Category Archives: FortiOS 5.6

FortiOS 5.6 The SSL VPN client

The SSL VPN client

The remote client connects to the SSL VPN tunnel in various ways, depending on the VPN configuration.

  • Tunnel mode establishes a connection to the remote protected network that any application can use. If the client computer runs Microsoft Windows, they can download the tunnel mode client from the web portal.

If the client computer runs Linux or Mac OS X, the user needs to download the tunnel mode client application from the Fortinet Support web site. See the Release Notes for your FortiOS firmware for the specific operating system versions that are supported.

  • The virtual desktop application creates a virtual desktop on a user’s PC and monitors the data read/write activity of the web browser running inside the virtual desktop. When the application starts, it presents a ‘virtual desktop’ to the user. The user starts the web browser from within the virtual desktop and connects to the SSL VPN web portal. The browser file/directory operation is redirected to a new location, and the data is encrypted before it is written to the local disk. When the virtual desktop application exits normally, all the data written to the disk is removed. If the session terminates abnormally (power loss, system failure, etc.), the data left behind is encrypted and unusable to the user. The next time you start the virtual desktop, the encrypted data is removed.

FortiClient

Remote users can use the FortiClient software to initiate an SSL VPN tunnel to connect to the internal network.

FortiClient uses local port TCP 1024 to initiate an SSL encrypted connection to the FortiGate unit, on port TCP 443. When connecting using FortiClient, the FortiGate unit authenticates the FortiClient SSL VPN request based on the user group options. The FortiGate unit establishes a tunnel with the client and assigns a virtual IP address to the client PC. Once the tunnel has been established, the user can access the network behind the FortiGate unit.

FortiClient software is available for download at www.forticlient.com and is available for Windows, Mac OS X, Apple iOS, and Android.

Tunnel mode client configuration

The FortiClient SSL VPN tunnel client requires basic configuration by the remote user to connect to the SSL VPN tunnel. When distributing the FortiClient software, provide the following information for the remote user to enter once the client software has been started. Once entered, they can select Connect to begin an SSL VPN session.

Connection Name If you have pre-configured the connection settings, select the connection from the list and then select Connect. Otherwise, enter the settings in the fields below.

client                                                                                             Tunnel mode client

Remote Gateway Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.
Username Enter your username.
Client Certificate Use this field if the SSL VPN requires a certificate for authentication.

Select the required certificate from the drop-down list. The certificate must be installed in the Internet Explorer certificate store.

 

 

FortiOS 5.6 SSL VPN Basic configuration

Basic configuration

Configuring SSL VPN involves a number of configurations within FortiOS that you need to complete to make it all come together. This chapter describes the components required, and how and where to configure them to set up the FortiGate unit as an SSL VPN server. The configurations and steps are high level, to show you the procedures needed, and where to locate the options in FortiOS. For real-world examples, see Setup examples on page 54.

There are three or four key steps to configuring an SSL VPN tunnel. The first three in the points below are mandatory, while the others are optional. This chapter outlines these key steps as well as additional configurations for tighter security and monitoring.

The key steps are:

l Create user accounts and user groups for the remote clients.

(User accounts and groups on page 17) l Create a web portal to define user access to network resources.

(Configuring SSL VPN web portals on page 22) l Configure the security policies.

(Configuring security policies on page 1) l For tunnel-mode operation, add routing to ensure that client tunnel-mode packets reach the SSL VPN interface.

(Routing in tunnel mode on page 30) l Setup logging of SSL VPN activities.

(SSL VPN logs on page 37)

This section contains the following information:

User accounts and groups

Configuring SSL VPN web portals

Configuring encryption key algorithms

Additional configuration options

User accounts and groups

The first step for an SSL VPN tunnel is to add the users and user groups that will access the tunnel. You may already have users defined for other authentication-based security policies.

The user group is associated with the web portal that the user sees after logging in. You can use one policy for multiple groups, or multiple policies to handle differences between the groups such as access to different services, or different schedules.

To create a user account:

  • In the web-based manager, go to User & Device > User Definition, and select Create New.
  • In the CLI, use the commands in config user local.

All users accessing the SSL tunnel must be in a firewall user group. User names can be up to 64 characters long.

User accounts and groups

To create user groups:

  • In the web-based manager, go to User & Device > User Groups and select Create New. l In the CLI, use the commands in config user group.

Authentication

Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.

To authenticate users, you can use a plain text password on the local FortiGate unit, forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.

For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication Guide.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

MAC host check

When a remote client attempts to log in to the portal, you can have the FortiGate unit check against the client’s MAC address to ensure that only a specific computer or device is connecting to the tunnel. This can ensure better security should a password be compromised.

MAC addresses can be tied to specific portals and can be either the entire MAC address or a subset of the address. MAC host checking is configured in the CLI using the folowing commands:

conf vpn ssl web portal edit portal set mac-addr-check enable set mac-addr-action allow config mac-addr-check-rule edit “rule1” set mac-addr-list 01:01:01:01:01:01 08:00:27:d4:06:5d set mac-addr-mask 48

end

end

User accounts and groups

IP addresses for users

After the FortiGate unit authenticates a request for a tunnel-mode connection, the FortiGate unit assigns the SSL VPN client an IP address for the session. The address is assigned from an IP Pool, which is a firewall address defining an IP address range.

Take care to prevent overlapping IP addresses. Do not assign to clients any IP addresses that are already in use on the private network. As a precaution, consider assigning IP addresses from a network that is not commonly used (for example, 10.254.254.0/24).

To set tunnel-mode client IP address range – web-based manager:

  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter an Name, for example, SSL_VPN_tunnel_range.
  3. Select a Type of IP Range.
  4. In the Subnet/IP Range field, enter the starting and ending IP addresses that you want to assign to SSL VPN clients, for example 254.254.[80-100].
  5. In Interface, select Any.
  6. Select OK.

To set tunnel-mode client IP address range – CLI:

If your SSL VPN tunnel range is for example 10.254.254.80 – 10.254.254.100, you could enter

config firewall address edit SSL_tunnel_users set type iprange set end-ip 10.254.254.100 set start-ip 10.254.254.80

end

Authentication of remote users

When remote users connect to the SSL VPN tunnel, they must perform authentication before being able to use the internal network resources. This can be as simple as assigning users with their own passwords, connecting to an LDAP server or using more secure options. FortiOS provides a number of options for authentication as well as security option for those connected users.

The web portal can include bookmarks to connect to internal network resources. A web (HTTP/HTTPS) bookmark can include login credentials so that the FortiGate unit automatically logs the user into the website. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites.

Both the administrator and the end user can configure bookmarks, including SSO bookmarks. To add bookmarks as a web portal user, see Using the Bookmarks widget on page 47.

User accounts and groups

Setting the client authentication timeout

The client authentication timeout controls how long an authenticated user will remain connected. When this time expires, the system forces the remote client to authenticate again. As with the idle timeout, a shorter period of time is more secure. The default value is 28800 seconds (8 hours). You can only modify this timeout value in the CLI.

For example, to change the authentication timeout to 18 000 seconds, enter the following commands in the CLI:

config vpn ssl settings set auth-timeout 18000

end

You can also set the idle timeout for the client, to define how long the user does not access the remote resources before they are logged out.

