Captive portals

Captive portals

Introduction to captive portals

You can authenticate your users on a web page that requests the user’s name and password. Until the user authenticates successfully, the authentication page is returned in response to any HTTP request. This is called a captive portal.

After successful authentication, the user accesses the requested URL and can access other web resources, as permitted by security policies. Optionally, the captive portal itself can allow web access to only the members of specified user group.

The captive portal can be hosted on the FortiGate unit or on an external authentication server. You can configure captive portal authentication on any network interface, including WiFi and VLAN interfaces.

When a captive portal is configured on a WiFi interface, the access point initially appears open. The wireless client can connect to the access point with no security credentials, but sees only the captive portal authentication page.

WiFi captive portal types:

  • Authentication — until the user enters valid credentials, no communication beyond the AP is permitted.
  • Disclaimer + Authentication — immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.
  • Disclaimer Only — the portal presents the disclaimer page—an acceptable use policy or other legal statement— to which the user must agree before proceeding. The authentication page is not presented.
  • Email Collection — the portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.
  • MAC Bypass — when clients are authenticated against their bridged SSID and their MAC addresses are known, they are redirected to the external captive portal.

Configuring a captive portal

Captive portals are configured on network interfaces. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces.

On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal.

To configure a WiFi captive portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. Under WiFi Settings, for Security Mode, select Captive Portal.
  2. Enter the following:
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection. See Introduction to captive portals on page 19.
Authentication Portal Local – portal hosted on the FortiGate unit.

Remote – enter FQDN or IP address of external portal.

User Groups Select permitted user groups.
Exempt Sources

Exempt

Destinations/Services

Select exempt lists whose members will not be subject to captive portal authentication.
Redirect after Captive Portal Select whether to have authenticated users navigate to their originally requested URL or be redirected to another/specific URL.
  1. Select OK.

To configure an SSID with external-web enabled – CLI:

config wireless-controller vap edit “web-ext” set vdom “root” set ssid “web-ext” set security captive-portal set selected-usergroups “qnap“

Configuring a

set security-exempt-list “wifi”

set security-redirect-url “ http://www.fortinet.com” set intra-vap-privacy enable set local-switching disable

set external-web “192.168.234.51/portal.php”

next

end

Note that the external-web entry is the URL of the external authentication web server. When this entry is not set, the FortiGate will use the local web server hosting the local login/splash page.

The external web URL is not explicitly set with HTTP/HTTPS – FortiGate uses the auth-secure-http entry under config user setting.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list edit r_exempt config rule edit <id> set devices printer

end

end

Furthermore, a walled garden firewall policy can be created:

config firewall policy edit <id> set captive-portal-exempt enable …

next

end

MAC Bypass for captive portal

It is possible to provide a MAC address bypass for authenticated clients.When clients are authenticated with bridged SSID and their MAC addresses are known, they are redirected to the External Captive Portal.

A new portal type has been added, under config wireless-controller vap, to provide successful MAC authentication Captive Portal functionality.

Syntax

config wireless-controller vap edit {name} set portal-type {cmcc-macauth}

next

end

MAC-auth-bypass for the captive-portal SSID

Captive-portal SSID supports MAC-auth-bypass. If a client’s MAC can be authenticated from localuser or RADIUS, then the client can bypass firewall authentication directly.

 

config wireless-controller vap edit <name> set security captive-portal set MAC-auth-bypass {enable | disable}

next

end

Customizing captive portal pages

These pages are defined in replacement messages. Defaults are provided. In the web-based manager, you can modify the default messages in the SSID configuration by selecting Customize Portal Messages. Each SSID can have its own unique portal content.

The captive portal contains the following default web pages: l Login page—requests user credentials

Typical modifications for this page would be to change the logo and modify some of the text.

You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Please enter your credentials to continue” is provided by the %%QUESTION%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Login failed page—reports that the entered credentials were incorrect and enables the user to try again.

The Login failed page is similar to the Login page. It even contains the same login form. You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Firewall authentication failed. Please try again.” is provided by the %%FAILED_MESSAGE%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Disclaimer page—is a statement of the legal responsibilities of the user and the host organization to which the user must agree before proceeding.(WiFi or SSL VPN only)
  • Declined disclaimer page—is displayed if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.

Changing images in portal messages

You can replace the default Fortinet logo with your organization’s logo. First, import the logo file into the FortiGate unit and then modify the Login page code to reference your file.

To import a logo file:

  1. Go to System > Replacement Messages and select Manage Images.
  2. Select Create New.
  3. Enter a Name for the logo and select the appropriate Content Type. The file must not exceed 24 Kilo bytes.
  4. Select Browse, find your logo file and then select Open.
  5. Select OK.

To specify the new logo in the replacement message:

  1. Go to Network > Interfaces and edit the interface. The Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. In the HTML message text, find the %%IMAGE tag.

By default it specifies the Fortinet logo: %%IMAGE:logo_fw_auth%%

  1. Change the image name to the one you provided for your logo. The tag should now read, for example, %%IMAGE:mylogo%%
  2. Select Save.
  3. Select OK.

Modifying text in portal messages

Generally, you can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters. You should not remove any tags because they may carry information that the FortiGate unit needs. See the preceding section for any exceptions to this rule for particular pages.

To modify portal page text

  1. Go to System > Network > Interfaces and edit the interface. The SSID Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. Edit the HTML message text, then select Save.
  4. Select OK.

Configuring disclaimer page for ethernet interface captive portals

While you can customize a disclaimer page for captive portals that connect via WiFi, the same can be done for wired connections. However, this can only be configured on the CLI Console, and only without configuring user groups.

When configuring a captive portal through the CLI, you may set security-groups to a specific user group. The result of this configuration will show an authentication form to users who wish to log in to the captive portal— not a disclaimer page. If you do not set any security-groups in your configuration, an “Allow all” status will be in effect, and the disclaimer page will be displayed for users.

The example CLI configuration below shows setting up a captive portal interface without setting security-groups, resulting in a disclaimer page for users:

config system interface edit “port1” set vdom “root” set ip 172.16.101.1 255.255.255.0 set allowaccess ping https ssh snmp http set type physical set explicit-web-proxy enable set alias “LAN”

set security-mode captive-portal

set snmp-index 1

next

end

Roaming support

Client devices can maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, uninterrupted access to latency sensitive applications such as VoIP is ensured.

The Cloud will push a random per-AP Network encryption key to the AP. The key is 32 bytes in length, and is used in captive portal fast roaming. All APs of an AP Network will use the same encryption key. This key is randomly generated, and will be updated daily.

Session timeout interval for captive portal

The following syntax can be set to configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 – 864000 (or no timeout to ten days). The default is set to 0.

Syntax

config wireless-controller vap edit <name> …

set captive-portal-session-timeout-interval <seconds>

next end

 

Configuration example – captive portal WiFi access control

In this scenario, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). This will make sure that user credentials are communicated securely through the captive portal.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.

Some FortiGate models may show the GUI path as WiFi & Switch Controller.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.

 

Supported RFCs

Supported RFCs

FortiOS supports the following RFCs.

BGP

l RFC 4724: Graceful Restart Mechanism for BGP l RFC 4456: BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) l RFC 4360: BGP Extended Communities Attribute l RFC 4271: A Border Gateway Protocol 4 (BGP-4) l RFC 2918: Route Refresh Capability for BGP-4 l RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing l RFC 2439: BGP Route Flap Damping l RFC 1997: BGP Communities Attribute l RFC 1930: Guidelines for creation, selection, and registration of an Autonomous System (AS) l RFC 1772: Application of the Border Gateway Protocol in the Internet

Cryptography

  • RFC 8031: Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement l RFC 7634: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec l RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension l RFC 7539: ChaCha20 and Poly1305 for IETF Protocols l RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) l RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation l RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) l RFC 7027: Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) l RFC 6989: Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
  • RFC 6954: Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol

Version 2 (IKEv2) l RFC 6290: A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) l RFC 6023: A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) l RFC 5723: Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption l RFC 5282: Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol

  • RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile l RFC 4754: IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) l RFC 4635: HMAC SHA TSIG Algorithm Identifiers l RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)

 

DHCP

  • RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol l RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) l RFC 3947: Negotiation of NAT-Traversal in the IKE l RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec l RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) l RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7 l RFC 2845: Secret Key Transaction Authentication for DNS (TSIG) l RFC 2631: Diffie-Hellman Key Agreement Method l RFC 2451: The ESP CBC-Mode Cipher Algorithms l RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec l RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV l RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH l RFC 2403: The Use of HMAC-MD5-96 within ESP and AH l RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 l RFC 2104: HMAC: Keyed-Hashing for Message Authentication l RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention l RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management l RFC 1321: The MD5 Message-Digest Algorithm l PKCS #12: PKCS 12 v1: Personal Information Exchange Syntax

DHCP

l RFC 4361: Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4) l RFC 3736: Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 l RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 l RFC 3456: Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode l RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6) l RFC 2132: DHCP Options and BOOTP Vendor Extensions l RFC 2131: Dynamic Host Configuration Protocol

Diffserv

l RFC 3260: New Terminology and Clarifications for Diffserv l RFC 2597: Assured Forwarding PHB Group l RFC 2475: An Architecture for Differentiated Services l RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 7

DNS

DNS

l RFC 6895: Domain Name System (DNS) IANA Considerations l RFC 6604: xNAME RCODE and Status Bits Clarification l RFC 6147: DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers l RFC 4592: The Role of Wildcards in the Domain Name System l RFC 4035: Protocol Modifications for the DNS Security Extensions l RFC 4034: Resource Records for the DNS Security Extensions l RFC 4033: DNS Security Introduction and Requirements l RFC 3597: Handling of Unknown DNS Resource Record (RR) Types l RFC 3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements l RFC 3007: Secure Domain Name System (DNS) Dynamic Update l RFC 2308: Negative Caching of DNS Queries (DNS NCACHE) l RFC 2181: Clarifications to the DNS Specification l RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE) l RFC 1996: A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) l RFC 1995: Incremental Zone Transfer in DNS l RFC 1982: Serial Number Arithmetic l RFC 1876: A Means for Expressing Location Information in the Domain Name System l RFC 1706: DNS NSAP Resource Records l RFC 1183: New DNS RR Definitions l RFC 1101: DNS Encoding of Network Names and Other Types l RFC 1035: Domain Names – Implementation and Specification l RFC 1034: Domain Names – Concepts and Facilities

ICMP

l RFC 6918: Formally Deprecating Some ICMPv4 Message Types l RFC 6633: Deprecation of ICMP Source Quench Messages l RFC 4884: Extended ICMP to Support Multi-Part Messages l RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification l RFC 1191: Path MTU Discovery l RFC 792: Internet Control Message Protocol

IP

  • RFC 5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6 l RFC 4301: Security Architecture for the Internet Protocol l RFC 3272: Overview and Principles of Internet Traffic Engineering

IP multicast

  • RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP l RFC 2072: Router Renumbering Guide l RFC 2071: Network Renumbering Overview: Why would I want it and what is it anyway?
  • RFC 1918: Address Allocation for Private Internets l RFC 1123: Requirements for Internet Hosts — Application and Support l RFC 1122: Requirements for Internet Hosts — Communication Layers l RFC 791: Internet Protocol

IP multicast

  • RFC 5059: Bootstrap Router (BSR) Mechanism for Protocol Independent Multicast (PIM)
  • RFC 4604: Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery

Protocol Version 2 (MLDv2) for Source-Specific Multicast l RFC 3973: Protocol Independent Multicast – Dense Mode (PIM-DM): Protocol Specification (Revised) l RFC 3956: Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address l RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses l RFC 2365: Administratively Scoped IP Multicast l RFC 1112: Host Extensions for IP Multicasting

IPsec

  • RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet

Security Association and Key Management Protocol (ISAKMP) l RFC 4303: IP Encapsulating Security Payload (ESP)

  • RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

IPv4

l RFC 6864: Updated Specification of the IPv4 ID Field l RFC 5177: Network Mobility (NEMO) Extensions for Mobile IPv4 l RFC 4632: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan l RFC 3927: Dynamic Configuration of IPv4 Link-Local Addresses l RFC 3021: Using 31-Bit Prefixes on IPv4 Point-to-Point Links l RFC 1812: Requirements for IP Version 4 Routers

IPv6

l RFC 6343: Advisory Guidelines for 6to4 Deployment l RFC 5175: IPv6 Router Advertisement Flags Option

9

IS-IS

  • RFC 5095: Deprecation of Type 0 Routing Headers in IPv6 l RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 l RFC 4862: IPv6 Stateless Address Autoconfiguration l RFC 4861: Neighbor Discovery for IP version 6 (IPv6) l RFC 4389: Neighbor Discovery Proxies (ND Proxy) l RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers l RFC 4193: Unique Local IPv6 Unicast Addresses l RFC 4007: IPv6 Scoped Address Architecture l RFC 3971: SEcure Neighbor Discovery (SEND) l RFC 3596: DNS Extensions to Support IP Version 6 l RFC 3587: IPv6 Global Unicast Address Format l RFC 3493: Basic Socket Interface Extensions for IPv6 l RFC 3056: Connection of IPv6 Domains via IPv4 Clouds l RFC 3053: IPv6 Tunnel Broker l RFC 2894: Router Renumbering for IPv6 l RFC 2675: IPv6 Jumbograms l RFC 2185: Routing Aspects Of IPv6 Transition
  • RFC 1752: The Recommendation for the IP Next Generation Protocol

