Category Archives: FortiOS 5.6

FortiOS Carrier (5.6.1)

FortiOS Carrier (5.6.1)

New FortiOS Carrier features added to FortiOS 5.6.1.

 

FortiOS Carrier

GTP enhancement and GTP Performance Improvement. (423332)

The GTP changes in 5.6.1 take place in the following categories:

New GTP features and functionality enhancements.

  • GTP message filter enhancements, including: l Unknown message white list l GTPv1 and GTPv2 profile separation l Message adoption.
  • GTP IE white list.
  • Global APN rate limit, including: l sending back REJECT message with back-off timer l “APN congestion” cause value
  • GTP half-open, half-close configurable timer.

GTP performance improvements.

  • Implemented RCU on GTP-U running path. i.e, no locking needed to look up tunnel state when processing GTP-U.

Note the RCU is only applied on GTPv1 and GTPv2 tunnels. It is not used for GTPv0 tunnels, due to the fact that (1) GTPv0 traffic is relatively minor compared with GTPv1 and GTPv2, and (2) GTPv0 tunnel indexing is totally different from GTPv1 and GTPv2. GTPv0 tunnel is indexed by [IMSI, NSAPI]. GTPv1 and GTPv2 tunnel is indexed by [IP, TEID]

  • Localized CPU memory usage on GTP-U running path.
  • GTP-C: changed some GTP tables from RB tree to hash table, including l GTP request tables, and GTPv0 tunnel tables. l Testing showed, when handling millions of entries adding/deleting, hash table performance was much better.
  • 3.2 Hash table is compatible with RCU API, so we can apply RCU on these GTP-C tables later for further performance improvements.
  • GTP-C, improved GTP path management logic, so that GTP path will time out sooner when there are no tunnels linked to it

CLI Changes:

New Diagnose commands: diagnose firewall gtp

Option Description
hash-stat-tunnel GTP tunnel hash statistics.
hash-stat-v0tunnel GTPv0 tunnel hash statistics.

FortiOS Carrier (5.6.1)

Option Description
hash-stat-path GTP path hash statistics.
hash-stat-req GTP request hash statistics.
vd-apn-shaper APN shaper on VDOM level.
ie-white-list-v0v1 IE white list for GTPv0 or v1.
ie-white-list-v2 IE white list for GTPv2.

diagnose firewall gtp vd-apn-shaper

Option Description
list List

diagnose firewall gtp ie-white-list-v0v1

Option Description
list List

diagnose firewall gtp ie-white-list-v2

Option Description
list List

config gtp apn-shaperapn-shaper

Option Description
apn APN to match. Leave empty to match ANY.

“apn” field can be empty, it matches ANY apn. when configured, it is used to set a limit for any apn which is not explicitly listed; Also, if configured, such an entry should be the last entry, as it is first-match rule.

rate-limit Rate limit in packets/s (0 – 1000000, 0 means unlimited).

FortiOS Carrier

Option Description
action Action. [drop | reject]

There is no back-off timer in GTPv0, therefor the reject action is not available for V0

back-off-time Back off time in seconds (10 – 360).

back-off-time visible when action is

“reject”

Changed commands:

Under command firewall gtp, config message-filter is replaced by set message-filterv0v1

Example:

config firewall gtp edit <name> set message-filter-v0v1

New fields have been added to the config firewall gtp command context

Option Description
half-open-timeout Half-open tunnel timeout (in seconds).
half-close-timeout Half-close tunnel timeout (in seconds).

Example:

config firewall gtp edit <name> set half-open-timeout 10 set half-close-timeout 10 Models affected by change

l FortiGate 3700D l FortiGate 3700DX l FortiGate 3800D Device identification (5.6)

Getting Started (5.6)

Getting Started (5.6)

New Getting Started features added to FortiOS 5.6.

Change to CLI console (396225)

The CLI Console widget has been removed from FortiOS 5.6.0. It is accessed from the upper-right hand corner of the screen and is no longer a pop-out window but a sliding window.

System Information Dashboard widget WAN IP Information enhancement (401464)

WAN IP and location data are now available in the System Information widget. Additionally, If the WAN IP is blacklisted in the FortiGuard server, there will be a notification in the notification area, located in the upper righthand corner of the Dashboard. Clicking on the notification will open the WAN IP Blacklisted slider with the relevant blacklist information.