Additional timeout settings

SSL VPN timeout settings are also available to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution involves two attributes (http-request-header-timeout and http-requestbody-timeout).

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Allow one-time login per user

You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again.

To allow one-time login per user – web-based manager:

Go to VPN > SSL-VPN Portals, select a portal, and enable Limit Users to One SSL-VPN Connection at a Time. It is disabled by default.

To allow one-time login per user – CLI:

config vpn ssl web portal edit <portal_name> set limit-user-logins enable

end

Strong authentication with security certificates

The FortiGate unit supports strong (two-factor) authentication through X.509 security certificates (version 1 or 3). The FortiGate unit can require clients to authenticate using a certificate, and the client can require the FortiGate unit to authenticate using a certificate.

For information about obtaining and installing certificates, see the Authentication Guide.

User accounts and groups

You can select the Require Client Certificate option so that clients must authenticate using certificates. The client browser must have a local certificate installed, and the FortiGate unit must have the corresponding CA certificate installed.

When the remote client initiates a connection, the FortiGate unit prompts the client browser for its client-side certificate as part of the authentication process.

To require client authentication by security certificates – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Select Require Client Certificate.
  3. Select Apply.

To require client authentication by security certificates – CLI:

config vpn ssl settings set reqclientcert enable

end

If your SSL VPN clients require strong authentication, the FortiGate unit must offer a CA certificate that the client browser has installed.

In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory installed (Fortinet_CA_SSLProxy) certificate from Fortinet to remote clients when they connect. If you leave the default setting, a warning appears that recommends you purchase a certificate for your domain and upload it for use.

To enable FortiGate unit authentication by certificate – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. From the Server Certificate list, select the certificate that the FortiGate unit uses to identify itself to SSL VPN clients.
  3. Select Apply.

To enable FortiGate unit authentication by certificate – CLI:

For example, to use the example_cert certificate

config vpn ssl settings set servercert example_cert

end

NSA Suite B cryptography support

FortiOS supports the use of ECDSA Local Certificates for SSL VPN Suite B. The National Security Agency (NSA) developed Suite B algorithms in 2005 to serve as a cryptographic base for both classified and unclassified information at an interoperable level.

 

FortiOS allows you to import, generate, and use ECDSA certificates defined by the Suite B cryptography set. To generate ECDSA certificates, use the following command in the CLI:

exec vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

Configuring SSL VPN web portals

The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiGate administrators can configure login privileges for system users as well as the network resources that are available to the users.

FortiOS supports LDAP password renewal notification and updates through SSL VPN.

Configuration is enabled using the CLI commands:

config user ldap edit <username>

set server <domain>

set password-expiry-warning enable        set password-renewal enable end

For more information, see the Authentication Guide.

This step in the configuration of the SSL VPN tunnel sets up the infrastructure; the addressing, encryption, and certificates needed to make the initial connection to the FortiGate unit. This step is also where you configure what the remote user sees with a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.

SSL connection configuration

To configure the basic SSL VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.

Listen on Interface(s) Define the interface which the FortiGate will use to listen for SSL VPN tunnel requests. This is generally your external interface.
Listen on Port Enter the port number for HTTPS access.

 

Redirect port 80 to this login port Enable to redirect the admin HTTP port to the admin HTTPS port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected.

l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as shown below (note that HTTPSredirect is disabled by default):

Syntax:

config vpn ssl settings

set https-redirect [enable | disable] end

Restrict Access Restrict accessibility to either Allow access from any host or to Limit access to specific hosts as desired. If selecting the latter, you must specify the hosts.
Idle Logout Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 will disable the idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use.
Require Client Certificate Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.

For information on using PKI to provide client certificate authentication, see the Authentication Guide.

Address Range Select Automatically assign addresses or Specify custom IP ranges. The latter will allow you to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server If you select Specify, you may enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.

Note: It is possible to implement a unique DNS suffix per SSL VPN portal using the CLI. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings. This is a

CLI-only option, using the following syntax:

config vpn ssl web portal edit <example> set dns-suffix <string>

end

Specify WINS Servers Enable to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.
Allow Endpoint

Registration

Select so that FortiClient registers with the FortiGate unit when connecting. If you configured a registration key by going to System > Config > Advanced, the remote user is prompted to enter the key. This only occurs on the first connection to the FortiGate unit.

Portal configuration

The portal configuration determines what the remote user sees when they log in to the portal. Both the system administrator and the user have the ability to customize the SSL VPN portal.

To view the portals settings page, go to VPN > SSL-VPN Portals.

There are three pre-defined default portal configurations available:

l full-access l tunnel-access l web-access

Each portal type includes similar configuration options. Select between the different portals by double-clicking one of the default portals in the list. You can also create a custom portal by selecting the Create New option at the top.

Portal Setting Description
Name The name for the portal.
Limit Users to One SSL-VPN Connection at a Time You can set the SSL VPN tunnel such that each user can only log into the tunnel one time concurrently per user per login. That is, once logged into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode These settings determine how tunnel mode clients are assigned IPv4 addresses.

 

Portal Setting Description
Enable Split Tunneling Select so that the VPN carries only the traffic for the networks behind the FortiGate unit. The user’s other traffic follows its normal route.

If you enable split tunneling, you are required to set the Routing Address, which is the address that your corporate network is using. Traffic intended for the Routing Address will not be split from the tunnel.

Source IP Pools Select an IP Pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Tunnel Mode Client Options These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

l Allow client to save password – When enabled, if the user

selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.

l Allow client to connect automatically – When enabled, if the

user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

l Allow client to keep connections alive – When enabled, if the

user selects this option, the FortiClient should try to reconnect once it detects the VPN connection is down unexpectedly (not manually disconnected by user).

Enable Web Mode Select to enable web mode access.
Portal Message This is a text header that appears on the top of the web portal.
Theme Select a color styling specifically for the web portal.
Show Session Information The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in and the inbound and outbound traffic statistics.
Show Connection Launcher Displays the Connection Launcher widget in the web portal.
Show Login History Select to include user login history on the web portal.
Portal Setting Description
User Bookmarks Enable to allow users to add their own bookmarks in the web portal.
Predefined Bookmarks Select to include bookmarks on the web portal. Bookmarks are used as links to internal network resources. When a bookmark is selected from a bookmark list, a pop-up window appears with the web page. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML filebrowser.

Options to allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

If your network configuration does not contain a default SSL VPN portal, you might receive the error message “Input value is invalid” when you attempt to access VPN > SSL-VPN Portals.

            To enable a default portal – CLI:

config vpn ssl settings set default-portal <full-access | tunnel-access |

web-access> end

Adding bookmarks

A web bookmark can include login credentials to automatically log the SSL VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.

To add a bookmark – web-based manager:

  1. On the VPN > SSL-VPN Portals page, ensure Enable User Bookmarks is enabled.
  2. Select Create New and enter the following information:
Category Select a category, or group, to include the bookmark. If this is the first bookmark added, you will be prompted to add a category. Otherwise, select Create from the drop-down list.
Name Enter a name for the bookmark.
Type Select the type of link from the drop-down list. Telnet, VNC, and RDP require a browser plugin. FTP and Samba replace the bookmarks page with an HTML file-browser.
URL Enter the IP address source.
Description Enter a brief description of the link.
Single Sign-On Enable if you wish to use Single Sign-On (SSO) for any links that require authentication.

