FortiClient Profile changes (386267, 375049)

FortiClient profiles have been changed in FortiOS 5.6 to include new protection features and to change organization of the GUI options. FortiClient profiles also use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile.

A bug that prevented the Dialog and Device Inventory pages from loading when there is a large number of devices (for example, 10,000) has been fixed.

Default FortiClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

The default FortiClient profile also allows you to set a general Non-compliance action for endpoints that don’t have FortiClient installed on them. The non-compliance action can be block or warning and is applied by the FortiGate. Blocked endpoints are quarantined by the FortiGate.

Endpoint vulnerability scanning

As in FortiOS 5.4, you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints, and you can set the Vulnerability quarantine level to quarantine endpoints that don't comply.

The vulnerability scan Non-compliance action can block or warn endpoints if the vulnerability scan shows they do not meet the vulnerability quarantine level.

System compliance

FortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate.

Security posture checking

Security posture checking collects realtime protection, antivirus protection, web filtering and application firewall features under the Security Posture Check heading.

Application Control is a free service


Application Control is now a free FortiGuard service and the database for Application Control signatures is separate from the IPS database. However, Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection.

With the release of FortiOS 5.6.1, Application Control signature database information is displayed on the System > FortiGuard page in the FortiCare section, and the Botnet category is no longer available when searching the Application Signatures list.

IPS / Application Control logging performance

Application Control and IPS performance with logging enabled has been greatly improved. With the latest changes, the performance difference with or without logging enabled is negligible.

Real time logging to FortiAnalyzer and FortiCloud

FortiOS 5.6.0 adds new real-time logging options for FortiAnalyzer in System > Security Fabric and for FortiCloud in Log & Report > Log Settings. The default option is still every 5 minutes, but this will allow near real-time uploading and consistent high-speed compression and analysis.

For FortiAnalyzer, the CLI syntax to enable real-time is:

config log fortianalyzer setting
    set upload-option [realtime/1-minute/5-minute]

For FortiCloud:

config log fortiguard setting
    set upload-option [realtime/1-minute/5-minute]

Reliable Logging updated for real-time functionality (378937)

Previously, reliable logging was a feature for buffering and collecting logs for upload, to guarantee that no logs would be dropped before being passed to logging solutions. Reliable logging has been updated for 5.6.0 and is now enabled by default, so that real-time logs do not outpace upload speed.

It can be configured in the CLI with:

config log fortianalyzer setting
    set reliable [enable/disable]

FortiGate Logs can be sent to syslog servers in Common Event Format (CEF) (300128)

You can configure FortiOS to send log messages to remote syslog servers in CEF format. CEF is an open log management standard that provides interoperability of security-related information between different network devices and applications. CEF data can be collected and aggregated for analysis by enterprise management or Security Information and Event Management (SIEM) systems such as FortiSIEM.

FortiOS supports logging to up to four remote syslog servers. Each server can now be configured separately to send log messages in CEF or CSV format. Previously only CSV format was supported.

Use the following command to configure syslog3 to use CEF format:

config log syslog3 setting
    set format cef
end

All other syslog settings can be configured as required independently of the log message format including the server address and transport (UDP or TCP). You can also configure filtering for both CEF and CSV formatted log messages.
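As an added illustration (not FortiOS code), the following Python parser consumes CEF records of the kind a syslog server would receive from a FortiGate configured with format cef. It honours the CEF escaping rules (a pipe or backslash inside a header field is written as \| or \\, an equals sign inside an extension value as \=) and then flags events at or above a severity threshold, the first-pass filter a SIEM rule would apply. The log lines, vendor/product strings, signature IDs and extension keys are constructed sample data, not captured FortiGate output.

```python
"""Parse CEF-formatted syslog records and flag high-severity events.

Added example (not FortiOS code). The record layout follows the CEF
specification: a header of seven pipe-delimited fields after "CEF:", then a
space-separated key=value extension. Sample lines below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample lines; vendor/product/signature values are illustrative only.
SAMPLE_LOGS = [
    "<13>Oct 15 12:00:01 fw01 CEF:0|Fortinet|FortiGate|5.6.2|13|traffic:forward deny|5|"
    "src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 proto=TCP act=deny msg=blocked by policy 7",
    "<13>Oct 15 12:00:02 fw01 CEF:0|Fortinet|FortiGate|5.6.2|43|utm:ips signature \\| escaped|8|"
    "src=198.51.100.7 dst=10.0.0.20 dpt=80 act=dropped msg=pattern with \\= in it",
    "not a CEF record at all",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair


def _unescape(text: str) -> str:
    """Resolve CEF backslash escapes in an extension value."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(body: str):
    """Return the seven header fields and the offset where the extension starts."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash inside a field
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, i


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces, so cut at the next key."""
    matches = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF record (any syslog prefix is skipped)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, offset = _split_header(line[start + 4:])
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    sev = record["severity"]
    # Severity is 0-10 or one of Low/Medium/High/Very-High; keep words as-is.
    record["severity"] = int(sev) if str(sev).isdigit() else sev
    record["ext"] = _parse_extension(line[start + 4 + offset:])
    return record


def parse_many(lines: List[str]) -> List[Dict[str, object]]:
    """Parse what can be parsed; non-CEF lines (e.g. CSV from another server) are skipped."""
    records = []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            continue
    return records


def high_severity_events(records, threshold: int = 7):
    """Return (name, src, severity) for numeric severities at or above threshold."""
    return [(r["name"], r["ext"].get("src"), r["severity"])
            for r in records if isinstance(r["severity"], int) and r["severity"] >= threshold]


if __name__ == "__main__":
    for rec in parse_many(SAMPLE_LOGS):
        print(rec["severity"], rec["name"], rec["ext"])
    print(high_severity_events(parse_many(SAMPLE_LOGS)))
```

The parser skips lines without a CEF: marker, so it can run over a syslog file that also holds CSV records from a server configured with the other format. Splitting the extension at the next key=value boundary rather than on every space is what keeps free-text fields such as msg intact.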

Controlled failover between wireless controllers

1+1 Wireless Controller HA

Failover between FortiAP units took too long and led to extended periods in which WiFi users had no network connection. Because WiFi is considered a primary network connection in today's verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), failover must succeed as fast as possible.

Primary and secondary ACs

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

1+1 redundancy

1+1 HA is a form of resilience in which a component has a backup component to take its place in the event of failure, so that FortiAP units continue to be managed without long failover periods.

CLI syntax

config wireless-controller inter-controller
    set inter-controller-mode {disable | l2-roaming | 1+1}   Default is disable.
    set inter-controller-key <password>
    set inter-controller-pri {primary | secondary}   Default is primary.
    set fast-failover-max [3-64]   Default is 10.
    set fast-failover-wait [10-86400]   Default is 10.
    config inter-controller-peer
        edit <name>
            set peer-ip <ip-address>
            set peer-port [1024-49150]   Default is 5246.
            set peer-priority {primary | secondary}   Default is primary.
        next
    end
end

Multiple PSK for WPA Personal (393320)

New CLI commands have been added under config wireless-controller vap to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs). Giving devices their own PSKs is more secure than having all devices share the same PSK.

Note that mpsk-concurrent-clients and the mpsk-key configuration method are only available when mpsk is set to enable.

CLI syntax

config wireless-controller vap
    edit <example>
        set mpsk {enable|disable}
        set mpsk-concurrent-clients [0-65535]   Default is 0.
        config mpsk-key
            edit <key-name>
                set passphrase <wpa-psk>
                set concurrent-clients [0-65535]   Default is empty.
                set comment <comments>
            next
        end
end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

VXLAN support (289354)

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using standard destination UDP port 4789. The VXLAN endpoints that terminate VXLAN tunnels, which can be virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs). For more information about VXLAN, see RFC 7348.

VTEP (VXLAN Tunnel End Point) support (289354)

Native VXLAN is now supported by FortiOS. This feature is configurable from the CLI only:

Syntax

config system vxlan
    edit <vxlan1>          // VXLAN device name (unique name in system.interface).
        set interface      // Local outgoing interface.
        set vni            // VXLAN network ID.
        set ip-version     // IP version to use for VXLAN device (4 or 6).
        set dstport        // VXLAN destination port, default is 4789.
        set ttl            // VXLAN TTL.
        set remote-ip      // Remote IP address of VXLAN.
    next
end

This will create a VXLAN interface:

show system interface vxlan1
config system interface
    edit "vxlan1"
        set vdom "root"
        set type vxlan
        set snmp-index 36
        set macaddr 8a:ee:1d:5d:ae:53
        set interface "port9"
    next
end

From the GUI, go to Network > Interfaces to verify the new VXLAN interface.

To diagnose your VXLAN configuration, from the CLI, use the following command:

diagnose sys vxlan fdb list vxlan1

This command provides information about the VXLAN forwarding database (FDB) associated with the vxlan1 interface. Below is a sample output:

-----------mac=00:00:00:00:00:00 state=0x0082 flags=0x00-----------
-----------remote_ip=2.2.2.2 remote_port=4789-----------
-----------remote_vni=1 remote_ifindex=19-----------
total fdb num: 1

VXLAN support for multiple remote IPs (398959)

VXLAN is now supported for multiple remote IPs. These remote IPs can be IPv4 unicast, IPv6 unicast, IPv4 multicast, or IPv6 multicast. This is useful in datacenter scenarios where the FortiGate can be configured with multiple tunnels to compute nodes.

CLI changes

The set ip-version option can be set to the following:

    ipv4-unicast     // Use IPv4 unicast addressing for VXLAN.
    ipv6-unicast     // Use IPv6 unicast addressing for VXLAN.
    ipv4-multicast   // Use IPv4 multicast addressing for VXLAN.
    ipv6-multicast   // Use IPv6 multicast addressing for VXLAN.

When ip-version is set to ipv4-multicast or ipv6-multicast, ttl option is replaced by multicast-ttl.
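To make the two VXLAN sections above concrete, here is an added Python example (not FortiOS code). It builds and decodes the RFC 7348 header carried in the UDP payload on port 4789, extracts the 24-bit VNI and the inner Ethernet header, rejects headers without the I flag or with a VNI outside a configured set, and maps a remote-ip to the ip-version value (ipv4-unicast, ipv4-multicast, ipv6-unicast, ipv6-multicast) that the CLI change above would need. The sample frame, MAC addresses and VNI list are constructed; the VNI of 1 mirrors the fdb output shown earlier.

```python
"""Build and parse VXLAN headers and pick the FortiOS ip-version mode for a remote.

Added example, not FortiOS code. Header layout follows RFC 7348; the sample
frame and MAC addresses below are constructed.
"""
import ipaddress
import struct

VXLAN_PORT = 4789      # default dstport in the page's CLI syntax
VXLAN_FLAG_I = 0x08    # "VNI valid" flag bit (RFC 7348 section 5)
HEADER_LEN = 8
ETH_HDR_LEN = 14


def build_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags | 24 reserved bits | 24-bit VNI | 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the VXLAN header and the inner Ethernet header it carries."""
    if len(udp_payload) < HEADER_LEN + ETH_HDR_LEN:
        raise ValueError("payload too short for VXLAN + inner Ethernet header")
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: not a valid VXLAN header")
    inner = udp_payload[HEADER_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:ETH_HDR_LEN])
    return {
        "vni": vni_word >> 8,            # low byte of the word is reserved
        "flags": flags,
        "inner_dst": _mac(dst),
        "inner_src": _mac(src),
        "ethertype": ethertype,
        "inner_payload": inner[ETH_HDR_LEN:],
    }


def select_ip_version(remote_ip: str) -> str:
    """Map a remote-ip to the FortiOS 5.6 ip-version value it needs."""
    addr = ipaddress.ip_address(remote_ip)
    family = "ipv4" if addr.version == 4 else "ipv6"
    return f"{family}-multicast" if addr.is_multicast else f"{family}-unicast"


def vni_allowed(udp_payload: bytes, allowed_vnis) -> bool:
    """Defensive check: only accept frames whose VNI is one we configured."""
    return parse_vxlan(udp_payload)["vni"] in set(allowed_vnis)


# Constructed sample: VNI 1 (as in the page's fdb output) carrying an IPv4 inner frame.
SAMPLE_INNER_FRAME = (bytes.fromhex("001122334455")            # inner destination MAC
                      + bytes.fromhex("66778899aabb")          # inner source MAC
                      + struct.pack("!H", 0x0800)              # EtherType IPv4
                      + bytes.fromhex("45") + b"\x00" * 19)    # minimal IPv4 header stub
SAMPLE_UDP_PAYLOAD = build_vxlan_header(1) + SAMPLE_INNER_FRAME


if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_UDP_PAYLOAD))
    for ip in ("2.2.2.2", "239.1.1.1", "2001:db8::1", "ff0e::1"):
        print(ip, "->", select_ip_version(ip))
```

VXLAN carries no authentication of its own, so the VNI check is the kind of filter a VTEP host or an IDS on the underlay should apply: a frame from an unexpected remote or an unconfigured VNI should be dropped and logged rather than bridged into the segment.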

New PPPoE features

PPPoE dynamic gateway support (397628)

The original PPPoE design required a static gateway to be configured. Although this works in many scenarios, some customers need dynamic gateway support for Internet-service-based routes.

There are no changes to the CLI or the GUI.

Support multiple PPPoE connections on a single interface (363958)

Multiple PPPoE connections on a single physical or VLAN interface are now supported by the FortiGate. In addition, the interface can use on-demand PPPoE.

GUI

CLI

config system pppoe-interface
    edit <name>
        set dial-on-demand [enable|disable]
        set ipv6 [enable|disable]
        set device <interface>
        set username <string>
        set password <string>
        set auth-type [auto|pap|chap|mschapv1|mschapv2]
        set ipunnumbered <class_ip>
        set pppoe-unnumbered-negotiate [enable|disable]
        set idle-timeout <integer>
        set disc-retry-timeout <integer>
        set padt-retry-timeout <integer>
        set service-name <string>
        set ac-name <string>
        set lcp-echo-interval <integer>
        set lcp-max-echo-fails <integer>

  • dial-on-demand – Enable/disable the dial-on-demand feature.
  • ipv6 – Enable/disable the use of IPv6.
  • device – The name of the physical interface.
  • username – User name for credentials.
  • password – Password matching the above username.
  • auth-type – The type of PPP authentication to be used:
    • auto – Automatic choice of authentication
    • pap – PAP authentication
    • chap – CHAP authentication
    • mschapv1 – MS-CHAPv1 authentication
    • mschapv2 – MS-CHAPv2 authentication
  • ipunnumbered – PPPoE unnumbered IP.
  • pppoe-unnumbered-negotiate – Enable/disable PPPoE unnumbered negotiation.
  • idle-timeout – Idle time in seconds before PPPoE auto disconnects. 0 (zero) for no timeout.
  • disc-retry-timeout – Timeout value in seconds for PPPoE initial discovery. 0 to 4294967295. Default = 1.
  • padt-retry-timeout – Timeout value in seconds for PPPoE termination. 0 to 4294967295. Default = 1.
  • service-name – PPPoE service name.
  • ac-name – PPPoE AC name.
  • lcp-echo-interval – Interval in seconds allowed for PPPoE LCP echo. 0 to 4294967295. Default = 5.
  • lcp-max-echo-fails – Maximum number of missed LCP echo messages before disconnect. 0 to 4294967295. Default = 3.

Adding Internet services to firewall policies (389951)

In 5.4, support was added for Internet Service objects which could be used with FortiView, Logging, Routing and WAN Load Balancing. Now they can be added to firewall policies as well.

There is an either/or relationship between Internet Service objects and destination address and service combinations in firewall policies: a policy can specify either a destination address and service, or an Internet Service, but not both.

CLI

The related CLI options/syntax are:

config firewall policy
    edit 1
        set internet-service 1 5 10
        set internet-service-custom test
        set internet-service-negate [enable|disable]
end

GUI

In the policy listing page you will notice that if an Internet Service object is used, it appears in both the Destination and Service columns.

In the policy editing page, the Destination Address field, now called Destination, has two types: Address and Internet Service.

FortiOS 5.6.2 Release Notes

Introduction

This document provides the following information for FortiOS 5.6.2 build 1486:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.2 supports the following models.

FortiGate
  FG-30D, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30D-POE, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi
  FWF-30D, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-30D-POE, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged
  FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM
  FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

Pay-as-you-go images
  FOS-VM64, FOS-VM64-KVM

FortiOS Carrier
  FortiOS Carrier 5.6.2 images are delivered upon request and are not available on the customer support firmware download page.

What’s new in FortiOS 5.6.2

For a list of new features and enhancements that have been made in FortiOS 5.6.2, see the What’s New for FortiOS 5.6.2 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built-in Fortinet_Factory certificate that uses a 2048-bit certificate with DH group 14.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form
  • IPv6 packets being dropped
  • FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects, through the introduction of a new command, which is enabled by default:

config system global
    set hw-switch-ether-filter <enable | disable>

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed
  • BPDUs are dropped and therefore no STP loop results
  • PPPoE packets are dropped
  • IPv6 packets are dropped
  • FortiSwitch devices are not discovered
  • HA may fail to form depending on the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With the introduction of the Security Fabric, FortiClient profiles will be updated on the FortiGate. FortiClient profiles and the FortiGate are now primarily used for endpoint compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on the FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.2

FortiOS version 5.6.2 officially supports upgrading from version 5.4.4, 5.4.5, 5.6.0, and 5.6.1. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or admin-sport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.2 greatly increases interoperability with other Fortinet products. This includes:

  • FortiAnalyzer 5.6.0
  • FortiClient 5.6.0
  • FortiClient EMS 1.2.1
  • FortiAP 5.4.2 and later
  • FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

  • Advanced FortiClient profiles (XML configuration)
  • Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard Banner, client-based logging when on-net, and Single Sign-on Mobility Agent
  • VPN provisioning
  • Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths
  • Client-side web filtering when on-net
  • iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.2, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.2, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.2, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

  • operation mode
  • interface IP/management IP
  • static route table
  • DNS settings
  • VDOM parameters/settings
  • admin user account
  • session helpers
  • system access profiles

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

  1. Back up your configuration.
  2. In the backup configuration, replace all long VDOM names with their corresponding short VDOM names. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_name>.
  3. Restore the configuration.
  4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.2 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

When downgrading from 5.6.2 to older versions, running the enhanced NIC driver is not allowed. The following AWS instances are affected:

  • C3
  • C4
  • R3
  • I2
  • M4
  • D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
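The following Python script is an added example (not Fortinet tooling) of the comparison the portal procedure calls for: it streams the downloaded image through MD5 and compares the digest with the published value using a constant-time, case-insensitive comparison. IMAGE_PATH and EXPECTED_MD5 are placeholders to fill in; the self-check hashes a constructed file rather than a real image.

```python
"""Verify a downloaded firmware image against its published MD5 checksum.

Added example, not Fortinet code. It assumes you copied the checksum string
from the support portal into EXPECTED_MD5 and saved the image at IMAGE_PATH
(both are placeholders below).
"""
import hashlib
import hmac
import os
import tempfile

IMAGE_PATH = "firmware-image.out"                    # placeholder; path to the downloaded .out file
EXPECTED_MD5 = "00000000000000000000000000000000"   # placeholder; paste the portal's checksum here


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large images do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Compare case-insensitively, ignoring pasted whitespace, in constant time."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_image(path: str, expected_hex: str) -> bool:
    return checksum_matches(md5_of_file(path), expected_hex)


def self_check() -> bool:
    """Round-trip on a constructed file; MD5 of b'abc' is a well-known test vector."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_image = os.path.join(tmp, "constructed.out")
        with open(fake_image, "wb") as fh:
            fh.write(b"abc")
        ok = verify_image(fake_image, "900150983CD24FB0D6963F7D28E17F72")
        bad = verify_image(fake_image, "d41d8cd98f00b204e9800998ecf8427e")
    return ok and not bad


if __name__ == "__main__":
    print("self-check:", self_check())
    if os.path.exists(IMAGE_PATH):
        status = "matches" if verify_image(IMAGE_PATH, EXPECTED_MD5) else "DOES NOT MATCH"
        print(IMAGE_PATH, status)
```

A matching MD5 confirms the download was not corrupted in transit. MD5 is not collision-resistant, so the checksum alone does not establish who produced the image; authenticity rests on fetching both the image and the checksum over HTTPS from the support portal, and the checksum catches transfer corruption.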

Product Integration and Support

FortiOS 5.6.2 support

The following table lists 5.6.2 product integration and support information:

Web Browsers
  • Microsoft Edge 38
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 54
  • Google Chrome version 59
  • Apple Safari version 9.1 (For Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser
  • Microsoft Edge 40
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 53
  • Google Chrome version 58
  • Apple Safari version 10 (For Mac OS X)
  Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager
  See important compatibility information in Security Fabric Upgrade. For the latest information, see FortiManager compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer
  See important compatibility information in Security Fabric Upgrade. For the latest information, see FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.
  Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient Microsoft Windows and FortiClient Mac OS X
  • 5.6.0
  See important compatibility information in Security Fabric Upgrade.
  If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading FortiGate.

FortiClient iOS
  • 5.4.3 and later

FortiClient Android and FortiClient VPN Android
  • 5.4.1 and later

FortiAP
  • 5.4.2 and later
  • 5.6.0

FortiAP-S
  • 5.4.3 and later
  • 5.6.0

FortiSwitch OS (FortiLink support)
  • 3.5.6 and later

FortiController
  • 5.2.5 and later
  Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox
  • 2.3.3 and later

Fortinet Single Sign-On (FSSO)
  • 5.0 build 0254 and later (needed for FSSO agent support OU in group filters)
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Standard
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008 R2 64-bit
  • Windows Server 2012 Standard
  • Windows Server 2012 R2 Standard
  • Novell eDirectory 8.8
  FSSO does not currently support IPv6.

FortiExtender
  • 3.1.1 and later

AV Engine
  • 5.247

IPS Engine
  • 3.426

Virtualization Environments
  Citrix
    • XenServer version 5.6 Service Pack 2
    • XenServer version 6.0 and later
  Linux KVM
    • RHEL 7.1/Ubuntu 12.04 and later
    • CentOS 6.4 (qemu 0.12.1) and later
  Microsoft
    • Hyper-V Server 2008 R2, 2012, and 2012 R2
  Open Source
    • XenServer version 3.4.3
    • XenServer version 4.1 and later
  VMware
    • ESX versions 4.0 and 4.1
    • ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV
  The following NIC chipset cards are supported:
    • Intel 82599
    • Intel X540
    • Intel X710/XL710

Language support

The following table lists language support information.

Language support

The following languages are supported in the GUI:
  • English
  • Chinese (Simplified)
  • Chinese (Traditional)
  • French
  • Japanese
  • Korean
  • Portuguese (Brazil)
  • Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists the SSL VPN tunnel client standalone installer for the supported operating systems.

Operating system and installers

  Operating System
    Linux CentOS 6.5 / 7 (32-bit & 64-bit)
    Linux Ubuntu 16.04
  Installer
    2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

  Operating System                                   Web Browser
  Microsoft Windows 7 SP1 (32-bit & 64-bit)          Microsoft Internet Explorer version 11
  Microsoft Windows 8 / 8.1 (32-bit & 64-bit)        Mozilla Firefox version 54
                                                     Google Chrome version 59
  Microsoft Windows 10 (64-bit)                      Microsoft Edge
                                                     Microsoft Internet Explorer version 11
                                                     Mozilla Firefox version 54
                                                     Google Chrome version 59
  Linux CentOS 6.5 / 7 (32-bit & 64-bit)             Mozilla Firefox version 54
  Mac OS 10.11.1                                     Apple Safari version 9
                                                     Mozilla Firefox version 54
                                                     Google Chrome version 59
  iOS                                                Apple Safari
                                                     Mozilla Firefox
                                                     Google Chrome
  Android                                            Mozilla Firefox
                                                     Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

  Product (Antivirus / Firewall)
  • Symantec Endpoint Protection 11
  • Kaspersky Antivirus 2009
  • McAfee Security Center 8.1
  • Trend Micro Internet Security Pro
  • F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

  Product (Antivirus / Firewall)
  • CA Internet Security Suite Plus Software
  • AVG Internet Security 2011
  • F-Secure Internet Security 2011
  • Kaspersky Internet Security 2011
  • McAfee Internet Security 2011
  • Norton 360™ Version 4.0
  • Norton™ Internet Security 2011
  • Panda Internet Security 2011
  • Sophos Security Suite
  • Trend Micro Titanium Internet Security
  • ZoneAlarm Security Suite
  • Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.6.2. For inquiries about a particular bug, please contact Customer Service & Support.

GUI

Bug ID Description
442145 httpsd daemon signal 11 crash due to missing default parameter for /endpointcontrol/avatar/download.
442939 Switch-controller Managed FortiSwitch failed to be displayed and triggered Internal Server Error.

SSL VPN

Bug ID Description
442808 SSL VPN daemon crashes and users are disconnected when any one of the tunnel users logs out.

 

Known Issues

The following issues have been identified in version 5.6.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
441996 No UTM AppCtrl log for signature Gmail_Attachment.Download when action is blocked.
FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.

Firewall

Bug ID Description
434959 NGFW policy with App Control policy blocks traffic.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiLink

Bug ID Description
434470 Explicit policy for traffic originating from interface dedicated to FortiLink.
441300 Limited options in FortiLink quarantine stanza to use, giving users no way to trigger the quarantine function.

FortiSwitch-Controller/FortiLink

Bug ID Description
404399 FortiLink goes down when connecting to ForiSwitch 3.4.2 b192.
408082 Operating a dedicated hardware switch into FortiLink changes STP from enable to disable.
415380 DHCP snooping enabled on FortiSwitch VLAN interfaces may prevent clients from obtaining addresses through DHCP.

Workaround: disable switch-controller-dhcp-snooping on FortiLink VLAN interfaces.

445373 For 802.1X, FortiSwitch port disappeared after upgrading FortiGate from 5.6.0 to 5.6.1 with 802.1X enabled without security-group/user-group.

FortiView

Bug ID Description
366627 FortiView Cloud Application may display the incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
402507 In physical/logical topology, threat drill down fails and keeps GUI loading unexpectedly.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
441835 Drilling down on an auth-failed WiFi client entry in "Failed Authentication" cannot display the detail logs when CSF is enabled.
442238 FortiView VPN map cannot display the Google map (199 dialup VPN tunnels).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.

GUI

Bug ID Description
374247 GUI list may list another VDOM interface when editing a redundant interface.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.

 

Bug ID Description
398397 Slowness in accessing Policy and Address page in GUI after upgrading from 5.2.2 to 5.4.1.
402775 Add multiple ports and port range support in the explicit FTP/web proxy.
403146 Slow GUI Policy tab with more than 600 policies.
412401 Incorrect throughput reading in GUI-System-HA page.
439185 AV quarantine cannot be viewed and downloaded from the detail panel when the source is FortiAnalyzer.

442231 Links cannot show different colors based on the link usage legend in the logical topology real-time view.
Log & Report

Bug ID Description
412649 In NGFW Policy mode, FGT does not create webfilter logs.
438858 Synchronized log destination with Log View and FortiView display source.
441476 Rolled log file is not uploaded to FTP server by max-log-file-size.

HA

Bug ID Description
439152 FGSP – standalone config sync – synchronizes BGP neighbor.
441078 After an HA failover, it takes too long for packet forwarding to the previous master node to stop.
441716 Traffic stops when load-balance-all is enabled in active-active HA when npu_vlink is used in the path.
436585 Issues with different hardware generation when operating in a HA cluster.

IPsec

Bug ID Description
416102 Traffic over IPsec VPN gets dropped after two pings when it is getting offloaded to NPU.

Proxy

Bug ID Description
442252 WAD stops forwarding traffic on both transparent proxy and explicit web proxy after IPS test over web proxy.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
409156 In the Security Fabric Audit, an unlicensed FDS FortiGate should not be marked Passed in Firmware & Subscriptions.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
414013 Log Settings shows Internal CLI error when enabling historical FortiView at the same time as disk logging.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
437801 FG-30E WAN interface MTU override drop packet issue.
438405 HRX/PKTCHK drops over NP6 with 1.5 Gbps.

Bug ID Description
439126 Auto-script using diagnose command fails with Unknown action 0 after rebooting FortiGate.
439553 Virtual wire pair config missing after reboot.
440411 Monitor NP6 IPsec engine status.
440412 SNMP trap for per-CPU usage.
440448 FG-800C will not get IP on the LTE-modem interface using Novatel U620.
441532 Suggest to add SNMP/CLI monitoring capabilities of NP6 session table.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
    • XVA (recommended)
    • VHD
    • OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats require manual configuration before the first power-on.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvirt version 0.9.2, import issues may arise when using the QCOW2 format, and existing HDA issues may also occur.

Combining source and destination NAT in the same policy (388718)

The Service field has been added to Virtual IP objects. When service and portforward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port.

config firewall vip
    edit "vip1"
        set type load-balance
        set service "HTTP-8080" "HTTP"     <----- New Service field, accepts Service/Service group names
        set extip 20.0.0.0-20.0.255.255
        set extintf "wan1"
        set portforward enable
        set mappedip "30.0.0.1"
        set mappedport 100                 <----- single port
    next
end

The reason for making this configuration possible is to allow complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT and not requiring numerous VIPs bundled into VIP groups.

NP6 Host Protection Engine (HPE) to add protection for DDoS attacks (363398)

NP6 processors now include HPE functionality that can protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost, and applying packet shaping to the packet types that can cause a DoS. You can use the options in the following CLI command to limit the number of packets per second received for various packet types by each NP6 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP6 processor.

HPE protection is disabled by default. You can use the following command to enable HPE protection for the np6_0 NP6 processor:

config system np6
    edit np6_0
        config hpe
            set type-shaper enable
        end
    next
end

HPE can be enabled and configured separately for each NP6 processor. When enabled, the default configuration is designed to provide basic DoS protection. You can use the following command to adjust the HPE settings in real time if your network is experiencing an attack. For example, the following command configures HPE settings for np6_0:

config system np6
    edit np6_0
        config hpe
            set type-shaping-tcpsyn-max <pps>
            set type-shaping-tcp-max <pps>
            set type-shaping-udp-max <pps>
            set type-shaping-icmp-max <pps>
            set type-shaping-sctp-max <pps>
            set type-shaping-ipsec-esp-max <pps>
            set type-shaping-ip-frag-max <pps>
            set type-shaping-ip-others-max <pps>
            set type-shaping-arp-max <pps>
            set type-shaping-others-max <pps>
        end
    next
end

Where:

type-shaping-tcpsyn-max applies shaping based on the maximum number of TCP SYN packets received per second. The range is 10,000 to 10,000,000,000 pps. The default limits the number of packets per second to 5,000,000 pps.

type-shaping-tcp-max applies shaping based on the maximum number of TCP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-udp-max applies shaping based on the maximum number of UDP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 5,000,000 pps.

type-shaping-icmp-max applies shaping based on the maximum number of ICMP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

 

type-shaping-sctp-max applies shaping based on the maximum number of SCTP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ipsec-esp-max NPU HPE shaping based on the maximum number of IPsec ESP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-frag-max applies shaping based on the maximum number of fragmented IP packets received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-ip-others-max applies shaping based on the maximum number of other IP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-arp-max applies shaping based on the maximum number of ARP packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

type-shaping-others-max applies shaping based on the maximum number of other layer 2 packet types received. The range is 10,000 to 10,000,000,000 pps. The default is 1,000,000 pps.

New feature catalog (5.6.1 and 5.6)

The following sections list all of the new features in FortiOS 5.6 and 5.6.1 organized alphabetically by subject area.

Getting Started (5.6.1)

New Getting Started features added to FortiOS 5.6.1.

VM License visibility improvement (423347)

VM License GUI items have changed as follows:

  • Added a VM widget to Global > Dashboard. It includes the following:
    • License status and type.
    • CPU allocation usage.
    • License RAM usage.
    • VMX license information (if the VM supports VMX).
    • If the VM license specifies 'unlimited', the progress bar is blank.
    • If the VM is in evaluation mode, the widget is yellow (warning style) and the dashboard shows the evaluation days used.
    • The widget is shown by default in the dashboard of a FortiOS VM device.
  • Removed VM information from the License widget at Global > Dashboard.
  • License info and an Upload License button are provided on the page Global > System > FortiGuard.
  • Updated the 'Upload VM License' page:
    • Added license RAM usage and VMX instance usage.
    • Replaced the file input component.

CLI Syntax

config system admin
    edit <name>
        config gui-dashboard
            edit <1>
                set name <name>
                config widget
                    edit <2>
                        set type {vminfo | ...}   <- new option
                        set x-pos <2>
                        set y-pos <1>
                        set width <1>
                        set height <1>
                    next
                end
            next
        end
    next
end

FortiView Dashboard Widget (434179)

Added a new widget type to the dashboard for top level FortiView. FortiView widgets have report-by, sort-by, visualization, timeframe properties, and filters subtable in the CLI.

Supported FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, and Admin and System Events.

Bubble, table, chord chart, and country visualizations are supported in the widget.

Widgets can be saved from a filtered FortiView page on to a dashboard.

Syntax

config system admin
    edit <name>
        config gui-dashboard
            edit <id>
                config widget
                    edit <id>
                        set type fortiview
                        set report-by {source | destination | country | intfpair | srcintf | dstintf | policy | wificlient | shaper | endpoint | application | cloud | web | threat | system | unauth | admin | vpn}
                        set timeframe {realtime | 5min | hour | day | week}
                        set sort-by <string>
                        set visualization {table | bubble | country | chord}
                        config filters
                            edit <id>
                                set key <filter_key>
                                set value <filter_value>
                            next
                        end
                    next
                end
            next
        end
    next
end

Where:

  • report-by: Field to aggregate the data by.
  • timeframe: Timeframe period of the reported data.
  • sort-by: Field to sort the data by.
  • visualization: Visualization to use.

Controls added to GUI CLI console (422623)

FortiOS 5.6.1 introduces new options in the browser CLI console to export the console history. Options are now available to Clear console, Download, and Copy to clipboard.

FortiExplorer icon enhancement (423838)

FortiOS icons and colors are now exportable in the GUI shared project, and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The following locations were affected: Policy List, Policy Dialogue, Address List, Address Dialogue, Virtual IP list, Virtual IP Dialogue.


Getting Started (5.6)

New Getting Started features added to FortiOS 5.6.

Change to CLI console (396225)

The CLI Console widget has been removed from the dashboard in FortiOS 5.6.0. The CLI console is now accessed from the upper-right corner of the screen and opens as a sliding window rather than a pop-out window.

System Information Dashboard widget WAN IP Information enhancement (401464)

WAN IP and location data are now available in the System Information widget. Additionally, if the WAN IP is blacklisted by the FortiGuard server, a notification appears in the notification area in the upper right-hand corner of the Dashboard. Clicking the notification opens the WAN IP Blacklisted slider with the relevant blacklist information.

CLI and GUI changes to display FortiCare registration information (395254)

The changes pertain to industry and organization size of the FortiGate’s registered owner.

GUI Changes

  • Add industry and organization size to the FortiCare registration page
  • Add company and industry to the License widget tooltip for FortiCare

When you hover over the Licenses widget in the FortiOS 5.6 dashboard, you can see the company and industry data, provided it has been entered in the FortiCare profile.

CLI Changes

Commands are added to diagnose forticare

diagnose forticare direct-registration product-registration -h
Options: a:A:y:C:c:T:eF:f:hI:i:l:O:o:p:P:z:R:r:S:s:t:v:

--<long>           -<short>
account_id         a:
address            A:
city               y:
company            C:
contract_number    c:
country_code       T:
existing_account   e
fax                F:
first_name         f:
help               h
industry           I:
industry_id        i:
last_name          l:
orgsize            O:
orgsize_id         o:
password           p:
phone              P:
postal_code        z:
reseller           R:
reseller_id        r:
state              S:
state_code         s:
title              t:
version            v:

Improved GUI for Mobile Screen Size & Touch Interface (355558)

The FortiOS web GUI has been improved for mobile screen sizes and now includes touch-interface functionality such as tap and hold.

Authentication (5.6.1)

New authentication features added to FortiOS 5.6.1.

Full certificate chain CRL checking (407988)

Certificate revocation/status check for peer certificates and intermediate CAs is now supported. Redesigned fnbam_auth_cert() API to use stack type of X509 instead of array for certificate chain. Removed obsolete fnbam API and parameters. Now authd, sslvpnd, and GUI send full certificate chains to fnbamd for verification.

New option under user > setting to allow/forbid SSL renegotiation in firewall authentication (386595)

A new option auth-ssl-allow-renegotiation is now available under config user setting to allow/forbid renegotiation. The default value is disable, where a session would be terminated by authd once renegotiation is detected and this login would be recorded as failure. Other behavior follows regular auth settings.

Syntax

config user setting
    set auth-ssl-allow-renegotiation {enable | disable}
end

New option to allow spaces in RADIUS DN format (422978)

Previously, IKEv2 RADIUS group authentication introduced a regression because it removed the spaces from the ASN.1 DN peer identifier string.

Reverted default DN format to include spaces. Added a new CLI option ike-dn-format to allow the user to select either with-space or no-space. Customers using the group-authentication option can select the ike-dn-format setting to match the format used in their RADIUS user database.

Added LDAP filter when group-member-check is user-attr (403140)

An LDAP filter can now be applied when group-member-check is user-attr. The filter is used when checking the user attribute.

Syntax

config user ldap
    edit <name>
        set group-filter <ldap-filter>
    next
end

  • group-filter is none by default, where the process is the same as before.

When group-filter is set, the LDAP filter takes effect for retrieving the group information.

 

Added Refresh button to the LDAP browser (416649)

Previously, cached LDAP data was used even if the LDAP server configuration was updated.

In FortiOS 5.6.1, a Refresh button has been added in the LDAP browser. In the LDAP server dialog page, the user can delete the DN field to browse the root level tree when clicking the Fetch DN button.

Differentiate DN option for user authentication and membership searching (435791)

Previously, LDAP used the same DN option for user authentication and membership searching. New CLI options are introduced under config user ldap to resolve this issue:

  • group-member-check user-attr

For user attribute checking, a new attribute group-search-base is added, which indicates the starting point for the group search. If group-search-base is not set, binddn is used as the search base. searchtype is removed when group-member-check is user-attr.

  • group-member-check group-object

For group object checking, the group names in the user group match rule are used as the group search base. If there are multiple matching rules, each group name triggers the ldapsearch query once.

  • group-member-check posix-group-object

group-object-search-base has been changed to group-search-base for the posix-group-object group-member-check.

FTM Push when FAC is auth server (408273)

This feature adds support for FortiToken Mobile (FTM) push with FortiAuthenticator server in FortiOS. It also fixes a crash when adding a node to an RB tree, by checking if the same key has already been used in the tree. If yes, remove the node using the same key before adding a new node.

Non-blocking LDAP authentication (433700)

The previous LDAP authentication in fnbamd used the OpenLDAP library. OpenLDAP supports non-blocking BIND, but it is not event driven.

To support non-blocking LDAP in fnbamd, we stopped using the openLDAP library in fnbamd, instead using only liblber. Instead of using openLDAP, fnbamd will create its own event-driven connection with LDAP servers over LDAP/LDAPS/STARTTLS, make it non-blocking, do CRL checking if necessary, and compose all LDAP requests using liblber (including bind, unbind, search, password renewal, password query, send request and receive response, and parse response). The whole process is done in one connection.

This doesn’t change any openLDAP implementation but moves some data structure definitions and API definitions from some internal header files to public header files.

Manual certificate SCEP renewal (423997)

Added support of manual certificate SCEP renewal besides the auto-regeneration feature that already exists.

More detailed RADIUS responses shown in connectivity test (434303)

Improved on-demand test connectivity for RADIUS servers. Test results show RADIUS server reachability, NAS client rejection, and invalid User/Password. Test also shows RADIUS Attributes returned from the RADIUS server.

Example

FG100D3G12807101 # diagnose test authserver radius-direct
<server_name or IP> <port no(0 default port)> <secret> <user> <password>

FG100D3G12807101 # diagnose test authserver radius-direct 1.1.1.1 0 dd
RADIUS server '1.1.1.1' status is Server unreachable

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 dd
RADIUS server '172.18.5.28' status is Secret invalid

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet jeff1 asdfasdf
RADIUS server '172.18.5.28' status is OK
Access-Reject

FG100D3G12807101 # diagnose test authserver radius-direct 172.18.5.28 0 fortinet ychen1 asdfasdf
RADIUS server '172.18.5.28' status is OK
Access-Accept
AVP: l=6 t=Framed-Protocol(7) Value: 1
AVP: l=6 t=Service-Type(6) Value: 2
AVP: l=46 t=Class(25) Value: 9e 2a 08 6d 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 00 00 5e fe ac 12 05 1c 01 d2 cd b6 75 a6 80 56 00 00 00 00 00 00 00 1c
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) VSA: l=6 t=MS-Link-Utilization-Threshold(14) Value: 50
AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311) VSA: l=6 t=MS-Link-Drop-Time-Limit(15) Value: 120
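The AVP lines above are the decoded form of the RADIUS attribute-value pairs carried in the Access-Accept. The following Python is an added example (not FortiOS code) that rebuilds those five AVPs as constructed bytes and decodes them with a length-checked TLV walk, including the Vendor-Specific (attribute 26) sub-attribute layout of RFC 2865 section 5.26. The attribute and vendor name tables are assumptions limited to the attributes shown above.

```python
"""Decode RADIUS attribute-value pairs from an Access-Accept (RFC 2865 section 5).
Added example, not FortiOS code. SAMPLE_ATTRS is constructed to mirror the AVPs printed
by the diagnose output above; the name tables are assumptions covering only those AVPs."""
import struct

ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 25: "Class", 26: "Vendor-Specific"}
VENDOR_NAMES = {311: "Microsoft"}
VSA_NAMES = {311: {14: "MS-Link-Utilization-Threshold", 15: "MS-Link-Drop-Time-Limit"}}
INTEGER_ATTRS = {6, 7}                    # 4-byte big-endian integers
INTEGER_VSAS = {(311, 14), (311, 15)}


def _tlv(t, value):
    """Type (1 byte), Length (1 byte, counts the 2-byte header too), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


# Constructed bytes reproducing the five AVPs of the Access-Accept shown above.
SAMPLE_ATTRS = (
    _tlv(7, struct.pack("!I", 1))                                  # Framed-Protocol = PPP
    + _tlv(6, struct.pack("!I", 2))                                # Service-Type = Framed
    + _tlv(25, bytes.fromhex("9e2a086d" "00000137" "00011700" "fe800000" "00000000"
                             "00005efe" "ac12051c" "01d2cdb6" "75a68056" "00000000"
                             "0000001c"))                          # Class, 44 bytes
    + _tlv(26, struct.pack("!I", 311) + _tlv(14, struct.pack("!I", 50)))
    + _tlv(26, struct.pack("!I", 311) + _tlv(15, struct.pack("!I", 120)))
)


def _walk(data):
    """Generic TLV walk. A length below 2 or one that runs past the buffer is an error;
    a parser that silently accepts either can be looped forever or made to over-read."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad length %d for attribute %d at offset %d" % (length, t, off))
        yield t, length, data[off + 2:off + length]
        off += length


def _decode(raw, is_int):
    return struct.unpack("!I", raw)[0] if is_int and len(raw) == 4 else raw.hex()


def parse_attributes(data):
    """Return one dict per AVP; Vendor-Specific AVPs are expanded into their sub-attributes."""
    avps = []
    for t, length, value in _walk(data):
        if t == 26:
            if len(value) < 6:           # Vendor-Id (4) + at least one sub-attribute header (2)
                raise ValueError("Vendor-Specific attribute too short")
            vendor = struct.unpack("!I", value[:4])[0]
            for vt, vlen, vval in _walk(value[4:]):
                avps.append({"type": t, "len": length, "vendor": vendor, "vsa_type": vt,
                             "vsa_len": vlen, "value": _decode(vval, (vendor, vt) in INTEGER_VSAS)})
        else:
            avps.append({"type": t, "len": length, "value": _decode(value, t in INTEGER_ATTRS)})
    return avps


def format_avp(avp):
    """Render an AVP in the style of the diagnose output above."""
    if avp["type"] == 26:
        v = avp["vendor"]
        return "AVP: l=%d t=Vendor-Specific(26) v=%s(%d) VSA: l=%d t=%s(%d) Value: %s" % (
            avp["len"], VENDOR_NAMES.get(v, "?"), v, avp["vsa_len"],
            VSA_NAMES.get(v, {}).get(avp["vsa_type"], "?"), avp["vsa_type"], avp["value"])
    return "AVP: l=%d t=%s(%d) Value: %s" % (
        avp["len"], ATTR_NAMES.get(avp["type"], "?"), avp["type"], avp["value"])


if __name__ == "__main__":
    for avp in parse_attributes(SAMPLE_ATTRS):
        print(format_avp(avp))
```

The walk is deliberately strict: RADIUS attribute lengths come from the server, so a length of 0 or 1 (which would never advance the offset) or one that exceeds the remaining buffer is rejected rather than tolerated.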

Firewall user authentication time-out range increased (378085)

The firewall user authentication time-out max value has increased from 3 days to 30 days.

Syntax

config user group
    edit <name>
        set authtimeout <0 - 43200>
    next
end

Authentication (5.6)

New authentication features added to FortiOS 5.6.

FortiToken Mobile Push (397912, 408273, 399839, 404872)

FortiToken Mobile push supports two-factor authentication without requiring users to type in a one-time code. Instead they can just accept the authentication request from their FortiToken Mobile app.

A new command has been added under config system ftm-push allowing you to configure the FortiToken Mobile Push service's server IP address and port number. The push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android smartphones respectively. This also helps to avoid tokens becoming locked after an already enabled two-factor authentication user has been disabled. In addition, FortiOS supports FTM Push when FortiAuthenticator is the authentication server.

CLI syntax

config system ftm-push
    set server-ip <ip-address>
    set server-port <1-65535>     Default is 4433.
end

In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message will display showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.

The “x” value will depend on the calculation of how much time is left in the current time step.

CLI syntax

config system interface
    edit <name>
        set allowaccess ftm
    next
end

Support V4 BIOS certificate (392960)

FortiOS now supports backwards compatibility between new BIOS version 4 and old BIOS version 3.

New BIOS V4 certificates:

  • Fortinet_CA
  • Fortinet_Sub_CA
  • Fortinet_Factory

Old BIOS V3 certificates:

  • Fortinet_CA_Backup
  • Fortinet_Factory_Backup

When FortiOS connects to FortiGuard, FortiCloud, FortiManager, FortiAnalyzer, FortiSandbox as a client, the new BIOS certificate Fortinet_Factory will be the default client certificate. When the server returns its certificate (chain) back, FortiOS looks up the issuer of the server certificate and either keeps client certificate as is or switches to the old BIOS certificate Fortinet_Factory_Backup. This process occurs in one handshake.

When FortiOS connects to FortiCare, the new BIOS certificate Fortinet_Factory is the only client certificate and Server Name Indication (SNI) is set. There is no switchover of certificate during SSL handshake.

When FortiOS acts as a server when connected by FortiExtender, FortiSwitch, FortiAP, etc., Fortinet_Factory is the default server certificate. FortiOS detects SNI in client hello, and if no SNI is found or if the CN in SNI is different from the CN of Fortinet_CA, it switches to use the old Fortinet_Factory_Backup.

Support extendedKeyUsage for x.509 certificates (390393)

As per Network Device Collaborative Protection Profile (NDcPP) v1.0 requirements, server certificates used for TLS connections between FortiGate and FortiAnalyzer should have the “Server Authentication” and “Client Authentication” extendedKeyUsage fields in FIPS/CC mode.

To implement this, a new CLI command has been added under log fortianalyzer setting to allow you to specify the certificate used to communicate with FortiAnalyzer.

CLI syntax

config log fortianalyzer setting
    set certificate <name>
end

Administrator name added to system event log (386395)

The administrator’s name now appears in the system event log when the admin issues a user quarantine ban on a source address.

Support RSA-4096 bit key-length generation (380278)

RSA-4096 bit key-length CSRs can now be generated and imported. A longer RSA modulus raises the cost of classical factoring only; it does not protect against a quantum computer running Shor's algorithm, so it should not be mistaken for a post-quantum measure.

New commands added to config user ldap to set UPN processing method and filter name (383561)

Two new commands have been added to config user ldap allowing you to keep or strip the domain string of the UPN in the token, and to set the search name for this kind of UPN.

CLI syntax:

config user ldap
    edit <name>
        set account-key-processing <option>
        set account-key-name <attribute-name>
    next
end

User authentication max timeout setting change (378085)

To accommodate wireless hotspot users authenticated on the FortiGate, the user authentication max timeout setting has been extended to three days (from one day, previously).

Changes to Authentication Settings > Certificates GUI (374980)

Added new icons for certificate types and updated formatters to use these new icons.

Password for private key configurable in both GUI and CLI (374593)

FortiOS 5.4.1 introduced a feature that allowed you to export a local certificate and its private key in password protected p12, and later import them to any device. This option to set password for private key was available only in the CLI (when requesting a new certificate via SCEP or generating a CSR). This feature is now also configurable through the GUI.

The new Password for private key option is available under System > Certificates when generating a new CSR.

RADIUS password encoding (365145)

A new CLI command, under config user radius, has been added to allow you to configure RADIUS password encoding to use ISO-8859-1 (as per RFC 2865).

Certain RADIUS servers use ISO-8859-1 password encoding instead of UTF-8. In these instances, the server will fail to authenticate the user if the password contains non-ASCII characters and the FortiGate sends it encoded as UTF-8, because the encoded bytes (and therefore the hidden User-Password attribute) differ from what the server expects.

CLI syntax

config user radius
    edit <name>
        set password-encoding {auto | ISO-8859-1}
    next
end

This option will be skipped if the auth-type is neither auto nor pap.
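To see why the charset matters for PAP, the following Python is an added example (not FortiOS code) that implements the User-Password hiding of RFC 2865 section 5.2 and compares what a server expecting ISO-8859-1 recovers when the client encoded a non-ASCII password as UTF-8, and the reverse. The shared secret, the Request Authenticator and the passwords are constructed values; an ASCII-only password is included to show why the mismatch often goes unnoticed.

```python
"""User-Password hiding (RFC 2865 section 5.2) applied to one password under two charsets.
Added example, not FortiOS code; secret, authenticator and passwords are constructed."""
import hashlib

SECRET = b"fortinet"                  # constructed shared secret
AUTHENTICATOR = bytes(range(16))      # constructed 16-byte Request Authenticator (random in real packets)


def hide_password(password, secret, authenticator, encoding):
    """Encode with the chosen charset, NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    p = password.encode(encoding)
    if not 1 <= len(p) <= 128:
        raise ValueError("password must be 1..128 bytes after encoding")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + c, c
    return out


def unhide_password(hidden, secret, authenticator, encoding):
    """What the server does: reverse the XOR chain, strip NUL padding, decode with *its* charset."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, hashlib.md5(secret + prev).digest()))
        prev = c
    return out.rstrip(b"\x00").decode(encoding)


def server_accepts(hidden, server_encoding, stored_password, secret=SECRET, auth=AUTHENTICATOR):
    """A server compares the recovered string with its stored password; undecodable bytes fail."""
    try:
        return unhide_password(hidden, secret, auth, server_encoding) == stored_password
    except UnicodeDecodeError:
        return False


def compare_encodings(password, secret=SECRET, auth=AUTHENTICATOR):
    """Hide one password as UTF-8 and as ISO-8859-1 and check each against both server charsets."""
    as_utf8 = hide_password(password, secret, auth, "utf-8")
    as_latin1 = hide_password(password, secret, auth, "iso-8859-1")
    return {
        "utf8_len": len(password.encode("utf-8")),
        "latin1_len": len(password.encode("iso-8859-1")),
        "hidden_identical": as_utf8 == as_latin1,
        "latin1_server_accepts_utf8_client": server_accepts(as_utf8, "iso-8859-1", password, secret, auth),
        "latin1_server_accepts_latin1_client": server_accepts(as_latin1, "iso-8859-1", password, secret, auth),
        "utf8_server_accepts_latin1_client": server_accepts(as_latin1, "utf-8", password, secret, auth),
    }


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Pässw0rd!"):     # ASCII-only vs. one Latin-1 character
        print(pw, compare_encodings(pw))
```

For "Pässw0rd!" the two encodings differ in length (10 versus 9 bytes) and therefore produce different hidden attributes; only a client and server that agree on the charset authenticate. For the ASCII-only password both encodings are byte-identical, which is why the auto setting works until the first user with an accented character in their password.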

RSSO supports Delegated-IPv6-Prefix and Framed-IPv6-Prefix (290990)

Two attributes, Delegated-IPv6-Prefix and Framed-IPv6-Prefix, have been introduced for RSSO to provide a /56 prefix for DSL customers. All devices connected from the same location (/56 per subscriber) can be mapped to the same profile without the need to create multiple /64 or smaller entries.

FortiOS Carrier (5.6.1)

New FortiOS Carrier features added to FortiOS 5.6.1.

 

GTP enhancement and GTP performance improvement (423332)

The GTP changes in 5.6.1 take place in the following categories:

New GTP features and functionality enhancements.

  • GTP message filter enhancements, including:
    • Unknown message white list
    • GTPv1 and GTPv2 profile separation
    • Message adoption
  • GTP IE white list.
  • Global APN rate limit, including:
    • sending back a REJECT message with a back-off timer
    • "APN congestion" cause value
  • GTP half-open and half-close configurable timers.

GTP performance improvements.

  • Implemented RCU (read-copy-update) on the GTP-U running path, i.e. no locking is needed to look up tunnel state when processing GTP-U.

Note the RCU is only applied on GTPv1 and GTPv2 tunnels. It is not used for GTPv0 tunnels, due to the fact that (1) GTPv0 traffic is relatively minor compared with GTPv1 and GTPv2, and (2) GTPv0 tunnel indexing is totally different from GTPv1 and GTPv2. GTPv0 tunnel is indexed by [IMSI, NSAPI]. GTPv1 and GTPv2 tunnel is indexed by [IP, TEID]

  • Localized CPU memory usage on the GTP-U running path.
  • GTP-C: changed some GTP tables from RB tree to hash table, including the GTP request tables and the GTPv0 tunnel tables. Testing showed that, when handling millions of entries being added and deleted, hash table performance was much better.
  • The hash table is compatible with the RCU API, so RCU can be applied to these GTP-C tables later for further performance improvements.
  • GTP-C: improved the GTP path management logic, so that a GTP path times out sooner when there are no tunnels linked to it.

CLI Changes:

New Diagnose commands: diagnose firewall gtp

Option Description
hash-stat-tunnel GTP tunnel hash statistics.
hash-stat-v0tunnel GTPv0 tunnel hash statistics.

hash-stat-path GTP path hash statistics.
hash-stat-req GTP request hash statistics.
vd-apn-shaper APN shaper on VDOM level.
ie-white-list-v0v1 IE white list for GTPv0 or v1.
ie-white-list-v2 IE white list for GTPv2.

diagnose firewall gtp vd-apn-shaper

Option Description
list List

diagnose firewall gtp ie-white-list-v0v1

Option Description
list List

diagnose firewall gtp ie-white-list-v2

Option Description
list List

config gtp apn-shaper

Option Description
apn APN to match. Leave empty to match ANY.

The apn field can be empty, in which case the entry matches any APN. Configured this way, the entry sets a limit for any APN that is not explicitly listed. Because the table is evaluated first-match, such a catch-all entry should be the last entry; placed earlier, it shadows every entry after it.

rate-limit Rate limit in packets/s (0 - 1000000, 0 means unlimited).
action Action [drop | reject]. There is no back-off timer in GTPv0, therefore the reject action is not available for v0.
back-off-time Back-off time in seconds (10 - 360). Visible only when action is reject.
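The first-match rule and the GTPv0 restriction are easy to get wrong when building the table, so the following Python is an added example (not FortiOS code) that models an apn-shaper table with the semantics described above: an empty apn matches any APN, entries are evaluated first-match, the rate limit is in packets per second, and a reject answer carries the back-off time. Two details are assumptions, not statements from the page: packets are counted per matched entry in one-second windows, and a reject action hit by GTPv0 traffic (which has no back-off timer) falls back to drop.

```python
"""Model of the gtp apn-shaper semantics described above. Added example, not FortiOS code.
Assumptions: packets are counted per matched entry in one-second windows, and a reject
action applied to GTPv0 (which has no back-off timer) degrades to drop."""
from collections import defaultdict


class ApnShaperEntry:
    def __init__(self, apn, rate_limit, action="drop", back_off_time=60):
        if action not in ("drop", "reject"):
            raise ValueError("action must be drop or reject")
        if not 0 <= rate_limit <= 1000000:
            raise ValueError("rate-limit must be 0..1000000 packets/s (0 = unlimited)")
        if action == "reject" and not 10 <= back_off_time <= 360:
            raise ValueError("back-off-time must be 10..360 seconds")
        self.apn, self.rate_limit = apn, rate_limit
        self.action, self.back_off_time = action, back_off_time


def lint_table(entries):
    """Warn about a catch-all (empty apn) entry that is not last: everything after it is dead."""
    return ["catch-all entry at position %d shadows %d later entries" % (i, len(entries) - 1 - i)
            for i, e in enumerate(entries) if e.apn == "" and i != len(entries) - 1]


def first_match(entries, apn):
    """First-match lookup: an empty apn matches ANY."""
    for entry in entries:
        if entry.apn == "" or entry.apn == apn:
            return entry
    return None


class ApnShaper:
    def __init__(self, entries):
        self.entries = list(entries)
        self.counts = defaultdict(int)   # (matched entry apn, second) -> packets seen (assumption)

    def handle(self, apn, gtp_version, second):
        """Return ("accept" | "drop" | "reject", back_off_seconds_or_None) for one GTP-C packet."""
        entry = first_match(self.entries, apn)
        if entry is None or entry.rate_limit == 0:
            return ("accept", None)
        key = (entry.apn, second)
        self.counts[key] += 1
        if self.counts[key] <= entry.rate_limit:
            return ("accept", None)
        if entry.action == "reject" and gtp_version != 0:
            return ("reject", entry.back_off_time)     # REJECT with "APN congestion" and a back-off timer
        return ("drop", None)                          # GTPv0 cannot be told to back off (assumption: drop)


def demo():
    """Same two entries in the right and the wrong order, exercised with four packets in one second."""
    specific = ApnShaperEntry("internet", 3, "reject", 30)
    catch_all = ApnShaperEntry("", 1, "drop")
    good, bad = [specific, catch_all], [catch_all, specific]
    result = {"warnings_good": lint_table(good), "warnings_bad": lint_table(bad)}
    for name, table in (("good_v2", good), ("bad_v2", bad)):
        shaper = ApnShaper(table)
        result[name] = [shaper.handle("internet", 2, second=0) for _ in range(4)]
    v0 = ApnShaper(good)
    result["good_v0"] = [v0.handle("internet", 0, second=0) for _ in range(4)]
    other = ApnShaper(good)
    result["good_other_apn"] = [other.handle("ims", 2, second=0) for _ in range(2)]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the catch-all last, "internet" gets its own limit of 3 and the fourth packet is rejected with a 30 second back-off, while an unlisted APN such as "ims" falls through to the catch-all. With the catch-all first, the specific entry is never reached and "internet" is throttled to 1 packet per second; lint_table flags exactly that ordering.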

Changed commands:

Under config firewall gtp, config message-filter is replaced by set message-filter-v0v1.

Example:

config firewall gtp
    edit <name>
        set message-filter-v0v1 <name>
    next
end

New fields have been added to the config firewall gtp command context

Option Description
half-open-timeout Half-open tunnel timeout (in seconds).
half-close-timeout Half-close tunnel timeout (in seconds).

Example:

config firewall gtp
    edit <name>
        set half-open-timeout 10
        set half-close-timeout 10
    next
end

Models affected by change

  • FortiGate 3700D
  • FortiGate 3700DX
  • FortiGate 3800D

Device identification (5.6)

New Device Identification features added to FortiOS 5.6.

Changed default for device-identification-active-scan to disabled (380837)

Most customers would not expect a default setting that results in the FortiGate actively probing their systems, so the active scan option is now disabled by default. Upgrade code keeps the option enabled for those upgrading from 5.4.0 or 5.4.1 who were using device identification with active scan enabled.

Diagnose command changes

Diagnose command changes (5.6.1)

New diagnose features added to FortiOS 5.6.1.

crash dump improvement on i386/X86_64 (396580)

The output from the WPAD crash dump can now be in binary format as well as hexadecimal. The two commands are:

  1. For a dump in binary format: diagnose debug app wpad-dump <debug_level>
  2. For a dump in hexadecimal format: diagnose debug app wpad-crash-hexdump <debug_level>

LLDP diagnose commands easier to execute (413102)

While there is no change to the syntax of the commands, the LLDP diagnose commands are allowed to execute without switchid/portid parameters configured.

New command to monitor IPS stats (414496)

When WAD IPS scanning took place with a failed result, the message caused the IPS sensor to mistakenly record the event as something triggering the sensor. To correct this, a new command was created.

Command:

diagnose wad stats ips [list | clear ]

list List IPS statistics
clear Clear IPS statistics

Example

diagnose wad stats ips list
IPS status
unix stream counter = 0
active sess counter = 0
ips provider counter = 0
not running failure = 0
all busy failure = 0
conn close counter = 0
conn connected counter = 0
conn failure = 0
zero len failure = 0
suspended failure = 0
push failure = 0
block write counter = 0
un-block write counter = 0
un-matching failure = 0
ips action failure = 0
ips action permit = 0
ips action deny = 0
ips action bypass = 0

New diagnose sys fips kat-error options (440186)

The command diagnose sys fips kat-error has added additional options, like ECDSA.

Diagnose command changes (5.6)

New diagnose features added to FortiOS 5.6.

Add missing “diag npu np6 …” Commands (305808)

The following diag npu np6 commands have been reintroduced in 5.6.0. These options were available in 5.2.x but were missing from 5.4.0.

  • diag npu np6 gmac-stats – Shows the GMAC MIB counters
  • diag npu np6 gmac-stats-clear – Clears the GMAC MIB counters
  • diag npu np6 gige-port-stats – Shows the GIGE PORT MIB counters
  • diag npu np6 gige-port-stats-clear – Clears the GIGE PORT MIB counters

Diagnose command to show firewall service cache (355819)

A diagnostic command has been added to dump the service name cache kept by the miglogd daemon for each individual VDOM:

diag test app miglogd 106

Example output:

This output has been edited down to conserve space. Only the first 5 of each grouping has been included.

diag test app miglogd 106

tcp
  port(0), name(NONE)
  port(21), name(FTP)
  port(22), name(SSH)
  port(23), name(TELNET)
  port(25), name(SMTP)
udp
  port(53), name(DNS)
  port(67–68), name(DHCP)
  port(69), name(TFTP)
  port(88), name(KERBEROS)
  port(111), name(ONC-RPC) extra: (ONC-RPC) (NFS)
icmp
  port(1), name(test)
  port(8), name(PING)
  port(13), name(TIMESTAMP)
  port(15), name(INFO_REQUEST)
  port(17), name(INFO_ADDRESS)
general
  prot(6), port(4300), name(example.com_Webadmin)
  prot(6), port(5060), name(SIP)
  prot(6), port(5190–5194), name(AOL)
  prot(6), port(5631), name(PC-Anywhere)
  prot(6), port(5900), name(VNC)
service names:
  WINFRAME,DNS,DCE-RPC,H323,RLOGIN,IRC,UUCP,example.com_Webadmin,HTTPS,WAIS,FINGER,REXEC,
  RAUDIO,SNMP,TIMESTAMP,RADIUS-OLD,DHCP,AOL,MGCP,SMTPS,INFO_REQUEST,HTTP,SCCP,SOCKS,PPTP,
  ONC-RPC,NNTP,SMTP,QUAKE,PC-Anywhere,TFTP,NONE,SSH,RSH,IMAPS,LDAP_UDP,SIP,RIP,PING,PING6,
  X-WINDOWS,SMB,SAMBA,TRACEROUTE,NFS,WINS,L2TP,IMAP,GOPHER,SIP-MSNmessenger,SYSLOG,DHCP6,
  TELNET,LDAP,MS-SQL,MMS,KERBEROS,SQUID,NTP,FTP,CVSPSERVER,test,AFS3,POP3,Internet-Locator-Service,
service groups:
  Email Access(DNS,IMAP,IMAPS,POP3,POP3S,SMTP,SMTPS,)
  Windows AD(DCE-RPC,DNS,KERBEROS,LDAP,LDAP_UDP,SAMBA,SMB,)
  Web Access(DNS,HTTP,HTTPS,)
  Exchange Server(DCE-RPC,DNS,HTTPS,)
policies involving multiple service definitions:

Diagnose command to show crash history and adjust crash interval (366691)

In order to alleviate the impact logging puts on resources when processes repeatedly crash, limits have been put on crash logs.

  • The default limit is 10 crash logs per 60 minutes. This limit can be edited using the command diagnose debug crashlog interval <interval>, where <interval> is the number of seconds during which crash logs are logged for a particular process.
  • The miglogd daemon is the only daemon that writes crash logs directly. Crash logs from other processes are written through miglogd.
  • Crash logs for a single crash are written all at once so that the logs are easier to read if multiple processes crash at the same time.
  • A diagnose command has been added to show crash history.

# diagnose debug crashlog history
# Crash log interval is 3600 seconds
# reportd crashed 2 times. The latest crash was at 2016-12-01 17:53:45

diagnose switch-controller commands (368197)

The following diagnose commands in the CLI are designed to:

  • Output stats on the managed switches
  • Kick a client from the managed switches

diagnose switch-controller dump lldp neighbors-summary <device-id> <portid>
diagnose switch-controller dump lldp neighbors-detail <device-id> <portid>
diagnose switch-controller dump lldp stats <device-id>
diagnose switch-controller dump port-stats <device-id>
diagnose switch-controller dump trunk-state <device-id>
diagnose switch-controller kick <device-id> <vlan ID> <port ID> <MAC ID>

While not a diagnostic command, the following can also be run from VDOMs:

execute replace-device fortiswitch <device-id>

These commands are no longer restricted to being run from the root VDOM and can be run from any VDOM.

Diagnose commands for monitoring NAT sessions (376546)

The following monitoring capabilities have been added to the CLI and SNMP:

  • NAT sessions per IP pool
  • Total TCP sessions per IP pool
  • Total UDP sessions per IP pool
  • Total other (non-TCP and non-UDP) sessions per IP pool

FortiGate supports 4 types of NAT (IP pool types):

  • Overload
  • One-to-one
  • Fixed-port-range
  • Port-block-allocation

diagnose firewall ippool-all

  • list – Lists all of the IP pools
  • stats – Statistics of the IP pools

list

diagnose firewall ippool-all list

Example output:

vdom:root owns 4 ippool(s)
name:Client-IPPool type:port-block-allocation nat-ip-range:10.23.75.5-10.23.75.200
name:Fixed Port Range type:fixed-port-range nat-ip-range:20.20.20.5-20.20.20.50
name:One to One type:one-to-one nat-ip-range:10.10.10.5-10.10.10.50
name:Sales_Team type:overload nat-ip-range:10.23.56.18-10.23.56.20

stats

This option can be used in two ways. Running stats with no further argument outputs the stats for all of the IP pools. Putting the name of an IP pool after stats filters the output so that only the stats for that particular IP pool are included.

Example output #1

# diagnose firewall ippool-all stats
vdom:root owns 5 ippool(s)
name: Client-IPPool
type: port-block-allocation
startip: 10.23.75.5
endip: 10.23.75.200
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: Fixed Port Range
type: fixed-port-range
startip: 20.20.20.5
endip: 20.20.20.50
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: One to One
type: one-to-one
startip: 10.10.10.5
endip: 10.10.10.50
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: Sales_Team
type: overload
startip: 10.23.56.18
endip: 10.23.56.20
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0

Example output #2

# diagnose firewall ippool-all stats “Sales_Team”
name: Sales_Team
type: overload
startip: 10.23.56.18
endip: 10.23.56.20
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
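The per-pool session counters above are what an operator would poll to spot NAT pool exhaustion. The following is an added example (not Fortinet code) that parses the key/value layout of the stats output into records, checks that the tcp/udp/other counters add up to total ses, and flags pools whose average sessions per NAT address exceed a threshold; the session values in the embedded sample are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample laid out like the "diagnose firewall ippool-all stats"
# output shown above; the session counts are made up for this example.
SAMPLE_STATS = """\
vdom:root owns 2 ippool(s)
name: Client-IPPool
type: port-block-allocation
startip: 10.23.75.5
endip: 10.23.75.200
total ses: 1200
tcp ses: 900
udp ses: 250
other ses: 50
name: Sales_Team
type: overload
startip: 10.23.56.18
endip: 10.23.56.20
total ses: 3
tcp ses: 2
udp ses: 1
other ses: 0
"""

VDOM_RE = re.compile(r"^vdom:(\S+) owns (\d+) ippool\(s\)$")


@dataclass
class IpPoolStats:
    vdom: str
    name: str
    pool_type: str
    startip: str
    endip: str
    total: int
    tcp: int
    udp: int
    other: int

    @property
    def addresses(self) -> int:
        """Number of NAT addresses in the pool's startip-endip range."""
        start = int(ipaddress.IPv4Address(self.startip))
        end = int(ipaddress.IPv4Address(self.endip))
        return end - start + 1

    @property
    def sessions_per_address(self) -> float:
        return self.total / self.addresses


def parse_ippool_stats(text: str) -> list[IpPoolStats]:
    """Parse the key/value lines into one IpPoolStats per pool block.
    Works for the all-pools output (with its vdom header line) and for the
    single-pool 'stats <name>' output, which has no vdom line."""
    pools: list[IpPoolStats] = []
    vdom = ""
    current: dict[str, str] = {}

    def flush() -> None:
        if current:
            pools.append(IpPoolStats(
                vdom=vdom,
                name=current["name"],
                pool_type=current["type"],
                startip=current["startip"],
                endip=current["endip"],
                total=int(current["total ses"]),
                tcp=int(current["tcp ses"]),
                udp=int(current["udp ses"]),
                other=int(current["other ses"]),
            ))
            current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VDOM_RE.match(line)
        if m:
            flush()
            vdom = m.group(1)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "name":
            flush()  # a new "name:" line starts the next pool block
        current[key] = value
    flush()
    return pools


def inconsistent_pools(pools: list[IpPoolStats]) -> list[str]:
    """Names of pools whose tcp+udp+other does not add up to total ses."""
    return [p.name for p in pools if p.tcp + p.udp + p.other != p.total]


def busy_pools(pools: list[IpPoolStats], max_per_address: float) -> list[str]:
    """Names of pools averaging more than max_per_address sessions per NAT IP."""
    return [p.name for p in pools if p.sessions_per_address > max_per_address]
```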

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs VDOM data located in the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)

Diagnose command to get AV virus statistics (378870)

A new diagnostic command has been added to show AV statistics. It can be used within each VDOM.

Syntax: diagnose ips av stats show

Example output

diagnose ips av stats show
AV stats:

HTTP virus detected: 0

HTTP virus blocked: 0

SMTP virus detected: 0

SMTP virus blocked: 0

POP3 virus detected: 0

POP3 virus blocked: 0

IMAP virus detected: 0

IMAP virus blocked: 0

NNTP virus detected: 0

NNTP virus blocked: 0

FTP virus detected: 0

FTP virus blocked: 0

SMB virus detected: 0

SMB virus blocked: 0

Diagnose command to get remote FortiSwitch trunk information (379329)

To ensure that a FortiGate and its managed FortiSwitches stay in synchronization in the event of an inadvertent trunk table change situation, there is a new CLI setting that checks for discrepancies.

The idea is to check whether there will be a synchronization issue between the FortiGate and the FortiSwitch before applying the configuration.

  1. On FortiLink reconnection, the FortiGate (FGT) reads the trunk table of the FortiSwitch (FSW) using a REST API GET, so the FGT obtains every port and its trunk membership from the FSW.
  2. The FGT then compares its managed FSW trunk information with the information received from the FSW.
  3. If there is any conflict, the FGT deletes the extra or conflicting trunks on the FSW using a REST API POST.
  4. At the end, the FGT replays all configuration to the FSW as usual.

This deletes extra and conflicting trunks on the FSW and makes sure the two stay in sync. Possible reasons for losing synchronization include:

  • The FortiGate reboots after a factory reset while there is still a trunk configuration in the FortiSwitch.
  • The managed FortiSwitch’s trunk table gets edited on the FortiGate while the FortiSwitch is offline.
  • A trunk table on the FortiSwitch gets added, or the existing one gets modified or deleted, by a user.

New diagnose command for the CLI:

diagnose switch-controller dump trunk-switch-config <Managed FortiSwitch device ID>

Help provided for diagnose debug application csfd (379675)

The syntax for the command is: diagnose debug application csfd <Integer>

The <Integer> being the debug level. To get the integer value for the debug level, run the command without the integer. You will get the following:

# diagnose debug application csfd
csfd debug level is 0 (0x0)

Error 0x01

Warning 0x02

Function trace 0x04

Information 0x08

Detail 0x10

MAC packet encryption debug 0x20

MAC learning debug 0x40

FAZ configuration synchronize debugging 0x0080

FAZ configuration function trace 0x00100

Configuration tree update debug 0x00200

Configuration tree function trace 0x00400

HA Sync plugin debug 0x00800

Convert the value next to the debug level you want to an integer. For example, to set the debug level to Information, convert 0x08 to 8 and use it for the option at the end of the command.

# diagnose debug application csfd 8
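The listing above is a table of bit values, and the conversion the text describes (0x08 to 8 for Information) is one instance of turning those bits into the integer argument. The following added example (not Fortinet code) parses the listing, reads back the current level, encodes a set of categories into the integer, and decodes an integer into category names; it assumes, as the power-of-two values suggest, that categories are combined by bitwise OR, so it also covers selecting several categories at once.

```python
import re

# Constructed copy of the listing printed by "diagnose debug application csfd"
# when run with no argument, as shown above.
CSFD_LEVEL_LISTING = """\
csfd debug level is 0 (0x0)
Error 0x01
Warning 0x02
Function trace 0x04
Information 0x08
Detail 0x10
MAC packet encryption debug 0x20
MAC learning debug 0x40
FAZ configuration synchronize debugging 0x0080
FAZ configuration function trace 0x00100
Configuration tree update debug 0x00200
Configuration tree function trace 0x00400
HA Sync plugin debug 0x00800
"""

FLAG_LINE_RE = re.compile(r"^(?P<name>.+?)\s+0x(?P<hex>[0-9a-fA-F]+)$")
LEVEL_LINE_RE = re.compile(r"debug level is (\d+) \(0x[0-9a-fA-F]+\)")


def parse_flag_listing(listing: str) -> dict[str, int]:
    """Build {category name: bit value} from the help listing."""
    flags: dict[str, int] = {}
    for line in listing.splitlines():
        m = FLAG_LINE_RE.match(line.strip())
        if m:
            flags[m.group("name")] = int(m.group("hex"), 16)
    return flags


def current_level(listing: str) -> int:
    """Extract the currently configured level from the first line."""
    m = LEVEL_LINE_RE.search(listing)
    if not m:
        raise ValueError("no 'debug level is' line found")
    return int(m.group(1))


def debug_level(flags: dict[str, int], *categories: str) -> int:
    """OR the selected categories into the integer the CLI expects.
    Assumption: the values are independent bit flags (they are powers of two)."""
    level = 0
    for name in categories:
        if name not in flags:
            raise KeyError(f"unknown csfd debug category: {name}")
        level |= flags[name]
    return level


def describe_level(flags: dict[str, int], level: int) -> list[str]:
    """Decode an integer level back into the category names it enables."""
    known = 0
    for bit in flags.values():
        known |= bit
    if level & ~known:
        raise ValueError(f"level {level:#x} sets bits outside the listing")
    return [name for name, bit in flags.items() if level & bit]


def csfd_command(flags: dict[str, int], *categories: str) -> str:
    """The full CLI line to type, e.g. 'diagnose debug application csfd 8'."""
    return f"diagnose debug application csfd {debug_level(flags, *categories)}"
```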

New IPS engine diagnose commands (381371)

Periodically, when troubleshooting, a different IPS engine needs to be installed on the FortiGate while the FortiGate cannot be rebooted. Normally, a new IPS engine is not fully recognized by the system until after a reboot. This command allows new commands, or new versions of commands, in the IPS engine to be run without rebooting the FortiGate.

diagnose ips test cmd <command strings>

The command strings are separated by a semicolon such as: diagnose ips test cmd command1;command2;command3

Examples:

  • diagnose ips test cmd “ips session status”

This command triggers the diagnosis command in the double quotation marks: “diagnose ips session status”

  • diag ips test cmd “ips memory track; ips memory status; ips session status”

This command triggers the diagnosis commands in the double quotation marks in order.

The results:

Commands[0]: ips memory track

—-< execute “diagnose ips memory track” >—-

Commands[1]: ips memory status

—-< execute “diagnose ips memory status” >—-

Commands[2]: ips session status

—-< execute “diagnose ips session status” >—-

New AV engine diagnose commands (383352)

The purpose of this diagnostic command is to display information from within the AV engine to aid troubleshooting and diagnostics if the AV engine crashes or times out.

The command is: diagnose antivirus test

Its syntax can be one of the following:

diagnose antivirus test <command>
diagnose antivirus test <command argument1>; <argument2>; …

The command is defined and interpreted by the AV engine. FortiOS just passes the CLI command into the AV engine and outputs the strings returned by the AV engine.

In AV engine 5.4.239, the following commands are supported:

  • get scantypes
  • set scantypes
  • debug

NPU diagnose command now includes HPE info in results (384692)

There is no change to the CLI but the results of the diagnose npu np6 npu-feature command now include results regarding HPE.

clear checksum log files (diag sys ha checksum log clear) (385905)

There is currently a command, diag sys ha checksum log [enable | disable], that enables a checksum debug log by saving checksum calculations to a temp file. However, the checksum calculations saved in this file can be processed by two different functions, cmdbsvr and the CLI.

The function cmf_context-is-server() now determines whether the running process is cmdbsvr or the CLI, and a diagnose command has been added to clear the contents of the file:

diag sys ha checksum log clear

New diagnose command to delete avatars (388634)

It is now possible to delete avatars associated with FortiClient clients:

diagnose endpoint avatar delete <FortiClient UID>

or

diagnose endpoint avatar delete <FortiClient UID> <username>

  • If only the FortiClient UID is used, all of the avatars, except those that are currently being used will be deleted.
  • If both the FortiClient UID and the username are used, all of the avatars that belong to that combination, except those being used, will be deleted.

CID signatures have been improved for DHCP and CDP (389350, 409436)

More parameters have been added to make them more specific. This helps to reduce false positives.

  • DHCP signatures:
    • A new DHCP signature file, ‘cid.dhcp2’, has been added that allows the class and host name to be specified in the same signature, for increased accuracy.
    • Relevant signatures from ‘cid.dhcp’ have been ported to the new signature file ‘cid.dhcp2’.
    • Support DHCP parameter matching in signatures.
    • Support DHCP option list matching in signatures.
  • The CDP MAC analyzer now passes all three keys to the OS matcher.
  • Tests:
    • A number of new tests (including pcaps) have been added to match existing signatures and new signatures.
    • Some tests where multiple protocols were present in a single pcap have been modified. These are now split into multiple pcaps, each containing a single protocol. This allows FortiOS to fully test a signature, where previously a single test may have matched multiple signatures.
  • CID debug statistics now use shared memory. This prevents the daemon from having to respond to CLI requests and allows the stats to persist across daemon restarts.
  • A change has been made to the host IP update priority. Routers that have had their type set by heuristic are not allowed to change IPs.
  • If it is a Fortinet device, the change is allowed if it comes through a protocol we trust more (CDP, DHCP, LLDP, or MAC).

diagnose command to calculate socket memory usage (392655)

This diagnostic command gives the socket memory usage by individual process.

diagnose sys process sock-mem <pid>; <pid> …

Separate arguments with a semicolon “;”

Example

Run diagnose sys top to get the PIDs of a few processes:

diagnose sys top
Run Time: 1 days, 0 hours and 44 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 7996T, 5839F
httpsd 214 S 0.1 0.2
httpsd 1398 S 0.1 0.2
snmpd 173 S 0.1 0.1

Then use those PIDs with the command:

diagnose sys process sock-mem 214; 173
Process ID=214, sock_mem=0(bytes)
Process ID=173, sock_mem=2(bytes)

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

The FortiGate now shows the public IP address and the geographical location (country) in the dashboard. The FortiGate sends a ping to the FortiCare/FortiGuard network and, as a response, receives the local WAN IP or, if it is being NATed, the public IP of the network. Using the public IP address, a geo-IP lookup is done to determine the country.

In the same location on the Dashboard, it also shows whether or not the listed IP address is a member of the Fortinet Blacklist.

CLI

The diagnostic command to get the information is:

diag sys waninfo

Example:

diagnose sys waninfo
Public/WAN IP: 209.87.240.98
Location:
  Latitude: 45.250100
  Longitude: -75.916100
  Accuracy radius: 5
  Time zone: America/Toronto
  City: Stittsville
  Subdivisions:
    0: Ontario
  Country: Canada
  Postal:
    Code: K2S
  Continent: North America
  Registered country: Canada
ISP: Unknown
Failed to query whether 209.87.240.98 is in the FortiGuard IP Blacklist: ret=-1 buf_sz=1024
Command fail. Return code 5

To get information about the address’s inclusion as a member of the Fortinet Blacklist, the command is:

diag fortiguard ipblacklist [db | vr | ip | ctx]

  • db – Get database and vendor/reason list versions.
  • vr – Get vendor/reason list.
  • ip – Get information on a specific IP.
  • ctx – Show local context.

If using the ip option, specify the IPv4 address after the ip option. Example:

diagnose fortiguard ipblacklist ip 209.87.240.98

AWS bootstrapping diagnose commands (394158)

The bootstrap feature is quite similar to cloud-init in OpenStack. When a user launches a new FGT-VM instance in AWS, they need to provide some basic information about the license and config stored in an AWS S3 bucket via userdata. Bootstrap downloads the license and config from the S3 bucket and applies them to the FGT automatically.

CLI

A new CLI command has been added to show the results of the bootstrap config apply.

Example:

diagnose debug aws-bootstrap show
>> FGVM040000066475 $ config sys glo
>> FGVM040000066475 (global) $ set hostname awsondemand
>> FGVM040000066475 (global) $ end

Diagnose command to aid in conserve mode issues (394856)

The diagnose hardware sys conserve command provides memory information about the system that is useful in diagnosing conserve mode issues.

Example

diagnose hardware sys conserve
memory conserve mode: off
total RAM: 7996 MB
memory used: 2040 MB 25% of total RAM
memory used threshold extreme: 7597 MB 95% of total RAM
memory used threshold red: 7037 MB 88% of total RAM
memory used threshold green: 6557 MB 82% of total RAM

Diagnose commands to display FortiCare registration information (395254)

The Dashboard License widget can display information about the registered company owner and industry. There are some diagnostic commands that can do that in the CLI.

diagnose forticare protocol [HTTP | HTTPS]
diagnose forticare server <server IP>
diagnose forticare cnreg-code-list – List of known ISO 3166-1 numeric country/region codes.
diagnose forticare direct-registration reseller-list <cnreg-code>
diagnose forticare direct-registration country-data <cnreg-code>
diagnose forticare direct-registration organization-list
diagnose forticare direct-registration product-registration <arguments>

Options/arguments for product registration:

  • a = account_id
  • A = address
  • y = city
  • C = company
  • c = contract_number
  • T = country_code
  • e = existing_account
  • F = fax
  • f = first_name
  • h = help
  • I = industry
  • i = industry_id
  • l = last_name
  • O = orgsize
  • o = orgsize_id
  • p = password
  • P = phone
  • z = postal_code
  • R = reseller
  • r = reseller_id
  • S = state
  • s = state_code
  • t = title
  • v = version

New diag test app csfd options (395302)

Two additional test levels have been added to the diag test app csfd command in order to dump some additional information (timers, file handler status, and received MAC addresses) to the HA master:

diag test app csfd 11
diag test app csfd 40

New ‘AND’ and ‘OR’ filter capabilities for debug flow addr (398985)

In order to make a more flexible filter for the debug flow address command, the Boolean arguments of ‘AND’ and ‘OR’ have been added to the command parser. This will work regardless of whether or not the source or destination address is being filtered.

Syntax:

diagnose debug flow filter address <IP1|from IP> <IP2|to IP> <ENTER|and/or>

Improve wad debug trace and crash log information (400454)

Previously, when filtering on a wad debug trace or crash log information, the information may not have been as targeted as necessary. A new setting has been added to target a specific policy.

diagnose wad filter firewall-policy <index>
diagnose wad filter explicit-policy <index>

These commands will target the firewall or explicit proxy policies. Using a “-1” as the value will index of that particular policy type.

diagnose hardware test added to additional models (403571)

The diagnose hardware test that was previously on FortiGate E Series models, and the FortiGate 300/500D models, has been expanded to include:

  • Multiple low-range models
  • Multiple mid-range models
  • FortiGate 3800D model

This diagnostic feature replaces much of the functionality of the HQIP test that requires the installation of a separate firmware image.

diag sys sip-proxy config profile –> diag sys sip-proxy config profiles (404874)

Diagnose command has been changed to make it more consistent with other similar commands.

diagnose sys sip-proxy config profile has been changed to

diagnose sys sip-proxy config profiles

diag debug flow changes (405348)

For crash and console logs, the logs are no longer parsed before being sent to their destination. Now they are dumped directly to the destination.

In addition the following options have been removed from the diagnose command list:

diag debug flow show console
diag debug flow show console enable
diag debug flow show console disable

Improve wad memory diagnose process (408236)

The WAD SSL memory dump functions have been moved to migbase so they can be shared by both WAD and the CLI.

CLI additions

  • diagnose wad memory – WAD memory diagnostics
  • diagnose wad memory general – List of WAD memory blocks
  • diagnose wad memory bucket – List suspicious WAD memory buckets
  • diagnose wad memory ssl – List SSL memory statistics

New daemon watchdog framework in forticron (409243)

A new feature has been added to dump userspace’s process stacks.

CLI additions: diagnose sys process pstack <pid>

<pid> – Process ID, such as those displayed when using diagnose sys top

Output from diagnose wad debug command filterable (410069)

The output from the command was so verbose that the information being looked for could get lost in the extraneous data, so parameters were added that allow the output to be filtered by both severity level and category.

The command has a few settings:

diagnose wad debug [enable | disable | show | clear | display]

  • enable – Enable the level or category debug setting.
  • disable – Disable the debug setting.
  • show – Show the current debug setting.
  • clear – Clear the existing debug setting.
  • display – Change the display setting. For example, diag wad debug display pid enable enables the display of PID values in the output.

Syntax to set the level:

diagnose wad debug enable level <level>

Where <level> is one of:

  • error – error
  • warn – warning
  • info – information
  • verbose – verbose

Syntax to set the category:

diag wad debug enable category <category>

Where <category> is one of the following:

  • connection – connection
  • session – session
  • protocol – protocol
  • io – I/O
  • packet – packet
  • db – cache database
  • cifs – CIFS
  • ssl – SSL
  • webcache – webcache
  • policy – policy matching
  • auth – authentication
  • scan – UTM scan
  • cache – wanopt cache
  • tunnel – wanopt tunnel
  • bank – bank
  • stats – stats
  • disk – cache disk
  • video – cache video
  • rplmsg – replacement message
  • ipc – IPC
  • bar – Fortinet top bar
  • waf – WAF
  • memblk – memory block
  • all – all categories

DNS log improvements (410132)

DNS logs have been improved to make the presentation of the data clearer. These changes involve a reorganization of the DNS log subtypes.

These changes include:

  • Change dns-subtype to dns-response
  • Remove the status field and add Pass/Block/Redirect to the action field
  • Change the msg field to display DNS filter rating results
  • All error messages now go to the error field
  • Change urlfilteridx to domainfilteridx
  • Change urlfilterlist to domainfilterlist
  • Add a query type value field

 

Explicit web proxy

Explicit web proxy (5.6)

New explicit web proxy features added to FortiOS 5.6.

Explicit proxy supports multiple incoming ports and port ranges (402775, 398687)

Explicit proxy can now be configured to listen on multiple ports on the same IP as well as listen for HTTP and HTTPS on those same (or different) ports.

Define the port ranges using a hyphen (-). As shown below, port_high does not need to be specified if port_low is equal to port_high.

CLI syntax

config web-proxy explicit
  set http-incoming-port <port_low>[-<port_high>]
end

Explicit proxy supports IP pools (402221)

Added a new command, poolname, to config firewall explicit-proxy-policy. When an IP pool name is set with this command, the outgoing IP is selected from that pool.

CLI syntax

config firewall explicit-proxy-policy
  edit <example>
    set poolname <name>
  next
end

Option to remove unsupported encoding from HTTP headers (392908)

Added a new command to config web-proxy profile that, when enabled, allows the FortiGate to strip out unsupported encoding from request headers, and correctly block banned words. This is to resolve issues when attempting to successfully block content using Google Chrome.

CLI syntax:

config web-proxy profile
  edit <example>
    set strip-encoding {enable | disable}
  next
end

New authentication process for explicit web proxying (386474, 404355)

While in Proxy inspection mode, explicit proxy options can be set under Network > Explicit Proxy. These settings will affect what options are available for creating proxy policies under Policy & Objects > Proxy Policy. From here you may create new policies with Proxy Type set to either Explicit Web, Transparent Web, or FTP.

Authentication will be triggered differently when configuring a transparent HTTP policy. Before such a policy can be configured, you must enable HTTP Policy Redirect under Security Profiles > Proxy Options.

Added Internet services to explicit proxy policies (386182)

Added two new commands to config firewall explicit-proxy-policy. FortiOS can use the Internet Service Database (introduced in 5.4.1) as the web-proxy policy matching factor.

CLI syntax:

config firewall explicit-proxy-policy
  edit <example>
    set internet-service <application-id>
    set internet-service-custom <application-name>
  next
end

Virtual WAN link in an explicit proxy firewall policy (385849, 396780)

Virtual WAN link (VWL) interfaces may now be set as the destination interface in an explicit proxy policy, routing traffic properly using basic virtual WAN link load balance settings. This is now configurable through both the CLI under firewall explicit-proxy-policy and the GUI.

Added application ID and category setting on the explicit proxy enabled service (379330)

This feature introduces support for application ID/category in the service of explicit proxy as one policy selection factor. The intent is to identify the application type based on the HTTP request with IPS application type detection function. It is similar to the current firewall explicit address, but it is implemented as a service type, and you can select the application ID/ category to define explicit service. Of course, now it must be an HTTP-based application.

CLI syntax

config firewall service custom
  edit "name"
    set app-service-type [disable|app-id|app-category]
  next
end

Explicit Proxy – populate pac-file-url in transparent mode (373977)

You can now use manageip to populate pac-file-url in transparent opmode. Previously, when displaying pac-file-url in the CLI, the code only tried to get the interface IP to populate pac-file-url.

CLI syntax

config vdom
  edit root
    config system settings
      set opmode transparent
      set manageip 192.168.0.34/24
    end
    config web-proxy explicit
      set pac-file-server-status enable
      get pac-file-url [url.pac]
    end
  end

SSL deep inspection OCSP support for Explicit Proxy (365843)

OCSP support for SSL deep inspection added for Explicit Proxy.

CLI syntax

config vpn certificate setting
  set ssl-ocsp-status [enable|disable]
  set ssl-ocsp-option [certificate|server]
end

Timed out authentication requests are now logged (357098)

CLI syntax

config web-proxy explicit
  set trace-auth-no-rsp [enable|disable]
end

 