CLI and GUI changes to display FortiCare registration information (395254)

The changes pertain to industry and organization size of the FortiGate’s registered owner.

GUI Changes

l Add industry and organization size to FortiCare registration page l Add company and industry to license widget tooltip for FortiCare

When you hover over the Licenses widget in the FortiOS 5.6 dashboard, you can see the company and industry data, provided it has been entered in the FortiCare profile.

Getting Started (5.6)

CLI Changes

Commands are added to diagnose forticare

dia forticare direct-registration product-registration -h Options: a:A:y:C:c:T:eF:f:hI:i:l:O:o:p:P:z:R:r:S:s:t:v:

–&lt;long&gt; -&lt;short&gt; account_id a: address A: city y: company C: contract_number c: country_code T: existing_account e fax F: first_name f:

help h industry I: industry_id i: last_name l: orgsize O: orgsize_id o: password p: phone P:

postal_code z: reseller R: reseller_id r:

state S:

state_code s:

title t: version v:

(5.6)

Improved GUI for Mobile Screen Size & Touch Interface (355558)

The FortiOS web GUI on mobile screens and include functionality for touch interfaces like tap to hold are improved.

Authentication (5.6.1)

Authentication (5.6.1)

New authentication features added to FortiOS 5.6.1.

Full certificate chain CRL checking (407988)

Certificate revocation/status check for peer certificates and intermediate CAs is now supported. Redesigned fnbam_auth_cert() API to use stack type of X509 instead of array for certificate chain. Removed obsolete fnbam API and parameters. Now authd, sslvpnd, and GUI send full certificate chains to fnbamd for verification.

New option under user > setting to allow/forbid SSL renegotiation in firewall authentication (386595)

A new option auth-ssl-allow-renegotiation is now available under config user setting to allow/forbid renegotiation. The default value is disable, where a session would be terminated by authd once renegotiation is detected and this login would be recorded as failure. Other behavior follows regular auth settings.

Syntax

config user setting set auth-ssl-allow-renegotiation {enable | disable}

end

New option to allow spaces in RADIUS DN format (422978)

Previously, IKEv2 RADIUS group authentication introduced a regression because it removed spaces from ASN.1 DN peer identifier string.

Reverted default DN format to include spaces. Added a new CLI option ike-dn-format to allow the user to select either with-space or no-space. Customers using the group-authentication option can select the ike-dn-format setting to match the format used in their RADIUS user database.

Added LDAP filter when group-member-check is user-attr (403140)

Added LDAP filter when group-member-check is user-attr. LDAP filter is deployed when checking user attribute.

Syntax

config user ldap edit <name> set group-filter ?

next

end

  • group-filter is none by default, where the process is the same as before.

When group-filter is set, the LDAP filter takes effect for retrieving the group information.

 

Authentication (5.6.1)

Added Refresh button to the LDAP browser (416649)

Previously, cached LDAP data was used even if the LDAP server configuration was updated.

In FortiOS 5.6.1, a Refresh button has been added in the LDAP browser. In the LDAP server dialog page, the user can delete the DN field to browse the root level tree when clicking the Fetch DN button.

Differentiate DN option for user authentication and membership searching (435791)

Previously, LDAP used the same DN option for user authentication and membership searching. New CLI commands are introduced to config user ldap to resolve this issue:

  • group-member-check user-attr

For user attribute checking, a new attribute group-search-base is added, which indicates the starting point for the group search. If the group-search-base is not set, binddn is used as the search base. Removed searchtype when group-member-check is user-attr.

  • group-member-check group-object

For group object checking, the group names in user group match rule will be picked up as the group search base. If there are multiple matching rules, each group name will trigger the ldapsearch query once. l group-member-check posix-group-object

Changed group-object-search-base to group-search-base for posix-group-object groupmember-check.

FTM Push when FAC is auth server (408273)

This feature adds support for FortiToken Mobile (FTM) push with FortiAuthenticator server in FortiOS. It also fixes a crash when adding a node to an RB tree, by checking if the same key has already been used in the tree. If yes, remove the node using the same key before adding a new node.

Non-blocking LDAP authentication (433700)

The previous LDAP authentication in fnbamd used openldap library. OpenLDAP supports non-blocking BIND but it is not event driven.