When including a link using SSO, be sure to use the entire URL. For example, http://10.10.1.0/login, rather than just the IP address.

  1. Select OK.

For more configuration options, see Configuring SSL VPN web portals on page 22.

Personal bookmarks

The administrator has be ability to view bookmarks the remote client has added to their SSL VPN login in the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do not meet with corporate policy.

To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

For more information about available bookmark applications, see Applications available in the web portal on page 46

To enable personal bookmarks:

  1. Go to System > Feature Select.
  2. Enable SSL-VPN Personal Bookmark Management.
  3. Select Apply.

Moving and cloning bookmarks

The administrator also has the ability to move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

Group-based SSL VPN bookmarks

The administrator can add bookmarks for groups of users. SSL VPN will only output the matched group-name entry to the client. This can only be done via the CLI.

To add group-based SSL VPN bookmarks – CLI:

config vpn ssl web portal edit “portal-name”

set user-group-bookmark enable*/disable

next

end

config vpn ssl web user-group-bookmark edit “group-name” config bookmark edit “bookmark1” ….

next

end

next

end

Remote desktop bookmark creation with no password

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL VPN users. You can use this feature to customize the SSL VPN login page for your users and also to create multiple SSL VPN logins for different user groups.

In order to create a custom login page using the web-based manager, this feature must be enabled using Feature Select.

 

Configuring encryption key algorithms

To configure SSL VPN Realms – web-based manager:

  1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access different portals depending on the URL they enter.
  2. The first option in the custom login page is to enter the path of the custom URL.

This path is appended to the address of the FortiGate unit interface to which SSL VPN users connect. The actual path for the custom login page appears beside the URL path field.

  1. You can also limit the number of users that can access the custom login at any given time.
  2. You can use HTML code to customize the appearance of the login page.
  3. After adding the custom login, you must associate it with the users that will access the custom login. Do this by going to VPN > SSL-VPN Settings and adding a rule to the Authentication/Portal Mapping
  4. Under Authentication/Portal Mapping, click Create New and select the user group(s) and the associated Realm.

To configure SSL VPN Realms – CLI:

config vpn ssl web realm edit <url-path> set login-page <content_str> set max-concurrent-user <int> set virtual-host <hostname_str>

end

Where the following variables are set:

Variable Description Default
edit <url-path> Enter the URL path to access the SSL-VPN login page.

Do not include “http://”.

No default.
login-page <content_str> Enter replacement HTML for SSL-VPN login page. No default.
max-concurrent-user <int> Enter the maximum number of concurrent users allowed. Range 0-65 535. 0 means unlimited. 0
virtual-host <hostname_str> Enter the virtual host name for this realm. Optional. Maximum length 255 characters. No default.

Configuring encryption key algorithms

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

To configure encryption key algorithms – CLI:

Use the following CLI command,

config vpn ssl settings set algorithm <cipher_suite>

end

where one of the following variables replaces <cipher_suite>:

Variable Description
low Use any cipher suite; AES, 3DES, RC4, or DES.
medium Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.
high Use a ciper suite grather than 128 bits; AES or 3DES.

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

Controlling the use of specific cipher suites

Administrators can ban the use of specific cipher suites in the CLI for SSL VPN, so PCI-DSS (Payment Card Industry Data Security Standard) certification can be met.

To ban the use of specific cipher suites for SSL VPN – CLI:

config vpn ssl settings

set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384]

Additional configuration options

Beyond the basics of setting up the SSL VPN, you can configure a number of other options that can help to ensure your internal network is secure and can limit the possibility of attacks and viruses entering the network from an outside source.

Routing in tunnel mode

If you are creating a SSL VPN connection in tunnel mode, you need to add a static route so that replies from the protected network can reach the remote SSL VPN client.

To add the tunnel mode route – web-based manager:

  1. Go to Network > Static Routes and select Create New.
  2. Enter the Destination IP/Mask of the tunnel IP address that you assigned to the users of the web portal.
  3. Select the SSL VPN virtual interface for the Device.
  4. Select OK.

To add the tunnel mode route – CLI:

If you assigned 10.11.254.0/24 as the tunnel IP range, you would enter:

config router static

edit <id> set device ssl.root set dst 10.11.254.0/24

end

Changing the port number for web portal connections

You can specify a different TCP port number for users to access the web portal login page through the HTTPS link. By default, the port number is 443 and users can access the web portal login page using the following default URL:

https://:443/remote/login

where <FortiGate_IP_address> is the IP address of the FortiGate interface that accepts connections from remote users.

To change the SSL VPN port – web-based manager:

  1. If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
  2. Go to VPN > SSL-VPN Settings.
  3. Type an unused port number in the Listen on Port field and select Apply.

To change the SSL VPN port – CLI:

This is a global setting. For example, to set the SSL VPN port to 10443, enter the following:

config vpn ssl settings set port 10443

end

HTTP to HTTPS redirect support

The admin HTTP port can be redirected to the admin HTTPS port. This is enabled in VPN > SSL-VPN Settings using the option Redirect port 80 to this login port.

There are two likely scenarios for this:

l SSL VPN is not in use, in which case the admin GUI runs on port 443 or 10443, and port 80 is redirected. l SSL VPN runs on port 443, in which case port 80 is redirected to 443 and the admin port runs on 10443.

If the administrator chooses to run SSL VPN on port 80, the redirect option is invalid.

This can also be configured in the CLI as described below:

To redirect HTTP to HTTPS port – CLI:

config vpn ssl settings set https-redirect [enable | disable] (default: disabled)

end

SSL offloading

To configure SSL offloading, which allows or denies client renegotiation, you must use the CLI. This helps to resolve the issues that affect all SSL and TLS servers that support renegotiation, identified by the Common Vulnerabilities and Exposures system in CVE-2009-3555. The SSL offloading renegotiation feature is considered a workaround until the IETF permanently resolves the issue.

The CLI command is ssl-client-renegotiation and is found under the config firewall vip syntax.

Host check

When you enable AV, FW, or AV-FW host checking in the web portal Security Control settings, each client is checked for security software that is recognized by the Windows Security Center. As an alternative, you can create a custom host check that looks for security software selected from the Host Check list. For more information, see Additional configuration options on page 30.

The Host Check list includes default entries for many security software products.

To configure host checking – CLI:

To configure the full-access portal to check for AV and firewall software on client Windows computers, you would enter the following:

config vpn ssl web portal edit full-access set host-check av-fw

end

To configure the full-access portal to perform a custom host check for FortiClient Host Security AV and firewall software, you would enter the following:

config vpn ssl web portal edit full-access set host-check custom

set host-check-policy FortiClient-AV FortiClient-FW

end

Replacing the host check error message

You can add your own host security check error message using either the web-based manager or the CLI. The default message reads: “Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.”