IS-IS

l RFC 5310: IS-IS Generic Cryptographic Authentication l RFC 5308: Routing IPv6 with IS-IS l RFC 3359: Reserved Type, Length and Value (TLV) Codepoints in Intermediate System to Intermediate System l RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments

LDAP

  • RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms l RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models l RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol
  • RFC 3494: Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status

MPLS

  • RFC 7026: Retiring TLVs from the Associated Channel Header of the MPLS Generic Associated Channel l RFC 6426: MPLS On-Demand Connectivity Verification and Route Tracing l RFC 6425: Detecting Data-Plane Failures in Point-to-Multipoint MPLS – Extensions to LSP Ping l RFC 6423: Using the Generic Associated Channel Label for Pseudowire in the MPLS Transport Profile (MPLS-TP) l RFC 5586: MPLS Generic Associated Channel

 

NAT

  • RFC 5462: Multiprotocol Label Switching (MPLS) Label Stack Entry: “EXP” Field Renamed to “Traffic Class” Field l RFC 5332: MPLS Multicast Encapsulations l RFC 5129: Explicit Congestion Marking in MPLS l RFC 4448: Encapsulation Methods for Transport of Ethernet over MPLS Networks l RFC 4182: Removing a Restriction on the use of MPLS Explicit NULL l RFC 3564: Requirements for Support of Differentiated Services-aware MPLS Traffic Engineering l RFC 3469: Framework for Multi-Protocol Label Switching (MPLS)-based Recovery l RFC 3443: Time To Live (TTL) Processing in Multi-Protocol Label Switching (MPLS) Networks l RFC 3270: Multi-Protocol Label Switching (MPLS) Support of Differentiated Services l RFC 3032: MPLS Label Stack Encoding

NAT

  • RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs) l RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers l RFC 4966: Reasons to Move the Network Address Translator – Protocol Translator (NAT-PT) to Historic Status l RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP l RFC 4380: Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs) l RFC 3948: UDP Encapsulation of IPsec ESP Packets
  • RFC 3022: Traditional IP Network Address Translator (Traditional NAT)

OSPF

l RFC 6860: Hiding Transit-Only Networks in OSPF l RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type l RFC 5340: OSPF for IPv6 l RFC 4812: OSPF Restart Signaling l RFC 4811: OSPF Out-of-Band Link State Database (LSDB) Resynchronization l RFC 4203: OSPF Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) l RFC 3630: Traffic Engineering (TE) Extensions to OSPF Version 2 l RFC 3623: Graceful OSPF Restart l RFC 3509: Alternative Implementations of OSPF Area Border Routers l RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option l RFC 2328: OSPF Version 2 l RFC 1765: OSPF Database Overflow l RFC 1370: Applicability Statement for OSPF

PPP

PPP

  • RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE) l RFC 2364: PPP Over AAL5
  • RFC 1661: The Point-to-Point Protocol (PPP)

RADIUS

  • RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) l RFC 2866: RADIUS Accounting
  • RFC 2548: Microsoft Vendor-specific RADIUS Attributes

RIP

l RFC 4822: RIPv2 Cryptographic Authentication l RFC 2453: RIP Version 2 l RFC 2080: RIPng for IPv6 l RFC 1724: RIP Version 2 MIB Extension l RFC 1058: Routing Information Protocol

SIP

l RFC 3960: Early Media and Ringing Tone Generation in the Session Initiation Protocol (SIP) l RFC 3325: Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks l RFC 3262: Reliability of Provisional Responses in the Session Initiation Protocol (SIP) l RFC 3261: SIP: Session Initiation Protocol

SNMP

  • RFC 4293: Management Information Base for the Internet Protocol (IP) l RFC 4273: Definitions of Managed Objects for BGP-4 l RFC 4113: Management Information Base for the User Datagram Protocol (UDP) l RFC 4022: Management Information Base for the Transmission Control Protocol (TCP) l RFC 3635: Definitions of Managed Objects for the Ethernet-like Interface Types l RFC 3417: Transport Mappings for the Simple Network Management Protocol (SNMP) l RFC 3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) l RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) SSL
  • RFC 3413: Simple Network Management Protocol (SNMP) Applications l RFC 3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) l RFC 3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management

Frameworks l RFC 3410: Introduction and Applicability Statements for Internet Standard Management Framework l RFC 2863: The Interfaces Group MIB l RFC 2578: Structure of Management Information Version 2 (SMIv2)

  • RFC 1238: CLNS MIB for use with Connectionless Network Protocol (ISO 8473) and End System to Intermediate

System (ISO 9542) l RFC 1215: A Convention for Defining Traps for use with the SNMP l RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-II l RFC 1212: Concise MIB Definitions l RFC 1157: A Simple Network Management Protocol (SNMP) l RFC 1156: Management Information Base for Network Management of TCP/IP-based internets l RFC 1155: Structure and Identification of Management Information for TCP/IP-based Internets

SSL

l RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 l RFC 6101:The Secure Sockets Layer (SSL) Protocol Version 3.0

TCP

l RFC 6691: TCP Options and Maximum Segment Size (MSS) l RFC 6298: Computing TCP’s Retransmission Timer l RFC 6093: On the Implementation of the TCP Urgent Mechanism l RFC 793: Transmission Control Protocol

TLS

l RFC 6347: Datagram Transport Layer Security Version 1.2 l RFC 6066:Transport Layer Security (TLS) Extensions: Extension Definitions l RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension l RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog l RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 l RFC 4681: TLS User Mapping Extension l RFC 4680: TLS Handshake Message for Supplemental Data

VPN

VPN

  • RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling
  • RFC 4684: Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS)

Internet Protocol (IP) Virtual Private Networks (VPNs) l RFC 4577: OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs) l RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs)

  • RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements

Other protocols

l RFC 5357: A Two-Way Active Measurement Protocol (TWAMP) l RFC 5214: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) l RFC 4960: Stream Control Transmission Protocol l RFC 4251: The Secure Shell (SSH) Protocol Architecture l RFC 3435: Media Gateway Control Protocol (MGCP) Version 1.0 l RFC 3376 : Internet Group Management Protocol, Version 3 l RFC 2890: Key and Sequence Number Extensions to GRE l RFC 2784: Generic Routing Encapsulation (GRE) l RFC 2661: Layer Two Tunneling Protocol “L2TP” l RFC 2637: Point-to-Point Tunneling Protocol (PPTP) l RFC 2412: The OAKLEY Key Determination Protocol l RFC 2225: Classical IP and ARP over ATM l RFC 2033: Local Mail Transfer Protocol l RFC 1413: Identification Protocol l RFC 1011: Official Internet Protocols l RFC 862: Echo Protocol l RFC 768: User Datagram Protocol l The TACACS+ Protocol

Miscellaneous

  • RFC 7348: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2

Networks over Layer 3 Networks l RFC 4784: Verizon Wireless Dynamic Mobile IP Key Update for cdma2000(R) Networks for cdma2000(R) Networks l RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing l RFC 3985: Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture l RFC 2979: Behavior of and Requirements for Internet Firewalls

Miscellaneous

  • RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address

Spoofing l RFC 2780: IANA Allocation Guidelines For Values In the Internet Protocol and Related Headers l RFC 2647: Benchmarking Terminology for Firewall Performance l RFC 2644: Changing the Default for Directed Broadcasts in Routers l RFC 2231: MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations l RFC 1945: Hypertext Transfer Protocol — HTTP/1.0 l RFC 950: Internet Standard Subnetting Procedure l RFC 894: A Standard for the Transmission of IP Datagrams over Ethernet Networks

Security best practices

Security best practices

This chapter describes some techniques and best practices that you can use to improve FortiOS security.

Install the FortiGate unit in a physically secure location

A good place to start with is physical security. Install your FortiGate in a secure location, such as a locked room or one with restricted access. A restricted location prevents unauthorized users from getting physical access to the device.

If unauthorized users have physical access, they can disrupt your entire network by disconnecting your FortiGate (either by accident or on purpose). They could also connect a console cable and attempt to log into the CLI. Also, when a FortiGate unit reboots, a person with physical access can interrupt the boot process and install different firmware.

Register your product with Fortinet Support

You need to register your Fortinet product with Fortinet Support to receive customer services, such as firmware updates and customer support. You must also register your product for FortiGuard services, such as up-to-date antivirus and IPS signatures. To register your product the Fortinet Support website.

Keep your FortiOS firmware up to date

Always keep FortiOS up to date. The most recent version is the most stable and has the most bugs fixed and vulnerabilities removed. Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues.

After you register your FortiGate, you can receive notifications on FortiGate GUI about firmware updates. You can update the firmware directly from the GUI or by downloading firmware updates from the Fortinet Support website.

Before you install any new firmware, be sure to follow these steps:

  • Review the release notes for the latest firmware release.
  • Review the Supported Upgrade Paths guide to determine the best path to take from your current version of FortiOS to the latest version.
  • Back up the current configuration.

Only FortiGate administrators who have read and write privileges can upgrade the FortiOS firmware.

System administrator best practices

This section describes a collection of changes you can implement to make administrative access to the GUI and CLI more secure.

Disable administrative access to the external (Internet-facing) interface

When possible, don’t allow administration access on the external (Internet-facing) interface.

To disable administrative access, go to Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.

From the CLI:

config system interface edit <external-interface-name> unset allowaccess

end

Allow only HTTPS access to the GUI and SSH access to the CLI

For greater security never allow HTTP or Telnet administrative access to a FortiGate interface, only allow HTTPS and SSH access. You can change these settings for individual interfaces by going to Network > Interfaces and adjusting the administrative access to each interface.

From the CLI:

config system interface edit <interface-name> set allowaccess https ssh

end

Require TLS 1.2 for HTTPS administrator access

Use the following command to require TLS 1.2 for HTTPS administrator access to the GUI:

config system global set admin-https-ssl-versions tlsv1-2

end

TLS 1.2 is currently the most secure SSL/TLS supported version for SSL-encrypted administrator access.

Re-direct HTTP GUI logins to HTTPS

Go to System > Settings > Administrator Settings and enable Redirect to HTTPS to make sure that all attempted HTTP login connections are redirected to HTTPS.

From the CLI:

config system global set admin-https-redirect enable end

 

Change the HTTPS and SSH admin access ports to non-standard ports

Go to System > Settings > Administrator Settings and change the HTTPS and SSH ports.

You can change the default port configurations for HTTPS and SSH administrative access for added security. To connect to a non-standard port, the new port number must be included in the collection request. For example:

l If you change the HTTPS port to 7734, you would browse to https://<ip-address>:7734. l If you change the SSH port to 2345, you would connect to ssh admin@<ip-address>:2345 To change the HTTPS and SSH login ports from the CLI:

config system global set admin-sport 7734 set admin-ssh-port 2345

end

If you change to the HTTPS or SSH port numbers, make sure your changes do not conflict with ports used for other services.

Maintain short login timeouts

Set the idle timeout to a short time to avoid the possibility of an administrator walking away from their management computer and leaving it exposed to unauthorized personnel.

To set the administrator idle timeout, go to System > Settings and enter the amount of time for the Idle timeout. A best practice is to keep the default time of 5 minutes.

To set the administrator idle timeout from the CLI:

config system global set admintimeout 5

end

You can use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). By shortening this time, you can decrease the chances of someone attempting a brute force attack a from being successful. For example, you could set the time to 30 seconds.

config system global set admin-ssh-grace-time 30

end

Restrict logins from trusted hosts

Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted hosts configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When you identify a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.

System administrator best practices

To identify trusted hosts, go to System > Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.

To add two trusted hosts from the CLI:

config system admin edit <administrator-name> set trustedhost1 172.25.176.23 255.255.255.255 set trustedhost2 172.25.177.0 255.255.255.0

end

Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When you configure trusted hosts, start by adding specific addresses at the top of the list. Follow with more general IP addresses. You don’t have to add addresses to all of the trusted hosts as long as all specific addresses are above all of the 0.0.0.0 0.0.0.0 addresses.

Set up two-factor authentication for administrators

FortiOS supports FortiToken and FortiToken Mobile 2-factor authentication. FortiToken Mobile is available for iOS and Android devices from their respective application stores.

Every registered FortiGate unit includes two trial tokens for free. You can purchase additional tokens from your reseller or from Fortinet.

To assign a token to an administrator, go to System > Administrators and select Enable Two-factor Authentication for each administrator.

Create multiple administrator accounts

Rather than allowing all administrators to access ForiOS with the same administrator account, you can create accounts for each person or each role that requires administrative access. This configuration allows you to track the activities of each administrator or administrative role.

If you want administrators to have different functions you can add different administrator profiles. Go to System > Admin Profiles and select Create New.