To support non-blocking LDAP in fnbamd, we stopped using the openLDAP library in fnbamd, instead using only liblber. Instead of using openLDAP, fnbamd will create its own event-driven connection with LDAP servers over LDAP/LDAPS/STARTTLS, make it non-blocking, do CRL checking if necessary, and compose all LDAP requests using liblber (including bind, unbind, search, password renewal, password query, send request and receive response, and parse response). The whole process is done in one connection.

This doesn’t change any openLDAP implementation but moves some data structure definitions and API definitions from some internal header files to public header files.

Manual certificate SCEP renewal (423997)

Added support of manual certificate SCEP renewal besides the auto-regeneration feature that already exists.

Authentication (5.6.1)

More detailed RADIUS responses shown in connectivity test (434303)

Improved on-demand test connectivity for RADIUS servers. Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. Test also shows RADIUS Attributes returned from the RADIUS server.

Example

FG100D3G12807101 # diagnose test authserver radius-direct

<server_name or IP> <port no(0 default port)> <secret> <user> <password>

FG100D3G12807101 # diagnose test authserver radius-direct 1.1.1.1 0 dd RADIUS server ‘1.1.1.1’ status is Server unreachable

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 dd

RADIUS server ‘172.18.5.28’ status is Secret invalid

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet jeff1 asdfasdf

RADIUS server ‘172.18.5.28’ status is OK Access-Reject

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet ychen1 asdfasdf

RADIUS server ‘172.18.5.28’ status is OK

Access-Accept

AVP: l=6 t=Framed-Protocol(7) Value: 1

AVP: l=6 t=Service-Type(6) Value: 2

AVP: l=46 t=Class(25)

Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 00 00 5e fe ac 12 05

1c 01 d2 cd b6 75 a6 80 56 00 00 00 00 00 00 00 1c

AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) VSA: l=6 t=MS-Link-Utilization-Threshold(14) Value: 50

AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)

VSA: l=6 t=MS-Link-Drop-Time-Limit(15) Value: 120

Firewall user authentication time-out range increased (378085)

The firewall user authentication time-out max value has increased from 3 days to 30 days.

Syntax

config user group set authtimeout <0 – 43200> end

Authentication (5.6)

Authentication (5.6)

New authentication features added to FortiOS 5.6.

FortiToken Mobile Push (397912, 408273, 399839, 404872)

FortiToken Mobile push supports two-factor authentication without requiring users to enter a four-digit code to authenticate. Instead they can just accept the authentication request from their FortiToken Mobile app.

A new command has been added under config system ftm-push allowing you to configure the FortiToken

Mobile Push services server IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This will help to avoid tokens becoming locked after an already enabled two-factor authentication user has been disabled. In addition, FortiOS supports FTM Push when FortiAuthenticator is the authentication server.

CLI syntax

config system ftm-push set server-ip <ip-address> set server-port [1-65535] Default is 4433. end

In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message will display showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.

The “x” value will depend on the calculation of how much time is left in the current time step.

CLI syntax

config system interface edit <name> set allowaccess ftm

next

end

Support V4 BIOS certificate (392960)

FortiOS now supports backwards compatibility between new BIOS version 4 and old BIOS version 3.

New BIOS V4 certificates:

  • Fortinet_CA l Fortinet_Sub_CA l Fortinet_Factory Authentication (5.6)

Old BIOS V3 certificates:

  • Fortinet_CA_Backup l Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the new BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the old BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the new BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the old Fortinet_Factory_Backup.

Support extendedKeyUsage for x.509 certificates (390393)

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer should have the “Server Authentication” and “Client Authentication” extendedKeyUsage fields in FIPS/CC mode.

To implement this, a new CLI command has been added under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting set certificate <name>

end

Administrator name added to system event log (386395)

The administrator’s name now appears in the system event log when the admin issues a user quarantine ban on a source address.

Support RSA-4096 bit key-length generation (380278)

In anticipation of quantum computers, RSA-4096 bit key-length CSRs can now be imported.

New commands added to config user ldap to set UPN processing method and filter name (383561)

Added two new commands to config user ldap allowing you to keep or strip domain string of UPN in the token as well as the search name for this kind of UPN.

CLI syntax:

config user ldap set account-key-processing set account-key-name

FortiOS Carrier (5.6.1)

end

User authentication max timeout setting change (378085)

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).

