FortiOS 5.6.2 What’s New

Executive Summary

This chapter briefly highlights some of the higher profile new FortiOS 5.6 features, some of which have been enhanced for FortiOS 5.6.2.

Security Fabric enhancements

Security Fabric features and functionality continue to evolve. New features include improved performance and integration, a security audit function that finds possible problems with your network and recommends solutions, Security Fabric dashboard widgets, improved device detection, and remote login to other FortiGates in the fabric. See New Security Fabric features on page 20.

Security Fabric Audit

The Security Fabric Audit allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance. See Security Fabric Audit and Fabric Score on page 32.

Re-designed Dashboard

The Dashboard has been enhanced to show more information with greater flexibility and more functionality. See New Dashboard Features on page 40 for details.

NGFW Policy Mode

You can operate your FortiGate in NGFW policy mode to simplify applying Application control and Web Filtering to firewall traffic. See NGFW Policy Mode (371602) on page 57.

Flow-based inspection with profile-based NGFW mode is the default inspection mode in FortiOS 5.6.

Transparent web proxy

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. See Transparent web proxy (386474) on page 49.


Controlled failover between wireless controllers

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects a FortiGate unit and how the FortiAP unit fails over to a backup FortiGate unit if the primary FortiGate fails. See Controlled failover between wireless controllers on page 68.

FortiView Endpoint Vulnerability chart

A new FortiView chart tracks vulnerability events detected by the FortiClients running on all devices registered with the FortiGate. See New FortiView Endpoint Vulnerability Scanner chart (378647) on page 61.

FortiClient Profile changes

FortiClient profiles have been re-organized and now use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile. See FortiClient Profile changes (386267, 375049).

Adding Internet services to firewall policies

Internet service objects can be added to firewall policies instead of destination addresses and services. See Adding Internet services to firewall policies (389951).

Source and destination NAT in a single Firewall policy

Extensions to VIPs support more NAT options and other enhancements. See Combining source and destination NAT in the same policy (388718).

Other highlights

  • Application Control is a free service
  • Real time logging to FortiAnalyzer and FortiCloud
  • Multiple PSK for WPA Personal (393320)
  • VXLAN support (289354)
  • NP6 Host Protection Engine (HPE) to add protection against DDoS attacks (363398)
  • FortiGate logs can be sent to syslog servers in Common Event Format (CEF) (300128)
  • New PPPoE features

WiFi (5.6)

New WiFi features added to FortiOS 5.6.

Captive Portal Authentication with FortiAP in Bridge Mode (408915)

The FortiGate can operate as a web captive portal server to serve the captive portal local bridge mode.

A new CLI command has been added under config wireless-controller vap to set the captive portal type to CMCC, a wireless cipher.

CLI syntax

config wireless-controller vap
    edit <name>
        set portal-type {… | cmcc}
    next
end

802.11kv(r) support (405498, 395037)

New CLI commands have been added under config wireless-controller vap to set various 802.11kv (Voice Enterprise) and 802.11r (Fast Basic Service Set (BSS) Transition) settings, providing faster and more intelligent roaming for the client.

CLI syntax

config wireless-controller vap
    edit <name>
        set voice-enterprise {enable | disable}
        set fast-bss-transition {enable | disable}
        set ft-mobility-domain
        set ft-r0-key-lifetime [1-65535]
        set ft-over-ds {enable | disable}
    next
end

External Captive Portal authentication with FortiAP in Bridge Mode (403115, 384872)

New CLI commands have been added under config wireless-controller vap to set various options for external captive portal with FortiAP in Bridge Mode. The commands set the standalone captive portal server category, the server’s domain name or IP address, secret key to access the RADIUS server, and the standalone captive portal Access Controller (AC) name.

Note that these commands are only available when local-standalone is set to enable and security is set to captive-portal.

CLI syntax

config wireless-controller vap
    edit <name>
        set captive-portal-category {FortiCloud | CMCC}   Default is FortiCloud.
        set captive-portal-radius-server <server>
        set captive-portal-radius-secret <password>
        set captive-portal-ac-name <name>
    next
end

Japan DFS support for FAP-421E/423E/S421E/S423E (402287, 401434)

Korea and Japan Dynamic Frequency Selection (DFS) certification has been added for FAP-421E/423E/S421E/S423E. DFS is a mechanism that allows WLANs to select a frequency that does not interfere with certain radar systems while operating in the 5 GHz band.

802.3az support on WAVE2 WiFi APs (400558)

A new CLI command has been added under config wireless-controller wtp-profile to enable or disable use of Energy-Efficient Ethernet (EEE) on the WTP, allowing for lower power consumption during periods of low data activity.

CLI syntax

config wireless-controller wtp-profile
    edit <profile-name>
        set energy-efficient-ethernet {enable | disable}
    next
end

CLI command update made in wids-profile (400263)

The CLI command rogue-scan under config wireless-controller wids-profile has been changed to sensor-mode and allows easier configuration of radio sensor mode. Note that while foreign enables radio sensor mode on foreign channels only, both enables the feature on foreign and home channels.

CLI syntax

config wireless-controller wids-profile
    edit <example>
        set sensor-mode {disable | foreign | both}
    next
end

Channel utilization, FortiPresence support on AP mode, QoS enhancement for voice (399134, 377562)

A new CLI command, config wireless-controller qos-profile, has been added to configure quality of service (QoS) profiles where you can add WiFi multi-media (WMM) control and Differentiated Services Code Point (DSCP) mapping.

Note that:

  • call-capacity and bandwidth-admission-control are only available when call-admission-control is set to enable.
  • bandwidth-capacity is only available when bandwidth-admission-control is set to enable.
  • All DSCP mapping options are only available when dscp-wmm-mapping is set to enable.
  • wmm is set to enable by default. If wmm is set to disable, the following entries are not available: wmm-uapsd, call-admission-control, and dscp-wmm-mapping.

CLI syntax

config wireless-controller qos-profile
    edit <example>
        set comment <comment>
        set uplink [0-2097152]                       Default is 0 Kbps.
        set downlink [0-2097152]                     Default is 0 Kbps.
        set uplink-sta [0-2097152]                   Default is 0 Kbps.
        set downlink-sta [0-2097152]                 Default is 0 Kbps.
        set burst {enable|disable}                   Default is disable.
        set wmm {enable|disable}                     Default is enable.
        set wmm-uapsd {enable|disable}               Default is enable.
        set call-admission-control {enable|disable}  Default is disable.
        set call-capacity [0-60]                     Default is 10 phones.
        set bandwidth-admission-control {enable|disable}  Default is disable.
        set bandwidth-capacity [1-600000]            Default is 2000 Kbps.
        set dscp-wmm-mapping {enable|disable}        Default is disable.
        set dscp-wmm-vo [0-63]                       Default is 48 56.
        set dscp-wmm-vi [0-63]                       Default is 32 40.
        set dscp-wmm-be [0-63]                       Default is 0 24.
        set dscp-wmm-bk [0-63]                       Default is 8 16.
    next
end

QoS profiles can be assigned under the config wireless-controller vap command using qos-profile.

FortiCloud managed APs can now have a bandwidth restriction or rate limit applied based on SSID. For instance, if guest and employee SSIDs are available, you can rate limit guest access to a certain rate to leave capacity for employees. This feature also applies a rate limit based on the application in use, as APs are application aware.

FAP-U421E and FAP-U423E support (397900)

Two Universal FortiAP models support FortiOS 5.6. Their default profiles are added under config wireless-controller wtp-profile, as shown below:

CLI syntax

config wireless-controller wtp-profile
    edit "FAPU421E-default"
        config platform
            set type U421E
        end
        set ap-country US
        config radio-1
            set band 802.11n
        end
        config radio-2
            set band 802.11ac
        end
    next
end

config wireless-controller wtp-profile
    edit "FAPU423E-default"
        config platform
            set type U423E
        end
        set ap-country US
        config radio-1
            set band 802.11n
        end
        config radio-2
            set band 802.11ac
        end
    next
end

Minor reorganization of WiFi GUI entries (396497)

WiFi & Switch Controller GUI entries Managed FortiAPs, SSID, FortiAP Profiles, and WIDS Profiles have been reorganized.

Multiple PSK support for WPA personal (393320, 264744)

New CLI commands have been added, under config wireless-controller vap, to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs); this is more secure because all devices no longer have to share the same PSK.

Note that, for the following multiple PSK related commands to become available, vdom, ssid, and passphrase all have to be set first.

CLI syntax

config wireless-controller vap
    edit <example>
        set mpsk {enable|disable}
        set mpsk-concurrent-clients [0-65535]   Default is 0.
        config mpsk-key
            edit <key-name>
                set passphrase <wpa-psk>
                set concurrent-clients [0-65535]   Default is empty.
                set comment <comments>
            next
        end
    next
end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Table size of qos-profile has VDOM limit (388070)

The command config wireless-controller qos-profile now has a VDOM table limit; there is no longer an unlimited number of entries within each VDOM.

Add “dhcp-lease-time” setting to local-standalone-nat VAP (384229)

When a Virtual Access Point (VAP) has been configured for a FortiAP, a DHCP server is automatically configured on the FortiAP side with a hard lease time. A new CLI command under config wireless-controller vap has been added to customize the DHCP lease time for NAT IP addresses. This solves issues where the DHCP IP pool was exhausted because the number of clients grew too large for the lease time span.

Note that the new command, dhcp-lease-time, is only available when local-standalone is set to enable and local-standalone-nat is then also set to enable.

CLI syntax

config wireless-controller vap
    edit <example>
        set local-standalone {enable|disable}
        set local-standalone-nat {enable|disable}
        set dhcp-lease-time [300-8640000]   Default is 2400 seconds.
    next
end

New CLI command to configure LDPC for FortiAP (383864)

Previously, the LDPC value on a FortiAP could only be changed from the FortiAP's local CLI. Syntax has been added to the FortiOS CLI under wireless-controller vap to configure the LDPC value on the FortiAP.

CLI Syntax

config wireless-controller vap
    edit 1
        set ldpc [enable|rx|tx|disable]
    next
end

New region code/SKU for Indonesia (382926)

A new country region code, F, has been added to meet Indonesia’s WiFi channel requirements. Indonesia previously belonged to region code W.

FortiAP RMA support added (381936)

A new CLI command, fortiap, has been added under execute replace-device to replace an old FortiAP's serial number with a new one.

CLI Syntax

execute replace-device fortiap <old-fortiap-id> <new-fortiap-id>

Support fixed-length 64-hex digit for WPA-Personal passphrase (381030)

WPA-Personal passphrase now supports a fixed-length of 64 hexadecimal digits.
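The following Python is an added illustration, not code from the FortiOS documentation, of why the 64-hex-digit form has a fixed length: it is the raw 256-bit PSK itself, whereas an 8-63 character passphrase is first expanded into that PSK by the 802.11i PBKDF2-HMAC-SHA1 derivation (4096 iterations, SSID as salt). The helper names and validation rules are this example's own, not a FortiOS API; the expected key in the example is the published IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import re

# Exactly 64 hex digits: the raw 256-bit PSK, configured as-is (the fixed-length form).
HEX_PSK_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_raw_psk(passphrase: str) -> bool:
    """True when the configured value is the fixed-length 64-hex-digit PSK form."""
    return HEX_PSK_RE.fullmatch(passphrase) is not None


def wpa_personal_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit WPA-Personal PSK shared by the AP and the client.

    Two accepted forms (validation rules are this example's own, mirroring 802.11i):
      * exactly 64 hex digits -> already the PSK, returned after hex-decoding
      * 8-63 printable ASCII characters -> PSK = PBKDF2-HMAC-SHA1(
            passphrase, salt=SSID, iterations=4096, length=32 bytes)
    """
    if is_raw_psk(passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters or exactly 64 hex digits")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    psk = wpa_personal_psk("password", "IEEE")
    print(psk.hex())
    # The same key configured directly as 64 hex digits skips the derivation
    # and yields the identical PSK.
    print(wpa_personal_psk(psk.hex(), "IEEE") == psk)
```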

Allow FortiGates to manage cloud-based FortiAPs (380150)

FortiGates can now manage cloud-based FortiAPs using the new fapc-compatibility command under wireless-controller setting.

If enabled, default FAP-C wtp-profiles are added. If disabled, FAP-C related CMDB configurations are removed: wtp-group in the vap's vlan-pool, wtp-group, ws, wtp, and wtp-profile.

CLI syntax

config wireless-controller setting
    set country CN
    set fapc-compatibility [enable|disable]
end

You will receive an error message when trying to change the country while fapc-compatibility is enabled. You need to disable fapc-compatibility before changing to a country that FAP-C does not support.

Use IPsec instead of DTLS to protect CAPWAP tunnels (379502)

This feature uses FortiAP hardware to improve the throughput of tunneled data traffic by protecting the CAPWAP tunnel with IPsec instead of DTLS when data security is enabled.

The "AES-256-CBC & SHA256" algorithm and "dh_group 15" are used for both CAPWAP IPsec phase 1 and phase 2.

FAP320B does not support this feature because of its limited free flash capacity.

New option added to support only one IP per one endpoint association (378207)

When a user changes the configuration, radiusd resets all configurations and refreshes all logons in the kernel; all of these actions are done in one loop. A CLI option has been added to enable or disable replacement of an old IP address with a new IP address for the same endpoint on RADIUS accounting start.

CLI Syntax

config user radius
    edit radius-root
        set rsso-ep-one-ip-only [enable|disable]
    next
end

FAP-222C-K DFS support (377795)

Dynamic Frequency Selection (DFS) bands can now be configured for FortiAP 222C-K.

Note that this FortiAP model has the Korean region code (K), but ap-country under config wireless-controller wtp-profile still needs to be set to KR.

CLI syntax

config wireless-controller wtp-profile
    edit <K-FAP222C>
        config platform
            set type <222C>
        end
        set ap-country KR
        config radio-2
            set band <802.11ac>
            set vap-all <disable>
            set vaps "vap-vd-07"
            set channel "52" "56" "60" "64" "100" "104" "108" "112" "116" "120" "124" "128" "132" "136" "140"
        end
    next
end

Dynamic VLAN support in standalone mode (377298)

Dynamic VLAN is now supported in standalone mode. Previously, dynamic VLAN only worked in local bridge mode.

CLI-only features added to GUI (376891)

Previously CLI-only features have been added to the GUI under FortiAP Profiles, Managed FortiAPs, and SSID. An issue has also been fixed so that the correct value is displayed when viewing the WIDS Profile notification icon under FortiAP Profiles.

Managed AP GUI update (375376)

Upgraded Managed FortiAPs dialog page to a newer style, including icons for SSID and LAN port.

Bonjour gateway support (373659)

Bonjour gateway is now supported for WiFi networks.

Syntax

config wireless-controller bonjour-profile
    edit 0
        set comment "comment"
        config policy-list
            edit 1
                set description "description"
                set from-vlan [0-4094]   Default is 0.
                set to-vlan [0-4094|all]   Default is all.
                set services [all|airplay|afp|bittorrent|ftp|ichat|itunes|printers|samba|scanners|ssh|chromecast]
            next
        end
    next
end

FAP421E/423E wave2 support (371374)

The previously removed wave2 FAP421E and FAP423E models have been reinstated and are supported again through both the CLI and the GUI. These models are listed under the Platform dropdown menu when creating a new FortiAP Profile under WiFi & Switch Controller > FortiAP Profiles.

CLI syntax

config wireless-controller wtp-profile
    edit <example>
        config platform
            set type <…|421E|423E>
        end
    next
end

WiFi Health Monitor GUI changes (308317)

The WiFi Health Monitor page has been improved, including the following changes:

  • Flowchart used for diagrams
  • Chart used for interference and AP clients
  • Removed spectrum analysis
  • Added functionality to upgrade FortiAP firmware
  • Added option to view both 2.4GHz and 5GHz data simultaneously

AP Profile GUI page updates (298266)

The AP Profile GUI page has been upgraded to a new style including AngularJS code.

1+1 Wireless Controller HA (294656)

Failover between FortiAP units took too long and led to extended periods of time where WiFi users were without a network connection. Because WiFi is considered a primary network connection in today's verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Syntax

config wireless-controller inter-controller
    set inter-controller-mode {disable | l2-roaming | 1+1}   Default is disable.
    set inter-controller-key <password>
    set inter-controller-pri {primary | secondary}   Default is primary.
    set fast-failover-max [3-64]   Default is 10.
    set fast-failover-wait [10-86400]   Default is 10.
    config inter-controller-peer
        edit <name>
            set peer-ip <ip-address>
            set peer-port [1024-49150]   Default is 5246.
            set peer-priority {primary | secondary}   Default is primary.
        next
    end
end

Support for duplicate SSID names on tunnel and bridge mode interfaces (278955)

When duplicate-ssid is enabled in the CLI, VAPs can use the same SSID name in the same VDOM. When it is disabled, all SSIDs on WLAN interfaces are checked and, if duplicate SSIDs exist, an error message is displayed. When duplicate-ssid is enabled in the CLI, the duplicate SSID check is also removed from the "Edit SSID" GUI page.

Syntax

config wireless-controller setting
    set duplicate-ssid [enable|disable]
end

Controlled failover between wireless controllers (249515)

Failover between FortiAP units took too long and led to extended periods of time where WiFi users were without a network connection. Because WiFi is considered a primary network connection in today's verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided by load-based detection, but can now be defined by each unit's pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

WiFi (5.6.1)

New WiFi features added to FortiOS 5.6.1.

Support for various FortiAP models (416177) (435638)

FortiAP units FAP-U321EV, FAP-U323EV, FAP-S221E, FAP-S223E, and FAP-222E are supported by FortiOS 5.6.1.

As part of this support, new CLI attributes have been added under config wireless-controller wtp-profile to manage their profiles.

CLI syntax

config wireless-controller wtp-profile
    edit <model>
        config platform
            set type <model>
        end
        set ap-country <code>
        config radio-1
            set band 802.11n
        end
        config radio-2
            set band 802.11ac
        end
    next
end

New Managed AP Groups and Dynamic VLAN Assignment (436267)

The FortiGate can create FortiAP Groups, under WiFi & Switch Controller > Managed Devices > Managed FortiAPs by selecting Create New > Managed AP Group, where multiple APs can be managed. AP grouping allows specific profile settings to be applied to many APs all at once that belong to a certain AP group, simplifying the administrative workload.

Note that each AP can only belong to one group.

In addition, VLANs can be assigned dynamically based on the group to which an AP belongs. When defining an SSID, under WiFi & Switch Controller > SSID, a setting called VLAN Pooling can be enabled where you can either assign the VLAN ID of the AP group the device is connected to, to each device as it is detected, or always assign the same VLAN ID to a specific device. Dynamic VLAN assignment allows the same SSID to be deployed to many APs, avoiding the need to create multiple SSIDs.

GUI support for configuring multiple pre-shared keys for SSID interfaces (406321)

Multiple pre-shared keys can be created per SSID. When creating a new SSID, enable Multiple Pre-shared Keys under WiFi Settings.

FortiAP Bluetooth Low Energy (BLE) Scan (438274)

The FortiGate can configure FortiAP Bluetooth Low Energy (BLE) scanning, incorporating Google's BLE beacon profile known as Eddystone, which is used to identify groups of devices and individual devices.

As part of this support, new CLI attributes have been added under config wireless-controller timers and config wireless-controller wtp-profile, including a new CLI command, config wireless-controller ble-profile.

CLI syntax – Configure BLE report intervals

config wireless-controller timers
    set ble-scan-report-intv <seconds>   (default = 30 sec)
end

CLI syntax – Assign BLE profiles to WTP profiles

config wireless-controller wtp-profile
    edit <name>
        set ble-profile <name>
    next
end

CLI syntax – Configure BLE profiles

config wireless-controller ble-profile
    edit <name>
        set comment <comment>
        set advertising {ibeacon | eddystone-uid | eddystone-url}
        set ibeacon-uuid <uuid>
        set major-id <0-65535>   (default = 1000)
        set minor-id <0-65535>   (default = 1000)
        set eddystone-namespace <10-byte namespace>
        set eddystone-instance <device id>
        set eddystone-url <url>
        set txpower <0-12>   (default = 0)
        set beacon-interval <40-3500>   (default = 100)
        set ble-scanning {enable | disable}   (default = disable)
    next
end

Note that txpower determines the transmit power level on a scale of 0-12:

  • 0: -21 dBm
  • 1: -18 dBm
  • 2: -15 dBm
  • 3: -12 dBm
  • 4: -9 dBm
  • 5: -6 dBm
  • 6: -3 dBm
  • 7: 0 dBm
  • 8: 1 dBm
  • 9: 2 dBm
  • 10: 3 dBm
  • 11: 4 dBm
  • 12: 5 dBm

WiFi client monitor page search enhanced (440709)

The WiFi Client Monitor page (Monitor > WiFi Client Monitor) now supports a search function.

VoIP/SIP (5.6)

This chapter describes new VoIP and SIP features added to FortiOS 5.6.

SIP strict-register enabled by default in VoIP Profiles (380830)

If strict-register is disabled, when a REGISTER is received by a FortiGate, the source address (usually the IP address of the PBX) and port (usually port 5060) are translated by NAT to the external address of the FortiGate and port 65476. Pinholes are then opened for SIP and RTP. This tells the SIP provider to send incoming SIP traffic to the external address of the FortiGate on port 65476.

This creates a security hole, since the port is open regardless of the source IP address, so an attacker who scans all the ports by sending REGISTER messages to the external IP of the FortiGate will eventually get one REGISTER through.

When strict-register is enabled (the new default) the pinhole is smaller because it will only accept packets from the SIP server.

Enabling strict-register can cause problems when the SIP registrar and SIP proxy server are separate entities with separate IP addresses.

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs the VDOM data held by the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)

VDOMs (5.6.1)

This section describes new VDOM features added to FortiOS 5.6.1.

Create a virtual switch that allows multiple VDOMs to use the same physical interface or VLAN (436206)

This feature allows multiple VDOMs to access the same network or the Internet using the same physical interface rather than requiring each VDOM to have its own Internet-facing interface.

To create this configuration, consider a FortiGate with three VDOMs:

config vdom
    edit root
    next
    edit vdom1
    next
    edit vdom2
    next
end

Create inter-VDOM links for vdom1 and vdom2. The inter-VDOM links should have their type set to ethernet.

config system vdom-link
    edit "vlnk1"
        set type ethernet
    next
    edit "vlnk2"
        set type ethernet
    next
end

These commands create the following four interfaces:

  • vlnk1 creates the interfaces vlnk10 and vlnk11
  • vlnk2 creates the interfaces vlnk20 and vlnk21

Then create a virtual switch, add it to the root VDOM, and add the first interface created for each inter-VDOM link to it along with the physical interface or VLAN that the VDOMs will use to connect to the external network. In this example, the VDOMs will all connect to the Internet through the wan1 interface.

config system switch-interface
    edit "vs1"
        set vdom "root"
        set member "wan1" "vlnk10" "vlnk20"
    next
end

Then distribute the interfaces in the virtual switch to the respective VDOMs and configure the required IP settings. In this example:

  • wan1, vlnk10, and vlnk20 are added to the root VDOM
  • vlnk11 is added to vdom1
  • vlnk21 is added to vdom2
  • wan1, vlnk11 and vlnk21 are configured with IP addresses on the same subnet. The example uses internal IP addresses that may not be appropriate for your network.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.1.1.101 255.255.255.0
    next
    edit "vlnk10"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk20"
        set vdom "root"
        set type vdom-link
    next
    edit "vlnk11"
        set vdom "vdom1"
        set ip 10.1.1.102 255.255.255.0
        set type vdom-link
    next
    edit "vlnk21"
        set vdom "vdom2"
        set ip 10.1.1.103 255.255.255.0
        set type vdom-link
    next
end

System (5.6)

New system administration features added to FortiOS 5.6.

Remove CLI commands from 1-CPU platforms (405321)

Two CLI commands that set CPU affinity have been removed from 1-CPU platforms since they do not have any impact on these platforms. The commands are config system global > set miglog-affinity and config system global > set av-affinity <string>.

New SNMP trap for bypass events (307329)

When bypass mode is enabled or disabled on FortiGate units that are equipped with bypass interfaces and support AMC modules, a new SNMP trap is generated and logs bypass events.

Implement SNMP support for NAT Session monitoring which includes new SNMP OIDs (383661)

FortiOS 5.6 implements a new feature providing SNMP support for NAT session monitoring. The resulting new SNMP object identifier (OID) is:

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwIppools.fgFwIppTables.fgFwIppStatsTable.fgFwIppStatsEntry (1.3.6.1.4.1.12356.101.5.3.2.1.1)

Additionally, there are eight new items:

  • .1 fgFwIppStatsName
  • .2 fgFwIppStatsType
  • .3 fgFwIppStatsStartIp
  • .4 fgFwIppStatsEndIp
  • .5 fgFwIppStatsTotalSessions
  • .6 fgFwIppStatsTcpSessions
  • .7 fgFwIppStatsUdpSessions
  • .8 fgFwIppStatsOtherSessions
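An added example, not part of the FortiOS documentation: a small Python parser that groups a numeric snmpwalk of fgFwIppStatsTable by IP pool row, flags pools whose total NAT session count crosses a threshold (an early warning for IP pool exhaustion), and cross-checks that the TCP, UDP and other counters add up to the reported total. Only the base OID and the eight column names come from this page; the sample walk output, the value types shown (STRING, Gauge32, IpAddress), the pool names and the threshold are constructed for the example.

```python
import re

# Base OID of fgFwIppStatsEntry (FORTINET-FORTIGATE-MIB, as listed above).
IPP_STATS_ENTRY = "1.3.6.1.4.1.12356.101.5.3.2.1.1"

# The eight column sub-identifiers of the entry, as listed above.
IPP_COLUMNS = {
    1: "fgFwIppStatsName",
    2: "fgFwIppStatsType",
    3: "fgFwIppStatsStartIp",
    4: "fgFwIppStatsEndIp",
    5: "fgFwIppStatsTotalSessions",
    6: "fgFwIppStatsTcpSessions",
    7: "fgFwIppStatsUdpSessions",
    8: "fgFwIppStatsOtherSessions",
}
SESSION_COLUMNS = (
    "fgFwIppStatsTotalSessions",
    "fgFwIppStatsTcpSessions",
    "fgFwIppStatsUdpSessions",
    "fgFwIppStatsOtherSessions",
)

# Net-SNMP style numeric output line: "<oid> = <TYPE>: <value>".
WALK_LINE_RE = re.compile(r"^\.?(?P<oid>\d+(?:\.\d+)+)\s*=\s*(?P<type>\w+):\s*(?P<value>.*)$")

# Constructed sample walk of two IP pools; the value types are assumed for the example.
SAMPLE_WALK = """\
.1.3.6.1.4.1.12356.101.5.3.2.1.1.1.1 = STRING: "pool-dmz"
.1.3.6.1.4.1.12356.101.5.3.2.1.1.2.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.5.3.2.1.1.3.1 = IpAddress: 203.0.113.10
.1.3.6.1.4.1.12356.101.5.3.2.1.1.4.1 = IpAddress: 203.0.113.10
.1.3.6.1.4.1.12356.101.5.3.2.1.1.5.1 = Gauge32: 48210
.1.3.6.1.4.1.12356.101.5.3.2.1.1.6.1 = Gauge32: 40100
.1.3.6.1.4.1.12356.101.5.3.2.1.1.7.1 = Gauge32: 8000
.1.3.6.1.4.1.12356.101.5.3.2.1.1.8.1 = Gauge32: 110
.1.3.6.1.4.1.12356.101.5.3.2.1.1.1.2 = STRING: "pool-guest"
.1.3.6.1.4.1.12356.101.5.3.2.1.1.5.2 = Gauge32: 1200
.1.3.6.1.4.1.12356.101.5.3.2.1.1.6.2 = Gauge32: 900
.1.3.6.1.4.1.12356.101.5.3.2.1.1.7.2 = Gauge32: 250
.1.3.6.1.4.1.12356.101.5.3.2.1.1.8.2 = Gauge32: 40
"""


def parse_ippool_walk(lines):
    """Group fgFwIppStatsTable rows by pool index: {row_index: {column_name: value}}."""
    pools = {}
    for raw in lines:
        match = WALK_LINE_RE.match(raw.strip())
        if not match:
            continue  # blank line, banner, or something that is not an OID binding
        oid = match.group("oid")
        if not oid.startswith(IPP_STATS_ENTRY + "."):
            continue  # an object outside the IP pool statistics table
        suffix = oid[len(IPP_STATS_ENTRY) + 1:].split(".")
        if len(suffix) != 2:
            continue  # expect exactly <column>.<row> after the entry OID
        column = IPP_COLUMNS.get(int(suffix[0]))
        if column is None:
            continue  # column not among the eight documented items
        value = match.group("value").strip().strip('"')
        if column in SESSION_COLUMNS:
            value = int(value)  # session counters are compared numerically
        pools.setdefault(int(suffix[1]), {})[column] = value
    return pools


def pools_over_threshold(pools, max_sessions):
    """Names of pools whose total NAT session count exceeds max_sessions."""
    return sorted(
        row.get("fgFwIppStatsName", f"row-{idx}")
        for idx, row in pools.items()
        if row.get("fgFwIppStatsTotalSessions", 0) > max_sessions
    )


def inconsistent_pools(pools):
    """Pool names where tcp + udp + other does not add up to the reported total."""
    bad = []
    for idx, row in pools.items():
        if all(col in row for col in SESSION_COLUMNS):
            parts = sum(row[col] for col in SESSION_COLUMNS[1:])
            if parts != row["fgFwIppStatsTotalSessions"]:
                bad.append(row.get("fgFwIppStatsName", f"row-{idx}"))
    return sorted(bad)


if __name__ == "__main__":
    stats = parse_ippool_walk(SAMPLE_WALK.splitlines())
    for idx, row in sorted(stats.items()):
        print(idx, row)
    print("over 10000 sessions:", pools_over_threshold(stats, 10000))
    print("counters do not add up:", inconsistent_pools(stats))
```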

New extended database version OIDs for AV and IPS (402162)

New extended database version OIDs ensure accurate display of the AntiVirus and IPS databases in use when you go to System > FortiGuard.

Administrator password encryption hash upgraded from SHA1 to SHA256 (391576)

The encryption hash for administrator passwords is upgraded from SHA1 to SHA256.

Downgrades from FortiOS 5.6 to 5.4, 5.2, or 5.0 keep the administrator password usable. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and reset the password.

Allow multiple FortiManager addresses when configuring central management (388083)

Central management configuration can now support multiple FortiManager addresses. This feature is mainly to help the case where the FortiGate unit is behind NAT.

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

A new CLI command allows users to determine a FortiGate's location from its public IP address through FortiGuard.

The new CLI command is diagnose system waninfo.

Deletion of multiple saved configurations supported (308936)

The FortiGate will save multiple configurations and images when revision-backup-on-logout and revision-image-auto-backup are enabled in config system global.

The deletion of multiple saved configurations is now possible due to changes in the CLI command execute revision delete config <revision ID>. Where the command previously allowed only one revision ID at a time, it now allows almost ten.

New CLI option to limit script output size (388221)

The new CLI command set output-size limits the size of an auto script in megabytes and prevents the memory from being used up by the script’s output.

CLI Syntax

config system auto-script
    edit <script name>
        set output-size <integer>
    next
end

Enter an integer value from 10 to 1024. Default is 10.

Enable / disable logging of SSL connection events (375582)

New CLI commands are added to give the user the option to enable or disable logging of SSL connection events.

CLI Syntax

config system global
    set log-ssl-connection {enable | disable}
end

Default is disable.

Enabling or disabling static key ciphers (379616)

There is a new option in system global to enable or disable static key ciphers in SSL/TLS connections (e.g., AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). The default is enable.

CLI Syntax

config system global
    set ssl-static-key-ciphers {enable | disable}
end

Enhancements to IPS Signatures page (285543)

The IPS signatures list page now shows which IPS package is currently deployed. You can also change the IPS package by hovering over the information icon next to the IPS package name. Text appears that links directly to the FortiGate's System > FortiGuard page from the IPS Signatures list page.

Combine multiple commands into a CLI alias (308921)

You can add one or more CLI commands to a CLI alias, then use the alias command to run the alias that you have created and execute the stored commands. For example, create the following alias to run the get system status command:

config system alias
    edit "version"
        set command "get system status"
    next
end

Then you can use the following command to run the alias:

alias version

You can use command abbreviations (for example: g sys stat instead of get system status). Use quotes around the syntax if there are spaces (there usually are).

You can enter alias followed by a ? to view the aliases that you have added.

You can add multiple commands to an alias by pressing Ctrl-Enter after the first line. Press Enter at the end of each subsequent line. At the end of the last line, add the closing quote and press Enter to end the command.

config system alias
    edit "debug_flow"
        set command "diag debug enable
diag debug flow show console enable"
    next
end

You can include config commands in an alias as well, for example, create the following alias to bring the port1 and port2 interfaces down:

config system alias
    edit port12down
        set command "config system interface
edit port1
set status down
next
edit port2
set status down
end"
    next
end

You can combine config, execute, get, and diagnose commands in the same alias, for example:

config system alias
    edit "show-info"
        set command "show full-configuration alertemail setting
get sys status
dia sys top"
    next
end

System (5.6.1)

New system administration features added to FortiOS 5.6.1.

Use self-sign as default GUI certificate if BIOS cert is using SHA-1 (403152)

For increased security, a self-signed certificate replaces the SHA-1 certificate as the default GUI certificate if the BIOS certificate uses SHA-1.

Administrator timeout override per access profile (413543)

The GUI is often used for central monitoring, which requires a longer inactivity timeout so that the administrator does not have to log in again repeatedly. This new feature allows the admintimeout value, under config system accprofile, to be overridden per access profile.

Because the override is applied per profile, a long timeout does not have to be set globally by accident.

CLI Syntax – Configure admin timeout

config system accprofile
    edit <name>
        set admintimeout-override {enable | disable}
        set admintimeout <0-480>    (default = 10, 0 = unlimited)
    next
end

New execute script command (423159)

A new execute command has been introduced to merge arbitrary configlets into the running configuration from a script. The command can authenticate with either a username and password or a certificate, and supports FTP, TFTP and SCP.

An important benefit of this feature is that if the configuration in the script fails (for example, because of a syntax error), the system reverts to the running configuration without interrupting the network.

CLI Syntax – Load script from FTP/TFTP/SCP server to firewall

execute restore scripts <ftp | tftp | scp> <dir / filename in server> <server ip> <username> <password>

FortiCache as an external cache service for FortiOS (435830)

A CLI configuration was added to allow the FortiGate to use FortiCache as an external cache service.

Global configuration

config wanopt forticache-service
    set status enable
    set local-cache-id "100d-bhan"
    set remote-forticache-id "3kc-bhan"
    set remote-forticache-ip 192.99.1.99
end

Help text:

status                  Enable/disable using FortiCache as web-cache storage.
local-cache-id          ID that this device uses to connect to the remote FortiCache.
remote-forticache-id    ID of the FortiCache to which the device connects.
remote-forticache-ip    IP address of the FortiCache to which the device connects.

(status)
# set status
disable    Use local disks as web-cache storage.
enable     Use a remote FortiCache as web-cache storage.

(local-cache-id)
# set local-cache-id
<string>    please input string value

(remote-forticache-id)
# set remote-forticache-id
<string>    please input string value

(remote-forticache-ip)
# set remote-forticache-ip
<any_ip>    Any ip xxx.xxx.xxx.xxx

SSL VPN (5.6)

New SSL VPN features added to FortiOS 5.6.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. There may, however, be cases where a user wants to use a blank password, although this is strongly discouraged. If a username is provided but the password is empty, the CLI displays a warning. See the example CLI below, where the warning appears as a caution before the command finishes:

config vpn ssl web user-group-bookmark
    edit <group-name>
        config bookmarks
            edit <bookmark-name>
                set apptype rdp
                set host 172.16.200.121
                set security nla
                set port 3389
                set logon-user <username>
            next
        end
Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.
end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA.
object set operator error, -2010 discard the setting
Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

A new CLI command sets virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging in to a FortiGate via SSL VPN for traffic inspection and then having the outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy
    edit <example>
        set dstintf virtual-wan-link
end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can time out the client before it finishes negotiation steps such as a DNS lookup or entering a token. Two new CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard-coded timeout value. The second command sets the SSL VPN maximum DTLS hello timeout.

CLI syntax

config vpn ssl settings
    set login-timeout [10-180]        Default is 30 seconds.
    set dtls-hello-timeout [10-60]    Default is 10 seconds.
end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal
    edit <example>
        set os-check enable
        config os-check-list windows-10
            set action {deny | allow | check-up-to-date}
        end
end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal implements a DNS suffix per SSL VPN portal. The suffix set for a specific portal overrides the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

- 650 portals on 1000D series
- 1300 portals on 2000E series
- 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal
    edit <example>
        set dns-suffix <string>
end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution is to add two attributes (http-request-header-timeout and http-request-body-timeout).

CLI syntax

config vpn ssl settings
    set http-request-header-timeout [1-60]    (seconds)
    set http-request-body-timeout [1-60]      (seconds)
end

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark
    edit 'name'
        config bookmarks
            move bookmark1 after/before
            clone bookmark1 to
    next
end

New controls for SSL VPN client login limits (376983)

The limit on SSL VPN user login failures is now linked to config user settings, and a new option removes the SSL VPN login attempt limit entirely. New CLI commands allow the administrator to configure how many wrong credentials are allowed before the SSL VPN server blocks an IP address, and how long the block lasts.

CLI syntax

config vpn ssl settings
    set login-attempt-limit [0-10]        Default is 2.
    set login-block-time [0-86400]        Default is 60 seconds.
end
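The settings above, the SSL VPN request timeouts, and the per-profile admintimeout override are the kind of values worth checking in a saved configuration before they weaken protection unnoticed. The following added example (not FortiOS code, and not part of this document) parses the config/edit/set/next/end CLI format and flags an accprofile with an unlimited timeout, a login-attempt-limit of 0, and request timeouts left unset; the sample configuration and the profile name are constructed.

```python
import shlex

# Constructed sample FortiOS CLI configuration (not taken from a real device),
# using only settings documented on this page.
SAMPLE_CONFIG = """\
config system accprofile
    edit "noc-monitor"
        set admintimeout-override enable
        set admintimeout 0
    next
end
config vpn ssl settings
    set login-attempt-limit 0
    set login-block-time 60
    set http-request-header-timeout 20
end
"""

def parse_fortios_config(text):
    """Parse config/edit/set/next/end CLI text into nested dicts."""
    root, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)          # handles quoted values such as "noc-monitor"
        if not tok:
            continue
        cur = stack[-1] if stack else root
        if tok[0] == "config":           # e.g. "config vpn ssl settings"
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":           # one table entry
            stack.append(cur.setdefault(tok[1], {}))
        elif tok[0] == "set":            # single value, or a list of values
            cur[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def audit(cfg):
    """Return findings for documented settings whose values weaken protection."""
    findings = []
    for name, prof in cfg.get("system accprofile", {}).items():
        if prof.get("admintimeout-override") == "enable" and prof.get("admintimeout") == "0":
            findings.append(f"accprofile {name}: admintimeout 0 (unlimited) overrides the global timeout")
    ssl = cfg.get("vpn ssl settings", {})
    if ssl.get("login-attempt-limit") == "0":
        findings.append("vpn ssl settings: login-attempt-limit 0 removes the login attempt limit")
    for key in ("http-request-header-timeout", "http-request-body-timeout"):
        if key not in ssl:
            findings.append(f"vpn ssl settings: {key} not set, slow-request timeout left at its default")
    return findings
```

Running audit(parse_fortios_config(SAMPLE_CONFIG)) on the constructed sample returns three findings; a configuration pulled with show full-configuration can be fed in the same way.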

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added, which allows the user to copy, interact with, and overwrite the remote desktop clipboard contents.