Modify administrator account lockout duration and threshold values

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds>

end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Global commands for stronger and more secure encryption

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global set admin-lockout-threshold 1 set admin-lockout-duration 300 end

If the time span between the first failed login attempt and the admin-lockoutthreshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.

Rename the admin administrator account

You can improve security by renaming the admin account. To do this, create a new administrator account with the super_admin admin profile and log in as that administrator. Then go to System > Administrators and edit the admin administrator and change the User Name. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.

Add administrator disclaimers

FortiOS can display a disclaimer before or after logging into the GUI or CLI (or both). In either case the administrator must read and accept the disclaimer before they can proceed.

Use the following command to display a disclaimer before logging in:

config system global set pre-login-banner enable

end

Use the following command to display a disclaimer after logging in:

config system global set post-login-banner enable

end

You can customize the replacement messages for these disclaimers by going to System > Replacement Messages. Select Extended View to view and edit the Administrator replacement messages.

From the CLI:

config system replacemsg admin pre_admin-disclaimer-text config system replacemsg admin post_admin-disclaimer-text

Global commands for stronger and more secure encryption

This section describes some best practices for employing stronger and more secure encryption.

Disable sending malware statistics to FortiGuard

Turn on global strong encryption

Enter the following command to configure FortiOS to use only strong encryption and allow only strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS, SSH, TLS, and SSL functions.

config sys global set strong-crypto enable

end

Disable MD5 and CBC for SSH

In some cases, you may not be able to enable strong encryption. For example, your FortiGate may be communicating with a system that does not support strong encryption. With strong-crypto disabled you can use the following options to prevent SSH sessions with the FortiGate from using less secure MD5 and CBC algorithms:

config sys global set ssh-hmac-md5 disable set ssh-cbc-cipher disable

end

Disable static keys for TLS

You can use the following command to prevent TLS sessions from using static keys (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256):

config sys global set ssl-static-key-ciphers disable

end

Require larger values for Diffie-Hellman exchanges

Larger Diffie-Hellman values result in stronger encryption. Use the following command to force Diffie-Hellman exchanges to use 8192 bit values (the highest configurable DH value).

config sys global set dh-params 8192

end

Disable sending malware statistics to FortiGuard

By default FortiOS periodically sends encrypted malware statistics to FortiGuard. The malware statistics record Antivirus, IPS, or Application Control events. This data is used to improved FortiGuard services. The malware statistics that FortiOS sends do not include any personal or sensitive customer data. The information is not shared with any external parties and is used in accordance with Fortinet’s Privacy Policy.

To disable sending malware statistics to FortiGuard, enter the following command: config system global set fds-statistics disable

end

Disable sending Security Rating statistics to FortiGuard

Security Rating is a Fortinet Security Fabric feature that allows customers to audit their Security Fabric and find and fix security problems. As part of the feature, FortiOS sends your security rating to FortiGuard every time a security rating test runs.

You can opt out of submitting Security Rating scores to FortiGuard. If you opt out you won’t be able to see how your organization’s scores compare with the scores of other organizations. Instead, an absolute score is shown. Use the following command to disable FortiGuard Security Rating result submission:

config system global set fortiguard-audit-result-submission disable

end

Disable auto USB installation

If USB installation is enabled, an attacker with physical access to a FortiGate could load a new configuration or firmware on the FortiGate using the USB port. You can disable USB installation by entering the following from the CLI:

config system auto-install set auto-install-config disable set auto-install-image disable

end

Set system time by synchronizing with an NTP server

For accurate time, use an NTP server to set system time. Synchronized time facilitates auditing and consistency between expiry dates used in expiration of certificates and security protocols.

From the GUI go to System > Settings > System Time and select Synchronize with NTP Server. By default, this causes FortiOS to synchronize with Fortinet’s FortiGuard secure NTP server.

From the CLI you can use one or more different NTP servers:

config system ntp set type custom set ntpsync enable config ntpserver edit 1 set server <ntp-server-ip>

next edit 2 set server <other-ntp-server-ip> end

Disable the maintainer admin account

Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI without a password. This feature allows you to log into a FortiGate if you have lost all administrator passwords. See Resetting a lost Admin password on the Fortinet Cookbook for details.

The maintainer account can be disabled using the following command:

config system global set admin-maintainer disable

end

Enable password policies

Go to System > Settings > Password Policy, to create a password policy that all administrators must follow. Using the available options you can define the required length of the password, what it must contain (numbers, upper and lower case, and so on) and an expiry time.

Use the password policy feature to make sure all administrators use secure passwords that meet your organization’s requirements.

Configure auditing and logging

For optimum security go to Log & Report > Log Settings enable Event Logging. For best results send log messages to FortiAnalyzer or FortiCloud.

From FortiAnalyzer or FortiCloud, you can view reports or system event log messages to look for system events that may indicate potential problems. You can also view system events by going to FortiView > System Events.

Establish an auditing schedule to routinely inspect logs for signs of intrusion and probing.

Encrypt logs sent to FortiAnalyzer/FortiManager

To keep information in log messages sent to FortiAnalyzer private, go to Log & Report > Log Settings and when you configure Remote Logging to FortiAnalyzer/FortiManager select Encrypt log transmission.

From the CLI.

config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting set enc-algorithm high end

Disable unused interfaces

To disable an interface from the GUI, go to Network > Interfaces. Edit the interface to be disabled and set Interface State to Disabled.

From the CLI, to disable the port21 interface:

config system interface edit port21 set status down

end

Disable unused protocols on interfaces

You can use the config system interface command to disable unused protocols that attackers may attempt to use to gather information about a FortiGate unit. Many of these protocols are disabled by default. Using the config system interface command you can see the current configuration of each of these options for the selected interface and then choose to disable them if required.

config system interface edit <interface-name> set dhcp-relay-service disable set pptp-client disable set arpforward disable set broadcast-forward disable set l2forward disable set icmp-redirect disable set vlanforward disable set stpforward disable set ident-accept disable set ipmac disable set netbios-forward disable set security-mode none set device-identification disable set lldp-transmission disable end

Option Description
dhcp-relay-service Disable the DHCP relay service.
pptp-client Disable operating the interface as a PPTP client.
arpforward Disable ARP forwarding.
broadcast-forward Disable forwarding broadcast packets.
l2forward Disable layer 2 forwarding.
icmp-redirect Disable ICMP redirect.

 

Option Description
vlanforward Disable VLAN forwarding.
stpforward Disable STP forwarding.
ident-accept Disable authentication for this interface. The interface will not respond to a connection with an authentication prompt.
ipmac Disable IP/MAC binding.
netbios-forward Disable NETBIOS forwarding.
security-mode Set to none to disable captive portal authentication. The interface will not respond to a connection with a captive portal.
device-identification Disable device identification.
lldp-transmission Disable link layer discovery (LLDP).

Use local-in policies to close open ports or restrict access

You can also use local-in policies to close open ports or otherwise restrict access to FortiOS.

Close ICMP ports

Use the following command to close all ICMP ports on the WAN1 interface. The following example blocks traffic that matches the ICMP_ANY firewall service.

config firewall local-in-policy edit 1 set intf wan1 set scraddr all set dstaddr all set action deny set service ICMP_ANY set schedule always

end

Close the BGP port

Use the following command to close the BGP port on the wan1 interface. The following example blocks traffic that matches the BGP firewall service.

config firewall local-in-policy edit 1 set intf wan1 set scraddr all set dstaddr all

Use local-in policies to close open ports or restrict access

set action deny set service BGP set schedule always end

FortiOS ports and protocols

FortiOS ports and protocols

Communication to and from FortiOS is strictly controlled and only selected ports are opened for supported functionality such as administrator logins and communication with other Fortinet products or services.

Accessing FortiOS using an open port is protected by authentication, identification, and encryption requirements. As well, ports are only open if the feature using them is enabled.

FortiOS open ports

The following diagram and tables shows the incoming and outgoing ports that are potentially opened by FortiOS. For more details about open ports and the communication protocols that FortiOS uses, see the document Fortinet Communication Ports and Protocols.

Closing open ports

You can close open ports by disabling the feature that opens them. For example, if FortiOS is not managing a FortiAP then the CAPWAP feature for managing FortiAPs can be disabled, closing the CAPWAP port.

The following sections of this document described a number of options for closing open ports:

FortiOS 6.2.0 Release Notes

Introduction and supported models

This guide provides release information for FortiOS 6.2.0 build 0866.

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.2.0 supports the following models.

FortiGate FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60E,

FG-60E-POE, FG-61E, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E,

FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E,

FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D,

FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1

FortiWiFi FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E
FortiGate Rugged FGR-30D, FGR-35D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,

FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN
FortiOS Carrier FortiOS Carrier 6.2.0 images are delivered on request and are not available on the Beta portal.

Special Notices

  • FortiGuard Security Rating Service l FortiGate hardware limitation l CAPWAP traffic offloading
  • FortiClient (Mac OS X) SSL VPN requirements l Use of dedicated management interfaces (mgmt1 and mgmt2) l Using FortiAnalyzer units running older versions on page 8

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model: l FGR-30D l FGR-35D l FGT-30E l FGT-30E-MI l FGT-30E-MN l FGT-50E l FGT-51E l FGT-52E l FWF-30E l FWF-30E-MI l FWF-30E-MN l FWF-50E-2R l FWF-50E l FWF-51E

FortiGate hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form. l IPv6 packets being dropped. l FortiSwitch devices failing to be discovered. l Spanning tree loops may result depending on the network topology.

Special Notices                                                                                                                                                          7

FG-92D does not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed. l BPDUs are dropped and therefore no STP loop results. l PPPoE packets are dropped. l IPv6 packets are dropped. l FortiSwitch devices are not discovered. l HA may fail to form depending the network topology.

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result.

CAPWAP traffic offloading

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip. The following models are affected: l FG-900D l FG-1000D l FG-2000E l FG-2500E

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

 

Special Notices

Using FortiAnalyzer units running older versions

When using FortiOS 6.2.0 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report increased bandwidth and session counts if there are sessions that last longer than two minutes.

For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 5.6.6 or higher, or 6.0.2 or higher.

Changes in default behavior

Firewall

Remove dependency of ssl-ssh-profile on utm-status under firewall policy (531885).

Previous releases 6.2.0 release
You must enable utm-status under firewall policy before configuring ssl-ssh-profile. You can configure ssl-ssh-profile by itself. When you upgrade, this configuration is added to the existing firewall policy.

Log & Report

Previous releases 6.2.0 release
Super admin: can back up and restore configuration file.

Global admin: can back up and restore configuration file.

Super admin: can back up and restore configuration file. Global admin: can only back up configuration file.

Starting from the 6.2.0 release, exe log list displays the result of the current log device.

Previous releases 6.2.0 release
exe log list only lists the disk log file. exe log list lists the log file from the current log device (disk/memory).

exe log list shows the memory log file in exe log filter device memory.

exe log list shows the disk log file in exe log filter device disk.

Separate policy and address log-uuid options into two individual options.

Previous releases 6.2.0 release
config system global set log-uuid [policy-only | extended |

disable] end

config system global set log-uuid-policy [enable | disable] set log-uuid-address [enable | disable] end

System

Starting from the 6.2.0 release, Global admin can only back up but not restore the configuration file. default behavior

Previous releases 6.2.0 release
VDOM admin: can back up and restore VDOM

configuration file with full Admin and Maintenance permission.

VDOM admin: can back up and restore VDOM

configuration file with full Admin and Maintenance permission.

Devices configured under security-exempt-list are void after upgrading to 6.2.0.

Previous releases 6.2.0 release
config user security-exempt-list edit “1” set description “device” config rule edit 1 set devices “linux-pc”

next edit 2 set srcaddr “10-1-100-0”

next

end

next

end

config user security-exempt-list edit “1” set description “device” config rule edit 2 set srcaddr “10-1-100-0”

next

end

next

end

 

Changes in CLI defaults

Anti-Spam

Rename spamfilter to emailfilter.

Previous releases 6.2.0 release
config spamfilter bwl end

config spamfilter profile end

config firewall policy edit [Policy ID] set spamfilter-profile [Profile Name]

next end

config emailfilter bwl end

config emailfilter profile end

config firewall policy edit [Policy ID] set emailfilter-profile [Profile Name]

next end

Data Leak Prevention

Rename DLP fp-sensitivity to sensitivity.

Previous releases 6.2.0 release
config dlp fp-sensitivity end config dlp sensitivity end

Firewall

Rename utm-inspection-mode to inspection-mode under firewall policy.

Previous releases 6.2.0 release
config firewall policy edit [Policy ID] set utm-inspection-mode [proxy | flow]

next end

config firewall policy edit [Policy ID] set inspection-mode [proxy | flow]

next end

 

Add a new direction command to Internet service group. Members are filtered according to the direction selected. The direction of a group cannot be changed after it is set.

Previous releases 6.2.0 release
config firewall internet-service-group edit [Internet Service Group Name] set member 65537 65538

next end

config firewall internet-service-group edit [Internet Service Group Name] set direction [source | destination |

both] set member 65537 65538

next end

FortiView

Previous releases 6.2.0 release
execute ha manage [ID] execute ha manage [ID] [admin-username]

The following FortiView CLI has been changed in this release.

