Category Archives: FortiOS 5.6

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

sync-session-ttl is now set to enable by default in order to:

l enhance detection of P2P traffic. Efficient detection of P2P is important on hardware accelerated platforms l ensure that IPS and the kernel use the same ttl l ensure that IPS sessions time out sooner

Change to CLI commands for configuring custom Internet services (397029)

Change to CLI commands for configuring custom Internet services (397029)

Custom internet services are no longer configured through use of the commands config application internet-service and config application internet-service-custom in the CLI.

These commands are replaced by config firewall internet-service and config firewall internet-service-custom.

CLI Syntax – examples

config firewall internet-service 1245324 set name “Fortinet-FortiGuard”

set reputation 5 set icon-id 140 set offset 1602565 config entry edit 1 set protocol 6 set port 443 set ip-range-number 27

set ip-number 80

next edit 2 set protocol 6 set port 8890 set ip-range-number 27 set ip-number 80

next edit 3 set protocol 17 set port 53 set ip-range-number 18 set ip-number 31

next edit 4 set protocol 17 set port 8888 set ip-range-number 18 set ip-number 31

next

end

end

config firewall internet-service-custom edit “custom1” set comment “custom1” config entry edit 1 set protocol 6 config port-range edit 1 set start-port 30 set end-port 33

next

end

set dst “google-drive” “icloud”

next

end

next

end

Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

Security Fabric audit check for endpoint vulnerability and unauthorized FAP and FSW (401462)

The new Security Fabric Audit feature allows for the display of endpoint vulnerability status in real-time. Users can see:

l FortiClient devices that have critical vulnerabilities detected. l Discovered FortiSwitches that have not yet been authorized. l Discovered FortiAPs that have not yet been authorized.

Botnet database changes (390756)

Botnet database changes (390756)

Starting in FortiOS 5.6, FortiGate units and FortiGuard Distribution Servers (FDS0 will use object IDs IBDB and DBDB to download and update the Botnet database. Botnet protection will be part of the AntiVirus contract.

FortiOS 5.4 uses object IDs IRDB and BDDB.

Block Google QUIC protocol in default Application Control configuration (385190)

Block Google QUIC protocol in default Application Control configuration (385190)

QUIC is an experimental protocol from Google. With recent Google Chrome versions (52 and above), and updated Google services, more than half of connections to Google servers are now in QUIC. This affects the accuracy of Application Control. The default configuration for Application control blocks QUIC.

Users may enable QUIC with CLI commands.

CLI Syntax

config application list edit <profile-name> set options allow-quic

end

Changes to default SSL inspection configuration (380736)

Changes to default SSL inspection configuration (380736)

SSL inspection is mandatory in the CLI and GUI and is enabled by default.

GUI Changes

  • Updated edit dialogues for IPv4/IPv6 Policy and Explicit Proxy Policy l SSL/SSH inspection data displayed in muted palette l disabled the toggle button for this option l set the default profile as “certificate-inspection”
  • Updated list pages for IPv4/IPv6 Policy and Explicit Proxy Policy l Add validation for “ssl-ssh-profile” when configuring UTM profiles
  • Updated SSL/SSH Inspection list page l disabled delete menu on GUI for default ssl profiles l changed “Edit” menu to “View” menu for default ssl profiles l added implicit class (grayed) the default ssl profile entries
  • Updated SSL/SSH Inspection edit dialog l disabled all the inputs for default ssl profiles except download/view trusted certificate links l changed button to “Return” for default ssl profiles to return the list page
  • Updated Profile Group edit dialog l removed checkbox for “ssl-ssh-profile” option, make it always required.

CLI changes

  1. ssl-ssh-profile default value is certificate-inspection when applicable in table firewall.profile-group, firewall.policy, firewall.policy6, explicit-proxy-policy
  2. make default profiles “certificate-inspection”, “deep-ssl-inspection’ read only in table firewall.ssl-ssh-profile

Application control and Industrial signatures separate from IPS signatures (382053)

Application control and Industrial signatures separate from IPS signatures (382053)

IPS, Application control and industrial signatures have been separated. The get system status command shows the versions of each signature database:

get system status

Version: FortiGate-5001D v5.6.0,build1413,170121 (interim)

Virus-DB: 42.00330(2017-01-23 01:16)

Extended DB: 1.00000(2012-10-17 15:46)

Extreme DB: 1.00000(2012-10-17 15:47) IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 0.00000(2001-01-01 00:00)

APP-DB: 6.00741(2015-12-01 02:30)

DNS profile supports safe search (403275)

DNS profile supports safe search (403275)

Users can take advantage of pre-defined DNS doctor rules to edit DNS profiles and provide safe search for Google, Bing, and YouTube.

To add safe search to a DNS profile – GUI

  1. Go to Security Profiles > DNS Filter.
  2. Edit the default filter or create a new one.
  3. Enable Enforce ‘Safe Search on Google, Bing, YouTube.
  4. Select Strict or Moderate level of restriction for YouTube Access.

To add safe search to a DNS profile – CLI

config dnsfilter profile edit “default” set safe-search enable

set youtube-restrict {strict | moderate} (only available is safe-search enabled)

next

end