Category Archives: FortiOS 6.2

URL filter of webfilter

URL filter is also called static URL filter. By adding specific URLs with patterns containing text and regular expressions, FortiGate can allow, block, exempt, and monitor web pages matching any specified URLs or patterns, and can display a replacement message instead.

Sample topology

Create URL filter

You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.

To create a URL filter in the GUI:

  1. Go to Security Profiles > Web Filter and scroll to the Static URL Filter section.
  2. Enable URL Filter.
  3. Under URL Filter, select Create New to display the New URL Filter form. The entry has a type and an action:
URL Filter Type                  Description
Simple                           FortiGate tries to strictly match the full string. For example, if you enter www.facebook.com in the URL field, it only matches traffic to www.facebook.com; it does not match facebook.com or message.facebook.com. When FortiGate finds a match, it performs the selected URL Action.
Regular Expression or Wildcard   FortiGate tries to match the pattern based on the rules of regular expressions or wildcards. For example, if you enter *fa* in the URL field, it matches everything that contains fa, such as www.facebook.com, message.facebook.com, fast.com, etc. When FortiGate finds a match, it performs the selected URL Action.

For more information, see the URL Filter expressions technical note at https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.

URL Filter Action   Description
Block               Denies or blocks attempts to access any URL matching the URL pattern. FortiGate displays a replacement message.
Allow               The traffic is passed to the remaining FortiGuard web filters, web content filters, web script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not appear in the URL list, the traffic is permitted.
Monitor             The traffic is processed the same way as the Allow action, but a log message is generated each time a matching session is established.
Exempt              The traffic is allowed to bypass the remaining FortiGuard web filters, web content filters, web script filters, antivirus scanning, and DLP proxy operations. Because an exempted URL receives no antivirus or DLP inspection, exempt only destinations you trust, and prefer a Simple entry over a broad wildcard.

  4. For example, enter *facebook.com, select Wildcard and Block, and select OK. Note that a leading * also matches any other host name that ends in facebook.com (for example, notfacebook.com); use *.facebook.com plus a separate facebook.com entry if that over-match is not wanted.

After creating the URL filter, attach it to a webfilter profile.
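The behaviour of the three entry types and of the action list above, as an added Python model that is not Fortinet code and not part of the original page. The matching rules it encodes (a pattern without a slash is compared against the host name only, entries are tried top-down with the first enabled match winning, and a URL that matches nothing continues to the other filters as if allowed) are assumptions chosen to illustrate the text, not a description of the FortiGate engine; the filter list and the URLs are constructed.

```python
"""Model of a FortiGate static URL filter list, written to show how the three
entry types and the first-match evaluation order behave.  Added example; this
is not Fortinet code, and the matching rules below are stated assumptions."""
import fnmatch
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit


class UrlFilterEntry(NamedTuple):
    url: str                # pattern, as typed into `set url`
    type: str               # simple | regex | wildcard        (`set type`)
    action: str             # block | allow | monitor | exempt (`set action`)
    status: str = "enable"  # `set status`; disabled entries are skipped


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) for a request URL; the host is lower-cased and the
    scheme and query are dropped.  Assumption: the scheme never takes part in
    matching.  Bare host names are accepted as well."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


def entry_matches(entry: UrlFilterEntry, host: str, path: str) -> bool:
    """Assumed rule: a pattern without a '/' is compared against the host only;
    a pattern containing '/' is compared against host + path."""
    pattern = entry.url
    target = host if "/" not in pattern else host + path
    if entry.type == "simple":
        # page: strict match of the whole string, so www.facebook.com does not
        # match facebook.com or message.facebook.com
        return target == pattern.lower()
    if entry.type == "wildcard":
        # fnmatch semantics: '*' matches any run of characters, '?' one character
        return fnmatch.fnmatchcase(target, pattern.lower())
    if entry.type == "regex":
        return re.search(pattern, target, re.IGNORECASE) is not None
    raise ValueError(f"unknown entry type {entry.type!r}")


def evaluate(entries: List[UrlFilterEntry], url: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  Assumption: entries are
    evaluated top-down and the first enabled match wins.  A URL that matches
    nothing is treated like 'allow': it continues to the remaining filters."""
    host, path = split_url(url)
    for idx, entry in enumerate(entries):
        if entry.status == "enable" and entry_matches(entry, host, path):
            return entry.action, idx
    return "allow", None


# Constructed filter list mirroring the page's *facebook.com example.
ENTRIES = [
    # exempt skips AV and DLP for the match, so it is pinned to one exact host
    UrlFilterEntry("www.example-corp.com", "simple", "exempt"),
    UrlFilterEntry("*facebook.com", "wildcard", "block"),
    UrlFilterEntry(r"^(www\.)?youtube\.com$", "regex", "monitor"),
]


if __name__ == "__main__":
    for u in ("https://www.facebook.com/", "https://notfacebook.com/",
              "https://m.example-corp.com/", "https://www.example-corp.com/login",
              "https://youtube.com/watch?v=x", "https://m.youtube.com/"):
        print(f"{u:40} -> {evaluate(ENTRIES, u)}")
```

Running it shows the over-match the leading wildcard introduces: notfacebook.com is blocked alongside www.facebook.com, while the Simple entry for www.example-corp.com leaves m.example-corp.com untouched and the regex entry only fires on youtube.com and www.youtube.com.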

Create URL filter using CLI

To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI syntax below shows the full configuration tree for a URL filter.

config webfilter urlfilter
    edit {id}                                   # Configure URL filter lists.
        set name {string}                       # Name of URL filter list. size[35]
        config entries
            edit {id}                           # URL filter entries.
                set url {string}                # URL to be filtered. size[511]
                set type {simple | regex | wildcard}   # Filter type.
                    simple      Simple URL string.
                    regex       Regular expression URL string.
                    wildcard    Wildcard URL string.
                set action {exempt | block | allow | monitor}   # Action to take for URL filter matches.
                    exempt      Exempt matches.
                    block       Block matches.
                    allow       Allow matches (no log).
                    monitor     Allow matches (with log).
                set status {enable | disable}   # Enable/disable this URL filter entry.
                set exempt {option}             # If action is set to exempt, select the security profile operations that exempt URLs skip. Separate multiple options with a space.
                    av                    AntiVirus scanning.
                    web-content           Web filter content matching.
                    activex-java-cookie   ActiveX, Java, and cookie filtering.
                    dlp                   DLP scanning.
                    fortiguard            FortiGuard web filtering.
                    range-block           Range block feature.
                    pass                  Pass single connection from all.
                    all                   Exempt from all security profiles.
                set referrer-host {string}      # Referrer host name. size[255]
            next
        end
    next
end

To create a URL filter that filters Facebook using the CLI:

config webfilter urlfilter
    edit 1
        set name "webfilter"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
            next
        end
    next
end

To attach the URL filter to a webfilter profile:

config webfilter profile
    edit "webfilter"                  <-- the name of the webfilter profile
        config web
            set urlfilter-table 1     <-- the URL filter created with ID number 1
        end
        config ftgd-wf
            unset options
        end
    next
end

Attach webfilter profile to the firewall policy

After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Edit the policy on which you want to enable the web filter.
  3. In the Security Profiles section, enable Web Filter and select the profile you created.

To attach a webfilter profile to a firewall policy using the CLI:

config firewall policy
    edit 1
        set name "WF"
        set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"          <-- attach the webfilter profile you just created
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Validate the URL filter results

Validate the URL filter results by going to a blocked website. For example, when you go to the Facebook website, you see the replacement message. For HTTPS destinations such as Facebook, what the filter can see depends on the SSL/SSH inspection profile attached to the policy: with certificate inspection only the host name is visible, so a pattern that relies on the URL path matches HTTPS traffic only when deep inspection is enabled.

To customize the URL web page blocked message:

  1. Go to System > Replacement Messages.
  2. Go to the Security section and select URL Block Page.
  3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:

  1. Go to Log & Report > Web Filter.
  2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display only the logs generated by the URL filter.

To check webfilter logs in the CLI:

FGT52E-NAT-WF # execute log filter category utm-webfilter

FGT52E-NAT-WF # execute log display

1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"

The fields to key on when searching or alerting are eventtype="urlfilter" (a static-list verdict, as opposed to a FortiGuard category verdict), urlsource="Local URLfilter Block", action="blocked", srcip and hostname.
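A parser for records in the format shown above, with the detection logic a SOC would run over them, as an added example that is not Fortinet code and not part of the original page. The log lines in the block are constructed to follow the shape of the record above (same field names, straight quotes, fewer fields) and are not real device output; the action value used for a monitor hit is an assumption.

```python
"""Parse FortiGate UTM web-filter log records (key=value pairs, values quoted
when they contain spaces) and pull out the static URL filter blocks.  Added
example, not Fortinet code; the sample lines are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# key=value where the value is either "quoted text" or a run of non-space chars
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    # constructed: static URL filter block, same shape as the page's record
    'date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" policyid=1 srcip=10.1.200.15 '
    'dstip=157.240.18.35 dstport=443 service="HTTPS" hostname="www.facebook.com" '
    'profile="webfilter" action="blocked" url="/" '
    'msg="URL was blocked because it is in the URL filter list"',
    # constructed: a monitor entry; the session is allowed but logged
    # (action value "passthrough" is an assumption)
    'date=2019-04-22 time=11:49:10 logid="0315012545" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="notice" vd="vdom1" policyid=1 srcip=10.1.200.16 '
    'dstip=172.217.0.46 dstport=443 service="HTTPS" hostname="youtube.com" '
    'profile="webfilter" action="passthrough" url="/watch"',
    # constructed: a FortiGuard category block, not the static URL filter
    'date=2019-04-22 time=11:50:02 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 srcip=10.1.200.15 '
    'dstip=198.51.100.7 dstport=80 service="HTTP" hostname="games.example" '
    'profile="webfilter" action="blocked" url="/" cat=20 catdesc="Games"',
    # constructed: a second static-filter block from the same client
    'date=2019-04-22 time=11:51:30 logid="0315012544" type="utm" subtype="webfilter" '
    'eventtype="urlfilter" level="warning" vd="vdom1" policyid=1 srcip=10.1.200.15 '
    'dstip=157.240.18.35 dstport=443 service="HTTPS" hostname="m.facebook.com" '
    'profile="webfilter" action="blocked" url="/"',
]


def parse_fortilog(line: str) -> Dict[str, str]:
    """Turn one record into a dict; quoted and unquoted values are both handled."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def urlfilter_blocks(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (time, srcip, hostname) for every static URL filter block, i.e.
    subtype=webfilter, eventtype=urlfilter, action=blocked.  FortiGuard
    category blocks (eventtype=ftgd_blk) and monitor hits are left out."""
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        if (rec.get("subtype") == "webfilter" and rec.get("eventtype") == "urlfilter"
                and rec.get("action") == "blocked"):
            hits.append((rec.get("time", ""), rec.get("srcip", ""), rec.get("hostname", "")))
    return hits


def repeat_offenders(lines: Iterable[str], threshold: int = 2) -> Dict[str, int]:
    """Source IPs that hit the static block list at least `threshold` times;
    a cheap way to spot a host that keeps retrying a blocked destination."""
    counts = Counter(src for _, src, _ in urlfilter_blocks(lines))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in urlfilter_blocks(SAMPLE_LOGS):
        print("urlfilter block:", hit)
    print("repeat offenders:", repeat_offenders(SAMPLE_LOGS))
```

The eventtype field separates a hit on the local list from a FortiGuard category verdict, so the same parser feeds both a "static list fired" alert and a per-source count; the quoted/unquoted distinction in the regex matters because msg and hostname carry spaces or dots while srcip and policyid do not.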

Introduction to Web Filter

Web filtering is a means of controlling the content that an internet user is able to view. With the increased popularity of web applications, the need to monitor and control web access is becoming a key component of secure content management systems that employ antivirus, web filtering, and messaging security.

This topic provides a general introduction to the Web Filter security profile. Additional information, such as the GUI and CLI configurations, can be found in subsequent topics.

Web Filter Configuration

Web Filter configuration can be separated into the following parts: Web Filter profile configuration and Web Filter profile overrides.

There are five components to Web Filter configuration:

  • URL filter: Block, allow, exempt, or monitor traffic by URL.
  • FortiGuard filter: With a FortiGuard license, you can get the rating of a URL. Action can be taken against the packet based on its rating.
  • Content filter: Block or exempt traffic by checking its content.
  • File filter: Log or block a file based on its file type (e.g. ZIP, MP3, PNG).
  • Advanced filter

There are two different ways to override web filtering behavior based on FortiGuard categorization of websites:

  • Using alternate categories: Web rating overrides. This method manually assigns a specific website to a different Fortinet category or a locally created category.
  • Using alternate profiles: With identity-based policies and a web filtering profile, configured users or IP addresses can be allowed to use an alternative Web Filter profile when attempting to access blocked websites.

AppCtrl protocol enforcement check

Protocol enforcement lets you bind networking services (e.g. FTP, HTTP, HTTPS) to their known ports (e.g. 21, 80, 443). When traffic on an enforced port carries a protocol that is not whitelisted for that port, the IPS engine applies the configured violation action: block, allow, or monitor.

This feature acts upon the following two scenarios:

  • When one protocol dissector confirms the service of network traffic, protocol enforcement can check whether the confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a violation and IPS can take the action specified by config (e.g. block).
  • When there is no confirmed service for the network traffic, the traffic is considered a service violation if IPS dissectors rule out all of the services enforced under its server port.

CLI configuration

In an applicable profile, a default-network-services list can be created to associate well-known ports with accepted services.

To set up protocol enforcement in the CLI:

config application list
    edit "protocol-GUI"
        set other-application-log enable
        set control-default-network-services {enable | disable}   # Enable/disable enforcement of protocols over select ports.
        config default-network-services
            edit 1                      # Default network service entry.
                set port 80             # Port number: an integer from 0 to 65535.
                set services http       # Network protocols: http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp, and https.
            next
            edit 2
                set port 53
                set services dns
                set violation-action {pass | monitor | block}   # Pass, log (monitor), or block when non-DNS traffic runs over port 53.
            next
        end
    next
end

GUI Configuration

A new table is displayed when the Network Protocol Enforcement toggle is set to the On position. Enforced entries can be created, edited, or deleted to configure network services on certain ports and determine the violation action.

To set up protocol enforcement in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Enable Network Protocol Enforcement.
  3. Click Create New.
  4. In the New Default Network Service window:
    1. Enter a Port
    2. Select the Enforced protocols.
    3. Choose the Violation action.
    4. Select OK.

AppCtrl port enforcement check

Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.

If default application port enforcement is enabled in the application control profile, a port enforcement check is done at the application profile level, and any detected application signature running on a non-standard TCP/UDP port is blocked.

This means that each application allowed by the app control sensor may only run on its default port, so an allowed application cannot be moved to an unexpected port to slip past port-based firewall rules.

To set the port enforcement check in the CLI:

config application list
    edit "default_port"
        set enforce-default-app-port {enable | disable}
            disable    Disable default application port enforcement.
            enable     Enable default application port enforcement.
        config entries
            edit 1
                set application 15896
                set action pass
            next
        end
    next
end

For example, when applying the above appctrl sensor, FTP traffic with the standard port (port 21) is allowed, while the non-standard port (port 2121) is blocked.
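The decision logic of the two checks described above (protocol enforcement from the previous section and default application port enforcement from this one), as an added Python model that is not Fortinet code and not part of the original page. The port-to-service table is built from the sample sensor on this page; the FTP and SSH default-port mapping, the notion of a "ruled out" service set, and the treatment of still-undecided traffic as passing are assumptions used to illustrate the text.

```python
"""Decision logic of the two application-control checks: protocol enforcement
(which services a well-known port may carry) and default application port
enforcement (which ports a detected application may use).  Added example, not
Fortinet code; tables below are constructed from the CLI samples on the page."""
from typing import FrozenSet, Optional

# default-network-services entries from the sample sensor:
# port -> (enforced services, violation action)
DEFAULT_NETWORK_SERVICES = {
    80: (frozenset({"http"}), "block"),
    53: (frozenset({"dns"}), "block"),
}

# assumed signature -> default port(s), as in the page's FTP example
APP_DEFAULT_PORTS = {
    "FTP": frozenset({21}),
    "SSH": frozenset({22}),
}


def protocol_enforcement(dst_port: int,
                         confirmed_service: Optional[str] = None,
                         ruled_out: FrozenSet[str] = frozenset(),
                         control_default_network_services: bool = True) -> str:
    """Return 'pass' or the configured violation action for a flow.

    confirmed_service: the service a dissector has positively identified, or None.
    ruled_out: services the dissectors have already excluded when nothing is confirmed.
    """
    if not control_default_network_services or dst_port not in DEFAULT_NETWORK_SERVICES:
        return "pass"                        # feature off, or port not enforced
    enforced, violation_action = DEFAULT_NETWORK_SERVICES[dst_port]
    if confirmed_service is not None:
        # scenario 1: a confirmed service must be whitelisted for this port
        return "pass" if confirmed_service in enforced else violation_action
    # scenario 2: nothing confirmed; a violation only once every enforced
    # service has been ruled out (undecided traffic is given the benefit of the doubt)
    return violation_action if enforced <= ruled_out else "pass"


def port_enforcement(app: str, dst_port: int,
                     sensor_action: str = "pass",
                     enforce_default_app_port: bool = True) -> str:
    """Apply enforce-default-app-port: an application the sensor allows is
    blocked anyway if it is seen on a port that is not one of its defaults."""
    if (enforce_default_app_port and app in APP_DEFAULT_PORTS
            and dst_port not in APP_DEFAULT_PORTS[app]):
        return "block"
    return sensor_action


if __name__ == "__main__":
    print(protocol_enforcement(53, confirmed_service="dns"))        # pass
    print(protocol_enforcement(53, confirmed_service="ssh"))        # block: SSH over 53
    print(protocol_enforcement(53, ruled_out=frozenset({"dns"})))   # block: DNS ruled out
    print(protocol_enforcement(53))                                 # pass: not yet decided
    print(port_enforcement("FTP", 21))                              # pass
    print(port_enforcement("FTP", 2121))                            # block
```

The two checks are complementary: protocol enforcement is keyed by port and asks "is this service allowed here", while port enforcement is keyed by application and asks "is this port allowed for it"; SSH tunnelled over 53 is caught by the first, FTP on 2121 by the second.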

AppCtrl basic category filters and overrides

Once you have created an application sensor, you can define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides.

  • Categories: Choose groups of signatures based on a category type.
  • Application overrides: Choose individual applications.
  • Filter overrides: Select groups of applications and override the application signature settings for them.

Categories

Categories allow you to choose groups of signatures based on a category type.

Applications belonging to the category trigger the action set to the category.

To set category filters in the CLI:

config application list
    edit {id}
        config entries
            edit 1
                set category {id}
                    ID   Category
                    2    P2P
                    3    VoIP
                    5    Video/Audio
                    6    Proxy
                    7    Remote.Access
                    8    Game
                    12   General.Interest
                    15   Network.Service
                    17   Update
                    21   Email
                    22   Storage.Backup
                    23   Social.Media
                    25   Web.Client
                    26   Industrial
                    28   Collaboration
                    29   Business
                    30   Cloud.IT
                    31   Mobile
                set action {pass | block | reset}
                    pass     Pass or allow matching traffic.
                    block    Block or drop matching traffic.
                    reset    Reset sessions for matching traffic.
                set log {enable | disable}
            next
        end
    next
end

To set category filters in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under Categories, click the icon next to the category name to view a dropdown of actions:
     • Allow
     • Monitor
     • Block
     • Quarantine
     • View signatures
  3. Select OK.

Application and filter overrides

Override type   Setting
Application     Type: Choose Application for application overrides.
                Action: Can be set to Monitor/Allow/Block/Quarantine.
                Application: Multiple app signatures can be added for one entry. A slide-in presenting an application list is shown to select specific app signatures, and the search box can be used to filter matched signatures.
Filter          Type: Choose Filter for filter overrides.
                Action: Can be set to Monitor/Allow/Block/Quarantine.
                Filter: Filters can be selected by behavior, application category, technology, popularity, protocol, risk, or vendor subtypes.
                Search box: Can be used to determine if the input signature is included in the selected filters; matched applications are shown at the bottom.

To set overrides in the CLI:

config application list
    edit {id}
        config entries
            edit 1
                set protocols {0-47}     # network protocol ID
                set risk {id}            # Risk, or impact, of allowing traffic from this application (1 to 5: Low, Elevated, Medium, High, and Critical).
                set vendor {0-25}        # vendor ID
                set technology {id}      # All, Network-Protocol, Browser-Based, Client-Server, Peer-to-Peer (ID 4)
                set behavior {id}        # All, Botnet, Evasive, Excessive-Bandwidth, Tunneling, Cloud (ID 9)
                set popularity {1-5}     # Popularity level 1 to 5
                set action {pass | block | reset}
                    pass     Pass or allow matching traffic.
                    block    Block or drop matching traffic.
                    reset    Reset sessions for matching traffic.
                set log {enable | disable}
            next
        end
    next
end

To set overrides in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under the Application and Filter Overrides table, click Create New.
  3. To add individual applications:
    1. Select Application as the Type.
    2. Choose an action to be associated with the application.
    3. Select the + button in the Application field and choose the specific applications from the list of app signatures. Multiple applications may be selected.
    4. Select OK.
  4. To add advanced filters:
    1. Create another entry in the Application and Filter Overrides table.
    2. Select Filter as the Type.
    3. Select Cloud under the Behavior section of the Select Entries pane. Matched signatures are shown along the bottom.
    4. Select OK.

FortiOS 6.2.2 Release Notes

TABLE OF CONTENTS

Change Log
Change Log

Date          Change Description
2019-10-09    Initial release.
2019-10-10    Added 551119 to Resolved Issues. Added commands to the Previous releases column in the Changes in CLI defaults SSH and SSL VPN sections.

Introduction and supported models

This guide provides release information for FortiOS 6.2.2 build 1010.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.2 supports the following models.

FortiGate              FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1
FortiWiFi              FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged       FGR-30D, FGR-35D
FortiGate VM           FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN
Pay-as-you-go images   FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier        FortiOS Carrier 6.2.2 images are delivered on request and are not available on the Beta portal.

Special branch supported models

The following models are released on a special branch of FortiOS 6.2.2. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1010.

FGR-90D is released on build 5335.

Special notices

  • Common vulnerabilities and exposures
  • New Fortinet cloud services
  • FortiGuard Security Rating Service
  • FortiGate hardware limitation
  • CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements
  • Use of dedicated management interfaces (mgmt1 and mgmt2)
  • NP4lite platforms
  • Tags option removed from GUI
  • Mobile token authentication

Common vulnerabilities and exposures

FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19144.

New Fortinet cloud services

FortiOS 6.2.0 introduced several new cloud-based services listed below. The new services require updates to FortiCare and Fortinet’s FortinetOne single sign-on (SSO) service. These updates will be available by mid-Q2 2019.

  • Overlay Controller VPN
  • FortiGuard Cloud-Assist SD-WAN Interface Bandwidth Monitoring
  • FortiManager Cloud
  • FortiAnalyzer Cloud

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric "root" device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model:

  • FGR-30D
  • FGR-35D
  • FGT-30E
  • FGT-30E-MI
  • FGT-30E-MN
  • FGT-50E
  • FGT-51E
  • FGT-52E
  • FWF-30E
  • FWF-30E-MI
  • FWF-30E-MN
  • FWF-50E
  • FWF-50E-2R
  • FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of ports 1 through 14, include:

  • PPPoE failing, HA failing to form.
  • IPv6 packets being dropped.
  • FortiSwitch devices failing to be discovered.
  • Spanning tree loops may result depending on the network topology.

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects from the introduction of a new command, which is enabled by default:

config system global
    set hw-switch-ether-filter <enable | disable>
end

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
  • BPDUs are dropped and therefore no STP loop results.
  • PPPoE packets are dropped.
  • IPv6 packets are dropped.
  • FortiSwitch devices are not discovered.
  • HA may fail to form depending on the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

 

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected:

  • FG-900D
  • FG-1000D
  • FG-2000E
  • FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

NP4lite platforms

FortiOS 6.2 and later does not support NP4lite platforms.

Tags option removed from GUI

The Tags option is removed from the GUI. This includes the following:

  • The System > Tags page is removed.
  • The Tags section is removed from all pages that had a Tags section.
  • The Tags column is removed from all column selections.

Mobile token authentication

Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

Changes in default behavior

AntiVirus

  • In previous releases, the scan mode controlled which features were displayed, based on their compatibility with proxy and with flow's [quick | full] mode (now [default | legacy]). This release disregards that behavior, making the antivirus profile scan-mode agnostic: all AV options are displayed regardless of the AV profile's scan-mode setting. Enforcement is handled by the kernel based on the firewall policy using AV. Unsupported AV features do not take effect if the inspection mode is proxy or flow.
  • In this release, AntiVirus can do SSH inspection.

FOC

The apn option under apn-shaper now accepts multiple apn or apngrp entries.

Previous releases:

config gtp apn
    edit "apn1"
        set apn "internet"
    next
    edit "apn2"
        set apn "intranet"
    next
end
config gtp apngrp
    edit "apngrp1"
        set member "apn1"
    next
end
config gtp apn-shaper
    edit 1
    next
end

6.2.2 release:

config gtp apn
    edit "apn1"
        set apn "internet"
    next
    edit "apn2"
        set apn "intranet"
    next
end
config gtp apngrp
    edit "apngrp1"
        set member "apn1"
    next
end
config gtp apn-shaper
    edit 1
        set apn "apn2" "apngrp1"   <== changed
    next
end

FortiSwitch Controller

  • FortiLink interface is on by default on FortiGate E series platform.
  • On FG-100E and higher, create an empty FortiLink aggregate interface (fortilink) by default. If aggregate interface is not supported, create a hardware switch interface instead.
  • For FortiGate models below FG-100E, create an empty FortiLink hardware switch interface (fortilink) by default. If hardware switch interface is not supported, create aggregate interface instead.
  • When the FortiLink interface is enabled, CLI displays an error message when trying to change the FortiGate to TP mode.

Firewall

  • Only IP and protocol are matched, and the source port is ignored, when an ISDB entry is applied as the source in a policy.
  • Internet-service-addition overwrites the default ports of an internet-service ID if the protocols are the same.
  • Firewall policy supports wildcard-fqdn objects of FQDN type.
  • This release supports srcaddr/dstaddr/internet-service/internet-service-src negate in consolidated policy.
  • All attributes of a FABRIC_DEVICE object, except for IP address and type, can be modified from the CLI but not from the GUI.

Log & Report

  • In previous releases, FortiGate only sent event logs to FAZ-Cloud. In this release, FortiGate sends both event logs and UTM logs to FAZ-Cloud.

Switch

  • Add VLAN switch feature to FG-300E and FG-301E.

System

  • An API user must have at least one trusted host IP address.
  • Only show the diagnose sys nmi-watchdog command on platforms that have an "nmi" button.
  • With a mgmt interface set to dedicated-to-management, three cases are added:
    • When no trusted host is set, all IPv4 and IPv6 addresses have access.
    • When only IPv4 addresses are set as trusted hosts, IPv6 addresses cannot log in.
    • When only IPv6 addresses are set as trusted hosts, IPv4 addresses cannot log in.
  • There is no mgmt option on a GRE tunnel interface when it is set to dedicated-to-management.
  • Allow a VDOM admin to create a loopback interface if there is no physical interface in the VDOM.
  • The trust-ip option in config system interface always overrides the trusthost option in config system admin.

 

Changes in CLI defaults

AntiVirus

Add SSH inspection. This is only compatible with proxy inspection.

Previous releases:

config antivirus profile
    edit "profile_name"
    next
end

6.2.2 release:

config antivirus profile
    edit "profile_name"
        config ssh                           <== added
            set options scan                 <== added
            unset archive-block              <== added
            unset archive-log                <== added
            set emulator enable              <== added
            set outbreak-prevention disabled <== added
        end
    next
end

Endpoint Control

Add fortiems-cloud option under FSSO user.

Previous releases:

config user fsso
    edit <name>
    next
end

6.2.2 release:

config user fsso
    edit <name>
        set type fortiems-cloud   <== added
    next
end

Add attribute fortinetone-cloud-authentication to endpoint control fctems.

Previous releases:

config endpoint-control fctems
    edit <name>
    next
end

6.2.2 release:

config endpoint-control fctems
    edit <name>
        set fortinetone-cloud-authentication [enable | disable]   <== added
    next
end

Add sub-second-sampling under GTP.

Previous releases:

config firewall gtp
    edit "gtpp"
    next
end

6.2.2 release:

config firewall gtp
    edit "gtpp"
        set sub-second-sampling enable   <== added
        set sub-second-interval 0.1      <== added
    next
end

Firewall

Add HTTPS as a type of health check for the VIP load-balance monitor.

Previous releases:

config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping    PING health monitor.
            tcp     TCP-connect health monitor.
            http    HTTP-GET health monitor.

6.2.2 release:

config firewall ldb-monitor
    edit [Monitor Name]
        set type ?
            ping    PING health monitor.
            tcp     TCP-connect health monitor.
            http    HTTP-GET health monitor.
            https   HTTP-GET health monitor with SSL.   <== added

Remove set type wildcard-fqdn and set wildcard-fqdn <string> from firewall address.

Previous releases:

config firewall address
    edit [Address]
        set type wildcard-fqdn       <== removed
        set wildcard-fqdn <string>   <== removed
    next
end

6.2.2 release:

config firewall address
    edit [Address]
    next
end

Add CLI commands to support address and service negate in consolidated policy.

Previous releases:

config firewall consolidated policy
    edit [Policy ID]
    next
end

6.2.2 release:

config firewall consolidated policy
    edit [Policy ID]
        set srcaddr-negate [enable | disable]                <== added
        set dstaddr-negate [enable | disable]                <== added
        set service-negate [enable | disable]                <== added
        set internet-service-negate [enable | disable]       <== added
        set internet-service-src-negate [enable | disable]   <== added
    next
end

Proxy

Add the firewall traffic-class table (see Traffic Shaping below).

Previous releases: the table does not exist.

6.2.2 release:

config firewall traffic-class   <== added
    edit [Class-ID]             <== added
end                             <== added

In the protocol options profile, add the ssl-offloaded command under each protocol.

Previous releases:

config firewall profile-protocol-options
    edit "default-clone"
        config http
        end
        config ftp
        end
        config imap
        end
        config pop3
        end
        config smtp
        end
    next
end

6.2.2 release:

config firewall profile-protocol-options
    edit "default-clone"
        config http
            set ssl-offloaded no   <== added
        end
        config ftp
            set ssl-offloaded no   <== added
        end
        config imap
            set ssl-offloaded no   <== added
        end
        config pop3
            set ssl-offloaded no   <== added
        end
        config smtp
            set ssl-offloaded no   <== added
        end
    next
end

Traffic Shaping

Add a new global CLI table to define traffic classes. It is a mapping between class ID and name; the class-id referenced from shaping-policy, shaping-profile, and traffic-shaper must be data-sourced from this table.

Log & Report

Add CLI options to configure the socket priority and the maximum log rate per remote log device. Similar settings apply to config log fortiguard setting and config log syslogd setting.

Previous releases:

config log fortianalyzer setting
end
config log fortianalyzer override-setting
end

6.2.2 release:

config log fortianalyzer setting
    set priority [default | low]                <== added
    set max-log-rate [Log Rate, unit is MBps]   <== added
end
config log fortianalyzer override-setting
    set priority [default | low]                <== added
    set max-log-rate [Log Rate, unit is MBps]   <== added
end

Add a test command option in the CLI.

Previous releases:

diag test application miglogd

6.2.2 release:

diag test application miglogd 40   <== added option "40"

SSH

Add file transfer scan over SSH (SCP and SFTP).

Previous releases:

config ssh-filter profile
    edit [Profile Name]
        set default-command-log disable
    next
end

6.2.2 release:

config ssh-filter profile
    edit [Profile Name]
        set block x11 shell exec port-forward tun-forward sftp scp unknown   <== added scp
        set log x11 shell exec port-forward tun-forward sftp scp unknown     <== added scp
        set default-command-log disable
        config file-filter                       <== added
            set status enable                    <== added
            set log enable                       <== added
            set scan-archive-contents enable     <== added
            config entries                       <== added
                edit [Entry]                     <== added
                    set comment ''               <== added
                    set action block             <== added
                    set direction any            <== added
                    set password-protected any   <== added
                    set file-type "msoffice"     <== added
                next
            end
        end
    next
end

SSL VPN

Remove citrix and portforward from apptype in the three SSL VPN web bookmark tables: config vpn ssl web user-bookmark, config vpn ssl web user-group-bookmark, and config vpn ssl web portal. All three carry the same apptype list, shown once below for user-bookmark.

Previous releases:

config vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    citrix        Citrix.         <== removed
                    ftp           FTP.
                    portforward   Port Forward.   <== removed
                    rdp           RDP.
                    sftp          SFTP.
                    smb           SMB/CIFS.
                    ssh           SSH.
                    telnet        Telnet.
                    vnc           VNC.
                    web           HTTP/HTTPS.
            next
        end
    next
end

6.2.2 release:

config vpn ssl web user-bookmark
    edit [Name]
        config bookmarks
            edit [Bookmark Name]
                set apptype ?
                    ftp       FTP.
                    rdp       RDP.
                    sftp      SFTP.
                    smb       SMB/CIFS.
                    ssh       SSH.
                    telnet    Telnet.
                    vnc       VNC.
                    web       HTTP/HTTPS.
            next
        end
    next
end

The same two values are removed from the apptype list under config vpn ssl web user-group-bookmark and config vpn ssl web portal.

System

Add description in system security zones.

Previous releases 6.2.2 release
config system zone edit [Zone Name]

next end

config system zone edit [Zone Name] set description “” <==added

next end

Increase the maximum number of DNS servers supported in DHCP server from 3 to 4.

Previous releases:

config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
    next
end

6.2.2 release:

config system dhcp server
    edit [Server ID]
        set dns-server1 1.1.1.1
        set dns-server2 2.2.2.2
        set dns-server3 3.3.3.3
        set dns-server4 4.4.4.4    <==added
    next
end

VM

Remove the vdom-mode multi-vdom option for cloud-based on-demand FGT-VM.

Previous releases:

config sys global
    set vdom-mode ?
    no-vdom      Disable split/multiple VDOMs mode.
    split-vdom   Enable split VDOMs mode.
    multi-vdom   Enable multiple VDOMs mode.    <==removed
end

6.2.2 release:

config sys global
    set vdom-mode ?
    no-vdom      Disable split/multiple VDOMs mode.
    split-vdom   Enable split VDOMs mode.
end

Remove security rating from FGT_VMX and FGT_SVM.

Previous releases:

diagnose security-rating version    <==removed

6.2.2 release:

The command is not available on FGT_VMX and FGT_SVM.

Enable CPU hot plug in kernel configuration.

Previous releases: no CPU hot plug commands.

6.2.2 release:

execute cpu show    <==added
Active CPU number: 1
Total CPU number: 8

execute cpu add 1    <==added
Active CPU number: 2
Total CPU number: 8

Collect EIP from cloud-VMS (Azure, AWS, GCP, AliCloud, and OCI).

Previous releases:

pcui-cloudinit-test # execute <?>
(no update-eip command)

config sys interface
    edit [Name]
    next
end

conf sys global
    set sslvpn-cipher-hardware-acceleration    <==removed
end

6.2.2 release:

pcui-cloudinit-test # execute <?>
update-eip    Update external IP.    <==added

config sys interface
    edit [Name]
        set eip    <==added
    next
end

conf sys global
end

WiFi Controller

Add portal-type external-auth when captive-portal is enabled on local-bridge VAP.

Previous releases:

config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end

6.2.2 release:

config wireless-controller vap
    edit "wifi.fap.02"
        set ssid "bridge-captive"
        set local-bridging enable
        set security captive-portal
        set portal-type external-auth    <==added
        set external-web "170.00.00.000/portal/index.php"
        set radius-server "peap"
    next
end

Move darrp-optimize and darrp-optimize-schedules configurations from Global level to VDOM level.

Previous releases:

### Global ###
config wireless-controller timers
    set darrp-optimize 86400                                 <==removed
    set darrp-optimize-schedules "default-darrp-optimize"    <==removed
end

6.2.2 release:

### VDOM ###
config wireless-controller setting
    set darrp-optimize 86400                                 <==added
    set darrp-optimize-schedules "default-darrp-optimize"    <==added
end

Add external-web-format setting under captive-portal VAP when external portal is selected.

Previous releases:

config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
    next
end

6.2.2 release:

config wireless-controller vap
    edit guestwifi
        set ssid "GuestWiFi"
        set security captive-portal
        set external-web "http://170.00.00.000/portal/index.php"
        set selected-usergroups "Guest-group"
        set intra-vap-privacy enable
        set schedule "always"
        set external-web-format auto-detect    <==added
    next
end

Add new WTP profiles FAPU431F-default and FAPU433F-default.

Previous releases:

config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
        end
    next
end

config wireless-controller vap
    edit [SSID name]
    next
end

6.2.2 release:

config wireless-controller wtp-profile
    edit [FAPU431F-default | FAPU433F-default]
        config platform
            set type [U431F | U433F]          <==added
            set mode [dual-5G | single-5G]    <==added
        end
        config radio-1                        <==added
            set band 802.11ax-5G              <==added
        end
        config radio-2                        <==added
            set band 802.11ax-5G              <==added
        end
        config radio-3                        <==added
            set band 802.11n,g-only           <==added
        end
    next
end

config wireless-controller vap
    edit [SSID name]
        set high-efficiency enable     <==added
        set target-wake-time enable    <==added
    next
end

For DFS approved countries, add 160 MHz channel bonding support for FortiAP U421EV/U422EV/U423EV models.

Previous releases:

config wireless-controller wtp-profile
    edit [FAPU421EV-default | FAPU422EV-default | FAPU423EV-default]
        config radio-2
            set band 802.11ac
        end
    next
end

6.2.2 release:

config wireless-controller wtp-profile
    edit [FAPU421EV-default | FAPU422EV-default | FAPU423EV-default]
        config radio-2
            set band 802.11ac
            set channel-bonding 160MHz    <==added
        end
    next
end

Add MPSK schedule that allows setting valid period for MPSK.

Previous releases:

config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
            next
        end
    next
end

6.2.2 release:

config wireless-controller vap
    edit [SSID Interface Name]
        set mpsk enable
        config mpsk-key
            edit [MPSK Entry Name]
                set passphrase 11111111
                set mpsk-schedules "always"    <==added
            next
        end
    next
end

Add GRE&L2TP support in WiFi.

Previous releases:

config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
    next
end

6.2.2 release:

config wireless-controller wag-profile    <==added
    edit [Profile Name]                   <==added
    next
end

config wireless-controller vap
    edit "80e_gre"
        set ssid "FOS-QA_Bruce_80e_gre"
        set local-bridging enable
        set vlanid 3135
        set primary-wag-profile "tunnel"    <==added
        set secondary-wag-profile "l2tp"    <==added
    next
end

 

Changes in default values

AntiVirus

Change AV scan mode from [quick | full] to [default | legacy]. The default value is set to default.

Previous releases:

config antivirus profile
    edit "profile_name"
        set scan-mode [quick | full]
    next
end

6.2.2 release:

config antivirus profile
    edit "profile_name"
        set scan-mode [default | legacy]    <==changed
    next
end

Log & Report

Change default value from disable to enable for some configuration options under fortianalyzer-cloud filter.

Previous releases:

config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly disable
    set voip disable
    set dlp-archive disable
    set filter ''
    set filter-type include
end

6.2.2 release:

config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic enable      <==changed
    set local-traffic enable        <==changed
    set multicast-traffic enable    <==changed
    set sniffer-traffic enable      <==changed
    set anomaly enable              <==changed
    set voip enable                 <==changed
    set dlp-archive disable
    set filter ''
    set filter-type include
end


System

After creating a new VDOM, add default certificates for ssl-cert and ssl-ca-cert under web-proxy setting.

Previous releases:

show web-proxy global
config web-proxy global
    set ssl-cert ''
    set ssl-ca-cert ''
    set proxy-fqdn "default.fqdn"
end

6.2.2 release:

show web-proxy global
config web-proxy global
    set ssl-cert 'Fortinet_Factory'      <==changed
    set ssl-ca-cert 'Fortinet_CA_SSL'    <==changed
    set proxy-fqdn "default.fqdn"
end

WiFi Controller

Change default LLDP setting in wtp-profile from disable to enable.

Previous releases:

config wireless-controller wtp-profile
    edit [FAP-Profile]
        set lldp disable
    next
end

6.2.2 release:

config wireless-controller wtp-profile
    edit [FAP-Profile]
        set lldp enable    <==changed
    next
end

The default channel-utilization setting in wtp-profile is changed from disable to enable.

Previous releases:

config wireless-controller wtp-profile
    edit [FAP Profile Name]
        config radio-1
            set channel-utilization disable
        end
        config radio-2
            set channel-utilization disable
        end
    next
end

6.2.2 release:

config wireless-controller wtp-profile
    edit [FAP Profile Name]
        config radio-1
            set channel-utilization enable    <==changed
        end
        config radio-2
            set channel-utilization enable    <==changed
        end
    next
end

Increase normal WTP capacity on high end FortiGates from 1024 to 2048.

Previous releases: FGT( 1000, end ) = 1024

6.2.2 release: FGT( 1000, end ) = 2048

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:
     • Current Product
     • Current FortiOS Version
     • Upgrade To FortiOS Version
  5. Click Go.

Device detection changes

In FortiOS 6.0.x, the device detection feature contains multiple sub-components, which are independent:

  • Visibility – Detected information is available for topology visibility and logging.
  • FortiClient endpoint compliance – Information learned from FortiClient can be used to enforce compliance of those endpoints.
  • MAC-address-based device policies – Detected devices can be defined as custom devices, and then used in device-based policies.

In 6.2, these functionalities have changed:

  • Visibility – Configuration of the feature remains the same as FortiOS 6.0, including FortiClient information.
  • FortiClient endpoint compliance – A new fabric connector replaces this, and aligns it with all other endpoint connectors for dynamic policies. For more information, see Dynamic Policy FortiClient EMS (Connector) in the FortiOS 6.2.0 New Features Guide.
  • MAC-address-based policies – A new address type is introduced (MAC Address Range), which can be used in regular policies. The previous device policy feature can be achieved by manually defining MAC addresses, and then adding them to the regular policy table in 6.2. For more information, see MAC Addressed-Based Policies in the FortiOS 6.2.0 New Features Guide.

If you were using device policies in 6.0.x, you need to migrate these policies to the regular policy table manually after the upgrade. After upgrading to 6.2.0:

  1. Create MAC-based firewall addresses for each device.
  2. Apply the addresses to the regular IPv4 policy table.
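Doing step 1 and step 2 by script rather than by hand, as an added example that is not part of these release notes and not Fortinet tooling. It takes a constructed inventory of device names and MAC addresses (the kind of list you would export from the 6.0.x custom-device table), normalises and validates every MAC, refuses names that could break out of the CLI's quoting or that are reused for a different MAC, and emits the config firewall address entries, an address group, and a regular IPv4 policy that uses the group as source. The field names set type mac, set start-mac and set end-mac are what I expect the 6.2 CLI to accept for a single-MAC range, and the interface names are placeholders; confirm both with the CLI's ? help on your own unit before pasting the output.

```python
"""Added example: generate FortiOS 6.2 CLI for migrating 6.0.x device
policies to MAC-based firewall addresses. Not Fortinet code."""
import re

# Constructed inventory for the example: (device name, MAC as exported).
SAMPLE_DEVICES = [
    ("printer-floor2", "00:11:22:33:44:55"),
    ("badge-reader-1", "00-11-22-AA-BB-CC"),   # Windows-style separators
    ("cctv-lobby", "001122ddeeff"),            # no separators at all
    ("printer-floor2", "00:11:22:33:44:55"),   # exact duplicate, emitted once
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError("malformed MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw):
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def check_name(name):
    """Names are emitted inside double quotes: refuse anything that could
    break out of them, and keep to a length the CLI accepts."""
    if not name or '"' in name or "'" in name or "\n" in name or len(name) > 79:
        raise ValueError("unsafe object name: %r" % name)
    return name


def mac_address_objects(devices):
    """One `config firewall address` entry of type mac per device.
    Field names (type mac, start-mac, end-mac) are assumed 6.2 CLI syntax."""
    entries = {}
    for name, raw in devices:
        mac = normalize_mac(raw)
        check_name(name)
        if entries.get(name, mac) != mac:   # same name, different MAC: refuse
            raise ValueError("name %r reused for a different MAC" % name)
        entries[name] = mac
    lines = ["config firewall address"]
    for name, mac in entries.items():
        lines += [
            '    edit "%s"' % name,
            "        set type mac",
            "        set start-mac %s" % mac,
            "        set end-mac %s" % mac,
            "    next",
        ]
    lines.append("end")
    return lines


def address_group(group_name, devices):
    """Group the objects so the policy references one name."""
    names = sorted({name for name, _ in devices})
    check_name(group_name)
    return [
        "config firewall addrgrp",
        '    edit "%s"' % group_name,
        "        set member " + " ".join('"%s"' % n for n in names),
        "    next",
        "end",
    ]


def policy(group_name, srcintf="internal", dstintf="wan1"):
    """Step 2: a regular IPv4 policy with the group as source address.
    Interface names are placeholders; `edit 0` lets the unit assign the ID."""
    return [
        "config firewall policy",
        "    edit 0",
        '        set name "migrated-device-policy"',
        '        set srcintf "%s"' % srcintf,
        '        set dstintf "%s"' % dstintf,
        '        set srcaddr "%s"' % group_name,
        '        set dstaddr "all"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "end",
    ]


def migration_script(devices=SAMPLE_DEVICES, group_name="migrated-devices"):
    return "\n".join(mac_address_objects(devices)
                     + address_group(group_name, devices)
                     + policy(group_name))


if __name__ == "__main__":
    print(migration_script())
```

Two caveats the generator cannot remove: a MAC address object only matches traffic whose source MAC the FortiGate can see, so it works for devices on a directly connected segment and not for hosts behind another router, and a MAC is trivially spoofable, so treat these policies as identification of known devices rather than authentication.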

 

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated. The FortiClient Compliance profile under the Security Profiles menu has been removed, as has the Enforce FortiClient Compliance Check option on each interface configuration page. Endpoints running FortiClient 6.2.0 now register only with FortiClient EMS 6.2.0, and compliance is accomplished through Compliance Verification Rules configured on FortiClient EMS 6.2.0 and enforced through firewall policies. As a result, there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License for their FortiClient EMS installation.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

The FortiClient 6.2.0 for MS Windows standard installer and zip package containing FortiClient.msi and language transforms and the FortiClient 6.2.0 for macOS standard installer are included with FortiClient EMS 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.2 greatly increases interoperability with other Fortinet products. This includes:

  • FortiAnalyzer 6.2.0
  • FortiClient EMS 6.2.0
  • FortiClient 6.2.0
  • FortiAP 5.4.4 and later
  • FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

When Security Fabric is enabled in FortiOS 6.2.2, all FortiGate devices must be running FortiOS 6.2.2.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.2 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.2 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

  • Email server (config system email-server)
  • Certificate (config vpn certificate setting)
  • FortiSandbox (config system fortisandbox)
  • FortiGuard (config log fortiguard setting)
  • FortiAnalyzer (config log fortianalyzer setting)
  • LDAP server (config user ldap)
  • POP3 server (config user pop3)
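The practical risk in this change is a directory, mail or POP3 server that still only speaks TLS 1.0 or 1.1: after the upgrade the FortiGate refuses the handshake and authentication or mail delivery silently stops. The following added example (mine, not Fortinet tooling) probes each peer with a client pinned to TLS 1.2 as both floor and ceiling, so anything that fails is exactly what will fail after the upgrade. The hostnames are placeholders and only implicit-TLS ports are probed; STARTTLS peers (SMTP on 25/587, LDAP on 389) need the application-layer STARTTLS exchange first and are out of scope for a raw handshake.

```python
"""Added example: find peers that cannot negotiate TLS 1.2 before the upgrade
raises the FortiGate's minimum to it. Not Fortinet tooling."""
import socket
import ssl
from collections import namedtuple

Probe = namedtuple("Probe", "host port ok detail")


def tls12_only_context():
    """Client context pinned to TLS 1.2 as both floor and ceiling, so the
    handshake succeeds only if the peer will keep working after the upgrade.
    Certificate checks are off because this probes protocol support, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls12(host, port, timeout=5.0):
    """ok=True: the peer negotiated TLS 1.2. ok=False: detail says whether the
    TCP connection failed or the TLS handshake was rejected (a TLS 1.0/1.1-only
    peer typically answers with a 'protocol version' alert)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with tls12_only_context().wrap_socket(sock, server_hostname=host) as tls:
                return Probe(host, port, True, tls.version())
    except ssl.SSLError as exc:          # handshake reached the peer but failed
        return Probe(host, port, False, "tls: %s" % (exc.reason or exc))
    except OSError as exc:               # refused, timed out, unresolvable, blocked
        return Probe(host, port, False, "connect: %s" % exc)


# Constructed inventory mirroring the FortiOS settings listed above.
# Hostnames are placeholders; replace them with your own peers.
PEERS = [
    ("ldaps.example.internal", 636),   # config user ldap
    ("smtps.example.internal", 465),   # config system email-server
    ("pop3s.example.internal", 995),   # config user pop3
]


def report(peers=PEERS, timeout=5.0):
    """Return only the peers that would break, so the fix is known before the
    maintenance window."""
    results = [probe_tls12(h, p, timeout) for h, p in peers]
    return [r for r in results if not r.ok]


if __name__ == "__main__":
    for r in report():
        print("%s:%d needs attention (%s)" % (r.host, r.port, r.detail))
```

For a peer that fails with a TLS-level reason, the right fix is to enable TLS 1.2 on that server; the per-service override the note above mentions (lowering ssl-min-proto-version on just that one config user ldap or config system email-server entry) re-exposes that single session to downgrade and should be a documented, temporary exception rather than the upgrade plan.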

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • admin user account
  • session helpers
  • system access profiles

Amazon AWS enhanced networking compatibility issue

FortiOS 6.2.2 runs the AWS enhanced networking NIC driver, and this introduces a compatibility issue with older FortiGate VM versions on AWS: after downgrading a 6.2.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.2 to older versions, running the enhanced NIC driver is not allowed. The following AWS instance types are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interfaces of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.2, the interface allowaccess configuration on all managed FortiSwitches is overwritten by the default FortiGate local-access profile. You must manually add your protocols to the local-access profile after upgrading to 6.2.2; include only the protocols you actually use to manage the switch.

To configure a local-access profile:

config switch-controller security-policy local-access
    edit [Policy Name]
        set mgmt-allowaccess https ping ssh
        set internal-allowaccess https ping ssh
    next
end

To apply the local-access profile to a managed FortiSwitch:

config switch-controller managed-switch
    edit [FortiSwitch Serial Number]
        set switch-profile [Policy Name]
        set access-profile [Policy Name]
    next
end

FortiGate VM with V-license

This version allows a FortiGate VM with a V-License to enable split-vdom.

To enable split-vdom:

config system global
    set vdom-mode [no-vdom | split-vdom]
end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
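Checking the downloaded image against that portal value before uploading it, as an added example that is not Fortinet tooling. It hashes the file in chunks (images are hundreds of megabytes), validates that the pasted expected value really is a 32-hex-digit MD5 so a blank or a copied SHA-256 fails loudly instead of never matching, and compares case-insensitively. The image bytes in the demo are a constructed stand-in, so their checksum is computed locally rather than copied from the portal.

```python
"""Added example: verify a downloaded FortiOS image against the checksum
published on the support portal before uploading it. Not Fortinet tooling."""
import hashlib
import hmac
import os
import tempfile

_HEX = set("0123456789abcdef")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large image is never read into
    memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def bytes_digest(data, algorithm="md5"):
    return hashlib.new(algorithm, data).hexdigest()


def is_well_formed_md5(value):
    value = value.strip().lower()
    return len(value) == 32 and set(value) <= _HEX


def verify_image(path, expected_md5):
    """True when the file's MD5 equals the portal value. A malformed expected
    value is an error, not a mismatch, so an operator mistake is visible."""
    if not is_well_formed_md5(expected_md5):
        raise ValueError("expected checksum must be 32 hex digits (MD5)")
    expected = expected_md5.strip().lower()
    return hmac.compare_digest(file_digest(path, "md5"), expected)


def demo():
    """Constructed stand-in for an image file (not a real FortiOS .out)."""
    with tempfile.NamedTemporaryFile(suffix=".out", delete=False) as fh:
        fh.write(b"placeholder image bytes for the checksum example\n" * 4096)
        path = fh.name
    try:
        portal_value = file_digest(path, "md5").upper()   # case must not matter
        return {
            "matches": verify_image(path, portal_value),
            "tampered": verify_image(path, "0" * 32),
            "sha256": file_digest(path, "sha256"),        # keep for your own records
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

An MD5 match catches a truncated or corrupted download; it does not prove authenticity, because MD5 is not collision-resistant and an attacker who can substitute the image on the wire could substitute the published checksum too. The TLS session to support.fortinet.com is what anchors where both came from, so fetch the image and the checksum from the portal itself rather than from a mirror.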

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard
    set update-server-location [usa | any]
end

FortiView widgets

FortiView widgets have been rewritten in 6.2.2. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product integration and support

The following table lists FortiOS 6.2.2 product integration and support information:

Web Browsers
  • Microsoft Edge 41
  • Mozilla Firefox version 59
  • Google Chrome version 65
  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 41
  • Mozilla Firefox version 59
  • Google Chrome version 65
  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  See important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer
  See important compatibility information in Fortinet Security Fabric upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient (Microsoft Windows, Mac OS X, Linux)
  • 6.2.0
  See important compatibility information in FortiClient Endpoint Telemetry license and Fortinet Security Fabric upgrade.
  FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.
  If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS
  • 6.2.0 and later

FortiClient Android and FortiClient VPN Android
  • 6.2.0 and later

FortiAP
  • 5.4.2 and later
  • 5.6.0 and later

FortiAP-S
  • 5.4.3 and later
  • 5.6.0 and later

FortiAP-U
  • 5.4.5 and later

FortiAP-W2
  • 5.6.0 and later

FortiSwitch OS (FortiLink support)
  • 3.6.9 and later

FortiController
  • 5.2.5 and later
  Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0282 and later (needed for FSSO agent support of OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2016 Core
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 Core
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2008 Core
  • Novell eDirectory 8.8

FortiExtender
  • 3.2.1

AV Engine
  • 6.00132

IPS Engine
  • 5.00035

Virtualization Environments

Citrix
  • XenServer version 5.6 Service Pack 2
  • XenServer version 6.0 and later

Linux KVM
  • RHEL 7.1/Ubuntu 12.04 and later
  • CentOS 6.4 (qemu 0.12.1) and later

Microsoft
  • Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016

Open Source
  • XenServer version 3.4.3
  • XenServer version 4.1 and later

VMware
  • ESX versions 4.0 and 4.1
  • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series – SR-IOV
  The following NIC chipset cards are supported:
  • Intel 82599
  • Intel X540
  • Intel X710/XL710

Language support

The following table lists language support information. The GUI is available in these languages:

  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system and installers

Operating System
  • Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit)

Installer
  • 2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Microsoft Windows 7 SP1 (32-bit & 64-bit)
  • Mozilla Firefox version 61
  • Google Chrome version 68

Microsoft Windows 10 (64-bit)
  • Microsoft Edge
  • Mozilla Firefox version 61
  • Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit)
  • Mozilla Firefox version 54

OS X El Capitan 10.11.1
  • Apple Safari version 11
  • Mozilla Firefox version 61
  • Google Chrome version 68

iOS
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

Android
  • Mozilla Firefox
  • Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following tables list the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360™ Version 4.0
  • Norton™ Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved issues

The following issues have been fixed in version 6.2.2. For inquiries about a particular bug, please contact Customer Service & Support.

New features or enhancements

Bug ID Description
457153 Support for SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication.
538760 Monitor API to check SLBC cluster checksum status. New API added – monitor/system/configsync/status.
544704 FortiOS support for 802.11ax FortiAP-U431F/U433F.
550912 Support for link aggregation (LACP) on entry-level FortiGate is extended to all two-digit entry-level models: FGR-30D, FGR-35D, FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E.
554965 IPv6 is supported in communication between the following:
  • Collector agent and FortiGate
  • Collector agent and DC_agent
  • Collector agent and terminal server agent

AntiSpam

Bug ID Description
559802 Spam mail can’t be checked by antispam filter on SMTP protocol.

AntiVirus

Bug ID Description
545381 When proxy-av is configured for firewall policy, FTP file upload is stopped.
553143 Redundant logs and alert emails sent when file is sent to FortiSandbox Cloud via Suspicious Files Only.
561524 Cannot send an email with PDF attachment when FortiSandbox Cloud Inspection is enabled.
562037 CDR does not disarm files when they are sent over HTTP POST, even though AV logs show the file has been disarmed.
575177 Advanced Threat Protection Statistics widget clean file count is incorrect.
580212 Policy in flow mode blocking Adobe creative cloud desktop application.

Application Control

Bug ID Description
558380 AppCtl does not detect application with webproxy-forward-server.

DNS Filter

Bug ID Description
567172 Enforcing Safe Search in 6.0.5 blocks access to Google domains which makes Safe Search not work.
578267 DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.
581778 Cannot re-order DNS domain filter list.

Data Leak Prevention

Bug ID Description
522472 DLP logs have a wrong reference link to archived file.
540317 DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.
570379 DLP only detects the first word of filename.

Explicit Proxy

Bug ID Description
543794 High CPU due to WAD process.
552334 Website does not work with SSL Deep inspection due to OCSP validation process.
557265 Browser redirect loop after re-authentication when using proxy-re-authentication-mode absolute.
561843 AppCtl does not scan traffic that is forwarded to an upstream proxy.
564582 Explicit proxy policy treats domain.tld in FQDN firewall address object as wildcard.
567029 WAD crashes at crypto_kxp_xform_block_enc when WAD is restarted while visiting a website after an authentication.
571034 Using disclaimer causes incorrect redirection.
572220 Unable to match the expected firewall proxy-policy when dstint is set to Zone where Zone member has PPPoE interface.
577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

Firewall

Bug ID Description
539421 Load Balance monitor stats reset after mode change.
540949 Health status of standby server in server load balance not available in GUI or CLI.
545056 Firewall should not be evaluated when an interface bandwidth widget is added to the dashboard.
552329 NP6 sessions dropped after any change in GUI.
554329 Schedule policy is not activated on time.
558689 Traffic dropped by anti replay in ECMP with IPS.
558690 Session timer left at half-open value once established in an ECMP with IPS context.
563471 HTTP load balancing doesn’t work after rebooting in Transparent mode.
563928 SFTP connection failure when SSH DPI and app-ctrl are enabled.
564990 Captive-portal-exempt is not supported in consolidated policy.
566951 Unexpected reverse path check failure on IPv6.
570468 FortiGate randomly not processing some NAT64 packets.
570507 Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

571022 SNAT before encryption in policy-based VPN for local traffic after upgrade from 5.6.8 to 6.0.5.
571832 Provide different protocol/port list when the same ISDB object is used as source/destination.
577752 Policy with a VIP with a destination interface of a zone is dropping packets.

FortiView

Bug ID Description
527540 Cannot click the Quarantine Host option on a registered device.
537819 FortiView All Sessions page: tooltip of geography IP show ‘undefined’.
553627 FortiView pages cannot load with Failed to retrieve FortiView data.

GUI

Bug ID Description
445074 The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

479692 GUI shows error Image file doesn’t match platform even when the user is uploading correct image.
486230 GUI on FGT3800D with 5.6.3 is very slow – configuration with numerous policies.
493704 While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.
502740 Remove GUI instructions for Dialup-FortiClient VPN.
504829 GUI should not log out if there is 401 error on downstream device.
513157 Cannot filter on hit count “0” for policy match.
523403 GUI Protocol Port Mapping configuration should be rejected when an invalid port number such as -1 is entered.
526254 Interface page keeps loading when a VDOM admin has netgrp permission.
528649 vpngrp read or read-write access profile doesn’t work properly.
540056 Error message enhancement while creating packet capture in GUI with filter set to high port range.
540737 Should show a warning and block the user from using the no-inspection SSL/SSH profile when any UTM profile is used.
543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+emailcollection.
543637 Not able to filter the policy by multiple ID.
544313 GUI SD-WAN Monitor page keeps loading.
548653 SSO_admin (super_admin) can’t open CLI window from GUI. Error says too many concurrent connection.
552552 Personal Privacy in FortiGuard category based filter mistranslated.
555121 Context menu of AP Group has unsupported actions enabled after change view on Managed FortiAPs page.
559799 Webhook automation host header incorrect.
560430 Some app-category cannot be listed on security policy editing page and get JS error.
561334 GUI SSID main passphrase and MPSK minimum length should be flexible according to new “wfacompatibility” setting.
563053 Warning message for third-party transceivers were removed for 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-added the warning for third-party transceivers.
563445 Upgrade NGFW VDOM from v6.2.0, security policy should support virtual-wan-link interface.
564201 After OSPF change via GUI, password for virtual-link will completely disappear and must be reentered.
564601 Remove the license requirement to upload FortiGuard packages through the GUI when in USG mode.
565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.
566666 AP comments do not appear on the columns for Managed AP page.
568176 GUI response is very slow when accessing Route-Monitor page in GUI.
569080 SD-WAN rule GUI page doesn’t show red exclamation mark for DST-negate enabled, like firewall policy.
569259 Fabric SAML with FortiManager management. Downstream FortiGate login with SAML super admin only have read-only access on most pages.
571674 GUI config changes generate misleading config event logs.
571828 GUI admin password injected as PSK when adding phase2 configuration on Chrome.
572027 In Log View/FortiView, GUI cannot list logs from FortiAnalyzer on FGT/FWF boxes.
573070 Interface widget not loading fully (keeps spinning) when a VDOM “prof_admin” is used.
573869 Log search index files are never deleted when the logdisk is out of space.
574239 AWS/AWSONDEMAND missing dropdown selection box for HTTPS server and WiFi certificates in GUI.
575756 Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.
579259 Firewall User Monitor shows “Failed to retrieve info” and no entries if session-based proxy authentication is used.
583760 After adding few Web Rating Overrides via GUI to an already existing long list of URIs, Web Rating Overrides page is not loaded and keeps spinning.

HA

Bug ID Description
543602 Unnecessary syncing process started during upgrade when it takes longer.
554187 HA slave gets FW Signature un-certified after upgrading image from the master.
555056 Enable 2-factor using vcluster in GUI gets overwritten (sync) by slave.
555998 Load balanced (A-A) slave-session doesn’t forward traffic after session is dirtied due to FortiManager policy install.
557277 FortiGate FGSP configured with standalone-config-sync syncs the FortiAnalyzer source-IP configuration to the slave.
557473 FGSP found checksum mismatch after replaced one of the units in the cluster.
559172 VLAN in VDOM in virtual cluster not showing virtual MAC for the vcluster.
560096 Restoring config fails on slave when using TACACS+ (master OK).
560107 Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal.
563551 HASYNC aborts on slave unit.
569629 HA A-A local FQDN not resolving on slave unit.
574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.
575715 Unable to sync the Local-GW in FGSP.
576638 HA cluster GUI change does not send logs to the slave immediately.
577115 Master unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of master and slave does not contain the same VIP.

Intrusion Prevention

Bug ID Description
545823 Creating/editing a DoS-Policy takes a long time. GUI hangs or displays Error 500: Internal Server Error.
561623 IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

IPsec VPN

Bug ID Description
449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.
537450 Site-to-site VPN policy based with DDNS destination fail to connect.
553759 ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.
558693 FW90D VPN becomes unresponsive after changing VPN DDNS/Monitor.
559180 The command include-local-lan gets disabled after firewall is rebooted.
560223 Add support for EdDSA certificates for proxy-based deep-inspection / virtual-server when using TLS 1.3. This is resolved by: 0560223, 0561319, 0561820, 0561821, 0561822, 0561823, 0564510.
564237 After configuring SD-WAN and creating SD-WAN rule based on bandwidth criteria, the bandwidth value for tunnel interface is not calculated correctly.
569586 IPsec certificate based IKEv2 VPNs fail to read out certificate subject as username if ECC certificate is involved.
571209 Traffic over VLAN sub-interface pushed through the IPsec policy based VPN interface.
574115 PKI certificates with OU and/or DC as subject fail for PKI user filters.
575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.
577502 OCVPN cannot register – status ‘Undefined’.

Log & Report

Bug ID Description
387294 Country flags in Botnet C&C table and Top Destinations by Bandwidth table are all missing.
545948 FortiGate periodically stops sending syslog messages.
551459 srcintf is unknown-0 in traffic log for service DNS when action is IP connection error.
556199 No logs are generated when using local-in policy on ha-mgmt interface.
558702 miglogd not working until sysctl killall miglogd. Reboot does not help.
565216 Memory of miglogd increase and enter conserve mode.
565505 miglogd high CPU utilization.
566843 No log generated when traffic is blocked by setting tunnel-non-http in webproxy.
568795 Specific traffic type is not logged on FAZ/Memory.
576024 Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

Proxy

Bug ID Description
457347 WAD crashes in wad_http_client_body_done when ICAP is enabled.
544414 WAD handles transparent FTP/FTPS traffic.
551119 Certificate blacklist not working correctly in proxy mode.
559166 In firmware 6.0.5, WAD CPU usage on all cores reaches 100% in each around 30s.
562610 FortiGate generates WAD crash wad_mem_malloc.
563154 Can’t open a particular web page via explicit proxy with deep inspection and webfilter profile enabled.
566859 In WAD conserve mode 5.6.8, max_blocks value is high on some workers.
567796 WAD constantly crashes every few seconds.
567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address is exempt.
568905 WAD crashes due to RCX null.
572489 SSL handshake sometimes fail due to FortiGate replying back FIN to client.
573340 WAD causing memory leak.
573721 For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.
573917 Certain web pages time out.
574171 Fail to connect https://drive.google.com by TLS 1.3.
574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.
579400 High CPU with authd process caused by WAD parsing multiple-line content-encoding error and IPC broken between wad and authd.
581865 In proxy inspection with application control and certificate inspection, TLS error for certain web pages, in Edge browser only.
582714 WAD might leak memory during SSL session ticket resumption.
583736 WAD application crashing in v6.2.1.

REST API

Bug ID Description
566837 HTTPSD process crashes when using REST API.

Routing

Bug ID Description
558979 ECMP-based session with auxiliary session and IPS is not offloaded in reply direction.
559645 Creating static route from GUI should set Dynamic Gateway disabled by default.
560633 OSPF route for AD-VPN tunnel interface flaps.
562159 ADVPN OSPF unable to ping over ADVPN linknet.
567497 FortiGate sends PIM register messages to RP for group 64.0.0.0 about nonexistent sources.
570686 FortiOS 6.2.1 introduces asymmetric return path on the HUB in SD-WAN after the link change due to SLA on the spoke.
571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.
573789 OSPF with virtual clustering not learning routes.
578623 Gradual memory increase with full BGP table.
581488 BGP confederation router sending incorrect AS to neighbor-group routers.

SSL VPN

Bug ID Description
476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.
478957 SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.
481038 Web application is not loading through SSL VPN portal.
491733 When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_ f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.
496584 SSL VPN bad password attempt causes excessive bind requests against LDAP and lockout of accounts.
515889 SSL VPN web mode has trouble loading internal web application.
525172 A web application accessed through SSL VPN web mode triggers Error 500 on Java server.
530509 Invalid HTTP Request when SMB via SSL VPN bookmark is executed with MS Server 2016, but works fine with MS server 2008R2.
531848 FortiSIEM WebGUI does not load on web portal.
537341 SSL bookmark is not loading SAP portal information.
545177 Web mode fails for SharePoint page.
549654 Citrix bookmarks should be disabled in SSL VPN portal.
549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
551695 Office365 applications through SSL VPN bookmarks.
555344 Downloading PDF file through SSL VPN portal.
555611 SSL VPN web mode web forward not working for video camera system after upgrade to 6.0.4.
556657 Internal website not working through SSL VPN web mode.
558076 In firmware 6.2.0, RDWeb (Windows Server 2016) via SSL web portal does not work.
558080 McAfee ESM 11 display issues in SSL VPN web portal.
558473 For FG-200E, after upgrading from 6.0.4 to 6.2.0, SSL VPN HTTPS bookmark does not load (Secure Connection Failed).
559171 With SSL VPN web mode unable to get dropdown menu from internal web page.
559785 FortiMail login page with SSL VPN portal not displaying correctly.
560505 SharePoint 2019 page access fails using web mode.
560730 SSL VPN web mode SSO doesn’t work for some site like FAc login.
560747 The referer header is not correct, and some files are not loaded properly.
561585 SSL VPN doesn’t correctly show Windows Admin center application.

 

563147 Connection to internal portal freezes when using SSL VPN web bookmark.
563798 Redirect in bookmark is not loading.
564850 Object from CARL source not showing through SSL VPN web mode.
564871 SSL VPN users create multiple connections.
567182 In SSL VPN web mode, videos on internal website won’t display.
567626 SSL VPN still allows password expired users to change password and get access.
567628 SSL VPN banned-cipher SHA256 not completely working.
567987 In SSL VPN web mode, RDP disconnects when copying long text from remote to local.
568481 Internal website using java is not accessed using SSL VPN web mode.
568838 Internal website not working through SSL VPN web mode.
569030 SSL VPN tunnel mode can only add split tunneling of user’s policy with groups and its users in different SSL VPN policies.
569711 Error for proxy ssh database through SSL VPN.
570445 CMAT application through SSL VPN not working properly.
570620 SSL VPN web mode does not work properly for the website using JavaScript.
571005 NextCloud through SSL VPN behaving strangely.
571479 Cannot access sub-menus from the internal main website through the bookmark when using SSL VPN web mode.
571721 Local portal adzh-srop-nidm02.intern.cube.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode.
573527 SSL web portal CSP v3 compatibility issue.
573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (Tunnel mode is OK).
574724 SSL VPN conserve mode on FWF-30E when FortiGate unit enters memory less than 25%.
575248 Synology DSM login page is not displayed when accessed via SSL VPN bookmark or connection tool.
575259 SSL VPN connection is being dropped intermittently.
576013 The SSL VPN web mode webserver link is not rewritten correctly after login.
576288 VIP customer – FSSO groups set in rule with SSL VPN interface.
578581 SSL web mode VPN portal freezing when opening some websites using JavaScript.
580182 The EOASIS website is not displayed properly using SSL VPN web mode.
580384 SSL VPN web mode not redirecting URL as expected after successful login.
581863 Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name ‘NLYTE’ not getting authentication page.
582115 Third-party (Ultimo) web app does not load over SSL VPN web portal.
582161 Internal web application is not accessible through web SSL VPN.

Switch Controller

Bug ID Description
557280 Need to add FSW port information on Security Fabric and device inventory the same as before 6.0.4.
563939 802-1X timer reauth-period option 0 doesn’t work.

System

Bug ID Description
423311 200E/201E software switch span function does not work.
470875 OID seems to be COUNTER32 instead of GAUGE32.
498599 Can’t create loopback interface by VDOM admin if there’s no physical interface in VDOM.
520283 Can’t show global setting when VDOM admin run exec tac report command.
531675 SFP ports do not link down when SFP cat5 interface status of FortiGate on the other side goes down.
539970 Kernel panic on HA pair of 301E.
540083 Partial traffic outage with softirq on 100%.
545449 IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled.
550206 Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (100E, 140E, 3600D, 3800D).
551281 process_tunnel_timeout_notify:377, send timeout notify message error -1 1 message printed in console.
556408 Aggregate link doesn’t work for LACP mode active for 60E internal ports but works for wan1 and wan2 combination.
557172 When there are many application-control based Internet-service entries in SD-WAN, system performance is affected by high CPU usage of softirq.
557527 FortiGate as L2TP client does not negotiate correctly.
557798 High memory utilization caused by authd and WAD processes.

 

559467 Support four DNS records inside DHCP offer.
560411 3980E unresponsive with millions of sessions in TIME_WAIT.
560686 4x10G split-port does not work on FG-3700D rev 2.
561097 SD-WAN rule corrupted on reboot after ISDB update.
561234 FG-800D shows wrong HA, ALARM LED status.
561929 REST API cmdb/router/aspath-list is not inserting new values.
562049 TLS 1.3 resumption and Pre-Shared Key (PSK) fail if Hello Retry Request is received.
563232 Authorization fails when 0.0.0.0/0 is listed as the trusted host.
563497 The trust-ip-x feature on interface does not work.
564184 Split DNS not working. CNAME fails to resolve.
564579 Updated crash signal 14, object creation not allowed from cli errno=Resource temporarily unavailable.
564911 DHCPDISCOVERY NATed with TP management IP when sent to NAT VDOM.
565291 SD-WAN rule doesn’t work with nested firewall address group selected as source or destination.
565296 Wrong configuration transmitted by FOS to FortiManager under certain conditions.
565631 DHCP relay sessions are removed from the session table after applying any config change.
567487 CPU goes to 100% when modifying members of an addrgrp object.
567504 Speed test breaks the cluster.
568215 Kernel bug at net/core/skbuff.
569652 High memory utilization after FortiOS and IPSengine upgrade.
570227 FortiGate is not selecting an NTP server that has a clock time in the majority clique of other NTP servers.
570834 STP (Spanning Tree) flapping.
571207 DHCP with manual address does not provide subnetmask in DHCP ACK.
572411 Timezone for Canary Islands is missing.
572428 lldptx – Application Crashed – Signal 11 Segmentation Fault.
572707 Configuration is corrupted when restoring a VDOM.
572763 softirq causing high CPU when session increase in an acceptable way.
573177 GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.
574086 Kernel panic occurs after upgrading from 6.2.0 to 6.2.1.
574110 When adding an admin-down interface as a member of an aggregate interface, it shows up and processes the traffic.
574327 FortiGate CSR traffic to SCEP srv generated from the root VDOM instead of the VDOM we create the CSR.
574991 FortiGate can’t extract the user principal name UPN from user certificate when certificate contains UPN and additional names.
576063 Crashlog keeps having cid could not load sigs after FortiGate is authed into FortiManager.
577047 FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.
577302 Virtual WAN Link process (vwl) memory usage keeps increasing after upgrading to 6.2.1.
578531 forticldd daemon resolved mgrctrl1.fortinet.com to wrong IP address.
578746 FortiGate does not accept FortiManager created country code and causes address install fails.
579524 DHCP lease is not stable and dhcpd process crashes.
580185 authd4 crashes when deleting a VDOM or rebooting the FortiGate.
580883 DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.
582547 fgfmsd crash makes connection to FortiManager go down.

Upgrade

Bug ID Description
550410 Cannot edit addrgrp which includes wildcardfqdn object after upgrade from v5.6.x.
556002 Some firewall policies were deleted after upgrade from FOS 6.0.4 to FOS 6.2.0.
558995 L2 WCCP stops working after upgrade to FOS 6.0.3 or newer.
562444 The firewall policy with internet-service enabled was lost after upgrade from 6.0.5.
580450 Policies removed after an upgrade in NGFW Policy Mode: maximum number of entries has been reached.

User & Device

Bug ID Description
547657 Disclaimer+Auth Guest portal RADIUS auth failing due to FAC trying to resolve 3rd party websites as access-points.
549394 fnbamd crashes frequently.
558332 CoA from FAC is not working for FortiGate wired interface based captive portal.
561289 User-based Kerberos Authentication not working in new VDOM.
561610 src-vis process memory leak.
562185 Disclaimer redirection to IP instead of FQDN results in Certificate/SSL warning.
562861 RADIUS CoA (disconnect request) not working with use-management-vdom.
567990 Hard-timeout setting not working for captive portal.
564290 FOS can’t collaborate web-cache with FortiProxy successfully.

VM

Bug ID Description
524052 Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.
561083 VPN tunnels not coming up after HA failover in GCP.
561909 Azure SDN connector try querying invalid FQDN when using Azure Stack Integrated systems.
567137 VM in Oracle cloud has 100% CPU usage in system space.
570176 HA cluster multi AZ does not failover IPsec VPN in AWS with TGW.
571652 OCI SDN connector gets HTTP response err:500 when enabling use-metadata-iam.
573952 FGT-VM with network driver vmxnet3 has lots of fragments when testing throughput.
575400 In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.
578727 FGTVM_OPC unable to failover the route properly during failover.
578966 OpenStack PCI passthrough sub-interface VLAN cannot receive traffic.
580738 In the cluster setup, the slave unit can have a different fingerprint for the OCI SDN connector, which can cause the unit to fail to connect to the OCI metadata server properly.
580911 EIP assigned to the secondary IP address on OCI does not fail over during HA failover.
577856 Add missing AWS HA failover error log and set firewall.vip/vip46/vip6/vip64 not sync’ing when cross zone HA is configured.

VoIP

Bug ID Description
570430 SIP ALG generates a VoIP session with wrong direction.
580588 SDP information fields are not being natted in Multipart Media Encapsulation traffic.

WanOpt Web Filter

Bug ID Description
356487 When central-management is NONE, include-default-servers setting is not honored by rating.
549928 Block page images not loading for web sites protected by HSTS.
551956 Proxy web filtering blocks innocent sites due to urlsource=”FortiSandBox Block”.
565952 Proxy-based Webfilter breaks WCCP traffic.

WiFi Controller

Bug ID Description
540027 FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.
569966 WPA2-Enterprise SSID authentication cannot utilize the source IP setting in RADIUS server configuration.
570745 FAPs detecting BSSIDs of other FAPs managed by the same WC as Fake-ap-on-air.
573024 FAP cannot be managed by FortiGate when admin trusthost is configured.

 

Known issues

The following issues have been identified in version 6.2.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Data Leak Prevention

Bug ID Description
586689 Downloading a file with FTP client in EPSV mode will hang.

DNS Filter

Bug ID Description
586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

FortiView

Bug ID Description
582341 Fortiview > policies: Consolidate policy without name and tooltips, Security policy with tooltips are not working.

GUI

Bug ID Description
282160 GUI does not show byte info for aggregate and VLAN interface.
438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
480731 Interface filter get incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
510685 Hardware Switch Row is shown, indicating a number of interfaces but without any interfaces below.
514632 Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
537307 Gets “Fail to retrieve info” for ha-mgmt-interface on GUI > interface page.
540098 GUI does not display the status for VLAN and loopback under status column at Network > interfaces.
541042 Log viewer Forward Traffic cannot support double negate filter (client side issue).
542544 In Log & Report, filtering for blank values (None) always show no results.
553290 The tooltip of VLAN interface displays Failed to retrieve info on GUI.
557786 GUI response is very slow when accessing IPSec-Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via management tunnel.
565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
573456 FortiGate without disk Email Alert Settings page should remove Disk usage exceeds option.
574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.
579711 An error occurs while running Security Rating.
583049 Internal Server Error while trying to create new interface.
584939 VPN event logs show incorrectly when adding two action filters and if the action filter contains “-”.
586749 Enable/Disable Disarm and Reconstruction on GUI only takes effect on SMTP protocol in AV profile.

Proxy

Bug ID Description
573028 WAD crashes causing traffic interruption.
575224 WAD – high memory usage from worker process causing conserve mode and traffic issues.

HA

Bug ID Description
479780 Slave fails to send and receive HA heartbeat on config cfg-revert setting on FGT2500E.
575020 HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906 HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync but VDOM state work/standby doesn’t change.

IPsec VPN

Bug ID Description
582251 IKEv2 with eap auth peerid validation doesn’t work.

REST API

Bug ID Description
584631 REST API admin with token unable to configure HA setting (via login session can work).

Security Fabric

Bug ID Description
578268 Downstream device shows offline.
586587 Security Fabric widget keeps loading when FortiSwitch is in a loop or two FortiSwitches are in MCLAG mode.
587758 Invalid CIDR format shows as valid by Security Fabric threat feed.

SSL VPN

Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022 SSL VPN LDAP group object matching only matches the first policy, which isn’t consistent with normal firewall policy.
585754 An SSL VPN bookmark failed to load the GUI of proxmox GUI interface.

Switch Controller

Bug ID Description
581370 FortiSwitch managed by FortiGate not updating RADIUS settings and user group in the FortiSwitch.
586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.

System

Bug ID Description
464340 EHP drops for units with no NP_SERVICE_MODULE.
484749 TCP traffic with tcp_ecn tag cannot go through ipip IPv6 tunnel with NP6 offload enabled.
555616 TCP packets send wrong interface and high CPU.
562212 Management tunnel to devices goes down and cannot reclaim tunnel; so policy pushes get stuck.
570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.
573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
575013 Errors in the FortiGate’s CLI 8 debug, when FortiManager is obtaining the HA status and mgmtdata status, if ha-mgmt-status enabled.
581998 Session clash event log found on FG-6500F when passing a lot of same source IP ICMP traffic over Load balance VIP.

User & Device

Bug ID Description
569062 fnbamd takes high CPU usage and user cannot authenticate.

VM

Bug ID Description
579013 FortiGate HA failover fails in Azure stack due to invalid authentication token tenant.
579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
587180 FGTVM64_KVM is unable to boot up properly when doing a hard reboot with the host.
587757 FG-VM image unable to be deployed on AWS with additional disk of type HDD(st1).

WiFi Controller

Bug ID Description
555659 When FAP is managed across VDOM links, WiFi client can’t join SSID when auto-asicoffload is enabled.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
      • XVA (recommended)
      • VHD
      • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import issues may arise when using the QCOW2 format, in addition to existing HDA issues.

Introduction to AppCtrl sensors

FortiGate units can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. Application control supports detection for traffic using the HTTP protocol (versions 1.0, 1.1, and 2.0).

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

An application control sensor has one or more options/entries configured that examine the application traffic for:

  • Application category
  • Application signature ID
  • Filters overrides
  • Custom signature
  • Default port service
  • Default network service

When selecting the app category, signature, or filter that you intend to work with, the following actions can be set to the specific entry:

  • Allow: App traffic will be allowed and no logs are recorded.
  • Monitor: The entry match is allowed and logged.
  • Block: Traffic matching the entry will be blocked.
  • Reset: The session will be dropped and a new session will be started.
  • Quarantine IP address: Traffic matching the entry will be blocked. The client initiating the traffic will be source-IP banned.
  • Shaper/Per-ip-shaper: Max-bandwidth and guaranteed-bandwidth values can be set to limit the link speed.

Security Profiles – AntiVirus – FortiOS 6.2

AntiVirus

Content disarm and reconstruction for AntiVirus

Introduction

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files (disarm) by removing active content such as hyperlinks, embedded media, JavaScript, macros, etc. from the files without affecting the integrity of their textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.

Support and limitations

  • CDR can only be performed on Microsoft Office Document and PDF files.
  • Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
  • SMTP splice and client-comfort mode is not supported.
  • CDR does not work on flow based inspection modes.
  • CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:

  1. Go to Security Profiles > AntiVirus.
  2. Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox.

Quarantine location Description
Discard The default setting, which discards the original document file.
File Quarantine Saves the original document file to disk (if possible) or to a connected FortiAnalyzer, based on the FortiGate’s log settings, visible through Config Global > Config Log FortiAnalyzerSetting.
FortiSandbox Saves the original document file to a connected FortiSandbox.

To fine tune CDR detection parameters in the FortiGate CLI:

  • Select which active content to detect/process. By default, all active Office and PDF content types are enabled. To fine-tune CDR to ignore certain content, disable that particular content parameter. The example below configures CDR to ignore Microsoft Office macros.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set ?
original-file-destination   Destination to send original file if active content is removed.
office-macro                Enable/disable stripping of macros in Microsoft Office documents.
office-hylink               Enable/disable stripping of hyperlinks in Microsoft Office documents.
office-linked               Enable/disable stripping of linked objects in Microsoft Office documents.
office-embed                Enable/disable stripping of embedded objects in Microsoft Office documents.
office-dde                  Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action               Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
pdf-javacode                Enable/disable stripping of JavaScript code in PDF documents.
pdf-embedfile               Enable/disable stripping of embedded files in PDF documents.
pdf-hyperlink               Enable/disable stripping of hyperlinks from PDF documents.
pdf-act-gotor               Enable/disable stripping of PDF document actions that access other PDF documents.
pdf-act-launch              Enable/disable stripping of PDF document actions that launch other applications.
pdf-act-sound               Enable/disable stripping of PDF document actions that play a sound.
pdf-act-movie               Enable/disable stripping of PDF document actions that play a movie.
pdf-act-java                Enable/disable stripping of PDF document actions that execute JavaScript code.
pdf-act-form                Enable/disable stripping of PDF document actions that submit data to other targets.
cover-page                  Enable/disable inserting a cover page into the disarmed document.
detect-only                 Enable/disable only detect disarmable files, do not alter content.
FGT_PROXY (content-disarm) # set office-macro disable
FGT_PROXY (content-disarm) #

  • Detect but do not modify active content. By default, CDR disarms any detected document containing active content. To prevent CDR from disarming documents, set it to operate in detect-only mode by enabling the detect-only option.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set detect-only ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable
FGT_PROXY (content-disarm) #

  • Enabling/disabling the CDR cover page. By default, a cover page is attached to the file’s content when the file has been processed by CDR. To disable the cover page, disable the cover-page parameter.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set cover-page ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set cover-page disable
FGT_PROXY (content-disarm) #
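To make the per-parameter toggles and detect-only mode above concrete, here is an added example written for this page (it is not FortiGate code; the FortiGate CDR engine parses the full document object model, while this script only looks for well-known markers, which is an assumption). It reports the active-content classes it finds under the same content-disarm parameter names shown in the CLI help, honours a set of enabled parameters (so disabling office-macro drops that finding, as in the first CLI example) and a detect-only flag (so nothing is marked for disarming, as in the second). The two sample files, a PDF with a Launch action and document-level JavaScript and an OOXML document with a macro project, a DDE field and a hyperlink, are constructed inline so it runs offline.

```python
"""Detect-only scanner for the active-content classes FortiOS CDR can strip.

Added example for this page, not FortiGate code. Marker-based detection
(an assumption): a real CDR engine parses the PDF / OOXML object model.
"""
import io
import re
import zipfile

# PDF markers -> content-disarm parameter name from the CLI help above.
# /JavaScript is handled separately: document-level script (pdf-javacode)
# versus a /S /JavaScript action dictionary (pdf-act-java).
PDF_MARKERS = {
    b"/EmbeddedFile": "pdf-embedfile",
    b"/URI": "pdf-hyperlink",
    b"/GoToR": "pdf-act-gotor",
    b"/Launch": "pdf-act-launch",
    b"/Sound": "pdf-act-sound",
    b"/Movie": "pdf-act-movie",
    b"/SubmitForm": "pdf-act-form",
}
OFFICE_PARAMS = {"office-macro", "office-hylink", "office-linked",
                 "office-embed", "office-dde", "office-action"}
ALL_PARAMS = frozenset(PDF_MARKERS.values()) | {"pdf-javacode", "pdf-act-java"} | OFFICE_PARAMS
OOXML_PARTS = ("word/", "xl/", "ppt/")


def _scan_pdf(data: bytes) -> set:
    found = set()
    if re.search(rb"/S\s*/JavaScript", data):                     # action that runs script
        found.add("pdf-act-java")
    if b"/JavaScript" in re.sub(rb"/S\s*/JavaScript", b"", data):  # e.g. /Names /JavaScript tree
        found.add("pdf-javacode")
    for marker, param in PDF_MARKERS.items():
        if marker in data:
            found.add(param)
    return found


def _scan_office(z: zipfile.ZipFile) -> set:
    found = set()
    for name in z.namelist():
        low = name.lower()
        if low.endswith("vbaproject.bin"):          # VBA macro storage part
            found.add("office-macro")
        if "/embeddings/" in low:                   # embedded OLE objects / files
            found.add("office-embed")
        if low.endswith(".rels"):
            rels = z.read(name).decode("utf-8", "replace")
            if "/relationships/hyperlink" in rels:
                found.add("office-hylink")
            # linked (external) OLE object; assumes Type precedes TargetMode in the element
            if re.search(r'Type="[^"]*/oleObject"[^>]*TargetMode="External"', rels):
                found.add("office-linked")
        elif low.endswith(".xml"):
            xml = z.read(name).decode("utf-8", "replace")
            if re.search(r"<w:instrText[^>]*>\s*DDE(AUTO)?\b", xml):  # DDE field code
                found.add("office-dde")
            if "ppaction://" in xml:                # PowerPoint action events
                found.add("office-action")
    return found


def scan_file(data: bytes, enabled=ALL_PARAMS, detect_only: bool = False) -> dict:
    """Return the enabled active-content classes found; 'disarm' says whether the
    file would be altered (never in detect-only mode, mirroring the CLI option)."""
    if data.startswith(b"%PDF"):
        kind, found = "pdf", _scan_pdf(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if not any(n.startswith(OOXML_PARTS) for n in z.namelist()):
                return {"kind": "other", "findings": [], "disarm": False}
            kind, found = "office", _scan_office(z)
    else:
        return {"kind": "other", "findings": [], "disarm": False}
    findings = sorted(found & set(enabled))
    return {"kind": kind, "findings": findings, "disarm": bool(findings) and not detect_only}


def build_sample_pdf() -> bytes:
    """Constructed sample: document-level JavaScript plus a Launch action on open."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R "
            b"/Names << /JavaScript << /Names [(init) 4 0 R] >> >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /Launch /F (helper.exe) >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_docm() -> bytes:
    """Constructed sample: OOXML document with a macro project, a DDE field and a hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document><w:body><w:p><w:r><w:instrText> DDEAUTO Excel '
                   '"C:/reports/q1.xlsx" "Sheet1!R1C1" </w:instrText></w:r></w:p>'
                   '</w:body></w:document>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro storage")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org'
                   '/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" '
                   'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample.pdf", build_sample_pdf()), ("sample.docm", build_sample_docm())):
        print(label, scan_file(blob))
        print(label, "detect-only:", scan_file(blob, detect_only=True))
    print("macros ignored:", scan_file(build_sample_docm(), enabled=ALL_PARAMS - {"office-macro"}))
```

The enabled set plays the role of the per-parameter enable/disable switches, and detect_only plays the role of the detect-only option: findings are still reported, which is what you would want to log and review before turning disarming on for a protocol, but the disarm flag stays False. A proper scanner would decode PDF object streams and filters and parse the OOXML relationship and field XML rather than matching substrings, so do not read this as a measure of what FortiGate itself catches.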

FortiGuard Outbreak Prevention for AntiVirus

Introduction

FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate’s AntiVirus database to be supplemented with third-party malware hash signatures curated by FortiGuard.

Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.

This feature provides the mechanism for AntiVirus to query the FortiGuard with the hash of a scanned file. If the FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.

The concept of FortiGuard Outbreak Prevention is to detect zero-day malware in a collaborative approach.

Support and limitations

  • FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
  • FortiGuard Outbreak Prevention does not support AV in quick scan mode.
  • FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.

Network topology example

Configuring the feature

In order for AntiVirus to work with an external block list, you must register the FortiGate with a FortiGuard Outbreak Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.

To obtain/renew a FortiGuard AntiVirus license:

  1. See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:

https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0

  2. Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.

To enable FortiGuard Outbreak Prevention in the AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
  3. Select Apply.

Diagnostics and debugging

  • Check if FortiGate has an Outbreak Prevention license:

  FGT_PROXY (global) # diagnose debug rating
  Locale       : english

  Service      : Web-filter
  Status       : Enable
  License      : Contract

  Service      : Antispam
  Status       : Disable

  Service      : Virus Outbreak Prevention
  Status       : Enable
  License      : Contract

  -=- Server List (Tue Feb 19 16:36:15 2019) -=-

  IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost  Updated Time
  192.168.100.185  -218    2    DI     -8  113      0          0           Tue Feb 19 16:35:55 2019
  • Scanunit daemon showing the Outbreak Prevention verdict:

FGT_PROXY (vdom1) # diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.

FGT_PROXY (vdom1) # diagnose debug enable

FGT_PROXY (vdom1) #
su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error

External malware blocklist for Antivirus

Introduction

External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 which falls under the Outbreak Prevention umbrella.

This feature provides another means of supporting the AV database by allowing users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes.

It provides a mechanism for AntiVirus to retrieve an external malware hash list from a remote server and to poll that list every n minutes for updates.

Support and limitations

Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.

Just like FortiGuard Outbreak Prevention, External Dynamic Block List is not supported in AV quick scan mode.

Using different types of hash simultaneously may slow down the performance of malware scanning, because each hash type in use is one more digest to compute per scanned file. For this reason, users are recommended to use only one type of hash (either MD5, SHA1, or SHA256), not all three simultaneously.

Network topology example

Configuring the feature

To configure AntiVirus to work with External Block List:

  1. Create the malware hash list

The malware hash list follows a strict format in order for its contents to be valid. Each malware hash signature entry must be on its own line, as a hex digest optionally followed by a space and a description; lines starting with # are comments. A valid signature needs to follow the format below:

# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1

# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2

# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1

# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries (no space between hash and description)
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3

  2. Configure the External Malware Blocklist source:

Create a new external source on the Global > Security Fabric > Fabric Connectors page:

  • Select Malware Hash:

Fill out the fields as shown below. The URI should point to the malware hash list on the remote server:

  • The Malware Hash source object is now created:

Users can view the entries inside the malware blocklist by clicking the View Entries button:

  • The Malware Hash Threatfeed hash_list is shown.

  3. Enable External Malware Blocklist in the AntiVirus profile

Enable External Malware Blocklist on the AntiVirus profile and apply the change:

Antivirus is now ready to use external malware blocklist.

Diagnostics and debugging

Check if scanunit daemon has updated itself with the external hashes:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose sys scanunit malware-list list

md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list' description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list' description 'sha256_sample1'
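The hash-list format from step 1 and the scanunit listing above, as an added example that is not Fortinet's code: a small Python validator that parses a list by the stated rules, reports the lines that would be rejected, and looks a file up while computing only the digest types actually present in the list (the reason behind the single-hash-type recommendation). It assumes a space or tab separates the hash from its description, which the page's samples show but do not state; the SAMPLE_PAYLOAD and its entry are constructed for the test.

```python
"""Validator and lookup for the External Malware Blocklist hash-list format (added example)."""
import hashlib
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> hash type
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_hash_list(text):
    """Parse '<hex hash>[ <description>]' lines; '#' lines and blanks are skipped.
    Returns (entries, rejected); rejected holds (line_no, line, reason) for lines
    that do not match the format and so would not be loaded."""
    entries, rejected = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token, description = (line.split(None, 1) + [""])[:2]  # assumed: whitespace separator
        kind = HASH_TYPES.get(len(token))
        if kind is None or not HEX_RE.match(token):
            rejected.append((no, line, "hash is not a 32/40/64-digit hex string"))
            continue
        entries.append({"type": kind, "hash": token.lower(), "description": description.strip()})
    return entries, rejected


def match_file(data, entries, profile="hash_list"):
    """Digest the file once per hash type present in the list, then look it up.
    Only the types actually used are computed: each extra type is one more pass
    over the file, which is why a single hash type is recommended."""
    digests = {t: hashlib.new(t, data).hexdigest() for t in {e["type"] for e in entries}}
    for e in entries:
        if digests[e["type"]] == e["hash"]:
            # Same shape as the 'diagnose sys scanunit malware-list list' output.
            return f"{e['type']} '{e['hash']}' profile '{profile}' description '{e['description']}'"
    return None


# Constructed sample list: the page's sample entries plus one entry whose hash is
# derived from a constructed payload so the lookup can be exercised offline.
SAMPLE_PAYLOAD = b"constructed test payload, not real malware"
SAMPLE_LIST = f"""# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1
# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Constructed entry matching SAMPLE_PAYLOAD
{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()} constructed_sample
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""
```

Running parse_hash_list(SAMPLE_LIST) loads the three well-formed entries and rejects the two malformed ones, and match_file(SAMPLE_PAYLOAD, entries) returns a line in the same shape as the scanunit listing.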