Previous releases 6.2.0 release
config system admin

edit [User Name]

config gui

edit [Dashboard ID] config widget edit [Widget ID] set type fortiview set report-by source <- removed set timeframe realtime <- removed set sort-by “bytes” <- removed set visualization table <- removed

next

end

next

end next end

config system admin

edit [User Name]

config gui

edit [Dashboard ID] config widget

edit [Widget ID]

set type fortiview set fortiview-type ” <- added set fortiview-sort-by ” <- added set fortiview-timeframe ” <- added set fortiview-visualization ” <- added set fortiview-device ” <- added

next

end next

end next end

HA

The CLI command for HA member management is changed.

Intrusion Prevention

Move Botnet configuration option from interface level and policy level to IPS profile.

Previous releases 6.2.0 release
config system interface edit [Interface Name] set scan-botnet-connections

block | monitor] next

end

config firewall policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall proxy-policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall interface-policy edit [Policy ID] set scan-botnet-connections

block | monitor] next

end

config firewall sniffer edit [Policy ID] set scan-botnet-connections

block | monitor] next end

[disable

[disable

[disable

[disable

[disable

|

|

|

|

|

config ips sensor edit [Sensor name] set scan-botnet-connections [disable |

block | monitor] next end

IPsec VPN

Add net-device option under static/DDNS tunnel configuration.

Previous releases 6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns]

next end

config vpn ipsec phase1-interface edit [Tunnel Name] set type [static | ddns] set net-device [enable | disable]

next end

Log & Report

Move botnet-connection detection from malware to log threat-weight.

Previous releases 6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high

| medium | low | disable] end end

config log threat-weight set botnet-connection [critical | high

| medium | low | disable] end

SDS.

Previous releases 6.2.0 release
config log threat-weight config malware set botnet-connection [critical | high

| medium | low | disable] end end

config log threat-weight set botnet-connection [critical | high

| medium | low | disable] end

Add new certificate verification option under FortiAnalyzer setting.

Previous releases 6.2.0 release
config log fortianalyzer setting set status enable

set server [FortiAnalyzer IP address] end

config log fortianalyzer setting set status enable set server [FortiAnalyzer IP address] set certificate-verification [enable |

disable] set serial [FortiAnalyzer Serial number] set access-config [enable | disable] end

Proxy

Move SSH redirect option from firewall ssl-ssh-profile to firewall policy.

Previous releases 6.2.0 release
config firewall ssl-ssh-profile edit [Profile Name] config ssh set ssh-policy-check [enable | disable]

end

next end

config firewall policy

edit [Policy ID]

set ssh-policy-redirect [enable | disable]

next end

Move HTTP redirect option from profile protocol option to firewall policy.

Previous releases 6.2.0 release
config firewall profile-protocol-option edit [Profile Name] config http set http-policy [enable | disable]

end

next end

config firewall policy

edit [Policy ID]

set http-policy-redirect [enable | disable]

next end

Move UTM inspection mode from VDOM setting/AV profile/webfilter profile/emailfilter profile/DLP sensor to firewall policy.

Previous releases 6.2.0 release
config system setting set inspection-mode [proxy |

end

config antivirus profile edit [Profile Name] set inspection-mode [proxy

next

end

config webfilter profile edit [Profile Name] set inspection-mode [proxy

flow]

| flow-based]

| flow-based]

config firewall policy edit [Policy ID] set inspection-mode [flow | proxy]

next end

Previous releases 6.2.0 release
next

end

config spamfilter profile edit [Profile Name] set flow-based [enable | disable]

next

end

config dlp sensor edit [Sensor Name] set flow-based [enable | disable]

next end

Routing

For compatibility with the API, the CLI command for OSPF MD5 is changed from a single line configuration to sub-table configuration.

Previous releases 6.2.0 release
config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5

set md5-key [Key ID] [Key String Value]

next

end end

config router ospf config ospf-interface edit [Interface Entry Name] set interface [Interface] set authentication md5 config md5-keys edit [Key ID] set key-string [Key String Value]

next

end

next

end end

The name internet-service-ctrl and internet-service-ctrl-group is changed to internetservice-app-ctrl and internet-service-app-ctrl-group to specify it’s using application control.

Previous releases 6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-ctrl

[Application ID] set internet-service-ctrl-group

[Group Name] next

end end

config system virtual-wan-link config service edit [Priority Rule ID] set internet-service enable set internet-service-app-ctrl

[Application ID] set internet-service-app-ctrl-group

[Group Name] next

end end

Add cost for each SD-WAN member so that in the SLA mode in a SD-WAN rule, if SLAs are met for each member, the selection is based on the cost.

Previous releases 6.2.0 release
config system virtual-wan-link config member edit [Sequence Number]

next

end end

config system virtual-wan-link config member edit [Sequence Number] set cost [Value]

next

end end

Add a load-balance mode for SD-WAN rule. When traffic matches this rule, this traffic should be distributed based on the LB algorithm.

Previous releases 6.2.0 release
config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority |

sla] next

end end

config system virtual-wan-link config service edit [Priority Rule ID] set mode [auto | manual | priority |

sla | load-balance] next

end end

Security Fabric

Add control to collect private or public IP address in SDN connectors.

Previous releases 6.2.0 release
config firewall address

edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws

set filter “tag.Name=publicftp”

next end

config firewall address

edit [Address Name] set type dynamic set comment ” set visibility enable set associated-interface ” set sdn aws

set filter “tag.Name=publicftp” set sdn-addr-type [private | public | all]

next end

Add generic support for integrating ET products (FortiADC, FortiMail, FortiWeb, FortiDDoS, FortiWLC) with Security Fabric.

Previous releases 6.2.0 release
config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set device-type fortimail set login [Login Name] set password [Login Password]

next

end end

config system csf config fabric-device edit [Device Name] set device-ip [Device IP] set https-port 443

set access-token [Device Access Token]

next

end end

Add support for multiple SDN connectors under dynamic firewall address.

Previous releases 6.2.0 release
config firewall address edit [Address Name] set type dynamic set color 2 set sdn azure

set filter “location=NorthEurope”

next end

config firewall address edit [Address Name] set type dynamic set color 2 set sdn [SDN connector instance] set filter “location=NorthEurope”

next end

System

Add split VDOM mode configuration.

Previous releases 6.2.0 release
config global set vdom-admin [enable | disable] end config global set vdom-admin [no-vdom | split-vdom |

multi-vdom] end

WiFi Controller

Remove http and telnet in allowaccess options under wireless-controller wtp-profile and wireless-controller wtp.

Previous releases 6.2.0 release
config wireless-controller wtp-profile edit [WTP Profile Name]

set allowaccess http | https | telnet |

ssh next

end

config wireless-controller wtp

edit [WTP ID] set override-allowaccess enable set allowaccess http | https | telnet |

ssh next end

config wireless-controller wtp-profile edit [WTP Profile Name] set allowaccess https | ssh

next

end

config wireless-controller wtp

edit [WTP ID] set override-allowaccess enable set allowaccess https | ssh

next end

 

Changes in default values

Firewall

The default profile for ssl-ssh-profile is changed from certificate-inspection to no-inspection.

Previous releases 6.2.0 release
Config firewall policy

edit [Policy ID]

set ssl-ssh-profile certificateinspection   next end

Config firewall policy

edit [Policy ID]

set ssl-ssh-profile no-inspection

next end

IPsec VPN

The default value for net-device option under dynamic(dialup) tunnel has changed from disable to enable.

Previous releases 6.2.0 release
config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device disable

next end

config vpn ipsec phase1-interface edit [Tunnel Name] set type dynamic set net-device enable

next end

Log & Report

The default value, minimum value, and maximum value for memory log is changed.

Previous releases 6.2.0 release
config log memory global-setting set max-size 65536 end config log memory global-setting set max-size [1% of total RAM] end

Changes in default values                                                                                                                                         21

Routing

The default SD-WAN health-check interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases 6.2.0 release
config system virtual-wan-link config health-check edit [Health Check Name] set interval 1

next

end end

config system virtual-wan-link config health-check edit [Health Check Name] set interval 500

next

end end

The default link-monitor interval is changed from 1 to 500 and the unit is changed from seconds to milliseconds.

Previous releases 6.2.0 release
config system link-monitor edit [Link Monitor Name] set interval 1

next end

config system link-monitor edit [Link Monitor Name] set interval 500

next end

System

The default protocol used for FortiGuard service communication is changed from UDP to HTTPS.

The protocol setting remains unchanged for FortiGates upgrading from v6.0 to v6.2.

Previous releases 6.2.0 release
config system fortiguard set protocol udp set port 8888 end config system fortiguard set protocol https set port 8888 end

Changes in default values

Switch Controller

The default value for FortiLink split interface is changed from disable to enable.

Previous releases 6.2.0 release
config system interface edit [FortiLink Interface] set fortilink enable

set fortilink-split-interface disable

next end

config system interface edit [FortiLink Interface] set fortilink enable

set fortilink-split-interface enable

next end

WiFi Controller

The default value of broadcast-suppression under wireless vap is changed from dhcp-up arp-known to dhcp-up arp-known dhcp-ucast.

Previous releases 6.2.0 release
config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up arp-

known next end

config wireless-controller vap edit [vap-name] set broadcast-suppression dhcp-up dhcp-

ucast arp-known next end

The default value of control-message-offload under wireless-controller wtp-profile is changed from ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu to ebpframe aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health.

Previous releases 6.2.0 release
config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu next end config wireless-controller wtp-profile edit [FAP Profile Name] set control-message-offload ebp-frame aeroscout-tag ap-list sta-list sta-cap-list stats aeroscout-mu sta-health next end

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

  1. Go to https://support.fortinet.com.
  2. From the Download menu, select Firmware Images.
  3. Check that Select Product is FortiGate.
  4. Click the Upgrade Path tab and select the following:

l Current Product l Current FortiOS Version l Upgrade To FortiOS Version

  1. Click Go.

FortiClient Endpoint Telemetry license

Starting with FortiOS 6.2.0, the FortiClient Endpoint Telemetry license is deprecated and as a result there are two upgrade scenarios:

  • Customers using only a FortiGate device in FortiOS 6.0 to enforce compliance must install FortiClient EMS 6.2.0 and purchase a FortiClient Security Fabric Agent License.
  • Customers using both a FortiGate device in FortiOS 6.0 and FortiClient EMS running 6.0 for compliance enforcement, must upgrade both the FortiGate device to FortiOS 6.2.0, FortiClient to 6.2.0, and FortiClient EMS to 6.2.0.

Fortinet Security Fabric upgrade

FortiOS 6.2.0 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 6.2.0 l FortiClient EMS 6.2.0 l FortiClient 6.2.0 l FortiAP 5.4.4 and later l FortiSwitch 3.6.9 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.2.0. When Security Fabric is enabled in FortiOS 6.2.0, all FortiGate devices must be running FortiOS 6.2.0.

 

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.2.0 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.

When you upgrade to FortiOS 6.2.0 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.

l Email server (config system email-server) l Certificate (config vpn certificate setting) l FortiSandbox (config system fortisandbox) l FortiGuard (config log fortiguard setting) l FortiAnalyzer (config log fortianalyzer setting) l LDAP server (config user ldap) l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l admin user account l session helpers l system access profiles

Amazon AWS enhanced networking compatibility issue

With this enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.2.0 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 6.2.0 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

FortiLink access-profile setting

The new FortiLink local-access profile controls access to the physical interface of a FortiSwitch that is managed by FortiGate.

After upgrading FortiGate to 6.2.0, the interface allowaccess configuration on all managed FortiSwitches are overwritten by the default FortiGate local-access profile. You must manually add your protocols to the localaccess profile after upgrading to 6.2.0.

To configure local-access profile:

config switch-controller security-policy local-access edit [Policy Name] set mgmt-allowaccess https ping ssh set internal-allowaccess https ping ssh

next

end

To apply local-access profile to managed FortiSwitch:

config switch-controller managed-switch edit [FortiSwitch Serial Number] set switch-profile [Policy Name] set access-profile [Policy Name]

next

end

FortiGate VM with V-license

This version allows FortiGate VM with V-License to enable split-vdom.

To enable split-vdom:

config system global set vdom-mode [no-vdom | split vdom] end

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.

On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.

If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard set update-server-location [usa|any]

end

FortiView widgets

FortiView widgets have been rewritten in 6.2.0. FortiView widgets created in previous versions are deleted in the upgrade.

 

Product Integration and Support

The following table lists FortiOS 6.2.0 product integration and support information:

Web Browsers l Microsoft Edge 41 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 41 l Microsoft Internet Explorer version 11 l Mozilla Firefox version 59 l Google Chrome version 65 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in Fortinet Security Fabric upgrade on page 23. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.

Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient:

l Microsoft Windows l Mac OS X l Linux

l 6.2.0

See important compatibility information in FortiClient Endpoint Telemetry license on page 23 and Fortinet Security Fabric upgrade on page 23.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported.