To replace the host check error message – web-based manager:

  1. Navigate to System > Replacement Messages and select Extended View in the upper right corner.
  2. Scroll down to SSL VPN and select Hostcheck Error Message.
  3. Edit the text in the right-hand column below and select Save.

If you are unhappy with the new message, you can restore the message to its default by selecting Restore Default instead of Save.

To replace the host check error message – CLI:

Configure the host check error message using the following command.

config system replacemsg sslvpn hostcheck-error

Creating a custom host check list

You can add your own software requirements to the host check list using the CLI. Host integrity checking is only possible with client computers running Microsoft Windows platforms. Enter the following commands:

config vpn ssl web host-check-software edit <software_name> set guid <guid_value> set type <av | fw> set version <version_number>

end

If known, enter the Globally Unique Identifier (GUID) for the host check application. Windows uses GUIDs to identify applications in the Windows Registry. The GUID can be found in the Windows registry in the HKEY_ CLASSES_ROOT section.

To obtain the exact versioning, in Windows, right-click on the .EXE file of the application and select Properties, then select the Version tab.

Example Tunnel Mode Host Check – Registry Key Check

l Check to see if a required registry key is present:

config vpn ssl web host-check-software edit <computer_name> config check-item-list edit 1 set target “HKEY_LOCAL_

MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveCompute rName:ComputerName=WINXP32SP3B62”

set type registry <<<—–

next

end

next

end

Example Tunnel Mode Host Check – Application Running Check

l Check to see if a required application is isntalled and/or running:

config vpn ssl web host-check-software edit “calc” config check-item-list edit 1 set target “calc.exe” set type process <<<—–

next

end

next end

Example Tunnel Mode Host Check – File Check

l Check to see if a specific file exists at a specific location:

config vpn ssl web host-check-software edit “putty” config check-item-list edit 1 set target “C:\\software\\putty.txt”

set md5s <ENC>

next

end

next

end

Configuring virtual desktop

Available for 32-bit Windows XP, Windows Vista, and Windows 7 client PCs, the virtual desktop feature completely isolates the SSL VPN session from the client computer’s desktop environment. All data is encrypted, including cached user credentials, browser history, cookies, temporary files, and user files created during the session. When the SSL VPN session ends normally, the files are deleted. If the session ends due to a malfunction, files might remain, but they are encrypted so that the information is protected.

When the user starts an SSL VPN session that has virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.

Virtual desktop requires the Fortinet cache cleaner plugin. If the plugin is not present, it automatically downloads to the client computer.

To enable virtual desktop :

To enable virtual desktop on the full-access portal and apply the application control list ‘List1’, for example, you would enter:

config vpn ssl web portal edit full-access set virtual-desktop enable set virtual-desktop-app-list List1

end

Configuring virtual desktop application control

You can control which applications users can run on their virtual desktop. To do this, you create an Application Control List of either allowed or blocked applications. When you configure the web portal, you select the list to use.

Configure the application control list in the CLI.

To create an Application Control List – CLI:

If you want to add ‘BannedApp’ to ‘List1’, a list of blocked applications, you would enter:

config vpn ssl web virtual-desktop-app-list edit “List1” set action block config apps edit “BannedApp”

set md5s “06321103A343B04DF9283B80D1E00F6B”

end

end

Configuring client OS Check

The SSLVPN client OS Check feature can determine if clients are running the Windows 2000, Windows XP, Windows Vista, Windows 7, or Windows 10 operating system. You can configure the OS Check to do any of the following:

  • Allow the client access.
  • Allow the client access only if the operating system has been updated to a specified patch (service pack) version.
  • Deny the client access.

The OS Check has no effect on clients running other operating systems.

The Windows patch check enables you to define the minimum Windows version and patch level allowed when connecting to the SSL VPN portal. When the user attempts to connect to the web portal, FortiOS performs a query on the version of Windows the user has installed. If it does not match the minimum requirement, the connection is denied. The Windows patch check is configured in the CLI.

To specify the acceptable patch level, you set the latest-patch-level and the tolerance. The lowest acceptable patch level is latest-patch-level minus tolerance. In this case, latest-patch-level is 3 and tolerance is 1, so 2 is the lowest acceptable patch level.

To configure OS Check:

OS Check is configurable only in the CLI.

config vpn ssl web portal edit <portal_name> set os-check enable config os-check-list [windows-2000 | windows-xp | windows-vista | windows-7 | windows-10]

set action [allow | check-up-to-date | deny] set latest-patch-level [disable | 0 – 255]

set tolerance <tolerance_num>

end

end

Host check for Windows firewall

The Windows built-in firewall does not have a GUID in root\securitycenter or root\securitycenter2, but you can use a registry value to detect the firewall status.

If Windows firewall is on, the following registry value will be set to 1:

l KeyName: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\

FirewallPolicy\StandardProfile l ValueName: EnableFirewall

In FortiOS, use the registry-value-check feature to define the Windows Firewall software by entering the following in the CLI:

config vpn ssl web host-check-software edit “Microsoft-Windows-Firewall” config check-item-list

edit 1 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\StandardProfile:EnableFirewall==1”

set type registry

next edit 2 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\PublicProfile:EnableFirewall==1”

set type registry

next edit 3 set target

“HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\Firew allPolicy\\DomainProfile:EnableFirewall==1”

set type registry

next

end

set type fw next

set host-check custom set host-check-policy Microsoft-Windows-Firewall

Adding WINS and DNS services for clients

You can specify the WINS or DNS servers that are made available to SSL-VPN clients.

DNS servers provide the IP addresses that browsers need to access web sites. For Internet sites, you can specify the DNS server that your FortiGate unit uses. If SSL VPN users will access intranet sites using URLs, you need to provide them access to the intranet’s DNS server. You specify a primary and a secondary DNS server.

A WINS server provides IP addresses for named servers in a Windows domain. If SSL VPN users will access a Windows network, you need to provide them access to the domain WINS server. You specify a primary and a secondary WINS server.

To specify WINS and DNS services for clients – web-based manager:

  1. Go to VPN > SSL-VPN Settings.
  2. Next to DNS Server select Specify.
  3. Enter the IP addresses of DNS servers in the DNS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  4. Select Specify WINS Servers, and enter the IP addresses of WINS servers in the WINS Server fields as needed. Fields are available for both IPv4 and IPv6 addresses.
  5. Select Apply.

To specify WINS and DNS services for clients – CLI:

config vpn ssl settings set dns-server1 <address_ipv4> set dns-server2 <address_ipv4> set wins-server1 <address_ipv4> set wins-server2 <address_ipv4> end

Idle timeout

The idle timeout setting controls how long the connection can remain idle before the system forces the remote user to log in again. For security, keep the default value of 5000 seconds or less. Set the timeout value to 0 to disable idle timeouts.

To set the idle timeout – web-based manager:

  1. Go to VPN > SSL-VPN Settings and enable Idle Logout.
  2. In the Inactive For field, enter the timeout value. The valid range is from 10 to 28800 seconds.
  3. Select Apply.