Changes to Authentication Settings > Certificates GUI (374980)

Added new icons for certificate types and updated formatters to use these new icons.

Password for private key configurable in both GUI and CLI (374593)

FortiOS 5.4.1 introduced a feature that allowed you to export a local certificate and its private key in password protected p12, and later import them to any device. This option to set password for private key was available only in the CLI (when requesting a new certificate via SCEP or generating a CSR). This feature is now also configurable through the GUI.

The new Password for private key option is available under System > Certificates when generating a new CSR.

RADIUS password encoding (365145)

A new CLI command, under config user radius, has been added to allow you to configure RADIUS password encoding to use ISO-8859-1 (as per RFC 2865).

Certain RADIUS servers use ISO-8859-1 password encoding instead of others such as UTF-8. In these instances, the server will fail to authenticate the user, if the user’s password is using UTF-8.

CLI syntax

config user radius edit <example> set password-encoding <auto | ISO-8859-1>

end

This option will be skipped if the auth-type is neither auto nor pap.

RSSO supports Delegated-IPv6-Prefix and Framed-IPv6-Prefix (290990)

Two attributes, Delegated-IPv6-Prefix and Framed-IPv6-Prefix, have been introduced for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.

New feature catalog (5.61 and 5.6)

New feature catalog (5.61 and 5.6)

The following sections list all of the new features in FortiOS 5.6 and 5.6.1 organized alphabetically by subject area.

Getting Started (5.6.1)

New Getting Started features added to FortiOS 5.6.1.

VM License visibility improvement (423347)

VM License GUI items have changed as follows:

  • Added VM widget to Global > Dashboard. Includes the following:
  • License status and type. l CPU allocation usage. l License RAM usage. l VMX license information (if the VM supports VMX). l If the VM license specifies ‘unlimited’ the progress bar is blank.
  • If the VM is in evaluation mode, it is yellow (warning style) and the dashboard show evaluation days used.
  • Widget is shown by default in the dashboard of a FortiOS VM device. l Removed VM information from License widget at Global > Dashboard.
  • License info and Upload License button provided on page Global > System > FortiGuard.
  • Updated ‘Upload VM License’ page: l Added license RAM usage and VMX instance usage. l Replaced file input component.

CLI Syntax

config sys admin edit <name> config gui-dashboard edit <1> set name <name> config widget edit <2> set type {vminfo | …} <- new option set x-pos <2> set y-pos <1> set width <1> set height <1>

next

end

next

end next

Getting Started (5.6.1)

end

FortiView Dashboard Widget (434179)

Added a new widget type to the dashboard for top level FortiView. FortiView widgets have report-by, sort-by, visualization, timeframe properties, and filters subtable in the CLI.

Supported FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, and Admin and System Events.

Bubble, table, chord chart, and country visualizations are supported in the widget.

Widgets can be saved from a filtered FortiView page on to a dashboard.

Syntax

config system admin config gui-dashboard config widget set type fortiview

set report-by {source | destination | country | intfpair | srcintf | dstintf | policy | wificlient | shaper | endpoint | application | cloud | web | threat

| system | unauth | admin | vpn} set timeframe {realtime | 5min | hour | day | week} set sort-by <string>

set visualization {table | bubble | country | chord} config filters set key <filter_key> set value <filter_value>

end

end

end

end

end

Where:

l report-by = Field to aggregate the data by. l timeframe = Timeframe period of reported data. l sort-by = Field to sort the data by. l visualization = Visualization to use.

Controls added to GUI CLI console (422623)

FortiOS 5.6.1 introduces new options in the browser CLI console to export the console history. Options are now available to Clear console, Download, and Copy to clipboard.

FortiExplorer icon enhancement (423838)

FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing (5.6)

a web GUI page from within the FortiExplorer iOS app).

The following locations were affected: Policy List, Policy Dialogue, Address List, Address Dialogue, Virtual IP list, Virtual IP Dialogue.

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 processors now include HPE functionality that can protect networks from DoS attacks by categorize incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks. You can use the options in the following CLI command to limit the number packets per second received for various packet types by each NP6 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP6 processor.