FortiClient iOS l 6.2.0 and later
FortiClient Android and FortiClient VPN Android l 6.2.0 and later
FortiAP l 5.4.2 and later l 5.6.0 and later
FortiAP-S l 5.4.3 and later l 5.6.0 and later

 

FortiSwitch OS

(FortiLink support)

l 3.6.9 and later
FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later
Fortinet Single Sign-On (FSSO) l 5.0 build 0276 and later (needed for FSSO agent support OU in group filters) l Windows Server 2016 Datacenter l Windows Server 2016 Standard l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8
FortiExtender l 3.2.1
AV Engine l 6.00127
IPS Engine l 4.00219
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04 (32-bit & 64-bit)

2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 61

Google Chrome version 68

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 61

Google Chrome version 68

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 54
OS X El Capitan 10.11.1 Apple Safari version 11

Mozilla Firefox version 61

Google Chrome version 68

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall
Symantec Endpoint Protection 11
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 6.2.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti-Spam

Bug ID Description
295539 Spam filter profile CLI options are disabled after GUI change.
477496 Unable to add email wildcard to black/white list GUI in Anti-Spam profile.

AntiVirus

Bug ID Description
474538 Remove mobile malware protection option from GUI.
491675 FTP Server is not accessible when AV profile is set to proxy based inspection.
502138 AV full-scan mode causes traffic to fail.
513667 WAD crash when av-scan is blocking the input and HTTP session is closing.
516072 In flow mode, scanunit API does not allow IPS to submit a scan job for a URL with no filename.
519759 Process scanunit crash in removeTransformCleanup when Outbreak Prevention is enabled.
522343 scanunitd experiences a constant different kind of crash.
525151 Flow AV profile and SSL deep inspection writes blocked invalid cert logs to webfilter logs.
525711 FortiGate not sending email headers to FortiSandbox.
537666 Flow AV in quick mode cannot block large infected samples (eicar.exe).
541023 Scanunit worker leaves urlfilter API socket files behind in tmp.

Application Control

Bug ID Description
511151 Application Control with traffic shaper is not attached to session.
Authentication
Bug ID Description
447575 Standard vs. Advanced mismatch on FortiOS GUI.
Bug ID Description
463849 FAC remote LDAP user authentication via RADIUS fails on invalid token if password change and 2FA are both required.

Data Leak Prevention

Bug ID Description
486958 scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
496255 Some XML-based MS Office files are recognized as ZIP files.
518146 DLP incorrectly blocking .deb file extension (DLP log unclear for matches in archive files).
524910 DLP profile to block the file name pattern “*” not blocking uploading files.

DNS Filter

Bug ID Description
472267 DNS filter performance improvement.

Endpoint Control

Bug ID Description
543635 Extend GTP0/GTP1 policy for new RAT types.

Explicit Proxy

Bug ID Description
413187 XFF header enhancements (strip-off & enforcement) for URL filtering module.
445312 tcp-timewait-timer does not have any effect when WAD is running.
477289 Proxy is unexpectedly sending FIN packet (FTP over HTTP traffic).
491118 Kerberos users unable to access the internet.
500182 UDP over SOCKS PROXY.
503478 Presence of X-XSS-Protection header causes response to be not cacheable.
506654 High memory usage on WAD.
506821 Explicit web proxy, slow speed.
509876 Web-proxy internet service as DST address cannot work for some IP address range overlap case.
509994 Website denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile.
512294 WAD should not keep buffer data if the server’s response broke the HTTP protocol.
Bug ID Description
515327 WAD returns 502 Bad Gateway if the server disconnects without data received.
521344 Explicit FTP proxy doesn’t work with second IP address.
521899 When proxy srvc is set to protocol CONNECT and client tries to connect to HTTPS page, client gets message: Access Denied.
524933 Agentless NTLM – FortiGate adds redundant domain suffix to username when it is already present (UPN used).

Firewall

Bug ID Description
390422 Cannot add a wildcard FQDN object to an addrgrp which is applying in policy
457294 GUI to allow negate an address object.
466999 Implicit deny policy generating logs when logging is disabled.
484599 Cannot use custom internet service group in traffic shaping policy.
484603 Cannot use application group in traffic shaping policy.
492034 Traffic not matching expected sessions and getting denied.
497535 In NGFW policy mode, applications allowed by unintended policy ID when together with firewall-session-dirty check new.
503904 Creating a new address group gives error: Associated Interface conflict detected!.
508085 Customer does not accept the confirmation of 0.0.0.0/0 object while creating address object errors.
508098 Creating wildcard address object errors but still creates the object.
511143 set logtraffic-start enable option is not available for policy64/policy46.
520558 Should not do passive port NAT for FTP session helper.
521337 Adding ports in a custom ISDB service for all the IP of the service is not easily achievable.
522447 FortiGate logging is not stable and stopped working.
525995 Session marked dirty when routing table updated for route which is not related to the session.
529685 WCCP not use the tunnel.
535468 DCE/RPC session-helper expectation session is removed unexpectedly.
536868 A FortiGate in TP mode with set send-deny-packet enabled policy, generates strange ICMP-REPLY for TCP SYN/ICMP-REQUEST/UD.
537227 When forwarding the multicast traffic for the first time, the packet size is not calculated correctly.
541248 FortiGate does not offer TLS-RSA-* ciphers when virtual server is configured and strongcrypto is disabled.
541596 Virtual server rejects TLS connections when plain RSA ciphers are specified in custom cipher-list.

FortiView

Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.
414172 HTTPsd / DNSproxy / high CPU / memory with high rate UDP 1Byte spoofing traffic.
453610 Fortiview >Policies(or Sources) >Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
488886 FortiView > Sources is unable to sort information accurately when filtering by policy ID number.
521497 FortiView > All Sessions > real time view is missing right-click menu to end session/ban ip.
527751 No user name on Fortiview > Sources main page

GUI

Bug ID Description
457966 Virtual wire pair > Add VLAN range filter on GUI.
462011 GUI is blank when accessed by radius user with read-access profile.
469082 prof_admin profile admins not able to display GUI IPv4 source address.
470698 Create new default dashboards in factory default settings.
473148 FGT5001D Sessions widget in Dashboard show negative % for nTurbo after throughput test.
478057 Cannot restore configuration when GUI access to the FortiGate is via a connection with small bandwidth.
493704 While accessing FortiGate page, browser memory usage keeps spiking and finally PC hangs.
498738 GUI creating B/W widget referencing SIT-Tunnel generates error.
501911 In FOS-AWS prompts user password = instance ID, and forces user to change password upon initial log in.
502785 Remove # of interfaces from device list.
503867 Some certificates break Certificate page.
505187 Getting error Some changes failed to save when configuring IPv4 policies on firewall.
509791 Editing Address Objects name within SSL-SSH inspection profile selection pane cause loss of Address/Web exemption objects.
509978 Unable to download the results of the scheduled script.
515022 FortiGate and FSA has right connectivity, but Test Connectivity on GUI interface is showing

Unreachable or not Authorized.

516295 Error connecting to FortiCloud message while trying to access Forticloud Reports in GUI.
Bug ID Description
518964 Slowness when adding or removing member from address group via SSH.
518970 Suggestion to improve SD-WAN SLA creation page’s invalid-entry handling.
521253 LAG interface is not listed on the dropdown list when configuring DNS Service.
523902 REST API issue: Access Token only verifies the first 30 characters.
526748 Firewall policies with action DENY show default proxy-options applied in GUI.
527137 Local GW disappears from GUI.
528464 Disappearing policy add-also happens in 6.0.3 build 0200.
533018 Process nsm with high CPU when displaying the GUI section of IP4 and IPv6 policy when receiving full routing of BGP.
536841 DNS server in VPN SSL setting is overwritten when SSL-VPN settings are modified via GUI.

HA

Bug ID Description
445214 Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
477392 Can’t use FAC username, password, and FortiToken two-factor authenticate login HA slave unit.
481943 A green check mark indicating HA sync status on GUI is only put on a side of virtual cluster 1.
482548 Conserve mode caused by hasync consuming most available memory.
486846 FGSP session sync for FGCP cluster keeps syncronizing sessions back to the originator even after the traffic is stopped.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA fail-over in 80/81E.
494029 After failover, cannot connect to management-IP of backup device.
503433 hasync daemon crashes when admin session timeout and cluster could be out of sync for a short period.
503763 Config sync communication on heartbeat link not encrypted when encryption is enabled under system HA.
503897 FG-501E units generating logs only for five minutes after rebooting the unit, then do not generate anymore logs.
507013 Out of sync after config change.
509557 Duplicate MAC on mgmt2 ports.
510660 Upgrade to build 3574 fails for HA cluster.
511522 HA uninterruptible upgrade from 9790 to 3558 fails.
Bug ID Description
513940 Enormous amount of session between heartbeat Interfaces for port 703 (HASYNC).
515401 SLBC-Dual mode: Slave chassis blade sending traffic logs.
516234 GUI checksums show slave is not synchronized when the master is synchronized.
517537 Slave out-of-sync. Unable to log into slave unit.
518116 Suggest to add a command to show virtual_mac usages on FGCP HA.
518621 ha-mgmt-interface IPv6 GW is not registered when ha-mgmt-interface IPv4 GW is not set.
518717 MTU of session-sync-dev does not come into effect.
519653 Increase FGSP session sync from 200 VDOM to 500 VDOM.
523733 Successive failovers lead to complete traffic stop (IPSEC[01]_IQUEUE counter catching all traffic).
526252 High memory caused by updated daemon.
526492 FGSP between two FGCP clusters – session expectation.
526703 FGSP of FGCP cluster, does not pickup NAT’ed sessions.
530215 Application hasync *** signal 11 (Segmentation fault) received ***.
531083 Config of HA pair of FortiGates goes out of sync when removed from Central Management (FortiManager).
531812 FGSP config replicating BGP and OSPF info after a config restore.
532015 High CPU on Core1 due to session sync process.
535534 Multicast-forward setting is lost after a backup restore on a FGCP cluster.
537289 Old master keeps forwarding traffic after failover.
539707 Wrong status for ping server after failover in the output of the command get sys ha status.
Bug ID Description
381062 Provide accurate statistics across multiple IPS daemons.
452131 ipsengine up time on FG-51E is a negative number after changing db from extended to regular.
469608 ICMP Packets drop while FGD updates.

ICAP

Bug ID Description
478617 ICAP X-Authenticated-Groups information.

Intrusion Prevention

Bug ID Description
476219 Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key.
489557 traceroute issues when IPS is enabled.
503895 Traffic drops for 15 seconds when UTM is enabled.
509352 IPv4.Invalid.Datagram.Size attack is not detected in IDS mode.
516128 Victim is quarantined after IPS attack.
517059 One arm sniffer is unable to see HTTPS log in web filter logs.
537162 High memory due to IPS and SSL-VPN going into conserve mode.
541224 Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.

IPsec VPN

Bug ID Description
463441 NAT -T broken with AWS and Fortigate.
471326 AES-256-GCM for phase 1.
481720 Using transparent mode and policy base VPN, about 4 ICMP packets which exceed over MTU 1375 byte are dropped.
491305 Packet from FCT can not go through VXLAN over IPsec depending on packet size.
493918 Memory leak with IKED.
494285 Slow IPsec traffic between FortiGate and AWS FortiGate once run iPerf between unix and linux.
509559 Invalid ESP packet detected (replayed packet) when having high load on IPsec tunnel.
514519 OSPF neighbor can’t up because IPsec tunnel interface MTU keeps changing.
515132 ADVPN shortcut continuously flapping.
515375 VPN goes down randomly, also affects remote sites dialup.
517088 IPsec Gateway never clears unless manually forced.
517849 Index of existing OIDs changes when installing new IPsec tunnels to the FortiGate – breaks monitoring.
518063 DPD shows unnegotiated and is not functioning correctly on ADVPN Spoke.
519187 IKE route should not be deleted if it is needed by other proxyids.
520151 When two certificates are configured on p1, both aren’t offered or the wrong one is offered.
523567 MTU values does not gets calculated correctly in GRE over IPsec.
524101 Unnecessary next-hop restriction on static route prevents using static routing on Hub with ‘netdevice disable.’
Bug ID Description
527496 Rename One Click VPN to Overlay Controller VPN.
529448 Shouldn’t PPK:no be shown at IKEv2 SA level when NO-PPK-AUTH was used?
531203 Cannot edit existing phase1-interface config.
536899 One issue and two possible enhancements when proxying IKE mode-cfg and DHCP.
537140 KEv2 EAP – FortiGate fails to respond to IKE_AUTH when ECDSA certificate is used by ForitGate.
537450 Site-to-site VPN policy based – with DDNS destination fail to connect.
537769 FortiGate sends failure response to L2TP CHAP authentication attempt before checking it against RADIUS server.
537848 FortiGate IPsec VPN phase1-interface and phase2-interface configurations are not saved into configuration file.
540560 Missing IKE SA HA sync when FortiGate is mode-cfg client + xauth.