To set the idle timeout – CLI:

config vpn ssl settings set idle-timeout <seconds_int>

end

Login timeout

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two CLI commands under config vpn ssl settings allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

Login failure limit

The following CLI allows the administrator to configure the number of times wrong credentials are allowed before the SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

SSL VPN logs

Logging is available for SSL VPN traffic so you can monitor users connected to the FortiGate unit and their activity. For more information on configuring logs on the FortiGate unit, see the Logging and Reporting Guide.

To enable logging of SSL VPN events – web-based manager:

  1. Go to Log & Report > Log Settings.
  2. Enable Event Logging, and select VPN activity event.
  3. Select Apply.

To view the SSL VPN log data, in the web-based manager, go to Log & Report and select either the Event Log or Traffic Log.

In event log entries, look for the sub-types “sslvpn-session” and “sslvpn-user”.

For information about how to interpret log messages, see the FortiGate Log Message Reference.

Monitoring active SSL VPN sessions

You can go to User & Device > Monitor to view a list of active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit.

To monitor SSL VPNs – web-based manager:

To view the list of active SSL VPN sessions, go to Monitor > SSL-VPN Monitor.

When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote host.

If required, you can end a session/connection by selecting its checkbox and then clicking the Delete icon.

Importing and using a CA-signed SSL certificate

Use the following set of instructions to import a CA-signed SSL certificate and configure an SSL VPN using that certificate.

Import the signed certificate into your FortiGate device

  1. Unzip the file downloaded from the CA.

There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.

  1. Log in to your FortiGate unit and browse to System > Certificates.
  2. Select Create New > Local Certificate to import the local certificate. The status of the certificate will change from PENDING to OK.
  3. Import the CA certificate by selecting Import > CA Certificate.

It will be listed in the CA Certificates section of the certificates list. You can now configure SSL VPN using the signed certificate.

Configure your FortiGate device to use the signed certificate

  1. Log in to your FortiGate unit and browse to VPN > SSL-VPN Settings.
  2. In the Connection Settings section, locate the Server Certificate
  3. Select the new certificate from the drop-down menu.
  4. Select Apply to configure SSL VPN to use the new certificate.

Implement post-authentication CSRF protection in SSL VPN web mode

This attribute can enable/disable verification of a referrer in the HTTP request header in order to prevent a CrossSite Request Forgery attack.

CLI Syntax

config vpn ssl settings set check-referer [enable|disable]

end

DTLS support

The Datagram Transport Layer Security (DTLS) protocol is supported for SSL VPN connections. DTLS allows datagram-based applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. It can also be used to improve upload/download throughput. It is similar to the Transport Layer Security (TLS) protocol.

DTLS support can be enabled in the CLI as described below.

CLI Syntax

config vpn ssl settings set dtls-tunnel [enable | disable] (default: enabled)

end

Allow firewall address to be used in routing table for SSL VPN

If destination Named Address is set in Network > Static Routes and Address Range is set to

Automatically assign addresses is enabled in VPN > SSL-VPN Settings, SSL VPN should refresh the routing table automatically.

To view the routes in the routing table, go to Monitor > Routing Monitor.

WAN link load balancing

You can set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

 

FortiOS 5.6 SSL VPN Overview

SSL VPN Overview

As organizations have grown and become more complex, secure remote access to network resources has become critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient services including knowledge bases and customer portals. Employees traveling across the country or around the world require timely and comprehensive access to network resources. As a result of the growing need for providing remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual Private Network (VPN) was developed.

SSL VPNs establish connectivity using SSL, which functions at Levels 4 – 5 (Transport and Session layers). Information is encapsulated at Levels 6 – 7 (Presentation and Application layers), and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a Virtual Private Network (VPN) technology that allows clients to connect to remote networks in a secure way. A VPN is a secure logical network created from physically separate networks. VPNs use encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and transmitted over the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-application oriented tunnel that allows the users and networks to exchange a wide range of traffic regardless of application or protocol.

The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special arrangements or long wait times.

SSL (Secure Sockets Layer) as HTTPS is supported by most web browsers for exchanging sensitive information securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client) connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret (private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.

FortiOS supports the SSL and TLS versions defined below:

SSL and TLS version support table

Version RFC
SSL 2.0 RFC 6176
SSL 3.0 RFC 6101
TLS 1.0 RFC 2246
TLS 1.1 RFC 4346
TLS 1.2 RFC 5246

SSL VPN modes of operation

SSL VPN modes of operation

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.

Web-only mode

Web-only mode provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser. Web-only mode offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java Runtime Environment (note that there is no minimum Java/JRE version requirement—any version of Java/JRE currently supported by the supplier of the Java/JRE for the operating system should work).

Support for SSL VPN web-only mode is built into FortiOS. The feature comprises of an SSL daemon running on the FortiGate unit, and a web portal, which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit.

When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal.

FortiGate SSL VPN web portals have a 1- or 2-column page layout and portal functionality is provided through small applets called widgets. Widget windows can be moved or minimized. The controls within each widget depend on its function. There are predefined web portals and the administrator can create additional portals.

Configuring the FortiGate unit involves selecting the appropriate web portal configuration in the user group settings. These configuration settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality.

The following table lists the operating systems and web browsers supported by SSL VPN web-only mode.

VPN Web-only Mode, supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit/64bit) l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46
Microsoft Windows 8/8.1 (32-bit/64bit) l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46

 

SSL VPN Overview                                                                                                   SSL VPN modes of operation

Operating System Web Browser
Mac OS 10.11 l Safari version 9 l Chrome version 56
Linux CentOS version 6.5 l Mozilla Firefox version 46

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

Tunnel mode

In Tunnel mode, remote clients connect to a FortiGate unit that acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group.

The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the user and the FortiGate unit. Another option is split tunneling, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.

When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit.

SSL VPN conserve mode

FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.

SSL VPN also has its own conserve mode. The FortiGate enters the SSL VPN conserve mode before the Kernel conserve mode in an attempt to prevent the Kernel conserve mode from triggering. During the SSL VPN conserve mode, no new SSL connections are allowed. It starts when free memory is <25% of the total memory (when the memory on the FortiGate is less than 512Mb) or <10% of the total memory (when the FortiGate has more than 512Mb built in).

To determine if the FortiGate has entered SSL VPN conserve mode – CLI

Run the following command in the CLI Console: diagnose vpn ssl statistics

Result (showing conserve mode state in red):

SSLVPN statistics: ——————
Memory unit: 1
System total memory: 2118737920
System free memory: 218537984
SSLVPN memory margin: 314572800
SSLVPN state: conserve

Port forwarding mode

Max number of users:            2

Max number of tunnels:          0

Max number of connections:      13

Current number of users:        1

Current number of tunnels:      0

Current number of connections: 1

Port forwarding mode

While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs to install the tunnel client, and have the required administrative rights to do so. In some situations, this may not be desirable, yet the simple web mode does not provide enough flexibility for application support (for example, if you wish to use an email client that communicates with a POP3 server). The port forward mode, or proxy mode, provides this middle ground between web mode and tunnel mode.

SSL VPN port forwarding listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the FortiGate unit, which then forwards the traffic to the application server.

The port forward module is implemented with a Java applet, which is downloaded and runs on the user’s computer. The applet provides the up-to-date status information such as addressing and bytes sent and received.

