_PROXY # config global
FGT_PROXY (global) # diagnose sys scanunit malware-list list
md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list' description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list' description 'sha256_sample1'
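It helps to validate a hash list before pointing the connector at it, since a rejected line fails silently from the scanner's point of view. The following Python is an added example, not code from the original page or from FortiOS: it parses the list format described in step 1 (accepting the four valid entries and rejecting the two invalid ones), renders the accepted entries in the same shape as the diagnose output above, and then matches a file against the list the way a scanner would, hashing once per algorithm actually present. The sample file, the list entry derived from it, and the treatment of # lines as comments (taken from the sample list) are this example's assumptions.

```python
import hashlib
import re
from typing import Optional

# Digest length in hex characters -> hashlib algorithm name.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample. The first four entries and the two invalid lines are the
# page's own samples; the final entry is the SHA256 of SAMPLE_FILE.
SAMPLE_FILE = b"constructed sample payload, not real malware\n"
SAMPLE_LIST = """
# MD5 entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1
# SHA1 entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
# SHA256 entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Invalid entries: hash and description not separated by whitespace
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
""" + hashlib.sha256(SAMPLE_FILE).hexdigest() + " constructed_sample\n"


def parse_hash_list(text):
    """Parse '<hexdigest> [description]' lines; '#' lines are comments.

    Returns (entries, invalid): entries are dicts with type/hash/description,
    invalid holds (line number, raw line) for anything that is not a bare
    MD5/SHA1/SHA256 hex digest optionally followed by whitespace and text.
    """
    entries, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0]
        description = parts[1].strip() if len(parts) > 1 else ""
        kind = HASH_TYPES.get(len(digest))
        if kind is None or not HEX_RE.match(digest):
            invalid.append((lineno, raw))   # wrong length or non-hex: the whole line is dropped
            continue
        entries.append({"type": kind, "hash": digest.lower(), "description": description})
    return entries, invalid


def diag_lines(entries, profile="hash_list"):
    """Render entries the way 'diagnose sys scanunit malware-list list' prints them."""
    return [f"{e['type']} '{e['hash']}' profile '{profile}' description '{e['description']}'"
            for e in entries]


def build_index(entries):
    """Group entries by algorithm so a scan only computes the digests the list uses."""
    index = {}
    for e in entries:
        index.setdefault(e["type"], {})[e["hash"]] = e["description"]
    return index


def lookup_file(data, index) -> Optional[dict]:
    """Hash the file once per algorithm in the index and return the first match.

    A single-type list costs one hash per file; a list mixing all three types
    costs three, which is the slowdown the page warns about.
    """
    for kind, table in index.items():
        digest = hashlib.new(kind, data).hexdigest()
        if digest in table:
            return {"type": kind, "hash": digest, "description": table[digest]}
    return None


if __name__ == "__main__":
    entries, invalid = parse_hash_list(SAMPLE_LIST)
    print(f"{len(entries)} valid entries, {len(invalid)} rejected lines")
    for lineno, raw in invalid:
        print(f"  line {lineno}: {raw!r}")
    print("\n".join(diag_lines(entries)))
    print(lookup_file(SAMPLE_FILE, build_index(entries)))
```

Run it against a real list before uploading it: every line reported under "rejected" is a hash the FortiGate will never match, and the number of keys in the index is the number of hash computations each scanned file will cost.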

Traffic shaping

Traffic shaping

Interface bandwidth limit

You can limit interface bandwidth for arriving and departing traffic. In some cases, the traffic received on an interface could exceed the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will be dropped later in the pipeline, you can configure the FortiGate to pre-emptively drop excess packets when they are received at the source interface. A similar command is available for the outgoing interface.

The following diagram shows how excess packets going from LAN to WAN1 can be intercepted and dropped at the source interface.

To configure an interface bandwidth limit on the FortiOS GUI:

  1. Go to Network > Interfaces.
  2. Select port1 and click Edit in the top menu bar.
  3. In the Traffic Shaping section, set the following options:
    1. Enable Inbound Bandwidth and enter 200.
    2. Enable Outbound Bandwidth and enter 400.
    The default bandwidth unit is kbps.
  4. Click OK.

To configure an interface bandwidth limit on the FortiOS CLI:

  1. On the FortiGate, configure the interface bandwidth limit:

config system interface
    edit "port1"
        .....
        set inbandwidth 200
        set outbandwidth 400
        .....
    next
end

ToS-based traffic prioritization

This traffic prioritization method puts packets into one of the following queues based on the packet's Type of Service (ToS) value:

  • High
  • Medium
  • Low

ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used to prioritize traffic at per-packet levels.

You can use the following command to configure the default system-wide level of priority:

config system global
    set traffic-priority-level {high | low | medium}
end

You can also prioritize packets according to the ToS bit value in the packet's IP header by using the following command:

config system tos-based-priority
    edit <id_int>
        set tos [0-15]
        set priority {high | low | medium}
    next
end

Example

The following configuration prioritizes packets with a ToS value of 10 as medium and packets with a ToS value of 14 as high. All other traffic is prioritized as low. The tos field accepts only values from 0 to 15 (the four ToS bits).

config system global
    set traffic-priority-level low
end

config system tos-based-priority
    edit 1
        set tos 10
        set priority medium
    next
    edit 2
        set tos 14
        set priority high
    next
end
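The configuration above is a per-packet lookup, and the behaviour is easier to reason about when written out. The following Python is an added example (not from the original page or from FortiOS) that pulls the four ToS bits out of an IPv4 header, looks them up in a table mirroring the tos-based-priority entries, falls back to the global traffic-priority-level, and drains the three queues in strict order. Treating the CLI's tos value as the classic 4-bit ToS field (bits 1 to 4 of the second header byte, with precedence above it) is this example's assumption; on networks that mark DSCP instead, those bits overlap the low DSCP bits, so check what your marking actually sets before relying on a match. The packet builder and the table values are constructed.

```python
import struct

# Table mirroring the configuration above: 4-bit ToS value -> queue.
# The global traffic-priority-level supplies the queue for unlisted values.
TOS_PRIORITY = {10: "medium", 14: "high"}
DEFAULT_PRIORITY = "low"
QUEUE_ORDER = ("high", "medium", "low")


def tos_bits(ipv4_header: bytes) -> int:
    """Extract the 4-bit ToS field from an IPv4 header.

    Byte 1 is the ToS byte: 3 precedence bits, then the 4 ToS bits, then one
    unused bit. Mapping FortiOS's tos <0-15> onto exactly those four bits is
    this example's assumption.
    """
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (ipv4_header[1] >> 1) & 0x0F


def classify(ipv4_header, table=TOS_PRIORITY, default=DEFAULT_PRIORITY):
    """Queue the packet lands in, per the tos-based-priority table and the global default."""
    return table.get(tos_bits(ipv4_header), default)


def make_ipv4_header(tos4, precedence=0, src=b"\x0a\x01\x64\x0b", dst=b"\xac\x10\xc8\x2c"):
    """Build a minimal 20-byte IPv4 header (constructed test input; checksum left at 0)."""
    if not 0 <= tos4 <= 15:
        raise ValueError("tos must be 0-15")  # the same range the CLI accepts
    tos_byte = (precedence << 5) | (tos4 << 1)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_byte, 20, 0, 0, 64, 6, 0, src, dst)


def drain(packets):
    """Strict-priority dequeue: everything in high leaves before medium, then low.

    Returns the ToS values in departure order. There is no bandwidth accounting
    here at all, which is the page's point: ToS-based priority reorders packets,
    it does not cap or guarantee throughput.
    """
    queues = {q: [] for q in QUEUE_ORDER}
    for p in packets:
        queues[classify(p)].append(p)
    return [tos_bits(p) for q in QUEUE_ORDER for p in queues[q]]


if __name__ == "__main__":
    arrivals = [make_ipv4_header(t) for t in (0, 10, 14, 10, 3)]
    print([classify(p) for p in arrivals])  # ['low', 'medium', 'high', 'medium', 'low']
    print(drain(arrivals))                  # [14, 10, 10, 0, 3]
```

Because the lookup ignores the precedence bits, a packet marked with precedence 5 and ToS 14 lands in the same queue as one with precedence 0 and ToS 14; if that is not what you want, shape on DSCP with a firewall shaping policy instead.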

Shared traffic shaper

Shared traffic shaper is used in a firewall shaping policy to indicate the priority and guaranteed and maximum bandwidth for a specified type of traffic use.

The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set the maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value outside this range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.

The guaranteed bandwidth ensures that there is a consistent reserved bandwidth available. When setting the guaranteed bandwidth, ensure that the value is significantly less than the interface’s bandwidth capacity. Otherwise, the interface will allow very little or no other traffic to pass through, potentially causing unwanted latency.

In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS provides bandwidth to low priority connections only when high priority connections do not need the bandwidth. For example, you should assign a high traffic priority to a policy for connecting a secure web server that needs to support e-commerce traffic. You should assign less important services a low priority.

When you configure a shared traffic shaper, you can apply bandwidth shaping per policy or for all policies. By default, a shared traffic shaper applies traffic shaping evenly to all policies that use the shared traffic shaper.

When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security policy individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000 Kbps, any security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.

If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the 1000 Kbps on a first-come, first-served basis.

The configuration is as follows:

config firewall shaper traffic-shaper
    edit "traffic_shaper_name"
        set per-policy enable
    next
end

The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the policy. For example, if the source interface is LAN and the destination interface is WAN1, the traffic shaping affects the flow in this direction only, that is, the outbound traffic's upload speed. You can define a traffic shaper for the policy in the opposite direction (reverse shaper) to affect the inbound traffic's download speed. In this example, that would be from WAN1 to LAN.

The following example shows how to apply different speeds to different types of service. The example configures two shared traffic shapers to use in two firewall shaping policies. One policy guarantees a speed of 10 Mbps for VoIP traffic.

The other policy guarantees a speed of 1 Mbps for other traffic. In the example, FortiOS communicates with a PC using port10 and the Internet using port9.

To configure shared traffic shapers in the FortiOS GUI:

  1. Create a firewall policy:
    1. Go to Policy & Objects > IPv4 Policy. Click Create New.
    2. In the Name field, enter Internet Access.
    3. From the Incoming Interface dropdown list, select port10.
    4. From the Outgoing Interface dropdown list, select port9.
    5. For the Source and Destination fields, select all.
    6. From the Schedule dropdown list, select always.
    7. For the Service field, select ALL.
    8. Click OK.
  2. Create the shared traffic shapers:
    1. Go to Policy & Objects > Traffic Shapers. Click Create New.
    2. In the Name field, enter 10Mbps. This shaper is for VoIP traffic.
    3. From the Traffic Priority dropdown list, select High.
    4. Enable Max Bandwidth and enter 20000. This equates to 20 Mbps.
    5. Enable Guaranteed Bandwidth and enter 10000. This equates to 10 Mbps.
    6. Click OK.
    7. Repeat the process above to create another traffic shaper named 1Mbps. Set the Traffic Priority to Low, Max Bandwidth to 10000 (10 Mbps), and Guaranteed Bandwidth to 1000 (1 Mbps). These values match the CLI example and the diagnose output below (guaranteed 125 KB/sec, maximum 1250 KB/sec).
  3. Create a firewall shaping policy:
    1. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
    2. In the Name field, enter VoIP_10Mbps_High. This policy is for VoIP traffic.
    3. For the Source and Destination fields, select all.
    4. For the Service field, select all VoIP services.
    5. For the Outgoing Interface field, select port9.
    6. Enable Shared shaper. Select 10Mbps from the dropdown list.
    7. Enable Reverse shaper. Select 10Mbps from the dropdown list.
    8. Click OK.
    9. Repeat the process above to create a firewall shaping policy named Other_1Mbps_Low for other traffic. Set the Source and Destination to all, Service to ALL, Outgoing Interface to port9, and Shared shaper and Reverse shaper to 1Mbps.

To configure shared traffic shapers using the FortiOS CLI:

  1. Create a firewall policy:

config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

  2. Create the shared traffic shapers:

config firewall shaper traffic-shaper
    edit "10Mbps"
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 20000
    next
    edit "1Mbps"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 10000
        set priority low
    next
end

  3. Create the firewall shaping policies:

config firewall shaping-policy
    edit 1
        set name "VOIP_10Mbps_High"
        set service "H323" "IRC" "MS-SQL" "MYSQL" "RTSP" "SCCP" "SIP" "SIP-MSNmessenger"
        set dstintf "port9"
        set traffic-shaper "10Mbps"
        set traffic-shaper-reverse "10Mbps"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "Other_1Mbps_Low"
        set service "ALL"
        set dstintf "port9"
        set traffic-shaper "1Mbps"
        set traffic-shaper-reverse "1Mbps"
        set srcaddr "all"
        set dstaddr "all"
    next
end

To troubleshoot shared traffic shapers:

  1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list 100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers:

# diagnose firewall iprope list 100015

policy index=1 uuid_idx=0 action=accept flag (0):

shapers: orig=10Mbps(2/1280000/2560000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38

source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(15):

[6:0x0:0/(1,65535)->(1720,1720)] helper:auto

[6:0x0:0/(1,65535)->(1503,1503)] helper:auto

[17:0x0:0/(1,65535)->(1719,1719)] helper:auto

[6:0x0:0/(1,65535)->(6660,6669)] helper:auto

[6:0x0:0/(1,65535)->(1433,1433)] helper:auto

[6:0x0:0/(1,65535)->(1434,1434)] helper:auto

[6:0x0:0/(1,65535)->(3306,3306)] helper:auto

[6:0x0:0/(1,65535)->(554,554)] helper:auto

[6:0x0:0/(1,65535)->(7070,7070)] helper:auto

[6:0x0:0/(1,65535)->(8554,8554)] helper:auto

[17:0x0:0/(1,65535)->(554,554)] helper:auto

[6:0x0:0/(1,65535)->(2000,2000)] helper:auto

[6:0x0:0/(1,65535)->(5060,5060)] helper:auto

[17:0x0:0/(1,65535)->(5060,5060)] helper:auto

[6:0x0:0/(1,65535)->(1863,1863)] helper:auto

policy index=2 uuid_idx=0 action=accept flag (0):

shapers: orig=1Mbps(4/128000/1280000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38

source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(1):

[0:0x0:0/(0,0)->(0,0)] helper:auto

  2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list command. The example output shows that the 1Mbps shaper is applied to the session:

# dia sys session list

session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B reply-shaper= per_ip_shaper=

class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty npu npd os mif route_preserve

statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2

tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4 serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 dd_type=0 dd_mode=0
npu_state=0x100000

npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000

vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

  3. To check the status of the shared traffic shapers, run the diagnose firewall shaper traffic-shaper list command. The output should resemble the following (bandwidths are printed in KB/sec, so the 10000 kbps configured for the 10Mbps shaper appears as 1250 KB/sec):

# dia firewall shaper traffic-shaper list

name 10Mbps
maximum-bandwidth 2500 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 2 tos ff
packets dropped 0
bytes dropped 0

name 1Mbps
maximum-bandwidth 1250 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4 tos ff
packets dropped 0
bytes dropped 0

Per-IP traffic shaper

With per-IP traffic shaping, you can limit each IP address’s behavior to avoid a situation where one user uses all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.

For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.

Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and download operations.

The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.

To configure a per-IP shaper in the FortiOS GUI:

  1. Create a firewall policy:
    1. Go to Policy & Objects > IPv4 Policy. Click Create New.
    2. In the Name field, enter FTP Access.
    3. From the Incoming Interface dropdown list, select port10.
    4. From the Outgoing Interface dropdown list, select port9.
    5. For the Source and Destination fields, select all and FTP_Server, respectively.
    6. From the Schedule dropdown list, select always.
    7. For the Service field, select ALL.
    8. Click OK.
  2. Create the per-IP traffic shaper:
    1. Go to Policy & Objects > Traffic Shapers. Click Create New.
    2. For Type, select Per-IP.
    3. In the Name field, enter FTP_Max_1M. This shaper is for FTP traffic.
    4. Enable Max Bandwidth and enter 1000. This equates to 1 Mbps.
    5. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent connections to the FTP server.
    6. Click OK.
  3. Create a firewall shaping policy:
    1. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
    2. In the Name field, enter FTP speed 1M.
    3. For the Source field, select the users that need to access the FTP server.
    4. For the Destination field, select FTP_Server.
    5. For the Service field, select ALL.
    6. For the Outgoing Interface field, select port9.
    7. Enable Per-IP shaper. Select FTP_Max_1M from the dropdown list.
    8. Click OK.

To configure a per-IP traffic shaper using the FortiOS CLI:

  1. Create a firewall policy:

config firewall policy
    edit 1
        set name "FTP Access"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "FTP_Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

  2. Create the per-IP traffic shaper:

config firewall shaper per-ip-shaper
    edit "FTP_Max_1M"
        set max-bandwidth 1000
        set max-concurrent-session 10
    next
end

  3. Create a firewall shaping policy:

config firewall shaping-policy
    edit 1
        set name "FTP speed 1M"
        set service "ALL"
        set dstintf "port9"
        set per-ip-shaper "FTP_Max_1M"
        set srcaddr "PC1" "WinPC" "PC2"
        set dstaddr "FTP_Server"
    next
end

To troubleshoot per-IP traffic shapers:

  1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list 100015 command. The example output shows the traffic attached to the FTP_Max_1M shaper:

# diagnose firewall iprope list 100015

policy index=3 uuid_idx=0 action=accept flag (0):
shapers: per-ip=FTP_Max_1M cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=2 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38
source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32, 10.1.100.22-10.1.100.22, uuid_idx=31,
dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto

  2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list command. The example output shows that the FTP_Max_1M shaper is applied to the session:

# dia sys session list

session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

origin-shaper= reply-shaper= per_ip_shaper=FTP_Max_1M

class_id=0 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty per_ip npu npd mif route_preserve

statistic(bytes/packets/allow_err): org=506/9/1 reply=416/6/1 tuples=2

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58275->172.16.200.55:21(172.16.200.1:58275)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58275(10.1.100.11:58275)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2 serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 dd_type=0 dd_mode=0
npu_state=0x100000

npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000

vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper

  3. To check the status of the per-IP traffic shaper, run the diagnose firewall shaper per-ip-shaper list command. The output should resemble the following (the 1000 kbps maximum is printed as 125 KB/sec, and one line per tracked address shows its current rate and session count):

# diagnose firewall shaper per-ip-shaper list

name FTP_Max_1M
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
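The unit mismatch between the three diagnose commands is the usual source of confusion when verifying a shaper: the CLI takes kbps, the shaper list commands print KB/sec, and the session list prints Bps. The following Python script is an added example, not FortiOS or Fortinet code, that parses constructed copies of the shared-shaper and per-IP shaper diagnose output shown in the two troubleshooting procedures above, converts the intended kbps values into the units each command prints, and reports any shaper whose running values differ from the configuration, that has dropped packets above its maximum, or whose per-IP session count has reached the configured limit. Shaper names and values are the page's; the conversion factors (1 kbps = 128 Bps, 1 KB = 1024 B) are inferred from the page's own numbers, and the wrong guaranteed value and drop counter on the 1Mbps shaper are planted in the sample so the checker has something to report.

```python
import re

# Units seen in the page's diagnose output: shapers are configured in kbps,
# "... shaper ... list" prints KB/sec and "sys session list" prints Bps. The page's
# figures agree with 1 kbps = 128 Bps and 1 KB = 1024 B, so KB/sec = kbps / 8
# (10000 kbps -> 1250 KB/sec -> 1280000 Bps). Inferred from the page, not documented.
BPS_PER_KBPS = 128
BYTES_PER_KB = 1024

# Intended configuration in kbps, taken from the CLI examples on the page.
INTENDED = {
    "10Mbps": {"guaranteed": 10000, "maximum": 20000},
    "1Mbps": {"guaranteed": 1000, "maximum": 10000},
    "FTP_Max_1M": {"maximum": 1000, "max_sessions": 10},   # per-IP shaper
}

# Constructed sample assembled from the page's diagnose examples. The 1Mbps guaranteed
# value is deliberately wrong (as if 10000 had been typed into the GUI) and it has drops.
SHAPER_LIST = """\
name 10Mbps
maximum-bandwidth 2500 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 2 tos ff
packets dropped 0
bytes dropped 0
name 1Mbps
maximum-bandwidth 1250 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 4 tos ff
packets dropped 7
bytes dropped 10500
name FTP_Max_1M
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
"""

SESSION_LINE = ("origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps "
                "traffic 1050Bps drops 0B reply-shaper= per_ip_shaper=")


def kbps_to_kb_per_sec(kbps):
    return kbps * BPS_PER_KBPS // BYTES_PER_KB      # same as kbps // 8


def parse_shaper_list(text):
    """Parse 'diagnose firewall shaper traffic-shaper list' or 'per-ip-shaper list'
    output into {name: {field: value}}; bandwidths are kept in KB/sec."""
    shapers, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"name (\S+)$", line):                    # next shaper record
            cur = shapers.setdefault(m[1], {"per_ip": {}})
        elif cur is None:
            continue
        elif m := re.match(r"(maximum|guaranteed)-bandwidth (\d+) KB/sec", line):
            cur[m[1]] = int(m[2])
        elif m := re.match(r"maximum-concurrent-session (\d+)", line):
            cur["max_sessions"] = int(m[1])
        elif m := re.match(r"packets dropped (\d+)", line):
            cur["packets_dropped"] = int(m[1])
        elif m := re.match(r"addr=(\S+) status: bps=(\d+) ses=(\d+)", line):
            cur["per_ip"][m[1]] = {"bps": int(m[2]), "ses": int(m[3])}   # per-IP only
    return shapers


def check_shapers(intended, text):
    """Findings where running state disagrees with the intended kbps values, where a
    shaper has dropped packets, or where an address sits at its per-IP session limit."""
    observed, findings = parse_shaper_list(text), []
    for name, want in intended.items():
        got = observed.get(name)
        if got is None:
            findings.append(f"{name}: not present in diagnose output")
            continue
        for key in ("guaranteed", "maximum"):
            if key in want and got.get(key) != kbps_to_kb_per_sec(want[key]):
                findings.append(f"{name}: {key} {got.get(key)} KB/sec, "
                                f"expected {kbps_to_kb_per_sec(want[key])} KB/sec")
        if want.get("max_sessions") and got.get("max_sessions") != want["max_sessions"]:
            findings.append(f"{name}: max sessions {got.get('max_sessions')}, expected {want['max_sessions']}")
        if got.get("packets_dropped"):
            findings.append(f"{name}: {got['packets_dropped']} packets dropped above maximum-bandwidth")
        for ip, st in got["per_ip"].items():
            if want.get("max_sessions") and st["ses"] >= want["max_sessions"]:
                findings.append(f"{name}: {ip} is at the concurrent-session limit ({st['ses']})")
    return findings


def check_session(intended, session_line):
    """Confirm the shaper attached to a session (Bps figures) matches the intended kbps."""
    m = re.search(r"origin-shaper=(\S+) prio=\d+ guarantee (\d+)Bps max (\d+)Bps", session_line)
    if not m:
        return ["no origin-shaper attached to the session"]
    name, want, findings = m[1], intended.get(m[1], {}), []
    if int(m[2]) != want.get("guaranteed", 0) * BPS_PER_KBPS:
        findings.append(f"{name}: session guarantee {m[2]} Bps does not match the configured value")
    if int(m[3]) != want.get("maximum", 0) * BPS_PER_KBPS:
        findings.append(f"{name}: session max {m[3]} Bps does not match the configured value")
    return findings
```

Paste the real output of the two list commands into SHAPER_LIST and the session's origin-shaper line into SESSION_LINE, then call check_shapers(INTENDED, SHAPER_LIST) and check_session(INTENDED, SESSION_LINE); an empty list from both means the running shapers match what you think you configured.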

Type of Service-based prioritization and policy-based traffic shaping

Priority queues

After packet acceptance, FortiOS classifies traffic and may apply Quality of Service techniques such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in first out queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you may observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session.

Administrative access traffic always uses queue 0.

Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected based on the priority value you have configured for packets with that Type of Service (ToS) bit value, if you have configured ToS-based priorities.

Traffic matching firewall shaping policies with traffic shaper enabled may use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.

Priority types

Packets can be assigned a priority in one of three types:

  • On entering ingress – for packets flowing through the firewall.
  • Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
  • On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping policy) that has a traffic shaper defined.

ToS priority

The first and second types, ingress priority and priority for generated packets, are controlled via two different CLI settings, as shown below:

config system global
    set traffic-priority-level {high | medium | low}
end

config system tos-based-priority
    edit 1
        set tos [0-15]
        set priority {high | medium | low}
    next
end

Here tos is the Type of Service value in the IP datagram header (0 to 15), and priority is the priority assigned to packets carrying that ToS value.

Each priority level is mapped to a value as follows:

ToS priority    Value
High            0
Medium          1
Low             2

Firewall shaping policy priority

In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to high, medium, or low, as shown below:

config firewall shaper traffic-shaper
    edit "1"
        set priority {high | medium | low}
    next
end

Since the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to see results. Each priority level is mapped to a value as follows:

Firewall policy priority    Value
High (default)              1
Medium                      2
Low                         3

Combination of two priority types

To combine the two priority types, the global or ingress ToS-based priority value is combined with the firewall policy priority value:

ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)

Consider the following scenarios:

  • If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet priority is 0.
  • If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
  • If the current packet rate is greater than the guaranteed bandwidth but less than the maximum bandwidth, FortiOS assigns a priority queue by adding the ToS-based priority and the firewall priority. For example, if you have enabled traffic shaping in the security policy and the security policy's traffic priority is low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), the packets have a total packet priority of 4, and use priority queue 4.
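The three cases above decide which of the six egress queues a packet lands in, and strict-priority draining of those queues is what makes a low-priority shaper "get bandwidth only when high-priority connections do not need it". The following Python model is an added example, not FortiOS code, that implements the queue selection exactly as the tables and cases describe (ToS value 0-2 plus shaper value 1-3, queue 0 within the guarantee, drop above the maximum) and then drains the queues in strict priority order to show the resulting transmit order. The shaper values are the 10Mbps and 1Mbps shapers from the example earlier on the page; the traffic sample and its per-session rates are constructed for illustration.

```python
from collections import deque

# Priority values from the two tables above: ToS-based priority (0-2) and the
# shaper's priority (1-3). Their sum selects one of the six egress queues (0-5).
TOS_PRIORITY = {"high": 0, "medium": 1, "low": 2}
SHAPER_PRIORITY = {"high": 1, "medium": 2, "low": 3}
NUM_QUEUES = 6

# Shared shapers from the example earlier on the page (values in kbps).
SHAPERS = {
    "10Mbps": {"guaranteed": 10000, "maximum": 20000, "priority": "high"},
    "1Mbps": {"guaranteed": 1000, "maximum": 10000, "priority": "low"},
}


def select_queue(rate_kbps, shaper, tos_priority="high"):
    """Queue for a packet of a session currently sending at rate_kbps through `shaper`;
    None means the packet is dropped. Mirrors the three cases in the text."""
    if rate_kbps > shaper["maximum"]:
        return None                                   # above maximum bandwidth: drop
    if rate_kbps <= shaper["guaranteed"]:
        return 0                                      # within guarantee: highest queue
    return TOS_PRIORITY[tos_priority] + SHAPER_PRIORITY[shaper["priority"]]   # 1..5


def unshaped_queue(tos_priority="high"):
    """Traffic through a policy with no shaper only gets the ToS-based queue (0, 1 or 2)."""
    return TOS_PRIORITY[tos_priority]


def enqueue_all(packets):
    """packets: list of (label, rate_kbps, shaper_name, tos_priority).
    Returns the six FIFO queues and the labels of dropped packets."""
    queues = [deque() for _ in range(NUM_QUEUES)]
    dropped = []
    for label, rate, shaper_name, tos in packets:
        q = select_queue(rate, SHAPERS[shaper_name], tos)
        if q is None:
            dropped.append(label)
        else:
            queues[q].append(label)
    return queues, dropped


def strict_priority_drain(queues):
    """Transmit order: always serve the lowest-numbered non-empty queue first, so
    low-priority traffic above its guarantee only moves when higher queues are empty."""
    order = []
    for q in queues:
        while q:
            order.append(q.popleft())
    return order


# Constructed traffic sample (not from the page); the rate is the session's current rate.
SAMPLE = [
    ("other-bulk", 5000, "1Mbps", "medium"),    # over its 1 Mbps guarantee: low(3)+medium(1) -> queue 4
    ("voip-burst", 15000, "10Mbps", "medium"),  # over its guarantee: high(1)+medium(1) -> queue 2
    ("voip-call", 8000, "10Mbps", "high"),      # within guarantee -> queue 0
    ("other-flood", 12000, "1Mbps", "low"),     # above the 10 Mbps maximum -> dropped
]


def simulate(packets=SAMPLE):
    queues, dropped = enqueue_all(packets)
    return strict_priority_drain(queues), dropped
```

simulate() returns the transmit order ["voip-call", "voip-burst", "other-bulk"] and the dropped list ["other-flood"]: the VoIP packet within its guarantee leaves first even though it was enqueued last, and the bulk packet sitting in queue 4 only leaves once queues 0 to 3 are empty.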

Interface-based traffic shaping profile

Priority Queues

After packet acceptance, FortiGate classifies traffic and might apply Quality of Service (QoS) techniques, such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them among FIFO (first in, first out) queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you might observe that your traffic uses only a subset of those six queues. For example, some traffic might always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers might only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session.

  • Administrative access traffic will always use queue 0.
  • Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected based on the priority value you have configured for packets with that ToS (Type of Service) bit value, if you have configured ToS-based priorities.
  • Traffic matching firewall shaping policy with traffic shaper enabled may use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
  • For example, if the global ToS-based priority is low (3) and the priority in a traffic shaper is medium (2), when a packet flows through a policy that refers to the shaper, the packet will be assigned the priority defined by the shaper. In this case, medium (2).

Types of priority

Packets can be assigned a priority in one of three types:

  1. On entering ingress – for packets flowing through the firewall.
  2. Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
  3. On passing through a firewall policy – for packets passing through a firewall policy(firewall shaping policy) that has a traffic shaper defined.

Type of Service (ToS) priority

The first and second types (ingress priority and priority for generated packets) are controlled via two different CLI settings:

config system global
    set traffic-priority-level {high | medium | low}
end

and

config system tos-based-priority
    edit 1
        set tos [0-15]
        set priority {high | medium | low}
    next
end

Here tos is the Type of Service value in the IP datagram header (0 to 15), and priority is the priority assigned to packets carrying that ToS value.

Each priority level is mapped to a value like following:

ToS priority    Value
High            0
Medium          1
Low             2

Firewall shaping policy priority

In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to high, medium, or low:

config firewall shaper traffic-shaper
    edit "1"
        set priority {high | medium | low}
    next
end

Since priority in traffic shaper are set to “high” priority by default, it is necessary to set some traffic at a lower priority to get results. Each priority level is mapped to a value like following:

Firewall policy priority    Value
High (default)              1
Medium                      2
Low                         3

Combination priority

The global or ingress ToS-based priority value is combined with the firewall policy priority value:

ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)

Let's take a look at some scenarios:

Case 1: If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. In other words, packet priority = 0.

Case 2: If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.

Case 3: If the current packet rate is greater than the guaranteed bandwidth, but less than the maximum bandwidth, the FortiGate unit assigns a priority queue by adding the ToS-based priority and the firewall priority.

For example, if you have enabled Traffic Shaping in the security policy, and the security policy's Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority of 4, and use priority queue 4.

Multicast processing and basic Multicast policy

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.

If multicast-forward is disabled, the FortiGate drops packets that have multicast source or destination addresses.

In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only available in NAT mode.

config system settings
    set multicast-forward {enable | disable}
end

The default is enable.

You can also use the multicast-ttl-notchange option so that the FortiGate does not decrement the TTL value of forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

Multicast processing in TP mode

When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.

In transparent mode, there is a per-VDOM configuration to skip policy check and forward all multicast traffics. This command is only available in transparent mode.

config system settings
    set multicast-skip-policy {disable | enable}
end

The default is disable.

Sample configuration

To allow RIP2 packets from port1 to port2 using the GUI:

  1. Go to Policy & Object > Multicast Policy.
  2. Click Create New.
  3. For Incoming Interface, select port1.
  4. For Outgoing Interface, select port2.
  5. For Source Address, select 10.10.0.10/32.
  6. For Destination Address, select RIPv2.
  7. Click OK.

To allow RIP2 packets from port1 to port2 using the CLI:

config firewall address
    edit "10.10.0.10/32"
        set subnet 10.10.0.10 255.255.255.255
    next
end

config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end

config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end

IPv4/IPv6 access control lists

Access control lists (ACLs) in FortiOS are a granular, specifically targeted blacklist. An ACL drops IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can significantly improve performance.

ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.

The following platforms support ACL:

  • FGT_100D, FGT_100E, FGT_100EF, FGT_101E
  • FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE
  • FGT_301E, FGT_500E, FGT_501E
  • FGT_1200D, FGT_1500D, FGT_1500DT
  • FGT_2000E, FGT_2500E
  • FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D
  • FGT_3800D, FGT_3810D, FGT_3815D
  • FGT_3960E, FGT_3980E

Limitation

The ACL configuration lets you specify which interface the ACL is applied to. Be aware of a hardware limitation: the ACL is a Layer 2 function that is offloaded to the ISF (internal switch fabric) hardware, so no CPU resources are used in processing it. It is handled by the inside switch chip, which performs the hardware acceleration that increases FortiGate performance. The drawback is that the ACL function is only supported on switch-fabric-driven interfaces. It cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models, which use network cards that connect to the CPU through a PCIe bus rather than through the switch fabric, do not support ACL.

Sample configuration

To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:

config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end

config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

Sample troubleshooting

To check the number of packets drop by an ACL:

# diag firewall acl counter
ACL id 1 dropped 0 packets

To clear the packet drop counter:

# diag firewall acl clearcounter

Use the corresponding commands for IPv6 ACLs:

# dia firewall acl

counter Show number of packets dropped by ACL.
counter6 Show number of packets dropped by ACL6.
clearcounter Clear ACL packet counter.
clearcounter6 Clear ACL6 packet counter.

NAT46 policy

NAT46 refers to the mechanism that allows IPv4 addressed hosts to communicate with IPv6 hosts. Without such a mechanism, IPv4 environments cannot connect to IPv6 networks.

Sample topology

In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on the FortiGate to map the server's IPv6 address 2000:172:16:200::55 to the IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is configured, and the source address of packets from the client is changed to an address from that pool. In this setup, the client PC can reach the server by using the IP address 10.1.100.55.

Sample configuration

To enable display for IPv6 and NAT46/NAT64 using the GUI:

  1. Go to System > Feature Visibility.
  2. In the Basic Features section, enable IPv6.
  3. In the Additional Features section, enable NAT46 & NAT64.
  4. Click Apply.

To enable display for IPv6 and NAT46/NAT64 using the CLI:

config system global
    set gui-ipv6 enable
end

config system settings
    set gui-nat46-64 enable
end

To configure VIP46 using the GUI:

  1. Go to Policy & Object > Virtual IPs.
  2. Click Create New.
  3. For Name, enter vip46_server.
  4. For External IP Address/Range, enter 10.1.100.55-10.1.100.55.
  5. For Mapped IP Address/Range, enter 2000:172:16:200::55.
  6. Click OK.

To configure VIP46 using the CLI:

config firewall vip46
    edit "vip46_server"
        set extip 10.1.100.55
        set mappedip 2000:172:16:200::55

next

end

To configure IPv6 IP pool using the GUI:

  1. Go to Policy & Object > IP Pools.
  2. Click Create New.
  3. For Name, enter client_external.
  4. For External IP Range, enter 2000:172:16:201::11- 2000:172:16:201::20.
  5. Click OK.

To configure IPv6 IP pool using the CLI:

config firewall ippool6
    edit "client_external"
        set startip 2000:172:16:201::11
        set endip 2000:172:16:201::20

next

end

To enable NAT64 and configure address prefix using the CLI:

config system nat64
    set status enable
    set secondary-prefix-status enable
    config secondary-prefix
        edit "1"
            set nat64-prefix 2000:172:16:201::/96
        next
    end
end

To create NAT46 policy using the GUI:

  1. Go to Policy & Object > NAT46 Policy.
  2. Click Create New.
  3. For Incoming Interface, select port10.
  4. For Outgoing Interface, select port9.
  5. For Source Address, select all.
  6. For Destination Address, select vip46_server.
  7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool client_external.
  8. Click OK.

To create NAT46 policy using the CLI:

config firewall policy46
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "vip46_server"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "client_external"
    next
end

Sample troubleshooting

Example: trace the flow to see the whole process. The filter limits the trace to the client's source address, show function-name prints the kernel function that emitted each message, and show iprope includes the policy lookup (iprope) messages.

# diagnose debug flow filter saddr 10.1.100.11
# diagnose debug flow show function-name enable
# diagnose debug flow show iprope enable
# diagnose debug flow trace start 5

id=20085 trace_id=1 func=print_pkt_detail line=5401 msg=”vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1.” id=20085 trace_id=1 func=init_ip_session_common line=5561 msg=”allocate a new session-

000003b9″

id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg=”in-[port10], out-[]” id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg=”len=1″

id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg=”checking gnum-100000 policy-1″

id=20085 trace_id=1 func=get_vip46_addr line=998 msg=”find DNAT46: IP-2000:172:16:200::55, port-27592″

id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg=”matched policy-1, actt=accept, vip=1, flag=100, sflag=2000000″

id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg=”result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100″

id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg=”VIP-10.1.100.55:27592, outdevunkown”

id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg=”DNAT 10.1.100.55:8-

>10.1.100.55:27592″

id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg=”find a route: flag=80000000 gw-10.1.100.55 via root” id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg=”nat64 ipv4 received a packet proto=1″ id=20085 trace_id=1 func=__iprope_check line=2112 msg=”gnum-100012, check-ffffffffa0024ebe” id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg=”checked gnum-100012 policy-

1, ret-matched, act-accept”

id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg=”ret-matched” id=20085 trace_id=1 func=get_new_addr46 line=1047 msg=”find SNAT46: IP-2000:172:16:201::13

(from IPPOOL), port-27592″

id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg=”policy-1 is matched, actaccept”

id=20085 trace_id=1 func=__iprope_check line=2131 msg=”gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000″

id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg=”after check: ret-matched, act-accept, flag-08050500, flag2-00200000″ id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg=”allocate a new session-00000081″
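As an added example (not FortiOS code or part of the original page), a small Python parser that reduces a diagnose debug flow trace like the one above to the fields a troubleshooter checks first: the ingress tuple and interface, the DNAT46 and SNAT46 results, the matching policy and the final verdict. The sample lines are a subset of the trace shown on this page; the regexes assume the msg field is always double-quoted, as it is here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the trace lines shown on this page, one record per line.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, actt=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13 (from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000"
"""

# One record per line: id, trace_id, func, line and a double-quoted msg.
RECORD_RE = re.compile(r'^id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"$')
PKT_RE = re.compile(r'\(proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.')
DNAT_RE = re.compile(r'find DNAT46: IP-(\S+), port-(\d+)')
SNAT_RE = re.compile(r'find SNAT46: IP-(\S+)')
RESULT_RE = re.compile(r'check result: ret-(\w+), act-(\w+)')


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Split raw 'diagnose debug flow' output into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(dict(zip(("id", "trace_id", "func", "line", "msg"), m.groups())))
    return records


def summarize_trace(text: str, trace_id: str = "1") -> Dict[str, Optional[str]]:
    """Reduce one trace to the ingress tuple, the NAT46 results and the final verdict."""
    summary: Dict[str, Optional[str]] = dict.fromkeys(
        ("src", "dst", "in_intf", "dnat46", "snat46", "policy", "verdict"))
    for rec in parse_trace(text):
        if rec["trace_id"] != trace_id:
            continue  # several packets may be traced at once; keep only the one asked for
        msg = rec["msg"]
        if rec["func"] == "print_pkt_detail" and (m := PKT_RE.search(msg)):
            summary["src"], summary["dst"], summary["in_intf"] = m.group(2), m.group(3), m.group(4)
        elif m := DNAT_RE.search(msg):
            summary["dnat46"] = m.group(1)  # IPv6 address the VIP46 maps the destination to
        elif m := SNAT_RE.search(msg):
            summary["snat46"] = m.group(1)  # IPv6 address taken from the IP pool for the source
        elif m := re.search(r'matched policy-(\d+)', msg):
            summary["policy"] = m.group(1)
        elif m := RESULT_RE.search(msg):
            summary["verdict"] = f"{m.group(1)}/{m.group(2)}"
    return summary
```

A verdict other than matched/accept, or a missing dnat46 or snat46 entry, points directly at the VIP46, policy46 or IP pool configuration to check.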

NAT64 policy and DNS64 (DNS proxy)


NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.

Sample topology

In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which has only an IPv4 address on the Internet.

  1. The host on the internal network does a DNS lookup for qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.
  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.
  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.16.200.55.
  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.
  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
  6. The FortiGate unit translates the destination address of the packets from IPv6 address 64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55, translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range), and forwards the packets out the port9 interface to the Internet.

Sample configuration

To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:

  1. Go to System > Feature Visibility.
  2. In the Basic Features section, enable IPv6.
  3. In the Additional Features section, enable the following features:
    • NAT46 & NAT64
    • DNS Database
  4. Click Apply.

To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:

config system global
    set gui-ipv6 enable
end

config system settings
    set gui-nat46-64 enable
    set gui-dns-database enable
end

To enable DNS proxy on the IPv6 interface using the GUI:

  1. Go to Network > DNS Servers.
  2. In DNS Service on Interface, click Create New.
  3. For Interface, select port10.
  4. Click OK.

To enable DNS proxy on the IPv6 interface using the CLI:

config system dns-server
    edit "port10"
        set mode forward-only
    next
end

To configure IPv6 DHCP server using the CLI:

config system dhcp6 server
    edit 1
        set subnet 2001:db8:1::/64
        set interface "port10"
        config ip-range
            edit 1
                set start-ip 2001:db8:1::11
                set end-ip 2001:db8:1::20
            next
        end
        set dns-server1 2001:db8:1::10
    next
end

To enable NAT64 and related settings using the CLI:

Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.

By default, the setting always-synthesize-aaaa-record is enabled, so the DNS proxy (DNS64) always synthesizes an AAAA record from the A record. If you disable this setting, the DNS proxy first attempts to find an existing AAAA record for the queried domain name and, if one exists, resolves the host name to that IPv6 address. Only if the DNS proxy cannot find an AAAA record does it synthesize one by adding the NAT64 prefix to the A record's IPv4 address.

The nat64-prefix setting is the NAT64 prefix. By default, it is 64:ff9b::/96.

config system nat64
    set status enable
end
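The address synthesis from the sample topology (steps 3 and 6) and the always-synthesize-aaaa-record behaviour, worked through in Python as an added example that is not FortiOS code or part of the original page. It generalizes to any /96 NAT64 prefix, not just the default 64:ff9b::/96; the function names are the example's own.

```python
import ipaddress
from typing import List, Optional

# Well-known NAT64 prefix (RFC 6052), which is the FortiOS default nat64-prefix.
DEFAULT_NAT64_PREFIX = "64:ff9b::/96"


def _prefix(prefix: str) -> ipaddress.IPv6Network:
    """Validate the NAT64 prefix; embedding an IPv4 address in the low 32 bits needs a /96."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles a /96 NAT64 prefix")
    return net


def synthesize_aaaa(ipv4: str, prefix: str = DEFAULT_NAT64_PREFIX) -> str:
    """Build the AAAA answer DNS64 returns: NAT64 prefix in the upper 96 bits,
    the A record's IPv4 address in the lower 32 bits (64:ff9b::172.16.200.55 in the text)."""
    net = _prefix(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: str = DEFAULT_NAT64_PREFIX) -> Optional[str]:
    """The reverse mapping the NAT64 policy applies to the destination address (step 6).
    Returns None when the address is not inside the NAT64 prefix, i.e. nothing to translate."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in _prefix(prefix):
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], aaaa_records: List[str],
                 always_synthesize: bool = True,
                 prefix: str = DEFAULT_NAT64_PREFIX) -> List[str]:
    """What the DNS proxy answers to an AAAA query, given the A and AAAA records it found.
    always_synthesize mirrors always-synthesize-aaaa-record (enabled by default):
    enabled  -> synthesize from the A records even if real AAAA records exist;
    disabled -> return real AAAA records when present, synthesize only if there are none."""
    if not always_synthesize and aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]
```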

To create NAT64 policy using the GUI:

  1. Add an IPv4 firewall address for the external network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. For Name, enter external-net4.
    4. For IP/Network, enter 172.16.200.0/24.
    5. For Interface, select port9.
    6. Click OK.
  2. Add an IPv6 firewall address for the internal network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. Change Category to IPv6 Address.
    4. For Name, enter internal-net6.
    5. For IPv6 Address, enter 2001:db8:1::/48.
    6. Click OK.
  3. Add an IP pool containing the IPv4 address that is used as the source address of the packets exiting port9.
    1. Go to Policy & Object > IP Pools.
    2. Click Create New.
    3. For Name, enter exit-pool4.
    4. For External IP Range, enter 172.16.200.200-172.16.200.210.
    5. Click OK.
  4. Add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network.
    1. Go to Policy & Object > NAT64 Policy.
    2. Click Create New.
    3. For Incoming Interface, select port10.
    4. For Outgoing Interface, select port9.
    5. For Source Address, select internal-net6.
    6. For Destination Address, select external-net4.
    7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool exit-pool4.
    8. Click OK.

To create NAT64 policy using the CLI:

config firewall address
    edit "external-net4"
        set associated-interface "port9"
        set subnet 172.16.200.0 255.255.255.0
    next
end

config firewall address6
    edit "internal-net6"
        set ip6 2001:db8:1::/48
    next
end

config firewall ippool
    edit "exit-pool4"
        set startip 172.16.200.200
        set endip 172.16.200.210
    next
end

config firewall policy64
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "internal-net6"
        set dstaddr "external-net4"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "exit-pool4"
    next
end