Log & Report

Bug ID Description
387324 Archive mark is always on under UTM logs page when log-display location set to FAZ.
477393 Negative values in ‘Load Balance’ monitor logs.
479607 Scheduled auto-update happens twice in ten seconds but a log entry for the first try is not logged.
490379 Long-live session statistics logs add sentdelta and rcvddelta fields for FortiCloud FortiView as required.
491914 miglogd : syslog reliable mode is claiming all logs failed when some pass.
503394 Duplicate description for different log IDs: LOG_ID_CHG_CONFIG & LOG_ID_CONF_CHG etc.
503395 Duplicate description for different log IDs: LOG_ID_POWER_FAILURE, LOG_ID_POWER_ FAILURE_WARNING etc.
503396 Duplicate description for different log IDs.
503397 IPsec logging – Duplicate description for different log IDs.
503398 AP Event log: Duplicate description for different log IDs.
503399 PPPOE Event log: Duplicate description for different log IDs.
503400 RADIUS event log: Duplicate description for different log IDs.
503401 SSL Event logs: Duplicate description for different log IDs.
504012 Duplicate description for different log IDs: LOG_ID_LEAVE_FD_CONSERVE_MODE, LOG_ID_ LEAVE_FD_CONSERVE_MODE_NOTIF.
505393 Quad File Dropped Reason forticloud-daily-quota-exceeded.
510973 FortiGate with disk and send logs to FAZ has PCI alerts.
Bug ID Description
518402 miglogd crash and no logs are generated.
521020 VPN usage duration days in local report is not correct.
523829 When destination interface is PPPoE, intf-role is logged as Undefined even though the role is not undefined.
540157 Cannot view logs from FortiGate when secondary IP is used (only secondary IP is allowed to go internet on upstream).

Proxy

Bug ID Description
458057 Constant DNS query on built-in FQDN cause network congestion.
470407 IPv6-Happy-Eyeballs-Mechanism not working with proxy-based Webfilter-Profile.
487096 SSL handshake fail when activate ESET application.
491417 FortiGate is dropping server hello packets when urlfilter is enabled.
492372 Multiple WAD crashes with signal 11 (Segmentation fault).
500965 FGT-200E in kernel conserve mode. WAD process consuming high memory.
505171 ICAP does not work if there is no other proxy-based UTM feature enabled in the policy.
506995 FGT1200D WAD Crashing 5.6.5 (wad mapi).
507155 System went into conserve mode due to wad after upgrade to 5.6.5.
507585 Support multiple DC servers in the agentless NTLM auth as well as user based matching.
512434 Need to do changes in default replacement message of Invalid certificate Message.
512936 SSL certificate inspection in proxy mode doesn’t use CN from Valid Certificate for categorization when SNI is not present.
513270 Certificate error with SSL deep inspection.
516147 WAD crashes.
516863 Webproxy learn-client-ip webfilter’s auth/warn/ovrd does not work.
518933 Certificate inspection (CN base) web category filter doesn’t work.
519021 The customer is unable to access internal CRM application server with antivirus enabled.
521051 HTTP WebSocket 101 switching protocol requests mismatch in v6.0.3.
525518 Skype call drops when handled by WAD process after around three sec of being answered.
526322 WAD Crashes when processing transparent proxy traffic after upgrade to 6.0.3.
526667 FortiGate doesn’t forward request:port command after 0 byte file transmission.
529792 WAD process crash with signal 11.
Bug ID Description
530906 Certificate chaining is broken on FortiGate site (deep inspection) for certain web sites.
531526 FTP proxy ignores OTP in authentication.
531575 Web site access failure due to OCSP check in WAD + Deep SSL inspection.
532121 WAD uses high CPU with “netlink recvmsg No buffer space available” after upgrade to 6.0.3+.
534346 WAD memory leak on OCSP certificate caching.
536063 SSL deep inspection doesn’t work with OCSP stapling.
536623 WAD performs category SSL-Exemptions when SSL-inspection profiles are in “protect-server” mode.
537183 Removed default ssl-exempt entries page show empty.
539452 FortiGate does not follow Authority key identifier when sending certificate chain in deep inspection.
540067 Wildcard addresses removed from SSL deep inspection exempt list after upgrade to 6.0.4 from 5.6.

REST API

Bug ID Description
424403 REST API for system csf didn’t return csf group name.
467747 REST API user cannot create API user via autoscript upload and cannot set API password via CLI.

Routing

Bug ID Description
441506 BGP Aggregate address results in blackhole for incoming traffic.
448205 Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
449010 WAN LLB session log srcip and dstip are mixed up intermittently.
476805 FortiGate delays to send keepalive which causes neighbor’s hold down timer to expire and reset the BGP neighborship.
485408 Merge vwl_valeo project – No option for proute based on only dynamic routes.
499328 Add VRF filtering capability to command get router info routing-table all.
500432 IGMP multicast joins taking very long time and uses high NSM CPU utilization.
503638 config system ipip-tunnel is lost after reboot when pppoe interface is used.
505189 Kernel is missing routes.
509561 SD-WAN health check status log is incorrect.
509768 Spillover rules do not work on PPPoE virtual-wan-link.
Bug ID Description
511203 When using policy route for IPv6, NAT64 does not work.
511932 Can’t make mgmt1 and mgmt2 redundant interfaces.
515683 FortiGate generates fragmented OSPFv3 DBD packets.
518655 IPv6 doesn’t respond to neighbor solicitation request.
518677 Log message MOB-L2-UNTRUST:311 not found in router advertisement enabled. the list! seen on VDOM with IPv6
518943 RIPv2 with MD5 authentication key ID incompatible with oth er vendors.
519498 Cease unspecified sent to all BGP peers when new peer is created.
522258 Some missing fields in proute list.
522271 Central NAT – Not updating when dst interface changes.
525182 WLAN guest user in VDOM makes the cluster out of sync.
526008 Differences between routing table and kernel forward information. ADVPN + BGP.
527478 Proute list fill “null ” application name.
529683 Upgrade from 5.6 to 6.0 causes all routes to be advertised in BGP.
530545 SD-WAN Health-Check – Reported packet loss inaccurate.
531660 With VRRP use VRDST checking without default gateway.
531947 SD WAN IPsec interfaces keep failing over when link selection strategy is set to Custom-profile.
532257 OSPFD crash (Segmentation fault) – NSSA – removal of network statement for interface in ‘down’ state.
537110 BGP/BFD packets marked as CS0.
538411 Successfully configured static route CLI commands fail with parse errors after reboot.
539982 Multicast failed after failover from another interface.
540103 OSPF6 will advertise only /128 prefixes to neighbours using point-to-point network type.
544603 Multicast on interfaces with secondary IP addresses.

Security Fabric

Bug ID Description
473086 Quarantine monitor, should support showing devices for the whole fabric.
481381 Industry field shows up abnormally when adding security rating widget.
491508 If downstream device is part of security fabric, it should be exempted from FortiClient enforcement.
504773 Some minor GUI improvement to facilitate security fabric config.
Bug ID Description
505068 Add CSF trust-list support into GUI.
505073 Should let approval request message be more standing out.
505656 Edge: Page reloaded when hovering on a connecting line between objects in topology.
525790 Not able to connect through SSL VPN to addresses resolved by SDN dynamic objects.
537130 Email notifications from automation stitches are being sent with a blank from field.

SSL VPN

Bug ID Description
453740 Remove unused java source file in fortiweb/java.
466438 High CPU usage by sslvpnd [web and mixed mode].
477231 Unable to login to VMware vSphere vCenter 6.5 through SSL VPN web portal.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
483712 SSLVPND consumes high memory causing FGT enter conserve mode.
491130 SSLVPND 100% VPN when accessing OWA through bookmark.
491733 SSL VPN process taking 99% of CPU utilization even not using SSL VPN.
492654 SSLVPND process is crashing and users are disconnecting from SSL VPN.
493127 Connection to web server freezes when using SSL VPN web bookmark.
496584 SSL VPN bad password attempt causes excessive bindRequests against LDAP and lockout of accounts.
500901 SSL VPN web portal connect to FMG (5.6.3) unable to view Managed devices and policy packages.
508101 HTTPS bookmark to internal website produces error after the initial successful login.
509333 SSL VPN to Nextcloud doesn’t open.
511107 RADIUS 2FA + password change against FAC fails due to unexpected state AVP + GUI bug.
511111 When accessing an internal listing website via SSL VPN, loading long lists fails or is interrupted.
515370 SSL VPN access denied if address object added after group object in firewall policy
517819 Unable to load web page in SSL VPN web mode.
518406 Unable to load WebPage through SSL VPN webmode. Some js files of xunta internal web sites have problems.
519113 SSL VPN web mode SMB connection doesn’t work when enable then disable SMBCD debug.
519483 Invalid HTTP Request‘ when SMB via SSL VPN bookmark is executed.
519987 HTTP bookmark error SyntaxError: Expected ‘)’ after accessing internal server.

 

Bug ID Description
520307 Unable to view Cisco APIC web interface page after logging using SSL VPN web portal.
520361 SSL VPN portal not loading predefined bookmarks.
520965 IBM QRadar page not displaying in SSL VPN web-mode.
521459 HSTS header missing again under SSL VPN.
522987 Backup and restore the VDOM config with SSL VPN settings causes some critical flags and counter for SSL VPN to not update so SSL VPN stops working.
523450 Unable to access internal website via bookmark in SSL VPN web mode.
523647 Search result gives empty output upon accessing the URL https://ieeexplore.ieee.org via SSL VPN bookmark.
523717 Dropdown list can not get expanded through bookmarks (SSL VPN).
525106 HTML PABX Admin Console not working correctly in SSL VPN Mode.
525375 Atlassian Confluence wiki Javascript problem via SSL VPN web mode.
527342 sslConnGotoNextState:298 error when use SSL VPN bookmark method access huawei appliances.
527348 JavaScript script is not available when connecting using SSL VPN web mode.
527476 Update from web mode fails for SharePoint page using MS NLB.
528289 SSL VPN crashes when it receives HTTP request with header “X-Forwarded-For” because of the wrong use of sslvpn_ap_pstrcat.
528630 For SSL VPN with the realm named sslvpn, the authentication fails.
529186 Problem loading reaching internal web server through SSL VPN Web bookmark when using HTTPS. Some js files of “srvdnsmgt” do not run correctly.
529930 Scrolling in Jira is not working in SSL VPN web mode.
530223 SSL VPN wants client certificate even when no client-cert for realm is configured.
530833 Synology NAS login page stuck after login when accessing by SSL VPN Web portal.
531683 Can’t authenticate on internal web server using web mode SSL VPN.
531827 Active cache memory leak after upgrade to 6.0.3 GA.
532261 SSL VPN web mode RDP connection not working when security set to NLA.
532464 Unable to load webpage in SSL VPN Webmode.
533008 SSL web mode is not modifying links on certain web pages.
534728 Unable to get dropdown menu from internal server via SSL VPN web mode connection.
535739 SSL VPN bookmark fails with JavaScript error.
536058 Redirected port is not entered in the URL through SSL VPN web mode.
536847 Not able to access OnlyOffice through SSL VPN web mode.
Bug ID Description
537120 Adding latest macOS in the SSL OS-check-list.
537133 SSL VPN web mode gets redirected out of SSL VPN proxy.
537275 SSL VPN for users with passwords that expires allows password change after the password is expired.
537341 SSL bookmark is not loading a SAP portal information.
538904 Unable to receive SSL tunnel IP address.
539187 SSL VPN random stale sessions exhausting IP pool.
539948 Unable to load webpage in SSL VPN web mode.
545492 Unable to change tabs for internal website through web SSL VPN HTTPS bookmark.

Switch Controller

Bug ID Description
306406 FortiSwitch Ports page display improvements.
503402 Switch controller event: duplicate description for different log IDs.
512112 Add allowaccess profile to the physical interfaces on the FortiSwitch.
522457 After a physical port of FortiLink LAG has link down/up, fortilinkd packet cannot be sent from FortiGate to FortiSwitch.
527521 On FortiSwitch Ports page, Display More does not work.
529915 FortiGate sends FortiSwitch serial# in SNMP trap fgFcSwName instead of FortiSwitch hostname.
530237 HA cluster out-of-sync after changing port POE mode on switch-controller managed-switch settings : Double commit.

System

Bug ID Description
370151 CPU doesn’t remove dirty flag when returns session back to NP6.
404944 Kernel Panic on creation of aggregate interface belonging to different NP6, when NP6 is configured in low latency mode.
408977 802.1AX L4 algorithm and NP4 do not distribute UDP evenly on egress LAG bundle.
415910 CPU cores utilization shows 0 percent while handling CPS in 5.4.
435910 On FG-50E and FG-51E ifHCOutOctets rolls as if counter32.
462178 Front Panel “SPEED” LED is flushing Green when Transmitting & receiving data.