On the user end, the user logs into the FortiGate SSL VPN portal, and selects a port forward bookmark configured for a specific application. The bookmark defines the server address and port as well as which port to listen to on the user’s computer.

The user must configure the application on the PC to point to the local proxy instead of the application server. For information on this configuration change, see the application documentation.

This mode only supports client/server applications that are using a static TCP port. It will not support client/server applications using dynamic ports or traffic over UDP.

Application support

With Citrix application servers, the server downloads an ICA configuration file to the user’s PC. The client application uses this information to connect to the Citrix server. The FortiGate unit will read this file and append a SOCKS entry to set the SOCKS proxy to ‘localhost’. The Citrix client will then be able to connect to the SSL VPN port forward module to provide the connection. When configuring the port forwarding module, a selection is available for Citrix servers.

For Windows Remote Desktop Connections, when selecting the RDP option, the tunnel will launch the RDP client and connect to the local loopback address after the port forward module has been initiated.

Note that the RDP/VNC web portals are not supported for the following platforms:

SSL VPN Overview                                                                                                              Port forwarding mode

Platform Model
FortiGate 80D, 92D, 200D, 200D-POE, 240D, 240D-POE, 600C, 800C, 1000C,

3240C, 3600C, and 5001C

FortiGate-Rugged 90D
FortiWiFi 92D

Antivirus and firewall host compatibility

The following tables list the antivirus and firewall client software packages that are supported in FortiOS.

Supported Windows XP antivirus and firewall software

Product supported Antivirus Firewall
Symantec Endpoint Protection V11
Kaspersky Antivirus 2009
McAfee Security Center v8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Windows 7 32-bit and 64-bit antivirus and firewall software

Product supported Antivirus Firewall
CA Internet Security 2011
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360TM Version 4.0
NortonTM Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite

Traveling and security

Product supported Antivirus Firewall
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

Traveling and security

Because SSL VPN provides a means for “on-the-go” users to dial in to the network while away from the office, you need to ensure that wherever and however they choose to dial in is secure, and not potentially compromising the corporate network.

Host check

To reinforce security, you can enable a host integrity checker to scan the remote client. The integrity checker probes the remote client computer to verify that it is safe before access is granted. Security attributes recorded on the client computer (for example, in the Windows registry, in specific files, or held in memory due to running processes) are examined and uploaded to the FortiGate unit. For more information, see Host check on page 32.

Host Check is applicable for both SSL VPN Web Mode and SSL VPN Tunnel mode.

SSL VPN and IPv6

FortiOS supports SSL VPN with IPv6 addressing, and is available for all the java applets (Telnet, VNC, RDP, and so on). IPv6 configurations for security policies and addressing include:

  • Policy matching for IPv6 addresses l Support for DNS resolving in SSL VPN l Support IPv6 for ping l FTP applications
  • SMB

In essentially any of the following instructions, replace IPv4 with IPv6 to achieve the same desired results, but for IPv6 addresses and configurations.

 

What’s new in FortiOS 5.6 SSL VPN

What’s new in FortiOS 5.6

The following section describes new SSL VPN features added to FortiOS 5.6.0.

Remote desktop configuration changes (410648)

If NLA security is chosen when creating an RDP bookmark, a username and password must be provided. However there may be instances where the user might want to use a blank password, despite being highly unrecommended. If a username is provided but the password is empty, the CLI will display a warning. See example CLI below, where the warning appears as a caution before finishing the command:

config vpn ssl web user-group-bookmark edit <group-name> config bookmarks edit <bookmark-name> set apptype rdp set host 172.16.200.121 set security nla set port 3389 set logon-user <username>

next

end

Warning: password is empty. It might fail user authentication and remote desktop connection would be failed.

end

If no username (logon-user) is specified, the following warning message will appear:

Please enter user name for RDP security method NLA. object set operator error, -2010 discard the setting Command fail. Return code -2010

SSL VPN supports WAN link load balancing interface (396236)

New CLI command to set virtual-wan-link as the destination interface in a firewall policy (when SSL VPN is the source interface) for WAN link load balancing. This allows logging into a FortiGate via SSL VPN for traffic inspection and then have outbound traffic load balanced by WAN link load balancing.

CLI syntax

config firewall policy edit <example> set dstintf virtual-wan-link

end

SSL VPN login timeout to support high latency (394583)

With long network latency, the FortiGate can timeout the client before it can finish negotiation processes, such as DNS lookup and time to enter a token. Two new CLI commands under config vpn ssl settings have been added that allow the login timeout to be configured, replacing the previous hard timeout value. The second command can be used to set the SSL VPN maximum DTLS hello timeout.

What’s new in FortiOS 5.6

CLI syntax

config vpn ssl settings edit <example> set login-timeout [10-180] Default is 30 seconds.

set dtls-hello-timeout [10-60] Default is 10 seconds.

end

SSL VPN supports Windows 10 OS check (387276)

A new CLI field has been added to the os-check-list under config vpn ssl web portal to allow OS checking for Windows 10.

CLI syntax

config vpn ssl web portal edit <example> set os-check enable config os-check-list windows-10 set action {deny | allow | check-up-to-date}

end

end

SSL VPN DNS suffix per portal and number of portals (383754)

A new CLI command under config vpn ssl web portal to implement a DNS suffix per SSL VPN portal. Each suffix setting for each specific portal will override the dns-suffix setting under config vpn ssl settings.

This feature also raises bookmark limits and the number of portals that can be supported, depending on what FortiGate series model is used:

l 650 portals on 1000D series l 1300 portals on 2000E series l 2600 portals on 3000D series

The previous limit for 1000D series models, for example, was 256 portals.

CLI syntax

config vpn ssl web portal edit <example> set dns-suffix <string>

end

New SSL VPN timeout settings (379870)

New SSL VPN timeout settings have been introduced to counter ‘Slowloris’ and ‘R-U-Dead-Yet’ vulnerabilities that allow remote attackers to cause a denial of service via partial HTTP requests.

The FortiGate solution is to add two attributes (http-request-header-timeout and http-requestbody-timeout).

 

What’s new in FortiOS 5.6

CLI syntax

config vpn ssl settings set http-request-header-timeout [1-60] (seconds) set http-request-body-timeout [1-60] (seconds)

end

Personal bookmark improvements (377500)

You can now move and clone personal bookmarks in the GUI and CLI.

CLI syntax

config vpn ssl web user-bookmark edit ‘name’ config bookmarks move bookmark1 after/before clone bookmark1 to

next

end

New controls for SSL VPN client login limits (376983)

Removed the limitation of SSL VPN user login failure time, by linking SSL VPN user setting with config user settings and provided a new option to remove SSL VPN login attempts limitation. New CLI allows the administrator to configure the number of times wrong credentials are allowed before SSL VPN server blocks an IP address, and also how long the block would last.

CLI syntax

config vpn ssl settings set login-attempt-limit [0-10] Default is 2.

set login-block-time [0-86400] Default is 60 seconds. end

Unrated category removed from ssl-exempt (356428)

The “Unrated” category has been removed from the SSL Exempt/Web Category list.

