VTEP (VXLAN Tunnel End Point) support (289354)

Native VXLAN is now supported by FortiOS. This feature is configurable from the CLI only:

Syntax

config system vxlan
    edit <vxlan1>        // VXLAN device name (unique name in system.interface)
        set interface    // Local outgoing interface
        set vni          // VXLAN network ID
        set ip-version   // IP version to use for the VXLAN device (4 or 6)
        set dstport      // VXLAN destination port, default is 4789
        set ttl          // VXLAN TTL
        set remote-ip    // Remote IP address of the VXLAN peer (the remote VTEP)
    next
end

This will create a VXLAN interface:

show system interface vxlan1
config system interface
    edit "vxlan1"
        set vdom "root"
        set type vxlan
        set snmp-index 36
        set macaddr 8a:ee:1d:5d:ae:53
        set interface "port9"
    next
end

From the GUI, go to Network > Interfaces to verify the new VXLAN interface:

To diagnose your VXLAN configuration, from the CLI, use the following command:

diagnose sys vxlan fdb list vxlan1

This command lists the VXLAN forwarding database (FDB) entries associated with the vxlan1 interface, that is, which remote VTEP a given inner MAC address is reached through. Below is a sample output:

mac=00:00:00:00:00:00 state=0x0082 flags=0x00
remote_ip=2.2.2.2 remote_port=4789 remote_vni=1 remote_ifindex=19
total fdb num: 1

The all-zero MAC entry is the default destination used for frames whose destination MAC has not yet been learned (broadcast, multicast and unknown unicast); here it points at the single remote VTEP 2.2.2.2 configured with set remote-ip.

VXLAN support (289354)

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 UDP/IP packets, using the standard destination port 4789. The endpoints that terminate VXLAN tunnels, which can be virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs). For more information about VXLAN, see RFC 7348. Note that VXLAN itself provides no authentication or encryption of the encapsulated frames: any host that can deliver UDP datagrams to a VTEP on port 4789 with a valid VNI can inject traffic into that segment, so the underlay carrying VTEP traffic should be trusted or the tunnel carried over IPsec (RFC 7348, Section 7).
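The following Python script, added here as an example and not part of FortiOS or this document, builds and parses the VXLAN header described above and applies the receive-side checks a VTEP can make against one system vxlan entry: the I flag must be set, the VNI must match the configured vni, and, as an assumed filter rather than a documented FortiOS behaviour, the outer source address must equal the configured remote-ip. The sample Ethernet frame and addresses are constructed; the remote 2.2.2.2, the vxlan1 MAC and VNI 1 mirror the configuration and fdb output above.

```python
"""VXLAN (RFC 7348) header build/parse plus receive-side checks.
Added example, not FortiOS code; sample frame and addresses are constructed."""
import struct

VXLAN_DSTPORT = 4789   # default UDP port, as in "set dstport" above
VXLAN_FLAG_I = 0x08    # "VNI valid" flag; RFC 7348 requires it on every packet
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14


def build_vxlan(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)
    return header + inner_frame


def decap_vxlan(outer_src_ip, payload, local_vni, remote_ip):
    """Checks modelled on one 'config system vxlan' entry (vni + remote-ip).
    Returns (vni, inner_frame) or raises ValueError for a packet the VTEP
    should drop. Matching the outer source against remote-ip is an assumed
    filter, not a documented FortiOS behaviour; VXLAN itself authenticates
    nothing, so without such a filter any host that can reach UDP/4789
    with the right VNI can inject frames into the segment."""
    if outer_src_ip != remote_ip:
        raise ValueError(f"outer source {outer_src_ip} is not the configured remote-ip")
    if len(payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, _res1, _res2, vni_res = struct.unpack("!BBHI", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    vni = vni_res >> 8     # low 8 bits are reserved and ignored on receipt
    if vni != local_vni:
        raise ValueError(f"VNI {vni} is not configured on this VTEP")
    return vni, payload[VXLAN_HDR_LEN:]


def make_eth_frame(dst_mac, src_mac, ethertype, body):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + body


# Constructed sample: a broadcast ARP-sized frame from the vxlan1 MAC shown
# above, carried on VNI 1 from the peer 2.2.2.2 listed in the fdb output.
SAMPLE_FRAME = make_eth_frame(b"\xff" * 6, bytes.fromhex("8aee1d5dae53"), 0x0806, b"\x00" * 28)
SAMPLE_PACKET = build_vxlan(1, SAMPLE_FRAME)


def demo():
    """Run the good packet and three bad ones through the VTEP checks."""
    results = {"good": "accepted vni=%d" % decap_vxlan("2.2.2.2", SAMPLE_PACKET, 1, "2.2.2.2")[0]}
    cases = [
        ("wrong_vni", "2.2.2.2", build_vxlan(2, SAMPLE_FRAME)),
        ("spoofed_source", "198.51.100.7", SAMPLE_PACKET),
        ("i_flag_clear", "2.2.2.2", b"\x00" + SAMPLE_PACKET[1:]),
    ]
    for label, src, packet in cases:
        try:
            decap_vxlan(src, packet, 1, "2.2.2.2")
            results[label] = "accepted"
        except ValueError as err:
            results[label] = "dropped: " + str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

The spoofed_source case is the one to keep in mind when exposing a VTEP: with the source filter removed, that packet is accepted exactly like the genuine one, which is why RFC 7348 leaves transport security to the underlay or IPsec.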

Multiple PSK for WPA Personal (393320)

New CLI commands have been added under config wireless-controller vap to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs), so that devices or groups of devices can be given their own PSK instead of every device sharing a single one. A per-group key limits the impact of a leaked passphrase and can be changed or removed without re-keying every client on the SSID.

Note that mpsk-concurrent-clients and the mpsk-key configuration method are only available when mpsk is set to enable.

CLI syntax

config wireless-controller vap
    edit <example>
        set mpsk {enable|disable}
        set mpsk-concurrent-clients [0-65535]     // Default is 0.
        config mpsk-key
            edit <key-name>
                set passphrase <wpa-psk>
                set concurrent-clients [0-65535]  // Default is empty.
                set comment <comments>
            next
        end
    next
end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.
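To see why several PSKs can coexist on one SSID, the following Python script, added here as an example and not FortiOS code, models what the access point must do with message 2 of the WPA2 4-way handshake: derive the PMK for each configured passphrase (PBKDF2-HMAC-SHA1), derive the KCK with the 802.11 PRF, and verify the frame's MIC against each candidate. The first key whose MIC verifies identifies the client's mpsk-key entry, after which that entry's concurrent-clients limit is applied. The SSID, the mpsk-key entries, the MAC addresses and the nonces are constructed. The same loop is what an attacker runs offline against a captured handshake with a wordlist, so per-group keys still need strong passphrases.

```python
"""AP-side identification of a WPA2-Personal client when several PSKs are
configured. Added example, not FortiOS code; SSID, mpsk-key entries, MACs
and nonces are constructed."""
import hashlib
import hmac
import struct

SSID = b"corp-iot"
# Hypothetical mpsk-key entries: name -> (passphrase, concurrent-clients limit)
MPSK_KEYS = {
    "printers": ("printers-only-8f2c", 5),
    "cameras": ("cameras-only-41d9", 2),
}


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def kck_for_client(pmk, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the PTK (the KCK) from the 802.11 PRF-512."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


MIC_OFFSET = 81  # EAPOL header (4) + type/info/length/counter (13) + nonce/IV/RSC/ID (64)


def eapol_mic(kck, frame):
    """Key MIC for descriptor version 2: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, kck):
    """Constructed EAPOL-Key message 2 (station -> AP) carrying SNonce and a MIC."""
    body = (b"\x02"                        # descriptor type: RSN
            + struct.pack("!H", 0x010a)    # key info: version 2, pairwise, MIC present
            + struct.pack("!H", 16)        # key length
            + struct.pack("!Q", 1)         # replay counter
            + snonce + b"\x00" * 32        # SNonce, then zero IV/RSC/ID
            + b"\x00" * 16                 # MIC placeholder
            + struct.pack("!H", 0))        # key data length
    frame = b"\x01\x03" + struct.pack("!H", len(body)) + body
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def identify_psk(msg2, ap_mac, sta_mac, anonce, active_clients):
    """Try every configured passphrase against the MIC in message 2; the first
    one that verifies is the client's key. Then apply that entry's limit."""
    snonce = msg2[17:49]
    received_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for name, (passphrase, limit) in MPSK_KEYS.items():
        pmk = pmk_from_passphrase(passphrase, SSID)
        kck = kck_for_client(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), received_mic):
            if active_clients.get(name, 0) >= limit:
                return name, "rejected: concurrent-clients limit reached"
            return name, "accepted"
    return None, "rejected: MIC matched no configured PSK"


AP_MAC = bytes.fromhex("aabbccddee01")
STA_MAC = bytes.fromhex("112233445566")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo():
    """A camera joins with the 'cameras' key; then the same key at its limit; then an unknown key."""
    pmk = pmk_from_passphrase(MPSK_KEYS["cameras"][0], SSID)
    msg2 = build_msg2(SNONCE, kck_for_client(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    first = identify_psk(msg2, AP_MAC, STA_MAC, ANONCE, {"cameras": 0})
    at_limit = identify_psk(msg2, AP_MAC, STA_MAC, ANONCE, {"cameras": 2})
    unknown = identify_psk(build_msg2(SNONCE, b"\x00" * 16), AP_MAC, STA_MAC, ANONCE, {})
    return first, at_limit, unknown


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Each candidate costs one PBKDF2 run, so an AP with many mpsk-key entries does proportionally more work per association; the concurrent-clients limit is enforced only after the key has been identified, because until the MIC verifies the AP does not know which entry the client belongs to.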

Controlled failover between wireless controllers

1+1 Wireless Controller HA

Previously, failover of FortiAP units between wireless controllers took too long and left WiFi users without network connectivity for extended periods. Because WiFi is now a primary network connection across verticals (enterprise, retail, education, warehousing, healthcare, government and more), failover must complete as quickly as possible.

Primary and secondary ACs

You can now define the primary and secondary controller roles on the FortiAP unit, so that the order in which the FortiAP selects a FortiGate is decided by each unit's pre-determined priority rather than by the load-based detection used previously. In addition, heartbeat intervals have been lowered to improve the FortiAP's awareness of controller state and speed up failover.

1+1 redundancy

1+1 HA is a form of resilience in which a component has a backup component ready to take its place if it fails, so that FortiAP units continue to be managed without long failover periods.

CLI syntax

config wireless-controller inter-controller
    set inter-controller-mode {disable | l2-roaming | 1+1}   // Default is disable.
    set inter-controller-key <password>
    set inter-controller-pri {primary | secondary}           // Default is primary.
    set fast-failover-max [3-64]                             // Default is 10.
    set fast-failover-wait [10-86400]                        // Default is 10.
    config inter-controller-peer
        edit <name>
            set peer-ip <ip-address>
            set peer-port [1024-49150]                       // Default is 5246.
            set peer-priority {primary | secondary}          // Default is primary.
        next
    end
end
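The following Python simulation, added here as an example and not FortiOS code, shows the AP-side selection and failover logic described above: controllers are ordered by their configured priority rather than by load, the AP fails over after a run of missed heartbeats, and it returns to the primary only once the primary is reachable again and a hold-down has elapsed. The mapping of fast-failover-max to a missed-heartbeat count and of fast-failover-wait to the minimum time before failing back, the one-second heartbeat interval and the controller names are assumptions of this example, not definitions taken from the page.

```python
"""Simulation of FortiAP-side controller selection and fast failover.
Added example, not FortiOS code. Assumptions: fast-failover-max is modelled
as the number of consecutive missed heartbeats before the AP gives up on its
current controller, fast-failover-wait as the minimum seconds the AP stays
on the secondary before returning to the primary, and heartbeats are one
second apart. Controller names are made up."""
from dataclasses import dataclass, field


@dataclass
class Controller:
    name: str
    priority: str        # "primary" or "secondary" (inter-controller-pri / peer-priority)
    alive: bool = True


@dataclass
class ApFailover:
    controllers: list
    fast_failover_max: int = 10
    fast_failover_wait: int = 10
    current: Controller = None
    missed: int = 0
    failed_over_at: int = None
    events: list = field(default_factory=list)

    def __post_init__(self):
        # Configured priority, not load, decides the order of preference.
        rank = {"primary": 0, "secondary": 1}
        self.controllers.sort(key=lambda c: rank[c.priority])
        self.current = self.controllers[0]

    def heartbeat(self, now):
        """Called once per heartbeat interval with the simulation clock (seconds)."""
        if self.current.alive:
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= self.fast_failover_max:
                self._switch(now, f"{self.current.name} down")
        primary = self.controllers[0]
        if (self.current is not primary and primary.alive
                and self.failed_over_at is not None
                and now - self.failed_over_at >= self.fast_failover_wait):
            self._switch(now, f"{primary.name} back")

    def _switch(self, now, reason):
        candidates = [c for c in self.controllers if c is not self.current and c.alive]
        if not candidates:
            self.events.append((now, "no live controller"))
            return
        self.current = candidates[0]   # list is priority-ordered, so primary wins if alive
        self.missed = 0
        self.failed_over_at = now
        self.events.append((now, f"{reason}: switched to {self.current.name}"))


def demo(fast_failover_max=3, fast_failover_wait=5):
    """Primary wlc-a is unreachable from t=5 to t=8; expect failover at t=7
    (three missed heartbeats) and failback at t=12 (wait of 5 s after t=7)."""
    wlc_a = Controller("wlc-a", "primary")
    wlc_b = Controller("wlc-b", "secondary")
    ap = ApFailover([wlc_b, wlc_a], fast_failover_max, fast_failover_wait)  # order fixed by priority
    for t in range(15):
        wlc_a.alive = not (5 <= t <= 8)
        ap.heartbeat(t)
    return ap.events


if __name__ == "__main__":
    for when, event in demo():
        print(f"t={when:2d}s  {event}")
```

With the default fast-failover-max of 10 the same four-second outage produces no failover at all (demo(fast_failover_max=10) returns an empty event list), which is the trade-off the two timers express: a lower maximum fails over sooner but flaps on short outages, and a longer wait keeps the AP on the secondary until the primary has proven stable.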

 

FortiGate Logs can be sent to syslog servers in Common Event Format (CEF) (300128)

You can configure FortiOS to send log messages to remote syslog servers in CEF format. CEF is an open log management standard that provides interoperability of security-related information between different network devices and applications. CEF data can be collected and aggregated for analysis by enterprise management or Security Information and Event Management (SIEM) systems such as FortiSIEM.

FortiOS supports logging to up to four remote syslog servers. Each server can now be configured separately to send log messages in CEF or CSV format. Previously only CSV format was supported.

Use the following command to configure syslog3 to use CEF format:

config log syslog3 setting
    set format cef
end

All other syslog settings, including the server address and the transport (UDP or TCP), can be configured independently of the log message format, and filtering can be configured for both CEF and CSV formatted log messages. Note that neither UDP nor plain TCP syslog protects the confidentiality or integrity of log data in transit, and UDP gives no delivery guarantee, so keep the path to the syslog server on a trusted network and prefer TCP where log loss matters.
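The following Python parser, added here as an example and not Fortinet code, reads CEF lines of the kind a syslog server or SIEM would receive from the configuration above: it splits the seven pipe-delimited header fields (honouring the backslash escapes for '|' and '\' required by the CEF specification), decodes the key=value extension with its '\=' and '\\' escapes, normalises the severity field and then selects high-severity events. The two sample lines are constructed to exercise the escapes and are not verbatim FortiGate output; their signature IDs, names and field values are schematic.

```python
"""Parser for CEF (Common Event Format) syslog lines with escape handling,
plus a simple severity filter. Added example, not Fortinet code; the sample
lines are constructed and schematic, not verbatim FortiGate output."""
import re

_EXT_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}
_SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}   # lower bound of each CEF band


def _split_header(text):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (fields, remaining_extension_text)."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, text[i:]


def _parse_extension(text):
    """key=value pairs separated by spaces; values may contain spaces, so a new
    pair starts only at ' key='. '\\=' inside a value is a literal '='."""
    pairs = {}
    for part in re.split(r" (?=\w+=)", text.strip()):
        if part:
            key, _, value = part.partition("=")
            pairs[key] = re.sub(r"\\[=\\nr]", lambda m: _EXT_UNESCAPE[m.group(0)], value)
    return pairs


def _severity(raw):
    raw = raw.strip().lower()
    if raw.isdigit() and 0 <= int(raw) <= 10:
        return int(raw)
    if raw in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[raw]
    raise ValueError(f"bad CEF severity {raw!r}")


def parse_cef(line):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, extension = _split_header(line[len("CEF:"):])
    version, vendor, product, dev_version, sig_id, name, severity = fields
    return {"version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": _severity(severity), "ext": _parse_extension(extension)}


# Constructed sample lines; the second exercises '\|' in the header and '\=' in a value.
SAMPLE_CEF = [
    r"CEF:0|Fortinet|Fortigate|v5.6.0|13|traffic:forward close|3|src=10.1.1.5 dst=203.0.113.9 spt=51422 dpt=443 proto=TCP act=close",
    r"CEF:0|Fortinet|Fortigate|v5.6.0|18432|ips:signature\|detect|7|src=198.51.100.7 dst=10.1.1.20 msg=uri\=/cgi-bin/test act=reset",
]


def high_severity_events(lines, threshold=7):
    """Parse each line and keep events at or above the severity threshold."""
    return [ev for ev in map(parse_cef, lines) if ev["severity"] >= threshold]


if __name__ == "__main__":
    for ev in high_severity_events(SAMPLE_CEF):
        print(ev["signature_id"], ev["name"], ev["ext"].get("src"), "->", ev["ext"].get("dst"))
```

The extension split relies on the CEF convention that a new key is introduced by a space followed by an identifier and '='; a free-text value that itself contains something like " foo=bar" is ambiguous in CEF and will be split, which is why producers are expected to escape or avoid that pattern.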

Real time logging to FortiAnalyzer and FortiCloud

FortiOS 5.6.0 adds new real-time logging options for FortiAnalyzer in System > Security Fabric and for FortiCloud in Log & Report > Log Settings. The default option is still every 5 minutes, but this will allow near real-time uploading and consistent high-speed compression and analysis.

For FortiAnalyzer, the CLI syntax to enable real-time is:

config log fortianalyzer setting
    set upload-option [realtime/1-minute/5-minute]
end

For FortiCloud:

config log fortiguard setting
    set upload-option [realtime/1-minute/5-minute]
end

Reliable Logging updated for real-time functionality (378937)

Previously, reliable logging was a feature for buffering and collecting logs for upload, to guarantee that no logs would be dropped before being passed to logging solutions. In 5.6.0 reliable logging has been updated and is enabled by default, so that real-time logs are not lost when they are generated faster than they can be uploaded.

It can be configured in the CLI with:

config log fortianalyzer setting
    set reliable [enable/disable]
end

Application Control is a free service

Application Control is now a free FortiGuard service, and the Application Control signature database is separate from the IPS database. However, Botnet Application signatures remain in the IPS signature database, since they relate more closely to security issues than to application detection.

With the release of FortiOS 5.6.1, Application Control signature database information is displayed on the System > FortiGuard page in the FortiCare section, and the Botnet category is no longer available when searching the Application Signatures list.

IPS / Application Control logging performance

Application Control and IPS performance with logging enabled has been significantly improved. With the latest changes, the performance difference with or without logging enabled is negligible.

 

FortiClient Profile changes (386267, 375049)

FortiClient profiles have been changed in FortiOS 5.6 to include new protection features and to change organization of the GUI options. FortiClient profiles also use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile.

A bug that prevented the Dialog and Device Inventory pages from loading when there is a large number of devices (for example, 10,000) has been fixed.

Default FortiClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

The default FortiClient profile also allows you to set a general Non-compliance action for endpoints that don’t have FortiClient installed on them. The non-compliance action can be block or warning and is applied by the FortiGate. Blocked endpoints are quarantined by the FortiGate.

Endpoint vulnerability scanning

As in FortiOS 5.4, you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints, and you can set the Vulnerability quarantine level to quarantine endpoints that do not comply.

The vulnerability scan Non-compliance action can block or warn endpoints if the vulnerability scan shows they do not meet the vulnerability quarantine level.

System compliance

FortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate.

Security posture checking

Security posture checking collects realtime protection, antivirus protection, web filtering and application firewall features under the Security Posture Check heading.