 

Bug ID Description
466805 Adding USB Host devices to a virtual machine connected by USB to FortiGate 500D causes the units to restart in loop.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
471191 Request to improve CLI help text for config system NP6 session-timeout options.
474737 fwgrp read&read-write access profile doesn’t work properly.
477886 PRP support.
479533 skippingBad tar header message flooding on console after rebooting box and retrieving logs.
481511 Sniffer packet feature does not display any reverse packets on trunk interface.
482916 WAD crash with signal 6.
488400 FGFM sessions timeout when NPU offloaded (also applies to 6.0.0).
489772 vlan-filter is not straightforward.
491425 FortiGate sends MAB packet two minutes after receiving Access-Reject.
492441 Policy packet capture does not show timestamp.
492655 DNSproxy does not seem to update link-monitor module.
493126 One of the aggregate port members is transmitting irregularly LACP packets.
495572 Some of the FortiGate SNMP OIDs not giving any value.
496934 DNS Domain List.
498636 External resource should not update CMDB and cause FortiManager revision.
499435 Allow packet sniffer to use RAM disk.
503318 Accessing FDS via proxy server without DNS resolution.
504057 Service Object Limitation of 4096 needs to be increased.
505252 EMAC VLAN: SNMP data is incorrect.
505468 Incorrect SNMP answer for get-next.
505522 Intermittent failure of DHCP address assignment.
505715 DHCP lease new IP to same EFTPOS S800 device cause DHCP lease exhausted.
505927 ddnscd fortiddns monitor-interface is not being updated properly.
505930 FG3700D freeze when deleting VDOM.
506223 FortiGate is not compliant with rfc3397 (Domain Search Option Format).
507518 Partial configuration loss after root VDOM restore.

 

Bug ID Description
509939 Firewall objects not visible or editable (Return code -361) when logged in via SSH key authentication.
510200 FGT DNS configuration doesn’t allow one word domain names.
510419 HTTP link-monitor – response parser is case-sensitive (Content-Length header).
511018 SSH/SSL VPN connection to external VLAN interface drop by changing unrelated interface IP or restart OSPF.
513339 Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS.
513419 High CPU on some cores of CPU & packet drops around 2-3%.
516783 DSA and RSA fingerprints are identical.
519246 ipmc_sensord process not checking sensors due to pending jobs.
519492 Not able to access TP FortiGate from different network.
519493 MCLAG: if remote side change systemID, only one port goes down, the other remains up.
521193 DNSPROXY causing high CPU usage.
521902 Addresses are taking a long time to load.
524083 MSS size negotiation is wrong when configured MTU value is less than 297.
524422 Merge br_6-0_sp back to 6.0 and 6.2.
525813 FortiGate managed by FortiManager intermittently going offline after rebooting FortiGate.
526240 Inactive interfaces in LAG causing unbalance packet distribution and link saturation.
526646 LAG interface flaps when the member ports go up.
526771 Allow sit-tunnel to not specify the source address.
526788 Password policy forces password change even if expire-status is disabled.
527390 Kernel panic in the HA cluster with FortiGate-3800D units running FortiOS v6.0.0 build 0200
527599 Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature.
527902 TXT records are truncated in DNS replies, when FortiGate is used as DNS server.
528004 Add global log device statistics to SNMP.
528465 GRE tunnel does not come up.
531584 Kernel Panic when Fragmented Multicast Traffic received on EMAC-VLAN interface.
531636 Certificate chain validation fails when trying to fetch the intermediate CA cert; untrusted cert presented.
532966 In SNMPv3 config, to select the Encryption Algorithm should be “Encryption Algorithm” instead of the label “Authentication Algorithm”.
Bug ID Description
533556 Read-only admin account can delete IPsec SA.
535420 SNMPv3 traps settings are not available in the GUI.
535730 Memory leak after upgrade to 6.0.4.
536520 GTP Tunnel States are not synced on subordinate unit after a reboot.
536817 FortiGate sending DHCP offer using broadcast.
539090 Modifying FortiGate administrator password to complex ones via SSH triggers a FortiManager password change by auto-update.
540634 Status of a port member of a redundant interface changes if an alias is set.
541211 Cannot create soft switch with VX LAN interface under same base interface.
541243 DHCP option doesn’t include all NTP servers.
542258 DHCP exclusion isn’t used for new DHCP range if the range is lower than the existing DHCP range.

Upgrade

Bug ID Description
495994 After upgrade to V5.4.9, observing lot of IPS syntax errors on the console screen.
511529 vdom-property limits error after upgrade from 5.4.6 to 5.6.3.
524948 Wrong management-vdom after upgrade from V6.0 or rebooting FortiGate.
530793 config-error-log shows after upgrade from v5.6.6 to v5.6.7.

User & Device

Bug ID Description
437117 Single Sign-on, multiple FSSO polling servers with the same AD (LDAP) server, cannot select the same user or group.
453095 Mobile FortiTokens not assignable VDOM in vcluster on slave unit.
470803 fnbamd uses high CPU when receive user member groups.
499941 Not able to SSH into FortiGate through FortiManager using TACAS+ user.
516403 FSSO – established session aren’t re-evaluated when a user is removed from an Active Directory group.
523891 FortiGate: Unable to browse structure of Netscape LDAP.
525648 FortiOS does not prompt for token when Access-Challenge is received – RADIUS authentication fails.
525816 LDAP search issue after upgrade to 5.6.6 build 3444 from 5.6.5 build 3342.
525925 Unable to login to FortiGate using Symantec 2-factor authentication.
Bug ID Description
525929 LDAPS requests fail with fnbamd stop error “Not enough bytes”. LDAP works fine. Additional timeout observed.
527340 FortiGate fails to match User group after passing authentication (Local User).
529945 Local certificate content changes should be directly applied for the admin-server-cert sent to the client browser.
535279 FortiGate sends error user password to RADIUS server for CMCC auth user sometimes.
538304 Aggregate interface (four member) flapps when the third member interface goes down.
538407 FortiOS doesn’t allow setting source-ip for mobile token activation.
Bug ID Description
500087 Support WCCP set up with one arm WCCP web cache diagram.

VM

Bug ID Description
484540 FOS VM serial number changes during firmware upgrade.
512019 FortiGate VM closed network + UTM license showing Package update failed due to invalid contract.
512713 Connectivity loss between FGT-SVM and FGT-VMX cause license to became invalid after one hour.
526471 VMX: Adding a security group with ~30+ devices into the redirection policy the connection starts to experience huge delay.
528405 FortiMeter Consumption is not accurate.
540062 Kernel panic after upgrade from 5.6.7 to 5.6.8.
541531 Service Manager is not automatically updated with the NSX dynamic security groups.

VoIP

Bug ID Description
508277 Non-SIP packet send to SIP ALG got dropped with no log.
509625 Issues with RTP when ISP connections flaps when two equal default routes are present.

WCCP Web Application Firewall

Bug ID Description
463468 Clients are unable to connect to the mail server when WAF is enabled on the VIP policy.

Web Filter

Bug ID Description
486087 Unable to open one URL on the redirection after the upgrade.
499604 Web Filter profile with SSL does not check SNI against server certificate.
499864 Web Filter profile’s proxy options to allow corporate Gmail accounts gets overlooked if “general interest” category is blocked.
506707 Web filter CLI only options are unset when clicking Apply via GUI.
507253 ovrd-auth-port-https uses VIP’s mapped IP as CN when no TLS SNI is present.
509860 Regex case insensitivity flag is ignored in 5.6.5 and 6.0.2 when FortiGate is in proxy mode.
526555 WAD Segmentation Signal 11 in 6.0.3.
531101 Web Filter inspection proxy mode unable to resolve hostname because website is unrated.
531471 The URL filter is not blocking a page when there are many entries in it.
532823 Wrong FortiGuard page displayed with Override enabled on Web Filter profile.
536099 “Filtering Services Availability” keeps showing as green even when port 8888 is blocked by an upstream device.
541539 URL filter wildcard expression not matched correctly in proxy mode.

WiFi Controller

Bug ID Description
503106 Remote site client connected to the FAP14C Ethernet port is randomly not able to reach the LAN client connected to the FortiGate.
505661 FortiWiFi sends DHCP Offer as a unicast address via WiFi interface even though the BROADCAST bit is set to “1” in DHCP Discover.
507622 FortiGate does not send WTP-ID in RADIUS accounting packet when client is connected with captive-portal SSID.
512606 FortiWiFi not working with FortiPresence Pro.
519321 FWF-50E kernel panic due to a WiFi driver issue.
520521 Application hostapd crashed – causing a wireless outage.
521832 CAPWAP traffic is not offloaded successfully when using dynamic-vlan SSID and IPS profile or AV profile is enabled in the policy.
Bug ID Description
522762 Frequent hostapd crash.
525959 Part of FAP221C and FAPC24JE went offline and failed to be managed by the controller again.
527587 Different accounting behavior between FAP221C and FAPC24JE for CMCC portal auth.
530328 CAPWAP traffic dropped when offloaded if packets are fragmented.
543562 11r clients stuck on the default/fail VLAN when using WPA2 enterprise and dynamic-vlan while roaming between APs.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
395544 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2017-17544

452730 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2017-14186

495090 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13366

496642 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13371

502940 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13374

510148 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-15473

528040 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13384

529353 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13380

529377 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13379

529712 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13381

529719 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13383

529745 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13382

 

Bug ID CVE references
534592 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2019-5587

539553 FortiOS 6.2.0 is no longer vulnerable to the following CVE Reference:

l CVE-2019-5586

 

Known Issues

The following issues have been identified in version 6.2.0. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

Data Leak Prevention

Bug ID Description
548396 DLP archiving intermittently blocks a file when it should be log only.
547437 WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.

Explicit Proxy

Bug ID Description
548415 User cannot pass authentication after timeout if using IP-based authentication.
Firewall
Bug ID Description
541348 Shaper in shaping policy is not applied when URL category is configured.

FortiView

Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
482045 FortiView – no data shown on Traffic from WAN.
526956 FortiView widgets get deleted upon upgrading to B222.
544017 FortiView > VPN 1 hour historical shows entries from 8 hours ago when logged in from FortiCloud.

GUI

Bug ID Description
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
504770 Introduce an enable/disable button in the GUI to toggle central SNAT table.
532309 Custom device page keep loading and cannot create device group.
546254 Forward traffic log cannot be shown on Windows Edge browser.
546953 DNS Filter column and Profile Group column is missing on policy list.
547393 GUI still shows fortianalyzer-cloud connection status error even after FortiGate connects to fortianalyzer-cloud.
547458 Cannot access VOIP profile list and only the default profile editor is shown.
547808 Security rating event logs cannot be shown in split-vdom FortiGate GUI.
548091 Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.

HA

Bug ID Description
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).

Intrusion Prevention

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
548649 IPS custom signature is not detected after FortiGate is rebooted or upgraded.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.
545871 IPsec tunnel can’t establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create web filter logs.

Proxy

Bug ID Description
546360 When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports SSL_ ERROR_SYSCALL.
548233 SMTP, POP3, IMAP starttls cannot be exempted by FortiGate when first time traffic goes through FortiGate.
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
462552 Add an extra dialog in the interface page to clean up config when changing a FortiLink interface back to a regular port.
548145 Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
547659 Access denied error when reviewing security recommendations from physical topology in VDOM mode.
547509 Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
476838 Check domain log-on as SSL VPN host checks condition.
495522 RDP session freezes when using SSL VPN tunnel mode.

Switch Controller

Bug ID Description
548453 Ondemand platforms show error with FortiCare/FortinetOne login.
548531 FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being

+increased.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
385860 FG-3815D does not support 1GE SFP transceivers.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
495532 EHP drop improvement for units with no NP_SERVICE_MODUL.
548076 FortiGateCloud cannot restore configuration on FortiGate.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name.
539112 Devices configured under security-exempt-list become void after upgrade.
548256 Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.

VM

Web Filter

Bug ID Description
538593 B0821: FGD service on https/8888 does not work well under specific wanopt topology.
544342 When encryption is set to yes, file-type incorrectly shows all file types when only zip files are supported.
544342 Web filter file: filter match only encrypted files will still block un-encrypted MS Office files.
545334 Web filter file filtering does not support FTP traffic inspection but user can still configure FTP protocol in GUI and CLI.
547772 Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended)
  • VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Introduction to wireless networking

Introduction to wireless networking

Wireless concepts

Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream.

Bands and channels

Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in.

l IEEE 802.11b and g protocols provide up to 14 channels in the 2.400-2.500 GHz Industrial, Scientific and Medical (ISM) band. l IEEE 802.11a,n (5.150-5.250, 5.250-5.350, 5.725–5.875 GHz, up to 16 channels) in portions of Unlicensed National Information Infrastructure (U-NII) band

Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly non-overlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11.

The capabilities of your wireless clients is the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own.

When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world.

For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see Reference on page 182.

 

Power

Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations.

Power is often quoted in dBm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 27dBm, the maximum power on Fortinet FortiAP equipment, is 500 milliwatts. The FortiGate unit limits the actual power available to the maximum permitted in your region as selected by the WiFi controller country setting.

Received signal strength is almost always quoted in dBm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt.

Antennas

Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna.

FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations.

Security

There are several security issues to consider when setting up a wireless network.

Whether to broadcast SSID

It is highly recommended to broadcast the SSID. This makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network.

Attempting to obscure the presence of a wireless network by not broadcasting the SSID does not improve network security. The network is still detectable with wireless network “sniffer” software. Clients search for SSIDs that they know, leaking the SSID. Refer to RFC 3370. Also, many of the latest Broadcom drivers do not support hidden SSID for WPA2.

