This is a quick video on how to configure NetFlow on a FortiGate. It is a very useful setting that gives you a great deal of visibility into your environment.
Basic Traffic Shaping With A FortiGate on FortiOS 6.0.4
Short video explaining some basics of traffic shaping on a FortiGate running FortiOS 6.0.4
IPv6 in FortiOS
From an administrative point of view, IPv6 works almost the same as IPv4 in FortiOS. The primary differences are the IPv6 address format and the smaller number of address types. There is also no need for NAT when the FortiGate firewall sits between two IPv6 networks. If the subnets attached to the FortiGate are a mix of IPv6 and IPv4, NAT can be configured between the two address families; this involves either a dual stack routing configuration or an IPv4 tunneling configuration. The reason is simple: NAT was developed primarily to extend the number of usable IPv4 addresses, and IPv6 provides enough addresses that NAT is no longer necessary for that purpose.
When configuring IPv6 in FortiOS, you can create a dual stack route or an IPv4-IPv6 tunnel. A dual stack routing configuration implements two IP layers, supporting both IPv4 and IPv6, in both hosts and routers. An IPv4-IPv6 tunnel instead encapsulates IPv6 packets within IPv4 headers so that they can be carried across an IPv4 network. The FortiGate unit can also be integrated directly into an IPv6 network: connecting it to an IPv6 network is exactly the same as connecting it to an IPv4 network, the only difference being that you use IPv6 addresses.
By default, the IPv6 settings are not displayed in the web-based manager; the feature has to be made visible before it can be used through the web interface. To enable it, go to System > Feature Select and select IPv6. Once enabled, you can use IPv6 addresses as well as IPv4 addressing for the following FortiGate firewall features:
- Static routing
- Policy routing
- Packet and network sniffing
- Dynamic routing (RIPv6, BGP4+, and OSPFv3)
- IPsec VPN
- DNS
- DHCP
- SSL VPN
- Network interface addressing
- Security Profiles protection
- Routing access lists and prefix lists
- NAT/Route and transparent mode
- NAT64 and NAT66
- IPv6 tunnel over IPv4 and IPv4 tunnel over IPv6
- Logging and reporting
- Security policies
- SNMP
- Authentication
- Virtual IPs and groups
- IPv6 over SCTP
- IPv6-specific troubleshooting, such as ping6
IPv6 features
In order to configure IPv6 features using the web-based manager, IPv6 must be enabled using Feature Select. Go to System > Config > Features, enable IPv6, and click Apply.
The following IPv6 features are available from the FortiOS web manager:
IPv6 policies
IPv6 security policies are created both for an IPv6 network and a transitional network. A transitional network is a network that is transitioning over to IPv6 but must still have access to the Internet or must connect over an IPv4 network.
These policies allow this specific type of traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies are hidden by default. You must enable this feature under System > Config > Features.
IPv6 policy routing
IPv6 policy routing functions in the same way as IPv4 policy routing. To add an IPv6 policy route, go to Network > Policy Routes and select Create New > IPv6 Policy Route.
Adding an IPv6 Policy route
You can also use the following command to add IPv6 policy routes:
config router policy6
    edit 0
        set input-device <interface>
        set src <ipv6_ip>
        set dst <ipv6_ip>
        set protocol <0-255>
        set gateway <ipv6_ip>
        set output-device <interface>
        set tos <bit_pattern>
        set tos-mask <bit_mask>
    next
end
IPv6 security policies
IPv6 security policies support all the features supported by IPv4 security policies:
- Policy types and subtypes.
- NAT support, including using the destination interface IP address, fixed port, and dynamic IP pools.
- All security features (antivirus, web filtering, application control, IPS, email filtering, DLP, VoIP, and ICAP).
- All traffic shaping options, including shared traffic shaping, reverse shared traffic shaping, and per-IP traffic shaping.
- All user and device authentication options.
IPv6 explicit web proxy
You can use the explicit web proxy for IPv6 traffic. To do this you need to:
- Enable the IPv6 explicit web proxy from the CLI.
- Enable the explicit web proxy for one or more FortiGate interfaces. These interfaces also need IPv6 addresses.
- Add IPv6 web proxy security policies to allow the explicit web proxy to accept IPv6 traffic.
Use the following steps to set up a FortiGate unit to accept IPv6 traffic for the explicit web proxy at the Internal interface and forward IPv6 explicit proxy traffic out the wan1 interface to the Internet.
- Enter the following CLI command to enable the IPv6 explicit web proxy:
config web-proxy explicit
    set status enable
    set ipv6-status enable
end
- Go to Network > Interfaces and edit the internal interface, select Enable Explicit Web Proxy and select OK.
- Go to Policy & Objects > Proxy Policy and select Create New to add an IPv6 explicit web proxy security policy with the settings shown in the example below.
This IPv6 explicit web proxy policy allows traffic from all IPv6 IP addresses to connect through the explicit web proxy and through the wan1 interface to any IPv6 addresses that are accessible from the wan1 interface.
Example IPv6 Explicit Web Proxy security policy
Restricting the IP address of the explicit IPv6 web proxy
You can use the following command to restrict access to the IPv6 explicit web proxy using only one IPv6 address. The IPv6 address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IPv6 addresses.
For example, to require users to connect to the IPv6 address 2001:db8:0:2::30 to connect to the explicit IPv6 HTTP proxy, use the following command:
config web-proxy explicit
    set incoming-ipv6 2001:db8:0:2::30
end
Restricting the outgoing source IP address of the IPv6 explicit web proxy
You can use the following command to restrict the source address of outgoing web proxy packets to a single IPv6 address. The IP address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IPv6 addresses.
For example, to restrict the outgoing packet source address to 2001:db8:0:2::50:
config web-proxy explicit
    set outgoing-ip6 2001:db8:0:2::50
end
VIP64
VIP64 virtual IPs map an external IPv6 address (or range) to an internal IPv4 address (or range) with static NAT, so that IPv6 clients can reach an IPv4 server. VIP64 can be configured from the CLI using the following commands (see the table below for variable details):
config firewall vip64
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv6>[-<address_ipv6>]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
    next
end
VIP64 CLI Variables and Defaults
Variable | Description | Default |
<name_str> | Enter the name of this virtual IP. | No default. |
arp-reply {enable | disable} | Select to respond to ARP requests for this virtual IP address. | enable |
color <color_int> | Enter the number of the color to use for the icon in the web-based manager. | 0 |
comment <comment_str> | Enter comments relevant to the configured virtual IP. | No default. |
extip <address_ipv6>[-<address_ipv6>] | Enter the IPv6 address or address range on the external interface that you want to map to an address or address range on the destination network. If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external range and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to ::. | :: |
extport <port_int> | Enter the external port number that you want to map to a port number on the destination network. This option only appears if portforward is enabled. If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range, then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport range. | 0 |
id <id_num_str> | Enter an identification number for the configured virtual IP. The value is not checked for uniqueness. Range 0 – 65535. | No default. |
mappedip [<start_ipv4>-<end_ipv4>] | Enter the IPv4 address or address range on the destination network to which the external IP address is mapped. If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external range and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. If mappedip is a range but extip is a single IP address, the FortiGate unit uses that single extip to create a one-to-many mapping. | 0.0.0.0 |
mappedport <port_int> | Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a static NAT virtual IP, if you map to a port range the FortiGate unit calculates the external port number range. | 0 |
portforward {enable | disable} | Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport. | disable |
src-filter <addr_str> | Enter a source address filter. Because the external side of a VIP64 is IPv6, each address must be an IPv6 subnet (x:x:x:x:x:x:x:x/n). Separate addresses with spaces. | null |
VIP46
VIP46 virtual IPs map an external IPv4 address (or range) to an internal IPv6 address (or range) with static NAT, so that IPv4 clients can reach an IPv6 server. VIP46 can be configured from the CLI using the following commands (see the table below for variable details):
config firewall vip46
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv4>[-<address_ipv4>]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv6>-<end_ipv6>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
    next
end
VIP46 CLI Variables and Defaults
Variable | Description | Default |
<name_str> | Enter the name of this virtual IP. | No default. |
arp-reply {enable | disable} | Select to respond to ARP requests for this virtual IP address. | enable |
color <color_int> | Enter the number of the color to use for the icon in the web-based manager. | 0 |
comment <comment_str> | Enter comments relevant to the configured virtual IP. | No default. |
extip <address_ipv4>[-<address_ipv4>] | Enter the IPv4 address or address range on the external interface that you want to map to an address or address range on the destination network. If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external range and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0. | 0.0.0.0 |
extport <port_int> | Enter the external port number that you want to map to a port number on the destination network. This option only appears if portforward is enabled. If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range, then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport range. | 0 |
id <id_num_str> | Enter an identification number for the configured virtual IP. The value is not checked for uniqueness. Range 0 – 65535. | No default. |
mappedip [<start_ipv6>-<end_ipv6>] | Enter the IPv6 address or address range on the destination network to which the external IP address is mapped. If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external range and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. If mappedip is a range but extip is a single IP address, the FortiGate unit uses that single extip to create a one-to-many mapping. | :: |
mappedport <port_int> | Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a static NAT virtual IP, if you map to a port range the FortiGate unit calculates the external port number range. | 0 |
portforward {enable | disable} | Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport. | disable |
src-filter <addr_str> | Enter a source address filter. Because the external side of a VIP46 is IPv4, each address must be an IPv4 subnet (x.x.x.x/n). Separate addresses with spaces. | null |
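The VIP64 and VIP46 tables above describe the same range arithmetic from opposite directions: a single extip becomes the start of a range sized to match mappedip, extport plus the width of mappedport gives the external port range, and :: or 0.0.0.0 as extip means "any destination". The following Python model, added here as an illustration and not part of FortiOS or Fortinet's documentation, resolves a VIP entry the way those rules describe and answers "where does a packet to this external address and port end up?". The VirtualIP class, its field names and the src_filter check are assumptions for the example; the VIP objects at the bottom are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not FortiOS code: a model of how a VIP64 or VIP46 entry
# resolves the address and port ranges described in the two tables above.
# Field names mirror the CLI variables (extip, mappedip, extport, mappedport,
# portforward, src-filter). The "equal number of external and mapped
# addresses" rule and the ":: / 0.0.0.0 means any destination" rule are the
# ones the tables state; the class itself and the source-filter check are
# assumptions made for illustration.

ANY_EXTIP = {"::", "0.0.0.0"}


def _addr_range(spec: str):
    """'a-b' -> (a, b); 'a' -> (a, a). Address text never contains '-', so partition is safe."""
    start, _, end = spec.partition("-")
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end) if end else lo
    if lo.version != hi.version or hi < lo:
        raise ValueError(f"bad address range {spec!r}")
    return lo, hi


def _port_range(spec: str) -> Tuple[int, int]:
    start, _, end = spec.partition("-")
    lo = int(start)
    hi = int(end) if end else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


@dataclass
class VirtualIP:
    name: str
    extip: str                    # client-facing address or 'start-end' range
    mappedip: str                 # server-side address or range, the other family
    portforward: bool = False
    extport: int = 0              # first external port; the end is calculated
    mappedport: str = "0"         # single port or 'start-end' range
    src_filter: List[str] = field(default_factory=list)  # allowed source subnets

    def external_range(self):
        """Computed external range, or None for a dynamic VIP (extip :: / 0.0.0.0)."""
        if self.extip in ANY_EXTIP:
            return None
        m_lo, m_hi = _addr_range(self.mappedip)
        e_lo, e_hi = _addr_range(self.extip)
        if e_lo == e_hi:
            # A single extip is the start of a range sized to match mappedip (one-to-one).
            e_hi = e_lo + (int(m_hi) - int(m_lo))
        return e_lo, e_hi

    def external_ports(self) -> Optional[Tuple[int, int]]:
        """extport..extport+N where N is the width of mappedport; None without portforward."""
        if not self.portforward:
            return None
        m_lo, m_hi = _port_range(self.mappedport)
        return self.extport, self.extport + (m_hi - m_lo)

    def translate(self, src: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """(mapped address, mapped port) for a packet to dst:dport, or None if the VIP does not apply."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.src_filter and not any(src_ip in ipaddress.ip_network(n) for n in self.src_filter):
            return None
        m_lo, _ = _addr_range(self.mappedip)
        ext = self.external_range()
        if ext is None:
            offset = 0            # dynamic VIP: every destination maps to the mapped address
        else:
            e_lo, e_hi = ext
            if dst_ip.version != e_lo.version or not e_lo <= dst_ip <= e_hi:
                return None
            offset = int(dst_ip) - int(e_lo)
        mapped_ip = m_lo + offset
        ports = self.external_ports()
        if ports is None:
            return str(mapped_ip), dport   # no port forwarding: the port passes through
        p_lo, p_hi = ports
        if not p_lo <= dport <= p_hi:
            return None
        return str(mapped_ip), _port_range(self.mappedport)[0] + (dport - p_lo)


if __name__ == "__main__":
    # Constructed sample VIPs: a VIP64 with a three-address, three-port mapping
    # and a dynamic VIP46 restricted to one source subnet.
    web64 = VirtualIP("web64", extip="2001:db8::100", mappedip="10.0.0.10-10.0.0.12",
                      portforward=True, extport=8000, mappedport="80-82")
    any46 = VirtualIP("any46", extip="0.0.0.0", mappedip="2001:db8::ee", src_filter=["192.0.2.0/24"])
    print(web64.external_range(), web64.external_ports())
    print(web64.translate("2001:db8:1::5", "2001:db8::101", 8001))
    print(any46.translate("192.0.2.7", "203.0.113.9", 443))
```

Running the model on the sample VIP64 shows the calculated external range 2001:db8::100 to 2001:db8::102 and ports 8000 to 8002, so a connection to 2001:db8::101 port 8001 lands on 10.0.0.11 port 81, and anything outside either range is not claimed by the VIP. Reviewing a VIP configuration this way is useful because the calculated end of a range never appears in the CLI output.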
IPv6 network address translation
NAT66, NAT64, and DNS64 are supported for IPv6. These options provide IPv6 NAT and DNS capabilities for IPv6-IPv4 tunneling or dual stack configurations. The commands are available only in the CLI.
Fortinet supports all features described in RFC 6146. However, for DNS64 there is no support for handling Domain Name System Security Extensions (DNSSEC). DNSSEC is for securing types of information that are provided by the DNS as used on an IP network or networks. You can find more information about DNS64 in RFC 6147.
NAT64 and DNS64 (DNS proxy)
NAT64 is used to translate IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.
NAT64 is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. ‘DNS proxy’ and ‘DNS64’ are interchangeable terms.
Example NAT64 configuration
With a NAT64 and DNS64 configuration in place on a FortiGate unit, clients on an IPv6 network can transparently connect to addresses on an IPv4 network. NAT64 and DNS64 perform the IPv4 to IPv6 transition, allowing clients that have already switched to IPv6 addresses to continue communicating with servers that still use IPv4 addresses.
To enable NAT64 and DNS64, use the following CLI commands.
Enable NAT64:
config system nat64
    set status enable
end
Enable the DNS proxy on the IPv6 interface:
config system dns-server
    edit internal
    next
end
In your DHCP6 configuration, hand out the IPv6 address of that interface (2001:db8:1::10 in this example) as the DNS6 server address. The FortiGate will proxy DNS requests to the system DNS server:
config system dhcp6 server
    edit 1
        set interface internal
        config ip-range
            edit 1
                set start-ip 2001:db8:1::11
                set end-ip 2001:db8:1::20
            next
        end
        set dns-server1 2001:db8:1::10
    next
end
NAT64 policies
You can configure security policies for NAT64 using the web-based manager. For these options to appear, the feature must be enabled under System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT64 Policy.
NAT64 policies can also be configured from the CLI using the following command: config firewall policy64
In the following section, you will configure a NAT64 policy that allows connections from an internal IPv6 network to an external IPv4 network.
Configuring NAT64 to allow a host on the IPv6 network to connect to the Internet server
In this example, the Internal IPv6 network address is 2001:db8:1::/48 and the external IPv4 network address is 172.20.120.0/24. NAT64 is configured to allow a user on the internal network to connect to the server at IPv4 address 172.20.120.12. In this configuration, sessions exiting the wan1 interface must have their source address changed to an IPv4 address in the range 172.20.120.200 to 172.20.120.210.
Enter the following command to enable NAT64:
config system nat64 set status enable
end
Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.
By default, the setting always-synthesize-aaaa-record is enabled: the DNS proxy (DNS64) does not look for real AAAA records at all, but synthesizes one for every name by prepending the NAT64 prefix to the A record. If you disable this setting, the DNS proxy first attempts to find an AAAA record for the queried domain name and resolves the host name to that IPv6 address; only if no AAAA record exists does it synthesize one from the A record.
The nat64-prefix option of the config system nat64 command changes the NAT64 prefix from the well-known prefix 64:ff9b::/96. Whatever prefix is in use, with always-synthesize-aaaa-record enabled (the default) the DNS proxy skips the AAAA lookup and synthesizes AAAA records directly.
The following configuration sets these options explicitly (the well-known prefix, with synthesis always on). Configuring the prefix explicitly in this form also allows CNAME queries to be resolved:
config system nat64
    set status enable
    set nat64-prefix 64:ff9b::/96
    set always-synthesize-aaaa-record enable
end
Enter the following command to add an IPv6 firewall address for the internal network:
config firewall address6
    edit internal-net6
        set ip6 2001:db8:1::/48
    next
end
Enter the following command to add an IPv4 firewall address for the external network:
config firewall address
    edit external-net4
        set subnet 172.20.120.0/24
        set associated-interface wan1
    next
end
Enter the following command to add an IP pool containing the IPv4 addresses that should become the source addresses of packets exiting the wan1 interface:
config firewall ippool
    edit exit-pool4
        set startip 172.20.120.200
        set endip 172.20.120.210
    next
end
Enter the following command to add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network:
config firewall policy64
    edit 0
        set srcintf internal
        set srcaddr internal-net6
        set dstintf wan1
        set dstaddr external-net4
        set action accept
        set schedule always
        set service ANY
        set logtraffic enable
        set ippool enable
        set poolname exit-pool4
    next
end
The srcaddr can be any IPv6 firewall address and the dstaddr can be any IPv4 firewall address.
Other NAT64 policy options include fixedport, which keeps the source port unchanged when NAT64 rewrites the source address (the same meaning it has in an IPv4 policy). You can also configure traffic shaping for NAT64 policies.
How a host on the internal IPv6 network communicates with example.server.com that only has IPv4 address on the Internet
- The host on the internal network does a DNS lookup for example.server.com by sending a DNS query for an AAAA record for example.server.com.
- The DNS query is intercepted by the FortiGate DNS proxy.
- The DNS proxy attempts to resolve the query with a DNS server on the Internet and discovers that there are no AAAA records for example.server.com.
- The previous step is skipped if always-synthesize-aaaa-record is enabled.
- The DNS proxy performs an A-record query for example.server.com and gets back an RRSet containing a single A record with the IPv4 address 172.20.120.12.
- The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and carries the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.20.120.12 (64:ff9b::ac14:780c in canonical hexadecimal form).
- The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.20.120.12.
- The packet is routed to the FortiGate internal interface where it is accepted by the NAT64 security policy.
- The FortiGate unit translates the destination address of the packets from IPv6 address 64:ff9b::172.20.120.12 to IPv4 address 172.20.120.12 and translates the source address of the packets to 172.20.120.200 (or another address in the IP pool range) and forwards the packets out the wan1 interface to the Internet.
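The walkthrough above has two mechanical steps worth seeing in code: the DNS64 synthesis (prefix in the upper 96 bits, IPv4 address in the lower 32, with always-synthesize-aaaa-record deciding whether a real AAAA record is consulted first) and the NAT64 translation that recovers the IPv4 destination and picks a pool address as the new source. The following Python is an added illustration, not FortiOS code: it uses the addresses from the example (64:ff9b::/96, 2001:db8:1::/48, 172.20.120.0/24, the 172.20.120.200-210 pool), while the zone dictionary, the Nat64Policy class and its round-robin pool selection are constructed for the example and do not describe how the FortiGate internally allocates pool addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not FortiOS code: the DNS64 synthesis and NAT64 translation
# steps from the walkthrough above, with the well-known prefix 64:ff9b::/96.
# The zone dict is constructed sample DNS data; Nat64Policy is a stand-in for
# a policy64 entry with an ippool. Round-robin pool selection is an assumption.

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """RFC 6052 /96 embedding: NAT64 prefix in the upper 96 bits, IPv4 in the lower 32."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled in this example")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Inverse of synthesize_aaaa; None if the address does not lie inside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_resolve(name: str, zone: Dict[str, Dict[str, List[str]]],
                  always_synthesize: bool = True,
                  prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[ipaddress.IPv6Address]:
    """AAAA answer the DNS proxy returns for `name`.
    zone maps name -> {"A": [...], "AAAA": [...]} and stands in for the upstream resolver.
    With always_synthesize=False a real AAAA RRSet wins; synthesis only fills the gap."""
    records = zone.get(name, {})
    if not always_synthesize and records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


class Nat64Policy:
    """Minimal stand-in for a policy64 entry: srcaddr (IPv6), dstaddr (IPv4), ippool."""

    def __init__(self, srcintf: str, srcaddr6: str, dstintf: str, dstaddr4: str,
                 pool_start: str, pool_end: str):
        self.srcintf, self.dstintf = srcintf, dstintf
        self.srcaddr6 = ipaddress.IPv6Network(srcaddr6)
        self.dstaddr4 = ipaddress.IPv4Network(dstaddr4)
        lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        self.pool = [lo + i for i in range(int(hi) - int(lo) + 1)]
        self._next = 0

    def translate(self, src6: str, dst6: str,
                  prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[Tuple[str, str]]:
        """(new IPv4 source, IPv4 destination) for an IPv6 packet, or None if the policy does not match."""
        dst4 = extract_ipv4(dst6, prefix)
        if dst4 is None:
            return None                      # destination is not a NAT64-synthesized address
        if ipaddress.IPv6Address(src6) not in self.srcaddr6 or dst4 not in self.dstaddr4:
            return None                      # srcaddr/dstaddr of the policy do not match
        new_src = self.pool[self._next % len(self.pool)]
        self._next += 1
        return str(new_src), str(dst4)


if __name__ == "__main__":
    # Constructed sample zone: the example server has only an A record.
    zone = {"example.server.com": {"A": ["172.20.120.12"]}}
    answer = dns64_resolve("example.server.com", zone)
    print("AAAA:", [str(a) for a in answer])
    policy = Nat64Policy("internal", "2001:db8:1::/48", "wan1", "172.20.120.0/24",
                         "172.20.120.200", "172.20.120.210")
    print("NAT64:", policy.translate("2001:db8:1::11", str(answer[0])))
```

With the constructed zone the proxy answers 64:ff9b::ac14:780c, and the policy turns a packet from 2001:db8:1::11 to that address into an IPv4 packet from 172.20.120.200 to 172.20.120.12, exactly the sequence described in the steps above. A packet whose destination is not inside the NAT64 prefix, or whose source is outside internal-net6, is not claimed by the policy.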
NAT66
NAT66 is used for translating an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, because IPv6 addressing removes the address-conservation reason for NAT. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to be coming from their old addresses. You can use NAT66 to translate the source addresses of packets from the devices to their old source addresses.
In FortiOS, NAT66 options can be added to an IPv6 security policy from the CLI. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy. For example, use the following command to add an IPv6 security policy that translates the source address of IPv6 packets to the address of the destination interface (similar to IPv4 source NAT):
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
end
It can also be useful to translate an IPv6 source address to an address that is not the address of the exiting interface. You can do this using IP pools. For example, enter the following command to add an IPv6 IP pool containing one IPv6 address:
config firewall ippool6
    edit example_6_pool
        set startip 2001:db8::
        set endip 2001:db8::
    next
end
Enter the following command to add an IPv6 firewall address that contains a single IPv6 IP address.
config firewall address6
    edit device_address
        set ip6 2001:db8::132/128
    next
end
Enter the following command to add an IPv6 security policy that accepts packets from a device with IP address 2001:db8::132 and translates the source address to 2001:db8::.
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr device_address
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
        set ippool enable
        set poolname example_6_pool
    next
end
NAT66 destination address translation
NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, enter the following command to add an IPv6 virtual IP that maps the destination address 2001:db8::dd to 2001:db8::ee.
config firewall vip6
    edit example-vip6
        set extip 2001:db8::dd
        set mappedip 2001:db8::ee
    next
end
Enter the following command to add an IPv6 security policy that accepts packets with a destination address 2001:db8::dd and translates that destination address to 2001:db8::ee.
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr example-vip6
        set action accept
        set schedule always
        set service ANY
    next
end
NAT64 and NAT66 session failover
The FortiGate Clustering Protocol (FGCP) supports IPv6, NAT64, and NAT66 session failover. If session pickup is enabled, these sessions are synchronized between cluster members and, after an HA failover, the sessions will resume with only minimal interruption.
NAT46
NAT46 is used to translate IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.
NAT46 is configured with a VIP46 virtual IP (see the VIP46 section above), which maps the external IPv4 address to the server's IPv6 address, referenced from a NAT46 policy. The virtual IP is created with the following CLI command:
config firewall vip46
NAT46 policies
Security policies for NAT46 can be configured from the web-based manager. For these options to appear in the web-based manager, this feature must be enabled using System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT46 Policy.
NAT46 policies can also be configured from the CLI using the following command:
config firewall policy46
IPv6 tunneling
IPv6 tunneling is the act of carrying IPv6 packets from one IPv6 network through an IPv4 network to another IPv6 network. This is different from Network Address Translation (NAT) because once the packet reaches its final destination the true originating address of the sender is still readable. The IPv6 packets are encapsulated within packets with IPv4 headers, which carry their IPv6 payload through the IPv4 network. This type of configuration is appropriate for those who have completely transitioned to IPv6 but need an Internet connection, which is still mostly IPv4.
The key to IPv6 tunneling is that the two devices at the ends of the tunnel, whether hosts or network devices, are dual stack capable: they have to be able to work with both IPv4 and IPv6 at the same time. The entry node of the tunnel portion of the path creates an encapsulating IPv4 header and transmits the encapsulated packet. The exit node at the end of the tunnel receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header and processes the IPv6 packet.
There are two types of tunnels in IPv6:
Tunnel type | Description |
Automatic tunnels | Automatic tunnels are configured by using IPv4 address information embedded in an IPv6 address: the IPv6 address of the destination host includes information about which IPv4 address the packet should be tunneled to. |
Configured tunnels | Configured tunnels must be configured manually. These tunnels are used with IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of the endpoints of the tunnel must be specified. |
Tunnel configurations
There are a few ways in which the tunneling can be performed, depending on which segment of the path between the end points of the session the encapsulation covers.
Configuration | Description |
Network Device to Network Device | Dual stack capable devices connected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans one segment of the path taken by the IPv6 packets. |
Host to Network Device | Dual stack capable hosts can tunnel IPv6 packets to an intermediary IPv6 or IPv4 network device that is reachable through an IPv4 infrastructure. This type of tunnel spans the first segment of the path taken by the IPv6 packets. |
Host to Host | Dual stack capable hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire path taken by the IPv6 packets. |
Network Device to Host | Dual stack capable network devices can tunnel IPv6 packets to their final destination IPv6 or IPv4 host. This tunnel spans only the last segment of the path taken by the IPv6 packets. |
Regardless of whether the tunnel starts at a host or a network device, the node that does the encapsulation needs to maintain soft state information, such as the maximum transmission unit (MTU), about each tunnel in order to process the IPv6 packets.
Use the following command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under config system interface. The command to do the reverse is config system ipv6-tunnel. These commands are not available in transparent mode.
config system sit-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
    next
end
Variable | Description | Default |
edit <tunnel_name> | Enter a name for the IPv6 tunnel. | No default. |
destination <tunnel_address> | The destination IPv4 address for this tunnel. | 0.0.0.0 |
interface <name> | The interface used to send and receive traffic for this tunnel. | No default. |
ip6 <address_ipv6> | The IPv6 address for this tunnel. | No default. |
source <address_ipv4> | The source IPv4 address for this tunnel. | 0.0.0.0 |
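To make the encapsulation concrete: a sit-tunnel endpoint puts an IPv4 header with protocol number 41 in front of the IPv6 packet (the source and destination of that header are the tunnel's source and destination variables above), and the far end strips it again, leaving the inner IPv6 source address untouched. The following Python is an added illustration of that wire format, not FortiOS code and not a description of FortiOS internals: it builds an IPv6 packet, encapsulates it, and decapsulates it with the header checks an exit node should make, including refusing packets that did not come from the configured tunnel peer. The packet contents and addresses are constructed for the example, and the MTU helper only states the 20-byte IPv4 header overhead.

```python
import struct
import ipaddress
from typing import Tuple

# Added example, not FortiOS code: the 6in4 (RFC 4213, IPv4 protocol 41) wire
# format a sit-tunnel uses. encapsulate() is the entry node, decapsulate() the
# exit node. All addresses and payloads below are constructed sample data.

IPPROTO_IPV6 = 41   # IPv4 protocol number for "IPv6 in IPv4"
IPV4_HDR_LEN = 20   # no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; returns 0 when verifying a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, no traffic class/flow label) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, ttl: int = 64, ident: int = 0) -> bytes:
    """Entry node: prepend an IPv4 header (DF set) carrying the IPv6 packet as protocol 41."""
    total_len = IPV4_HDR_LEN + len(inner)
    if total_len > 0xFFFF:
        raise ValueError("packet too large for IPv4")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src).packed, ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return hdr + inner


def decapsulate(packet: bytes, tunnel_peer: str, local_addr: str) -> bytes:
    """Exit node: validate the outer header, strip it, return the inner IPv6 packet.
    Rejects packets that do not come from the configured peer, a basic anti-spoofing check
    (assumed here; the page does not say what checks the FortiGate performs)."""
    if len(packet) < IPV4_HDR_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_IPV6:
        raise ValueError("not a 6in4 packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if src != tunnel_peer or dst != local_addr:
        raise ValueError("tunnel endpoint mismatch")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def inner_addresses(ipv6_packet: bytes) -> Tuple[str, str]:
    """(source, destination) of an IPv6 packet; the source survives the tunnel unchanged."""
    return (str(ipaddress.IPv6Address(ipv6_packet[8:24])),
            str(ipaddress.IPv6Address(ipv6_packet[24:40])))


def tunnel_mtu(ipv4_path_mtu: int) -> int:
    """Soft state the encapsulator keeps: IPv6 MTU inside the tunnel is the IPv4 path MTU minus 20."""
    return ipv4_path_mtu - IPV4_HDR_LEN


if __name__ == "__main__":
    # Constructed sample: an IPv6 packet with no upper-layer payload (next header 59).
    inner = build_ipv6("2001:db8:1::1", "2001:db8:2::1", 59, b"")
    wire = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    print("outer protocol:", wire[9], "total length:", len(wire))
    print("inner addresses after decapsulation:",
          inner_addresses(decapsulate(wire, "198.51.100.1", "203.0.113.1")))
    print("IPv6 MTU for a 1500-byte IPv4 path:", tunnel_mtu(1500))
```

The point to take from running it: the outer header is the only thing added (40-byte IPv6 packet becomes 60 bytes on the wire), the inner source 2001:db8:1::1 is delivered intact, and a packet from any IPv4 source other than the configured tunnel destination is dropped before the inner packet is looked at.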
FortiOS 6.0.4 Release Notes
Supported models
FortiOS 6.0.4 supports the following models.
Platform | Models |
FortiGate | FG-30D, FG-30D-POE, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D |
FortiGate Rugged | FGR-30D, FGR-35D, FGR-60D, FGR-90D |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCPONDEMAND |
Pay-as-you-go images | FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN |
FortiOS Carrier | FortiOS Carrier 6.0.4 images are delivered upon request and are not available on the customer support firmware download page. |
Special branch supported models
The following models are released on a special branch of FortiOS 6.0.4. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 0231.
Model | Build |
FG-60E-DSL | released on build 5168 |
FG-60E-DSLJ | released on build 5168 |
FWF-60E-DSL | released on build 5168 |
FWF-60E-DSLJ | released on build 5168 |
Special Notices
- WAN optimization and web caching functions
- FortiGuard Security Rating Service
- Built-in certificate
- FortiGate and FortiWiFi-92D hardware limitation
- FG-900D and FG-1000D
- FortiClient (Mac OS X) SSL VPN requirements
- FortiClient profile changes
- Use of dedicated management interfaces (mgmt1 and mgmt2)
WAN optimization and web caching functions
WAN optimization and web caching functions are removed from 60D and 90D series platforms starting from 6.0.0, due to their limited disk size. Platforms affected are:
- FGT-60D
- FGT-60D-POE
- FWF-60D
- FWF-60D-POE
- FGT-90D
- FGT-90D-POE
- FWF-90D
- FWF-90D-POE
- FGT-94D-POE
Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command parse error about wanopt and webcache settings.
FortiGuard Security Rating Service
Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric “root” device. The following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet Security Fabric managed by a supported FortiGate model:
- FGR-30D-A
- FGR-30D
- FGR-35D
- FGR-60D
- FGR-90D
- FGT-200D
- FGT-200D-POE
- FGT-240D
- FGT-240D-POE
- FGT-280D-POE
- FGT-30D
- FGT-30D-POE
- FGT-30E
- FGT-30E-MI
- FGT-30E-MN
- FGT-50E
- FGT-51E
- FGT-52E
- FGT-60D
- FGT-60D-POE
- FGT-70D
- FGT-70D-POE
- FGT-90D
- FGT-90D-POE
- FGT-94D-POE
- FGT-98D-POE
- FWF-30D
- FWF-30D-POE
- FWF-30E
- FWF-30E-MI
- FWF-30E-MN
- FWF-50E-2R
- FWF-50E
- FWF-51E
- FWF-60D
- FWF-60D-POE
- FWF-90D
- FWF-90D-POE
- FWF-92D
Built-in certificate
FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate with a 2048-bit key, and use DH group 14 for key exchange.
FortiGate and FortiWiFi-92D hardware limitation
FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
- PPPoE failing, HA failing to form.
- IPv6 packets being dropped.
- FortiSwitch devices failing to be discovered.
- Spanning tree loops may result depending on the network topology.
FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:
config global
    set hw-switch-ether-filter <enable | disable>
When the command is enabled:
- ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
- BPDUs are dropped and therefore no STP loop results.
- PPPoE packets are dropped.
- IPv6 packets are dropped.
- FortiSwitch devices are not discovered.
- HA may fail to form depending on the network topology.
When the command is disabled:
- All packet types are allowed, but depending on the network topology, an STP loop may result.
FG-900D and FG-1000D
CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.
FortiClient (Mac OS X) SSL VPN requirements
When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.
FortiClient profile changes
With the introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.
The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.
FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.
Use of dedicated management interfaces (mgmt1 and mgmt2)
For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.
Using FortiAnalyzer units running older versions
When using FortiOS 6.0.4 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report increased bandwidth and session counts if there are sessions that last longer than two minutes.
For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 5.6.6 or higher, or 6.0.2 or higher.
Upgrade Information
Supported upgrade path information is available on the Fortinet Customer Service & Support site.
To view supported upgrade path information:
- Go to https://support.fortinet.com.
- From the Download menu, select Firmware Images.
- Check that Select Product is FortiGate.
- Click the Upgrade Path tab and select the following:
  - Current Product
  - Current FortiOS Version
  - Upgrade To FortiOS Version
- Click Go.
Fortinet Security Fabric upgrade
FortiOS 6.0.4 greatly increases the interoperability with other Fortinet products. This includes:
- FortiAnalyzer 6.0.0
- FortiClient 6.0.0
- FortiClient EMS 6.0.0
- FortiAP 5.4.4 and later
- FortiSwitch 3.6.4 and later
Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.
Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.
If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.0.4. When Security Fabric is enabled, you cannot have some FortiGate devices running 6.0.4 and some running 5.6.x.
Minimum version of TLS services automatically changed
For improved security, FortiOS 6.0.4 uses the ssl-min-proto-version option (under config system global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services.
When you upgrade to FortiOS 6.0.4 and later, the default ssl-min-proto-version option is TLS v1.2. The following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.
- Email server (config system email-server)
- Certificate (config vpn certificate setting)
- FortiSandbox (config system fortisandbox)
- FortiGuard (config log fortiguard setting)
- FortiAnalyzer (config log fortianalyzer setting)
- LDAP server (config user ldap)
- POP3 server (config user pop3)
Downgrading to previous firmware versions
Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:
- operation mode
- interface IP/management IP
- static route table
- DNS settings
- VDOM parameters/settings
- admin user account
- session helpers
- system access profiles
If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:
- Back up your configuration.
- In the backup configuration, replace all long VDOM names with their corresponding short VDOM names. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.
- Restore the configuration.
- Perform the downgrade.
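The rename step above is easy to get wrong by hand on a large backup, so here is an added helper (not Fortinet's code) that collects the long-to-short mapping from the edit <long_vdom_name>/<short_name> lines, rewrites every occurrence of each long name, and refuses short names over 11 characters or two VDOMs collapsing onto one short name. The sample backup text and its line layout are constructed for the example.

```python
import re

# Longest VDOM name that survives the downgrade, per the release note.
MAX_SHORT_VDOM_LEN = 11

# The "edit <long_vdom_name>/<short_name>" line the release note tells you to
# rewrite. The surrounding backup layout is an assumption of this example.
EDIT_LINE = re.compile(r"^\s*edit (?P<long>[^/\s]+)/(?P<short>\S+)\s*$")

# Constructed sample backup: two VDOMs with names over 11 characters, each
# referenced again from an interface's "set vdom" line.
SAMPLE_BACKUP = """\
config vdom
edit customer-a-production/cust-a
next
edit customer-b-staging/cust-b
next
end
config system interface
    edit "port1"
        set vdom "customer-a-production"
    next
    edit "port2"
        set vdom "customer-b-staging"
    next
end
"""


def collect_vdom_renames(config_text):
    """Map each long VDOM name to its short name, validating the short names."""
    renames = {}
    for line in config_text.splitlines():
        match = EDIT_LINE.match(line)
        if not match:
            continue
        long_name, short_name = match.group("long"), match.group("short")
        if len(short_name) > MAX_SHORT_VDOM_LEN:
            raise ValueError(
                f"short name {short_name!r} exceeds {MAX_SHORT_VDOM_LEN} characters")
        # Two different VDOMs sharing a short name would merge after restore.
        for other_long, other_short in renames.items():
            if other_short == short_name and other_long != long_name:
                raise ValueError(
                    f"short name {short_name!r} used by both {other_long!r} "
                    f"and {long_name!r}")
        renames[long_name] = short_name
    return renames


def shorten_vdom_names(config_text):
    """Return (rewritten_config, renames) with every long VDOM name replaced.

    Whole-token matching (letters, digits, '_' and '-' count as name
    characters) keeps 'vdom-a' from being rewritten inside 'vdom-a-2'.
    """
    renames = collect_vdom_renames(config_text)
    new_text = config_text
    for long_name, short_name in renames.items():
        if long_name == short_name:
            continue
        token = re.compile(r"(?<![\w-])" + re.escape(long_name) + r"(?![\w-])")
        new_text = token.sub(short_name, new_text)
    return new_text, renames


if __name__ == "__main__":
    rewritten, mapping = shorten_vdom_names(SAMPLE_BACKUP)
    print(mapping)
    print(rewritten)
```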
Amazon AWS enhanced networking compatibility issue
With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.4 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.
When downgrading from 6.0.4 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:
- C3
- C4
- R3
- I2
- M4
- D2
FortiGate VM firmware
Fortinet provides FortiGate VM firmware images for the following virtual environments:
Citrix XenServer and Open Source XenServer
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
- .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.
Linux KVM
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.
Microsoft Hyper-V
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the .vhd file in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.
VMware ESX and ESXi
- .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
- .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.
Firmware image checksums
The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
FortiGuard update-server-location setting
The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On hardware platforms, the default is any. On VMs, the default is usa.
On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location is set to usa.
If necessary, set update-server-location to use the nearest or low-latency FDS servers.
To set FortiGuard update-server-location:
config system fortiguard
    set update-server-location [usa|any]
end
Product Integration and Support
The following table lists FortiOS 6.0.4 product integration and support information:
Web Browsers | Microsoft Edge 41; Mozilla Firefox version 59; Google Chrome version 65; Apple Safari version 9.1 (for Mac OS X). Other web browsers may function correctly, but are not supported by Fortinet. |
Explicit Web Proxy Browser | Microsoft Edge 41; Microsoft Internet Explorer version 11; Mozilla Firefox version 59; Google Chrome version 65; Apple Safari version 9.1 (for Mac OS X). Other web browsers may function correctly, but are not supported by Fortinet. |
FortiManager | See important compatibility information in . For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiManager before upgrading FortiGate. |
FortiAnalyzer | See important compatibility information in . For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library. Upgrade FortiAnalyzer before upgrading FortiGate. |
FortiClient (Microsoft Windows, Mac OS X, Linux) | 6.0.0. See important compatibility information in Fortinet Security Fabric upgrade on page 11. If you’re upgrading both FortiOS and FortiClient from 5.6 to 6.0, upgrade FortiClient first to avoid compatibility issues. FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and later, and CentOS 7.4 and later. If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version 5.6.0 and later are supported. |
FortiClient iOS | 5.6.0 and later |
FortiClient Android and FortiClient VPN Android | 5.4.2 and later |
FortiAP | 5.4.2 and later; 5.6.0 and later |
FortiAP-S | 5.4.3 and later; 5.6.0 and later |
FortiSwitch OS (FortiLink support) | 3.6.4 and later |
FortiController | 5.2.5 and later. Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C |
FortiSandbox | 2.3.3 and later |
Fortinet Single Sign-On (FSSO) | 5.0 build 0272 and later (needed for FSSO agent support of OU in group filters); Windows Server 2016 Datacenter; Windows Server 2016 Standard; Windows Server 2008 (32-bit and 64-bit); Windows Server 2008 R2 64-bit; Windows Server 2012 Standard; Windows Server 2012 R2 Standard; Novell eDirectory 8.8 |
FortiExtender | 3.2.1 |
AV Engine | 6.00019 |
IPS Engine | 4.00029 |
Virtualization Environments | |
Citrix | XenServer version 5.6 Service Pack 2; XenServer version 6.0 and later |
Linux KVM | RHEL 7.1/Ubuntu 12.04 and later; CentOS 6.4 (qemu 0.12.1) and later |
Microsoft | Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016 |
Open Source | XenServer version 3.4.3; XenServer version 4.1 and later |
VMware | ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5 |
VM Series – SR-IOV | The following NIC chipset cards are supported: Intel 82599; Intel X540; Intel X710/XL710 |
Language support
The following table lists language support information.
Language support
Language | GUI |
English | ✔ |
Chinese (Simplified) | ✔ |
Chinese (Traditional) | ✔ |
French | ✔ |
Japanese | ✔ |
Korean | ✔ |
Portuguese (Brazil) | ✔ |
Spanish | ✔ |
SSL VPN support
SSL VPN standalone client
The following table lists the SSL VPN tunnel client standalone installers for the following operating systems.
Operating system and installers
Operating System | Installer |
Linux CentOS 6.5 / 7 (32-bit & 64-bit); Linux Ubuntu 16.04 (32-bit & 64-bit) | 2336. Download from the Fortinet Developer Network: https://fndn.fortinet.net. |
Other operating systems may function correctly, but are not supported by Fortinet.
SSL VPN web mode
The following table lists the operating systems and web browsers supported by SSL VPN web mode.
Supported operating systems and web browsers
Operating System | Web Browser |
Microsoft Windows 7 SP1 (32-bit & 64-bit) | Mozilla Firefox version 61; Google Chrome version 68 |
Microsoft Windows 10 (64-bit) | Microsoft Edge; Mozilla Firefox version 61; Google Chrome version 68 |
Linux CentOS 6.5 / 7 (32-bit & 64-bit) | Mozilla Firefox version 54 |
OS X El Capitan 10.11.1 | Apple Safari version 11; Mozilla Firefox version 61; Google Chrome version 68 |
iOS | Apple Safari; Mozilla Firefox; Google Chrome |
Android | Mozilla Firefox; Google Chrome |
Other operating systems and web browsers may function correctly, but are not supported by Fortinet.
SSL VPN host compatibility list
The following table lists the antivirus and firewall client software packages that are supported.
Supported Microsoft Windows XP antivirus and firewall software
Product | Antivirus | Firewall |
Symantec Endpoint Protection 11 | ✔ | ✔ |
Kaspersky Antivirus 2009 | ✔ | |
McAfee Security Center 8.1 | ✔ | ✔ |
Trend Micro Internet Security Pro | ✔ | ✔ |
F-Secure Internet Security 2009 | ✔ | ✔ |
Supported Microsoft Windows 7 32-bit antivirus and firewall software
Product | Antivirus | Firewall |
CA Internet Security Suite Plus Software | ✔ | ✔ |
AVG Internet Security 2011 | | |
F-Secure Internet Security 2011 | ✔ | ✔ |
Kaspersky Internet Security 2011 | ✔ | ✔ |
McAfee Internet Security 2011 | ✔ | ✔ |
Norton 360™ Version 4.0 | ✔ | ✔ |
Norton™ Internet Security 2011 | ✔ | ✔ |
Panda Internet Security 2011 | ✔ | ✔ |
Sophos Security Suite | ✔ | ✔ |
Trend Micro Titanium Internet Security | ✔ | ✔ |
ZoneAlarm Security Suite | ✔ | ✔ |
Symantec Endpoint Protection Small Business Edition 12.0 | ✔ | ✔ |
Resolved Issues
The following issues have been fixed in version 6.0.4. For inquiries about a particular bug, please contact Customer Service & Support.
Antivirus
Bug ID | Description |
516072 | In flow mode, scanunit API does not allow IPS to submit scan job for URL with no filename. |
519759 | Process scanunit crashes. |
522343 | scanunitd having constant different kind of crash. |
Endpoint Control
Bug ID | Description |
495132 | Automation stitch IOC for Access Layer Quarantine works incompletely. |
Explicit Proxy
Bug ID | Description |
521344 | Explicit FTP proxy doesn’t work with secondary IP address. |
521899 | When proxy srvc is set to protocol CONNECT and client tries to connect to HTTPS page, client gets message: Access Denied. |
523974 | Cannot access some web sites with deep inspection enabled. |
Firewall
Bug ID | Description |
390422 | When a firewall address group is used in firewall policy, a wildcard FQDN address should not be allowed to be added into the firewall address group as a member. |
503904 | Creating a new address group gives error: Associated Interface conflict detected!. |
504057 | Service Object Limitation of 4096 needs to be increased. |
511261 | RSH connection disconnects when we have multiple commands executed via script and we can see the message no session matched. |
514187 | VIP ping healthchecks fail with high number of realservers. |
FortiView
Bug ID | Description |
256264 | Realtime session list cannot show IPv6 session and related issues. |
453610 | FortiView > Policies (or Sources) > Now shows nothing when filtered by physical interface in PPPoE mode. |
460016 | In Fortiview > Threats, drill down one level, click Return and the graph is cleared. |
461811 | In Cloud Applications widget bubble view, the tooltip cannot display Application. |
488886 | FortiView > Sources is unable to sort information accurately when filtering by policy ID number. |
495070 | In FortiView > Cloud Applications > Applications, GUI keeps loading without any response. |
527700 | FortiView pages cannot be loaded by latest Chrome version 71.0.3578.80. |
GUI
Bug ID | Description |
437117 | In Single Sign-on, multiple FSSO polling servers with the same AD (LDAP) server cannot select the same user or group. |
456289 | GUI to support two-level device classification schema. |
491919 | GUI – Routing Monitor page does not load with large number of routes inserted in the routing table. |
497427 | V3.3.0_533151 remote access stuck loading main dashboard page and login with Fortimanager_Access user. |
512806 | Slowness in loading the Addresses page. |
515022 | FortiGate and FSA have right connectivity, but Test Connectivity on GUI interface is showing Unreachable or not Authorized. |
515983 | Firefox cannot list user TACACS+ Servers. Chrome is OK. |
516027 | In GUI IPsec monitor page, the column username should be peerID. |
516295 | Error connecting to FortiCloud message while trying to access FortiCloud Reports in GUI. |
518024 | Guest admin logging in gets GUI Error 500: Internal Server Error. |
518131 | Cannot add static route with the same gateway IP and interface from WebGUI. |
518970 | Suggestion to improve SD-WAN SLA creation page’s invalid-entry handling. |
522576 | GUI always loading VPN interface when there is over 5k VPN tunnel interfaces. |
526573 | GUI Virtual IP misses SSL-VPN interface. |
HA
Bug ID | Description |
445214 | Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue. |
509557 | Duplicate MAC on mgmt2 ports. |
510660 | Upgrade to build 3574 fails for HA cluster. |
511522 | HA uninterruptible upgrade from 9790 to 3558 fails. |
515401 | SLBC-Dual mode: Slave chassis blade sending traffic logs. |
516779 | Confsync cannot work with three members when encryption is enabled. |
517537 | Slave out-of-sync. Unable to log into slave unit. |
518621 | ha-mgmt-interface IPv6 GW is not registered when ha-mgmt-interface IPv4 GW is not set. |
518651 | TCP Session lost when only one unit in HA cluster kicked un-interruptive upgrade. |
519653 | Increase FGSP session sync from 200 VDOMs to 500 VDOMs. |
525182 | WLAN guest user in VDOM makes the cluster out of sync. |
Intrusion Prevention
Bug ID | Description |
469608 | ICMP packets dropped during FortiGate update. |
476219 | Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key. |
501986 | DOS policy configured with action proxy for tcp_syn_flood doesn’t work properly. |
516128 | Victim is quarantined after IPS attack. |
IPsec VPN
Bug ID | Description |
515375 | VPN goes down randomly, also affects remote sites dialup. |
520151 | When two certificates are configured on p1, both aren’t offered or the wrong one is offered. |
Log & Report
Bug ID | Description |
503897 | FortiGate-501E units generate logs only for five minutes after rebooting the unit, then do not generate logs anymore. |
516033 | The traffic log for WANOPT data traffic in the server-side FortiGate should show policy type as proxy-policy, not policy. |
518402 | miglogd crash and no logs are generated. |
522447 | FortiGate logging is not stable and stops working. |
522512 | When a service group contains more than 128 services, the existing logic cannot catch it and causes buffer overflow. |
519969 | EXE log filter category utm-anomaly/utm-voip does not work. |
Bug ID | Description |
441506 | BGP Aggregate address results in blackhole for incoming traffic. |
449010 | WAN LLB session log srcip and dstip are mixed up intermittently. |
Proxy
Bug ID | Description |
477289 | Proxy is unexpectedly sending FIN packet (FTP over HTTP traffic). |
509994 | Web site denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile. |
512434 | Need to do changes in default replacement message of Invalid certificate Message. |
513270 | Certificate error with SSL deep inspection. |
514426 | Explicit proxy cannot catch Microsoft Outlook after FFDB update. |
516414 | Traffic over 1GB through SCP gets terminated when SSH inspection is enabled in ssl-sshprofile. |
516934 | In transparent proxy policy with cookie authentication mode, NTLM authentication doesn’t work and LDAP authentication using wrong username/password will cause WAD to crash. |
519021 | Cannot access internal CRM application server with antivirus enabled. |
521051 | HTTP WebSocket 101 switching protocol requests mismatch in 6.0.3. |
521648 | WAD crashes and fnbamd process takes 100% of CPU. Kerberos and NTLM authentication do not work. |
526322 | WAD crashes when processing transparent proxy traffic after upgrade to 6.0.3. |
526555 | WAD segmentation signal 11 in 6.0.3. |
REST API
Bug ID | Description |
467747 | REST API user cannot create API user via autoscript upload and cannot set API password via CLI. |
Routing
Bug ID | Description |
476805 | FortiGate delays sending keepalive, which causes neighbor’s hold down timer to expire and reset the BGP neighborship. |
485408 | Merge vwl_valeo project – no option for proute based on only dynamic routes. |
500432 | IGMP multicast joins taking very long time and uses high NSM CPU utilization. |
515683 | FortiGate generates fragmented OSPFv3 DBD packets. |
518677 | Log message MOB-L2-UNTRUST:311 not found in the list! seen on VDOM with IPv6 router advertisement enabled. |
518929 | SNMP, OSPF MIB ospfIfState value when designated router is not correct. |
518943 | RIPv2 with MD5 authentication key ID incompatible with other vendors. |
520907, 520945 | Zebos doesn’t start up correctly on models using Linux 2.4 kernel. |
522258 | Some missing fields in proute list. |
Security Fabric
Bug ID | Description |
515970 | Fabric settings/widget and FortiMail icons are yellow even when they are connected. |
SSL-VPN
Bug ID | Description |
508101 | HTTPS bookmark to internal website produces error after the initial successful login. |
511002 | SSL-VPN web mode login fails when entering valid OTP manually. |
511107 | For RADIUS with 2FA and password renewal enabled, password change fails due to unexpected state AVP + GUI bug. |
511415 | SSL-VPN web mode RDP connection disconnects when pasting text from local to remote RDP server. |
515889 | SSL-VPN web mode has trouble loading internal web application. |
519068 | WAD informer process crashes in tunnel mode SSL-VPN user login. |
519372 | SSL-VPN web mode RDP doesn’t work. |
519987 | HTTP bookmark error SyntaxError: Expected ‘)’ after accessing internal server. |
520361 | SSL-VPN portal not loading predefined bookmarks. |
521459 | HSTS header missing again under SSL-VPN. |
Switch Controller
Bug ID | Description |
522457 | After a physical port of FortiLink LAG has link down/up, fortilinkd packet cannot be sent from FortiGate to FortiSwitch. |
System
Bug ID | Description |
502651 | Inconsistent behavior with 1G copper transceivers on 3960E. |
503318 | Accessing FDS via proxy server without DNS resolution. |
505468 | Incorrect SNMP answer for get-next. |
505522 | Intermittent failure of DHCP address assignment. |
505873 | ftm2 daemon cannot detect change of ssl-static-key-ciphers and need to restart daemon. |
507518 | Partial configuration loss after root VDOM restore. |
508285 | After restoring a config for VDOM, the VDOM cannot be deleted unless OS is rebooted. |
510737 | Users are not able to pull DHCP addresses from FGT. |
511851 | Unable to set EMAC VLANs on different VDOMs to the same VLAN ID. |
512930 | WAD crash with signal 11. |
513156 | Packet loss on startup when interfaces are in bypass mode (2500E). |
513339 | Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS. |
513663 | FG-3200D running FOS 5.6.5 – WAD crashing frequently. |
516105 | Daylight Saving Time no longer used in Azerbaijan. |
516783 | DSA and RSA fingerprints are identical. |
524422 | Support FortiGateRugged-30D model containing the new CPU. |
Upgrade
Bug ID | Description |
510447 | FWF-30D keeps rebooting after upgrade to 6.0.2. |
User & Device
Bug ID | Description |
463849 | FAC remote LDAP user authentication via RADIUS fails on invalid token if password change and 2FA are both required. |
491118 | Kerberos users unable to access internet. |
510581 | Backup password for LDAP admin does not work when interface is down. |
511776 | Once user has assigned token other tokens not listed in pull down menu. |
515226 | FortiGate keeps sending accounting packet to RADIUS server for user that is no longer authenticated. |
519826 | fnbamd crashes and LDAP authentication stops working after upgrade. |
VM
Bug ID | Description |
488964 | Service Manger warns that internal and external interfaces are down. |
498653 | FortiOSVM stops passing traffic after failover. |
509672 | “netx request error:60…” was reported when running some “exec nsx service” and “exec nsx group” commands on SVM. |
512713 | Connectivity loss between FGT-SVM and FGT-VMX causes license to become invalid after one hour. |
515624 | FortiGate VM cannot use the maximum memory allowance as per the license. |
524852 | Possible cross-origin error when attempting to read state from window.opener for GCP marketplace. |
VoIP
Bug ID | Description |
516927 | No audio when call is generated from the outside in a FGT30E SIP-ALG when local devices apps register against remote SIP server. |
Web Filter
Bug ID | Description |
486171 | The “Web Rating Overrides” doesn’t work with flow-mode. |
518933 | Certificate inspection (CN base) web category filter doesn’t work. |
523804 | Enabling safe search on DNS causes any site with google in the domain to redirect to forcesafesearch.google.com. |
WiFi Controller
Bug ID | Description |
478594 | wpad_ac uses high CPU. |
503106 | Remote site client connected to the FAP14C ethernet port is randomly not able to reach the LAN client connected to the FortiGate. |
512606 | FortiWiFi not working with FortiPresence Pro. |
519321 | FWF-50E kernel panic due to a WiFi driver issue. |
520521 | hostapd crashes and causes a wireless outage. |
522762 | Frequent hostapd crash. |
Known Issues
The following issues have been identified in version 6.0.4. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.
Application Control
Bug ID | Description |
435951 | Traffic keeps going through the DENY NGFW policy configured with URL category. |
488369 | DSCP/ToS is not implemented in shaping-policy yet. |
FortiView
Bug ID | Description |
375172 | FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate. |
403229 | In FortiView, display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic. |
411368 | In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field. |
482045 | FortiView – no data shown on Traffic from WAN. |
521497 | The FortiView All Sessions real time view is missing right-click menu to end session/ban IP. |
525702 | FortiView does not support auto update in real-time view and shows unscanned application. |
526956 | FortiView widgets get deleted on upgrading to B222. |
527540 | In many FortiView pages, the Quarantine Host option is not clickable on a registered device. |
527708 | Policy ID hyperlink in policy view is missing. |
527775 | FortiView log entries do not refresh on log drill down page. |
527952 | FortiView > WiFi Clients > drill down > Sessions gets nothing at final drill down if device identification is disabled. |
528483 | FortiView > Destination page filter destination owner cannot filter out correct destination in real time view. |
528684 | FortiView > Bubble Chart cannot drill down on Firefox 63 with ReferenceError: “event is not defined”. |
528744 | FortiView > Traffic Shaping displays data with error message if switched from other pages in custom period. |
528767 | In FortiView > multiple charts, Previous Time Periods in custom period is missing. |
529000 | Threat view does not show entries if signature attack direction is incoming and the source is FortiAnalyzer. |
529001 | In FortiView > Cloud Applications, there are entries without cloud action details. |
529313 | FortiView > Web Sites > Web Categories drill down displays all entries in Policies tab. |
529355 | All tabs in FortiView > System Events show no entry when the source is FortiCloud. |
529558 | System Events widget shows No matching entries found when drilling down HA event. |
GUI
Bug ID | Description |
439185 | AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer. |
442231 | Link cannot show different colors based on link usage legend in logical topology real time view. |
451776 | Admin GUI has limit of 10 characters for OTP. |
508015 | Edit Policy from GUI changes fsso setting to disabled. |
513451 | Archived data field in logs shows incorrect data. |
516415 | Edit Disclaimer Message button is missing on Proxy Policy page. |
Bug ID | Description |
469798 | The interface shaping with egress shaping profile doesn’t work for offloaded traffic. |
481201 | The OCVPN feature is delayed about one day after registering on FortiCare. |
HA
Bug ID | Description |
451470 | Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override. |
479987 | FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works). |
529274 | Factory reset box failed to sync with master in multi-VDOM upgraded from 6.0.3. |
Intrusion Prevention
Bug ID | Description |
445113 | IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect. |
IPsec VPN
Log & Report
Bug ID | Description |
412649 | In NGFW Policy mode, FortiGate does not create web filter logs. |
528786 | In Log viewer, forward traffic filter Result Accept(all)/Deny(all) does not work. |
SSL-VPN
Bug ID | Description |
405239 | URL rewritten incorrectly for a specific page in application server. |
Switch Controller
Bug ID | Description |
304199 | Using HA with FortiLink can encounter traffic loss during failover. |
357360 | DHCP snooping may not work on IPv6. |
System
Bug ID | Description |
295292 | If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key. |
364280 | User cannot use ssh-dss algorithm to login to FortiGate via SSH. |
385860 | FG-3815D does not support 1GE SFP transceivers. |
436746 | NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM. |
468684 | EHP drop improvement for units using NP_SERVICE_MODULE. |
472843 | When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes. |
474132 | FG-51E hang under stress test since build 0050. |
494042 | If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B. |
513339 | Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL transceivers not detected by FortiOS. |
Upgrade
Bug ID | Description |
470575 | After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter. |
473075 | When upgrading, multicast policies are lost when there is a zone member as interface. |
481408 | When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface. |
494217 | Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1. Workaround: Use CLI to rename the user bookmark to the new name. |
Web Filter
Bug ID | Description |
480003 | FortiGuard category does not work in NGFW mode policy. |
WiFi Controller
Bug ID | Description |
516067 | CAPWAP traffic from non-VLAN SSID is blocked when dtls-policy=ipsec-vpn and NP6 offload are enabled. |
Limitations
Citrix XenServer limitations
The following limitations apply to Citrix XenServer installations:
- XenTools installation is not supported.
- FortiGate-VM can be imported or deployed in only the following three formats:
  - XVA (recommended)
  - VHD
  - OVF
- The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.
Open source XenServer limitations
When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, you may encounter import issues when using the QCOW2 format, as well as existing HDA issues.
IPv6
Internet Protocol version 6 (IPv6) will succeed IPv4 as the standard networking protocol of the Internet. IPv6 provides a number of advances over IPv4, but the primary reason for replacing IPv4 is IPv4's limited address space. IPv4 uses 32 bit addresses, which means there is a theoretical limit of 2 to the power of 32 addresses. The IPv6 address scheme is based on a 128 bit address, or a theoretical limit of 2 to the power of 128 addresses.
IPv6 addressing
Possible addresses:
- IPv4 = 4,294,967,296 (over 4 billion)
- IPv6 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (over 340 undecillion – We had to look that term up. We didn’t know what a number followed by 36 digits was either)
Assuming a world population of approximately 8 billion people, IPv6 would allow for each individual to have approximately 42,535,295,865,117,200,000,000,000,000 devices with an IP address. That’s 42 quintillion devices.
There is little likelihood that you will ever need to worry about these numbers as any kind of serious limitation in addressing but they do give an idea of the scope of the difference in the available addressing.
IPv6 address syntax
Aside from the difference in the number of possible addresses, the addresses are also formatted differently, and that difference needs to be understood.
A computer would view an IPv4 address as a 32 bit string of binary digits made up of 1s and 0s, broken up into 4 octets of 8 digits separated by a period “.” Example:
10101100.00010000.11111110.00000001
To make the number more user friendly for humans, we translate this into decimal, again 4 octets separated by a period “.”, which works out to:
172.16.254.1
A computer would view an IPv6 address as a 128 bit string of binary digits made up of 1s and 0s, broken up into 8 groups of 16 digits separated by a colon “:”
1000000000000001:0000110110111000:1010110000010000:1111111000000001:0000000000000000:0000000000000000:0000000000000000:0000000000000000
To make the number a little more user friendly for humans, we translate this into hexadecimal, again 8 groups separated by a colon “:”, which works out to:
8001:0DB8:AC10:FE01:0000:0000:0000:0000
Because any four-digit group of zeros within an IPv6 address may be reduced to a single zero, and a run of consecutive zero groups may be omitted altogether, this address can be shortened further to:
8001:0DB8:AC10:FE01:0:0:0:0 or
8001:0DB8:AC10:FE01::
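The expansion and compression rules above, as an added example (not from the FortiOS Handbook): the code expands a `::` gap back to eight groups, emits the 16-bit binary groups, and produces the canonical RFC 5952 text (lowercase, no leading zeros, longest zero run compressed), which is what to normalise to before comparing addresses in logs or address objects.

```python
# Added example (not from the FortiOS Handbook): expand, compress and
# normalise IPv6 address text as RFC 5952 prescribes, and emit the 16-bit
# groups described above. Normalising before comparing matters for log
# searches and address matching, since one address has many valid spellings.
import re

GROUP_RE = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> list[str]:
    """Return the eight 4-hex-digit groups of addr, filling in a '::' gap."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(GROUP_RE.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return [g.lower().zfill(4) for g in groups]


def to_binary(addr: str) -> str:
    """Eight 16-bit binary groups separated by ':' (the 'computer view')."""
    return ":".join(format(int(g, 16), "016b") for g in expand(addr))


def compress(addr: str) -> str:
    """Canonical form: lowercase, leading zeros dropped, and the longest run
    of two or more zero groups (the leftmost on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_len, best_start = 0, -1
    i = 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_len, best_start = j - i, i
        i = j if j > i else i + 1
    if best_len < 2:
        return ":".join(groups)
    head, tail = groups[:best_start], groups[best_start + best_len:]
    return ":".join(head) + "::" + ":".join(tail)
```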
IPv6 packet structure
Each IPv6 packet consists of a mandatory fixed header and optional extension headers, and carries a payload, which is typically either a datagram and/or Transport Layer information. The payload could also contain data for the Internet Layer or Link Layer. Unlike IPv4, IPv6 packets are not fragmented by routers, so hosts must implement Path MTU Discovery when sending packets larger than the smallest permitted MTU (which is 1280 octets).
Jumbograms and jumbo payloads
In IPv6, packets which exceed the MTU of the underlying network are labeled jumbograms, which consist of a jumbo payload. A jumbogram typically exceeds the IP size limit of 65,535 octets and uses the Jumbo Payload option, which can allow up to nearly 4 GiB of payload data, as defined in RFC 2675. When the packet is determined to be too large for the MTU, the receiving host sends a ‘Packet Too Big’ ICMPv6 type 2 message to the sender.
Fragmentation and reassembly
As noted, packets that are too large for the MTU require hosts to perform Path MTU Discovery to determine the maximum size of packets to send. Packets that are too large require a ‘Fragment’ extension header, which divides the payload into segments that are 8 octets in length (except for the last fragment, which is smaller). Packets are reassembled according to the extension header and the fragment offset.
Benefits of IPv6
In addition to the expanded number of addresses, some of the other benefits of IPv6 include:
- More efficient routing
- Reduced management requirement
- Stateless auto-reconfiguration of hosts
- Improved methods to change Internet Service Providers
- Better mobility support
- Multi-homing
- Security
- Scoped address: link-local, site-local and global address space
Traffic logging
When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as if there needs to be any modifications to the security policy, such as adding traffic shaping for better traffic performance.
Depending on the resources available on the FortiGate unit, there may be advantages in limiting the amount of logging that takes place. This is why each policy offers 3 options for logging:
- Disable Log Allowed Traffic – Does not record any log messages about traffic accepted by this policy.
If you enable Log Allowed Traffic, the following two options are available:
- Security Events – Records only log messages relating to security events caused by traffic accepted by this policy.
- All Sessions – Records all log messages relating to all of the traffic accepted by this policy.
Depending on the model, if the All Sessions option is selected there may be 2 additional options. These options are normally available in the GUI on higher end models such as the FortiGate 600C or larger.
- Generate Logs when Session Starts
- Capture Packets
You can also use the CLI to enter the following command to write a log message when a session starts:
config firewall policy
    edit <policy-index>
        set logtraffic-start enable
    next
end
Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message.
2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice vd=root status="start" src="10.41.101.20" srcname="10.41.101.20" src_port=58115 dst="172.20.120.100" dstname="172.20.120.100" dst_country="N/A" dst_port=137 tran_ip="N/A" tran_port=0 tran_sip="10.31.101.41" tran_sport=58115 service="137/udp" proto=17 app_type="N/A" duration=0 rule=1 policyid=1 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 src_int="internal" dst_int="wan1" SN=97404 app="N/A" app_cat="N/A" carrier_ep="N/A"
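Reading the fields out of a message like the one above, as an added example (not from the FortiOS Handbook or FortiOS itself): a small parser for the key=value format, plus the checks an analyst usually wants from it, whether source or destination NAT was applied and whether the record is a session-start record. The sample line is constructed from the page's example; field names and the "N/A" convention for untranslated addresses are taken from it.

```python
# Added example (not from the FortiOS Handbook): parse a FortiOS traffic log
# message of the key=value form shown above into a dict, then derive what an
# analyst looks for: whether source/destination NAT was applied and whether it
# is a session-start record (written when logtraffic-start is enabled).
import re

# key=value pairs; a value is either a "quoted string" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+")

SAMPLE = (  # constructed sample, trimmed from the page's example line
    '2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice '
    'vd=root status="start" src="10.41.101.20" src_port=58115 '
    'dst="172.20.120.100" dst_port=137 tran_ip="N/A" tran_port=0 '
    'tran_sip="10.31.101.41" tran_sport=58115 service="137/udp" proto=17 '
    'policyid=1 sent=0 rcvd=0 src_int="internal" dst_int="wan1"'
)


def parse_traffic_log(line: str) -> dict[str, str]:
    """Return the fields as a dict; the leading timestamp becomes 'timestamp'."""
    fields: dict[str, str] = {}
    m = TS_RE.match(line)
    if m:
        fields["timestamp"] = m.group(1)
        line = line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def nat_applied(rec: dict[str, str], translated: str, original: str) -> bool:
    """NAT happened when the translated address is set and differs from the
    original; the log writes "N/A" when no translation took place."""
    t = rec.get(translated, "N/A")
    return t != "N/A" and t != rec.get(original)


def summarize(rec: dict[str, str]) -> str:
    """One line: policy, endpoints, service, and NAT / session-start flags."""
    flags = []
    if rec.get("status") == "start":
        flags.append("session-start")
    if nat_applied(rec, "tran_sip", "src"):
        flags.append(f"snat={rec['tran_sip']}:{rec.get('tran_sport')}")
    if nat_applied(rec, "tran_ip", "dst"):
        flags.append(f"dnat={rec['tran_ip']}:{rec.get('tran_port')}")
    return (f"policy {rec.get('policyid')} {rec.get('src')}:{rec.get('src_port')}"
            f" -> {rec.get('dst')}:{rec.get('dst_port')} {rec.get('service')} "
            + " ".join(flags))
```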
If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.
Endpoint security
Endpoint security enforces the use of the FortiClient End Point Security (FortiClient and FortiClient Lite) application on your network. It can also allow or deny endpoints access to the network based on the application installed on them.
By applying endpoint security to a security policy, you can enforce this type of security on your network. FortiClient enforcement can check that the endpoint is running the most recent version of the FortiClient application, that the antivirus signatures are up-to-date, and that the firewall is enabled. An endpoint is usually a single PC with a single IP address being used to access network services through a FortiGate unit.
When endpoint security is enabled on a policy and traffic attempts to pass through, the FortiGate unit runs compliance checks on the originating host on the source interface. Non-compliant endpoints are blocked. If someone is browsing the web, the endpoint is redirected to a web portal which explains the non-compliance and provides a link to download the FortiClient application installer. The web portal is already installed on the FortiGate unit as a replacement message, which you can modify if required.
Endpoint Security requires that all hosts using the security policy have the FortiClient Endpoint Security agent installed. Currently, FortiClient Endpoint Security is available for Microsoft Windows 2000 and later only.
For more information about endpoint security, see the Security Profiles chapter in the FortiOS Handbook.
Fixed port
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.
From the CLI you can enable fixedport when configuring a security policy for NAT policies to prevent source port translation.
config firewall policy
    edit <policy-id>
        …
        set fixedport enable
        …
end
However, enabling fixedport means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool, and then select Dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case, the number of connections that the firewall can support is limited by the number of IP addresses in the pool.
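Why fixedport caps a service at one connection per translated address, and why an IP pool lifts the cap, as an added example (a constructed model, not FortiOS code): return traffic is matched on the translated IP and port together with the destination, so once the source port is pinned, a second client using the same source port to the same server needs a second pool address. The addresses and the port-5060 scenario are constructed for illustration.

```python
# Added example (not from the FortiOS Handbook): a small model of a source NAT
# table showing why fixedport limits a service to one connection per translated
# address, and how a dynamic IP pool restores capacity. Return traffic is
# matched on (translated IP, translated port, destination IP, destination
# port), so two sessions can never share that key.
import random


class SourceNat:
    """Toy SNAT allocator; constructed for illustration, not FortiOS code."""

    def __init__(self, pool: list[str], fixedport: bool, seed: int = 1):
        self.pool = pool            # translated addresses (the IP pool)
        self.fixedport = fixedport  # keep the client's source port unchanged
        self.table: dict[tuple, tuple] = {}  # (tip, tport, dst, dport) -> (src, sport)
        self.rand = random.Random(seed)

    def open_session(self, src: str, sport: int, dst: str, dport: int):
        """Return the (translated IP, translated port) used, or None when no
        free mapping exists under the current fixedport setting."""
        ips = list(self.pool)
        self.rand.shuffle(ips)  # the firewall picks randomly from the pool
        for tip in ips:
            ports = [sport] if self.fixedport else range(1024, 65536)
            for tport in ports:
                key = (tip, tport, dst, dport)
                if key not in self.table:
                    self.table[key] = (src, sport)
                    return tip, tport
        return None


def concurrent_capacity(pool: list[str], fixedport: bool, clients: int) -> int:
    """Constructed scenario: several clients each use source port 5060 to
    reach the same server, as a port-sensitive service might require."""
    nat = SourceNat(pool, fixedport)
    ok = 0
    for n in range(clients):
        if nat.open_session(f"10.0.0.{n + 1}", 5060, "203.0.113.10", 5060):
            ok += 1
    return ok
```

With a single translated address and fixedport enabled only the first client gets a mapping; a pool of three addresses carries three clients, and with fixedport disabled the allocator simply picks a free translated port for each.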