Category Archives: FortiOS 5.6

SSL VPN (5.6.1)


New SSL VPN features added to FortiOS 5.6.1.

Added a button to send Ctrl-Alt-Delete to the remote host for VNC and RDP desktop connections (401807)

Previously, users were unable to send Ctrl-Alt-Delete to the host machine in an SSL VPN remote desktop connection.

FortiOS 5.6.1 adds a new button that allows users to send Ctrl-Alt-Delete in remote desktop tools (also fixes 412456, preserving the SSL VPN realm after session timeout prompts a logout).

Improved SSL VPN Realms page (0392184)

Implemented minor functional changes to the dialog on the SSL VPN > Realms page:

  • URL preview uses info message similar to that seen on the SSL VPN settings dialog.
  • Virtual-Host input is now visible when set in the CLI.
  • Added help tooltip describing what the virtual-host property does.

Customizable FortiClient Download URL in SSL VPN Web Portal (437883)

A new attribute, customize-forticlient-download-url, is added to vpn.ssl.web.portal.

The added attribute indicates whether to support a customizable download URI for FortiClient. This attribute is disabled by default. If enabled, two other attributes, windows-forticlient-download-url and macos-forticlient-download-url, will appear through which the user can customize the download URI for FortiClient.

Syntax

config vpn ssl web portal
    edit <portal>
        set customize-forticlient-download-url {enable | disable}
        set windows-forticlient-download-url <custom URL for Windows>
        set macos-forticlient-download-url <custom URL for Mac OS>
    next
end

Added split DNS support for SSL VPN (434512)

Split DNS is now supported for SSL VPN. This feature allows you to specify which domains will be resolved by the DNS server specified by the VPN while all other domains will be resolved by the locally specified DNS.

This feature is useful in both Enterprise and MSP scenarios (when hosting multiple SSL VPN portals).

Syntax

config vpn ssl web portal
    edit <name>
        config split-dns-domains
            edit 1
                set domains "abc.com, cde.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
                set ipv6-dns-server1 2000:2:3:4::5
                set ipv6-dns-server2 2000:2:3:4::6
            next
            …
        end
end
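
To show which queries go to the VPN-provided DNS servers under this configuration, the following added example (not Fortinet code) parses the split-dns-domains entry shown above and picks resolvers for a hostname. The function names, the local resolver address used when calling it, and the label-boundary suffix match are assumptions used to model the behaviour; the page does not state how FortiOS matches subdomains.

```python
import re

# Constructed sample: the split-dns-domains entry from the syntax above.
SAMPLE_CONFIG = '''
config split-dns-domains
    edit 1
        set domains "abc.com, cde.com"
        set dns-server1 192.168.1.1
        set dns-server2 192.168.1.2
        set ipv6-dns-server1 2000:2:3:4::5
        set ipv6-dns-server2 2000:2:3:4::6
    next
end
'''

def parse_split_dns(text):
    """Return a list of {'domains': [...], 'servers': [...]} entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"edit \d+", line):
            current = {"domains": [], "servers": []}
        elif line == "next" and current is not None:
            entries.append(current)
            current = None
        elif current is not None and line.startswith("set domains "):
            value = line[len("set domains "):].strip().strip('"')
            current["domains"] = [d.strip().lower().rstrip(".")
                                  for d in value.split(",") if d.strip()]
        elif current is not None and re.match(r"set (ipv6-)?dns-server\d ", line):
            current["servers"].append(line.split()[-1])
    return entries

def pick_resolvers(name, entries, local_dns):
    """Choose resolvers for name (hypothetical helper).

    Assumption: a name matches a listed domain if it equals it or ends
    with "." + domain, so "notabc.com" does not match "abc.com".
    """
    name = name.lower().rstrip(".")
    for entry in entries:
        for domain in entry["domains"]:
            if name == domain or name.endswith("." + domain):
                return "vpn", entry["servers"]
    return "local", list(local_dns)
```

Running a list of internal hostnames through pick_resolvers with the client's local resolver shows which lookups would stay on the locally specified DNS and therefore be visible outside the tunnel.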

Support SSL VPN function in browsers without plugins: Citrix/RDPNative/Port forward (437886)

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit "rdpnative"
                set apptype rdpnative
                set description "rdpnative"
                set host "172.16.68.188"
                set additional-params ''
                unset full-screen-mode
                set screen-height 768
                set screen-width 1024
            next
        end
    next
end

SSL VPN SSO Support for HTML5 RDP (417248)

This feature adds support for SSO from the SSL VPN portal to an RDP bookmark. If SSO is used, then the credentials used to login to SSL VPN will be automatically used when connecting to a remote RDP server.

Syntax

config vpn ssl web user-bookmark
    edit <name>
        config bookmarks
            edit <name>
                set apptype rdp
                set host "x.x.x.x"
                set port <value>
                set sso [disable | auto]
            next
        end
    next
end


Session-aware Load Balancing (SLBC) (5.6.1)


New SLBC features added to FortiOS 5.6.1.

FortiController-5000 series independent port splitting (42333)

FortiOS 5.6.1 supports splitting some 40G FortiController front panel fiber channel interfaces into 10G ports. In previous versions of FortiOS this configuration was not supported and all FortiController fiber channel front panel interfaces had to operate at the same speed.


Server Load balancing (5.6)


New load balancing features added to FortiOS 5.6.

IPv6, 6to4, and 4to6 server load balancing (280073)

Server load balancing is supported for:

  • IPv6 VIPs (config firewall vip6)
  • IPv6 to IPv4 (6to4) VIPs (config firewall vip64)
  • IPv4 to IPv6 (4to6) VIPs (config firewall vip46)

Configuration is the same as IPv4 VIPs, except support for advanced HTTP and SSL related features is not available. IPv6 server load balancing supports all the same server types as IPv4 server load balancing (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, and IP). IPv4 to IPv6 and IPv6 to IPv4 server load balancing supports fewer server types (HTTP, TCP, UDP, and IP).

Improved Server load balancing GUI pages (404169)

Server load balancing GUI pages have been updated and now include more functionality and input verification.

 

Server Load balancing (5.6.1)


New load balancing features added to FortiOS 5.6.1.

Add server load balancing real servers on the Virtual Server GUI page (416709)

In previous versions of the FortiOS GUI, after adding a Virtual Server you would go to Policy & Objects > Real Servers to add real servers and associate each real server with a virtual server.

In FortiOS 5.6.1 you now go to Policy & Objects > Virtual Servers, configure a virtual server and then from the same GUI page add real servers to the virtual server. In addition, on the Virtual Server GUI page the option Outgoing Interface is renamed Interface and the load balancing method Source IP Hash has been renamed Static.


FortiGate conserve mode changes (242562, 386503)


The following changes were made to rework conserve mode and facilitate its implementation:

  • Implemented CLI commands to configure extreme, red, and green memory usage thresholds in percentages of total RAM. The thresholds are based on memory used and are set at 95% (extreme), 88% (red) and 82% (green).
  • Removed the av_conserve_mode structure and made other kernel changes to obtain and set memory usage thresholds from the kernel.
  • Added conserve mode diagnostic command diag hardware sysinfo conserve, which displays information about memory conserve mode.
  • Fixed conserve mode logs in the kernel
  • Added conserve mode stats to the proxy daemon through command diag sys proxy stats all | grep conserve_mode

Web Filter Quota traffic can no longer be set to 0 (374380)


To fix a bug in an older major release, the CLI has been changed so that the minimum traffic quota does not allow 0 as an entry. The value entered must be in the range of 1 – 4,294,967,295; if 0 is entered, an error message is returned.

CLI Commands:

config webfilter profile
    edit default
        config ftgd-wf
            config quota
                edit 1
                    set type traffic
                    set value {a number in the range of 1 – 4,294,967,295}