Clipboard support for SSL VPN remote desktop connections (307465)

A remote desktop clipboard viewer pane has been added which allows user to copy, interact with and overwrite remote desktop clipboard contents.

FortiOS 5.6 SSL VPN

Introduction

This document provides a general introduction to SSL VPN technology, explains the features available with SSL VPN and gives guidelines to decide what features you need to use, and how the FortiGate unit is configured to implement the features.

The following chapters are included in this document:

SSL VPN Overview provides useful general information about VPN and SSL, how the FortiGate unit implements them, and gives guidance on how to choose between SSL and IPsec.

Basic configuration explains how to configure the FortiGate unit and the web portal. Along with these configuration details, this chapter also explains how to grant unique access permissions, how to configure the SSL encryption key algorithm, and describes the SSL VPN OS Patch Check feature that allows a client with a specific OS patch to access SSL VPN services.

The SSL VPN client provides an overview of the FortiClient software required for tunnel mode, where to obtain the software, how to install it, and the configuration information required for remote users to connect to the internal network.

The SSL VPN web portal provides an overview of the SSL VPN web portal, with explanations of how to use and configure the web portal features.

Setup examples explores several configuration scenarios with step-by-step instructions. While the information provided is enough to set up the described SSL VPN configurations, these scenarios are not the only possible SSL VPN setups.

Troubleshooting provides some general maintenance and troubleshooting procedures for SSL VPNs.

FortiOS 5.6 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.0 build 1449:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.0 supports the following models.

FortiGate FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG50E, FG-51E, FG-52E, FG-60D, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C,

FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF,

FG-101E, FG-140D, FG-140D-POE, FG- 200D, FG-200D-POE, FG-240D, FG-240D-

POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C,

FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-

3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-

3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-

POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60E, FWF-61E,

FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.6.0 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.0                                                                                                                Introduction

What’s new in FortiOS 5.6.0

For a list of new features and enhancements that have been made in FortiOS 5.6.0, see the What’s New for FortiOS 5.6.0 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.0

FortiOS version 5.6.0 officially supports upgrading from version 5.4.3 and 5.4.4.

Security Fabric Upgrade

FortiOS 5.6.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.0 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths l Client-side web filtering when on-net

  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.0, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec, VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

Upgrade Information                                                                                          FortiGate-VM 5.6 for VMware ESXi

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.0, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

FortiGate VM firmware                                                                                                            Upgrade Information

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.0 support

The following table lists 5.6.0 product integration and support information:

Web Browsers l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 46 l Google Chrome version 50 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 25 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 45 l Google Chrome version 51 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Security Fabric Upgrade on page 8. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

See important compatibility information in Security Fabric Upgrade on page 8.

l 5.6.0

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS l 5.4.3 and later

11

FortiOS 5.6.0 support

FortiClient Android and FortiClient VPN Android l 5.4.0
FortiAP l 5.4.2 and later l 5.6.0
FortiAP-S l 5.4.3 and later l 5.6.0
FortiSwitch OS

(FortiLink support)

l 3.5.2 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0254 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExtender l 3.1.1
AV Engine l 5.239
IPS Engine l 3.410
Virtualization Environments  
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later

 

Product Integration and Support                                                                                                  Language support

Microsoft   l Hyper-V Server 2008 R2, 2012, and 2012 R2
Open Source   l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware   l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV   The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language   GUI
English  
Chinese (Simplified)  
Chinese (Traditional)  
French  
Japanese  
Korean  
Portuguese (Brazil)  
Spanish (Spain)  

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Microsoft Windows 7 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Windows 10 (64-bit)

2333
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333
Virtual Desktop for Microsoft Windows 7 SP1 (32-bit) 2333

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 52

Google Chrome version 56

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 52

Product Integration and Support                                                                                                  SSL VPN support

Operating System Web Browser
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 52

Google Chrome version 56

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011    
F-Secure Internet Security 2011
Kaspersky Internet Security 2011

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009  
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Product Antivirus Firewall
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.0. For inquires about a particular bug, please contact CustomerService & Support.

Firewall

Bug ID Description
398673 For the NGFW_vdom, App_category, and URL_category in NGFW, action=pass firewall policy don’t work as expected.

FortiRugged 60D

Bug ID Description
375246 Invalid hbdev dmz may be received if the default hbdev is used.
FortiGate 80D  
Bug ID Description
373127 FG-80D VLAN interface does not receive packets.
FortiGate 92D  
Bug ID Description
267347 FG-92D does not support hardware switch.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
402054 Non-registered endpoint user is missing I understand button on the warning portal.

Resolved Issues

FortiView

Bug ID Description
372350 Threat view: Threat Type and Event information are missing at the lowest level.
373142 The filter result of Threat View may not be correct when adding a filter on a threat and threat type on the first level.
374947 FortiView may show empty country in the IPv6 traffic because country info is missing in log.

GUI

Bug ID Description
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
372943 Explicit proxy policy may show a blank for default authentication method.
373127 FG-80D VLAN interfaces may fail to pass traffic.
374146 Peer certificate may still show up when editing IPsec VPN tunnel and even when setting the authmethod pre-shared key.
374166 Using Edge cannot select the firewall address when configuring a static route.
374221 SSL VPN setting portal mapping realm field misses the / option.
374237 You may not be able to set a custom NTP server using GUI if you did not config it using CLI first.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374343 After enabling inspect-all in ssl-ssh-profile, user may not be able to modify allowinvalidserver-cert from GUI.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374371 The IPS Predefined Signature information pop up window may not be seen as it is hidden behind the Add Signature window.
374521 Unable to Revert revisions on GUI.
Bug ID Description
374326 Accept type: Any peer ID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
375020 IPsec tunnel Fortinet bar may not be displayed properly.

Resolved Issues

Bug ID Description
375255 You may not be able to quarantine the FortiClient device in FortiView because of a javascript error.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375290 Fortinet Bar may not be displayed properly.
375346 You may not be able to download the application control packet capture from the forward traffic log.
376808,

378744

The proxy.pac file is not updated according to changes from GUI.
403655 GUI has issue loading some web pages with IE 11 and Edge web browsers.
404781 Setup wizard does not work properly.
407030 Interface bandwidth widget is always loading for newly added interfaces.
407060 Some right-click menu items are missing icon on policy and firewall object list page.
407284 FortiView encounters JavaScript in non-root VDOM and FortiView from FortiAnalyzer.
408908 GUI has issue creating a site2site IPsec tunnel with authmethod psk.
409594 Unable to create VLAN interface for non-management VDOM at ‘Global’ view.

HA

Bug ID Description
409707 User cannot login to FGT after restore config in HA.

IPsec

Resolved Issues Kernel

Bug ID Description
395515 ICMP unreachable message processing causes high CPU usage in kernel and DHCP daemon.
Bug ID Description
287612 Span function of software switch may not work on FortiGate 51E or FortiGate 30E.
304482 NP6 offloading may be lost when the IPsec interface has the aes256gcm proposal.
371320 Show system interface may not show the Port list in sequential order.
371986 NP6 may have issue handling fragment packets.
372717 Admin-https-banned-cipher in sys global may not work as expected.

