Channel: Fortinet GURU

Firewall (5.6.1)


New firewall features added to FortiOS 5.6.1.

Improvement to NAT column in Policy List Display (305575)

The NAT column in the policy list can now provide more information than before.

Previously, the field in that column only showed whether NAT was Enabled or Disabled.

With the new improvements, the field shows the name of the dynamic IP pool, if one is being used, and hovering the cursor over the icon in the field brings up a tool-tip with even more specific information.

GUI support for adding Internet-services to proxy-policies (405509)

There is now GUI support for the configuration of adding Internet services to proxy policies. When choosing a destination address for a Proxy Policy, the Internet Service tab is visible and the listed objects can be selected.

Choosing an Internet Service object as the Destination sets internet-service to enable; choosing an Address or IPv6 Address object instead sets internet-service to disable.

Inline editing of profile groups on policy (409485)

Profile groups can now be edited directly in the policy list display window. Previously, you had to open the policy's edit window, as in the image below:

Now the editing can be done from the policy list by clicking the GRP icon. Right-clicking the icon slides a window out from the left, and left-clicking gives you a drop-down menu.

Rename “action” to “nat” in firewall.central-snat-map (412427)

The action field option in the context of firewall central-snat-map in the CLI was considered by some to be a little ambiguous, so it has been renamed to nat, an option that can be either enabled or disabled.

Explicit proxy supports session-based Kerberos authentication (0437054)

  • Explicit proxy supports session-based Kerberos authentication.
  • Transparent proxy will create an anonymous user if an attempt to create an NTLM connection fails.
  • When FSSO authentication fails for the explicit FTP proxy, the FortiGate responds with the error message “match policy failed”.


Firewall (5.6)

New firewall features added to FortiOS 5.6.

Optimization of the firewall Service cache (355819)

In order to improve the efficiency and performance of the firewall Service cache, the following improvements have been made:

  • The logic behind the structure of the cache has been simplified. Instead of storing ranges of port numbers, each individual port number is stored in the cache.
  • Separate caches are created for each VDOM so that cache searches are faster.
  • The performance of more frequently used cases has been increased.
  • Hash tables are used to improve the performance of complex cases. These could include such instances as:
    • service names tied to specific IP ranges
    • redefinition (one port number with multiple service names)

New CLI option to prevent packet order problems for sessions offloaded to NP4 or NP6 (365497)

To prevent packets from being processed out of order on a FortiGate handling a heavy load of traffic, a new setting has been added to better control the timing of pushing packets to the NP units.

The new option, delay-tcp-npc-session, has been added to the context of config firewall policy in the CLI:

config firewall policy
    edit <Integer for policy ID>
        set delay-tcp-npc-session
    next
end

This option may not be available on units that do not have NP units.

 

GUI changes to Central NAT (371516)

The Central NAT configuration interface now prevents “all” and “none” from accidentally being selected together as two objects for the same field. It only allows a single IP pool to be selected, though it is still possible to select multiple IP pools in the CLI.

Max value for Firewall User authentication changed (378085)

Previously, the maximum time that a member of a firewall user group could remain authenticated without any activity was 24 hours (1440 minutes). The maximum value for this setting has been changed to 72 hours (4320 minutes). This allows someone to log in and not be kicked off the system due to inactivity over the course of a weekend.

The syntax in the CLI for configuring this setting is:

config user group
    edit <name of user group>
        set authtimeout 4320
    next
end

Changes to default SSL inspection configuration (380736)

SSL is such a big part of normal traffic that SSL certificate inspection is no longer disabled by default. SSL inspection is now mandatory in both the CLI and GUI when it is applicable, and the default setting is the Certificate Inspection level. As a result there have been a few changes within the CLI and the GUI.

CLI

The setting SSL-SSH-Profile is a required option, with the default value being “certificate-inspection”, when it is applicable in the following tables:

  • profile-group
  • firewall.policy
  • firewall.policy6
  • firewall.explicit-proxy-policy

The following default profiles are read-only:

  • certificate-inspection
  • deep-ssl-inspection

GUI

IPv4/IPv6 Policy and Explicit Proxy Policy edit window

  • The configuration and display set up for SSL/SSH Inspection is now similar to the “profile-protocol-option” option.
  • The disable/enable toggle button is no longer available for the Profile Protocol Option.
  • The default profile is set to “certificate-inspection”.

IPv4/IPv6 Policy, Explicit Proxy Policy list page

  • There is validation for SSL-SSH-Profile when configuring UTM profiles.

SSL/SSH Inspection list page

  • There is no delete menu on the GUI for default SSL profiles.
  • The “Edit” menu has been changed to “View” for default SSL profiles.
  • The default SSL profile entries are considered an implicit class and are grayed out.

SSL/SSH Inspection edit window

  • The only input for default SSL profiles is now the download/view trusted certificate links.
  • To return to the List page from default SSL profiles, the name of the button is now “Return”.

Profile Group edit window

  • There is no check box for SSL-SSH-Profile. It is always required.

Add firewall policy comment field content to log messages (387865)

Some customers need the logs to include specific information about the traffic that produced the log. The rather elegant solution is that when the log-policy-comment option is enabled, the comment field from the policy is included in the log. To make the logs more useful regarding the traffic, just add a customized comment to the policy and enable this setting.

Syntax

config system settings
    set log-policy-comment [enable | disable]
end

  • This setting applies to all traffic and security logs.
  • It can be selected on a per-VDOM basis.

Learning mode changes profile type to single (387999)

The Learning mode does not function properly when it is applied to a policy that has a UTM profile group applied to it. The logging that should be taking place from the Learning Mode profiles does not occur as intended, and the

Automatically switching the profile type to single on a policy with Learning mode enabled prevents it from being affected by the UTM policy groups.

MAC address authentication in firewall policies and captive portals (391739)

When enabled, a MAC authentication request will be sent to fnbamd on any traffic. If the authentication receives a positive response, login becomes available. If the response is negative the normal authentication process takes over.

CLI

New option in the firewall policy setting

config firewall policy
    edit <policy ID>
        set radius-mac-auth-bypass [enable | disable]
    next
end

New option in the interface setting

config system interface
    edit <interface>
        set security-mode captive-portal
        set security-mac-auth-bypass
    next
end

Display resolved IP addresses for FQDN in policy list (393927)

If an FQDN address object is used in a policy, hovering the cursor over the icon for that object shows a tool tip that lists the parameters of the address object. This tool tip now includes the IP address that the FQDN resolves to.

Added comment for acl-policy, interface-policy and DoS-policy (396569)

A comment field has been added to the following policy types:

  • acl-policy
  • interface-policy
  • DoS-policy

Comments of up to 1023 characters can be added through the CLI.

Examples:

DoS policy

config firewall DoS-policy
    edit 1
        set comment “you can put a comment here(Max 1023).”
        set interface “internal”
        set srcaddr “all”
        set dstaddr “all”
        set service “ALL”
        config anomaly
            edit “tcp_syn_flood”
                set threshold 2000
            next
        end
    next
end

Interface policy

config firewall interface-policy
    edit 1
        set comment “you can put a comment here(max 1023).”
        set interface “dmz2”
        set srcaddr “all”
        set dstaddr “all”
        set service “ALL”
    next
end

Firewall ACL

config firewall acl
    edit 1
        set status disable
        set comment “you can put a comment here(max 1023).”
        set interface “port5”
        set srcaddr “all”
        set dstaddr “all”
        set service “ALL”
    next
end

Internet service settings moved to more logical place in CLI (397029)

The following settings have moved from the application context of the CLI to the firewall context:

  • internet-service
  • internet-service-custom

Example of internet-service

config firewall internet-service
    edit 1245324
        set name “Fortinet-FortiGuard”
        set reputation 5
        set icon-id 140
        set offset 1602565
        config entry
            edit 1
                set protocol 6
                set port 443
                set ip-range-number 27
                set ip-number 80
            next
            edit 2
                set protocol 6
                set port 8890
                set ip-range-number 27
                set ip-number 80
            next
            edit 3
                set protocol 17
                set port 53
                set ip-range-number 18
                set ip-number 31
            next
            edit 4
                set protocol 17
                set port 8888
                set ip-range-number 18
                set ip-number 31
            next
        end
    next
end

Example of internet-service-custom

config firewall internet-service-custom
    edit “custom1”
        set comment “custom1”
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 30
                        set end-port 33
                    next
                end
                set dst “google-drive” “icloud”
            next
        end
    next
end

Example of get command:

get firewall internet-service-summary

Version: 00004.00002

Timestamp: 201611291203

Number of Entries: 1349

Certificate key size selection (397883)

FortiOS now supports different SSL certificate key lengths from the HTTPS server. FortiOS selects a key size from the two options of 1024 and 2048 to match the key size on the HTTPS server as closely as possible, rounding up. If the size of the key from the server is 512 or 1024, the proxy selects a 1024-bit key. If the key size from the server is over 1024, the proxy selects a 2048-bit key.

CLI changes:

In ssl-ssh-profile remove:

  • certname-rsa
  • certname-dsa
  • certname-ecdsa

In vpn certificate setting, add the following options:

  • certname-rsa1024
  • certname-rsa2048
  • certname-dsa1024
  • certname-dsa2048
  • certname-ecdsa256
  • certname-ecdsa384

AWS API integration for dynamic firewall address object (400265)


Some new settings have been added to the CLI so that instance information can be retrieved directly from AWS. The IP address of a newly launched instance can be automatically added to a firewall address group if it meets specific requirements. The new address type is ADDR_TYPE_AWS.

New CLI configuration settings:

The AWS settings:

config aws
    set access-key
    set secret-key
    set region
    set vpc-id
    set update-interval
end

  • access-key – AWS access key.
  • secret-key – AWS secret key.
  • region – AWS region name.
  • vpc-id – AWS VPC ID.
  • update-interval – AWS service update interval (60 – 600 sec, default = 60).

The AWS address:

config firewall address
    edit <address name>
        set type aws
        set filter <filter values>
    next
end

The filter can be a combination of any number of conditions, as long as the total length of filter is less than 2048 bytes. The syntax for the filter is:

<key1=value1> [& <key2=value2>] [| <key3=value3>]

Each condition consists of a key and a value. The supported keys are:

  1. instanceId, (e.g. instanceId=i-12345678)
  2. instanceType, (e.g. instanceType=t2.micro)
  3. imageId, (e.g. imageId=ami-123456)
  4. keyName, (e.g. keyName=aws-key-name)
  5. architecture, (e.g. architecture=x86)
  6. subnetId, (e.g. subnetId=sub-123456)
  7. availabilityzone, (e.g. placement.availabilityzone=us-east-1a)
  8. groupname, (e.g. placement.groupname=group-name)
  9. tenancy, (e.g. placement.tenancy=tenancy-name)
  10. privateDnsName, (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
  11. publicDnsName, (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
  12. AWS instance tag, each tag includes a key and value, the format of tag set is: tag.Name=Value, maximum of 8 tags are supported.
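The filter grammar above, worked through in Python as an added example (not FortiOS code): it parses a filter into OR-groups of AND conditions and evaluates it against constructed instance metadata. Assumptions not stated on the page: '&' binds tighter than '|', keys match case-insensitively, and the 8-tag limit caps the number of tag.* conditions in one filter.

```python
import re

# Limits stated on the page.
FILTER_MAX_BYTES = 2048
MAX_TAG_CONDITIONS = 8

# Keys the page lists as supported; the placement.* spelling follows its examples.
SUPPORTED_KEYS = {
    "instanceid", "instancetype", "imageid", "keyname", "architecture",
    "subnetid", "placement.availabilityzone", "placement.groupname",
    "placement.tenancy", "privatednsname", "publicdnsname",
}
# Bare spellings from the key list are accepted as aliases for placement.*
PLACEMENT_ALIASES = {"availabilityzone", "groupname", "tenancy"}


def flatten_instance(instance):
    """Flatten a describe-instances-like dict into lower-cased key -> value.

    Placement fields become placement.<field>, tags become tag.<Key>.
    Case-insensitive keys are an assumption of this example.
    """
    flat = {}
    for key, val in instance.items():
        if key == "Placement":
            for pk, pv in val.items():
                flat["placement." + pk.lower()] = str(pv)
        elif key == "Tags":
            for tag in val:
                flat["tag." + tag["Key"].lower()] = str(tag["Value"])
        else:
            flat[key.lower()] = str(val)
    return flat


def parse_filter(text):
    """Parse '<k=v> [& <k=v>] [| <k=v>]' into a list of AND-groups.

    The result is an OR over groups, each group an AND over (key, value)
    pairs; '&' binding tighter than '|' is an assumption of this example.
    Raises ValueError for oversize filters, malformed terms, unknown keys,
    or more than MAX_TAG_CONDITIONS tag.* conditions.
    """
    if len(text.encode("utf-8")) >= FILTER_MAX_BYTES:
        raise ValueError("filter must be shorter than 2048 bytes")
    groups, tag_conditions = [], 0
    for disjunct in text.split("|"):
        conds = []
        for term in disjunct.split("&"):
            m = re.fullmatch(r"\s*([A-Za-z0-9_.]+)=(\S+)\s*", term)
            if not m:
                raise ValueError(f"malformed condition: {term.strip()!r}")
            key, value = m.group(1).lower(), m.group(2)
            if key in PLACEMENT_ALIASES:
                key = "placement." + key
            if key.startswith("tag."):
                tag_conditions += 1
            elif key not in SUPPORTED_KEYS:
                raise ValueError(f"unsupported filter key: {key}")
            conds.append((key, value))
        groups.append(conds)
    if tag_conditions > MAX_TAG_CONDITIONS:
        raise ValueError("at most 8 tag conditions are supported")
    return groups


def instance_matches(filter_text, instance):
    """True if any AND-group of the filter fully matches the instance."""
    flat = flatten_instance(instance)
    return any(all(flat.get(k) == v for k, v in group)
               for group in parse_filter(filter_text))


def resolve_addresses(filter_text, instances):
    """Private IPs that would populate the dynamic address object (sorted)."""
    return sorted(inst["PrivateIpAddress"] for inst in instances
                  if instance_matches(filter_text, inst))


# Constructed sample instances; not real AWS data.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa0000000000001", "InstanceType": "t2.micro",
     "ImageId": "ami-123456", "PrivateIpAddress": "172.31.10.211",
     "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"},
     "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "Role", "Value": "web"}]},
    {"InstanceId": "i-0bbb0000000000002", "InstanceType": "t2.large",
     "ImageId": "ami-123456", "PrivateIpAddress": "172.31.20.5",
     "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "default"},
     "Tags": [{"Key": "Name", "Value": "db-01"}, {"Key": "Role", "Value": "db"}]},
    {"InstanceId": "i-0ccc0000000000003", "InstanceType": "t2.micro",
     "ImageId": "ami-654321", "PrivateIpAddress": "172.31.10.212",
     "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "dedicated"},
     "Tags": [{"Key": "Name", "Value": "web-02"}, {"Key": "Role", "Value": "web"}]},
]

if __name__ == "__main__":
    f = "tag.Role=web & placement.availabilityzone=us-east-1a | instanceType=t2.large"
    print(resolve_addresses(f, SAMPLE_INSTANCES))
```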

Internet service configuration (405518)


To make the CLI configuration of Internet services more intuitive, the Internet service settings in the Explicit Web proxy are now closer to those in the firewall policy. An Internet service enable switch has been added to the Explicit Web proxy with the same text description as in the firewall policy.

CLI:

The relevant options in the firewall policy are:

config firewall policy
    edit 1
        set internet-service enable
        set internet-service-id 327681 1572864 917519 393225 1572888 1572877 917505
    next
end

The Explicit Web proxy now has these options:

config firewall explicit-proxy-policy
    edit 1
        set uuid f68e0426-dda8-51e6-ac04-37fc3f92cadf
        set proxy web
        set dstintf “port9”
        set srcaddr “all”
        set internet-service 2686980
        set action accept
        set schedule “always”
        set logtraffic all
    next
end

Changes to SSL abbreviate handshake (407544)


The SSL handshake process has changed to make troubleshooting easier.

  • In order to better identify which clients have caused SSL errors, the WAD SSL log will use the original source address rather than the source address of packets.
  • The return value of wad_ssl_set_cipher is checked.
  • The wad_ssl_session_match has been removed because it will add the connection into bypass cache and bypass further inspection.
  • DSA and ECDSA certificates are filtered for admin-server-cert.
  • cert-inspect is reset after a WAD match to a Layer 7 policy.
  • An option to disable the use of SSL abbreviate handshake has been added.

CLI addition

config firewall ssl setting
    set abbreviate-handshake [enable|disable]
end

NGFW mode in the VDOM – NAT & SSL Inspection considerations (407547)


Due to how the NGFW Policy mode works, it can get complicated in the two areas of NAT and SSL Deep Inspection. To match an application against a policy, some traffic has to pass through the FortiGate in order to be properly identified. Once that happens, the session may end up getting mapped to a different policy, where the new policy will be appropriately enforced.

NAT

In the case of NAT being used, the first policy that is triggered to identify the traffic might require NAT enabled for it to work correctly. i.e., without NAT enabled it may never be identified, and thus not fall through. Let’s use a very simple example:

Policy 1: Block Youtube

Policy 2: Allow everything else (with NAT enabled)

Any new session established will never be identified immediately as Youtube, so it’ll match policy #1 and let some traffic go to try and identify it. Without NAT enabled to the Internet, the session will never be setup and thus stuck here.

Solution:

  • NAT for NGFW policies must be done via the Central SNAT Map.
  • Central SNAT Map entries now have options for ‘srcintf’, ‘dstintf’ and ‘action’.
  • If no IP pools are specified in the Central SNAT entry, then the outgoing interface address will be used.
  • NGFW policies now must use a single default ssl-ssh-profile. The default ssl-ssh-profile can be configured under the system settings table.

SSL

In the case of SSL inspection, the issue is a bit simpler. For each policy there are 3 choices:

  1. No SSL,
  2. Certificate Only
  3. Deep Inspection.

For 1. and 2. there is no conflict; the user can enable them interchangeably and allow policy fall-through.

The issue happens when:

  • The first policy matched uses Certificate Only.
  • After the application is detected, the session is re-mapped to a new policy which has Deep Inspection enabled.

This switching of behavior is the main cause of the issue.

Solution:

  • Multiple SSL profiles have been replaced with a single page of settings.
  • The user can set up exemptions for destination web category, source IP, etc.

CLI

Changes

config system settings
    set inspection-mode flow
    set policy-mode [standard | ngfw]
end

Has been changed to:

config system settings
    set inspection-mode flow
    set ngfw-mode [profile-based | policy-based]
end

  • ngfw-mode – Next Generation Firewall mode.
  • profile-based – Application and web-filtering is configured using profiles applied to policy entries.
  • policy-based – Application and web-filtering is configured as policy match conditions.

Additions

Setting the VDOM default ssl-ssh-profile

config system settings
    set inspection-mode flow
    set ngfw-mode policy-based
    set ssl-ssh-profile <profile>
end

  • ssl-ssh-profile – VDOM SSL SSH profile.

Setting srcintf, dstintf, action on the central-snat policy

config firewall central-snat-map
    edit <id>
        set srcintf <names or any>
        set dstintf <names or any>
        set action (permit | deny)
    next
end

  • srcintf – Source interface name.
  • dstintf – Destination interface name.
  • action – Action of central SNAT policy.

GUI

System settings, VDOM settings list/dialog:

  • A field has been added to show the default ssl-ssh-profile.

IPv4/v6 Policy list and dialogs:

  • In NGFW policy-based mode, there are added tool tips under NAT columns/fields to indicate that NAT must be configured via Central SNAT Map. Additionally, links to redirect to the Central SNAT list were added.
  • Default ssl-ssh-profile is shown in the policy list and dialog for any policies doing NGFW (application, application-categories, url-categories) or UTM (av-profile etc.) inspection.
  • Default ssl-ssh-profile is disabled from editing in the policy list dialog.

Central SNAT Policy list and dialogs:

  • In both profile-based and policy-based ngfw-mode, fields for srcintf, dstintf were added to Central SNAT policy entries.
  • In policy-based mode only, a toggle-switch for NAT Action was added in the Central SNAT policy dialog. The action is also configurable from the Action column in the Central SNAT policy list.

SSL/SSH Inspection list:

  • In policy-based mode only, the navigation bar link to SSL/SSH Inspection redirects to the profiles list.
  • In policy-based mode only, the SSL/SSH Inspection list table indicates which profile is the current VDOM default.

Additionally, options are provided in the list menu and context menu to change the current VDOM default.

Support HTTP policy for flow-based inspection (411666)


It is possible to implement an HTTP policy in a VDOM that is using the flow-based inspection mode. Enabling the HTTP policy causes the traffic to be redirected to WAD so that the traffic can be properly matched and processed.

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6.1)


New managed FortiSwitch features added to FortiOS 5.6.1 if the FortiSwitch is running FortiSwitch OS 3.6.0.

Simplified method to convert a FortiSwitch to standalone mode (393205)

There is an easier way to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>

This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch.

  • execute switch-controller set-standalone <switch-id>

This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch.

You can disable FortiLink auto-discovery on multiple FortiSwitches using the following commands:

config switch-controller global
    set disable-discovery <switch-id>
end

You can also add or remove entries from the list of FortiSwitches that have FortiLink auto-discovery disabled using the following commands:

config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end


Quarantines (410828)


Quarantined MAC addresses are blocked on the connected FortiSwitches from the network and the LAN.

NOTE: You must enable the quarantine feature in the FortiGate CLI using the set quarantine enable command. You can add MAC addresses to the quarantine list before enabling the quarantine feature, but the quarantine does not go into effect until enabled.

Quarantining a MAC address

Using the FortiGate GUI

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Click OK to confirm that you want to quarantine the host.

Using the FortiGate CLI

config switch-controller quarantine
    set quarantine enable
    config targets
        edit <MAC_address>
            set description <string>
            set tags <tag1 tag2 tag3 …>
        next
    end
end

Option              Description
MAC_address         A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string              Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 …    Optional. A list of arbitrary strings.

Viewing quarantine entries

Quarantine entries are created on the FortiGate that is managing the FortiSwitch.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses: show switch-controller quarantine

When the quarantine feature is enabled on the FortiGate, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN: show system interface qtn.<FortiLink_port_name>

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

Use the following commands to delete a quarantined MAC address:

config switch-controller quarantine
    config targets
        delete <MAC_address>
    end
end

When the quarantine feature is disabled, all quarantined MAC addresses are released from quarantine. Use the following commands to disable the quarantine feature:

config switch-controller quarantine
    set quarantine disable
end

Assign untagged VLANs to a managed FortiSwitch port (410828)


Use the following commands to assign untagged VLANs to a managed FortiSwitch port:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set untagged-vlans <VLAN-name>
            next
        end
    next
end

View, create, and assign multiple 802.1X policy definitions (408389 and 403901)

Previously, you could create one 802.1X policy for all managed FortiSwitches in a virtual domain. Now, you can create multiple 802.1X policies and assign a different 802.1X policy to each managed FortiSwitch port.

View security policies for managed FortiSwitches

You can view security policies for managed FortiSwitches in two places:

  • Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  • Go to WiFi & Switch Controller > FortiSwitch Ports and click the + next to a FortiSwitch. The security policy for each port is listed in the Security Policy column.

Create and assign multiple 802.1X policy definitions for managed FortiSwitches

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Click Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Click + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 60-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Click OK.

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the + next to a FortiSwitch.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Click OK to apply the security policy to that port.

Override 802.1X settings

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Click OK.

Enable and disable switch-controller access VLANs through FortiGate (406718)


Access VLANs are VLANs that aggregate client traffic solely to the FortiGate. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate. After the client traffic reaches the FortiGate, the FortiGate can then determine whether to allow various levels of access to the client by shifting the client’s network VLAN as appropriate.

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end

Override the admin password for all managed FortiSwitches (416261)


By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitches managed by a FortiGate, use the following commands:

config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and use the unset login-passwd command; otherwise, your previously set password will remain in the FortiSwitch.

Configure an MCLAG with managed FortiSwitches (366617)


To configure a multichassis LAG (MCLAG) with managed FortiSwitches:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk
    edit “LAG-member”
        set mode lacp-active
        set mclag-icl enable
        set members “<port>” “<port>”
    next
end

  2. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch
    edit “<switch-id>”
        config ports
            edit “<trunk name>”
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set bundle {enable | disable}
                set members “<port>,<port>”
                set mclag {enable | disable}
            next
        end
    next
end

  3. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configure QoS with managed FortiSwitches (373581)


Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows. NOTE: FortiGate does not support QoS for hard or soft switch ports.

To configure the QoS for managed FortiSwitches:

  1. Configure a Dot1p map.

config switch-controller qos dot1p-map
    edit <Dot1p map name>
        set description <text>
        set priority-0 <queue number>
        set priority-1 <queue number>
        set priority-2 <queue number>
        set priority-3 <queue number>
        set priority-4 <queue number>
        set priority-5 <queue number>
        set priority-6 <queue number>
        set priority-7 <queue number>
    next
end

  2. Configure a DSCP map.

config switch-controller qos ip-dscp-map
    edit <DSCP map name>
        set description <text>
        config map <map_name>
            edit <entry name>
                set cos-queue <COS queue number>
                set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
                set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
                set value <DSCP raw value>
            next
        end
    next
end

  3. Configure the egress QoS policy.

config switch-controller qos queue-policy
    edit <QoS egress policy name>
        set schedule {strict | round-robin | weighted}
        config cos-queue
            edit [queue-<number>]
                set description <text>
                set min-rate <rate in kbps>
                set max-rate <rate in kbps>
                set drop-policy {taildrop | random-early-detection}
                set weight <weight value>
            next
        end
    next
end

  4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy
    edit <QoS egress policy name>
        set default-cos <default CoS value 0-7>
        set trust-dot1p-map <Dot1p map name>
        set trust-ip-dscp-map <DSCP map name>
        set queue-policy <queue policy name>
    next
end

  5. Configure each switch port.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port>
                set qos-policy <CoS policy>
            next
        end
    next
end

Reset PoE-enabled ports from the GUI (387417)


If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.


Adding preauthorized FortiSwitches (382774)

After you preauthorize a FortiSwitch, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

Managed FortiSwitch OS 3.6.0 (FortiOS 5.6)

New managed FortiSwitch features added to FortiOS 5.6 if the FortiSwitch is running FortiSwitch OS 3.6.0.

IGMP snooping (387515)

The GUI and CLI support the ability to configure IGMP snooping for managed switch ports.

To enable IGMP snooping from the GUI, go to WiFi & Switch Controller > FortiSwitch VLANs, edit a VLAN and turn on IGMP Snooping under Networked Devices.

From the CLI, start by enabling IGMP snooping on the FortiGate:

config switch-controller igmp-snooping
    set aging-time <int>
    set flood-unknown-multicast {enable | disable}
end

Then enable IGMP snooping on a VLAN:

config system interface
    edit <vlan>
        set switch-controller-igmp-snooping {enable | disable}
    next
end

Use the following command to enable IGMP snooping on switch ports, and to override the global parameters for a specific switch.

config switch-controller managed-switch
    edit <switch>
        config ports
            edit port<number>
                set igmp-snooping {enable | disable}
                set igmps-flood-reports {enable | disable}
            next
        end
        config igmp-snooping
            config globals
                set aging-time <int>
                set flood-unknown-multicast {enable | disable}
            end
        end
    next
end
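The three IGMP snooping commands above combined into one working configuration, as an added example that is not from the original article or from Fortinet's documentation. The VLAN interface name, the switch serial and the port name are constructed; the `set local-override enable` line is an assumption not shown in the article (it is the switch-level switch that makes the per-switch globals take precedence over the FortiGate-wide ones).

```fortios
# Added example, not from the original article. "mcast-vlan", FS-EXAMPLE-SERIAL
# and port24 are constructed names; local-override is an assumed option.

# FortiGate-wide defaults for every managed switch: age out group entries
# after 300 s, and do not flood multicast frames that no port has joined.
config switch-controller igmp-snooping
    set aging-time 300
    set flood-unknown-multicast disable
end

# Turn snooping on for the VLAN that carries the multicast sources.
config system interface
    edit "mcast-vlan"
        set switch-controller-igmp-snooping enable
    next
end

# One switch overrides the defaults with a shorter aging time; its uplink
# port runs snooping and forwards the membership reports it sees upstream.
config switch-controller managed-switch
    edit "FS-EXAMPLE-SERIAL"
        config ports
            edit "port24"
                set igmp-snooping enable
                set igmps-flood-reports enable
            next
        end
        config igmp-snooping
            set local-override enable
            config globals
                set aging-time 120
                set flood-unknown-multicast disable
            end
        end
    next
end
```

Leaving flood-unknown-multicast enabled means multicast groups nobody has joined are still delivered to every port in the VLAN, which exposes that traffic to any host on the segment; disabling it confines delivery to ports that have sent a membership report.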

User-port link aggregation groups (378470)

The GUI now supports the ability to configure user port LAGs on managed FortiSwitches.

To create a link aggregation group for FortiSwitch user ports:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click Create New > Trunk.
  3. In the New Trunk Group page:
    1. Enter a name for the trunk group.
    2. Select two or more physical ports to add to the trunk group.
    3. Select the mode: Static, Passive LACP, or Active LACP.
  4. Click OK.

DHCP blocking, STP, and loop guard on managed FortiSwitch ports (375860)

The managed FortiSwitch GUI now supports the ability to enable/disable DHCP blocking, STP and loop guard for FortiSwitch user ports.

Go to WiFi & Switch Controller > FortiSwitch Ports. For any port you can select DHCP Blocking, STP, or Loop Guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

Switch profile enhancements (387398)

A default switch profile is bound to every switch discovered by the FortiGate. An administrator can set a password in this default profile, or create a new profile and bind it to any switch. The password in the bound profile is then configured on the FortiSwitch for the default "admin" account already present on the switch.

Number of switches per FortiGate based on model (388024)

The maximum number of supported FortiSwitches depends on the FortiGate model:

FortiGate Model Range                                  Number of FortiSwitches Supported
Up to FortiGate-98 and FortiGate-VM01                  8
FortiGate-100 to 280 and FortiGate-VM02                24
FortiGate-300 to 5xx                                   48
FortiGate-600 to 900 and FortiGate-VM04                64
FortiGate-1000 and up                                  128
FortiGate-3xxx and up, and FortiGate-VM08 and up       256

Miscellaneous configuration option changes

  • The default value of dhcp-snooping (also called DHCP blocking) is changed from trusted in FortiOS 5.4 to untrusted in FortiOS 5.6.
  • The default value of edge-port is changed from disabled in FortiOS 5.4 to enabled in FortiOS 5.6.0.
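What the new dhcp-snooping default means in practice, as an added example that is not from the original article or Fortinet's documentation: only the port that faces the real DHCP server is marked trusted, so DHCP server messages (offers and acknowledgements) arriving on any user port are dropped. The switch serial and port names are constructed.

```fortios
# Added example, not from the original article. FS-EXAMPLE-SERIAL, port24 and
# port5 are constructed names.
config switch-controller managed-switch
    edit "FS-EXAMPLE-SERIAL"
        config ports
            # Uplink toward the FortiGate and the DHCP server: the one port
            # allowed to carry DHCP server replies. It is not an edge port,
            # so STP runs on it normally.
            edit "port24"
                set dhcp-snooping trusted
                set edge-port disable
            next
            # User-facing port: keep the FortiOS 5.6 default (untrusted) so a
            # rogue DHCP server plugged in here cannot answer clients. Setting
            # it explicitly records the intent instead of relying on a default
            # that changed between 5.4 and 5.6. Edge port (the new default)
            # brings the port up without the STP listening/learning delay.
            edit "port5"
                set dhcp-snooping untrusted
                set edge-port enable
            next
        end
    next
end
```

Because the default flipped from trusted to untrusted between releases, a configuration written for 5.4 that never set dhcp-snooping on its uplink will start dropping legitimate DHCP replies after the upgrade; the trusted setting on the uplink is the line to check first when clients stop getting leases.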

Additional GUI support

  • Link aggregation of FortiSwitch ports
  • DHCP trusted/untrusted, loop guard, and STP for FortiSwitch ports
  • Connect to CLI support for FortiSwitch

FortiView (5.6.1)

New FortiView features added to FortiOS 5.6.1.

FortiView Dashboard Widget (434179)

A new widget type has been added to the FortiGate Dashboard that displays compact FortiView data. Supported FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, Admin, and System. All usual visualizations are supported.

Widgets can be saved directly to the Dashboard from a filtered page in FortiView, or configured in the CLI.

Interface Categories (srcintfrole, etc) added to log data (434188)

In 5.6, logs and FortiView both sort log traffic into two interface categories: “Traffic from LAN/DMZ”, and “Traffic from WAN.” For greater compatibility and troubleshooting of FortiAnalyzer and FortiCloud setups, interface category fields that expose this information have been added to general log data in 5.6.1: srcintfrole and dstintfrole for better backend control and monitoring.

FortiView (5.6)

New FortiView features added to FortiOS 5.6.

Added Vulnerability score topology view (303786)

In the Physical Topology and Logical Topology pages, there are two new views: Vulnerability and Threat. Drill-downs in these menus now include Vulnerability/Threat information. In Vulnerability view, device bubbles are colored based on maximum vulnerability level, and bubble size is the vulnerability score. In Threat view, device bubbles are colored based on maximum threat level, and bubble size is the threat score.

FortiView VPN tunnel map feature (382767)

The FortiView VPN page now displays VPN tunnel connections between devices, and offers more information about tunnels and devices on drill-down.

Updated FortiView CSF topology pages (384188)

The FortiView Physical Topology and Logical Topology pages have been updated in 5.6.0 to reorganize and clarify larger deployments with servers and multi-directional traffic.

Historical FortiView includes FortiAnalyzer (387423)

Data from associated FortiAnalyzer devices can now be selected as a log display option for Historical FortiView.

FortiView menu reorganization (399713)

The order of FortiView pages has been reorganized in 5.6.0 based on the source interface of data being displayed:

  • Topology
  • Traffic from LAN/DMZ
  • Traffic from WAN
  • All Segments

Data Exchange with FortiAnalyzer (393891)

Rather than sending all CSF information via log messages, FortiGate and FortiAnalyzer will now directly pass CSF information (tree, interface roles, user devices, HA members), if the FAZ responds to notices that are sent when the data has changed.

Google Maps Integration

FortiView now uses Google Maps to display location-related information. In this release, the first view to use this component is the FortiView VPN page. All current VPNs can be viewed on a fully scalable Google world map.

FortiView usability and organization updates (306247)

Several organization changes have been made to make the FortiView menu order less cluttered and more intuitive.

  • WiFi Client Monitor is now in FortiView, but is hidden when there is no managed FortiAP or WiFi Radio.
  • Country view has been merged into Destinations view.
  • Failed Authentication and Admin Login views have been merged into System Events view.

FortiGate VM (5.6)

New FortiGate VM features added to FortiOS 5.6.

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

  • Support for up to 16 vCPU – FortiGate-VM16
  • Support for up to 32 vCPU – FortiGate-VM32
  • Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

  • An indicator to show when a VM is waiting for authentication or starting up
  • Shows VM status when the license is valid
  • Shows the CLI console window when the VM is waiting too long for remote registration of the server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users with Citrix XenServer tools to read performance statistics from XenServer clients and perform XenMotion with servers in the same cluster.

There are no changes to the GUI, but there are some changes to the CLI.

A setting controls the debug level of the XenServer tools daemon:

diag debug application xstoolsd <integer>

Integer = debug level

A setting has also been added to control the update frequency for XenServer tools:

config system global
    set xstools-update-frequency <integer>
end

Enter an integer value from 30 to 300 (default = 60).

FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.
