DLP sensor GUI changes (307225)

The DLP sensor file-size filter has been corrected to indicate that a file matches only when its size is greater than the number of KB entered. Previously, the GUI incorrectly showed that the file size could be greater than or equal to the number of KB entered.

Restricting access to YouTube (replacement for the YouTube Education filter feature) (378277)

Previous versions of FortiOS supported YouTube for Schools (YTfS). As of July 1, 2016 this feature is no longer supported by YouTube. Instead you can use the information in the YouTube support article Restrict YouTube content on your network or managed devices to achieve the same result. FortiOS supports applying Strict or Moderate restrictions using HTTP headers as described in this article.

In FortiOS 5.6 with inspection mode set to proxy-based, in a Web Filter profile under Search Engines you can select Restrict YouTube Access and select either Strict or Moderate.
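The mechanism behind this setting is the one described in the Google article: the filtering proxy adds a YouTube-Restrict request header (value Strict or Moderate) to requests bound for YouTube hosts. The following Python function is an added illustration of that header handling, not FortiOS code; the function name, the sample headers and the host list are assumptions (the hosts follow the Google article as understood at the time of writing and should be checked against the current article before use).

```python
"""Added example: models what a proxy-mode web filter does when
'Restrict YouTube Access' is enabled. Not FortiOS code."""
from typing import Dict, Optional

# Assumption: hosts taken from Google's "Restrict YouTube content on your
# network or managed devices" article; verify against the current article.
YOUTUBE_HOSTS = {
    "www.youtube.com",
    "m.youtube.com",
    "youtubei.googleapis.com",
    "youtube.googleapis.com",
    "www.youtube-nocookie.com",
}

# Header values defined by the Google article.
LEVELS = {"strict": "Strict", "moderate": "Moderate"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def restrict_youtube(headers: Dict[str, str], level: Optional[str]) -> Dict[str, str]:
    """Return a copy of the client's request headers with YouTube-Restrict applied.

    headers: the client's request headers, Host included.
    level:   'strict', 'moderate', or None (restriction disabled).

    Requests to hosts outside YOUTUBE_HOSTS are returned unchanged. Any
    YouTube-Restrict header the client sent itself is removed before ours is
    set, so a client cannot weaken the policy by supplying its own value.
    """
    out = dict(headers)
    if level is None:
        return out
    if level not in LEVELS:
        raise ValueError(f"unknown restriction level: {level!r}")

    host = (_header(out, "Host") or "").split(":")[0].lower()
    if host not in YOUTUBE_HOSTS:
        return out

    for k in list(out):
        if k.lower() == "youtube-restrict":
            del out[k]
    out["YouTube-Restrict"] = LEVELS[level]
    return out


if __name__ == "__main__":
    # Constructed sample request, as a client might send it.
    sample = {"Host": "www.youtube.com", "User-Agent": "demo", "youtube-restrict": "None"}
    print(restrict_youtube(sample, "strict"))
    print(restrict_youtube({"Host": "example.com"}, "strict"))
```

Because YouTube is served over HTTPS, a device can only insert this header into requests it can decrypt. That is why the option is tied to proxy-based inspection: it is effective only for traffic that the FortiGate deep-inspects, and with certificate inspection alone no header can be added.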

SSL/SSH profile certificate handling changes (373835)

To support DSA and ECDSA key exchange (in addition to RSA) in SSL re-sign and replace mode, the deep-inspection CLI has changed: the single certname command in ssl-ssh-profile has been removed and replaced by one certificate setting per key type.

To select a certificate of each key type from those available on the system, use the following CLI under config firewall ssl-ssh-profile:

    edit deep-inspection
        set server-cert-mode re-sign
        set certname-{rsa | dsa | ecdsa} <certificate-name>

New diagnose command to delete avatars (388634)

Commands to delete avatars by FortiClient UID or avatar name have been added to the CLI.

The following two commands have been added under diagnose endpoint avatar:

  • diagnose endpoint avatar delete <fctl_uid>
  • diagnose endpoint avatar delete <fctl_uid> <username>

The delete attribute did not exist before. The values <fctl_uid> and <username> together describe a set of avatars. If only <fctl_uid> is given, all avatars belonging to that FortiClient UID that are not currently in use are removed. If both values are given, the single avatar they identify is removed, unless it is in use, in which case the command returns an error to the user.

CASI functionality moved into application control (385183 372103)

Cloud Access Security Inspection (CASI) is merged with Application Control resulting in changes to the GUI and the CLI.

GUI Changes

  • Toggle option added to quickly filter CASI signatures in the Application Signatures list.
  • The Application Overrides table now shows any parent-child hierarchy, using the parent metadata on signatures. Deleting a parent app also deletes its child apps; conversely, adding a child app also adds all of its parent apps, with an implicit filter action.
  • A policy breakdown is shown on existing application control profiles for the policies that use the profile. The breakdown indicates which of those policies use deep inspection.
  • A breakdown is shown for application categories and filter overrides to indicate the number of CASI and non-CASI signatures. A lock icon is shown for applications requiring deep inspection.

CLI Changes

Commands removed:

  • config application casi profile
  • casi-profile in config firewall policy
  • casi-profile in config firewall policy6
  • casi-profile-status and casi-profile under config firewall sniffer
  • casi-profile-status and casi-profile under config firewall interface-policy

Enable “sync-session-ttl” in “config ips global” CLI by default (399737)

sync-session-ttl is now enabled by default in order to:

  • enhance detection of P2P traffic; efficient P2P detection is important on hardware-accelerated platforms
  • ensure that IPS and the kernel use the same session TTL
  • ensure that IPS sessions time out sooner