Encryption

Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security.

None — Open system. Any wireless user can connect to the wireless network.

WEP64 — 64-bit Web Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits.

WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.

WPA — 256-bit WiFi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user.

WPA2 — WPA with security improvements fully meeting the requirements of the IEEE 802.11i standard. Configuration requirements are the same as for WPA.

For best security, use the WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP, while better than no security at all, is an older algorithm that is easily compromised. With either WEP or WAP, changing encryption passphrases on a regular basis further enhances security.

Separate access for employees and guests

Wireless access for guests or customers should be separate from wireless access for your employees. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point.

A good practice is to broadcast the SSID for the guest network to make it easily visible to users, but not to broadcast the SSID for the employee network.

Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs.

Captive portal

As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources.

Power

Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity.

Monitoring for rogue APs

It is likely that there are APs available in your location that are not part of your network. Most of these APs belong to neighboring businesses or homes. They may cause some interference, but they are not a security threat. There is a risk that people in your organization could connect unsecured WiFi-equipped devices to your wired network, inadvertently providing access to unauthorized parties. The optional On-Wire Rogue AP Detection Technique compares MAC addresses in the traffic of suspected rogues with the MAC addresses on your network. If wireless traffic to non-Fortinet APs is also seen on the wired network, the AP is a rogue, not an unrelated AP.

Decisions about which APs are rogues are made manually on the Rogue AP monitor page. For detailed information, see Wireless network monitoring on page 115.

Suppressing rogue APs

When you have declared an AP to be a rogue, you have the option of suppressing it. To suppress and AP, the FortiGate WiFi controller sends reset packets to the rogue AP. Also, the MAC address of the rogue AP is blocked in the firewall policy. You select the suppression action on the Rogue AP monitor page. For more information, see Wireless network monitoring on page 115.

Wireless Intrusion Detection (WIDS)

You can create a WIDS profile to enable several types of intrusion detection:

l Unauthorized Device Detection l Rogue/Interfering AP Detection l Ad-hoc Network Detection and Containment l Wireless Bridge Detection l Misconfigured AP Detection l Weak WEP Detection l Multi Tenancy Protection l MAC OUI Checking

Authentication

Wireless networks usually require authenticated access. FortiOS authentication methods apply to wireless networks the same as they do to wired networks because authentication is applied in the firewall policy.

The types of authentication that you might consider include:

l user accounts stored on the FortiGate l user accounts managed and verified on an external RADIUS, LDAP or TACACS+ server l Windows Active Directory authentication, in which users logged on to a Windows network are transparently authenticated to use the wireless network.

This FortiWiFi and FortiAP Configuration Guide provides some information about each type of authentication, but more detailed information is available in the Authentication chapter of the FortiOS Handbook.

What all of these types of authentication have in common is the definition of user groups to specify who is authorized. For each wireless LAN, you will create a user group and add to it the users who can use the WLAN. In the identity-based firewall policies that you create for your wireless LAN, you will specify this user group.

Some access points, including FortiWiFi units, support MAC address filtering. You should not rely on this alone for authentication. MAC addresses can be “sniffed” from wireless traffic and used to impersonate legitimate clients.

Wireless networking equipment

Fortinet produces two types of wireless networking equipment:

  • FortiWiFi units, which are FortiGate units with a built-in wireless access point/client
  • FortiAP units, which are wireless access points that you can control from any FortiGate unit that supports the WiFi Controller featu

FortiWiFi units

A FortiWiFi unit can:

  • Provide an access point for clients with wireless network cards. This is called Access Point mode, which is the default

or

  • Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can only have one wireless interface.

or

  • Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiWiFi models that are currently available.

FortiAP units

FortiAP units are thin wireless access points are controlled by either a FortiGate unit or FortiCloud service.

FortiAP is a family of Indoor, Outdoor and Remote Access Point models supporting the latest single, dual, and triple stream MIMO 802.11ac and 802.11n technology, as well as 802.11g and 802.11a.

For large deployments, some FortiAP models support a mesh mode of operation in which control and data backhaul traffic between APs and the controller are carried on a dedicated WiFi network. Users can roam seamlessly from one AP to another.

In dual-radio models, each radio can function as an AP or as a dedicated monitor. The monitoring function is also available during AP operation, subject to traffic levels.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiAP models that are currently available.

Automatic Radio Resource Provisioning

To prevent interference between APs, the FortiOS WiFi Controller includes the Distributed Automatic Radio Resource Provisioning (DARRP) feature. Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. FortiAP units to select their channel so Automatic Radio Resource Provisioning

that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges.

To enable ARRP – GUI

  1. Go to WiFi Controller > FortiAP Profiles and edit the profile for your device.
  2. In the Radio sections (Radio 1, Radio 2, etc.), enable Radio Resource Provision.
  3. Click OK.

To enable ARRP – CLI

In this example, ARRP is enabled for both radios in the FAP321C-default profile:

config wireless-controller wtp-profile edit FAP321C-default config radio-1 set darrp enable

end config radio-2 set darrp enable

end

end

Setting ARRP timing

By default, ARRP optimization occurs at a fixed interval of 1800 seconds (30 minutes). You can change this interval in the CLI. For example, to change the interval to 3600 seconds enter:

config wireless-controller timers set darrp-optimize 3600

end

Optionally, you can schedule optimization for fixed times. This enables you to confine ARRP activity to a lowtraffic period. Setting darrp-optimize to 0, makes darrp-day and darrp-time available. For example, here’s how to set DARRP optimization for 3:00am every day:

config wireless-controller timers set darrp-optimize 0

set darrp-day sunday monday tuesday wednesday thursday friday saturday set darrp-time 03:00

end

Both darrp-day and darrp-time can accept multiple entries.

 

Building security into FortiOS

Building security into FortiOS

The FortiOS operating system, FortiGate hardware devices, and FortiOS virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiOS and FortiGate products are developed in a secure manner

Boot PROM and BIOS security

The boot PROM and BIOS in FortiGate hardware devices use Fortinet’s own FortiBootLoader that is designed and controlled by Fortinet. FortiBootLoader is a secure, proprietary BIOS for all FortiGate appliances. FortiGate physical devices always boot from FortiBootLoader.

FortiOS kernel and user processes

FortiOS is a multi-process operating system with kernel and user processes. The FortiOS kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiOS is a closed system that does not allow the loading or execution of third-party code in the FortiOS user space. All non-essential services, packages, and applications are removed.

FortiGate appliances with SD drives are encrypted to prevent unauthorized access to data.

Administration access security

Admin administrator account

All FortiGate firewalls ship with a default administrator account called admin. By default, this account does not have a password. FortiOS allows administrators to add a password for this account or to remove the account and create new custom super_admin administrator accounts.

Secure password storage

User and administrator passwords are stored securely on the system in an encrypted format. The encryption hash used for admin account passwords is SHA256/SHA1. The value that is seen in the configuration file is the Base64 encoded hash value. For example:

config system admin edit “admin” set accprofile “super_admin”

set vdom “root”

set password ENC SH2nlSm9QL9tapcHPXIqAXvX7vBJuuqu22hpa0JX0sBuKIo7z2g0Kz/+0KyH4E=

next end

Pre-shared keys in IPSec phase-1 configurations are stored in plain text. In the configuration file these pre-shared keys are encoded. The encoding consists of encrypting the password with a fixed key using DES (AES in FIPS mode) and then Base64 encoding the result.

Maintainer account

Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiGate serial number. An administrator has 60-seconds to complete this login. See Resetting a lost Admin password on the Fortinet Cookbook for details.

The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires rebooting the FortiGate. FortiOS generates event log messages when you login with the maintainer account and for each password reset.

The maintainer account is enabled by default; however, there is an option to disable this feature. The maintainer account can be disabled using the following command:

config system global set admin-maintainer disable

end

Administrative access security

Secure administrative access features:

  • SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
  • SSHv1 is disabled by default. SSHv2 is the default version.
  • SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
  • HTTP is disabled by default, except on dedicated MGMT, DMZ, and predefined LAN interfaces. HTTP redirect to HTTPS is enabled by default. l The strong-crypto global setting is enabled by default and configures FortiOS to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. l SCP is disabled by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file. To enable SCP:

config system global set admin-scp enable

end

  • DHCP is enabled by default on the dedicated MGMT interface and on the predefined LAN port (defined on some FortiGate models).
  • The default management access configuration for FortiGate models with dedicated MGMT, DMZ, WAN, and LAN interfaces is shown below. Outside of the interfaces listed below, management access must be explicitly enabled on interfaces – management services are enabled on specific interfaces and not globally.
  • Dedicated management interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP
  • Dedicated WAN1/WAN2 interface l Ping l FMG-Access (fgfm)
  • Dedicated DMZ interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP
  • Dedicated LAN interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP

Network security

This section describes FortiOS and FortiGate network security features.

Network interfaces

The following are disabled by default on each FortiGate interface:

l Broadcast forwarding l STP forwarding l VLAN forwarding l L2 forwarding l Netbios forwarding l Ident accept

For more information, see Disable unused protocols on interfaces on page 20.

TCP sequence checking

FortiOS uses TCP sequence checking to ensure a packet is part of a TCP session. By default, anti-replay protection is strict, which means that if a packet is received with sequence numbers that fall out of the expected range, FortiOS drops the packet. Strict anti-replay checking performs packet sequence checking and ICMP antireplay checking with the following criteria:

  • The SYN, FIN, and RST bit cannot appear in the same packet.
  • FortiOS does not allow more than 1 ICMP error packet to go through before it receives a normal TCP or UDP packet.
  • If FortiOS receives an RST packet, FortiOS checks to determine if its sequence number in the RST is within the unACKed data and drops the packet if the sequence number is incorrect. l For each new session, FortiOS checks to determine if the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value.

Reverse path forwarding

FortiOS implements a mechanism called Reverse Path Forwarding (RPF), or Anti Spoofing, to block an IP packet from being forwarded if its source IP does not:

l belong to a locally attached subnet (local interface), or l be in the routing domain of the FortiGate from another source (static route, RIP, OSPF, BGP).

If those conditions are not met, FortiOS silently drops the packet.

FIPS and Common Criteria

FortiOS has received NDPP, EAL2+, and EAL4+ based FIPS and Common Criteria certifications. Common Criteria evaluations involve formal rigorous analysis and testing to examine security aspects of a product or system. Extensive testing activities involve a comprehensive and formally repeatable process, confirming that the security product functions as claimed by the manufacturer. Security weaknesses and potential vulnerabilities are specifically examined during an evaluation.

To see Fortinet’s complete history of FIPS/CC certifications go to the following URL and add Fortinet to the Vendor field:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

PSIRT advisories

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet’s development teams and serious issues are described along with protective solutions. The PSIRT regulatory releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.

 

IP, TCP, and UDP load balancing

IP, TCP, and UDP load balancing

You can load balance all IP, TCP or UDP sessions accepted by the security policy that includes a load balancing virtual server with the type set to IP, TCP, or UDP. Traffic with destination IP and port that matches the virtual server IP and port is load balanced. For these protocol-level load balancing virtual servers you can select a load balance method and add real servers and health checking. However, you can’t configure persistence, HTTP multiplexing and SSL offloading.

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

Virtual server configuration example

GUI configuration

Use the following procedures to configure this load balancing setup from the GUI.

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

  1. Go to Policy & Objects > Health Check.
  2. Select Create New.
  3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
Name HTTP_health_chk_1
Type HTTP
Port 80
URL /index.html
Matched Content Fortinet products
Interval 10 seconds
Timeout 2 seconds
Retry 3
  1. Select OK.

To add the HTTP virtual server and the real servers

  1. Go to Policy & Objects > Virtual Servers.
  2. Select Create New.
  3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network.

In this example, the FortiGate wan1 interface is connected to the Internet.

Name Load_Bal_VS1
Type HTTP
Interface wan1
Virtual Server IP 192.168.37.4

The public IP address of the web server.

The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Virtual Server Port 80

 

Load Balance Method First Alive
Persistence HTTP cookie
Health Check HTTP_health_chk_1
HTTP Multiplexing Turn on.

The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.

Preserve Client IP Turn on.

The FortiGate unit preserves the IP address of the client in the XForwarded-For HTTP header.

  1. Add three real servers to the virtual server. Each real server must include the IP address of a real server on the internal network.

Configuration for the first real server.

IP Address 10.10.10.42
Port 80
Max Connections 0

Setting Max Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Max Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Mode Active

Configuration for the second real server.

IP Address 10.10.10.43
Port 80
Max Connections 0
Mode Active

Configuration for the third real server.

IP Address   10.10.10.44
Port   80

 

HTTP load balancing to three real web servers

Max Connections 0
Mode Active

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the security policy:
Name Add a name for the policy.
Incoming Interface wan1
Outgoing Interface dmz1
Source all (or a more specific address)
Destination Load_Bal_VS1
Schedule always
Service HTTP
Action ACCEPT
NAT Select this option and select Use Destination Interface Address.
Log Allowed Traffic Select to log virtual server traffic
  1. Select other security policy options as required.
  2. Select OK.