Log & Report

Bug ID Description
300637 MUDB logs may display Unknown in the Attack Name field under UTM logs.
367247 FortiSwitch log may not show the details in GUI, while in CLI the details are displayed.
374103 Botnet detection events are not listed in the Learning Report.
374411 Local and Learning report web usage may only report data for outgoing traffic.
401511 FortiGate local report shows incorrect malware victims and malware sources.

SSL VPN

Bug ID Description
282914 If users use SSL VPN in Web Mode, they may not be able to access a FortiGate running 5.4.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
408281 IE 11 and Safari browsers cannot load SSL VPN web portal page.
409755 iOS FortiClient 5.4.3.139 fails to connect to SSL VPN tunnel mode.

System

Resolved Issues

Bug ID Description
378870 When AV mode is flow-mode, the counters of fgAvStatsEntry cannot be counted up.
402589 Cannot forward traffic in TP VDOM with NP6Lite NPU VDOM link.
409198 System time zone may not take effect.
409203 Firewall recurring schedule does not work with time range.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

WiFi

Bug ID Description
409670 mpsk-key entries do not allow saving passphrase in encrypted format.

Common Vulnerabilities and Exposures

Bug ID Description
374501 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-0723

Visit https://fortiguard.com/psirt for more information.

378697 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-2512

Visit https://fortiguard.com/psirt for more information.

379870 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2003-1418 l 2007-6750

Visit https://fortiguard.com/psirt for more information.

383538 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-3713 l 2016-5829

Visit https://fortiguard.com/psirt for more information.

383564 FortiOS 5.6.0 is no longer vulnerable to the following CVE Reference: l 2016-5696

Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in version 5.6.0. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Antivirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json)
Firewall  
Bug ID Description
412799 auto-asic-offload disable does not work for NGFW policy.

FortiGate 800D

Bug ID Description
404228 All the interfaces status are down except mgmt after cfg revert.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP. The workaround is to disable switch-controller-dhcpsnooping on FortiLink VLAN interfaces.

Known Issues

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
Bug ID Description
396319 For the NGFW_vdom, the application UTM log action is always PASS when firewall policy deny the traffic.

GUI

Bug ID Description
303928 After upgrading from 5.2 to 5.4, the default flow based AV profile may not be visible or selectable in the Firewall policy page in the GUI.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374247 GUI list may list another VDOM interface when editing a redundant interface.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
397010 GUI does not display the App-DB and INDUSTRIAL-DB information.
413754 GUI create VDOM link on TP VDOM fails with error.
413891 In Topology > FortiAnalyzer, clicking Configure setting redirects to VDOM security fabric page.
413921 In FSSO standard mode, context menu allows you to delete ad-groups polled from CA.

HA

Bug ID Description
414336 Slave cannot sync to master with redundant interface.

Log & Report

Known Issues

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
413778 With long VDOM names, no log is displayed when only one field subtype forward is added to traffic log filter.

Security Fabric

Bug ID Description
385341 If there are multiple FortiAPs managed, GUI cannot display managed FortiAPs in FortiView > Physical Topology page.
403085 The session tab cannot be displayed on historical page when you drill down into the members.
403229 FortiGate is unable to drill down to the final level when using FortiAnalyzer as logging device.
406561 Matching username is not highlighted in tooltip after topology search.
408495 An improper warning message may appear in the FortiAnalyzer log when changing the root FortiGate to a downstream FortiGate.
409156 An unlicensed FortiGate may be marked as Passed in Firmware & Subscriptions.
411368 Multiple MAC addresses may be displayed abnormally in Device field.
411479 The icon used to signify the souce of logs when the time range is set to now is incorrect.
411645 Drilling down to an upstream FortiGate from a downstream FortiGate may produce a blank page.
412104 The drill down for an aggregated device is not displayed as an individual device.
412249 Threats of a downstream FortiGate cannot be displayed on the root FortiGate.
412930 Security Audit Event are shown incorrectly in the security fabric child nodes.
413189 The bubble chart with FortiAnalyzer view may not be drawn correctly.
413492 CSF topology change can cause high CPU usage by miglogd on CSF root.
413742 A red circle to indicate the root node of the security fabric may be displayed on each child FortiGate.
413912 An upstream FortiGate may still be displayed incorrectly when Security Fabric is disabled on a downstream FortiGate.

Known Issues

Bug ID Description
414013 The FortiGate may produce an “Internal CLI error” on GUI when changing the logging mode from default to local.
414147 The topology fails to be updated after changing the upstream port on a child FortiGate.
414301 Security Fabric topology will not be displayed due to js error if managed FortiSwitches have redundant topology.

SSL VPN

Bug ID Description
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
396788 SSL VPN GUI is unable to keep SSO password information for user bookmark.
413758 Auto-generated SSL interface do not ‘t associate with SSLVPN_TUNNEL_ADDR1 for a long name VDOM.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
410916 FG-5001D might encounter kernel panic after set split port.
412244 Fortitoken Mobile push won’t work when VDOM is enabled.
413885 long-vdom-name is disabled after exe factoryrest2.
414482 miglogd might keep crashing if more than 50000 polices are configured.
414490 FG-101E might hang after reboot.

Known Issues

WiFi

Bug ID Description
382296 Unable to redirect HTTPS FortiGuard web filtering block page when deploying webfilter with deep inspection on IE and Firefox.
413693 WPA_Entreprise with Radius Auth mode fails with VDOM that has a long VDOM name.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiOS 5.6 Beta 3

FortiOS 5.6 Beta 3 was released. They are steadily improving upon it. There are some glaring bugs (for instance, if you are running in NGFW policy mode and put a deny for certain web categories at the very top…..it kills all traffic below it too, even if there is an allow). That is going to come with the territory though as they adjust how their system approaches a packet.

Either way, progress is being made and I am very excited about where this version of code is going. I think 5.6 will genuinely be able to shut Palo Alto Networks up when it comes to their marketing of how the policies differ.

Protocol optimization

Protocol optimization

Protocol optimization techniques optimize bandwidth use across the WAN. These techniques can improve the efficiency of communication across the WAN optimization tunnel by reducing the amount of traffic required by communication protocols. You can apply protocol optimization to Common Internet File System (CIFS), FTP, HTTP, MAPI, and general TCP sessions. You can apply general TCP optimization to MAPI sessions.

For example, CIFS provides file access, record locking, read/write privileges, change notification, server name resolution, request batching, and server authentication. CIFS is a fairly “chatty” protocol, requiring many background transactions to successfully transfer a single file. This is usually not a problem across a LAN. However, across a WAN, latency and bandwidth reduction can slow down CIFS performance.

When you select the CIFS protocol in a WAN optimization profile, the FortiGate units at both ends of the WAN optimization tunnel use a number of techniques to reduce the number of background transactions that occur over the WAN for CIFS traffic.

If a policy accepts a range of different types of traffic, you can set Protocol to TCP to apply general optimization techniques to TCP traffic. However, applying this TCP optimization is not as effective as applying more protocol- specific optimization to specific types of traffic. TCP protocol optimization uses techniques such as TCP SACK support, TCP window scaling and window size adjustment, and TCP connection pooling to remove TCP bottlenecks.