FortiGate VM (5.6)

New FortiGate VM features added to FortiOS 5.6.

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

• Support for up to 16 vCPU – FortiGate-VM16 l Support for up to 32 vCPU – FortiGate-VM32 l Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

• An indicator to show when a VM is waiting for authentication or starting up l Shows VM status when license is valid
• Shows CLI console window when VM is waiting too long for remote registration of server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users, with Citrix XenServer tools to read performance statistics from XenServer clients and do Xenmotion with servers in the same cluster

There are no changes to the GUI, but there are some changes to the CLI.

A setting has been edited to control the debug level of the XenServer tools daemon diag debug application xstoolsd <integer>

Integer = Debug level

An additional update has been added to set the update frequency for XenServer tools

config system global set xstools-update-frequency Xenserver <integer> end

Enter an integer value from 30 to 300 (default = 60).

FortiGate VM

FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.

FortiView (5.6)

New FortiView features added to FortiOS 5.6.

Added Vulnerability score topology view (303786)

In Physical Topology and Logical Topology pages, there are two new views added: Vulnerability, and

Threat. Drill-downs in these menus will now include Vulnerability/Threat information. In Vulnerability view, device bubbles are colored based on maximum vulnerability level, and bubble size is the vulnerability score. In Threat view, device bubbles are colored based on maximum threat level, and bubble size is the threat score.

FortiView VPN tunnel map feature (382767)

The FortiView VPN page now displays VPN tunnel connections between devices, and offers more information about tunnels and devices on drill-down.

FortiView (5.6)

Updated FortiView CSF topology pages (384188)

The FortiView Physical Topology and Logical Topology pages have been updated in 5.6.0 to reorganize and clarify larger deployments with servers and multi-directional traffic.

Historical FortiView includes FortiAnalyzer (387423)

Data from associated FortiAnalyzer devices can now be selected as a log display option for Historical FortiView.

FortiView menu reorganization (399713)

The order of FortiView pages has been reorganized in 5.6.0 based on the source interface of data being displayed:

l Topology l Traffic from LAN/DMZ l Traffic from WAN l All Segments

Data Exchange with FortiAnalyzer (393891)

Rather than sending all CSF information via log messages, FortiGate and FortiAnalyzer will now directly pass CSF information (tree, interface roles, user devices, HA members), if the FAZ responds to notices that are sent when the data has changed.

Google Maps Integration

FortiView now uses Google Maps to display location-related information. In this release the first view to use Google maps this component is the FortView VPN page. All current VPNs can be viewed on a fully scalable Google world map.

FortiView

FortiView usability and organization updates (306247)

Several organization changes have been made to make the FortiView menu order less cluttered, and more intuitive. l WiFi Client Monitor is now in FortiView, but is hidden when there is no managed FortiAP or WiFi Radio. l Country view has been merged into Destinations view. l Failed Authentication and Admin Login views have been merged into System Events view.

FortiGate VM (5.6)

FortiView (5.6.1)

New FortiView features added to FortiOS 5.6.1.

FortiView Dashboard Widget (434179)

A new widget type has been added to the FortiGate Dashboard, that displays compact FortiView data. Supported

FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, Admin, and System. All usual visualizations are supported.

Widgets can be saved directly to the Dashboard from a filtered page in FortiView, or configured in the CLI.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ”, and “Traffic from WAN.” For greater compatibility and troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information have been added to general log data in 5.6.1: srcintfrole and dstintfrole for better backend control and monitoring.

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6)

New managed FortiSwitch features added to FortiOS 5.6 if the FortiSwitch is running FortiSwitch OS 3.6.0.

IGMP snooping (387515)

The GUI and CLI support the ability to configure IGMP snooping for managed switch ports.

To enable IGMP snooping from the GUI, go to WiFi & Switch Controller > FortiSwitch VLANs, edit a VLAN and turn on IGMP Snooping under Networked Devices.

From the CLI, start by enabling IGMP snooping on the FortiGate:

config switch-controller igmp-snooping set aging-time <int>

set flood-unknown-multicast (enable | disable)

end

Then enable IGMP snooping on a VLAN:

config system interface edit <vlan> set switch-controller-igmp-snooping (enable | disable)

end

Use the following command to enable IGMP snooping on switch ports, and to override the global parameters for a specific switch.

config switch-controller managed-switch edit <switch> config ports edit port <number> set igmp-snooping (enable | disable) set igmps-flood-reports (enable | disable)

next

config igmp-snooping globals set aging-time <int>

set flood-unknown-multicast (enable | disable)

end

next

end

User-port link aggregation groups (378470)

The GUI now supports the ability to configure user port LAGs on managed FortiSwitches.