HPE protection is disable by default. You can use the following command to enable HPE protection for the NP6_0 NP6 processor:

config system np6 edit np6_0 config hpe set type-shaper enable

end

HPE can be enabled and configured separately for each NP6 processor. When enabled, the default configuration is designed to provide basic DoS protection. You can use the following command to adjust the HPE settings in real time if you network is experiencing an attack. For example, the following command allows you to configure HPE settings for np6_0.

config system np6 edit np6_0 config hpe set type-shaping-tcpsyn-max set type-shaping-tcp-max set type-shaping-udp-max set type-shaping-icmp-max set type-shaping-sctp-max set type-shaping-ipsec-esp-max set type-shaping-ip-frag-max set type-shaping-ip-others-max set type-shaping-arp-max set type-shaping-others-max

end Where:

type-shaping-tcpsyn-max applies shaping based on the maximum number of TCP SYN packets received per second. The range is 10,000 to 10,000,000,000 pps. The default limits the number os packets per second to 5,000,000 pps.

type-shaping-tcp-max applies shaping based on the maximum number of TCP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-udp-max applies shaping based on the maximum number of UDP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-icmp-max applies shaping based on the maximum number of ICMP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

 

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)                                                     GUI

type-shaping-sctp-max applies shaping based on the maximum number of SCTP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ipsec-esp-max NPU HPE shaping based on the maximum number of IPsec ESP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-frag-max applies shaping based on the maximum number of fragmented IP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps..

type-shaping-ip-others-max applies shaping based on the maximum number of other IP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-arp-max applies shaping based on the maximum number of ARP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-others-max applies shaping based on the maximum number of other layer 2 packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

(5.6.1)

Combining source and destination NAT in the same policy (388718)

Combining source and destination NAT in the same policy (388718)

The Service field has been added to Virtual IP objects. When service and portforward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port.

config firewall vip edit “vip1” set type load-balance

set service “HTTP-8080” “HTTP” <—– New Service field, accepts Service/Service group names

set extip 20.0.0.0-20.0.255.255 set extintf “wan1” set portforward enable set mappedip “30.0.0.1”

set mappedport 100 <——– single port end

The reason for making this configuration possible is to allow complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT and not requiring numerous VIPs bundled into VIP groups.

Combining source and destination NAT in the same policy (388718)                                                                    GUI

GUI                                                   NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

FortiOS 5.6.2 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.2 build 1486:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.2 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-

POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE,

FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E,

FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG- 200D,

FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE,

FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D,

FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E,

FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E,

FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.2 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.2                                                                                                                Introduction

What’s new in FortiOS 5.6.2

For a list of new features and enhancements that have been made in FortiOS 5.6.2, see the What’s New for FortiOS 5.6.2 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements                                                                                Special Notices

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.2

FortiOS version 5.6.2 officially supports upgrading from version 5.4.4, 5.4.5, 5.6.0, and 5.6.1. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or adminsport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.2 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.1 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths FortiGate-VM 5.6 for VMware ESXi   Upgrade Information

  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.2, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Upgrade Information                                                                                                            FortiGate VM firmware

When downgrading from 5.6.2 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums                                                                                                    Upgrade Information

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.2 support

The following table lists 5.6.2 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 54 l Google Chrome version 59 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 10 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 9. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 9.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

 

FortiOS 5.6.2 support

FortiClient Android and FortiClient VPN Android l 5.4.1 and later
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.6 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1 and later
AV Engine l 5.247
IPS Engine l 3.426
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later

Product Integration and Support                                                                                                  Language support

VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 54

Google Chrome version 59

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 54

Google Chrome version 59

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.2. For inquires about a particular bug, please contact CustomerService & Support.

GUI

Bug ID Description
442145 httpsd daemon signal 11 crash due to missing default parameter for /endpointcontrol/avatar/download.
442939 Switch-controller Managed FortiSwitch failed to be displayed and triggered Internal Server Error.

SSL VPN

Bug ID Description
442808 SSL VPN daemon crash and users disconnected when any one of tunnel users log out.

 

Known Issues

The following issues have been identified in version 5.6.2. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.

Firewall

Bug ID Description
434959 NGFW policy with App Control policy blocks traffic.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.

