Category Archives: FortiOS 5.6

Web Filter profile page GUI updates (309012)

Web Filter profile page GUI updates (309012)

The GUI for the Web Filter security profile and Web Profile Overrides pages are changed.

Web Filter profile page

  • removed multilist for override user group and profile l replaced FortiGuard categories actions icons with font icons
  • added tooltip for Allow users to override blocked categories to explain the policy group dependency Web Profile Overrides page
  • removed multilist of user, user group, original profile, new profile l duplicate profile for new profile (for bug #284239)

DLP sensor GUI changes (307225)

DLP sensor GUI changes (307225)

The DLP sensor for file size has been corrected to indicate that the file size has to be greater than the number of KB entered. Previously, the GUI incorrectly showed that the files size could be greater than or equal to the number of KB entered.

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016 this feature is no longer supported by YouTube. Instead you can use the information in the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying Strict or Moderate restrictions using HTTP headers as described in this article.

In FortiOS 5.6 with inspection mode set to proxy-based, in a Web Filter profile under Search Engines you can select Restrict YouTube Access and select either Strict or Moderate.

SSL/SSH profile certificate handling changes (373835)

SSL/SSH profile certificate handling changes (373835)

In order to support DSA and ECDSA key exchange (in addition to RSA) in SSL resign and replace mode, CLI commands for deep-inspection have changed. The certname command in ssl-ssh-profile has been removed.

To select from the list of available certificates in the system, use the CLI below.

edit deep-inspection set server-cert-mode re-sign set certname-{rsa | dsa | ecdsa}

New diagnose command to delete avatars (388634)

New diagnose command to delete avatars (388634)

Commands to delete avatars by FortiClient UID or avatar name have been added to the CLI.

the two following commands has been added to diagnose endpoint avatar: l diagnose endpoint avatar delete <ftcl_uid> l diagnose endpoint avatar delete <ftcl_uid> <username>

The attribute delete did not exist before. The values <fctl_uid> and <user_name> describe a set of avatars. If only <fctl_uid> is defined, all avatars belonging to this FortiClient UID that are not being used will be removed. If both values are defined, the avatar belonging to them will be removed unless they are being used in which case this call will cause an error to user.

CASI functionality moved into application control (385183 372103)

CASI functionality moved into application control (385183 372103)

Cloud Access Security Inspection (CASI) is merged with Application Control resulting in changes to the GUI and the CLI.

GUI Changes

  • Toggle option added to quickly filter CASI signatures in the Application Signatures list.
  • Application Overrides table now shows any parent-child hierarchy using the –parent metadata on signatures. Deleting a parent app also deletes its child apps. And conversely, adding a child app will add all its parent apps but with implicit filter action.
  • A policy breakdown is shown on existing application control profiles for policies using the profile. The breakdown indicates which policies are using a deep inspection.
  • A breakdown is shown for application categories and filter overrides to indicate the number of CASI and non-CASI signatures. A lock icon is shown for applications requiring deep inspection.

CLI Changes

Commands removed:

l config application casi profile l casi profile in config firewall policy l casi profile in config firewall policy6 l casi-profile-status and casi-profile under config firewall sniffer l casi-profile-status and casi-profile under config firewall interface-policy