WiFi

Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.

 

Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

  • Band and/or Channel
  • Transmitter Power
  • SSIDs
  • LAN Port mode

 

Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.

 

Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.

 

Disable low data rates in 802.11a, g, n, ac (297821)

To reduce airtime usage on your WiFi network, you can disable the low data rates. A frame sent at a low rate occupies the medium for much longer than the same frame at a high rate, so a few slow clients can consume a disproportionate share of the cell's airtime.

The 802.11a, b, and g protocols are specified by data rate. 802.11a can support 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. Basic rates are specified with the suffix "-basic", for example "12-basic". A station must support every basic rate in order to associate, so the capabilities of expected client devices need to be considered when deciding the lowest basic rate: 12-basic on a b/g SSID, for example, locks out 802.11b-only devices.

The 802.11n and ac protocols are specified by MCS (Modulation and Coding Scheme) index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/2, mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4.

 

Here are some examples of setting basic and supported rates.

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
        set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4
        set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
    next
end
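As an added example (mine, not from the page or from Fortinet), here is a small Python linter for rate lines like the ones above. It parses the "-basic" suffix, rejects rates the band does not define, refuses "-basic" on the n/ac MCS entries (the lists above offer no basic form for them), and reports which expected clients would be unable to associate because they lack a basic rate. The allowed-rate tables are taken from the lists in this section; the client capability sets are constructed for the example.

```python
from dataclasses import dataclass

# Rates FortiOS accepts per band, taken from the lists in this section.
# Legacy (a/b/g) rates may carry the "-basic" suffix; n/ac MCS entries may not.
RATES_11A = ["6", "9", "12", "18", "24", "36", "48", "54"]
RATES_11BG = ["1", "2", "5.5", "11", "6", "9", "12", "18", "24", "36", "48", "54"]
# 802.11n numbers MCS 0-7 for 1 stream, 8-15 for 2, 16-23 for 3, 24-31 for 4.
RATES_11N_SS12 = [f"mcs{i}/{1 if i < 8 else 2}" for i in range(16)]
RATES_11N_SS34 = [f"mcs{i}/{3 if i < 24 else 4}" for i in range(16, 32)]
# 802.11ac reuses MCS 0-9 for every stream count.
RATES_11AC_SS12 = [f"mcs{i}/{ss}" for ss in (1, 2) for i in range(10)]
RATES_11AC_SS34 = [f"mcs{i}/{ss}" for ss in (3, 4) for i in range(10)]

ALLOWED = {
    "rates-11a": RATES_11A,
    "rates-11bg": RATES_11BG,
    "rates-11n-ss12": RATES_11N_SS12,
    "rates-11n-ss34": RATES_11N_SS34,
    "rates-11ac-ss12": RATES_11AC_SS12,
    "rates-11ac-ss34": RATES_11AC_SS34,
}
LEGACY = {"rates-11a", "rates-11bg"}

# Constructed client capability sets used for the lock-out check (not real devices).
CLIENTS = {
    "legacy-11b-scanner": {"1", "2", "5.5", "11"},
    "modern-11g-laptop": set(RATES_11BG),
}


@dataclass
class RateSet:
    basic: set        # rates every station must support to associate
    supported: set    # all rates the AP advertises (includes the basic ones)


def parse_rates(setting: str, value: str) -> RateSet:
    """Parse the value of a 'set rates-...' line into basic and supported sets."""
    allowed = ALLOWED[setting]
    basic, supported = set(), set()
    for token in value.split():
        is_basic = token.endswith("-basic")
        name = token[: -len("-basic")] if is_basic else token
        if name not in allowed:
            raise ValueError(f"{setting}: {token!r} is not a valid rate for this band")
        if is_basic and setting not in LEGACY:
            raise ValueError(f"{setting}: MCS rates cannot be marked -basic")
        supported.add(name)
        if is_basic:
            basic.add(name)
    if setting in LEGACY and not basic:
        raise ValueError(f"{setting}: at least one rate must be marked -basic")
    return RateSet(basic, supported)


def missing_basic_rates(rates: RateSet, client_rates: set) -> set:
    """Basic rates the client lacks; a non-empty result means it cannot associate."""
    return rates.basic - client_rates


def locked_out_clients(setting: str, value: str, clients=CLIENTS) -> list:
    """Names of the clients that the given rate line would lock out of the SSID."""
    rates = parse_rates(setting, value)
    return sorted(name for name, caps in clients.items()
                  if missing_basic_rates(rates, caps))


def airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Data-portion airtime in microseconds (preamble and ACK ignored): a 1 Mb/s
    frame costs 54 times the airtime of the same frame sent at 54 Mb/s."""
    return frame_bytes * 8 / rate_mbps


if __name__ == "__main__":
    print(locked_out_clients("rates-11bg", "12-basic 18 24 36 48 54"))
    print(locked_out_clients("rates-11bg", "1-basic 2-basic 5.5 11 6 9 12 18 24 36 48 54"))
    print(airtime_us(1500, 1), airtime_us(1500, 54))
```

Run it against your own SSID's rate lines and a list of the oldest devices you still need on that SSID; anything the function names is a device that will silently fail to associate once the change is pushed.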

 

WiFi and Switch controllers are enabled separately (275860)

In Feature Select (System > Feature Select), the WiFi Controller and Switch Controller are now separate features. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.

In the CLI, the settings that enable the WiFi and Switch controllers have been separated:

config system global
    set wireless-controller enable
    set switch-controller enable
end

 

The settings that enable the GUI display for those controllers have also been separated:

config system settings
    set gui-wireless-controller enable
    set gui-switch-controller enable
end

 

Add Support of LLDP protocol on FortiAP to send switch and port information (283107)

You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:

config wireless-controller wtp-profile
    edit <profile-name>
        set lldp enable
    next
end

 

WTP groups (278462)

You can define FortiAP groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN pooling to assign APs to particular VLANs. Create a FortiAP group in the CLI like this:

 

config wireless-controller wtp-group
    edit 1
        set platform-type 320C
        config wtp-list
            edit FP320C3X14010828
            next
            edit FP320C3X14010830
            next
        end
    next
end

The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.

 

VLAN pooling (278462)

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  • assign a specific VLAN based on the AP's FortiAP group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)
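Putting the two features together, here is an added configuration example that is not from the page: a FortiAP group feeds a group-based VLAN pool on one tunnel-mode SSID, and a second tunnel-mode SSID uses a pool purely for load balancing. The vlan-pooling and vlan-pool keywords are as I recall them from the FortiOS 5.4 CLI reference, the group and SSID names and the VLAN IDs are placeholders, and the serial is the one from the group example above; confirm the option list with ? on your own build before relying on it.

```text
config wireless-controller wtp-group
    edit "floor2-aps"
        set platform-type 320C
        config wtp-list
            edit FP320C3X14010828
            next
        end
    next
end

config wireless-controller vap
    edit "corp-tunnel"
        set vlan-pooling wtp-group
        config vlan-pool
            edit 120
                set wtp-group "floor2-aps"
            next
        end
    next
    edit "guest-tunnel"
        set vlan-pooling round-robin
        config vlan-pool
            edit 130
            next
            edit 131
            next
        end
    next
end
```

Use the group-based pool when the VLAN carries meaning (a floor, a site, a segmentation boundary); use round-robin or hash pools only to split one SSID's clients across broadcast domains, and remember the page's restriction that these are available for tunnel-mode SSIDs only.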

WAN Optimization

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

config system global
    set disk-usage {log | wanopt}
end

 

The Toggle Disk Usage feature is supported on all new "E" Series models, while support for "D" Series models may vary.

Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erasing all data currently stored on it, and disables whichever of disk logging or WAN Optimization the disk was previously used for. Export or forward any logs you still need before switching.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

VDOMs

Stackable VDOM licenses (269153)

Using this feature you can purchase VDOM licenses for your FortiGate in multiples of 5 and increase the number of VDOM licenses that your FortiGate has incrementally over time. For example, you could add a 5 VDOM license to a 25 VDOM license and your FortiGate would now support up to 30 VDOMs. In the future you could add another 5 (or 10 or more).

In previous versions of FortiOS, if you had a 25-VDOM license and wanted to increase the number of VDOMs, you had to purchase a 50-VDOM license, resulting in a total of 50 VDOMs.

This stackable VDOM licenses feature is backwards compatible with VDOM licenses purchased for older versions of FortiOS. For example, if you purchased a 25-VDOM license for your FortiGate running FortiOS 5.2.x, when you upgrade to FortiOS 5.4.x you can purchase 5 more VDOM licenses so that your FortiGate running FortiOS 5.4.x now supports up to 30 VDOMs.

 

Support execution of global CLI commands from within VDOMs (262848)

A new CLI command, sudo, allows global commands to be run from within the VDOM context of the CLI. This means that the user no longer has to:

1. exit from the VDOM
2. enter global
3. run the command
4. return to the previous VDOM

The syntax for the command is:

sudo {global | vdom-name} {diagnose | execute | show | get}

These commands will only work if the user already has permission to run the command. Unlike the sudo command in operating systems such as Linux, this command does not allow the user to run anything with the privileges of another user; it only saves the context switching, and the administrator profile still decides what is allowed.

 

GUI features can now be enabled and disabled per VDOM (263708 273799 266028)

When VDOMs are enabled, most of the items in the Features section of the menu are moved to a similar menu section within the VDOM menu and are now customizable on a per VDOM basis. Some items such as IPv6 and Certificates are still configured on a global basis.

From the GUI, you can enable or disable GUI features from System > Feature Select.

From the CLI, GUI items that are enabled or disabled per-VDOM are configured from the config system settings command. GUI items that are enabled globally are enabled or disabled from the config system global command.

Turning these features on or off does not enable or disable the feature but determines whether or not that option is

Custom Original Videos Coming Soon!

So I have my rig set up with OBS (Open Broadcasting Software) and a camera now, which should enable me to start making videos that will enable me to pump out some original content for you guys. I am pretty excited about this. I will be doing videos on various versions of FortiOS code as well as covering various tasks.

My goal is to create five videos a week that will provide some insight, guidance, or perhaps just general tips for Fortinet users out there.

I am also pretty tempted to start a podcast if people would be willing to listen. Yeah yeah, I’m from the south so I talk a little lower. Perhaps you guys would enjoy laughing at me while I do the show!

System Advancements


New role property on interfaces (294385)

Interfaces now have a property called 'role' which affects visibility and suggests different default options depending on its value.

  • WAN – this interface is used to connect to the internet.
  • LAN – this interface is used to connect to local network of endpoints.
  • DMZ – this interface is used to connect to servers.
  • Undefined – This interface has a custom role which isn’t one of the above.

 

Interface roles affect visibility of properties and features (295736)

Depending on an interface's role, some properties may be set to a default value, and the visibility of others in the GUI may be set to show or hide.

 

Toggle automatic authorization of extension devices (294966)

When an interface is configured to be dedicated to an extension device, a new option appears to auto-authorize extension devices.

 

Support for new modem added (293598)

Support for the Linktop LW273 modem has been added.

SSL VPN

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

  • SSL VPN web portal redesigned.
  • The SSL VPN tunnel mode widget no longer works in the web portal. The tunnel mode widget used the deprecated NPAPI plugin mechanism to push the tunnel client to the browser for execution on the local system, a well-known exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
  • The native Java applet for RDP in SSL VPN web mode has been removed.
  • Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
  • Cache cleaning function has been removed.

Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This setting enables or disables verification of the Referer header on HTTP requests to the web portal, in order to prevent cross-site request forgery (CSRF) attacks against an authenticated portal session.

Syntax:

config vpn ssl settings
    set check-referer {enable | disable}
end
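What a Referer-based CSRF check has to get right is easier to see in code. This added example is mine and is not FortiOS's implementation: it models a portal at vpn.example.com:10443 (a placeholder), accepts a state-changing request only when its Origin or Referer names exactly that host and port, and rejects a missing header in strict mode. The sample requests are constructed, not captured traffic.

```python
from urllib.parse import urlsplit

PORTAL = ("vpn.example.com", 10443)   # placeholder portal host and port
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample requests as (method, headers); not captured traffic.
SAMPLES = {
    "same-site post": ("POST", {"Origin": "https://vpn.example.com:10443",
                                "Referer": "https://vpn.example.com:10443/remote/portal"}),
    "lure page post": ("POST", {"Referer": "https://attacker.example/lure.html"}),
    "no referer post": ("POST", {}),
    "no referer get": ("GET", {}),
    "userinfo trick": ("POST", {"Referer": "https://vpn.example.com:10443@attacker.example/"}),
    "subdomain trick": ("POST", {"Referer": "https://vpn.example.com:10443.attacker.example/"}),
    "wrong port": ("POST", {"Referer": "https://vpn.example.com/remote/portal"}),
}


def source_site(url: str):
    """(host, port) named by an https URL, or None if it does not parse cleanly.
    Comparing the parsed host and port, rather than a string prefix, is what
    defeats the userinfo and subdomain tricks in SAMPLES."""
    try:
        p = urlsplit(url)
        if p.scheme != "https" or not p.hostname:
            return None
        return p.hostname, p.port or 443      # .port raises ValueError on garbage
    except ValueError:
        return None


def referer_allowed(headers: dict, portal=PORTAL, require_referer: bool = True) -> bool:
    """Origin is preferred where present; Referer is the fallback. A missing
    header is rejected in strict mode, because an attacker's page can always
    arrange for the header to be absent."""
    h = {k.lower(): v for k, v in headers.items()}
    src = h.get("origin") or h.get("referer")
    if src is None:
        return not require_referer
    return source_site(src) == portal


def should_block(method: str, headers: dict, portal=PORTAL,
                 require_referer: bool = True) -> bool:
    """Only state-changing methods are checked; a GET must not change state anyway."""
    if method.upper() not in STATE_CHANGING:
        return False
    return not referer_allowed(headers, portal, require_referer)


def run_samples(samples=SAMPLES) -> dict:
    """Map each sample name to whether the check would block it."""
    return {name: should_block(m, hdrs) for name, (m, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print(f"{name:16} -> {'BLOCK' if blocked else 'allow'}")
```

The strict "missing header means reject" choice is the reason such a check can break legitimate clients behind privacy proxies or strict referrer policies; if you enable check-referer on the FortiGate, test the portal from every browser and proxy path your users actually have before rolling it out.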

Session-aware Load Balancing (SLBC)

 

GUI support for SSL VPN and WiFi controller in SLBC mode (246481)

SSL VPN and WiFi controller GUI pages now appear on the worker GUI when operating in SLBC mode.

 

Add an option to force IPsec to use NAT Traversal (275010)

A new value, forced, has been added to the NAT traversal option. When NAT traversal is set to forced, the worker uses a port value of zero when constructing the NAT discovery (NAT-D) hash for the peer. The peer's own recomputation of that hash from the port it actually sees therefore never matches, so it concludes that the worker is behind a NAT device and uses UDP encapsulation for IPsec even when no NAT is present. Because this relies only on the standard NAT-D exchange, it maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
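To see why hashing a port of zero makes the peer conclude there is a NAT, here is an added example, mine rather than FortiOS code, of the NAT-D computation from RFC 3947 section 3.2 (HASH = HASH(CKY-I | CKY-R | IP | Port)), with SHA-1 standing in for the negotiated hash. The cookies and addresses are constructed values, and only the source-address NAT-D payload is modelled; a real exchange carries a destination-address hash as well.

```python
import hashlib
import ipaddress
import struct

# Constructed IKE cookies (SPIs); a real pair comes from the ISAKMP header.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port),
    address and port in network byte order. SHA-1 is assumed as the negotiated hash."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def peer_sees_nat(received_hash: bytes, observed_ip: str, observed_port: int,
                  cky_i: bytes = CKY_I, cky_r: bytes = CKY_R) -> bool:
    """The receiver recomputes the hash from the source address and port it actually
    observes on the UDP packet. A mismatch means something rewrote them in transit,
    so the receiver switches to UDP-encapsulated ESP on port 4500."""
    return received_hash != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def nat_d_exchange(sender_ip: str, sender_port: int, observed_ip: str,
                   observed_port: int, forced: bool = False) -> bool:
    """Build the source NAT-D hash a sender (here the SLBC worker) puts on the wire
    and return the peer's verdict. With forced=True the sender hashes port 0, as the
    text describes, so the peer's recomputation can never match."""
    hashed_port = 0 if forced else sender_port
    sent = nat_d_hash(CKY_I, CKY_R, sender_ip, hashed_port)
    return peer_sees_nat(sent, observed_ip, observed_port)


if __name__ == "__main__":
    # Direct path, no NAT: hashes agree, plain ESP is used.
    print(nat_d_exchange("203.0.113.10", 500, "203.0.113.10", 500))
    # Sender behind a NAT that rewrote both address and port: mismatch, NAT-T kicks in.
    print(nat_d_exchange("192.168.1.10", 500, "198.51.100.7", 4500))
    # Direct path but NAT-T forced: the peer still concludes NAT and encapsulates.
    print(nat_d_exchange("203.0.113.10", 500, "203.0.113.10", 500, forced=True))
```

Forcing NAT-T is a reachability tool, not a security control: it changes only the transport (ESP inside UDP 4500) and leaves the IKE authentication and ESP protections exactly as negotiated.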

 

Security Profiles

FortiClient Endpoint Profile improvements and new features (285443 275781 287137)

  • 275781: New options available in FortiClient Profiles.
  • 285446: VPN can be configured on the GUI either on IPsec VPN or SSLVPN and changes can be preserved.
  • 287137: In the Mobile tab, .mobileconfig files can be configured and Client VPN Provisioning can be enabled.

 

FortiClient Enforcement added to Interfaces (253933)

FortiClient enforcement has been moved from the Policy page to Network > Interfaces to enforce FortiClient registration on a desired LAN interface rather than a policy.

 

To enforce FortiClient endpoint registration – web-based manager:

1. Go to System > Feature Select and enable Endpoint Control.

2. Go to Network > Interfaces and select the internal interface.

3. Under Restrict Access, enable FortiHeartBeat.

4. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

 

FortiClient exempt list improvements (268357 293191)

  • 268357: Captive portal policy addresses, previously configurable only in the CLI, can now be configured in the GUI.
  • 293191: Exempt List has been replaced with Exempt Sources, and Exempt Destinations/Services has been added (once an interface has been set to captive portal). Setting a FortiGate interface to captive portal, previously possible only in the CLI, can now also be done in the GUI.