FortiSwitch-Controller/FortiLink

Known Issues

Bug ID Description
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
402507 In physical/logical topology, threat drill down fails and keeps GUI loading unexpectedly.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drill down a auth-failed wifi client entry in “Failed Authentication” could not display detail logs when CSF enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
374247 GUI list may list another VDOM interface when editing a redundant interface.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.

 

Known Issues

Bug ID Description
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
412401 Incorrect throughput reading in GUI-System-HA page.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is

FortiAnalyzer.

442231 Link cannot show different colors based on link usage legend in logical topology real time view.
Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.

HA

Bug ID Description
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441078 The time duration of packet-transporting process stops to pre-master node after HA failover takes too long.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
436585 Issues with different hardware generation when operating in a HA cluster.

IPsec

Bug ID Description
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.

Log & Report

Known Issues

Proxy

Bug ID Description
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
409156 In Security Fabric Audit, The unlicensed FDS FortiGate shouldn’t be marked Passed in Firmware & Subscriptions.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.

Known Issues

Bug ID Description
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
439553 Virtual wire pair config missing after reboot.
440411 Monitor NP6 IPsec engine status.
440412 SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Adding Internet services to firewall policies (389951)

Adding Internet services to firewall policies (389951)

In 5.4, support was added for Internet Service objects which could be used with FortiView, Logging, Routing and WAN Load Balancing. Now they can be added to firewall policies as well.

There is an either or relationship between Internet Service objects and destination address and service combinations in firewall policies. This means that a destination address and service can be specified in the policy OR an Internet service, not both.

CLI

The related CLI options/syntax are:

config firewall policy edit 1 set internet-service 1 5 10 set internet-service-custom test set internet-service-negate [enable|disable]

end

GUI

In the policy listing page you will notice that is an Internet Service object is used, it will be found in both the Destination and Service column.

In the policy editing page the Destination Address, now Destination field now has two types, Address and Internet Service.

 

New PPPoE features

New PPPoE features

PPPoE dynamic gateway support (397628)

Original design for PPPoE requires to configure a static gateway. Although it works in many scenarios, some customers require to add support for dynamic gateway for internet-service based routes.

No changes to the CLI neither to the GUI.

Support multiple PPPoE connections on a single interface (363958)

Multiple PPPoE connections on a single physical or vlan interface are now supported by the FortiGate. In addition the interface can be on demand PPPoE.

 

New PPPoE features                                            Support multiple PPPoE connections on a single interface (363958)

GUI

CLI

config system pppoe-interace edit <name> set dial-on-demand [enable|disable] set ipv6 [enable|disable] set device <interface> set username <string> set password <string>

set auth-type [auto|pap|chap|mschapv1|mschapv2] set ipunnumbered <class_ip>

set pppoe-unnumbered-negotiate [enable|disable] set idle-timeout <integer> set disc-retry-timeout <integer> set padt-retry-timeout <integer> set service-name <string> set ac-name <string>

Support multiple PPPoE connections on a single interface (363958)                                            New PPPoE features

set lcp-echo-interval <integer> set lcp-max-echo-fails <integer>

  • dial-on-demand- Enable/disable the dial on demand.feature l ipv6 – Enable/disable the use of IPv6. l device – The name of the physical interface.
  • username – User name for credentials l password – Password matching the above username l auth-type – The type of PPP authentication to be used.
  • auto – Automatic choice of authentication l pap – PAP authentication l chap – CHAP authentication l mschapv1 – MS-CHAPv1 authentication l mschapv2 – MS-CHAPv2 authentication
  • ipunnumbered – PPPoE unnumbered IP. l pppoe-unnumbered-negotiate – Enable/disable PPPoE unnumbered negotiation. l idle-timeout – Idle time in seconds before PPPoE auto disconnects. 0 (zero) for no timeout. l disc-retry-timeout – Timeout value in seconds for PPPoE initial discovery. 0 to 4294967295. Default = 1. l padt-retry-timeout – Timeout value in seconds for PPPoE terminatation. 0 to 4294967295. Default = 1.
  • service-name – PPPoE service name.) l ac-name – PPPoE AC name. l lcp-echo-interval – Interval in seconds allowed for PPPoE LCP echo. 0 to 4294967295. Default = 5.
  • lcp-max-echo-fails – Maximum number of missed LCP echo messages before disconnect. 0 to 4294967295. Default = 3.

Adding Internet services to firewall policies (389951)                                                                                           CLI