To create a link aggregation group for FortiSwitch user ports:

5.6)

1. Go to WiFi & Switch Controller > FortiSwitch Ports

2. Click Create New > Trunk.
3. In the New Trunk Group page:
   1. Enter a name for the trunk group
   2. Select two or more physical ports to add to the trunk group
   3. Select the mode: Static, Passive LACP, or Active LACP
4. Click OK.

DHCP blocking, STP, and loop guard on managed FortiSwitch ports (375860)

The managed FortiSwitch GUI now supports the ability to enable/disable DHCP blocking, STP and loop guard for FortiSwitch user ports.

Go to to WiFi & Switch Controller > FortiSwitch Ports. For any port you can select DHCP Blocking, STP, or Loop Guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

Switch profile enhancements (387398)

Defaults switch profiles are bound to every switch discovered by the FortiGate. This means that an administrator can establish a password for this profile or create a new profile and bind that profile to any switch. Consquently, the password provided shall be configured on the FortiSwitch against the default “admin” account already present.

Number of switches per FortiGate based on model (388024)

The maximum number of supported FortiSwitches depends on the FortiGate model:

Up to FortiGate-98 and FortiGate-VM01                                8

FortiGate-00 to 280 and FortiGate-VM02                              24

FortiGate-300 to 5xx                                                           48

FortiGate-600 to 900 and FortiGate-VM04                             64

FortiGate-000 and up                                                         128

FortiGate-3xxx and up, and FortiGate-VM08 and up               256

Miscellanous configuration option changes

• The default value of dhcp-Snooping (also called DHCP-blocking) is changed from trusted in FortiOS 5.4 to untrusted in FortiOS 5.6.
• The default value of edge-port is changed from disabled in FortiOS 5.4 to enabled in FortiOS 5.6.0.

FortiView (5.6.1)

Additional GUI support

• Link aggregation of FortiSwitch ports l DHCP trusted/untrusted, loop guard, and STP for FortiSwitch ports l Connect to CLI support for FortiSwitch

Adding preauthorized FortiSwitches (382774)

After you preauthorize a FortiSwitch, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6)

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

Reset PoE-enabled ports from the GUI (387417)

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configure QoS with managed FortiSwitches (373581)

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows. NOTE: FortiGate does not support QoS for hard or soft switch ports.

To configure the QoS for managed FortiSwitches:

1. Configure a Dot1p map.

config switch-controller qos dot1p-map edit <Dot1p map name> set description <text> set priority-0 <queue number> set priority-1 <queue number> set priority-2 <queue number> set priority-3 <queue number> set priority-4 <queue number> set priority-5 <queue number> set priority-6 <queue number> set priority-7 <queue number>

next

end

2. Configure a DSCP map.

config switch-controller qos ip-dscp-map edit <DSCP map name> set description <text> configure map <map_name> edit <entry name> set cos-queue <COS queue number>

set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF |

CS6 | CS7} set ip-precedence {network-control | internetwork-control | critic-ecp

| flashoverride | flash | immediate | priority | routine} set value <DSCP raw value>

next

end end

3. Configure the egress QoS policy.

config switch-controller qos queue-policy edit <QoS egress policy name> set schedule {strict | round-robin | weighted}

config cos-queue edit [queue-<number>] set description <text> set min-rate <rate in kbps> set max-rate <rate in kbps>

set drop-policy {taildrop | random-early-detection} set weight <weight value>

next

end

next

end

4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy edit <QoS egress policy name> set default-cos <default CoS value 0-7> set trust-dot1p-map <Dot1p map name> set trust-ip-dscp-map <DSCP map name> set queue-policy <queue policy name>

next

end

5. Configure each switch port.

config switch-controller managed-switch edit <switch-id> config ports edit <port> set qos-policy <CoS policy>

next

end

next end

Configure an MCLAG with managed FortiSwitches (366617)

To configure a multichassis LAG (MCLAG) with managed FortiSwitches:

1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk edit “LAG-member” set mode lacp-active set mclag-icl enable set members “<port>” “<port>”

next

2. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch edit “<switch-id>” config ports edit “<trunk name>” set type trunk

set mode {static | lacp-passive | lacp-active} set bundle {enable | disable}

set members “<port>,<port>” set mclag {enable | disable}

next

end

next

3. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.